Play interactive tour

Edit tour

Analysis Report iusb3mon_exe.exe

Overview

General Information

Sample Name:	iusb3mon_exe.exe
Analysis ID:	419315
MD5:	9166c1276b296bc78fa816cd8448cd32
SHA1:	b5e48ccae94269ca95904fc58440113e9a4cae00
SHA256:	1d2bf20f9ea7665281e5f9ffe50a8127e4618cb76c6a47a27e7aca196327c395
Infos:
Most interesting Screenshot:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	true
Confidence:	100%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

iusb3mon_exe.exe (PID: 1156 cmdline: 'C:\Users\user\Desktop\iusb3mon_exe.exe' -install MD5: 9166C1276B296BC78FA816CD8448CD32)

iusb3mon_exe.exe (PID: 5932 cmdline: 'C:\Users\user\Desktop\iusb3mon_exe.exe' /install MD5: 9166C1276B296BC78FA816CD8448CD32)

iusb3mon_exe.exe (PID: 5524 cmdline: 'C:\Users\user\Desktop\iusb3mon_exe.exe' /load MD5: 9166C1276B296BC78FA816CD8448CD32)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: iusb3mon_exe.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: iusb3mon_exe.exe

Static PE information: certificate valid

Source: iusb3mon_exe.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: d:\ccViews\autobuild1_BR-1309-009D_1.0_Snapshot\USB3_Sakura\driver\Monitor\exe\Release\iusb3mon_exe.pdb source: iusb3mon_exe.exe

Source: iusb3mon_exe.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: iusb3mon_exe.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: iusb3mon_exe.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: iusb3mon_exe.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: iusb3mon_exe.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07

Source: iusb3mon_exe.exe, 00000000.00000002.252395675.000000000143A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\iusb3mon_exe.exe

Code function: 0_2_009A5701

0_2_009A5701

Source: iusb3mon_exe.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iusb3mon_exe.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iusb3mon_exe.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iusb3mon_exe.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: iusb3mon_exe.exe, 00000000.00000000.231165769.00000000009CF000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameiusb3mon.exeR vs iusb3mon_exe.exe
Source: iusb3mon_exe.exe, 00000002.00000002.260377196.00000000009CF000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameiusb3mon.exeR vs iusb3mon_exe.exe
Source: iusb3mon_exe.exe, 00000003.00000000.242071641.00000000009CF000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameiusb3mon.exeR vs iusb3mon_exe.exe
Source: iusb3mon_exe.exe	Binary or memory string: OriginalFilenameiusb3mon.exeR vs iusb3mon_exe.exe

Source: C:\Users\user\Desktop\iusb3mon_exe.exe	Section loaded: iusb3mon.dll	Jump to behavior
Source: C:\Users\user\Desktop\iusb3mon_exe.exe	Section loaded: iusb3mon.dll	Jump to behavior
Source: C:\Users\user\Desktop\iusb3mon_exe.exe	Section loaded: iusb3mon.dll	Jump to behavior

Source: iusb3mon_exe.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: clean5.winEXE@3/0@0/0

Source: C:\Users\user\Desktop\iusb3mon_exe.exe

Command line argument: Usb30Monitor

0_2_009ABCE0

Source: iusb3mon_exe.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\iusb3mon_exe.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\iusb3mon_exe.exe 'C:\Users\user\Desktop\iusb3mon_exe.exe' -install
Source: unknown	Process created: C:\Users\user\Desktop\iusb3mon_exe.exe 'C:\Users\user\Desktop\iusb3mon_exe.exe' /install
Source: unknown	Process created: C:\Users\user\Desktop\iusb3mon_exe.exe 'C:\Users\user\Desktop\iusb3mon_exe.exe' /load

Source: iusb3mon_exe.exe

Static PE information: certificate valid

Source: iusb3mon_exe.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: iusb3mon_exe.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: iusb3mon_exe.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: iusb3mon_exe.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: iusb3mon_exe.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: iusb3mon_exe.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: iusb3mon_exe.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: iusb3mon_exe.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: d:\ccViews\autobuild1_BR-1309-009D_1.0_Snapshot\USB3_Sakura\driver\Monitor\exe\Release\iusb3mon_exe.pdb source: iusb3mon_exe.exe

Source: iusb3mon_exe.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: iusb3mon_exe.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: iusb3mon_exe.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: iusb3mon_exe.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: iusb3mon_exe.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\iusb3mon_exe.exe

Code function: 0_2_009A7E2F LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_009A7E2F

Source: C:\Users\user\Desktop\iusb3mon_exe.exe

Code function: 0_2_009A28CD push ecx; ret

0_2_009A28E0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\iusb3mon_exe.exe

Code function: 0_2_009A1000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_009A1000

Source: C:\Users\user\Desktop\iusb3mon_exe.exe

0_2_009A7E2F

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\iusb3mon_exe.exe	Code function: 0_2_009A1000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_009A1000
Source: C:\Users\user\Desktop\iusb3mon_exe.exe	Code function: 0_2_009A8C26 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	0_2_009A8C26
Source: C:\Users\user\Desktop\iusb3mon_exe.exe	Code function: 0_2_009A3427 SetUnhandledExceptionFilter,	0_2_009A3427
Source: C:\Users\user\Desktop\iusb3mon_exe.exe	Code function: 0_2_009A1A74 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_009A1A74

Source: C:\Users\user\Desktop\iusb3mon_exe.exe

Code function: GetLocaleInfoA,

0_2_009A96A2

Source: C:\Users\user\Desktop\iusb3mon_exe.exe

Code function: 0_2_009A3DB2 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_009A3DB2

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	DLL Side-Loading1	Process Injection1	Process Injection1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	DLL Side-Loading1	DLL Side-Loading1	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	System Information Discovery12	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
iusb3mon_exe.exe	0%	Virustotal	Browse
iusb3mon_exe.exe	0%	Metadefender	Browse
iusb3mon_exe.exe	3%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.thawte.com/ThawteTimestampingCA.crl0	iusb3mon_exe.exe	false		high
http://ocsp.thawte.com0	iusb3mon_exe.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	419315
Start date:	21.05.2021
Start time:	08:04:58
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	iusb3mon_exe.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Cmdline fuzzy
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean5.winEXE@3/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 99.2% (good quality ratio 95.5%) Quality average: 83.4% Quality standard deviation: 25.1%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 33
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Execution Graph export aborted for target iusb3mon_exe.exe, PID 1156 because there are no executed function

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.1572630508555175
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	iusb3mon_exe.exe
File size:	292088
MD5:	9166c1276b296bc78fa816cd8448cd32
SHA1:	b5e48ccae94269ca95904fc58440113e9a4cae00
SHA256:	1d2bf20f9ea7665281e5f9ffe50a8127e4618cb76c6a47a27e7aca196327c395
SHA512:	35d8a6475d9579d9134f0fad4c1c5db9db6b0ffd06ba451193f3f89b0d23983067e12758b620aad90b3042a14a004c0fbdcbb99dfe7c669d2101434e709d0e26
SSDEEP:	3072:Qtdq0swIPy2VnyLsQhJmxn90RAqt/7kDX1+WrlVx:QPqX/fUAFA9tkU6H
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7~.ls..?s..?s..?zg1?P..?zg ?c..?zg6?...?zg&?q..?...?~..?s..?...?zg<?v..?zg!?r..?zg$?r..?Richs..?................PE..L...mk8R...

File Icon


Icon Hash:	5ec8e4e6fa9a0e80

Static PE Info

General
Entrypoint:	0x4015e2
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x52386B6D [Tue Sep 17 14:47:09 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	25184de5e75300ec887e263b6533f8bb

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	3/7/2011 4:00:00 PM 4/22/2014 4:59:59 PM
Subject Chain	CN=Intel Corporation, OU=ISWQL, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Intel Corporation, L=Folsom, S=California, C=US
Version:	3
Thumbprint MD5:	C2A551B63DA45E6C6803FEA357320BA7
Thumbprint SHA-1:	D4B18DA36C2B91021495E25285DC1BB15C36C54C
Thumbprint SHA-256:	57BBC3A4F608C967E218E87E257C5EFDB9419E2F329D379910731E57063BEF5F
Serial:	10021A27D28312885C613AA498580F6F

Entrypoint Preview

Instruction
call 00007F7B68AFB850h
jmp 00007F7B68AF8EFDh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00410678h], eax
mov dword ptr [00410674h], ecx
mov dword ptr [00410670h], edx
mov dword ptr [0041066Ch], ebx
mov dword ptr [00410668h], esi
mov dword ptr [00410664h], edi
mov word ptr [00410690h], ss
mov word ptr [00410684h], cs
mov word ptr [00410660h], ds
mov word ptr [0041065Ch], es
mov word ptr [00410658h], fs
mov word ptr [00410654h], gs
pushfd
pop dword ptr [00410688h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041067Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00410680h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041068Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [004105C8h], 00010001h
mov eax, dword ptr [00410680h]
mov dword ptr [0041057Ch], eax
mov dword ptr [00410570h], C0000409h
mov dword ptr [00410574h], 00000001h
mov eax, dword ptr [0040F004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0040F008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [00000018h]

Rich Headers

Programming Language:

[C++] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd97c	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13000	0x35124	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x45800	0x1cf8	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x49000	0xbec	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc270	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xd4b0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x228	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xaf97	0xb000	False	0.600985440341	data	6.55141561081	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x25ee	0x2600	False	0.383943256579	data	5.56524672962	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xf000	0x3598	0x1600	False	0.219815340909	data	2.80962375255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x13000	0x35124	0x35200	False	0.326227022059	data	4.47984678938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x49000	0x155c	0x1600	False	0.469992897727	data	4.52419912131	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x13e08	0x134	data	Japanese	Japan
RT_CURSOR	0x13f3c	0xb4	data	Japanese	Japan
RT_CURSOR	0x13ff0	0x134	AmigaOS bitmap font	Japanese	Japan
RT_CURSOR	0x14124	0x134	data	Japanese	Japan
RT_CURSOR	0x14258	0x134	data	Japanese	Japan
RT_CURSOR	0x1438c	0x134	data	Japanese	Japan
RT_CURSOR	0x144c0	0x134	data	Japanese	Japan
RT_CURSOR	0x145f4	0x134	data	Japanese	Japan
RT_CURSOR	0x14728	0x134	data	Japanese	Japan
RT_CURSOR	0x1485c	0x134	data	Japanese	Japan
RT_CURSOR	0x14990	0x134	data	Japanese	Japan
RT_CURSOR	0x14ac4	0x134	data	Japanese	Japan
RT_CURSOR	0x14bf8	0x134	AmigaOS bitmap font	Japanese	Japan
RT_CURSOR	0x14d2c	0x134	data	Japanese	Japan
RT_CURSOR	0x14e60	0x134	data	Japanese	Japan
RT_CURSOR	0x14f94	0x134	data	Japanese	Japan
RT_BITMAP	0x150c8	0xb8	data	Japanese	Japan
RT_BITMAP	0x15180	0x144	data	Japanese	Japan
RT_ICON	0x152c4	0x7e9c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Japanese	Japan
RT_ICON	0x1d160	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	Japanese	Japan
RT_ICON	0x2d988	0x94a8	data	Japanese	Japan
RT_ICON	0x36e30	0x5488	data	Japanese	Japan
RT_ICON	0x3c2b8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295	Japanese	Japan
RT_ICON	0x404e0	0x25a8	data	Japanese	Japan
RT_ICON	0x42a88	0x10a8	data	Japanese	Japan
RT_ICON	0x43b30	0x988	data	Japanese	Japan
RT_ICON	0x444b8	0x468	GLS_BINARY_LSB_FIRST	Japanese	Japan
RT_ICON	0x44920	0x468	GLS_BINARY_LSB_FIRST	Japanese	Japan
RT_ICON	0x44d88	0x10a8	data	Japanese	Japan
RT_ICON	0x45e30	0x468	GLS_BINARY_LSB_FIRST	Japanese	Japan
RT_ICON	0x46298	0x468	GLS_BINARY_LSB_FIRST	Japanese	Japan
RT_DIALOG	0x46700	0x16a	data	Japanese	Japan
RT_DIALOG	0x4686c	0x16a	data	Japanese	Japan
RT_DIALOG	0x469d8	0xe8	data	Japanese	Japan
RT_DIALOG	0x46ac0	0x34	data	Japanese	Japan
RT_STRING	0x46af4	0x62	data	Japanese	Japan
RT_STRING	0x46b58	0x2e	data	Japanese	Japan
RT_STRING	0x46b88	0xe2	data	Japanese	Japan
RT_STRING	0x46c6c	0x352	AmigaOS bitmap font	Japanese	Japan
RT_STRING	0x46fc0	0x1be	data	Japanese	Japan
RT_STRING	0x47180	0x18e	data	Japanese	Japan
RT_STRING	0x47310	0x68	data	Japanese	Japan
RT_STRING	0x47378	0x76	data	Japanese	Japan
RT_STRING	0x473f0	0x8e	data	Japanese	Japan
RT_STRING	0x47480	0x2e4	data	Japanese	Japan
RT_STRING	0x47764	0x160	data	Japanese	Japan
RT_STRING	0x478c4	0x28	data	Japanese	Japan
RT_STRING	0x478ec	0x2c	data	Japanese	Japan
RT_GROUP_CURSOR	0x47918	0x22	Lotus unknown worksheet or configuration, revision 0x2	Japanese	Japan
RT_GROUP_CURSOR	0x4793c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan
RT_GROUP_CURSOR	0x47950	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan
RT_GROUP_CURSOR	0x47964	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan
RT_GROUP_CURSOR	0x47978	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan
RT_GROUP_CURSOR	0x4798c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan
RT_GROUP_CURSOR	0x479a0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan
RT_GROUP_CURSOR	0x479b4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan
RT_GROUP_CURSOR	0x479c8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan
RT_GROUP_CURSOR	0x479dc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan
RT_GROUP_CURSOR	0x479f0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan
RT_GROUP_CURSOR	0x47a04	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan
RT_GROUP_CURSOR	0x47a18	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan
RT_GROUP_CURSOR	0x47a2c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan
RT_GROUP_CURSOR	0x47a40	0x14	Lotus unknown worksheet or configuration, revision 0x1	Japanese	Japan
RT_GROUP_ICON	0x47a54	0x84	data	Japanese	Japan
RT_GROUP_ICON	0x47ad8	0x14	data	Japanese	Japan
RT_GROUP_ICON	0x47aec	0x14	data	Japanese	Japan
RT_GROUP_ICON	0x47b00	0x14	data	Japanese	Japan
RT_GROUP_ICON	0x47b14	0x14	data	Japanese	Japan
RT_VERSION	0x47b28	0x32c	data	Japanese	Japan
RT_MANIFEST	0x47e54	0x2cf	ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
COMCTL32.dll	ImageList_Create, ImageList_ReplaceIcon
iusb3mon.dll	_USB3MON_GetHostInfoW@20, _USB3MON_Create@12, _USB3MON_GetDeviceInfoW@20, _USB3MON_GetInterfaceVersion@8, _USB3MON_DeviceChange@12, _USB3MON_ForwardMessage@16, _USB3MON_Close@4
KERNEL32.dll	FreeLibrary, InterlockedIncrement, WaitForSingleObject, SetEvent, GlobalAlloc, lstrcmpW, lstrlenW, ReleaseSemaphore, InterlockedExchange, GetLastError, GlobalFree, CreateSemaphoreW, CreateEventW, WaitForMultipleObjects, OpenEventW, GetUserDefaultUILanguage, ReleaseMutex, CloseHandle, ResumeThread, CreateThread, LoadLibraryExW, ExitThread, ResetEvent, SuspendThread, GetConsoleOutputCP, CreateMutexW, HeapSize, LCMapStringW, LCMapStringA, GetStringTypeW, GetStringTypeA, GetLocaleInfoA, MultiByteToWideChar, GetConsoleMode, GetConsoleCP, SetFilePointer, HeapReAlloc, VirtualAlloc, HeapAlloc, RtlUnwind, InitializeCriticalSectionAndSpinCount, LoadLibraryA, IsValidCodePage, GetOEMCP, SetStdHandle, WriteConsoleA, WriteConsoleW, CreateFileA, FlushFileBuffers, GetACP, GetCPInfo, GetCurrentThreadId, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, InterlockedDecrement, Sleep, ExitProcess, HeapFree, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection
USER32.dll	GetWindowRect, GetDlgItem, EndDialog, GetDesktopWindow, SetWindowPos, SetDlgItemTextW, SendMessageW, DestroyWindow, SetTimer, GetMessageW, PostQuitMessage, PostMessageW, KillTimer, DialogBoxParamW, LoadCursorW, RegisterClassExW, LoadIconW, LoadStringW, ShowWindow, CreateWindowExW, UpdateWindow, SetWindowTextW, DefWindowProcW, DispatchMessageW, TranslateMessage
GDI32.dll	GetStockObject
ADVAPI32.dll	RegQueryValueExW, SetNamedSecurityInfoW, RegOpenKeyExW, RegSetValueExW, RegCloseKey, RegCreateKeyExW
SHELL32.dll	Shell_NotifyIconW

Version Infos

Description	Data
LegalCopyright	(C) 2011 - 2013 Intel Corporation
InternalName	iusb3mon.exe
FileVersion	1.0.10.255
CompanyName	Intel Corporation
ProductName	Intel(R) USB 3.0 Monitor
ProductVersion	1.0.10.255
FileDescription	Intel(R) USB 3.0 Monitor
OriginalFilename	iusb3mon.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Japanese	Japan
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• iusb3mon_exe.exe
• iusb3mon_exe.exe
• iusb3mon_exe.exe

Click to jump to process

Memory Usage

• iusb3mon_exe.exe
• iusb3mon_exe.exe
• iusb3mon_exe.exe

Click to jump to process

Behavior

• iusb3mon_exe.exe
• iusb3mon_exe.exe
• iusb3mon_exe.exe

Click to jump to process

System Behavior

Analysis Process: iusb3mon_exe.exe PID: 1156 Parent PID: 5748

Function Logs

General

Start time:	08:05:48
Start date:	21/05/2021
Path:	C:\Users\user\Desktop\iusb3mon_exe.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\iusb3mon_exe.exe' -install
Imagebase:	0x9a0000
File size:	292088 bytes
MD5 hash:	9166C1276B296BC78FA816CD8448CD32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Chronological Activities

Analysis Process: iusb3mon_exe.exe PID: 5932 Parent PID: 5748

Function Logs

General

Start time:	08:05:51
Start date:	21/05/2021
Path:	C:\Users\user\Desktop\iusb3mon_exe.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\iusb3mon_exe.exe' /install
Imagebase:	0x9a0000
File size:	292088 bytes
MD5 hash:	9166C1276B296BC78FA816CD8448CD32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Show Windows behavior

Process Activities

Show Windows behavior

Thread Activities

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Chronological Activities

Analysis Process: iusb3mon_exe.exe PID: 5524 Parent PID: 5748

Function Logs

General

Start time:	08:05:53
Start date:	21/05/2021
Path:	C:\Users\user\Desktop\iusb3mon_exe.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\iusb3mon_exe.exe' /load
Imagebase:	0x9a0000
File size:	292088 bytes
MD5 hash:	9166C1276B296BC78FA816CD8448CD32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Show Windows behavior

Process Activities

Show Windows behavior

Thread Activities

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Chronological Activities

Disassembly

Code Analysis

Analysis Process: iusb3mon_exe.exe PID: 1156 Parent PID: 5748 iusb3mon_exe.exeCOMMON

Executed Functions

Non-executed Functions

Function 009ABCE0, Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 148
synchronizationwindowthreadCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E009ABCE0(MSG* __edx, intOrPtr _a4) {
				struct HWND__* _v8;
				signed int _v12;
				char _v20;
				signed int _v32;
				void _v60;
				struct HWND__* _v64;
				struct tagMSG _v92;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t20;
				signed int _t21;
				void* _t26;
				void* _t31;
				void* _t32;
				void* _t33;
				void _t34;
				void* _t35;
				void* _t36;
				void* _t37;
				intOrPtr _t38;
				int _t43;
				intOrPtr _t48;
				void* _t49;
				void* _t64;
				void* _t68;
				signed int _t71;

