Create Interactive Tour

Windows Analysis Report
alternateshell.exe

Overview

General Information

Sample Name:	alternateshell.exe
Analysis ID:	614316
MD5:	9ec3d89978c9a2ea2a7454d2913d79d2
SHA1:	178f6491b30329f7946d0ba2c9d484e7d363ec6d
SHA256:	7acd2e8f32235743d25b48d9b679b553e60a6348e13edd4f7eab6aee79fefe2c
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to dynamically determine API calls

PE file contains strange resources

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

alternateshell.exe (PID: 6636 cmdline: "C:\Users\user\Desktop\alternateshell.exe" MD5: 9EC3D89978C9A2EA2A7454D2913D79D2)

cleanup

Joe Sandbox Signatures

• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: alternateshell.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: alternateshell.exe

Static PE information: certificate valid

Source: alternateshell.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: C:\Users\adrien\Documents\JWTS\workbench-release\c++\UniversalLauncher\Release\UniversalLauncher.pdb source: alternateshell.exe

Source: alternateshell.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: alternateshell.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: alternateshell.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: alternateshell.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: alternateshell.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: alternateshell.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: alternateshell.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: alternateshell.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: alternateshell.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: alternateshell.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: alternateshell.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: alternateshell.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: alternateshell.exe, 00000000.00000002.247159785.00000000010AA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: alternateshell.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: alternateshell.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: alternateshell.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: alternateshell.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: alternateshell.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\alternateshell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: clean4.winEXE@1/0@0/0

Source: alternateshell.exe

Static PE information: certificate valid

Source: alternateshell.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: alternateshell.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: alternateshell.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: alternateshell.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: alternateshell.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: alternateshell.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: alternateshell.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: alternateshell.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Users\adrien\Documents\JWTS\workbench-release\c++\UniversalLauncher\Release\UniversalLauncher.pdb source: alternateshell.exe

Source: alternateshell.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: alternateshell.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: alternateshell.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: alternateshell.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: alternateshell.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\alternateshell.exe

Code function: 0_2_0009336B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_0009336B

Source: C:\Users\user\Desktop\alternateshell.exe

Code function: 0_2_000926A5 push ecx; ret

0_2_000926B8

Source: C:\Users\user\Desktop\alternateshell.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-2676

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\alternateshell.exe

0_2_0009336B

Source: C:\Users\user\Desktop\alternateshell.exe

Code function: 0_2_00092E19 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00092E19

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\alternateshell.exe	Code function: 0_2_00092E19 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00092E19
Source: C:\Users\user\Desktop\alternateshell.exe	Code function: 0_2_00091439 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00091439

Source: C:\Users\user\Desktop\alternateshell.exe

Code function: 0_2_0009284F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0009284F

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	Path Interception	Path Interception	1 Obfuscated Files or Information	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
alternateshell.exe	0%	Virustotal	Browse
alternateshell.exe	0%	Metadefender	Browse
alternateshell.exe	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	614316
Start date and time: 23/04/202210:59:43	2022-04-23 10:59:43 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	alternateshell.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean4.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.4% (good quality ratio 91.1%) Quality average: 79.2% Quality standard deviation: 31.4%
HCA Information:	Successful, ratio: 94% Number of executed functions: 5 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.40.136.238
Excluded domains from analysis (whitelisted): iris-de-prod-azsc-frc-b.francecentral.cloudapp.azure.com, store-images.s-microsoft.com, arc.trafficmanager.net, arc.msn.com

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.106728522496812
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	alternateshell.exe
File size:	97992
MD5:	9ec3d89978c9a2ea2a7454d2913d79d2
SHA1:	178f6491b30329f7946d0ba2c9d484e7d363ec6d
SHA256:	7acd2e8f32235743d25b48d9b679b553e60a6348e13edd4f7eab6aee79fefe2c
SHA512:	0d06435bcf7b5e1b7cb4d13ecff8048e8ed90dda953dab9ba5fddb7467d6474ca57a3d070feb5162b55e070ead2087ba4ab39ef4b0989ed0684bda84275c8f9b
SSDEEP:	1536:6iysMsz9FI3Fs6Z4HLN72NBNhFaaDvsoAKQ3XDk/wXiv:ssMs5W3u6yHWBVU/nY/wk
TLSH:	BAA36C82B690C4B2D47D4A3068B7D6A1193F7C52BA70521F36BEB36D1FB2392147931B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.....mY..mY..mYd^.Yu.mYd^.Yw.mYd^.YF.mYv..Yx.mY..lY8.mYd^.Y~.mYd^.Y~.mYd^.Y~.mYRich..mY........PE..L....A_Y.................H.

File Icon


Icon Hash:	f8f09a9ab6e2c478

Static PE Info

General

Entrypoint:	0x40142f
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x595F41C6 [Fri Jul 7 08:09:42 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	6c22b430b335a4c5df9dfac22085a338

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	12/6/2016 4:00:00 PM 12/7/2019 3:59:59 PM
Subject Chain	CN=JWTS, O=JWTS, STREET=105 RUE DE L ABBE GROULT, L=Paris, S=Paris, PostalCode=75015, C=FR
Version:	3
Thumbprint MD5:	A628AE2A47F43E753AFCE759375AE223
Thumbprint SHA-1:	0A5056EF8D5A22AA72B8B23E6D8F481D578ED32D
Thumbprint SHA-256:	5F7AFAC78212668738727EB174DC5D4DE230EC739A7904AC191804D5C6368C49
Serial:	4656DAA8B8B1F3E94BB8DBC46B5026C6

Entrypoint Preview

Instruction
call 00007F5A444BE6B0h
jmp 00007F5A444BD12Ah
cmp ecx, dword ptr [00409050h]
jne 00007F5A444BD294h
rep ret
jmp 00007F5A444BE737h
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov edx, eax
mov cx, word ptr [eax]
add eax, 02h
test cx, cx
jne 00007F5A444BD287h
mov cx, word ptr [ebp+0Ch]
sub eax, 02h
cmp eax, edx
je 00007F5A444BD297h
cmp word ptr [eax], cx
jne 00007F5A444BD286h
cmp word ptr [eax], cx
je 00007F5A444BD294h
xor eax, eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push ebx
mov ebx, dword ptr [ebp+0Ch]
cmp word ptr [ebx], 0000h
push edi
mov edi, eax
je 00007F5A444BD2D5h
movzx ecx, word ptr [eax]
test cx, cx
je 00007F5A444BD2CBh
mov edx, ecx
sub eax, ebx
mov ecx, dword ptr [ebp+0Ch]
test dx, dx
je 00007F5A444BD2ABh
movzx edx, word ptr [ecx]
test dx, dx
je 00007F5A444BD2BDh
movzx ebx, word ptr [eax+ecx]
sub ebx, edx
jne 00007F5A444BD29Bh
add ecx, 02h
cmp word ptr [eax+ecx], bx
jne 00007F5A444BD279h
cmp word ptr [ecx], 0000h
je 00007F5A444BD2A6h
add edi, 02h
movzx edx, word ptr [edi]
add eax, 02h
test dx, dx
jne 00007F5A444BD25Dh
xor eax, eax
pop edi
pop ebx
pop ebp
ret
mov eax, edi
jmp 00007F5A444BD28Ah
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
cmp dword ptr [eax], E06D7363h
jne 00007F5A444BD2BCh
cmp dword ptr [eax+10h], 03h
jne 00007F5A444BD2B6h
mov eax, dword ptr [eax+14h]
cmp eax, 19930520h

Rich Headers

Programming Language:

[LNK] VS2010 SP1 build 40219
[ASM] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[ C ] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7b0c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb000	0xdd20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x16200	0x1cc8	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x19000	0x5cc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6140	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x7890	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6000	0x10c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x46a2	0x4800	False	0.616048177083	data	6.46027549604	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x6000	0x2142	0x2200	False	0.340533088235	data	4.71286861664	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x18c0	0xc00	False	0.213216145833	data	2.47173833754	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xb000	0xdd20	0xde00	False	0.439629082207	data	5.66526402542	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x19000	0x81c	0xa00	False	0.515625	data	4.62724530341	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xb388	0xa68	dBase IV DBT of \200.DBF, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0xbdf0	0x668	data	English	United States
RT_ICON	0xc458	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2415919103, next used block 7376776	English	United States
RT_ICON	0xc740	0x1e8	data	English	United States
RT_ICON	0xc928	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xca50	0x1628	dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 4009030900, next used block 4008636142	English	United States
RT_ICON	0xe078	0xea8	data	English	United States
RT_ICON	0xef20	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0xf7c8	0x6c8	data	English	United States
RT_ICON	0xfe90	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x103f8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 64767, next used block 4294901760	English	United States
RT_ICON	0x14620	0x25a8	data	English	United States
RT_ICON	0x16bc8	0x10a8	data	English	United States
RT_ICON	0x17c70	0x988	data	English	United States
RT_ICON	0x185f8	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_GROUP_ICON	0x18a60	0xd8	data	English	United States
RT_MANIFEST	0x18b38	0x1e8	ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetCommandLineW, WaitForSingleObject, GetExitCodeProcess, GetFileAttributesW, GetModuleFileNameW, SetCurrentDirectoryW, CloseHandle, GetStringTypeW, MultiByteToWideChar, LCMapStringW, HeapReAlloc, HeapAlloc, GetCommandLineA, HeapSetInformation, SetUnhandledExceptionFilter, GetProcAddress, GetModuleHandleW, ExitProcess, DecodePointer, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, GetStartupInfoW, DeleteCriticalSection, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, GetLastError, InterlockedDecrement, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, LeaveCriticalSection, EnterCriticalSection, LoadLibraryW, HeapFree, Sleep, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RtlUnwind, HeapSize, IsProcessorFeaturePresent
USER32.dll	MessageBoxW
SHELL32.dll	ShellExecuteExW, CommandLineToArgvW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• alternateshell.exe

Click to jump to process

Memory Usage

• alternateshell.exe

Click to jump to process

System Behavior

Analysis Process: alternateshell.exePID: 6636, Parent PID: 5100

Function Logs

General

Target ID:	0
Start time:	11:00:41
Start date:	23/04/2022
Path:	C:\Users\user\Desktop\alternateshell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\alternateshell.exe"
Imagebase:	0x90000
File size:	97992 bytes
MD5 hash:	9EC3D89978C9A2EA2A7454D2913D79D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

File Attributes Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Terminated

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: alternateshell.exePID: 6636, Parent PID: 5100COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.4%
Total number of Nodes:	972
Total number of Limit Nodes:	18

Executed Functions

Function 00091000 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 203
synchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00091000() {
				signed int _v8;
				short _v528;
				char _v1048;
				char _v66584;
				void* _v66588;
				long _v66592;
				int _v66596;
				struct _SHELLEXECUTEINFOW _v66656;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t57;
				short* _t61;
				long _t64;
				void* _t70;
				WCHAR* _t71;
				unsigned int _t72;
				short* _t76;
				void* _t77;
				unsigned int _t78;
				void* _t81;
				intOrPtr* _t92;
				WCHAR* _t99;
				WCHAR* _t101;
				signed int _t104;
				signed int _t105;
				short _t106;
				void _t107;
				signed int _t109;
				short _t114;
				short _t115;
				void _t116;
				void _t117;
				signed int _t119;
				int _t122;
				signed int _t124;
				intOrPtr _t130;
				short _t134;
				signed short* _t135;
				void* _t138;
				short _t139;
				void* _t140;
				void* _t142;
				short* _t143;
				void* _t145;
				void* _t147;
				void* _t153;
				void* _t157;
				short* _t158;
				void* _t160;
				intOrPtr* _t161;
				void* _t162;
				void* _t163;
				signed int _t165;