				_t58 = __edx;
				_push(0xfffffffe);
				_push(0x9ad960);
				_push(E009A28F0);
				_push( *[fs:0x0]);
				_t20 =  *0x9af004; // 0xd975285d
				_v12 = _v12 ^ _t20;
				_t21 = _t20 ^ _t71;
				_v32 = _t21;
				_push(_t21);
				 *[fs:0x0] =  &_v20;
				_t48 = _a4;
				memcpy( &_v60, L"Usb30Monitor", 6 << 2);
				asm("movsw");
				_v64 = 0;
				_v8 = 0;
				 *0x9b2570 = E009AA750();
				 *0x9b2574 = E009AA6C0();
				_t26 = CreateMutexW(0, 1, L"IUsb3MonMutexString");
				_v64 = _t26;
				if(_t26 == 0 || GetLastError() == 0xb7) {
					L15:
					_v8 = 0xfffffffe;
					E009ABEB0();
					 *[fs:0x0] = _v20;
					_pop(_t64);
					_pop(_t68);
					_pop(_t49);
					__eflags = _v32 ^ _t71;
					return E009A1000(0, _t49, _v32 ^ _t71, _t58, _t64, _t68);
				} else {
					_t31 = CreateSemaphoreW(0, 1, 1, 0);
					 *0x9b2544 = _t31;
					if(_t31 == 0) {
						goto L15;
					}
					_t32 = CreateSemaphoreW(0, 1, 1, 0);
					 *0x9b255c = _t32;
					if(_t32 == 0) {
						goto L15;
					}
					_t33 = CreateEventW(0, 0, 0, 0);
					 *0x9b2548 = _t33;
					if(_t33 == 0) {
						goto L15;
					}
					 *0x9b254c = 1;
					 *0x9b2550 = 0x2710;
					 *0x9b2560 = 0;
					 *0x9b256c = 0;
					_t34 = CreateThread(0, 0, E009AA320, 0x9b2540, 0, 0);
					 *0x9b2540 = _t34;
					if(_t34 == 0) {
						goto L15;
					}
					_t35 = CreateMutexW(0, 0, L"{B2CB09FF-2453-4f85-9F40-21C05BE4CBA8}");
					 *0x9b2584 = _t35;
					if(_t35 == 0) {
						goto L15;
					}
					_t36 = CreateMutexW(0, 0, L"{B6D22F93-22FB-4db9-9F39-42AFED80B597}");
					 *0x9b2588 = _t36;
					if(_t36 == 0) {
						goto L15;
					}
					_t37 = E009AB000();
					_t85 = _t37;
					if(_t37 == 0) {
						goto L15;
					}
					_t38 = E009AA830(_t48, CreateMutexW, _t85);
					 *0x9b2554 = _t38;
					if(_t38 == 0) {
						goto L15;
					}
					_push( &_v60);
					if(E009ABC60(_t48) != 0 && E009AB2B0( &_v60, _t58, _t48) != 0) {
						while(1) {
							_t43 = GetMessageW( &_v92, 0, 0, 0);
							if(_t43 == 0) {
								goto L15;
							}
							if(_t43 != 0xffffffff) {
								_t58 =  &_v92;
								TranslateMessage( &_v92);
								DispatchMessageW( &_v92);
							}
						}
					}
					goto L15;
				}
			}

0x009abce0
0x009abce3
0x009abce5
0x009abcea
0x009abcf5
0x009abcf9
0x009abcfe
0x009abd01
0x009abd03
0x009abd09
0x009abd0d
0x009abd13
0x009abd23
0x009abd25
0x009abd29
0x009abd2c
0x009abd34
0x009abd3e
0x009abd51
0x009abd53
0x009abd58
0x009abe84
0x009abe84
0x009abe8b
0x009abe95
0x009abe9d
0x009abe9e
0x009abe9f
0x009abea3
0x009abead
0x009abd6f
0x009abd7b
0x009abd7d
0x009abd84
0x00000000
0x00000000
0x009abd92
0x009abd94
0x009abd9d
0x00000000
0x00000000
0x009abda7
0x009abdad
0x009abdb4
0x00000000
0x00000000
0x009abdba
0x009abdc4
0x009abdce
0x009abdd4
0x009abde8
0x009abdee
0x009abdf5
0x00000000
0x00000000
0x009abe02
0x009abe04
0x009abe0b
0x00000000
0x00000000
0x009abe14
0x009abe16
0x009abe1d
0x00000000
0x00000000
0x009abe1f
0x009abe24
0x009abe26
0x00000000
0x00000000
0x009abe28
0x009abe2d
0x009abe34
0x00000000
0x00000000
0x009abe39
0x009abe46
0x009abe58
0x009abe5f
0x009abe67
0x00000000
0x00000000
0x009abe6c
0x009abe6e
0x009abe72
0x009abe7c
0x009abe7c
0x009abe6c
0x009abe58
0x00000000
0x009abe46

APIs

Part of subcall function 009AA750: RegOpenKeyExW.ADVAPI32(80000001,Software\Intel\iusb3mon\Parameters,00000000,00020019,00000004,D975285D), ref: 009AA779
Part of subcall function 009AA750: RegQueryValueExW.ADVAPI32(?,ExeDebugLevel,00000000,?,?,?), ref: 009AA79E
Part of subcall function 009AA750: RegCloseKey.ADVAPI32 ref: 009AA7A8

Part of subcall function 009AA6C0: RegOpenKeyExW.ADVAPI32 ref: 009AA6EE
Part of subcall function 009AA6C0: RegQueryValueExW.ADVAPI32(00020019,DevNodeTime,00000000,00000BB8,?,00020019), ref: 009AA713
Part of subcall function 009AA6C0: RegCloseKey.ADVAPI32(?), ref: 009AA73A

CreateMutexW.KERNEL32(00000000,00000001,IUsb3MonMutexString,D975285D), ref: 009ABD51
GetLastError.KERNEL32 ref: 009ABD5E
CreateSemaphoreW.KERNEL32(00000000,00000001,00000001,00000000), ref: 009ABD7B
CreateSemaphoreW.KERNEL32(00000000,00000001,00000001,00000000), ref: 009ABD92
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 009ABDA7
CreateThread.KERNEL32 ref: 009ABDE8
CreateMutexW.KERNEL32(00000000,00000000,{B2CB09FF-2453-4f85-9F40-21C05BE4CBA8}), ref: 009ABE02
CreateMutexW.KERNEL32(00000000,00000000,{B6D22F93-22FB-4db9-9F39-42AFED80B597}), ref: 009ABE14

Part of subcall function 009AB000: WaitForSingleObject.KERNEL32 ref: 009AB03F
Part of subcall function 009AB000: RegCreateKeyExW.ADVAPI32(80000001,Software\{B2CB09FF-2453-4f85-9F40-21C05BE4CBA8},00000000,009B0FC0,00000000,000F003F,00000000,000000FF,?), ref: 009AB062
Part of subcall function 009AB000: RegCloseKey.ADVAPI32(00000000), ref: 009AB109
Part of subcall function 009AB000: ReleaseMutex.KERNEL32(?), ref: 009AB116

Part of subcall function 009AA830: _memset.LIBCMT ref: 009AA856
Part of subcall function 009AA830: GetUserDefaultUILanguage.KERNEL32 ref: 009AA867
Part of subcall function 009AA830: swprintf.LIBCMT ref: 009AA8A8
Part of subcall function 009AA830: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,?,00000000), ref: 009AA8BF
Part of subcall function 009AA830: _memset.LIBCMT ref: 009AA8D0
Part of subcall function 009AA830: swprintf.LIBCMT ref: 009AA8EE
Part of subcall function 009AA830: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 009AA8FF

Part of subcall function 009ABC60: LoadIconW.USER32 ref: 009ABC8D
Part of subcall function 009ABC60: LoadCursorW.USER32(00000000,00007F00), ref: 009ABCA1
Part of subcall function 009ABC60: GetStockObject.GDI32(00000000), ref: 009ABCAC
Part of subcall function 009ABC60: RegisterClassExW.USER32 ref: 009ABCCB

Part of subcall function 009AB2B0: CreateWindowExW.USER32 ref: 009AB2F9

GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009ABE5F
TranslateMessage.USER32(?), ref: 009ABE72
DispatchMessageW.USER32 ref: 009ABE7C

Strings

IUsb3MonMutexString, xrefs: 009ABD43
{B2CB09FF-2453-4f85-9F40-21C05BE4CBA8}, xrefs: 009ABDFB
Usb30Monitor, xrefs: 009ABD1B
{B6D22F93-22FB-4db9-9F39-42AFED80B597}, xrefs: 009ABE0D

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: Create$LoadMutex$CloseMessage$LibraryObjectOpenQuerySemaphoreValue_memsetswprintf$ClassCursorDefaultDispatchErrorEventIconLanguageLastRegisterReleaseSingleStockThreadTranslateUserWaitWindow
String ID: IUsb3MonMutexString$Usb30Monitor${B2CB09FF-2453-4f85-9F40-21C05BE4CBA8}${B6D22F93-22FB-4db9-9F39-42AFED80B597}
API String ID: 3510075701-2966448562
Opcode ID: af574f766aac09b106b6b4b44df0f8acde6187589c4f2ffb0fd8248293216a80
Instruction ID: b5541263d6a7c4471c4f9cc6ac2512f9b604a2af756095a16b0e9ef61914dd43
Opcode Fuzzy Hash: af574f766aac09b106b6b4b44df0f8acde6187589c4f2ffb0fd8248293216a80
Instruction Fuzzy Hash: 9541B271915228ABC7209FB5AD49BDFBFBCEF46B20F100626F515E61A1D7B09800DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 009A1000, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E009A1000(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x9af004; // 0xd975285d
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x9b0678 = _t6;
				 *0x9b0674 = _t22;
				 *0x9b0670 = _t25;
				 *0x9b066c = _t21;
				 *0x9b0668 = _t27;
				 *0x9b0664 = _t26;
				 *0x9b0690 = ss;
				 *0x9b0684 = cs;
				 *0x9b0660 = ds;
				 *0x9b065c = es;
				 *0x9b0658 = fs;
				 *0x9b0654 = gs;
				asm("pushfd");
				_pop( *0x9b0688);
				 *0x9b067c =  *_t31;
				 *0x9b0680 = _v0;
				 *0x9b068c =  &_a4;
				 *0x9b05c8 = 0x10001;
				_t11 =  *0x9b0680; // 0x0
				 *0x9b057c = _t11;
				 *0x9b0570 = 0xc0000409;
				 *0x9b0574 = 1;
				_t12 =  *0x9af004; // 0xd975285d
				_v812 = _t12;
				_t13 =  *0x9af008; // 0x44bf19b1
				_v808 = _t13;
				 *0x9b05c0 = IsDebuggerPresent();
				_push(1);
				E009A3E48(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x9ac28c);
				if( *0x9b05c0 == 0) {
					_push(1);
					E009A3E48(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x009a1000
0x009a1000
0x009a1000
0x009a1000
0x009a1000
0x009a1000
0x009a1000
0x009a1006
0x009a1008
0x009a1008
0x009a15f7
0x009a15fc
0x009a1602
0x009a1608
0x009a160e
0x009a1614
0x009a161a
0x009a1621
0x009a1628
0x009a162f
0x009a1636
0x009a163d
0x009a1644
0x009a1645
0x009a164e
0x009a1656
0x009a165e
0x009a1669
0x009a1673
0x009a1678
0x009a167d
0x009a1687
0x009a1691
0x009a1696
0x009a169c
0x009a16a1
0x009a16ad
0x009a16b2
0x009a16b4
0x009a16bc
0x009a16c7
0x009a16d4
0x009a16d6
0x009a16d8
0x009a16dd
0x009a16f1

APIs

IsDebuggerPresent.KERNEL32 ref: 009A16A7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009A16BC
UnhandledExceptionFilter.KERNEL32(009AC28C), ref: 009A16C7
GetCurrentProcess.KERNEL32(C0000409), ref: 009A16E3
TerminateProcess.KERNEL32(00000000), ref: 009A16EA

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 3412aa4cf91ff2c59369fad7a63a78503b2d8bc8adc9c1571ee82287f1b98907
Instruction ID: 2584f5d0fd482fd37223c588598584e35532dbc8023ae6fe22e6a291ea897d87
Opcode Fuzzy Hash: 3412aa4cf91ff2c59369fad7a63a78503b2d8bc8adc9c1571ee82287f1b98907
Instruction Fuzzy Hash: 70211FB992D304DFD350DF65EE4AA463BA4FBC9364F00031AF80887661E7B09990EF95

Uniqueness

Uniqueness Score: -1.00%

Function 009A3427, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E009A3427() {

				SetUnhandledExceptionFilter(E009A33E5);
				return 0;
			}

0x009a342c
0x009a3434

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000033E5), ref: 009A342C

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0a29c6aec3cee4c2a2702eee6dd276796da4cb075986405e69504a7c9bf8d892
Instruction ID: f0cdb2615ded313abac6287ac00bfb4883de47683680c96e9ac277d201caa6bb
Opcode Fuzzy Hash: 0a29c6aec3cee4c2a2702eee6dd276796da4cb075986405e69504a7c9bf8d892
Instruction Fuzzy Hash: 7D9002A036E140866A0017715D4A61525D55E9AB4A79144587111C8055DE55810065A2

Uniqueness

Uniqueness Score: -1.00%

Function 009AB950, Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 251
windowtimesynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E009AB950(void* __ebp, int _a8, int _a12, long _a16) {
				struct HWND__* _v12;
				void* __esi;
				void* _t14;
				void* _t18;
				void* _t24;
				signed int _t26;
				signed int _t27;
				void* _t36;
				void* _t39;
				void* _t40;
				void* _t41;
				void* _t43;
				void* _t50;
				int _t67;
				void* _t75;
				void* _t77;
				void* _t82;
				long _t84;
				int _t87;
				struct HWND__* _t88;
				void* _t89;
				void* _t90;
				void* _t93;

				_t90 = __ebp;
				_t67 = _a12;
				_t87 = _a8;
				_t84 = _a16;
				__imp___USB3MON_ForwardMessage@16( *0x9b2520, _t87, _t67, _t84);
				_t93 = _t87 - 0x219;
				if(_t93 > 0) {
					__eflags = _t87 - 0x401;
					if(_t87 == 0x401) {
						goto L23;
					} else {
						__eflags = _t87 - 0x800a;
						if(_t87 == 0x800a) {
							_t14 = _t84 - 0x403;
							__eflags = _t14;
							if(_t14 == 0) {
								SetEvent( *0x9b2548);
								__eflags = 0;
								return 0;
							} else {
								_t18 = _t14 - 1;
								__eflags = _t18;
								if(_t18 == 0) {
									SetEvent( *0x9b2548);
									__eflags = 0;
									return 0;
								} else {
									__eflags = _t18 != 1;
									if(_t18 != 1) {
										goto L24;
									} else {
										__eflags =  *0x9b2558 - 2;
										if( *0x9b2558 != 2) {
											L39:
											SetEvent( *0x9b2548);
											__eflags = 0;
											return 0;
										} else {
											_t24 =  *0x9b2530;
											__eflags = _t24;
											if(_t24 == 0) {
												goto L39;
											} else {
												 *_t24 = 1;
												SetEvent( *0x9b2548);
												_t26 = E009AA7C0();
												__eflags = _t26;
												if(_t26 == 0) {
													__imp__GetUserDefaultUILanguage();
													_t26 = _t26 & 0x0000ffff;
												}
												_t27 = _t26 & 0x000000ff;
												__eflags = _t27 - 1;
												if(_t27 == 1) {
													L38:
													DialogBoxParamW( *0x9b2528, 0x6b, _v12, E009AAFC0, 0);
													 *0x9b2558 = 0;
													__eflags = 0;
													return 0;
												} else {
													__eflags = _t27 - 0xd;
													if(_t27 == 0xd) {
														goto L38;
													} else {
														DialogBoxParamW( *0x9b2528, 0x6a, _v12, E009AAFC0, 0);
														 *0x9b2558 = 0;
														__eflags = 0;
														return 0;
													}
												}
											}
										}
									}
								}
							}
						} else {
							goto L27;
						}
					}
				} else {
					if(_t93 == 0) {
						_t36 = _t67 - 0x8000;
						__eflags = _t36;
						if(_t36 == 0) {
							L23:
							InterlockedIncrement(0x9b257c);
						} else {
							__eflags = _t36 == 4;
							if(_t36 == 4) {
								goto L23;
							}
						}
						L24:
						__eflags = 0;
						return 0;
					} else {
						_t39 = _t87 - 1;
						if(_t39 == 0) {
							_t40 = CreateEventW(0, 0, 0, 0);
							_t88 = _v12;
							 *0x9b2564 = _t40;
							 *0x9b0fb8 = _t88;
							_t41 = E009A116D(_t77, _t88, 0, 0, E009AB1D0, 0x9b0fb8, 0, 0);
							 *0x9b0fbc = _t41;
							__eflags = _t41;
							if(_t41 == 0) {
								PostMessageW(_t88, 0x10, 0, 0);
							}
							_t43 = E009AB260(_t88);
							__imp___USB3MON_GetInterfaceVersion@8(0, 0x9b2524);
							__eflags = _t43;
							if(_t43 != 0) {
								_t43 = PostMessageW(_t88, 0x10, 0, 0);
							}
							__imp___USB3MON_Create@12(_t88,  *0x9b2528, 0x9b2520);
							__eflags = _t43;
							if(_t43 != 0) {
								PostMessageW(_t88, 0x10, 0, 0);
							} else {
								E009AB600(_t90);
							}
							 *0x9b2580 = 0;
							SetTimer(_t88, 1,  *0x9b2574, 0x9ab8b0);
							__eflags = 0;
							return 0;
						} else {
							_t50 = _t39 - 1;
							if(_t50 == 0) {
								__eflags =  *0x9b0fbc; // 0x0
								if(__eflags != 0) {
									__eflags =  *0x9b256c - 1;
									if( *0x9b256c != 1) {
										_t89 = OpenEventW(0x1f0003, 0, L"Global\\IUSB3MON");
										__eflags = _t89;
										if(_t89 != 0) {
											SetEvent(_t89);
											CloseHandle(_t89);
										}
									} else {
										SetEvent( *0x9b2564);
									}
									E009AB450();
									CloseHandle( *0x9b2564);
									_t75 =  *0x9b0fbc; // 0x0
									 *0x9b2564 = 0;
									WaitForSingleObject(_t75, 0xffffffff);
									_t82 =  *0x9b0fbc; // 0x0
									CloseHandle(_t82);
									 *0x9b0fbc = 0;
									Shell_NotifyIconW(2, 0x9b2160);
									__imp___USB3MON_Close@4( *0x9b2520);
								}
								KillTimer(_v12, 1);
								PostQuitMessage(0);
								__eflags = 0;
								return 0;
							} else {
								if(_t50 != 0xe) {
									L27:
									return DefWindowProcW(_v12, _t87, _t67, _t84);
								} else {
									 *0x9b256c = 1;
									DestroyWindow(_v12);
									return 0;
								}
							}
						}
					}
				}
			}

0x009ab950
0x009ab956
0x009ab95b
0x009ab960
0x009ab968
0x009ab96e
0x009ab974
0x009abb36
0x009abb3c
0x00000000
0x009abb3e
0x009abb3e
0x009abb44
0x009abb5c
0x009abb5c
0x009abb61
0x009abc44
0x009abc4c
0x009abc4f
0x009abb67
0x009abb67
0x009abb67
0x009abb6a
0x009abc30
0x009abc38
0x009abc3b
0x009abb70
0x009abb70
0x009abb73
0x00000000
0x009abb75
0x009abb75
0x009abb7c
0x009abc14
0x009abc1b
0x009abc23
0x009abc26
0x009abb82
0x009abb82
0x009abb89
0x009abb8b
0x00000000
0x009abb91
0x009abb91
0x009abb9e
0x009abba4
0x009abba9
0x009abbab
0x009abbad
0x009abbb3
0x009abbb3
0x009abbb6
0x009abbbb
0x009abbbe
0x009abbed
0x009abc00
0x009abc08
0x009abc0e
0x009abc11
0x009abbc0
0x009abbc0
0x009abbc3
0x00000000
0x009abbc5
0x009abbd9
0x009abbe1
0x009abbe7
0x009abbea
0x009abbea
0x009abbc3
0x009abbbe
0x009abb8b
0x009abb7c
0x009abb73
0x009abb6a
0x00000000
0x00000000
0x00000000
0x009abb44
0x009ab97a
0x009ab97a
0x009abb17
0x009abb17
0x009abb1c
0x009abb23
0x009abb28
0x009abb1e
0x009abb1e
0x009abb21
0x00000000
0x00000000
0x009abb21
0x009abb30
0x009abb30
0x009abb33
0x009ab980
0x009ab982
0x009ab985
0x009aba6f
0x009aba75
0x009aba87
0x009aba8c
0x009aba92
0x009abaa0
0x009abaa5
0x009abaa7
0x009abaae
0x009abaae
0x009abab2
0x009ababd
0x009abac3
0x009abac5
0x009abacc
0x009abacc
0x009abadb
0x009abae1
0x009abae3
0x009abaf1
0x009abae5
0x009abae5
0x009abae5
0x009abb01
0x009abb07
0x009abb0f
0x009abb12
0x009ab98b
0x009ab98b
0x009ab98e
0x009ab9b8
0x009ab9be
0x009ab9c4
0x009ab9d1
0x009ab9f3
0x009ab9f5
0x009ab9f7
0x009ab9fa
0x009aba01
0x009aba01
0x009ab9d3
0x009ab9da
0x009ab9da
0x009aba03
0x009aba0e
0x009aba10
0x009aba19
0x009aba1f
0x009aba25
0x009aba2c
0x009aba35
0x009aba3b
0x009aba47
0x009aba47
0x009aba54
0x009aba5b
0x009aba63
0x009aba66
0x009ab990
0x009ab993
0x009abb46
0x009abb57
0x009ab999
0x009ab99e
0x009ab9a8
0x009ab9b3
0x009ab9b3
0x009ab993
0x009ab98e
0x009ab985
0x009ab97a