				E00095670(0x1045c);
				_t57 =  *0x99050; // 0x4b09c3c4
				_v8 = _t57 ^ _t165;
				GetModuleFileNameW(0,  &_v528, 0x104);
				_t61 = E00091448( &_v528, 0x5c);
				_t4 = _t61 + 2; // 0x2
				_t99 = _t4;
				_t101 = _t99;
				_t5 =  &(_t101[1]); // 0x4
				_t158 = _t5;
				do {
					_t134 =  *_t101;
					_t101 =  &(_t101[1]);
				} while (_t134 != 0);
				_t7 = (_t101 - _t158 >> 1) * 2; // -6
				_t143 = _t99 + _t7 - 8;
				_t135 = L".bin";
				_t160 = _t143 - _t135;
				do {
					_t104 =  *_t135 & 0x0000ffff;
					 *(_t160 + _t135) = _t104;
					_t135 =  &(_t135[1]);
				} while (_t104 != 0);
				 *_t61 = 0;
				SetCurrentDirectoryW( &_v528);
				_t64 = GetFileAttributesW(_t99); // executed
				if(_t64 != 0xffffffff) {
					_t161 = CommandLineToArgvW(GetCommandLineW(),  &_v66596);
					_t145 = GetCommandLineW();
					_v66588 = _t145;
					if(_t145 == E00091476(_t145,  *_t161)) {
						_t92 =  *_t161;
						_t14 = _t92 + 2; // 0x2
						_t142 = _t14;
						do {
							_t130 =  *_t92;
							_t92 = _t92 + 2;
						} while (_t130 != 0);
						_t16 = (_t92 - _t142 >> 1) * 2; // 0x2
						_v66588 = _t145 + _t16 + 2;
					}
					_t70 = 0;
					do {
						_t19 = _t70 + "\""; // 0x22
						_t105 =  *_t19 & 0x0000ffff;
						 *(_t165 + _t70 - 0x10414) = _t105;
						_t70 = _t70 + 2;
					} while (_t105 != 0);
					_t71 = _t99;
					_t138 = _t99;
					do {
						_t106 =  *_t71;
						_t71 =  &(_t71[1]);
					} while (_t106 != 0);
					_t72 = _t71 - _t138;
					_t147 =  &_v66584 + 0xfffffffe;
					do {
						_t107 =  *(_t147 + 2);
						_t147 = _t147 + 2;
					} while (_t107 != 0);
					_t109 = _t72 >> 2;
					_t162 = _t138;
					_t76 = memcpy(_t162 + _t109 + _t109, _t162, memcpy(_t147, _t162, _t109 << 2) & 0x00000003) + 0xfffffffe;
					do {
						_t114 = _t76[1];
						_t76 =  &(_t76[1]);
					} while (_t114 != 0);
					_t115 = L"\" "; // 0x200022
					_t139 =  *0x97874; // 0x0
					 *_t76 = _t115;
					_t76[2] = _t139;
					_t77 = _v66588;
					_t140 = _t77;
					do {
						_t116 =  *_t77;
						_t77 = _t77 + 2;
					} while (_t116 != 0);
					_t78 = _t77 - _t140;
					_t153 =  &_v66584 + 0xfffffffe;
					do {
						_t117 =  *(_t153 + 2);
						_t153 = _t153 + 2;
					} while (_t117 != 0);
					_t119 = _t78 >> 2;
					_t163 = _t140;
					_t122 = memcpy(_t153, _t163, _t119 << 2) & 0x00000003;
					memcpy(_t163 + _t119 + _t119, _t163, _t122);
					_t157 = _t163 + _t122 + _t122;
					_t81 = 0;
					do {
						_t32 = _t81 + L"svcr.exe"; // 0x760073
						_t124 =  *_t32 & 0x0000ffff;
						 *(_t165 + _t81 - 0x414) = _t124;
						_t81 = _t81 + 2;
					} while (_t124 != 0);
					_v66592 = 0;
					E00094880( &(_v66656.fMask), 0, 0x38);
					_t141 =  &_v66584;
					_v66656.cbSize = 0x3c;
					_v66656.fMask = 0x40;
					_v66656.hwnd = 0;
					_v66656.lpVerb = 0;
					_v66656.lpFile =  &_v1048;
					_v66656.lpParameters =  &_v66584;
					_v66656.lpDirectory = 0;
					_v66656.nShow = 5;
					_v66656.hInstApp = 0;
					if(ShellExecuteExW( &_v66656) != 0) {
						WaitForSingleObject(_v66656.hProcess, 0xffffffff);
						_t141 =  &_v66592;
						GetExitCodeProcess(_v66656.hProcess,  &_v66592);
						CloseHandle(_v66656.hProcess);
					}
					return E00091439(_v66592, _t99, _v8 ^ _t165, _t141, _t157, 0);
				} else {
					 *_t143 = 0; // executed
					MessageBoxW(0, L"File not found", _t99, 0x10); // executed
					return E00091439(1, _t99, _v8 ^ _t165, 0, _t143, _t160);
				}
			}

0x00091008
0x0009100d
0x00091014
0x00091028
0x00091037
0x0009103c
0x0009103c
0x0009103f
0x00091044
0x00091044
0x00091047
0x00091047
0x0009104a
0x0009104d
0x00091056
0x00091056
0x0009105a
0x00091061
0x00091063
0x00091063
0x00091066
0x0009106a
0x0009106d
0x00091074
0x0009107e
0x00091085
0x0009108e
0x000910d0
0x000910d4
0x000910da
0x000910ea
0x000910ec
0x000910ee
0x000910ee
0x000910f1
0x000910f1
0x000910f4
0x000910f7
0x00091100
0x00091104
0x00091104
0x0009110a
0x00091110
0x00091110
0x00091110
0x00091117
0x0009111f
0x00091122
0x00091127
0x00091129
0x00091130
0x00091130
0x00091133
0x00091136
0x00091141
0x00091143
0x00091146
0x00091146
0x0009114a
0x0009114d
0x00091154
0x00091157
0x00091168
0x00091170
0x00091170
0x00091174
0x00091177
0x0009117c
0x00091182
0x00091189
0x0009118b
0x0009118f
0x00091195
0x00091197
0x00091197
0x0009119a
0x0009119d
0x000911a8
0x000911aa
0x000911b0
0x000911b0
0x000911b4
0x000911b7
0x000911be
0x000911c1
0x000911c7
0x000911ca
0x000911ca
0x000911ce
0x000911d0
0x000911d0
0x000911d0
0x000911d7
0x000911df
0x000911e2
0x000911f1
0x000911f7
0x0009120b
0x00091212
0x0009121c
0x00091226
0x0009122c
0x00091232
0x00091238
0x0009123e
0x00091244
0x0009124e
0x0009125c
0x00091267
0x00091273
0x0009127b
0x00091288
0x00091288
0x000912a4
0x00091090
0x0009109b
0x0009109e
0x000910b9
0x000910b9

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00091028
_wcsrchr.LIBCMT ref: 00091037
SetCurrentDirectoryW.KERNEL32(?), ref: 0009107E
GetFileAttributesW.KERNELBASE(00000002), ref: 00091085
MessageBoxW.USER32(00000000,File not found,00000002,00000010), ref: 0009109E
GetCommandLineW.KERNEL32(?), ref: 000910C7
CommandLineToArgvW.SHELL32(00000000), ref: 000910CA
GetCommandLineW.KERNEL32 ref: 000910D2
_memset.LIBCMT ref: 000911F7
ShellExecuteExW.SHELL32(?), ref: 00091254
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00091267
GetExitCodeProcess.KERNEL32 ref: 0009127B

Strings

@, xrefs: 0009121C
.bin, xrefs: 0009105A
File not found, xrefs: 00091095
<, xrefs: 00091212