APIs

_USB3MON_ForwardMessage@16.IUSB3MON(?,?,?,?), ref: 009AB968
DestroyWindow.USER32(?), ref: 009AB9A8
SetEvent.KERNEL32(?), ref: 009AB9DA
CloseHandle.KERNEL32(?), ref: 009ABA0E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 009ABA1F
CloseHandle.KERNEL32(00000000), ref: 009ABA2C
Shell_NotifyIconW.SHELL32(00000002,009B2160), ref: 009ABA3B
_USB3MON_Close@4.IUSB3MON(?), ref: 009ABA47
KillTimer.USER32(?,00000001), ref: 009ABA54
PostQuitMessage.USER32(00000000), ref: 009ABA5B
CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 009ABA6F
PostMessageW.USER32 ref: 009ABAAE
_USB3MON_GetInterfaceVersion@8.IUSB3MON(00000000,009B2524), ref: 009ABABD
PostMessageW.USER32 ref: 009ABACC
_USB3MON_Create@12.IUSB3MON(?,?,009B2520), ref: 009ABADB
SetTimer.USER32 ref: 009ABB07
InterlockedIncrement.KERNEL32(009B257C), ref: 009ABB28
DefWindowProcW.USER32(?,?,?,?), ref: 009ABB4E
SetEvent.KERNEL32(?), ref: 009ABB9E
GetUserDefaultUILanguage.KERNEL32 ref: 009ABBAD
DialogBoxParamW.USER32(?,0000006A,?,Function_0000AFC0,00000000), ref: 009ABBD9

Strings

Global\IUSB3MON, xrefs: 009AB9E2

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: EventMessagePost$CloseHandleTimerWindow$Close@4CreateCreate@12DefaultDestroyDialogForwardIconIncrementInterfaceInterlockedKillLanguageMessage@16NotifyObjectParamProcQuitShell_SingleUserVersion@8Wait
String ID: Global\IUSB3MON
API String ID: 21712265-2420347707
Opcode ID: 8124fb9e74eba735e2563618309fc979b3b610f5cdc70e085378ca72d5ba360f
Instruction ID: 58a3a3741b6abbf5b437d13613b638f72dcaf5386a01acc2df42b470f59df908
Opcode Fuzzy Hash: 8124fb9e74eba735e2563618309fc979b3b610f5cdc70e085378ca72d5ba360f
Instruction Fuzzy Hash: AF7167B23182149FD720DFA8AD9CEAB776CFB86365B004929F141D6162C7B59841EBF0

Uniqueness

Uniqueness Score: -1.00%

Function 009AA320, Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 229
threadsynchronizationinjectionCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E009AA320(void** _a4) {
				void** _v4;
				int _v12;
				signed int _t41;
				int _t42;
				void* _t47;
				int _t52;
				int _t60;
				void* _t67;
				void* _t78;
				void* _t79;
				void** _t83;
				void* _t101;
				long _t102;
				long _t103;
				intOrPtr* _t104;
				void* _t105;

				while(1) {
					_t101 = 0;
					goto L2;
					do {
						do {
							L2:
							_t83 = _a4;
							_t102 = 1;
							 *0x9b254c =  *0x9b254c - 1;
							WaitForSingleObject(_t83[1], 0xffffffff);
							if(_t101 == 0) {
								_t101 = _t83[0xe];
								if(_t101 != 0) {
									_t83[0xe] =  *(_t101 + 0x214);
								}
							}
							ReleaseSemaphore(_t83[1], _t102, 0x9b254c);
							 *0x9b254c =  *0x9b254c + _t102;
							if(_t101 != 0) {
								if( *((intOrPtr*)(_t101 + 0x21c)) != _t102) {
									goto L31;
								}
								_t41 =  *_t101;
								_t103 = 0;
								if((_t41 & 0x00000001) == 0) {
									if((_t41 & 0x00000002) == 0) {
										if((_t41 & 0x00000008) == 0) {
											 *_t101 = 0;
											goto L24;
										}
										 *_t101 = _t41 ^ 0x00000008;
										if(( *(_t101 + 0x220))[2] != 0) {
											goto L24;
										}
										LoadStringW( *0x9b2554, 0x47f, 0x9b2178, 0x100);
										_t52 = Shell_NotifyIconW(0, 0x9b2160);
										GetLastError();
										if(_t52 != 0) {
											 *0x9b2558 = 8;
											 *0x9b216c = 0x10;
											 *0x9b2504 = 2;
											LoadStringW( *0x9b2554, 0x47f, 0x9b2484, 0x80);
											LoadStringW( *0x9b2554, 0x480, 0x9b2280, 0x200);
											_t103 = 1;
											( *(_t101 + 0x220))[2] = 1;
										}
										L23:
										_t83 = _v4;
										goto L24;
									}
									 *_t101 = _t41 ^ 0x00000002;
									if(( *(_t101 + 0x220))[1] != 0) {
										goto L24;
									}
									LoadStringW( *0x9b2554, 0x457, 0x9b2178, 0x100);
									_t60 = Shell_NotifyIconW(0, 0x9b2160);
									_t85 = _t60;
									GetLastError();
									if(_t60 != 0) {
										 *0x9b2558 = 2;
										 *0x9b216c = 0x10;
										 *0x9b2504 = 2;
										LoadStringW( *0x9b2554, 0x457, 0x9b2484, 0x80);
										LoadStringW( *0x9b2554, 0x458, 0x9b2280, 0x200);
										_t24 = _t101 + 4; // 0x4
										_t90 = _t24;
										E009AB370(0x9b2280, L"TargetDevice", _t24);
										_t105 = _t105 + 0xc;
										_t103 = 1;
										 *0x9b2560 =  *0x9b2560 + 1;
										_t67 = GlobalAlloc(0x40, 0x218);
										 *0x9b2530 = _t67;
										if(_t67 != 0) {
											 *_t67 = 0;
											E009A127E(_t85, _t90, _t67 + 4, 0x214, _t101, 0x214);
											_t105 = _t105 + 0x10;
											( *(_t101 + 0x220))[1] = 1;
										} else {
											_t103 = 0;
										}
									}
									goto L23;
								} else {
									 *_t101 = _t41 ^ 0x00000001;
									if( *( *(_t101 + 0x220)) == 0) {
										if(E009AA100() != 1) {
											 *( *(_t101 + 0x220)) = 1;
										} else {
											LoadStringW( *0x9b2554, 0x44d, 0x9b2178, 0x100);
											_v12 = Shell_NotifyIconW(0, 0x9b2160);
											GetLastError();
											if(_v12 != 0) {
												_t103 = 1;
												 *0x9b2558 = 1;
												E009AA200(1, _t101);
												 *( *(_t101 + 0x220)) = 1;
											}
										}
									}
									L24:
									 *0x9b2480 = 0x2710;
									if(_t103 != 0) {
										_t104 = Shell_NotifyIconW;
										_t42 = Shell_NotifyIconW(1, 0x9b2160);
										 *0x9b216c = 7;
										if(_t42 != 0) {
											ResetEvent(_t83[2]);
											WaitForSingleObject(_t83[2], 0x2710);
											_t47 =  *0x9b2530;
											if(_t47 != 0 &&  *_t47 == 0) {
												 *0x9b2560 =  *0x9b2560 - 1;
												GlobalFree(_t47);
												 *0x9b2530 = 0;
											}
										}
										 *_t104(2, 0x9b2160);
									}
									_t102 = 1;
									goto L31;
								}
							}
							_t78 =  *_t83;
							if(_t78 == 0) {
								break;
							}
							SuspendThread(_t78);
						} while ( *_t83 != _t101);
						if(_t83[0xe] == 0) {
							L10:
							ExitThread(0);
						} else {
							goto L9;
						}
						do {
							L9:
							_t79 = _t83[0xe];
							_t83[0xe] =  *(_t79 + 0x214);
							 *0x9b2560 =  *0x9b2560 - _t102;
							GlobalFree(_t79);
						} while (_t83[0xe] != 0);
						goto L10;
						L31:
					} while ( *_t101 != 0 &&  *((intOrPtr*)(_t101 + 0x21c)) != 0);
					 *0x9b2560 =  *0x9b2560 - _t102;
					GlobalFree(_t101);
				}
			}

0x009aa32b
0x009aa32b
0x009aa32b
0x009aa330
0x009aa330
0x009aa330
0x009aa330
0x009aa339
0x009aa33e
0x009aa345
0x009aa34d
0x009aa34f
0x009aa354
0x009aa35c
0x009aa35c
0x009aa354
0x009aa369
0x009aa36f
0x009aa377
0x009aa3c1
0x00000000
0x00000000
0x009aa3c7
0x009aa3c9
0x009aa3cd
0x009aa45b
0x009aa5fb
0x009aa6aa
0x00000000
0x009aa6aa
0x009aa604
0x009aa60f
0x00000000
0x00000000
0x009aa62b
0x009aa634
0x009aa63c
0x009aa644
0x009aa660
0x009aa66a
0x009aa674
0x009aa67e
0x009aa695
0x009aa69d
0x009aa6a2
0x009aa6a2
0x009aa52f
0x009aa52f
0x00000000
0x009aa52f
0x009aa464
0x009aa46f
0x00000000
0x00000000
0x009aa48b
0x009aa494
0x009aa49a
0x009aa49c
0x009aa4a4
0x009aa4c5
0x009aa4ca
0x009aa4d4
0x009aa4d9
0x009aa4f0
0x009aa4f2
0x009aa4f2
0x009aa500
0x009aa505
0x009aa50d
0x009aa512
0x009aa51a
0x009aa520
0x009aa527
0x009aa5d4
0x009aa5e3
0x009aa5ee
0x009aa5f1
0x009aa52d
0x009aa52d
0x009aa52d
0x009aa527
0x00000000
0x009aa3d3
0x009aa3dc
0x009aa3e0
0x009aa3ee
0x009aa44e
0x009aa3f0
0x009aa405
0x009aa413
0x009aa417
0x009aa421
0x009aa427
0x009aa430
0x009aa436
0x009aa441
0x009aa441
0x009aa421
0x009aa3ee
0x009aa533
0x009aa533
0x009aa53f
0x009aa541
0x009aa54e
0x009aa550
0x009aa55c
0x009aa562
0x009aa571
0x009aa577
0x009aa57e
0x009aa585
0x009aa58c
0x009aa592
0x009aa592
0x009aa57e
0x009aa5a3
0x009aa5a3
0x009aa5a5
0x00000000
0x009aa5a5
0x009aa3cd
0x009aa379
0x009aa37d
0x00000000
0x00000000
0x009aa380
0x009aa386
0x009aa38e
0x009aa3af
0x009aa3b1
0x00000000
0x00000000
0x00000000
0x009aa390
0x009aa390
0x009aa390
0x009aa399
0x009aa39c
0x009aa3a3
0x009aa3a9
0x00000000
0x009aa5aa
0x009aa5aa
0x009aa5bc
0x009aa5c3
0x009aa5c3

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 009AA345
ReleaseSemaphore.KERNEL32(?,00000001,009B254C), ref: 009AA369
SuspendThread.KERNEL32(00000000), ref: 009AA380
GlobalFree.KERNEL32 ref: 009AA3A3
ExitThread.KERNEL32 ref: 009AA3B1

Strings

TargetDevice, xrefs: 009AA4F6

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: Thread$ExitFreeGlobalObjectReleaseSemaphoreSingleSuspendWait
String ID: TargetDevice
API String ID: 748675075-539041744
Opcode ID: 5048b451ed8bbf79e252c3c98fb5cd983accf9e8a061a206e70527b4d5aada3b
Instruction ID: 1dbb5da9e826b1685bf2d69c29a624365e475e85194c6124ab6454eaa50f2a3c
Opcode Fuzzy Hash: 5048b451ed8bbf79e252c3c98fb5cd983accf9e8a061a206e70527b4d5aada3b
Instruction Fuzzy Hash: 0391F2B0658304DFDB209FA4ED89B5A37A8FF46724F004518F6459B2A1C7B4A844DFD5

Uniqueness

Uniqueness Score: -1.00%

Function 009AB000, Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 106
registrysynchronizationstringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E009AB000() {
				int* _v4;
				int _v8;
				int _v12;
				int _v16;
				void* _v20;
				void* _t30;
				int _t31;
				int _t42;
				void* _t58;
				int* _t60;

				_t60 = 0;
				_v4 = 1;
				_v20 = 0;
				_v12 = 0;
				_v8 = 0;
				_v16 = 0;
				 *0x9b258c = 0;
				 *0x9b2590 = 0;
				 *0x9b2594 = 0;
				WaitForSingleObject( *0x9b2584, 0xffffffff);
				if(RegCreateKeyExW(0x80000001, L"Software\\{B2CB09FF-2453-4f85-9F40-21C05BE4CBA8}", 0, 0x9b0fc0, 0, 0xf003f, 0,  &_v20,  &_v12) == 0) {
					_t30 = _v12 - 1;
					if(_t30 == 0) {
						_t31 = lstrlenW(L"{EAC6B3CA-E278-4446-9122-E11396A0D68E}");
						_t22 = _t31 + 2; // 0x2
						RegSetValueExW(_v20, L"PopupMessageAp", 0, 1, L"{EAC6B3CA-E278-4446-9122-E11396A0D68E}", _t31 + _t22);
						goto L7;
					} else {
						if(_t30 == 1) {
							RegQueryValueExW(_v20, L"PopupMessageAp", 0,  &_v8, 0,  &_v16);
							_t58 = GlobalAlloc(0x40, _v16);
							RegQueryValueExW(_v20, L"PopupMessageAp", 0,  &_v8, _t58,  &_v16);
							_t42 = lstrcmpW(_t58, L"{EAC6B3CA-E278-4446-9122-E11396A0D68E}");
							if(_t42 == 0) {
								_t17 = _t42 + 1; // 0x1
								_t60 = _t17;
							}
							GlobalFree(_t58);
							if(_t60 == 1) {
								L7:
								WaitForSingleObject( *0x9b2588, 0xffffffff);
								 *0x9b258c = 1;
							}
						} else {
							_v4 = 0;
						}
					}
				}
				RegCloseKey(_v20);
				ReleaseMutex( *0x9b2584);
				return _v4;
			}

0x009ab010
0x009ab015
0x009ab01d
0x009ab021
0x009ab025
0x009ab029
0x009ab02d
0x009ab033
0x009ab039
0x009ab03f
0x009ab06a
0x009ab074
0x009ab077
0x009ab12b
0x009ab135
0x009ab148
0x00000000
0x009ab07d
0x009ab080
0x009ab0a6
0x009ab0ba
0x009ab0cd
0x009ab0d5
0x009ab0dd
0x009ab0df
0x009ab0df
0x009ab0df
0x009ab0e3
0x009ab0ee
0x009ab0f0
0x009ab0f8
0x009ab0fa
0x009ab0fa
0x009ab082
0x009ab082
0x009ab082
0x009ab080
0x009ab077
0x009ab109
0x009ab116
0x009ab125

APIs

WaitForSingleObject.KERNEL32 ref: 009AB03F
RegCreateKeyExW.ADVAPI32(80000001,Software\{B2CB09FF-2453-4f85-9F40-21C05BE4CBA8},00000000,009B0FC0,00000000,000F003F,00000000,000000FF,?), ref: 009AB062
RegQueryValueExW.ADVAPI32(00000000,PopupMessageAp,00000000,?,00000000,?,0000DD4C,?), ref: 009AB0A6
GlobalAlloc.KERNEL32(00000040,?), ref: 009AB0AF
RegQueryValueExW.ADVAPI32(?,PopupMessageAp,00000000,?,00000000,?), ref: 009AB0CD
lstrcmpW.KERNEL32(00000000,{EAC6B3CA-E278-4446-9122-E11396A0D68E}), ref: 009AB0D5
GlobalFree.KERNEL32 ref: 009AB0E3
WaitForSingleObject.KERNEL32(?,000000FF), ref: 009AB0F8
RegCloseKey.ADVAPI32(00000000), ref: 009AB109
ReleaseMutex.KERNEL32(?), ref: 009AB116
lstrlenW.KERNEL32({EAC6B3CA-E278-4446-9122-E11396A0D68E}), ref: 009AB12B
RegSetValueExW.ADVAPI32(00000000,PopupMessageAp,00000000,00000001,{EAC6B3CA-E278-4446-9122-E11396A0D68E},00000002), ref: 009AB148

Strings

{EAC6B3CA-E278-4446-9122-E11396A0D68E}, xrefs: 009AB13A
{EAC6B3CA-E278-4446-9122-E11396A0D68E}, xrefs: 009AB126
{EAC6B3CA-E278-4446-9122-E11396A0D68E}, xrefs: 009AB0CF
PopupMessageAp, xrefs: 009AB142
Software\{B2CB09FF-2453-4f85-9F40-21C05BE4CBA8}, xrefs: 009AB058
PopupMessageAp, xrefs: 009AB0C7
PopupMessageAp, xrefs: 009AB0A0

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: Value$GlobalObjectQuerySingleWait$AllocCloseCreateFreeMutexReleaselstrcmplstrlen
String ID: PopupMessageAp$PopupMessageAp$PopupMessageAp$Software\{B2CB09FF-2453-4f85-9F40-21C05BE4CBA8}${EAC6B3CA-E278-4446-9122-E11396A0D68E}${EAC6B3CA-E278-4446-9122-E11396A0D68E}${EAC6B3CA-E278-4446-9122-E11396A0D68E}
API String ID: 4158681666-3516284508
Opcode ID: 602a1efa946c295a8927fcb94a6ba003e438f2bb4486cfadb4eee4776100ab69
Instruction ID: 8976fe34a4d464d46a727be06b32603a19f9b0d4732f10638a9fcc777ce72015
Opcode Fuzzy Hash: 602a1efa946c295a8927fcb94a6ba003e438f2bb4486cfadb4eee4776100ab69
Instruction Fuzzy Hash: EC314DB1218321AFC714CF58DD89DAB7BA8EBCAB64F004A0CF65597161D7B0E904DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009AADD0, Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E009AADD0(struct HWND__* __ecx, void* __ebp, void* __eflags) {
				signed int _v4;
				char _v260;
				short _v1284;
				void* _v1288;
				void* _v1292;
				signed char _v1293;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t30;
				void* _t32;
				void* _t38;
				void* _t66;
				void* _t90;
				struct HWND__* _t92;
				signed int _t96;

				_t30 =  *0x9af004; // 0xd975285d
				_v4 = _t30 ^ _t96;
				_t66 = 0;
				_t92 = __ecx;
				_v1292 = 0;
				_v1288 = 0;
				_t32 = E009AAD40( &_v1292);
				_t90 = _v1292;
				if(_t32 == 1) {
					_push( &_v1288);
					_t38 = E009AACD0( *((intOrPtr*)(_t90 + 0x210)));
					_t66 = _v1288;
					_t96 = _t96 + 8;
					if(_t38 == 1) {
						_v1293 = E009AAA00(_t66, _t90);
						LoadStringW( *0x9b2554, 0x461,  &_v1284, 0x400);
						SetWindowTextW(_t92,  &_v1284);
						LoadStringW( *0x9b2554, 0x462,  &_v1284, 0x400);
						SetDlgItemTextW(_t92, 0x3e9,  &_v1284);
						LoadStringW( *0x9b2554, 0x463,  &_v1284, 0x400);
						SetDlgItemTextW(_t92, 0x3ed,  &_v1284);
						LoadStringW( *0x9b2554, 0x46b,  &_v1284, 0x400);
						E009AB370( &_v1284, L"TargetDevice", _v1292 + 4);
						E009A140F(_v1293 & 0x000000ff,  &_v260, 0x100, 0xa);
						E009AB370( &_v1284, L"nn",  &_v260);
						SetDlgItemTextW(_t92, 0x3ea,  &_v1284);
						LoadStringW( *0x9b2554, 0x46c,  &_v1284, 0x400);
						SetDlgItemTextW(_t92, 0x3eb,  &_v1284);
						_t81 =  &_v1284;
						LoadStringW( *0x9b2554, 0x46d,  &_v1284, 0x400);
						SetDlgItemTextW(_t92, 0x3ee,  &_v1284);
						E009AAA50(LoadStringW, _t92);
						_push(_t66);
						E009AAB60(_t92);
						_t90 = _v1292;
						_t96 = _t96 + 0x30;
					}
				}
				if(_t90 != 0) {
					 *0x9b2560 =  *0x9b2560 - 1;
					GlobalFree(_t90);
				}
				if(_t66 != 0) {
					 *0x9b2560 =  *0x9b2560 - 1;
					GlobalFree(_t66);
				}
				return E009A1000(E009AA920(_t92), _t66, _v4 ^ _t96, _t81, _t90, _t92);
			}

0x009aadd6
0x009aaddd
0x009aade8
0x009aadee
0x009aadf0
0x009aadf4
0x009aadf8
0x009aadfd
0x009aae04
0x009aae14
0x009aae16
0x009aae1b
0x009aae1f
0x009aae25
0x009aae42
0x009aae51
0x009aae59
0x009aae74
0x009aae87
0x009aae9e
0x009aaeab
0x009aaec2
0x009aaed6
0x009aaef0
0x009aaf07
0x009aaf1a
0x009aaf31
0x009aaf3e
0x009aaf4a
0x009aaf55
0x009aaf62
0x009aaf65
0x009aaf6a
0x009aaf6d
0x009aaf72
0x009aaf76
0x009aaf76
0x009aae25
0x009aaf81
0x009aaf83
0x009aaf8a
0x009aaf8a
0x009aaf8e
0x009aaf90
0x009aaf97
0x009aaf97
0x009aafb6

APIs

Part of subcall function 009AAD40: GlobalAlloc.KERNEL32(00000040,00000214), ref: 009AAD56
Part of subcall function 009AAD40: WaitForSingleObject.KERNEL32(?,000000FF), ref: 009AAD70
Part of subcall function 009AAD40: _memcpy_s.LIBCMT ref: 009AAD90
Part of subcall function 009AAD40: GlobalFree.KERNEL32 ref: 009AADA5
Part of subcall function 009AAD40: ReleaseSemaphore.KERNEL32(?,00000001,009B254C), ref: 009AADBF

LoadStringW.USER32(?,00000461,?,00000400), ref: 009AAE51
SetWindowTextW.USER32(?,?), ref: 009AAE59
LoadStringW.USER32(?,00000462,?,00000400), ref: 009AAE74
SetDlgItemTextW.USER32 ref: 009AAE87
LoadStringW.USER32(?,00000463,?,00000400), ref: 009AAE9E
SetDlgItemTextW.USER32 ref: 009AAEAB
LoadStringW.USER32(?,0000046B,?,00000400), ref: 009AAEC2

Part of subcall function 009AB370: _memmove_s.LIBCMT ref: 009AB3FA
Part of subcall function 009AB370: _memmove_s.LIBCMT ref: 009AB425

__itow_s.LIBCMT ref: 009AAEF0

Part of subcall function 009A140F: _xtow_s@20.LIBCMT ref: 009A1434

SetDlgItemTextW.USER32 ref: 009AAF1A
LoadStringW.USER32(?,0000046C,?,00000400), ref: 009AAF31
SetDlgItemTextW.USER32 ref: 009AAF3E
LoadStringW.USER32(?,0000046D,?,00000400), ref: 009AAF55
SetDlgItemTextW.USER32 ref: 009AAF62

Part of subcall function 009AAA50: GetDlgItem.USER32 ref: 009AAA75
Part of subcall function 009AAA50: GetWindowRect.USER32 ref: 009AAA83
Part of subcall function 009AAA50: LoadStringW.USER32 ref: 009AAAD1
Part of subcall function 009AAA50: SendMessageW.USER32(00000000,00001061,00000000,?), ref: 009AAAF0
Part of subcall function 009AAA50: LoadStringW.USER32(?,00000465,?,00000080), ref: 009AAB14
Part of subcall function 009AAA50: SendMessageW.USER32(00000000,00001061,00000001,?), ref: 009AAB33

Part of subcall function 009AAB60: GetDlgItem.USER32 ref: 009AAB87
Part of subcall function 009AAB60: SendMessageW.USER32(00000000), ref: 009AABBF
Part of subcall function 009AAB60: swprintf.LIBCMT ref: 009AAC08
Part of subcall function 009AAB60: SendMessageW.USER32 ref: 009AAC4C
Part of subcall function 009AAB60: swprintf.LIBCMT ref: 009AAC74
Part of subcall function 009AAB60: SendMessageW.USER32(00000000,0000104C,00000000,?), ref: 009AACA2

GlobalFree.KERNEL32 ref: 009AAF8A
GlobalFree.KERNEL32 ref: 009AAF97

Part of subcall function 009AACD0: GlobalAlloc.KERNEL32(00000040,00000208), ref: 009AACEE
Part of subcall function 009AACD0: _USB3MON_GetHostInfoW@20.IUSB3MON(?,?,00000000,00000208,00000000), ref: 009AAD06
Part of subcall function 009AACD0: GlobalFree.KERNEL32 ref: 009AAD18

Strings

TargetDevice, xrefs: 009AAED0

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: LoadString$Item$GlobalText$MessageSend$Free$AllocWindow_memmove_sswprintf$HostInfoObjectRectReleaseSemaphoreSingleW@20Wait__itow_s_memcpy_s_xtow_s@20
String ID: TargetDevice
API String ID: 3222704523-539041744
Opcode ID: 4c5dcc9c9b8529e750ae817af811d539740b71f5daf910201e86a9c146ec83ed
Instruction ID: efa9f7078ea432bf75a5073e4c004bff7e3dc0eb91be19e3e97729d3fbc7f56c
Opcode Fuzzy Hash: 4c5dcc9c9b8529e750ae817af811d539740b71f5daf910201e86a9c146ec83ed
Instruction Fuzzy Hash: 734143B22183046FD314DF94DD92EAB73ACEFC5705F00491DB34596191EBB8E6098BE6

Uniqueness

Uniqueness Score: -1.00%

Function 009AB600, Relevance: 21.2, APIs: 14, Instructions: 188
synchronizationmemorythreadCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E009AB600(void* __ebp) {
				signed int _v4;
				signed int _v36;
				void* _v48;
				char _v52;
				char _v540;
				void* _v544;
				char _v548;
				intOrPtr _v552;
				void* _v556;
				long _v568;
				intOrPtr _v576;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t40;
				signed int _t44;
				void* _t50;
				void* _t57;
				signed int _t61;
				void* _t62;
				intOrPtr _t69;
				void* _t72;
				void* _t75;
				void* _t76;
				void* _t81;
				void* _t82;
				void* _t83;
				long _t86;
				signed int _t88;

				_t88 =  &_v544;
				_t40 =  *0x9af004; // 0xd975285d
				_v4 = _t40 ^ _t88;
				_t86 = 0;
				_v540 = 0;
				do {
					_t73 =  *0x9b2520;
					_t42 =  &_v540;
					__imp___USB3MON_DeviceChange@12( *0x9b2520,  &_v544, _t42);
					_t61 = _t42;
					if(_v552 == _t86 &&  *0x9b258c == 1) {
						_t42 = ReleaseMutex( *0x9b2588);
						 *0x9b258c = _t86;
					}
					if(_t61 == 3 || _t61 == 6) {
						_t73 = _v556;
						_t44 =  *0x9b2520;
						__imp___USB3MON_GetDeviceInfoW@20(_t44, _v556,  *0x9b2524, 0x214,  &_v548);
						_t61 = _t44;
						if(_t61 != _t86) {
							goto L15;
						}
						 *0x9b2560 =  *0x9b2560 + 1;
						_t82 = GlobalAlloc(0x40, 0x18);
						if(_t82 == _t86) {
							_t76 = 0;
						} else {
							 *((intOrPtr*)(_t82 + 0x10)) = _v576;
							_t73 = _v48;
							 *(_t82 + 0xc) = _v48;
							_t76 = E009AB580( &_v568, _t82);
							_t88 = _t88 + 4;
							if(_t76 != _t86) {
								 *0x9b2560 =  *0x9b2560 - 1;
								GlobalFree(_t82);
							} else {
								E009AB520(_t82);
								_t76 = _t82;
							}
						}
						_t42 = _v568;
						if((_t42 & 0x00000002) != 0 && _v52 != 3) {
							_t42 = _t42 - 2;
							_v568 = _t42;
						}
						if(_t42 == _t86 || _t76 == _t86) {
							goto L17;
						} else {
							 *0x9b2560 =  *0x9b2560 + 1;
							_t83 = GlobalAlloc(0x40, 0x224);
							if(_t83 == 0) {
								goto L17;
							}
							 *(_t83 + 0x21c) = 1;
							 *((intOrPtr*)(_t83 + 0x218)) = _v576;
							 *(_t83 + 0x220) = _t76;
							E009A127E(_t61,  &_v568, _t83, 0x214,  &_v568, 0x214);
							_t73 =  *0x9b2544;
							_t88 = _t88 + 0x10;
							 *0x9b254c =  *0x9b254c - 1;
							WaitForSingleObject( *0x9b2544, 0xffffffff);
							_t50 =  *0x9b2578;
							if(_t50 != 0) {
								_t69 = _v576;
								if( *((intOrPtr*)(_t50 + 0x218)) == _t69) {
									_t86 = 1;
								}
								if( *(_t50 + 0x214) == 0) {
									L42:
									if(_t86 != 0) {
										 *0x9b2560 =  *0x9b2560 - 1;
										GlobalFree(_t83);
									} else {
										 *(_t50 + 0x214) = _t83;
									}
									L45:
									_t42 = ReleaseSemaphore( *0x9b2544, 1, 0x9b254c);
									 *0x9b254c =  *0x9b254c + 1;
									goto L17;
								} else {
									do {
										_t50 =  *(_t50 + 0x214);
										if( *((intOrPtr*)(_t50 + 0x218)) == _t69) {
											_t86 = 1;
										}
									} while ( *(_t50 + 0x214) != 0);
									goto L42;
								}
							}
							 *0x9b2578 = _t83;
							goto L45;
						}
					} else {
						if(_t61 != 4) {
							if((_t61 & 0xc0000000) == 0) {
								L16:
								if(_t61 == 5) {
									break;
								}
								goto L17;
							}
							L15:
							_t42 = InterlockedIncrement(0x9b257c);
							goto L16;
						}
						 *0x9b254c =  *0x9b254c - 1;
						WaitForSingleObject( *0x9b2544, 0xffffffff);
						_t57 =  *0x9b2578;
						if(_t57 == _t86) {
							L13:
							_t73 =  *0x9b2544;
							ReleaseSemaphore( *0x9b2544, 1, 0x9b254c);
							 *0x9b254c =  *0x9b254c + 1;
							_t42 = E009AB4B0(_v556);
							goto L17;
						}
						_t72 = _v556;
						while(_t72 !=  *((intOrPtr*)(_t57 + 0x218))) {
							_t57 =  *(_t57 + 0x214);
							if(_t57 != _t86) {
								continue;
							}
							goto L13;
						}
						 *(_t57 + 0x21c) = _t86;
						goto L13;
					}
					L17:
					_t86 = 0;
				} while ((_t61 & 0xc0000000) == 0);
				_pop(_t75);
				_pop(_t81);
				_pop(_t62);
				if( *0x9b2578 != _t86) {
					_t42 = ResumeThread( *0x9b2540);
				}
				return E009A1000(_t42, _t62, _v36 ^ _t88, _t73, _t75, _t81);
			}

0x009ab600
0x009ab606
0x009ab60d
0x009ab617
0x009ab61a
0x009ab620
0x009ab620
0x009ab626
0x009ab631
0x009ab637
0x009ab642
0x009ab652
0x009ab658
0x009ab658
0x009ab661
0x009ab72f
0x009ab738
0x009ab745
0x009ab74b
0x009ab74f
0x00000000
0x00000000
0x009ab751
0x009ab761
0x009ab765
0x009ab7a3
0x009ab767
0x009ab76b
0x009ab76e
0x009ab77a
0x009ab782
0x009ab784
0x009ab789
0x009ab794
0x009ab79b
0x009ab78b
0x009ab78b
0x009ab790
0x009ab790
0x009ab789
0x009ab7a5
0x009ab7ab
0x009ab7b7
0x009ab7ba
0x009ab7ba
0x009ab7c0
0x00000000
0x009ab7ce
0x009ab7ce
0x009ab7e1
0x009ab7e5
0x00000000
0x00000000
0x009ab7f5
0x009ab809
0x009ab80f
0x009ab815
0x009ab81a
0x009ab820
0x009ab82a
0x009ab831
0x009ab837
0x009ab83e
0x009ab848
0x009ab852
0x009ab854
0x009ab854
0x009ab85d
0x009ab879
0x009ab87b
0x009ab885
0x009ab88c
0x009ab87d
0x009ab87d
0x009ab87d
0x009ab892
0x009ab89e
0x009ab8a4
0x00000000
0x009ab860
0x009ab860
0x009ab860
0x009ab86c
0x009ab86e
0x009ab86e
0x009ab870
0x00000000
0x009ab860
0x009ab85d
0x009ab840
0x00000000
0x009ab840
0x009ab670
0x009ab673
0x009ab6db
0x009ab6e8
0x009ab6eb
0x00000000
0x00000000
0x00000000
0x009ab6eb
0x009ab6dd
0x009ab6e2
0x00000000
0x009ab6e2
0x009ab67b
0x009ab684
0x009ab68a
0x009ab691
0x009ab6b1
0x009ab6b1
0x009ab6be
0x009ab6c4
0x009ab6ce
0x00000000
0x009ab6ce
0x009ab693
0x009ab697
0x009ab69f
0x009ab6a7
0x00000000
0x00000000
0x00000000
0x009ab6a9
0x009ab6ab
0x00000000
0x009ab6ab
0x009ab6ed
0x009ab6ed
0x009ab6ef
0x009ab701
0x009ab702
0x009ab704
0x009ab705
0x009ab70e
0x009ab70e
0x009ab728

APIs

_USB3MON_DeviceChange@12.IUSB3MON(?,?,?), ref: 009AB631
ReleaseMutex.KERNEL32(?), ref: 009AB652
WaitForSingleObject.KERNEL32(?,000000FF), ref: 009AB684
ReleaseSemaphore.KERNEL32(?,00000001,009B254C), ref: 009AB6BE
InterlockedIncrement.KERNEL32(009B257C), ref: 009AB6E2
ResumeThread.KERNEL32(?), ref: 009AB70E
_USB3MON_GetDeviceInfoW@20.IUSB3MON(?,?,?,00000214,?), ref: 009AB745
GlobalAlloc.KERNEL32(00000040,00000018), ref: 009AB75B
GlobalFree.KERNEL32 ref: 009AB79B
GlobalAlloc.KERNEL32(00000040,00000224), ref: 009AB7DB
_memcpy_s.LIBCMT ref: 009AB815
WaitForSingleObject.KERNEL32(?,000000FF), ref: 009AB831
GlobalFree.KERNEL32 ref: 009AB88C
ReleaseSemaphore.KERNEL32(?,00000001,009B254C), ref: 009AB89E

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: Global$Release$AllocDeviceFreeObjectSemaphoreSingleWait$Change@12IncrementInfoInterlockedMutexResumeThreadW@20_memcpy_s
String ID:
API String ID: 417763785-0
Opcode ID: beee2462535b2a3a8c194accebb912eb1905e8c93e088d200d593495e1a48240
Instruction ID: d65f00ce9735f2f57938399e2b8487784513d959385f268839961da3fcd3d652
Opcode Fuzzy Hash: beee2462535b2a3a8c194accebb912eb1905e8c93e088d200d593495e1a48240
Instruction Fuzzy Hash: 1B61DDB1558308DFC730DF68E99CAAA77A8FB96324F140A2DF40587262D7B49844EFD1

Uniqueness

Uniqueness Score: -1.00%

Function 009AA3B7, Relevance: 21.1, APIs: 14, Instructions: 120
windowsynchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E009AA3B7(int _a24, void** _a32, void** _a40) {
				signed int _t41;
				int _t42;
				void* _t47;
				int _t52;
				int _t60;
				void* _t67;
				void* _t78;
				void* _t79;
				void** _t84;
				void* _t103;
				long _t105;
				long _t106;
				intOrPtr* _t107;
				void* _t108;

				L11:
				while(1) {
					L11:
					if( *((intOrPtr*)(_t103 + 0x21c)) != _t105) {
						L31:
						if( *_t103 == 0 ||  *((intOrPtr*)(_t103 + 0x21c)) == 0) {
							 *0x9b2560 =  *0x9b2560 - _t105;
							GlobalFree(_t103);
							_t103 = 0;
						}
						do {
							_t84 = _a40;
							_t105 = 1;
							 *0x9b254c =  *0x9b254c - 1;
							WaitForSingleObject(_t84[1], 0xffffffff);
							if(_t103 == 0) {
								_t103 = _t84[0xe];
								if(_t103 != 0) {
									_t84[0xe] =  *(_t103 + 0x214);
								}
							}
							ReleaseSemaphore(_t84[1], _t105, 0x9b254c);
							 *0x9b254c =  *0x9b254c + _t105;
							if(_t103 != 0) {
								goto L11;
							}
							_t78 =  *_t84;
							if(_t78 == 0) {
								break;
							}
							SuspendThread(_t78);
						} while ( *_t84 != _t103);
						if(_t84[0xe] == 0) {
							L10:
							ExitThread(0);
						} else {
							goto L9;
						}
						do {
							L9:
							_t79 = _t84[0xe];
							_t84[0xe] =  *(_t79 + 0x214);
							 *0x9b2560 =  *0x9b2560 - _t105;
							GlobalFree(_t79);
						} while (_t84[0xe] != 0);
						goto L10;
					}
					_t41 =  *_t103;
					_t106 = 0;
					if((_t41 & 0x00000001) == 0) {
						if((_t41 & 0x00000002) == 0) {
							if((_t41 & 0x00000008) == 0) {
								 *_t103 = 0;
								goto L24;
							}
							 *_t103 = _t41 ^ 0x00000008;
							if(( *(_t103 + 0x220))[2] != 0) {
								goto L24;
							}
							LoadStringW( *0x9b2554, 0x47f, 0x9b2178, 0x100);
							_t52 = Shell_NotifyIconW(0, 0x9b2160);
							GetLastError();
							if(_t52 != 0) {
								 *0x9b2558 = 8;
								 *0x9b216c = 0x10;
								 *0x9b2504 = 2;
								LoadStringW( *0x9b2554, 0x47f, 0x9b2484, 0x80);
								LoadStringW( *0x9b2554, 0x480, 0x9b2280, 0x200);
								_t106 = 1;
								( *(_t103 + 0x220))[2] = 1;
							}
							L23:
							_t84 = _a32;
							goto L24;
						}
						 *_t103 = _t41 ^ 0x00000002;
						if(( *(_t103 + 0x220))[1] != 0) {
							goto L24;
						}
						LoadStringW( *0x9b2554, 0x457, 0x9b2178, 0x100);
						_t60 = Shell_NotifyIconW(0, 0x9b2160);
						_t86 = _t60;
						GetLastError();
						if(_t60 != 0) {
							 *0x9b2558 = 2;
							 *0x9b216c = 0x10;
							 *0x9b2504 = 2;
							LoadStringW( *0x9b2554, 0x457, 0x9b2484, 0x80);
							LoadStringW( *0x9b2554, 0x458, 0x9b2280, 0x200);
							_t24 = _t103 + 4; // 0x4
							_t91 = _t24;
							E009AB370(0x9b2280, L"TargetDevice", _t24);
							_t108 = _t108 + 0xc;
							_t106 = 1;
							 *0x9b2560 =  *0x9b2560 + 1;
							_t67 = GlobalAlloc(0x40, 0x218);
							 *0x9b2530 = _t67;
							if(_t67 != 0) {
								 *_t67 = 0;
								E009A127E(_t86, _t91, _t67 + 4, 0x214, _t103, 0x214);
								_t108 = _t108 + 0x10;
								( *(_t103 + 0x220))[1] = 1;
							} else {
								_t106 = 0;
							}
						}
						goto L23;
					} else {
						 *_t103 = _t41 ^ 0x00000001;
						if( *( *(_t103 + 0x220)) == 0) {
							if(E009AA100() != 1) {
								 *( *(_t103 + 0x220)) = 1;
							} else {
								LoadStringW( *0x9b2554, 0x44d, 0x9b2178, 0x100);
								_a24 = Shell_NotifyIconW(0, 0x9b2160);
								GetLastError();
								if(_a24 != 0) {
									_t106 = 1;
									 *0x9b2558 = 1;
									E009AA200(1, _t103);
									 *( *(_t103 + 0x220)) = 1;
								}
							}
						}
						L24:
						 *0x9b2480 = 0x2710;
						if(_t106 != 0) {
							_t107 = Shell_NotifyIconW;
							_t42 = Shell_NotifyIconW(1, 0x9b2160);
							 *0x9b216c = 7;
							if(_t42 != 0) {
								ResetEvent(_t84[2]);
								WaitForSingleObject(_t84[2], 0x2710);
								_t47 =  *0x9b2530;
								if(_t47 != 0 &&  *_t47 == 0) {
									 *0x9b2560 =  *0x9b2560 - 1;
									GlobalFree(_t47);
									 *0x9b2530 = 0;
								}
							}
							 *_t107(2, 0x9b2160);
						}
						_t105 = 1;
						goto L31;
					}
				}
			}