Memory Dump Source

Source File: 00000000.00000002.246995229.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.246984977.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247011516.0000000000096000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247016370.0000000000099000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247021033.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_alternateshell.jbxd

Similarity

API ID: CommandLine$File$ArgvAttributesCodeCurrentDirectoryExecuteExitMessageModuleNameObjectProcessShellSingleWait_memset_wcsrchr
String ID: .bin$<$@$File not found
API String ID: 3099538705-2818582479
Opcode ID: faeac68f449992d9a693f88c1c7e4af3a883d130228b8c17f7f66ff9a3b797f8
Instruction ID: ebc97f51b575be8e456ae98c8d5c82ca764e20bccd29d5179e0c96f47a0d05c9
Opcode Fuzzy Hash: faeac68f449992d9a693f88c1c7e4af3a883d130228b8c17f7f66ff9a3b797f8
Instruction Fuzzy Hash: 5A71C671A002199BCF24DF64CC95AEB73F4FF84310F0041A9EA4AD7291EBB56AC5DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00091551 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00091551(int _a4) {

				E00091526(_a4);
				ExitProcess(_a4);
			}

0x00091559
0x00091562

APIs

___crtCorExitProcess.LIBCMT ref: 00091559

Part of subcall function 00091526: GetModuleHandleW.KERNEL32(mscoree.dll,?,0009155E,?,?,00094965,000000FF,0000001E,00000001,00000000,00000000,?,00093780,?,00000001,?), ref: 00091530
Part of subcall function 00091526: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00091540

ExitProcess.KERNEL32 ref: 00091562

Memory Dump Source

Source File: 00000000.00000002.246995229.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.246984977.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247011516.0000000000096000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247016370.0000000000099000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247021033.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_alternateshell.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 0919f66d2f5745d37786a46cf73c32a1041470f9bc6828a22b10a24d7c6232dd
Instruction ID: 252ca4fa5dcf054fca0ffcc888ca7f4632cd3c4def95fdba71439343e6f57bd4
Opcode Fuzzy Hash: 0919f66d2f5745d37786a46cf73c32a1041470f9bc6828a22b10a24d7c6232dd
Instruction Fuzzy Hash: F4B09B31000108BBDF112F11DC098893F15EBC03507514011F91505131DF769D519581

Uniqueness

Uniqueness Score: -1.00%

Function 000949CA Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E000949CA(signed int _a4, signed int _a8, long _a12) {
				void* _t10;
				long _t11;
				long _t12;
				signed int _t13;
				signed int _t17;
				long _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					__eflags = _t24;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
						__eflags = _t24;
					}
					goto L5;
					L6:
					_t10 = RtlAllocateHeap( *0x9a2a0, 8, _t24); // executed
					__eflags = 0;
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					__eflags =  *0x9a780;
					if( *0x9a780 == 0) {
						_t19 = _a12;
						__eflags = _t19;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						_t11 = E00092FB3(_t10, _t24);
						__eflags = _t11;
						if(_t11 != 0) {
							L5:
							_t10 = 0;
							__eflags = _t24 - 0xffffffe0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							__eflags = _t12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					_t27 = _t13 / _t17 - _a8;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E0009301D(_t27))) = 0xc;
						return 0;
					}
				}
				L15:
			}

0x000949cf
0x000949d4
0x000949f1
0x000949f6
0x000949f8
0x000949fa
0x000949fc
0x000949fc
0x000949fc
0x00000000
0x00094a04
0x00094a0d
0x00094a13
0x00094a15
0x00000000
0x00000000
0x00094a49
0x00094a4b
0x00000000
0x00094a17
0x00094a17
0x00094a1e
0x00094a3c
0x00094a3f
0x00094a41
0x00094a43
0x00094a43
0x00094a20
0x00094a21
0x00094a27
0x00094a29
0x000949fd
0x000949fd
0x000949ff
0x00094a02
0x00000000
0x00000000
0x00000000
0x00000000
0x00094a2b
0x00094a2b
0x00094a2e
0x00094a30
0x00094a32
0x00094a32
0x00094a38
0x00094a38
0x00094a29
0x00000000
0x000949d6
0x000949da
0x000949dd
0x000949e0
0x00000000
0x000949e2
0x000949e7
0x000949f0
0x000949f0
0x000949e0
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,000937CA,?,?,00000000,00000000,00000000,?,00092324,00000001,00000214,?,00091872), ref: 00094A0D

Part of subcall function 0009301D: __getptd_noexit.LIBCMT ref: 0009301D

Memory Dump Source

Source File: 00000000.00000002.246995229.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.246984977.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247011516.0000000000096000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247016370.0000000000099000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247021033.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_alternateshell.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 3357a536eeb983f79bb4a0e5e5e30089aa818eb5e2e55b89a268ad9f62d61ea1
Instruction ID: 63df1756454d78e76cdb559ae380793f9db452bc78c0ea484a4c7e9d221349a6
Opcode Fuzzy Hash: 3357a536eeb983f79bb4a0e5e5e30089aa818eb5e2e55b89a268ad9f62d61ea1
Instruction Fuzzy Hash: DB01B1312452119AEF689F76DC54F6B37D8BB81360F00462AE815CB1A1D7748C02E791

Uniqueness

Uniqueness Score: -1.00%

Function 000917A9 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E000917A9(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t9;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E00091669(_t3, _t4, _t5, _t6, _t9); // executed
				return _t2;
			}

0x000917ae
0x000917b0
0x000917b2
0x000917b5
0x000917be

APIs

_doexit.LIBCMT ref: 000917B5

Part of subcall function 00091669: __lock.LIBCMT ref: 00091677
Part of subcall function 00091669: RtlDecodePointer.NTDLL(000979A0,00000020,000917D0,?,00000001,00000000,?,00091810,000000FF,?,00092BDB,00000011,?,?,0009228F,0000000D), ref: 000916B3
Part of subcall function 00091669: DecodePointer.KERNEL32(?,00091810,000000FF,?,00092BDB,00000011,?,?,0009228F,0000000D,?,00091872,00000003), ref: 000916C4
Part of subcall function 00091669: DecodePointer.KERNEL32(-00000004,?,00091810,000000FF,?,00092BDB,00000011,?,?,0009228F,0000000D,?,00091872,00000003), ref: 000916EA
Part of subcall function 00091669: DecodePointer.KERNEL32(?,00091810,000000FF,?,00092BDB,00000011,?,?,0009228F,0000000D,?,00091872,00000003), ref: 000916FD
Part of subcall function 00091669: DecodePointer.KERNEL32(?,00091810,000000FF,?,00092BDB,00000011,?,?,0009228F,0000000D,?,00091872,00000003), ref: 00091707