0x00000000
0x009aa3bb
0x009aa3bb
0x009aa3c1
0x009aa5aa
0x009aa5ad
0x009aa5bc
0x009aa5c3
0x009aa32b
0x009aa32b
0x009aa330
0x009aa330
0x009aa339
0x009aa33e
0x009aa345
0x009aa34d
0x009aa34f
0x009aa354
0x009aa35c
0x009aa35c
0x009aa354
0x009aa369
0x009aa36f
0x009aa377
0x00000000
0x00000000
0x009aa379
0x009aa37d
0x00000000
0x00000000
0x009aa380
0x009aa386
0x009aa38e
0x009aa3af
0x009aa3b1
0x00000000
0x00000000
0x00000000
0x009aa390
0x009aa390
0x009aa390
0x009aa399
0x009aa39c
0x009aa3a3
0x009aa3a9
0x00000000
0x009aa390
0x009aa3c7
0x009aa3c9
0x009aa3cd
0x009aa45b
0x009aa5fb
0x009aa6aa
0x00000000
0x009aa6aa
0x009aa604
0x009aa60f
0x00000000
0x00000000
0x009aa62b
0x009aa634
0x009aa63c
0x009aa644
0x009aa660
0x009aa66a
0x009aa674
0x009aa67e
0x009aa695
0x009aa69d
0x009aa6a2
0x009aa6a2
0x009aa52f
0x009aa52f
0x00000000
0x009aa52f
0x009aa464
0x009aa46f
0x00000000
0x00000000
0x009aa48b
0x009aa494
0x009aa49a
0x009aa49c
0x009aa4a4
0x009aa4c5
0x009aa4ca
0x009aa4d4
0x009aa4d9
0x009aa4f0
0x009aa4f2
0x009aa4f2
0x009aa500
0x009aa505
0x009aa50d
0x009aa512
0x009aa51a
0x009aa520
0x009aa527
0x009aa5d4
0x009aa5e3
0x009aa5ee
0x009aa5f1
0x009aa52d
0x009aa52d
0x009aa52d
0x009aa527
0x00000000
0x009aa3d3
0x009aa3dc
0x009aa3e0
0x009aa3ee
0x009aa44e
0x009aa3f0
0x009aa405
0x009aa413
0x009aa417
0x009aa421
0x009aa427
0x009aa430
0x009aa436
0x009aa441
0x009aa441
0x009aa421
0x009aa3ee
0x009aa533
0x009aa533
0x009aa53f
0x009aa541
0x009aa54e
0x009aa550
0x009aa55c
0x009aa562
0x009aa571
0x009aa577
0x009aa57e
0x009aa585
0x009aa58c
0x009aa592
0x009aa592
0x009aa57e
0x009aa5a3
0x009aa5a3
0x009aa5a5
0x00000000
0x009aa5a5
0x009aa3cd

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 009AA345
ReleaseSemaphore.KERNEL32(?,00000001,009B254C), ref: 009AA369
SuspendThread.KERNEL32(00000000), ref: 009AA380
GlobalFree.KERNEL32 ref: 009AA3A3
ExitThread.KERNEL32 ref: 009AA3B1
LoadStringW.USER32(?,0000044D,009B2178,00000100), ref: 009AA405
Shell_NotifyIconW.SHELL32(00000000,009B2160), ref: 009AA40D
GetLastError.KERNEL32 ref: 009AA417

Part of subcall function 009AA200: LoadStringW.USER32(?,0000047F,009B2484,00000080), ref: 009AA24A
Part of subcall function 009AA200: LoadStringW.USER32(?,00000480,009B2280,00000200), ref: 009AA262

LoadStringW.USER32(?,00000457,009B2178,00000100), ref: 009AA48B
Shell_NotifyIconW.SHELL32(00000000,009B2160), ref: 009AA494
GetLastError.KERNEL32 ref: 009AA49C
LoadStringW.USER32(?,00000457,009B2484,00000080), ref: 009AA4D9
LoadStringW.USER32(?,00000458,009B2280,00000200), ref: 009AA4F0
GlobalAlloc.KERNEL32(00000040,00000218), ref: 009AA51A
Shell_NotifyIconW.SHELL32(00000001,009B2160), ref: 009AA54E
ResetEvent.KERNEL32(?), ref: 009AA562
WaitForSingleObject.KERNEL32(?,00002710), ref: 009AA571
GlobalFree.KERNEL32 ref: 009AA58C
Shell_NotifyIconW.SHELL32(00000002,009B2160), ref: 009AA5A3
GlobalFree.KERNEL32 ref: 009AA5C3
_memcpy_s.LIBCMT ref: 009AA5E3
LoadStringW.USER32(?,0000047F,009B2178,00000100), ref: 009AA62B
Shell_NotifyIconW.SHELL32(00000000,009B2160), ref: 009AA634
GetLastError.KERNEL32 ref: 009AA63C
LoadStringW.USER32(?,0000047F,009B2484,00000080), ref: 009AA67E
LoadStringW.USER32(?,00000480,009B2280,00000200), ref: 009AA695

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: LoadString$IconNotifyShell_$Global$ErrorFreeLast$ObjectSingleThreadWait$AllocEventExitReleaseResetSemaphoreSuspend_memcpy_s
String ID:
API String ID: 3479209953-0
Opcode ID: e8c96140368304040d052bb46193cdff0714ad9e6f751dfb503cbadce977619f
Instruction ID: 43c4638317181a45e051e76421c55a35033e84c1a789b361780e69b11104765d
Opcode Fuzzy Hash: e8c96140368304040d052bb46193cdff0714ad9e6f751dfb503cbadce977619f
Instruction Fuzzy Hash: 234192B0A18314DFDB219F65ED8CB5A77A8FF46321F110518F9058B291C7B59880DFE6

Uniqueness

Uniqueness Score: -1.00%

Function 009ABEB0, Relevance: 19.6, APIs: 13, Instructions: 70
synchronizationthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E009ABEB0() {
				struct HINSTANCE__* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t7;
				void* _t20;
				void* _t24;
				void* _t27;

				_t2 =  *0x9b2554;
				if(_t2 != 0) {
					FreeLibrary(_t2);
					 *0x9b2554 = 0;
				}
				_t24 =  *0x9b2540;
				if(_t24 != 0) {
					 *0x9b2540 = 0;
					if(ResumeThread(_t24) != 1) {
						SetEvent( *0x9b2548);
					}
					WaitForSingleObject(_t24, 0xffffffff);
					CloseHandle(_t24);
				}
				_t3 =  *0x9b2548;
				if(_t3 != 0) {
					CloseHandle(_t3);
					 *0x9b2548 = 0;
				}
				_t4 =  *0x9b255c;
				if(_t4 != 0) {
					CloseHandle(_t4);
					 *0x9b255c = 0;
				}
				_t5 =  *0x9b2544;
				if(_t5 != 0) {
					CloseHandle(_t5);
					 *0x9b2544 = 0;
				}
				_t6 =  *0x9b2588;
				if(_t6 != 0) {
					if( *0x9b258c == 1) {
						ReleaseMutex(_t6);
						 *0x9b258c = 0;
					}
					CloseHandle( *0x9b2588);
					 *0x9b2588 = 0;
				}
				_t7 =  *0x9b2584;
				if(_t7 != 0) {
					_t7 = CloseHandle(_t7);
					 *0x9b2584 = 0;
				}
				_t20 =  *(_t27 - 0x3c);
				if(_t20 != 0) {
					ReleaseMutex(_t20);
					return CloseHandle(_t20);
				}
				return _t7;
			}

0x009abeb0
0x009abeb7
0x009abeba
0x009abec0
0x009abec0
0x009abeca
0x009abed4
0x009abed6
0x009abee6
0x009abeef
0x009abeef
0x009abef8
0x009abf05
0x009abf05
0x009abf0f
0x009abf16
0x009abf19
0x009abf1b
0x009abf1b
0x009abf21
0x009abf28
0x009abf2b
0x009abf2d
0x009abf2d
0x009abf33
0x009abf3a
0x009abf3d
0x009abf3f
0x009abf3f
0x009abf45
0x009abf4c
0x009abf55
0x009abf58
0x009abf5e
0x009abf5e
0x009abf6b
0x009abf6d
0x009abf6d
0x009abf73
0x009abf7a
0x009abf7d
0x009abf7f
0x009abf7f
0x009abf85
0x009abf8a
0x009abf8d
0x00000000
0x009abf94
0x009abf96

APIs

FreeLibrary.KERNEL32(?,009ABE90), ref: 009ABEBA
ResumeThread.KERNEL32(?,009ABE90), ref: 009ABEDD
SetEvent.KERNEL32(?), ref: 009ABEEF
WaitForSingleObject.KERNEL32(?,000000FF), ref: 009ABEF8
CloseHandle.KERNEL32(?), ref: 009ABF05
CloseHandle.KERNEL32(?,009ABE90), ref: 009ABF19
CloseHandle.KERNEL32(?,009ABE90), ref: 009ABF2B
CloseHandle.KERNEL32(?,009ABE90), ref: 009ABF3D
ReleaseMutex.KERNEL32(?,009ABE90), ref: 009ABF58
CloseHandle.KERNEL32(?,009ABE90), ref: 009ABF6B
CloseHandle.KERNEL32(?,009ABE90), ref: 009ABF7D
ReleaseMutex.KERNEL32(?,009ABE90), ref: 009ABF8D
CloseHandle.KERNEL32(?), ref: 009ABF94

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: CloseHandle$MutexRelease$EventFreeLibraryObjectResumeSingleThreadWait
String ID:
API String ID: 78869731-0
Opcode ID: c566e5b5986950b7dd2053a8927ecc97683310408a88fb55b3ab482f76ef5a80
Instruction ID: a6584a1c259fdcb8ea350cfc226ebab00f7f015b1a6da83a37ab23e7cc700437
Opcode Fuzzy Hash: c566e5b5986950b7dd2053a8927ecc97683310408a88fb55b3ab482f76ef5a80
Instruction Fuzzy Hash: 0221EDB092C620DFCB24AF69EE98959B7ADEB463213290706F410D7235D7F59841AF90

Uniqueness

Uniqueness Score: -1.00%

Function 009AA830, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 67
libraryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E009AA830(void* __ebx, void* __edi, void* __eflags) {
				signed int _v4;
				char _v522;
				short _v524;
				void* __esi;
				signed int _t10;
				signed int _t14;
				void* _t22;
				void* _t33;
				void* _t35;
				signed int _t36;
				void* _t37;
				signed int _t38;

				_t32 = __edi;
				_t22 = __ebx;
				_t36 =  &_v524;
				_t10 =  *0x9af004; // 0xd975285d
				_v4 = _t10 ^ _t36;
				_v524 = 0;
				E009A2BF0(__edi,  &_v522, 0, 0x206);
				_t37 = _t36 + 0xc;
				_t14 = E009AA7C0();
				if(_t14 == 0) {
					__imp__GetUserDefaultUILanguage();
					_t14 = _t14 & 0x0000ffff;
				}
				if((_t14 & 0x000003ff) == 4 && (_t14 & 0x0000fc00) == 0xc00) {
					_t14 = 0x404;
				}
				_t31 =  &_v524;
				swprintf( &_v524, 0x208, L"%04x\\%s", _t14, L"iusb3mon.exe.mui", _t33);
				_t38 = _t37 + 0x14;
				if(LoadLibraryExW( &_v524, 0, 2) == 0) {
					E009A2BF0(_t32,  &_v524, _t17, 0x104);
					_t31 =  &_v524;
					swprintf( &_v524, 0x208, L"%04x\\%s", 0x409, L"iusb3mon.exe.mui");
					_t38 = _t38 + 0x20;
					_t17 = LoadLibraryExW( &_v524, 0, 2);
				}
				_pop(_t35);
				return E009A1000(_t17, _t22, _v4 ^ _t38, _t31, _t32, _t35);
			}

0x009aa830
0x009aa830
0x009aa830
0x009aa836
0x009aa83d
0x009aa851
0x009aa856
0x009aa85b
0x009aa85e
0x009aa865
0x009aa867
0x009aa86d
0x009aa86d
0x009aa87b
0x009aa88d
0x009aa88d
0x009aa89e
0x009aa8a8
0x009aa8b3
0x009aa8c3
0x009aa8d0
0x009aa8e4
0x009aa8ee
0x009aa8f3
0x009aa8ff
0x009aa8ff
0x009aa908
0x009aa916

APIs

_memset.LIBCMT ref: 009AA856

Part of subcall function 009AA7C0: RegOpenKeyExW.ADVAPI32 ref: 009AA7ED
Part of subcall function 009AA7C0: RegQueryValueExW.ADVAPI32(00000004,LCID,00000000,80000001,00020019,00020019), ref: 009AA812
Part of subcall function 009AA7C0: RegCloseKey.ADVAPI32 ref: 009AA81C

GetUserDefaultUILanguage.KERNEL32 ref: 009AA867
swprintf.LIBCMT ref: 009AA8A8
LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,?,00000000), ref: 009AA8BF
_memset.LIBCMT ref: 009AA8D0
swprintf.LIBCMT ref: 009AA8EE
LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 009AA8FF

Strings

iusb3mon.exe.mui, xrefs: 009AA8D5
%04x\%s, xrefs: 009AA899
iusb3mon.exe.mui, xrefs: 009AA893
%04x\%s, xrefs: 009AA8DF

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: LibraryLoad_memsetswprintf$CloseDefaultLanguageOpenQueryUserValue
String ID: %04x\%s$%04x\%s$iusb3mon.exe.mui$iusb3mon.exe.mui
API String ID: 2768219929-4225885805
Opcode ID: 86b4d75dfed49f85ef43a3158a94fbaa670a502a8e99f382c38340f0c89c4169
Instruction ID: 16d94be89364e5b9606b5e2ed23183473196d9f0d1d75bfe7096aef315a695ee
Opcode Fuzzy Hash: 86b4d75dfed49f85ef43a3158a94fbaa670a502a8e99f382c38340f0c89c4169
Instruction Fuzzy Hash: 571198B5A943007BE714DB648C47FAB339C9FD5714F40C919F655D61C2EA78D40487D2

Uniqueness

Uniqueness Score: -1.00%

Function 009AA100, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 63
registrysynchronizationstringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E009AA100() {
				int _v4;
				void* _v8;
				int _t19;
				int _t30;

				_t30 = 0;
				_v4 = 0;
				_v8 = 0;
				if( *0x9b258c != 1) {
					if( *0x9b2590 == 1) {
						WaitForSingleObject( *0x9b2584, 0xffffffff);
						if(WaitForSingleObject( *0x9b2588, 0x3e8) != 0x102) {
							 *0x9b258c = 1;
							if(RegCreateKeyExW(0x80000001, L"Software\\{B2CB09FF-2453-4f85-9F40-21C05BE4CBA8}", 0, 0x9b0fc8, 0, 0xf003f, 0,  &_v8,  &_v4) == 0) {
								_t19 = lstrlenW(L"{EAC6B3CA-E278-4446-9122-E11396A0D68E}");
								_t8 = _t19 + 2; // 0x2
								RegSetValueExW(_v8, L"PopupMessageAp", 0, 1, L"{EAC6B3CA-E278-4446-9122-E11396A0D68E}", _t19 + _t8);
								_t30 = 1;
							}
							RegCloseKey(_v8);
						}
						ReleaseMutex( *0x9b2584);
					}
					return _t30;
				} else {
					_t3 = _t30 + 1; // 0x1
					return _t3;
				}
			}

0x009aa104
0x009aa10d
0x009aa111
0x009aa115
0x009aa126
0x009aa13b
0x009aa151
0x009aa174
0x009aa186
0x009aa18d
0x009aa197
0x009aa1aa
0x009aa1b0
0x009aa1b0
0x009aa1ba
0x009aa1ba
0x009aa1c7
0x009aa1c7
0x009aa1d3
0x009aa117
0x009aa117
0x009aa11e
0x009aa11e

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 009AA13B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 009AA149
RegCreateKeyExW.ADVAPI32(80000001,Software\{B2CB09FF-2453-4f85-9F40-21C05BE4CBA8},00000000,009B0FC8,00000000,000F003F,00000000,?,?), ref: 009AA17E
lstrlenW.KERNEL32({EAC6B3CA-E278-4446-9122-E11396A0D68E}), ref: 009AA18D
RegSetValueExW.ADVAPI32(?,PopupMessageAp,00000000,00000001,{EAC6B3CA-E278-4446-9122-E11396A0D68E},00000002), ref: 009AA1AA
RegCloseKey.ADVAPI32(?), ref: 009AA1BA
ReleaseMutex.KERNEL32(?), ref: 009AA1C7

Strings

Software\{B2CB09FF-2453-4f85-9F40-21C05BE4CBA8}, xrefs: 009AA16A
{EAC6B3CA-E278-4446-9122-E11396A0D68E}, xrefs: 009AA19C
PopupMessageAp, xrefs: 009AA1A4
{EAC6B3CA-E278-4446-9122-E11396A0D68E}, xrefs: 009AA188

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateMutexReleaseValuelstrlen
String ID: PopupMessageAp$Software\{B2CB09FF-2453-4f85-9F40-21C05BE4CBA8}${EAC6B3CA-E278-4446-9122-E11396A0D68E}${EAC6B3CA-E278-4446-9122-E11396A0D68E}
API String ID: 1625864877-3526467220
Opcode ID: f19eb56aa254bd8a415912b1063f26f1b475e53156fe9d702a52942db2efd488
Instruction ID: f4bbbe4dd8d14bb4f1433e683e47e025f7bbd53ae0807cb54063dc3b09981032
Opcode Fuzzy Hash: f19eb56aa254bd8a415912b1063f26f1b475e53156fe9d702a52942db2efd488
Instruction Fuzzy Hash: 1E11E27425C320FFCB24DB54ED99D977BA8EB8A769F004A19F50886191D7B09404EBE1

Uniqueness

Uniqueness Score: -1.00%

Function 009A1DF1, Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E009A1DF1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t23;
				intOrPtr _t28;
				intOrPtr _t32;
				intOrPtr _t45;
				void* _t46;

				_t35 = __ebx;
				_push(0xc);
				_push(0x9ad5e8);
				E009A2888(__ebx, __edi, __esi);
				_t44 = L"KERNEL32.DLL";
				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t23 == 0) {
					_t23 = E009A23ED(_t44);
				}
				 *(_t46 - 0x1c) = _t23;
				_t45 =  *((intOrPtr*)(_t46 + 8));
				 *((intOrPtr*)(_t45 + 0x5c)) = 0x9ac328;
				 *((intOrPtr*)(_t45 + 0x14)) = 1;
				if(_t23 != 0) {
					_t35 = GetProcAddress;
					 *((intOrPtr*)(_t45 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
					 *((intOrPtr*)(_t45 + 0x1fc)) = GetProcAddress( *(_t46 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t45 + 0x70)) = 1;
				 *((char*)(_t45 + 0xc8)) = 0x43;
				 *((char*)(_t45 + 0x14b)) = 0x43;
				 *(_t45 + 0x68) = 0x9af4b8;
				E009A41F5(_t35, 0xd);
				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
				InterlockedIncrement( *(_t45 + 0x68));
				 *(_t46 - 4) = 0xfffffffe;
				E009A1EC6();
				E009A41F5(_t35, 0xc);
				 *(_t46 - 4) = 1;
				_t28 =  *((intOrPtr*)(_t46 + 0xc));
				 *((intOrPtr*)(_t45 + 0x6c)) = _t28;
				if(_t28 == 0) {
					_t32 =  *0x9af4a8; // 0x9af3d0
					 *((intOrPtr*)(_t45 + 0x6c)) = _t32;
				}
				E009A4371( *((intOrPtr*)(_t45 + 0x6c)));
				 *(_t46 - 4) = 0xfffffffe;
				return E009A28CD(E009A1ECF());
			}

0x009a1df1
0x009a1df1
0x009a1df3
0x009a1df8
0x009a1dfd
0x009a1e03
0x009a1e0b
0x009a1e0e
0x009a1e13
0x009a1e14
0x009a1e17
0x009a1e1a
0x009a1e24
0x009a1e29
0x009a1e31
0x009a1e39
0x009a1e49
0x009a1e49
0x009a1e4f
0x009a1e52
0x009a1e59
0x009a1e60
0x009a1e69
0x009a1e6f
0x009a1e76
0x009a1e7c
0x009a1e83
0x009a1e8a
0x009a1e90
0x009a1e93
0x009a1e96
0x009a1e9b
0x009a1e9d
0x009a1ea2
0x009a1ea2
0x009a1ea8
0x009a1eae
0x009a1ebf

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,009AD5E8,0000000C,009A1F2C,00000000,00000000,?,009A1C09,009A1029), ref: 009A1E03
__crt_waiting_on_module_handle.LIBCMT ref: 009A1E0E

Part of subcall function 009A23ED: Sleep.KERNEL32(000003E8,00000000,?,009A1D17,KERNEL32.DLL,?,009A1D83,?,009A1EEF,?,009A1C09,009A1029), ref: 009A23F9
Part of subcall function 009A23ED: GetModuleHandleW.KERNEL32(?,?,009A1D17,KERNEL32.DLL,?,009A1D83,?,009A1EEF,?,009A1C09,009A1029), ref: 009A2402

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 009A1E37
GetProcAddress.KERNEL32(?,DecodePointer), ref: 009A1E47
__lock.LIBCMT ref: 009A1E69
InterlockedIncrement.KERNEL32(009AF4B8), ref: 009A1E76
__lock.LIBCMT ref: 009A1E8A
___addlocaleref.LIBCMT ref: 009A1EA8

Strings

DecodePointer, xrefs: 009A1E3F
EncodePointer, xrefs: 009A1E2B
KERNEL32.DLL, xrefs: 009A1DFD, 009A1E02, 009A1E0D

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 8fb1f5ae07759ecc7129774f6009b97bde816aa9ce6250af84758d2aa426fb97
Instruction ID: 14287376ccdd1ee00b5d029fd14f2aa4872470b13161bcbc0d5cbe7ddfa44551
Opcode Fuzzy Hash: 8fb1f5ae07759ecc7129774f6009b97bde816aa9ce6250af84758d2aa426fb97
Instruction Fuzzy Hash: 4011AFB1904701DEDB20AF79CC05B5ABBE0AF86318F20451DE8A99A2A1CB74A9418FD0