Memory Dump Source

Source File: 00000000.00000002.246995229.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.246984977.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247011516.0000000000096000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247016370.0000000000099000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247021033.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_alternateshell.jbxd

Similarity

API ID: DecodePointer$__lock_doexit
String ID:
API String ID: 3343572566-0
Opcode ID: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
Instruction ID: 4c8c4062dcfe786a33c299c1907986b9efd86a4b841279fb8b283d31fd5d82a5
Opcode Fuzzy Hash: b7f9ddcf0c01e83a82a0f1c6c29853ea6c7db7599a0eb0d3eddd439c3244ce42
Instruction Fuzzy Hash: 9EB01232A8030C77DF202542EC07F863F0D87C1BA0F280020FE0C1D1E2A9E3B96190C9

Uniqueness

Uniqueness Score: -1.00%

Function 000921C2 Relevance: 1.5, APIs: 1, Instructions: 3
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000,000916E0,?,00091810,000000FF,?,00092BDB,00000011,?,?,0009228F,0000000D,?,00091872,00000003), ref: 000921C4

Memory Dump Source

Source File: 00000000.00000002.246995229.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.246984977.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247011516.0000000000096000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247016370.0000000000099000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247021033.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_alternateshell.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 3221543673582f874f52d21363128cc88d063c98cc06bc142a4ca70d5a9ac98f
Instruction ID: a5fb41dc557ab68a1c0c02e949e0d1ae0d7af091f855144f05beb64016198225
Opcode Fuzzy Hash: 3221543673582f874f52d21363128cc88d063c98cc06bc142a4ca70d5a9ac98f
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00091439 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00091439(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x99050; // 0x4b09c3c4
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x9a3b0 = _t6;
				 *0x9a3ac = _t22;
				 *0x9a3a8 = _t25;
				 *0x9a3a4 = _t21;
				 *0x9a3a0 = _t27;
				 *0x9a39c = _t26;
				 *0x9a3c8 = ss;
				 *0x9a3bc = cs;
				 *0x9a398 = ds;
				 *0x9a394 = es;
				 *0x9a390 = fs;
				 *0x9a38c = gs;
				asm("pushfd");
				_pop( *0x9a3c0);
				 *0x9a3b4 =  *_t31;
				 *0x9a3b8 = _v0;
				 *0x9a3c4 =  &_a4;
				 *0x9a300 = 0x10001;
				_t11 =  *0x9a3b8; // 0x0
				 *0x9a2b4 = _t11;
				 *0x9a2a8 = 0xc0000409;
				 *0x9a2ac = 1;
				_t12 =  *0x99050; // 0x4b09c3c4
				_v812 = _t12;
				_t13 =  *0x99054; // 0xb4f63c3b
				_v808 = _t13;
				 *0x9a2f8 = IsDebuggerPresent();
				_push(1);
				E000944B2(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x96c60);
				if( *0x9a2f8 == 0) {
					_push(1);
					E000944B2(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00091439
0x00091439
0x00091439
0x00091439
0x00091439
0x00091439
0x00091439
0x0009143f
0x00091441
0x00091441
0x000928f5
0x000928fa
0x00092900
0x00092906
0x0009290c
0x00092912
0x00092918
0x0009291f
0x00092926
0x0009292d
0x00092934
0x0009293b
0x00092942
0x00092943
0x0009294c
0x00092954
0x0009295c
0x00092967
0x00092971
0x00092976
0x0009297b
0x00092985
0x0009298f
0x00092994
0x0009299a
0x0009299f
0x000929ab
0x000929b0
0x000929b2
0x000929ba
0x000929c5
0x000929d2
0x000929d4
0x000929d6
0x000929db
0x000929ef

APIs

IsDebuggerPresent.KERNEL32 ref: 000929A5
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000929BA
UnhandledExceptionFilter.KERNEL32(00096C60), ref: 000929C5
GetCurrentProcess.KERNEL32(C0000409), ref: 000929E1
TerminateProcess.KERNEL32(00000000), ref: 000929E8

Memory Dump Source

Source File: 00000000.00000002.246995229.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.246984977.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247011516.0000000000096000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247016370.0000000000099000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247021033.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_alternateshell.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: bfc2937e27f6f1700d2948ea27d40def3b32cbaaf8f1d005eda83be613c925d3
Instruction ID: 4d9ed93ab358b7469338188e1a6b006849953ce302284f80279064cedb8ea68e
Opcode Fuzzy Hash: bfc2937e27f6f1700d2948ea27d40def3b32cbaaf8f1d005eda83be613c925d3
Instruction Fuzzy Hash: 2421CEB4A00304EFEB41DF69ED896553BB4BB4A710F50811BF908872A1E7BD5A848F96

Uniqueness

Uniqueness Score: -1.00%

Function 000924BB Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E000924BB(void* __ebx, void* __edx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t14;
				void* _t15;
				void* _t16;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				void* _t35;
				struct HINSTANCE__* _t36;
				intOrPtr* _t37;
				void* _t40;
				intOrPtr* _t42;
				void* _t43;

				_t35 = __edx;
				_t30 = __ebx;
				_t36 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t36 != 0) {
					 *0x9a290 = GetProcAddress(_t36, "FlsAlloc");
					 *0x9a294 = GetProcAddress(_t36, "FlsGetValue");
					 *0x9a298 = GetProcAddress(_t36, "FlsSetValue");
					_t7 = GetProcAddress(_t36, "FlsFree");
					__eflags =  *0x9a290;
					_t40 = TlsSetValue;
					 *0x9a29c = _t7;
					if( *0x9a290 == 0) {
						L6:
						 *0x9a294 = TlsGetValue;
						 *0x9a290 = 0x921cb;
						 *0x9a298 = _t40;
						 *0x9a29c = TlsFree;
					} else {
						__eflags =  *0x9a294;
						if( *0x9a294 == 0) {
							goto L6;
						} else {
							__eflags =  *0x9a298;
							if( *0x9a298 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					 *0x9904c = _t10;
					__eflags = _t10 - 0xffffffff;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x9a294);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E0009157B();
							_t42 = __imp__EncodePointer;
							_t14 =  *_t42( *0x9a290);
							 *0x9a290 = _t14;
							_t15 =  *_t42( *0x9a294);
							 *0x9a294 = _t15;
							_t16 =  *_t42( *0x9a298);
							 *0x9a298 = _t16;
							 *0x9a29c =  *_t42( *0x9a29c);
							_t18 = E00092A3A();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E00092208();
								goto L15;
							} else {
								_t37 = __imp__DecodePointer;
								_t21 =  *((intOrPtr*)( *_t37()))( *0x9a290, E0009238C);
								 *0x99048 = _t21;
								__eflags = _t21 - 0xffffffff;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t43 = E000937B4(1, 0x214);
									__eflags = _t43;
									if(_t43 == 0) {
										goto L14;
									} else {
										__eflags =  *((intOrPtr*)( *_t37()))( *0x9a298,  *0x99048, _t43);
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t43);
											E00092245(_t30, _t35, _t37, _t43, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t43 + 4) =  *(_t43 + 4) | 0xffffffff;
											 *_t43 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E00092208();
					return 0;
				}
			}