Uniqueness

Uniqueness Score: -1.00%

Function 009AB1D0, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 41
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E009AB1D0(struct HWND__** _a4) {
				struct _SECURITY_ATTRIBUTES* _t2;
				void* _t8;

				_t2 = OpenEventW(0x1f0003, 0, L"Global\\IUSB3MON");
				 *0x9b2568 = _t2;
				if(_t2 == 0) {
					_t8 = CreateEventW(_t2, _t2, _t2, L"Global\\IUSB3MON");
					 *0x9b2568 = _t8;
					__imp__SetNamedSecurityInfoW(L"Global\\IUSB3MON", 6, 4, 0, 0, 0, 0);
				}
				WaitForMultipleObjects(2, 0x9b2564, 0, 0xffffffff);
				if( *0x9b256c == 0) {
					PostMessageW( *_a4, 2, 0, 0);
				}
				CloseHandle( *0x9b2568);
				 *0x9b2568 = 0;
				return 0;
			}

0x009ab1dc
0x009ab1e2
0x009ab1e9
0x009ab1f3
0x009ab20a
0x009ab20f
0x009ab20f
0x009ab220
0x009ab22d
0x009ab23c
0x009ab23c
0x009ab249
0x009ab24f
0x009ab25b

APIs

OpenEventW.KERNEL32(001F0003,00000000,Global\IUSB3MON), ref: 009AB1DC
CreateEventW.KERNEL32(00000000,00000000,00000000,Global\IUSB3MON), ref: 009AB1F3
SetNamedSecurityInfoW.ADVAPI32(Global\IUSB3MON,00000006,00000004,00000000,00000000,00000000,00000000), ref: 009AB20F
WaitForMultipleObjects.KERNEL32(00000002,009B2564,00000000,000000FF), ref: 009AB220
PostMessageW.USER32 ref: 009AB23C
CloseHandle.KERNEL32(?), ref: 009AB249

Strings

Global\IUSB3MON, xrefs: 009AB1D0
Global\IUSB3MON, xrefs: 009AB205
Global\IUSB3MON, xrefs: 009AB1EB

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: Event$CloseCreateHandleInfoMessageMultipleNamedObjectsOpenPostSecurityWait
String ID: Global\IUSB3MON$Global\IUSB3MON$Global\IUSB3MON
API String ID: 3696460326-331121007
Opcode ID: 065a8d7c1ba0c38febf4c5215e5f4c83a69762efc773238d47df5d6f9b695f54
Instruction ID: 07bbd0c92a4e23d51eb17c48bec634471b93b099306cdbeef34d13586c0df8bc
Opcode Fuzzy Hash: 065a8d7c1ba0c38febf4c5215e5f4c83a69762efc773238d47df5d6f9b695f54
Instruction Fuzzy Hash: 210131B03A8300BBF7319F609E5EF5636A8EB56F25F204614B701AD1E1DBF05401EB58

Uniqueness

Uniqueness Score: -1.00%

Function 009AAB60, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 105
windowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E009AAB60(struct HWND__* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t39;
				intOrPtr _t48;
				signed int _t55;
				signed char _t56;
				struct HWND__* _t63;
				void* _t64;
				signed int _t70;
				intOrPtr _t78;
				void* _t79;
				struct HWND__* _t81;
				signed char* _t82;
				void* _t83;
				signed int _t85;
				signed int _t88;
				void* _t89;

				_t39 =  *0x9af004; // 0xd975285d
				 *(_t88 + 0x240) = _t39 ^ _t88;
				_t85 =  *(_t88 + 0x250);
				_t81 = __ecx;
				_t63 = GetDlgItem(__ecx, 0x3ec);
				E009AA990(_t81);
				 *((intOrPtr*)(_t88 + 0x2c)) = _t85 + 8;
				 *((intOrPtr*)(_t88 + 0x24)) = 3;
				 *((intOrPtr*)(_t88 + 0x28)) = 0;
				 *((intOrPtr*)(_t88 + 0x2c)) = 0;
				 *((intOrPtr*)(_t88 + 0x40)) = 0;
				SendMessageW(_t63, 0x104d, 0, _t88 + 0x14);
				_t48 =  *((intOrPtr*)(_t85 + 4)) + _t85;
				_t82 = _t85 + 0x208;
				_t78 = 1;
				 *((intOrPtr*)(_t88 + 0x10)) = _t48;
				while(_t82 < _t48) {
					if(_t82[1] == 3 && _t82[4] != 0) {
						swprintf(_t88 + 0x58, 0x200, L"Port%d",  *_t82 & 0x000000ff);
						_t89 = _t88 + 0x10;
						 *((intOrPtr*)(_t89 + 0x24)) = 0x13;
						 *((intOrPtr*)(_t89 + 0x38)) = _t89 + 0x5c;
						 *((intOrPtr*)(_t89 + 0x28)) = _t78;
						 *(_t89 + 0x2c) = 0;
						 *((intOrPtr*)(_t89 + 0x40)) = 1;
						 *((intOrPtr*)(_t89 + 0x48)) = 1;
						SendMessageW(_t63, 0x104d, 0, _t89 + 0x14);
						_t70 = _t82[4];
						_t55 = _t82[8] * 0x64;
						_t56 = _t55 / _t70;
						if(_t55 % _t70 != 0) {
							_t56 = _t56 + 1;
						}
						swprintf(_t89 + 0x58, 0x200, L"%d%%", _t56 & 0x000000ff);
						_t88 = _t89 + 0x10;
						 *(_t88 + 0x14) = 1;
						 *((intOrPtr*)(_t88 + 0x1c)) = 1;
						_t72 = _t88 + 0x5c;
						 *((intOrPtr*)(_t88 + 0x38)) = _t88 + 0x5c;
						 *((intOrPtr*)(_t88 + 0x28)) = _t78;
						SendMessageW(_t63, 0x104c, 0, _t88 + 0x14);
						_t48 =  *((intOrPtr*)(_t88 + 0x10));
						_t78 = _t78 + 1;
					}
					_t82 =  &(_t82[0xc]);
				}
				_pop(_t79);
				_pop(_t83);
				_pop(_t64);
				return E009A1000(_t48, _t64,  *(_t88 + 0x250) ^ _t88, _t72, _t79, _t83);
			}

0x009aab66
0x009aab6d
0x009aab76
0x009aab7f
0x009aab8d
0x009aab91
0x009aab9e
0x009aabab
0x009aabb3
0x009aabb7
0x009aabbb
0x009aabbf
0x009aabc8
0x009aabca
0x009aabd0
0x009aabd5
0x009aabdb
0x009aabe5
0x009aac08
0x009aac13
0x009aac2c
0x009aac34
0x009aac38
0x009aac3c
0x009aac44
0x009aac48
0x009aac4c
0x009aac51
0x009aac54
0x009aac59
0x009aac5d
0x009aac5f
0x009aac5f
0x009aac74
0x009aac7e
0x009aac81
0x009aac85
0x009aac95
0x009aac9a
0x009aac9e
0x009aaca2
0x009aaca4
0x009aaca8
0x009aaca8
0x009aaca9
0x009aacac
0x009aacbb
0x009aacbc
0x009aacbe
0x009aaccc

APIs

GetDlgItem.USER32 ref: 009AAB87

Part of subcall function 009AA990: GetDlgItem.USER32 ref: 009AA998
Part of subcall function 009AA990: ImageList_Create.COMCTL32(00000010,00000010,00000008,00000002,00000000,?,000003EC), ref: 009AA9AA
Part of subcall function 009AA990: SendMessageW.USER32(00000000,00001003,00000001,00000000), ref: 009AA9BE
Part of subcall function 009AA990: LoadIconW.USER32 ref: 009AA9D3
Part of subcall function 009AA990: ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,000003EC), ref: 009AA9E5
Part of subcall function 009AA990: LoadIconW.USER32 ref: 009AA9EF
Part of subcall function 009AA990: ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,000003EC), ref: 009AA9FB

SendMessageW.USER32(00000000), ref: 009AABBF
swprintf.LIBCMT ref: 009AAC08

Part of subcall function 009A12FB: __vswprintf_s_l.LIBCMT ref: 009A130F

SendMessageW.USER32 ref: 009AAC4C
swprintf.LIBCMT ref: 009AAC74
SendMessageW.USER32(00000000,0000104C,00000000,?), ref: 009AACA2

Strings

%d%%, xrefs: 009AAC65
Port%d, xrefs: 009AABF9

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: IconMessageSend$ImageList_$ItemLoadReplaceswprintf$Create__vswprintf_s_l
String ID: %d%%$Port%d
API String ID: 3705057638-558675316
Opcode ID: 071fbfe2ff6a69b4609c797fecf8367fdd36e6c9283b3bad8208e4e0792f6a24
Instruction ID: 141aed43ea37730c336b435ab24775740044ccf6f3f8e597f935d3df00fe4de9
Opcode Fuzzy Hash: 071fbfe2ff6a69b4609c797fecf8367fdd36e6c9283b3bad8208e4e0792f6a24
Instruction Fuzzy Hash: 0F41B5B16083409FE310DF69C885BABB7E8EFC4704F00492EF59997281D7B5D944CB96

Uniqueness

Uniqueness Score: -1.00%

Function 009AA200, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E009AA200(void* __eax, void* __ecx) {
				void* _t2;
				void* _t5;
				void* _t6;
				void* _t20;

				_t2 = __eax - 1;
				_t20 = __ecx;
				 *0x9b216c = 0x10;
				if(_t2 == 0) {
					 *0x9b2504 = 1;
					LoadStringW( *0x9b2554, 0x44d, 0x9b2484, 0x80);
					LoadStringW( *0x9b2554, 0x44e, 0x9b2280, 0x200);
					_t5 = E009AB370(0x9b2280, L"TargetDevice", _t20 + 4);
					goto L6;
				} else {
					_t6 = _t2 - 1;
					if(_t6 == 0) {
						 *0x9b2504 = 2;
						LoadStringW( *0x9b2554, 0x457, 0x9b2484, 0x80);
						LoadStringW( *0x9b2554, 0x458, 0x9b2280, 0x200);
						return E009AB370(0x9b2280, L"TargetDevice", _t20 + 4);
					} else {
						_t5 = _t6 - 6;
						if(_t5 != 0) {
							L6:
							return _t5;
						} else {
							 *0x9b2504 = 2;
							LoadStringW( *0x9b2554, 0x47f, 0x9b2484, 0x80);
							return LoadStringW( *0x9b2554, 0x480, 0x9b2280, 0x200);
						}
					}
				}
			}

0x009aa200
0x009aa205
0x009aa207
0x009aa211
0x009aa2db
0x009aa2e5
0x009aa2fd
0x009aa30d
0x00000000
0x009aa217
0x009aa217
0x009aa21a
0x009aa283
0x009aa28d
0x009aa2a4
0x009aa2be
0x009aa21c
0x009aa21c
0x009aa21f
0x009aa315
0x009aa317
0x009aa225
0x009aa240
0x009aa24a
0x009aa266
0x009aa266
0x009aa21f
0x009aa21a

APIs

LoadStringW.USER32(?,0000047F,009B2484,00000080), ref: 009AA24A
LoadStringW.USER32(?,00000480,009B2280,00000200), ref: 009AA262
LoadStringW.USER32(?,00000457,009B2484,00000080), ref: 009AA28D
LoadStringW.USER32(?,00000458,009B2280,00000200), ref: 009AA2A4
LoadStringW.USER32(?,0000044D,009B2484,00000080), ref: 009AA2E5
LoadStringW.USER32(?,0000044E,009B2280,00000200), ref: 009AA2FD

Strings

TargetDevice, xrefs: 009AA2AA
TargetDevice, xrefs: 009AA303

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: LoadString
String ID: TargetDevice$TargetDevice
API String ID: 2948472770-4167339378
Opcode ID: 7142a842abec3ec9c6842aef8f89a3a2752003c79678d6b68b5d633770edfe3c
Instruction ID: 5a00df63110f10befb1fdf17bc7331046e01bf396eeeb22fa0caf4feede2c176
Opcode Fuzzy Hash: 7142a842abec3ec9c6842aef8f89a3a2752003c79678d6b68b5d633770edfe3c
Instruction Fuzzy Hash: 3F1193727A83107BD2589B98BF57F963755D7C6B38F004215F344EB2E2CAE0B4099794

Uniqueness

Uniqueness Score: -1.00%

Function 009AAA50, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E009AAA50(void* __ebp, struct HWND__* _a4) {
				signed int _v4;
				short _v132;
				struct tagRECT _v148;
				int _v172;
				WCHAR* _v180;
				intOrPtr _v184;
				int _v188;
				void* _v192;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t25;
				struct HWND__* _t40;
				intOrPtr _t53;
				signed int _t55;

				_t60 =  &_v192;
				_t25 =  *0x9af004; // 0xd975285d
				_v4 = _t25 ^  &_v192;
				_t40 = GetDlgItem(_a4, 0x3ec);
				GetWindowRect(_t40,  &_v148);
				_t55 = _v148.right - _v148.left;
				_t53 = (0x55555556 * _t55 >> 0x20 >> 0x1f) + (0x55555556 * _t55 >> 0x20) + (0x55555556 * _t55 >> 0x20 >> 0x1f) + (0x55555556 * _t55 >> 0x20);
				_v192 = 0xf;
				_v188 = 0;
				_v184 = _t53;
				LoadStringW( *0x9b2554, 0x464,  &_v132, 0x80);
				_v180 =  &_v132;
				_v172 = 0;
				SendMessageW(_t40, 0x1061, 0,  &_v192);
				_v184 = _t55 - _t53 - 5;
				LoadStringW( *0x9b2554, 0x465,  &_v132, 0x80);
				_v180 =  &_v132;
				_v172 = 1;
				return E009A1000(SendMessageW(_t40, 0x1061, 1,  &_v192), _t40, _v4 ^ _t60,  &_v192, _t53, _t55 - _t53 - 5);
			}

0x009aaa50
0x009aaa56
0x009aaa5d
0x009aaa7b
0x009aaa83
0x009aaa8d
0x009aaaba
0x009aaabd
0x009aaac5
0x009aaacd
0x009aaad1
0x009aaae4
0x009aaae8
0x009aaaf0
0x009aab10
0x009aab14
0x009aab27
0x009aab2b
0x009aab51

APIs

GetDlgItem.USER32 ref: 009AAA75
GetWindowRect.USER32 ref: 009AAA83
LoadStringW.USER32 ref: 009AAAD1
SendMessageW.USER32(00000000,00001061,00000000,?), ref: 009AAAF0
LoadStringW.USER32(?,00000465,?,00000080), ref: 009AAB14
SendMessageW.USER32(00000000,00001061,00000001,?), ref: 009AAB33

Strings

VUUU, xrefs: 009AAA97

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: LoadMessageSendString$ItemRectWindow
String ID: VUUU
API String ID: 2469071548-2040033107
Opcode ID: feb89489aebd8e1362e22e1c8d9ae82af93ac0f6d3221a2b3e216e6b6b044360
Instruction ID: 295ca33b4b8bc4ed5e72420036af0ac56b315c5904bfc9fbc01e35b9c8494eb9
Opcode Fuzzy Hash: feb89489aebd8e1362e22e1c8d9ae82af93ac0f6d3221a2b3e216e6b6b044360
Instruction Fuzzy Hash: 01213BB2218340AFE310CF99DD49F6BBBE8EFC8700F404A1DF64997291D7B495088B92

Uniqueness

Uniqueness Score: -1.00%

Function 009AB2B0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E009AB2B0(WCHAR* __ecx, void* __edx, struct HINSTANCE__* _a4) {
				signed int _v4;
				short _v1028;
				void* __esi;
				signed int _t7;
				struct HINSTANCE__* _t9;
				void* _t19;
				void* _t26;
				void* _t28;
				struct HWND__* _t29;

				_t26 = __edx;
				_t30 =  &_v1028;
				_t7 =  *0x9af004; // 0xd975285d
				_v4 = _t7 ^  &_v1028;
				_t9 = _a4;
				 *0x9b2528 = _t9;
				_t29 = CreateWindowExW(0, __ecx, L"Intel(R) USB 3.0 Monitor", 0xcf0000, 0xc8, 0xc8, 0x12c, 0x226, 0, 0, _t9, 0);
				if(_t29 != 0) {
					LoadStringW( *0x9b2554, 0x474,  &_v1028, 0x400);
					SetWindowTextW(_t29,  &_v1028);
					ShowWindow(_t29, 0);
					UpdateWindow(_t29);
					return E009A1000(1, _t19, _v4 ^ _t30,  &_v1028, _t28, _t29);
				} else {
					return E009A1000(_t10, _t19, _v4 ^ _t30, _t26, _t28, _t29);
				}
			}

0x009ab2b0
0x009ab2b0
0x009ab2b6
0x009ab2bd
0x009ab2c4
0x009ab2f4
0x009ab2ff
0x009ab303
0x009ab331
0x009ab33d
0x009ab346
0x009ab34d
0x009ab36d
0x009ab306
0x009ab31a
0x009ab31a

APIs

CreateWindowExW.USER32 ref: 009AB2F9
LoadStringW.USER32(?,00000474,?,00000400), ref: 009AB331
SetWindowTextW.USER32(00000000,?), ref: 009AB33D
ShowWindow.USER32(00000000,00000000), ref: 009AB346
UpdateWindow.USER32(00000000), ref: 009AB34D

Strings

Intel(R) USB 3.0 Monitor, xrefs: 009AB2EC

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: Window$CreateLoadShowStringTextUpdate
String ID: Intel(R) USB 3.0 Monitor
API String ID: 1826498862-3626528269
Opcode ID: e57d2dd303e6b1cb969e5d57f17f55d961c1db5f94082eb2a7d341d37713e66a
Instruction ID: 03521f9cf04aea143162f22950e437248c5f03f0fe6fe4f2e8eb2be6d9547cab
Opcode Fuzzy Hash: e57d2dd303e6b1cb969e5d57f17f55d961c1db5f94082eb2a7d341d37713e66a
Instruction Fuzzy Hash: 1D1180F57983106BE3349B64ED1AFAA3798EF89B05F004509F709AA1D2DAB4640187DA

Uniqueness

Uniqueness Score: -1.00%

Function 009A10EA, Relevance: 10.5, APIs: 7, Instructions: 42
threadCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E009A10EA(intOrPtr __edx, long _a4, char _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
				struct _SECURITY_ATTRIBUTES* _v0;
				DWORD* _v12;
				void* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t27;
				void* _t33;
				DWORD* _t38;
				intOrPtr* _t40;
				void* _t42;
				void* _t48;
				long _t51;
				void* _t61;
				struct _SECURITY_ATTRIBUTES* _t62;
				intOrPtr* _t64;
				void* _t65;

				_t58 = __edx;
				_push(_t64);
				E009A1D63();
				_t27 = E009A1D43(E009A1D5D());
				if(_t27 != 0) {
					_t51 = _a4;
					 *((intOrPtr*)(_t27 + 0x54)) =  *((intOrPtr*)(_t51 + 0x54));
					 *((intOrPtr*)(_t27 + 0x58)) =  *((intOrPtr*)(_t51 + 0x58));
					_t58 =  *((intOrPtr*)(_t51 + 4));
					_push(_t51);
					 *((intOrPtr*)(_t27 + 4)) =  *((intOrPtr*)(_t51 + 4));
					E009A1F6B(_t48, _t61, _t64, __eflags);
				} else {
					_t64 = _a4;
					if(E009A1D97(E009A1D5D(), _t64) == 0) {
						ExitThread(GetLastError());
					}
					 *_t64 = GetCurrentThreadId();
				}
				_t73 =  *0x9b2144;
				if( *0x9b2144 != 0) {
					_t42 = E009A2330(_t73, 0x9b2144);
					_pop(_t51);
					_t74 = _t42;
					if(_t42 != 0) {
						 *0x9b2144();
					}
				}
				E009A10A9(_t58, _t61, _t64, _t74);
				asm("int3");
				_push(_t51);
				_push(_t48);
				_push(_t61);
				_t62 = _v0;
				_v20 = 0;
				_t75 = _t62;
				if(_t62 != 0) {
					_push(_t64);
					E009A1D63();
					_t65 = E009A2B4F(1, 0x214);
					__eflags = _t65;
					if(__eflags == 0) {
						L16:
						_push(_t65);
						E009A2A7C(0, _t62, _t65, __eflags);
						__eflags = _v12;
						if(_v12 != 0) {
							E009A1C2A(_v12);
						}
						_t33 = 0;
						__eflags = 0;
					} else {
						_push( *((intOrPtr*)(E009A1F51(0, _t58, _t62, __eflags) + 0x6c)));
						_push(_t65);
						E009A1DF1(0, _t62, _t65, __eflags);
						 *(_t65 + 4) =  *(_t65 + 4) | 0xffffffff;
						 *((intOrPtr*)(_t65 + 0x58)) = _a12;
						_t38 = _a20;
						 *((intOrPtr*)(_t65 + 0x54)) = _t62;
						__eflags = _t38;
						if(_t38 == 0) {
							_t38 =  &_a8;
						}
						_t33 = CreateThread(_v0, _a4, E009A10EA, _t65, _a16, _t38);
						__eflags = _t33;
						if(__eflags == 0) {
							_v12 = GetLastError();
							goto L16;
						}
					}
				} else {
					_t40 = E009A1C04(_t75);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t40 = 0x16;
					E009A1B9C(_t58, _t62, _t64);
					_t33 = 0;
				}
				return _t33;
			}