0x000924bb
0x000924bb
0x000924c9
0x000924cd
0x000924ed
0x000924fa
0x00092507
0x0009250c
0x0009250e
0x00092515
0x0009251b
0x00092520
0x00092538
0x0009253d
0x00092547
0x00092551
0x00092557
0x00092522
0x00092522
0x00092529
0x00000000
0x0009252b
0x0009252b
0x00092532
0x00000000
0x00092534
0x00092534
0x00092536
0x00000000
0x00000000
0x00092536
0x00092532
0x00092529
0x0009255c
0x00092562
0x00092567
0x0009256a
0x00092631
0x00092631
0x00092631
0x00092570
0x00092577
0x00092579
0x0009257b
0x00000000
0x00092581
0x00092581
0x0009258c
0x00092592
0x0009259a
0x0009259f
0x000925a7
0x000925ac
0x000925b4
0x000925bb
0x000925c0
0x000925c5
0x000925c7
0x0009262c
0x0009262c
0x00000000
0x000925c9
0x000925c9
0x000925dc
0x000925de
0x000925e3
0x000925e6
0x00000000
0x000925e8
0x000925f4
0x000925f8
0x000925fa
0x00000000
0x000925fc
0x0009260d
0x0009260f
0x00000000
0x00092611
0x00092611
0x00092613
0x00092614
0x0009261b
0x00092621
0x00092625
0x00092629
0x00092629
0x0009260f
0x000925fa
0x000925e6
0x000925c7
0x0009257b
0x00092635
0x000924cf
0x000924cf
0x000924d7
0x000924d7

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,0009134E,00097980,00000014), ref: 000924C3
__mtterm.LIBCMT ref: 000924CF

Part of subcall function 00092208: DecodePointer.KERNEL32(00000005,00092631,?,0009134E,00097980,00000014), ref: 00092219
Part of subcall function 00092208: TlsFree.KERNEL32(00000019,00092631,?,0009134E,00097980,00000014), ref: 00092233
Part of subcall function 00092208: DeleteCriticalSection.KERNEL32(00000000,00000000,774BF3A0,?,00092631,?,0009134E,00097980,00000014), ref: 00092AA1
Part of subcall function 00092208: _free.LIBCMT ref: 00092AA4
Part of subcall function 00092208: DeleteCriticalSection.KERNEL32(00000019,774BF3A0,?,00092631,?,0009134E,00097980,00000014), ref: 00092ACB

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 000924E5
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 000924F2
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 000924FF
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0009250C
TlsAlloc.KERNEL32(?,0009134E,00097980,00000014), ref: 0009255C
TlsSetValue.KERNEL32(00000000,?,0009134E,00097980,00000014), ref: 00092577
__init_pointers.LIBCMT ref: 00092581
EncodePointer.KERNEL32(?,0009134E,00097980,00000014), ref: 00092592
EncodePointer.KERNEL32(?,0009134E,00097980,00000014), ref: 0009259F
EncodePointer.KERNEL32(?,0009134E,00097980,00000014), ref: 000925AC
EncodePointer.KERNEL32(?,0009134E,00097980,00000014), ref: 000925B9
DecodePointer.KERNEL32(0009238C,?,0009134E,00097980,00000014), ref: 000925DA
__calloc_crt.LIBCMT ref: 000925EF
DecodePointer.KERNEL32(00000000,?,0009134E,00097980,00000014), ref: 00092609
GetCurrentThreadId.KERNEL32 ref: 0009261B

Strings

FlsGetValue, xrefs: 000924E7
KERNEL32.DLL, xrefs: 000924BE
FlsAlloc, xrefs: 000924DF
FlsFree, xrefs: 00092501
FlsSetValue, xrefs: 000924F4

Memory Dump Source

Source File: 00000000.00000002.246995229.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.246984977.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247011516.0000000000096000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247016370.0000000000099000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247021033.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_alternateshell.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: 65f54d48cb205d7343e0a1162137bbb9f9f74b1b300558d5652fe6bcd14568e9
Instruction ID: 90436bcf3e6d3c31e987a055bfbe451e4c7e4d4e1dcfc0942bf66872918cffd2
Opcode Fuzzy Hash: 65f54d48cb205d7343e0a1162137bbb9f9f74b1b300558d5652fe6bcd14568e9
Instruction Fuzzy Hash: 78314F71A01211AEFF12AB78AE4A5573FB0FBC5B60B15051BE518D22B1DB3E8441EE92

Uniqueness

Uniqueness Score: -1.00%

Function 00092245 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00092245(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t26;
				intOrPtr _t30;
				intOrPtr _t40;
				void* _t41;

				_t31 = __ebx;
				_push(8);
				_push(0x979c0);
				E00092660(__ebx, __edi, __esi);
				GetModuleHandleW(L"KERNEL32.DLL");
				_t40 =  *((intOrPtr*)(_t41 + 8));
				 *((intOrPtr*)(_t40 + 0x5c)) = 0x96b78;
				 *(_t40 + 8) =  *(_t40 + 8) & 0x00000000;
				 *((intOrPtr*)(_t40 + 0x14)) = 1;
				 *((intOrPtr*)(_t40 + 0x70)) = 1;
				 *((char*)(_t40 + 0xc8)) = 0x43;
				 *((char*)(_t40 + 0x14b)) = 0x43;
				 *(_t40 + 0x68) = 0x99310;
				E00092BB4(__ebx, 1, 0xd);
				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
				InterlockedIncrement( *(_t40 + 0x68));
				 *(_t41 - 4) = 0xfffffffe;
				E000922E7();
				E00092BB4(_t31, 1, 0xc);
				 *(_t41 - 4) = 1;
				_t26 =  *((intOrPtr*)(_t41 + 0xc));
				 *((intOrPtr*)(_t40 + 0x6c)) = _t26;
				if(_t26 == 0) {
					_t30 =  *0x99a78; // 0x999a0
					 *((intOrPtr*)(_t40 + 0x6c)) = _t30;
				}
				E00094024( *((intOrPtr*)(_t40 + 0x6c)));
				 *(_t41 - 4) = 0xfffffffe;
				return E000926A5(E000922F0());
			}