0x009a10ea
0x009a10ef
0x009a10f0
0x009a10fb
0x009a1102
0x009a112e
0x009a1134
0x009a113a
0x009a113d
0x009a1140
0x009a1141
0x009a1144
0x009a1104
0x009a1104
0x009a1115
0x009a111e
0x009a111e
0x009a112a
0x009a112a
0x009a1149
0x009a1150
0x009a1157
0x009a115c
0x009a115d
0x009a115f
0x009a1161
0x009a1161
0x009a115f
0x009a1167
0x009a116c
0x009a1172
0x009a1173
0x009a1174
0x009a1175
0x009a117a
0x009a117d
0x009a117f
0x009a119d
0x009a119e
0x009a11af
0x009a11b3
0x009a11b5
0x009a1201
0x009a1201
0x009a1202
0x009a1208
0x009a120b
0x009a1210
0x009a1215
0x009a1216
0x009a1216
0x009a11b7
0x009a11bc
0x009a11bf
0x009a11c0
0x009a11c8
0x009a11cc
0x009a11cf
0x009a11d4
0x009a11d7
0x009a11d9
0x009a11db
0x009a11db
0x009a11ee
0x009a11f4
0x009a11f6
0x009a11fe
0x00000000
0x009a11fe
0x009a11f6
0x009a1181
0x009a1181
0x009a1186
0x009a1187
0x009a1188
0x009a1189
0x009a118a
0x009a118b
0x009a1191
0x009a1199
0x009a1199
0x009a121c

APIs

___set_flsgetvalue.LIBCMT ref: 009A10F0

Part of subcall function 009A1D63: TlsGetValue.KERNEL32(?,009A1EEF,?,009A1C09,009A1029), ref: 009A1D6C
Part of subcall function 009A1D63: __decode_pointer.LIBCMT ref: 009A1D7E
Part of subcall function 009A1D63: TlsSetValue.KERNEL32(00000000,009A1EEF,?,009A1C09,009A1029), ref: 009A1D8D

Part of subcall function 009A1D43: TlsGetValue.KERNEL32(?,?,009A1100,00000000), ref: 009A1D51

___fls_setvalue@8.LIBCMT ref: 009A110E

Part of subcall function 009A1D97: __decode_pointer.LIBCMT ref: 009A1DA8

GetLastError.KERNEL32(00000000,?,00000000), ref: 009A1117
ExitThread.KERNEL32 ref: 009A111E
GetCurrentThreadId.KERNEL32 ref: 009A1124
__freefls@4.LIBCMT ref: 009A1144
__IsNonwritableInCurrentImage.LIBCMT ref: 009A1157

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID:
API String ID: 480636954-0
Opcode ID: 1c7a3ed718bf29cc29596480fe9f1b007dd8a83f743d8917a8e80b2d59ed5b4a
Instruction ID: 38fe9fd2a3b24a83d7bfaddee4c183af798c367f124a995b99a192b99492aa04
Opcode Fuzzy Hash: 1c7a3ed718bf29cc29596480fe9f1b007dd8a83f743d8917a8e80b2d59ed5b4a
Instruction Fuzzy Hash: D501D674508601EFCB18BFB5DD09A5A3BAD9F87314F108058FA149B262DB34C841CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 009AA990, Relevance: 10.5, APIs: 7, Instructions: 41
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E009AA990(struct HWND__* __eax) {
				struct HWND__* _t2;
				long _t3;

				_t2 = GetDlgItem(__eax, 0x3ec);
				_t3 = ImageList_Create(0x10, 0x10, 8, 2, 0);
				 *0x9b251c = _t3;
				SendMessageW(_t2, 0x1003, 1, _t3);
				ImageList_ReplaceIcon( *0x9b251c, 0xffffffff, LoadIconW( *0x9b2528, 0x68));
				return ImageList_ReplaceIcon( *0x9b251c, 0xffffffff, LoadIconW( *0x9b2528, 0x69));
			}

0x009aa998
0x009aa9aa
0x009aa9b9
0x009aa9be
0x009aa9e5
0x009aa9ff

APIs

GetDlgItem.USER32 ref: 009AA998
ImageList_Create.COMCTL32(00000010,00000010,00000008,00000002,00000000,?,000003EC), ref: 009AA9AA
SendMessageW.USER32(00000000,00001003,00000001,00000000), ref: 009AA9BE
LoadIconW.USER32 ref: 009AA9D3
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,000003EC), ref: 009AA9E5
LoadIconW.USER32 ref: 009AA9EF
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000,?,000003EC), ref: 009AA9FB

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: Icon$ImageList_$LoadReplace$CreateItemMessageSend
String ID:
API String ID: 189666923-0
Opcode ID: 7979b46385f5491dc9ca4f58dbf44bb05bb0dc9c50c2157397111bac33307eab
Instruction ID: 31fab3b1c143600f23b2e8736cf03ac625183c11dec82c8900a9bfd34a552499
Opcode Fuzzy Hash: 7979b46385f5491dc9ca4f58dbf44bb05bb0dc9c50c2157397111bac33307eab
Instruction Fuzzy Hash: CDF062B1768310BBE73057A5AC19F56365CEB89B32F004705B710EB2E0C9F19941AFA0

Uniqueness

Uniqueness Score: -1.00%

Function 009A116D, Relevance: 9.1, APIs: 6, Instructions: 71
threadCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E009A116D(void* __edx, void* __esi, struct _SECURITY_ATTRIBUTES* _a4, long _a8, char _a12, intOrPtr _a16, long _a20, DWORD* _a24) {
				DWORD* _v8;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t20;
				DWORD* _t25;
				intOrPtr* _t27;
				char _t41;
				void* _t44;

				_t41 = _a12;
				_v8 = 0;
				_t48 = _t41;
				if(_t41 != 0) {
					_push(__esi);
					E009A1D63();
					_t44 = E009A2B4F(1, 0x214);
					__eflags = _t44;
					if(__eflags == 0) {
						L7:
						_push(_t44);
						E009A2A7C(0, _t41, _t44, __eflags);
						__eflags = _v8;
						if(_v8 != 0) {
							E009A1C2A(_v8);
						}
						_t20 = 0;
						__eflags = 0;
					} else {
						_push( *((intOrPtr*)(E009A1F51(0, __edx, _t41, __eflags) + 0x6c)));
						_push(_t44);
						E009A1DF1(0, _t41, _t44, __eflags);
						 *(_t44 + 4) =  *(_t44 + 4) | 0xffffffff;
						 *((intOrPtr*)(_t44 + 0x58)) = _a16;
						_t25 = _a24;
						 *((intOrPtr*)(_t44 + 0x54)) = _t41;
						__eflags = _t25;
						if(_t25 == 0) {
							_t25 =  &_a12;
						}
						_t20 = CreateThread(_a4, _a8, E009A10EA, _t44, _a20, _t25);
						__eflags = _t20;
						if(__eflags == 0) {
							_v8 = GetLastError();
							goto L7;
						}
					}
				} else {
					_t27 = E009A1C04(_t48);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t27 = 0x16;
					E009A1B9C(__edx, _t41, __esi);
					_t20 = 0;
				}
				return _t20;
			}

0x009a1175
0x009a117a
0x009a117d
0x009a117f
0x009a119d
0x009a119e
0x009a11af
0x009a11b3
0x009a11b5
0x009a1201
0x009a1201
0x009a1202
0x009a1208
0x009a120b
0x009a1210
0x009a1215
0x009a1216
0x009a1216
0x009a11b7
0x009a11bc
0x009a11bf
0x009a11c0
0x009a11c8
0x009a11cc
0x009a11cf
0x009a11d4
0x009a11d7
0x009a11d9
0x009a11db
0x009a11db
0x009a11ee
0x009a11f4
0x009a11f6
0x009a11fe
0x00000000
0x009a11fe
0x009a11f6
0x009a1181
0x009a1181
0x009a1186
0x009a1187
0x009a1188
0x009a1189
0x009a118a
0x009a118b
0x009a1191
0x009a1199
0x009a1199
0x009a121c

APIs

___set_flsgetvalue.LIBCMT ref: 009A119E
__calloc_crt.LIBCMT ref: 009A11AA
__getptd.LIBCMT ref: 009A11B7
CreateThread.KERNEL32 ref: 009A11EE
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 009A11F8
__dosmaperr.LIBCMT ref: 009A1210

Part of subcall function 009A1C04: __getptd_noexit.LIBCMT ref: 009A1C04

Part of subcall function 009A1B9C: __decode_pointer.LIBCMT ref: 009A1BA7

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
String ID:
API String ID: 1803633139-0
Opcode ID: 61cfc9129d3b94927a0249eb36a8ab0febcd2d09a37c74c27b57d5223280aeb8
Instruction ID: c3cf515e5e87a83793498068107ed6dd43c1aa82a3539bce08c2828560dbee47
Opcode Fuzzy Hash: 61cfc9129d3b94927a0249eb36a8ab0febcd2d09a37c74c27b57d5223280aeb8
Instruction Fuzzy Hash: 2811C172504258EFCF14BFA8DC82A9E7BA9EF86324F104429FA15D60A1EB31D90197E0

Uniqueness

Uniqueness Score: -1.00%

Function 009AA6C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E009AA6C0() {
				int _v4;
				int _v8;
				void* _v12;
				char _v16;
				char _t17;

				_v4 = 4;
				_v8 = 4;
				_v16 = 0xbb8;
				if(RegOpenKeyExW(0x80000001, L"Software\\Intel\\iusb3mon\\Parameters", 0, 0x20019,  &_v12) == 0 && RegQueryValueExW(_v12, L"DevNodeTime", 0,  &_v4,  &_v16,  &_v8) == 0) {
					_t17 = _v16;
					if(_t17 < 0x3e8 || _t17 > 0x2710) {
						_v16 = 0xbb8;
					}
				}
				RegCloseKey(_v12);
				return _v16;
			}

0x009aa6c8
0x009aa6cc
0x009aa6e6
0x009aa6f6
0x009aa71d
0x009aa725
0x009aa72e
0x009aa72e
0x009aa725
0x009aa73a
0x009aa746

APIs

RegOpenKeyExW.ADVAPI32 ref: 009AA6EE
RegQueryValueExW.ADVAPI32(00020019,DevNodeTime,00000000,00000BB8,?,00020019), ref: 009AA713
RegCloseKey.ADVAPI32(?), ref: 009AA73A

Strings

Software\Intel\iusb3mon\Parameters, xrefs: 009AA6DC
DevNodeTime, xrefs: 009AA70D

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: DevNodeTime$Software\Intel\iusb3mon\Parameters
API String ID: 3677997916-2435076179
Opcode ID: 291e9372bfc21f8e07fac449b143f35fcf4a3ed6dbda58a9becfd5e55115ea7a
Instruction ID: 18b8408f40af7c11bad88fc12ebb878295042acecb1941d87f7276a1bc611092
Opcode Fuzzy Hash: 291e9372bfc21f8e07fac449b143f35fcf4a3ed6dbda58a9becfd5e55115ea7a
Instruction Fuzzy Hash: C101FBB4648301AFE710DF14C984F9BB7F8EB85B04F41891DF5899A190E774D944DBA3

Uniqueness

Uniqueness Score: -1.00%

Function 009ABC60, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E009ABC60(struct HINSTANCE__* __eax) {
				intOrPtr _v0;
				struct HICON__* _v4;
				struct _WNDCLASSEXW _v52;
				struct HICON__* _t17;

				_v52.style = 0x30;
				_v52.lpfnWndProc = 3;
				_v52.cbClsExtra = E009AB950;
				_v52.cbWndExtra = 0;
				_v52.hInstance = 0;
				_v52.hIcon = __eax;
				_t17 = LoadIconW(__eax, 0x65);
				_v52.hCursor = _t17;
				_v4 = _t17;
				_v52.hbrBackground = LoadCursorW(0, 0x7f00);
				_v52.hbrBackground = GetStockObject(0);
				_v52.lpszMenuName = 0;
				_v52.lpszClassName = _v0;
				_v52.hIconSm = 0;
				return RegisterClassExW( &_v52) & 0x0000ffff;
			}

0x009abc69
0x009abc71
0x009abc79
0x009abc81
0x009abc85
0x009abc89
0x009abc8d
0x009abc99
0x009abc9d
0x009abca8
0x009abcb2
0x009abcbf
0x009abcc3
0x009abcc7
0x009abcd8

APIs

LoadIconW.USER32 ref: 009ABC8D
LoadCursorW.USER32(00000000,00007F00), ref: 009ABCA1
GetStockObject.GDI32(00000000), ref: 009ABCAC
RegisterClassExW.USER32 ref: 009ABCCB

Strings

0, xrefs: 009ABC69

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: Load$ClassCursorIconObjectRegisterStock
String ID: 0
API String ID: 4250381028-4108050209
Opcode ID: cf3f665fea4a9a4bba297cf1aca9321fbb810d097dc7601f6bb6d77032f6f32f
Instruction ID: 14732ca8e2c4e8c4d3da624c01d78764a1234b5efeb1677039a025b1629bcf4a
Opcode Fuzzy Hash: cf3f665fea4a9a4bba297cf1aca9321fbb810d097dc7601f6bb6d77032f6f32f
Instruction Fuzzy Hash: 9B01E4B082D361AFC340CF69884865BBFE8FF89B04F400A1EF488D6250D77486088FC6

Uniqueness

Uniqueness Score: -1.00%

Function 009AA7C0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E009AA7C0() {
				int _v4;
				int _v8;
				char _v12;
				void* _v16;

				_v4 = 4;
				_v8 = 4;
				_v12 = 0;
				if(RegOpenKeyExW(0x80000001, L"Software\\Intel\\iusb3mon\\Parameters", 0, 0x20019,  &_v16) == 0) {
					RegQueryValueExW(_v16, L"LCID", 0,  &_v4,  &_v12,  &_v8);
				}
				RegCloseKey(_v16);
				return _v12;
			}

0x009aa7c8
0x009aa7cc
0x009aa7e5
0x009aa7f5
0x009aa812
0x009aa812
0x009aa81c
0x009aa829

APIs

RegOpenKeyExW.ADVAPI32 ref: 009AA7ED
RegQueryValueExW.ADVAPI32(00000004,LCID,00000000,80000001,00020019,00020019), ref: 009AA812
RegCloseKey.ADVAPI32 ref: 009AA81C

Strings

LCID, xrefs: 009AA80C
Software\Intel\iusb3mon\Parameters, xrefs: 009AA7DB

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: LCID$Software\Intel\iusb3mon\Parameters
API String ID: 3677997916-2906745039
Opcode ID: 19db7884bb2193a47b8c76c3e0b0e9a28b3b6629983de9f680f4b1aa2bd7ef91
Instruction ID: 0bac9af577a4146f9539825bde6ae22ae14b0899437478e4838741d07869d363
Opcode Fuzzy Hash: 19db7884bb2193a47b8c76c3e0b0e9a28b3b6629983de9f680f4b1aa2bd7ef91
Instruction Fuzzy Hash: 3EF017B4248301ABE710EF14CC85FABBBE8EB88B48F00890CF58996191D274E408DB92

Uniqueness

Uniqueness Score: -1.00%

Function 009AA750, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E009AA750() {
				int _v4;
				int _v8;
				char _v12;
				void* _v16;

				_v12 = 4;
				_v4 = 4;
				_v8 = 4;
				if(RegOpenKeyExW(0x80000001, L"Software\\Intel\\iusb3mon\\Parameters", 0, 0x20019,  &_v16) == 0) {
					RegQueryValueExW(_v16, L"ExeDebugLevel", 0,  &_v4,  &_v12,  &_v8);
				}
				RegCloseKey(_v16);
				return _v12;
			}

0x009aa758
0x009aa75c
0x009aa760
0x009aa781
0x009aa79e
0x009aa79e
0x009aa7a8
0x009aa7b5

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Intel\iusb3mon\Parameters,00000000,00020019,00000004,D975285D), ref: 009AA779
RegQueryValueExW.ADVAPI32(?,ExeDebugLevel,00000000,?,?,?), ref: 009AA79E
RegCloseKey.ADVAPI32 ref: 009AA7A8

Strings

Software\Intel\iusb3mon\Parameters, xrefs: 009AA76F
ExeDebugLevel, xrefs: 009AA798

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: ExeDebugLevel$Software\Intel\iusb3mon\Parameters
API String ID: 3677997916-2535549919
Opcode ID: f0ea5abceb11019e2c2c2dae7f92f0f789e295b701eb2b22a1dd2a20e4ee3feb
Instruction ID: c4096998cd6d0312d89be2bf59f57807f704a1dfae806fd1fe420a3119fd4f95
Opcode Fuzzy Hash: f0ea5abceb11019e2c2c2dae7f92f0f789e295b701eb2b22a1dd2a20e4ee3feb
Instruction Fuzzy Hash: 63F017B4648301BFD710EB28CD85F9BB7E8EF88B04F00891DF599D6150E270D804DB92

Uniqueness

Uniqueness Score: -1.00%

Function 009A4773, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E009A4773(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x9ad718);
				E009A2888(__ebx, __edi, __esi);
				_t31 = E009A1F51(__ebx, __edx, __edi, _t35);
				_t15 =  *0x9afc80; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E009A41F5(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x9af8e0; // 0x9af4b8
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x9af4b8;
								if(__eflags != 0) {
									_push(_t33);
									E009A2A7C(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x9af8e0; // 0x9af4b8
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x9af8e0; // 0x9af4b8
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E009A480E();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E009A241D(_t29, _t31, 0x20);
				}
				return E009A28CD(_t33);
			}

0x009a4773
0x009a4773
0x009a4773
0x009a4773
0x009a4775
0x009a477a
0x009a4784
0x009a4786
0x009a478e
0x009a47af
0x009a47b5
0x009a47b9
0x009a47bc
0x009a47bf
0x009a47c5
0x009a47c7
0x009a47c9
0x009a47cc
0x009a47d2
0x009a47d4
0x009a47d6
0x009a47dc
0x009a47de
0x009a47df
0x009a47e4
0x009a47dc
0x009a47d4
0x009a47e5
0x009a47ea
0x009a47ed
0x009a47f3
0x009a47f7
0x009a47f7
0x009a47fd
0x009a4804
0x009a4796
0x009a4796
0x009a4796
0x009a479b
0x009a479f
0x009a47a4
0x009a47ac

APIs

__getptd.LIBCMT ref: 009A477F

Part of subcall function 009A1F51: __getptd_noexit.LIBCMT ref: 009A1F54
Part of subcall function 009A1F51: __amsg_exit.LIBCMT ref: 009A1F61

__amsg_exit.LIBCMT ref: 009A479F
__lock.LIBCMT ref: 009A47AF
InterlockedDecrement.KERNEL32(?), ref: 009A47CC
InterlockedIncrement.KERNEL32(009AF4B8), ref: 009A47F7

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 3941b8e44ff37c342b88734008efaf02c31eb92c0e282be799c2d8fba673a60e
Instruction ID: 814e1a9448fbb04a737c12cb4993b6712905c01bdde1fd4743245ef8e53644d4
Opcode Fuzzy Hash: 3941b8e44ff37c342b88734008efaf02c31eb92c0e282be799c2d8fba673a60e
Instruction Fuzzy Hash: CF01D231905621ABDB20BBAC980A75D73A0BFC7718F000125F81067291DB78A841EBD1

Uniqueness

Uniqueness Score: -1.00%

Function 009A2A7C, Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E009A2A7C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x9ad678);
				_t8 = E009A2888(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E009A28CD(_t8);
				}
				if( *0x9b2004 != 3) {
					_push(_t23);
					L7:
					_t8 = HeapFree( *0x9b0d04, 0, ??);
					_t31 = _t8;
					if(_t8 == 0) {
						_t10 = E009A1C04(_t31);
						 *_t10 = E009A1BC2(GetLastError());
					}
					goto L9;
				}
				E009A41F5(__ebx, 4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E009A5203(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E009A5233();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E009A2AD2();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x009a2a7c
0x009a2a7e
0x009a2a83
0x009a2a88
0x009a2a8d
0x009a2b04
0x009a2b09
0x009a2b09
0x009a2a96
0x009a2adb
0x009a2adc
0x009a2ae4
0x009a2aea
0x009a2aec
0x009a2aee
0x009a2b01
0x009a2b03
0x00000000
0x009a2aec
0x009a2a9a
0x009a2aa0
0x009a2aa5
0x009a2aab
0x009a2ab0
0x009a2ab2
0x009a2ab3
0x009a2ab4
0x009a2aba
0x009a2abb
0x009a2ac2
0x009a2acb
0x00000000
0x009a2acd
0x009a2acd
0x00000000
0x009a2acd