0x00092245
0x00092245
0x00092247
0x0009224c
0x00092256
0x0009225c
0x0009225f
0x00092266
0x0009226d
0x00092270
0x00092273
0x0009227a
0x00092281
0x0009228a
0x00092290
0x00092297
0x0009229d
0x000922a4
0x000922ab
0x000922b1
0x000922b4
0x000922b7
0x000922bc
0x000922be
0x000922c3
0x000922c3
0x000922c9
0x000922cf
0x000922e0

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,000979C0,00000008,0009234D,00000000,00000000,?,00091872,00000003), ref: 00092256
__lock.LIBCMT ref: 0009228A

Part of subcall function 00092BB4: __mtinitlocknum.LIBCMT ref: 00092BCA
Part of subcall function 00092BB4: __amsg_exit.LIBCMT ref: 00092BD6
Part of subcall function 00092BB4: EnterCriticalSection.KERNEL32(?,?,?,0009228F,0000000D,?,00091872,00000003), ref: 00092BDE

InterlockedIncrement.KERNEL32(00099310), ref: 00092297
__lock.LIBCMT ref: 000922AB
___addlocaleref.LIBCMT ref: 000922C9

Strings

KERNEL32.DLL, xrefs: 00092251
xk, xrefs: 0009225F

Memory Dump Source

Source File: 00000000.00000002.246995229.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.246984977.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247011516.0000000000096000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247016370.0000000000099000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247021033.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_alternateshell.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL$xk
API String ID: 637971194-616238704
Opcode ID: 9b313cd7a647b62f695df39f171f595640b785c5c4f0ae30a16a15c588828712
Instruction ID: 115b71b7f74dd412e6d5ec48de7926d190aad50d465ca0980c037062ff51b210
Opcode Fuzzy Hash: 9b313cd7a647b62f695df39f171f595640b785c5c4f0ae30a16a15c588828712
Instruction Fuzzy Hash: F0016D71405B00FBEF20AF69C806799BBF0BF40320F10894EE5D6976A2CBB5A644EB15

Uniqueness

Uniqueness Score: -1.00%

Function 00093A71 Relevance: 9.0, APIs: 6, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 80%

			E00093A71(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x97ab0);
				E00092660(__ebx, __edi, __esi);
				_t31 = E00092372(__ebx, _t35);
				_t15 =  *0x99a90; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00092BB4(_t25, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x99738; // 0xe815f8
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x99310;
								if(__eflags != 0) {
									E000936D6(_t33);
								}
							}
						}
						_t21 =  *0x99738; // 0xe815f8
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x99738; // 0xe815f8
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00093B0C();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					_push(0x20);
					E000917F3(_t29, _t38);
				}
				return E000926A5(_t33);
			}

0x00093a71
0x00093a71
0x00093a71
0x00093a71
0x00093a73
0x00093a78
0x00093a82
0x00093a84
0x00093a8c
0x00093aad
0x00093ab3
0x00093ab7
0x00093aba
0x00093abd
0x00093ac3
0x00093ac5
0x00093ac7
0x00093ad0
0x00093ad2
0x00093ad4
0x00093ada
0x00093add
0x00093ae2
0x00093ada
0x00093ad2
0x00093ae3
0x00093ae8
0x00093aeb
0x00093af1
0x00093af5
0x00093af5
0x00093afb
0x00093b02
0x00093a94
0x00093a94
0x00093a94
0x00093a97
0x00093a99
0x00093a9b
0x00093a9d
0x00093aa2
0x00093aaa

APIs

__getptd.LIBCMT ref: 00093A7D

Part of subcall function 00092372: __getptd_noexit.LIBCMT ref: 00092375
Part of subcall function 00092372: __amsg_exit.LIBCMT ref: 00092382

__amsg_exit.LIBCMT ref: 00093A9D
__lock.LIBCMT ref: 00093AAD
InterlockedDecrement.KERNEL32(?), ref: 00093ACA
_free.LIBCMT ref: 00093ADD
InterlockedIncrement.KERNEL32(00E815F8), ref: 00093AF5

Memory Dump Source

Source File: 00000000.00000002.246995229.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.246984977.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247011516.0000000000096000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247016370.0000000000099000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247021033.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_alternateshell.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 8c1ec00d5bc2345709edbdcb2ea5a953d89454280289ec9ae8055f243faf86e1
Instruction ID: 69fa1039ed6952c0ec8f0afaedb485ca900f6091acd192bb4983b6b54b2545ec
Opcode Fuzzy Hash: 8c1ec00d5bc2345709edbdcb2ea5a953d89454280289ec9ae8055f243faf86e1
Instruction Fuzzy Hash: 61018432A05611ABEF21AF6998467DEB7E0BF04710F04400AE841A72D2CB395B41FFD2

Uniqueness

Uniqueness Score: -1.00%

Function 00094A4C Relevance: 7.6, APIs: 5, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00094A4C(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t27;
				long _t30;

				if(_a4 != 0) {
					_push(__esi);
					_t30 = _a8;
					__eflags = _t30;
					if(_t30 != 0) {
						_push(__edi);
						while(1) {
							__eflags = _t30 - 0xffffffe0;
							if(_t30 > 0xffffffe0) {
								break;
							}
							__eflags = _t30;
							if(_t30 == 0) {
								_t30 = _t30 + 1;
								__eflags = _t30;
							}
							_t7 = HeapReAlloc( *0x9a2a0, 0, _a4, _t30);
							_t27 = _t7;
							__eflags = _t27;
							if(_t27 != 0) {
								L17:
								_t8 = _t27;
							} else {
								__eflags =  *0x9a780 - _t7;
								if(__eflags == 0) {
									_t9 = E0009301D(__eflags);
									 *_t9 = E00092FDB(GetLastError());
									goto L17;
								} else {
									__eflags = E00092FB3(_t7, _t30);
									if(__eflags == 0) {
										_t12 = E0009301D(__eflags);
										 *_t12 = E00092FDB(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00092FB3(_t6, _t30);
						 *((intOrPtr*)(E0009301D(__eflags))) = 0xc;
						goto L12;
					} else {
						E000936D6(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00094936(__edx, __edi, __esi, _a8);
				}
			}