APIs

__lock.LIBCMT ref: 009A2A9A

Part of subcall function 009A41F5: __mtinitlocknum.LIBCMT ref: 009A420B
Part of subcall function 009A41F5: __amsg_exit.LIBCMT ref: 009A4217
Part of subcall function 009A41F5: EnterCriticalSection.KERNEL32(?,?,?,009A5E61,00000004,009AD7F8,0000000C,009A2B65,?,?,00000000,00000000,00000000,?,009A1F03,00000001), ref: 009A421F

___sbh_find_block.LIBCMT ref: 009A2AA5
___sbh_free_block.LIBCMT ref: 009A2AB4
HeapFree.KERNEL32(00000000,?,009AD678,0000000C,009A41D6,00000000,009AD6D8,0000000C,009A4210,?,?,?,009A5E61,00000004,009AD7F8,0000000C), ref: 009A2AE4
GetLastError.KERNEL32(?,009A5E61,00000004,009AD7F8,0000000C,009A2B65,?,?,00000000,00000000,00000000,?,009A1F03,00000001,00000214), ref: 009A2AF5

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: de7385e64e117226df825d59200259c8ae3a49724c3e0dd07655d0e9063c4078
Instruction ID: 233625af6e77431e07b3d65ddb0fdacbc7ba54d14bdb010eefa87b0b24596f04
Opcode Fuzzy Hash: de7385e64e117226df825d59200259c8ae3a49724c3e0dd07655d0e9063c4078
Instruction Fuzzy Hash: E2016271949305ABDB34BFB99D0AB9E3B78DF93720F104505F814660D1DB389940DAE4

Uniqueness

Uniqueness Score: -1.00%

Function 009AAD40, Relevance: 7.5, APIs: 5, Instructions: 43
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E009AAD40(void** __edi) {
				void* __ebx;
				void* _t1;
				long _t15;

				 *0x9b2560 =  *0x9b2560 + 1;
				_t15 = 0;
				_t1 = GlobalAlloc(0x40, 0x214);
				 *__edi = _t1;
				if(_t1 != 0) {
					 *0x9b254c =  *0x9b254c - 1;
					WaitForSingleObject( *0x9b2544, 0xffffffff);
					_t5 =  *0x9b2530;
					if( *0x9b2530 != 0) {
						E009A127E(1,  *__edi,  *__edi, 0x214, _t5 + 4, 0x214);
						 *0x9b2560 =  *0x9b2560 - 1;
						GlobalFree( *0x9b2530);
						 *0x9b2530 = 0;
						_t15 = 1;
					}
					ReleaseSemaphore( *0x9b2544, 1, 0x9b254c);
					 *0x9b254c =  *0x9b254c + 1;
				}
				return _t15;
			}

0x009aad4c
0x009aad54
0x009aad56
0x009aad5c
0x009aad60
0x009aad67
0x009aad70
0x009aad76
0x009aad7d
0x009aad90
0x009aad9b
0x009aada5
0x009aadab
0x009aadb1
0x009aadb1
0x009aadbf
0x009aadc5
0x009aadc5
0x009aadcf

APIs

GlobalAlloc.KERNEL32(00000040,00000214), ref: 009AAD56
WaitForSingleObject.KERNEL32(?,000000FF), ref: 009AAD70
_memcpy_s.LIBCMT ref: 009AAD90
GlobalFree.KERNEL32 ref: 009AADA5
ReleaseSemaphore.KERNEL32(?,00000001,009B254C), ref: 009AADBF

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: Global$AllocFreeObjectReleaseSemaphoreSingleWait_memcpy_s
String ID:
API String ID: 1496807306-0
Opcode ID: bb9aff92af98c06ca378c2fe26432b7cbaa83d03ef5ed8489a9e5fc06427ca53
Instruction ID: 0dfbb997d0c12bd9d56ebcb7e11e51c047fae41051a9872a4741a8060e0300d8
Opcode Fuzzy Hash: bb9aff92af98c06ca378c2fe26432b7cbaa83d03ef5ed8489a9e5fc06427ca53
Instruction Fuzzy Hash: CC01A2B1668324AFD7209F68EE98A6A7328FB04735B100319F915D72A4D7B49C00EFE0

Uniqueness

Uniqueness Score: -1.00%

Function 009A706B, Relevance: 6.1, APIs: 4, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E009A706B(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				signed int _v12;
				char _v20;
				char _t43;
				char _t46;
				signed int _t53;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E009A3139( &_v20, _a16);
						_t43 = _v20;
						__eflags =  *(_t43 + 0x14);
						if( *(_t43 + 0x14) != 0) {
							_t46 = E009A719C( *_t72 & 0x000000ff,  &_v20);
							__eflags = _t46;
							if(_t46 == 0) {
								__eflags = _a4;
								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000);
								if(__eflags != 0) {
									L10:
									__eflags = _v8;
									if(_v8 != 0) {
										_t53 = _v12;
										_t11 = _t53 + 0x70;
										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
										__eflags =  *_t11;
									}
									return 1;
								}
								L21:
								_t54 = E009A1C04(__eflags);
								 *_t54 = 0x2a;
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t33 = _t54 + 0x70;
									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t33;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							__eflags = _t65 - 1;
							if(_t65 <= 1) {
								L17:
								__eflags = _a12 -  *(_t56 + 0xac);
								if(__eflags < 0) {
									goto L21;
								}
								__eflags = _t72[1];
								if(__eflags == 0) {
									goto L21;
								}
								L19:
								_t57 =  *(_t56 + 0xac);
								__eflags = _v8;
								if(_v8 == 0) {
									return _t57;
								}
								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
								return _t57;
							}
							__eflags = _a12 - _t65;
							if(_a12 < _t65) {
								goto L17;
							}
							__eflags = _a4;
							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t58;
							_t56 = _v20;
							if(_t58 != 0) {
								goto L19;
							}
							goto L17;
						}
						_t59 = _a4;
						__eflags = _t59;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x009a7075
0x009a707c
0x009a7093
0x00000000
0x009a7083
0x009a7085
0x009a709f
0x009a70a4
0x009a70a7
0x009a70aa
0x009a70d3
0x009a70da
0x009a70dc
0x009a715d
0x009a7178
0x009a717a
0x009a70ba
0x009a70ba
0x009a70bd
0x009a70bf
0x009a70c2
0x009a70c2
0x009a70c2
0x009a70c2
0x00000000
0x009a70c8
0x009a713c
0x009a713c
0x009a7141
0x009a7147
0x009a714a
0x009a714c
0x009a714f
0x009a714f
0x009a714f
0x009a714f
0x00000000
0x009a7153
0x009a70de
0x009a70e1
0x009a70e7
0x009a70ea
0x009a7111
0x009a7114
0x009a711a
0x00000000
0x00000000
0x009a711c
0x009a711f
0x00000000
0x00000000
0x009a7121
0x009a7121
0x009a7127
0x009a712a
0x009a7098
0x009a7098
0x009a7133
0x00000000
0x009a7133
0x009a70ec
0x009a70ef
0x00000000
0x00000000
0x009a70f3
0x009a7104
0x009a710a
0x009a710c
0x009a710f
0x00000000
0x00000000
0x00000000
0x009a710f
0x009a70ac
0x009a70af
0x009a70b1
0x009a70b7
0x009a70b7
0x00000000
0x009a7087
0x009a7087
0x009a708c
0x009a7090
0x009a7090
0x00000000
0x009a708c
0x009a7085

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 009A709F
__isleadbyte_l.LIBCMT ref: 009A70D3
MultiByteToWideChar.KERNEL32(?,00000009,?,?,?,00000000), ref: 009A7104
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000), ref: 009A7172

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d26ac6e946d4cad86ae445547518f20598c32766f393a5a851a192d9e20c448b
Instruction ID: f8087ec97c64299644898096540eb48ea3123f7e081ab49d05cccf7b008b87b2
Opcode Fuzzy Hash: d26ac6e946d4cad86ae445547518f20598c32766f393a5a851a192d9e20c448b
Instruction Fuzzy Hash: 9131C231608255EFCB20DFB4CC86ABEBBA9EF02311F158569E4618B191D730DD41DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 009AA920, Relevance: 6.0, APIs: 4, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E009AA920(struct HWND__* __esi) {
				struct tagRECT _v16;
				struct tagRECT _v32;
				long _t23;
				intOrPtr _t32;

				GetWindowRect(GetDesktopWindow(),  &_v16);
				GetWindowRect(__esi,  &_v32);
				_t32 = _v32.right;
				_t23 = _v32.left;
				_t30 = _t32 - _t23;
				asm("cdq");
				asm("cdq");
				return SetWindowPos(__esi, 0xffffffff, _t23 - _t32 + _v16.right - _t32 - _t23 >> 1, _v32.top - _v32.bottom + _v16.bottom - _t32 - _t23 >> 1, _t30, _v32.bottom - _v32.top, 0x40);
			}

0x009aa937
0x009aa93f
0x009aa949
0x009aa94d
0x009aa960
0x009aa963
0x009aa971
0x009aa985

APIs

GetDesktopWindow.USER32 ref: 009AA925
GetWindowRect.USER32 ref: 009AA937
GetWindowRect.USER32 ref: 009AA93F
SetWindowPos.USER32(?,000000FF,?,?,?,?,00000040,?,?), ref: 009AA97A

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: Window$Rect$Desktop
String ID:
API String ID: 2751908114-0
Opcode ID: 38474aab9e3fc3d4da307cd0451ec5f597d57ec1c1864f71d61eda446d4ef4c6
Instruction ID: 266552d9c121eca41128403745b83a5974b3e3e12e06933734244f86c4f9d7b4
Opcode Fuzzy Hash: 38474aab9e3fc3d4da307cd0451ec5f597d57ec1c1864f71d61eda446d4ef4c6
Instruction Fuzzy Hash: 9DF049B57181016FD704DF38DD85CAF77AAEFC9210F058618F950C7294C634F8098A61

Uniqueness

Uniqueness Score: -1.00%

Function 009A44D7, Relevance: 6.0, APIs: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E009A44D7(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
				signed int _t13;
				intOrPtr _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x9ad6f8);
				E009A2888(__ebx, __edi, __esi);
				_t28 = E009A1F51(__ebx, __edx, __edi, _t30);
				_t13 =  *0x9afc80; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t13) == 0) {
					L6:
					E009A41F5(_t22, 0xc);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t8 = _t28 + 0x6c; // 0x6c
					_t26 =  *0x9af4a8; // 0x9af3d0
					 *((intOrPtr*)(_t29 - 0x1c)) = E009A4499(_t8, _t26);
					 *(_t29 - 4) = 0xfffffffe;
					E009A4541();
				} else {
					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(E009A1F51(_t22, __edx, _t26, _t32) + 0x6c));
					}
				}
				if(_t28 == 0) {
					E009A241D(_t25, _t26, 0x20);
				}
				return E009A28CD(_t28);
			}

0x009a44d7
0x009a44d7
0x009a44d7
0x009a44d7
0x009a44d7
0x009a44d9
0x009a44de
0x009a44e8
0x009a44ea
0x009a44f2
0x009a4516
0x009a4518
0x009a451e
0x009a4522
0x009a4525
0x009a4530
0x009a4533
0x009a453a
0x009a44f4
0x009a44f4
0x009a44f8
0x00000000
0x009a44fa
0x009a44ff
0x009a44ff
0x009a44f8
0x009a4504
0x009a4508
0x009a450d
0x009a4515

APIs

__getptd.LIBCMT ref: 009A44E3

Part of subcall function 009A1F51: __getptd_noexit.LIBCMT ref: 009A1F54
Part of subcall function 009A1F51: __amsg_exit.LIBCMT ref: 009A1F61

__getptd.LIBCMT ref: 009A44FA
__amsg_exit.LIBCMT ref: 009A4508
__lock.LIBCMT ref: 009A4518

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: cc993ab45d8e27d162ee7bb3c02276c0fd04ef11d63e9374813eefd334d30493
Instruction ID: be17682876a796802a47c96f3f4f988d950831a40d2a1bf3a8b0fc58b7b38b7f
Opcode Fuzzy Hash: cc993ab45d8e27d162ee7bb3c02276c0fd04ef11d63e9374813eefd334d30493
Instruction Fuzzy Hash: A6F09A32D49704DFDB20FBAC940675933E0AFC7720F104119F4559B292CBB8A9419BE1

Uniqueness

Uniqueness Score: -1.00%

Function 009A10DE, Relevance: 6.0, APIs: 4, Instructions: 24
threadCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E009A10DE(intOrPtr __edx, void* __edi, long _a4, char _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
				struct _SECURITY_ATTRIBUTES* _v0;
				intOrPtr _v4;
				DWORD* _v12;
				void* _v24;
				intOrPtr _v28;
				void* __ebx;
				void* __esi;
				void* _t30;
				void* _t36;
				DWORD* _t41;
				intOrPtr* _t43;
				void* _t45;
				void* _t51;
				long _t54;
				void* _t64;
				intOrPtr _t65;
				intOrPtr* _t67;
				void* _t68;
				intOrPtr _t71;
				void* _t74;

				_t64 = __edi;
				_t61 = __edx;
				_t74 = _v24;
				E009A26A3(_v28);
				asm("int3");
				_t71 = _t74;
				_push(_t67);
				E009A1D63();
				_t30 = E009A1D43(E009A1D5D());
				if(_t30 != 0) {
					_t54 = _a4;
					 *((intOrPtr*)(_t30 + 0x54)) =  *((intOrPtr*)(_t54 + 0x54));
					 *((intOrPtr*)(_t30 + 0x58)) =  *((intOrPtr*)(_t54 + 0x58));
					_t61 =  *((intOrPtr*)(_t54 + 4));
					_push(_t54);
					 *((intOrPtr*)(_t30 + 4)) =  *((intOrPtr*)(_t54 + 4));
					E009A1F6B(_t51, __edi, _t67, __eflags);
				} else {
					_t67 = _a4;
					if(E009A1D97(E009A1D5D(), _t67) == 0) {
						ExitThread(GetLastError());
					}
					 *_t67 = GetCurrentThreadId();
				}
				_t79 =  *0x9b2144;
				if( *0x9b2144 != 0) {
					_t45 = E009A2330(_t79, 0x9b2144);
					_pop(_t54);
					_t80 = _t45;
					if(_t45 != 0) {
						 *0x9b2144();
					}
				}
				E009A10A9(_t61, _t64, _t67, _t80);
				asm("int3");
				_push(_t71);
				_push(_t54);
				_push(_t51);
				_push(_t64);
				_t65 = _v4;
				_v24 = 0;
				_t81 = _t65;
				if(_t65 != 0) {
					_push(_t67);
					E009A1D63();
					_t68 = E009A2B4F(1, 0x214);
					__eflags = _t68;
					if(__eflags == 0) {
						L17:
						_push(_t68);
						E009A2A7C(0, _t65, _t68, __eflags);
						__eflags = _v12;
						if(_v12 != 0) {
							E009A1C2A(_v12);
						}
						_t36 = 0;
						__eflags = 0;
					} else {
						_push( *((intOrPtr*)(E009A1F51(0, _t61, _t65, __eflags) + 0x6c)));
						_push(_t68);
						E009A1DF1(0, _t65, _t68, __eflags);
						 *(_t68 + 4) =  *(_t68 + 4) | 0xffffffff;
						 *((intOrPtr*)(_t68 + 0x58)) = _a12;
						_t41 = _a20;
						 *((intOrPtr*)(_t68 + 0x54)) = _t65;
						__eflags = _t41;
						if(_t41 == 0) {
							_t41 =  &_a8;
						}
						_t36 = CreateThread(_v0, _a4, E009A10EA, _t68, _a16, _t41);
						__eflags = _t36;
						if(__eflags == 0) {
							_v12 = GetLastError();
							goto L17;
						}
					}
				} else {
					_t43 = E009A1C04(_t81);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t43 = 0x16;
					E009A1B9C(_t61, _t65, _t67);
					_t36 = 0;
				}
				return _t36;
			}

0x009a10de
0x009a10de
0x009a10de
0x009a10e4
0x009a10e9
0x009a10ed
0x009a10ef
0x009a10f0
0x009a10fb
0x009a1102
0x009a112e
0x009a1134
0x009a113a
0x009a113d
0x009a1140
0x009a1141
0x009a1144
0x009a1104
0x009a1104
0x009a1115
0x009a111e
0x009a111e
0x009a112a
0x009a112a
0x009a1149
0x009a1150
0x009a1157
0x009a115c
0x009a115d
0x009a115f
0x009a1161
0x009a1161
0x009a115f
0x009a1167
0x009a116c
0x009a116f
0x009a1172
0x009a1173
0x009a1174
0x009a1175
0x009a117a
0x009a117d
0x009a117f
0x009a119d
0x009a119e
0x009a11af
0x009a11b3
0x009a11b5
0x009a1201
0x009a1201
0x009a1202
0x009a1208
0x009a120b
0x009a1210
0x009a1215
0x009a1216
0x009a1216
0x009a11b7
0x009a11bc
0x009a11bf
0x009a11c0
0x009a11c8
0x009a11cc
0x009a11cf
0x009a11d4
0x009a11d7
0x009a11d9
0x009a11db
0x009a11db
0x009a11ee
0x009a11f4
0x009a11f6
0x009a11fe
0x00000000
0x009a11fe
0x009a11f6
0x009a1181
0x009a1181
0x009a1186
0x009a1187
0x009a1188
0x009a1189
0x009a118a
0x009a118b
0x009a1191
0x009a1199
0x009a1199
0x009a121c

APIs

Part of subcall function 009A26A3: _doexit.LIBCMT ref: 009A26AF

___set_flsgetvalue.LIBCMT ref: 009A10F0

Part of subcall function 009A1D63: TlsGetValue.KERNEL32(?,009A1EEF,?,009A1C09,009A1029), ref: 009A1D6C
Part of subcall function 009A1D63: __decode_pointer.LIBCMT ref: 009A1D7E
Part of subcall function 009A1D63: TlsSetValue.KERNEL32(00000000,009A1EEF,?,009A1C09,009A1029), ref: 009A1D8D

Part of subcall function 009A1D43: TlsGetValue.KERNEL32(?,?,009A1100,00000000), ref: 009A1D51

___fls_setvalue@8.LIBCMT ref: 009A110E

Part of subcall function 009A1D97: __decode_pointer.LIBCMT ref: 009A1DA8

GetLastError.KERNEL32(00000000,?,00000000), ref: 009A1117
ExitThread.KERNEL32 ref: 009A111E
GetCurrentThreadId.KERNEL32 ref: 009A1124
__freefls@4.LIBCMT ref: 009A1144
__IsNonwritableInCurrentImage.LIBCMT ref: 009A1157

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 26186426-0
Opcode ID: fd37ae19a41172c680c2e11822ecebb81c94b60d2d0cde100c4a0f2d7080a463
Instruction ID: 13b81cc4377aefd9919419b8058339929827e5a5d77a56e9e734ab9eac60d61d
Opcode Fuzzy Hash: fd37ae19a41172c680c2e11822ecebb81c94b60d2d0cde100c4a0f2d7080a463
Instruction Fuzzy Hash: 57E0EC75D15619BBCF103BF19D0AE9F3B6D9D83354F104420FB10A7452DF28991186E6

Uniqueness

Uniqueness Score: -1.00%

Function 009A106C, Relevance: 6.0, APIs: 4, Instructions: 19
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E009A106C(long _a4) {
				void* _t6;
				void* _t9;
				void* _t10;

				_t11 =  *0x9b2140;
				if( *0x9b2140 != 0 && E009A2330(_t11, 0x9b2140) != 0) {
					 *0x9b2140();
				}
				if(E009A1ED8(_t6) != 0) {
					E009A209A(_t6, _t9, _t10, _t2);
				}
				ExitThread(_a4);
			}

0x009a1071
0x009a1078
0x009a1089
0x009a1089
0x009a1096
0x009a1099
0x009a109e
0x009a10a2

APIs

__IsNonwritableInCurrentImage.LIBCMT ref: 009A107F

Part of subcall function 009A2330: __FindPESection.LIBCMT ref: 009A238B

__getptd_noexit.LIBCMT ref: 009A108F
__freeptd.LIBCMT ref: 009A1099
ExitThread.KERNEL32 ref: 009A10A2

Memory Dump Source

Source File: 00000000.00000002.251887699.00000000009A1000.00000020.00020000.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.251883150.00000000009A0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251897320.00000000009AC000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251901567.00000000009AD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251905990.00000000009AF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.251920358.00000000009B0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.251925075.00000000009B3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251937470.00000000009C0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251947007.00000000009CD000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.251951608.00000000009CF000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_iusb3mon_exe.jbxd

Similarity

API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
String ID:
API String ID: 3182216644-0
Opcode ID: b3fa1deb733116f06c791dcbb0240df9df4b82ea2f164e93cc25f0ac10b60b03
Instruction ID: 103acb780f4a0279d0d6da46eab8e3ae5fd881864ae52a1a9ab76a90871cb12c
Opcode Fuzzy Hash: b3fa1deb733116f06c791dcbb0240df9df4b82ea2f164e93cc25f0ac10b60b03
Instruction Fuzzy Hash: B8D05E3101D3A197DB2837BADE0EB693A5DEF83321F140129FA18890B2DF70C880D9E0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report iusb3mon_exe.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: iusb3mon_exe.exe PID: 1156 Parent PID: 5748

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Section Activities

Sections loaded by Windows

Registry Activities