0x00094a55
0x00094a62
0x00094a63
0x00094a66
0x00094a68
0x00094a77
0x00094aaa
0x00094aaa
0x00094aad
0x00000000
0x00000000
0x00094a7a
0x00094a7c
0x00094a7e
0x00094a7e
0x00094a7e
0x00094a8b
0x00094a91
0x00094a93
0x00094a95
0x00094af5
0x00094af5
0x00094a97
0x00094a97
0x00094a9d
0x00094adf
0x00094af3
0x00000000
0x00094a9f
0x00094aa6
0x00094aa8
0x00094ac7
0x00094adb
0x00094ac1
0x00094ac1
0x00094ac1
0x00000000
0x00000000
0x00000000
0x00094aa8
0x00094a9d
0x00000000
0x00094ac3
0x00094ab0
0x00094abb
0x00000000
0x00094a6a
0x00094a6d
0x00094a73
0x00094a73
0x00094ac4
0x00094ac6
0x00094a57
0x00094a61
0x00094a61

APIs

_malloc.LIBCMT ref: 00094A5A

Part of subcall function 00094936: __FF_MSGBANNER.LIBCMT ref: 0009494F
Part of subcall function 00094936: __NMSG_WRITE.LIBCMT ref: 00094956
Part of subcall function 00094936: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00093780,?,00000001,?,?,00092B3F,00000018,00097A30,0000000C,00092BCF), ref: 0009497B

_free.LIBCMT ref: 00094A6D

Memory Dump Source

Source File: 00000000.00000002.246995229.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.246984977.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247011516.0000000000096000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247016370.0000000000099000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247021033.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_alternateshell.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 160d49f60a0573b41593bda6d81a2f09625737e2ab868bc5386eaed07dc6ea18
Instruction ID: d344757178c79528bfed39b028e2d01b5600b5487787f8f97eec1772f3e5a4f3
Opcode Fuzzy Hash: 160d49f60a0573b41593bda6d81a2f09625737e2ab868bc5386eaed07dc6ea18
Instruction Fuzzy Hash: 2211EB325845107BCF712F74DC05E9A37D4AF80360F100536F85887292DB358D42BB95

Uniqueness

Uniqueness Score: -1.00%

Function 000942E4 Relevance: 7.5, APIs: 5, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E000942E4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t25;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_push(0xc);
				_push(0x97af0);
				E00092660(__ebx, __edi, __esi);
				_t28 = E00092372(__ebx, _t31);
				_t12 =  *0x99a90; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0) {
					L6:
					E00092BB4(_t20, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E00094297(_t29,  *0x99a78);
					 *(_t30 - 4) = 0xfffffffe;
					E00094351();
				} else {
					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E00092372(_t20, _t33) + 0x6c));
					}
				}
				_t34 = _t29;
				if(_t29 == 0) {
					_push(0x20);
					E000917F3(_t25, _t34);
				}
				return E000926A5(_t29);
			}

0x000942e4
0x000942e4
0x000942e4
0x000942e4
0x000942e4
0x000942e6
0x000942eb
0x000942f5
0x000942f7
0x000942ff
0x00094323
0x00094325
0x0009432b
0x00094335
0x00094340
0x00094343
0x0009434a
0x00094301
0x00094301
0x00094305
0x00000000
0x00094307
0x0009430c
0x0009430c
0x00094305
0x0009430f
0x00094311
0x00094313
0x00094315
0x0009431a
0x00094322

APIs

__getptd.LIBCMT ref: 000942F0

Part of subcall function 00092372: __getptd_noexit.LIBCMT ref: 00092375
Part of subcall function 00092372: __amsg_exit.LIBCMT ref: 00092382

__getptd.LIBCMT ref: 00094307
__amsg_exit.LIBCMT ref: 00094315
__lock.LIBCMT ref: 00094325
__updatetlocinfoEx_nolock.LIBCMT ref: 00094339

Memory Dump Source

Source File: 00000000.00000002.246995229.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.246984977.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247011516.0000000000096000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247016370.0000000000099000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247021033.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_alternateshell.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 012f10d465506e0013248f77ae0650d0738e006cc75643b26a30180aec6f61f9
Instruction ID: 86629f831f5d2b693f666af4527d4db321076e0a02be681966f5d23132c1a6c0
Opcode Fuzzy Hash: 012f10d465506e0013248f77ae0650d0738e006cc75643b26a30180aec6f61f9
Instruction Fuzzy Hash: D3F09032D05310AAEE21BB789803F8D37E0BF00720F108109F455666D3CB684B42BB56

Uniqueness

Uniqueness Score: -1.00%

Function 00092F67 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,00092FA0,00000000,00000000,00000000,00000000,00000000,000936D1,?,00091872,00000003), ref: 00092F72
__invoke_watson.LIBCMT ref: 00092F8E

Strings

aW`aW`, xrefs: 00092F6C

Memory Dump Source

Source File: 00000000.00000002.246995229.0000000000091000.00000020.00000001.01000000.00000003.sdmp, Offset: 00090000, based on PE: true

Associated: 00000000.00000002.246984977.0000000000090000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247011516.0000000000096000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247016370.0000000000099000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.247021033.000000000009B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_90000_alternateshell.jbxd

Similarity

API ID: DecodePointer__invoke_watson
String ID: aW`aW`
API String ID: 4034010525-35805422
Opcode ID: f9f1db970e276fb40bdac492d32b48aa3c0456a5b526c52e44136476c616b219
Instruction ID: 1f1265997f94962baf72ec03a4c5017a74adacbbc34ff52bb39ff14b01ed05b6
Opcode Fuzzy Hash: f9f1db970e276fb40bdac492d32b48aa3c0456a5b526c52e44136476c616b219
Instruction Fuzzy Hash: 7DE0B632104109BBDF012FA19C0A9AA3A6AEF54350B544470BE1480031DA36C870AB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report alternateshell.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: alternateshell.exePID: 6636, Parent PID: 5100

General

File Activities

File Opened

File Read

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities

Windows Analysis Report
alternateshell.exe

Function 00091000 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 203
synchronizationwindowCOMMON

Function 00091551 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 000949CA Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Function 000917A9 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Function 000921C2 Relevance: 1.5, APIs: 1, Instructions: 3
COMMONLIBRARYCODE

Function 00091439 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Function 000924BB Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Function 00092245 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40
COMMONLIBRARYCODE

Function 00093A71 Relevance: 9.0, APIs: 6, Instructions: 47
COMMONLIBRARYCODE

Function 00094A4C Relevance: 7.6, APIs: 5, Instructions: 68
COMMONLIBRARYCODE

Function 000942E4 Relevance: 7.5, APIs: 5, Instructions: 34
COMMONLIBRARYCODE