
Windows Analysis Report
ntrights.exe

Overview

General Information

Sample Name:ntrights.exe
Analysis ID:638122
MD5:416c43aeb17252ee33048bd1f277d2a5
SHA1:085deb77551f9f6201e5aa352b62cad91c3005e5
SHA256:f46baa1b6227226518e42263e9b4808f81c27d060207df160f9ac64deae4f4f5

Detection

Score:0
Range:0 - 100
Whitelisted:true
Confidence:100%

Signatures

Uses 32bit PE files
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function

Classification

Label: clean (clean4.winEXE@4/2@0/0)

Process Tree
  • System is start
  • ntrights.exe (PID: 7884, cmdline: "C:\Users\user\Desktop\ntrights.exe", MD5: 416C43AEB17252EE33048BD1F277D2A5)
    • conhost.exe (PID: 7868, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
  • ntrights.exe (PID: 5544, cmdline: "C:\Users\user\Desktop\ntrights.exe", MD5: 416C43AEB17252EE33048BD1F277D2A5)
    • conhost.exe (PID: 5384, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

No malicious signatures matched; the signatures listed above are informational, and reading them against the code shows they fire on compiler-generated runtime code rather than on anything the program does. The entry point at 0x1002d03 (GetProcessHeap, HeapAlloc, GetVersionExA, HeapFree, GetCommandLineA; in the disassembly below the 0x94-byte allocation is the OSVERSIONINFOA structure) is the C runtime start-up, so the "debugger detection (GetProcessHeap)" finding is ordinary heap use. The sequence at 0x1007a96 (GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter) is /GS security-cookie initialisation and 0x10079f8 (SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess) is its failure handler. The push/ret sequences at 0x1002ef3 and 0x10030d0 are consistent with the runtime's exception-handling prologue/epilogue helpers (0x1002eb8, which most functions in the execution graph call first, is the matching prologue), not with obfuscation. The LoadLibraryA/GetProcAddress chain at 0x1005205 is reached only from the runtime's error-reporting routine 0x100328b, the VirtualQuery/GetSystemInfo/VirtualAlloc/VirtualProtect sequence at 0x10076e5 matches the runtime's stack-overflow reset helper, and GetLocaleInfoA, LCMapString and GetStringType belong to locale set-up (the execution graph labels that code ___initmbctable). The GetModuleFileName, decision, ExitProcess "evasive chain" is consistent with the same start-up code: GetModuleFileNameA is called at 0x10037e0 during start-up and ExitProcess from 0x100310d. The read of HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers is the Software Restriction Policies check Windows performs for every new process.

Both runs were started without arguments, so the program only printed its usage text (captured as the 954-byte dropped file below) and exited; the LSA calls that do the actual work (LsaOpenPolicy, LookupAccountNameW, LsaAddAccountRights, LsaRemoveAccountRights) are not on the executed path, which is why execution coverage is 3.8% with 6 executed and 19 non-executed functions. The sample is the ntrights.exe user-rights editor shipped with the Windows Resource Kit tools: a legitimate administration tool, but one that can grant privileges such as SeTcbPrivilege, SeBackupPrivilege or SeLoadDriverPrivilege to any account, so its execution with arguments outside planned administration is worth monitoring.

Source: ntrights.exe. Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: ntrights.exe. Binary string: ntrights.pdb
Source: ntrights.exe. Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ntrights.exe. Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ntrights.exe. Code function: 0_2_01002F04 (potential crypto function)
Source: C:\Users\user\Desktop\ntrights.exe. Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine. Classification label: clean4.winEXE@4/2@0/0
Source: unknown. Process created: C:\Users\user\Desktop\ntrights.exe "C:\Users\user\Desktop\ntrights.exe" (two instances, see process tree)
Source: C:\Users\user\Desktop\ntrights.exe. Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (one per ntrights.exe instance)
Source: C:\Windows\System32\conhost.exe. Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_02
Source: C:\Windows\System32\conhost.exe. Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe. Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_02
Source: C:\Windows\System32\conhost.exe. Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:304:WilStaging_02
Source: C:\Users\user\Desktop\ntrights.exe. Code function: 0_2_01005205 LoadLibraryA, GetProcAddress (six times) (dynamic API resolution)
Source: C:\Users\user\Desktop\ntrights.exe. Code function: 0_2_010030D0 push eax; ret at 0_2_010030E4
Source: C:\Users\user\Desktop\ntrights.exe. Code function: 0_2_010030D0 push eax; ret at 0_2_0100310C
Source: C:\Users\user\Desktop\ntrights.exe. Code function: 0_2_01002EF3 push ecx; ret at 0_2_01002F03
Source: C:\Users\user\Desktop\ntrights.exe. Evasive API call chain: GetModuleFileName, DecisionNodes, ExitProcess
Source: all processes. Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\ntrights.exe. Code function: 0_2_010076E5 VirtualQuery, GetSystemInfo, VirtualQuery, VirtualAlloc, VirtualProtect
Source: C:\Users\user\Desktop\ntrights.exe. Code function: 0_2_01002D03 EntryPoint, GetProcessHeap, GetProcessHeap, HeapAlloc, GetVersionExA, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetCommandLineA
Source: C:\Users\user\Desktop\ntrights.exe. Code function: 0_2_010079F8 SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\Desktop\ntrights.exe. Code function: 0_2_010074E7 GetLocaleInfoA
Source: C:\Users\user\Desktop\ntrights.exe. Code function: 0_2_01007A96 GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, GetProcAddress
Source: C:\Users\user\Desktop\ntrights.exe. Code function: 0_2_01002455 GetProcessHeap, GetProcessHeap, HeapAlloc, HeapAlloc, GetProcessHeap, HeapAlloc, HeapReAlloc, LookupAccountNameW, GetLastError, GetProcessHeap, HeapReAlloc, GetProcessHeap, HeapReAlloc, GetProcessHeap, HeapFree
MITRE ATT&CK Matrix (only techniques with at least one matching signature are listed; the number in parentheses is the count of matching signatures)
  • Execution: Native API (2)
  • Privilege Escalation: Process Injection (1)
  • Defense Evasion: Process Injection (1), Obfuscated Files or Information (1)
  • Discovery: System Time Discovery (1), Security Software Discovery (1), Account Discovery (1), System Owner/User Discovery (1), System Information Discovery (14)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (1)
No technique matched under Initial Access, Persistence, Credential Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects or Impact.
Behavior Graph (ID 638122, sample ntrights.exe, start date 02/06/2022, architecture WINDOWS, score 0; the rendered graph is not reproduced): two ntrights.exe processes were started and each started one conhost.exe; no other process, created file, registry value or network node appears in the graph.

Source        Detection  Scanner
ntrights.exe  0%         Virustotal
ntrights.exe  3%         Metadefender
ntrights.exe  0%         ReversingLabs
No Antivirus matches in the remaining categories.
No contacted domains info
No contacted IP infos
Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:638122
Start date and time: 02/06/2022 12:20:54 (2022-06-02 12:20:54 +02:00)
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 11s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:ntrights.exe
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Number of analysed new started processes: 11
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean4.winEXE@4/2@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 95.7%)
  • Quality average: 84.5%
  • Quality standard deviation: 25.9%
HCA Information:
  • Successful, ratio: 86%
  • Number of executed functions: 6
  • Number of non-executed functions: 19
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Adjust boot time
  • Enable AMSI
  • Exclude process from analysis (whitelisted): rundll32.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, nexusrules.officeapps.live.com, arc.msn.com
  • Not all processes were analyzed; the report is missing behavior information
No simulations
No context
Process:C:\Users\user\Desktop\ntrights.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):954
Entropy (8bit):4.639667401056998
Encrypted:false
SSDEEP:12:JIg11Wsj81zJeoI2ksRVd0I5pNTCu+MG25cTal3Jr5vI:mYWsw8L2kUnvzGwXrxI
MD5:0738872157F49B15C26B726F14936810
SHA1:43CD75E2D52CE895BEC1C16B45D766F9AF77CE14
SHA-256:7C1C238C8456F9095B59F1B99800528A5BEA52712FF3B5EE4DF41717D410F2CB
SHA-512:634F1C9FE5149C01ADFC2633A7F902CA7AA8DF596C9A2B62E488B5F1241B724012C90618044805AC308B5A7E72F42F28B679FECBF5879C3198E1FEBFC1A251BA
Malicious:false
Reputation:low
Preview (the program's console output, i.e. its usage text; CRLF line ends rendered as line breaks, truncated as in the report):
NTRights.Exe - Beta Version by Georg Zanzen
Grants/Revokes NT-Rights to a user/group
usage: -u xxx User/Group
       -m \\xxx machine to perform the operation on (default local machine)
       -e xxxxx Add xxxxx to the event log
       -r xxx revokes the xxx right
       +r xxx grants the xxx right
valid NTRights are:
       SeCreateTokenPrivilege
       SeAssignPrimaryTokenPrivilege
       SeLockMemoryPrivilege
       SeIncreaseQuotaPrivilege
       SeUnsolicitedInputPrivilege
       SeMachineAccountPrivilege
       SeTcbPrivilege
       SeSecurityPrivilege
       SeTakeOwnershipPrivilege
       SeLoadDriverPrivilege
       SeSystemProfilePrivilege
       SeSystemtimePrivilege
       SeProfileSingleProcessPrivilege
       SeIncreaseBasePriorityPrivilege
       SeCreatePagefilePrivilege
       SeCreatePermanentPrivilege
       SeBackupPrivilege
       SeRestorePrivilege
       SeShutdownPrivilege
       SeAuditPrivilege
       SeSystemEnvironmentPrivilege
       SeChangeNotifyPrivilege
       SeRemoteShutdownPrivilege
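What the tool does when it is given arguments, as an added PowerShell example (this is not ntrights.exe's own code and is not taken from the report): open the local LSA policy, resolve the account to a SID, and call LsaAddAccountRights or LsaRemoveAccountRights, the same advapi32 functions the sample imports, then read the result back with LsaEnumerateAccountRights. The function names (Set-NtRight, Get-NtRight, Open-LsaPolicy, ConvertTo-LsaString, Get-AccountSidBytes) and the account in the usage comment are this example's own choices, and the name-to-SID lookup uses .NET's NTAccount translation in place of the LookupAccountNameW call the sample makes. It must run in an elevated session.

```powershell
# Added example, not ntrights.exe's own code: grant, revoke and list user rights
# through the LSA policy API the sample imports. Run in an elevated session.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class LsaNative
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_OBJECT_ATTRIBUTES
    {
        public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
        public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService;
    }
    public const uint POLICY_CREATE_ACCOUNT = 0x00000010;   // only needed for an account's first right
    public const uint POLICY_LOOKUP_NAMES   = 0x00000800;
    public const uint STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034;  // account holds no rights at all
    [DllImport("advapi32.dll")] public static extern uint LsaOpenPolicy(IntPtr SystemName,
        ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle);
    [DllImport("advapi32.dll")] public static extern uint LsaAddAccountRights(IntPtr PolicyHandle,
        byte[] AccountSid, LSA_UNICODE_STRING[] UserRights, uint CountOfRights);
    [DllImport("advapi32.dll")] public static extern uint LsaRemoveAccountRights(IntPtr PolicyHandle,
        byte[] AccountSid, byte AllRights, LSA_UNICODE_STRING[] UserRights, uint CountOfRights);
    [DllImport("advapi32.dll")] public static extern uint LsaEnumerateAccountRights(IntPtr PolicyHandle,
        byte[] AccountSid, out IntPtr UserRights, out uint CountOfRights);
    [DllImport("advapi32.dll")] public static extern uint LsaFreeMemory(IntPtr Buffer);
    [DllImport("advapi32.dll")] public static extern uint LsaClose(IntPtr PolicyHandle);
    [DllImport("advapi32.dll")] public static extern uint LsaNtStatusToWinError(uint Status);
}
'@

function ConvertTo-LsaString([string]$Text) {
    # LSA_UNICODE_STRING: byte lengths, buffer not freed by LSA (caller frees it).
    $s = New-Object LsaNative+LSA_UNICODE_STRING
    $s.Buffer        = [Runtime.InteropServices.Marshal]::StringToHGlobalUni($Text)
    $s.Length        = [uint16]($Text.Length * 2)
    $s.MaximumLength = [uint16]($s.Length + 2)
    return $s
}

function Get-AccountSidBytes([string]$Account) {
    # .NET does the name-to-SID lookup that ntrights performs with LookupAccountNameW.
    $sid = (New-Object Security.Principal.NTAccount -ArgumentList $Account).Translate([Security.Principal.SecurityIdentifier])
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)
    return $bytes
}

function Open-LsaPolicy {
    # Local policy (ntrights' -m option would pass the machine name as SystemName instead of NULL).
    $attrs = New-Object LsaNative+LSA_OBJECT_ATTRIBUTES
    $attrs.Length = [Runtime.InteropServices.Marshal]::SizeOf($attrs)
    $handle = [IntPtr]::Zero
    $access = [LsaNative]::POLICY_LOOKUP_NAMES -bor [LsaNative]::POLICY_CREATE_ACCOUNT
    $status = [LsaNative]::LsaOpenPolicy([IntPtr]::Zero, [ref]$attrs, $access, [ref]$handle)
    if ($status -ne 0) { throw "LsaOpenPolicy: Win32 error $([LsaNative]::LsaNtStatusToWinError($status))" }
    return $handle
}

function Set-NtRight {
    param(
        [Parameter(Mandatory)][string]$Account,                               # e.g. 'CONTOSO\svc-backup'
        [Parameter(Mandatory)][string]$Right,                                 # a name from the usage text, e.g. SeBackupPrivilege
        [Parameter(Mandatory)][ValidateSet('Grant','Revoke')][string]$Action  # +r / -r
    )
    $sid    = Get-AccountSidBytes $Account
    $rights = [LsaNative+LSA_UNICODE_STRING[]]@(ConvertTo-LsaString $Right)
    $h      = Open-LsaPolicy
    try {
        if ($Action -eq 'Grant') { $status = [LsaNative]::LsaAddAccountRights($h, $sid, $rights, 1) }
        else                     { $status = [LsaNative]::LsaRemoveAccountRights($h, $sid, 0, $rights, 1) }
        if ($status -ne 0) { throw "$Action $Right for ${Account}: Win32 error $([LsaNative]::LsaNtStatusToWinError($status))" }
    } finally {
        [void][LsaNative]::LsaClose($h)
        [Runtime.InteropServices.Marshal]::FreeHGlobal($rights[0].Buffer)
    }
}

function Get-NtRight([Parameter(Mandatory)][string]$Account) {
    # Lists the rights currently assigned to the account; use it to verify a grant or revoke.
    $sid = Get-AccountSidBytes $Account
    $h   = Open-LsaPolicy
    try {
        $ptr = [IntPtr]::Zero; $count = [uint32]0
        $status = [LsaNative]::LsaEnumerateAccountRights($h, $sid, [ref]$ptr, [ref]$count)
        if ($status -eq [LsaNative]::STATUS_OBJECT_NAME_NOT_FOUND) { return @() }
        if ($status -ne 0) { throw "LsaEnumerateAccountRights: Win32 error $([LsaNative]::LsaNtStatusToWinError($status))" }
        if ($count -eq 0) { return @() }
        try {
            $type = [LsaNative+LSA_UNICODE_STRING]
            $size = [Runtime.InteropServices.Marshal]::SizeOf($type)
            for ($i = 0; $i -lt $count; $i++) {   # walk the array of LSA_UNICODE_STRING returned by LSA
                $entry = [Runtime.InteropServices.Marshal]::PtrToStructure([IntPtr]::Add($ptr, $i * $size), $type)
                [Runtime.InteropServices.Marshal]::PtrToStringUni($entry.Buffer, [int]($entry.Length / 2))
            }
        } finally { [void][LsaNative]::LsaFreeMemory($ptr) }
    } finally { [void][LsaNative]::LsaClose($h) }
}

# Usage (hypothetical account), equivalent to: ntrights -u CONTOSO\svc-backup +r SeBackupPrivilege
# Set-NtRight -Account 'CONTOSO\svc-backup' -Right SeBackupPrivilege -Action Grant
# Get-NtRight -Account 'CONTOSO\svc-backup'      # now lists SeBackupPrivilege
# Set-NtRight -Account 'CONTOSO\svc-backup' -Right SeBackupPrivilege -Action Revoke
```

The policy handle is opened with POLICY_LOOKUP_NAMES and POLICY_CREATE_ACCOUNT only, which is all LsaAddAccountRights and LsaRemoveAccountRights need. A right changed this way is part of the account's LSA record, not of any existing token: a user or service that is already logged on keeps its old privilege set until a new token is built at its next logon or service start.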
File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):6.155904506995028
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:ntrights.exe
File size:32256
MD5:416c43aeb17252ee33048bd1f277d2a5
SHA1:085deb77551f9f6201e5aa352b62cad91c3005e5
SHA256:f46baa1b6227226518e42263e9b4808f81c27d060207df160f9ac64deae4f4f5
SHA512:3155de3fb04f1df246d6cecfa1c89f8ae9963c18be1ce717731ff210ab39d537be01231002a54d4346b4116e3505f387c92dfecc18a80ce7eb99c6d33e5f1f2a
SSDEEP:384:V2xoEQ1hlwZ1GADuwSoDFJqawj0zIjiOURFtk+bn7c/bAxi1I2Y8AVq65zHwP9TG:+l6pGXtk+D7c/N1I2Cq65z60sl
TLSH:A5E27C11B0E5817FF0D356B456B707255B77B85003B26B8F0B9814ABAB726C0AB3B353
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........z..c.S.c.S.c.S.c.S.c.S.kIS.c.S.k.S.c.S.ktS.c.S.kKS.c.S.kNS.c.SRich.c.S........PE..L......>.................r...,.......-.....
Icon Hash:00828e8e8686b000
Entrypoint:0x1002d03
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x1000000
Subsystem:windows cui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x3EA0A0FB [Sat Apr 19 01:06:03 2003 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:2
File Version Major:5
File Version Minor:2
Subsystem Version Major:5
Subsystem Version Minor:2
Import Hash:ee4f39f47003fa082601c87fd03e9ee8
Entrypoint disassembly (0x1002d03; the push 00000094h followed by the GetVersionExA call allocates and fills a 0x94-byte OSVERSIONINFOA structure):
push 00000018h
push 01001930h
call 00007FF36430484Eh
mov ebx, 00000094h
push ebx
push 00000000h
mov edi, dword ptr [010010D4h]
call edi
push eax
call dword ptr [010010D8h]
mov esi, eax
test esi, esi
je 00007FF3643046BAh
mov dword ptr [esi], ebx
push esi
call dword ptr [0100102Ch]
push esi
test eax, eax
jne 00007FF3643046B6h
push eax
call edi
push eax
call dword ptr [010010E4h]
mov eax, 000000FFh
jmp 00007FF3643047F2h
mov eax, dword ptr [esi+10h]
mov dword ptr [0100999Ch], eax
mov eax, dword ptr [esi+04h]
mov dword ptr [010099A8h], eax
mov eax, dword ptr [esi+08h]
mov dword ptr [010099ACh], eax
mov eax, dword ptr [esi+0Ch]
and eax, 00007FFFh
mov dword ptr [010099A0h], eax
xor ebx, ebx
push ebx
call edi
push eax
call dword ptr [010010E4h]
cmp dword ptr [0100999Ch], 02h
je 00007FF3643046A9h
or byte ptr [010099A1h], FFFFFF80h
mov eax, dword ptr [010099A8h]
shl eax, 08h
add eax, dword ptr [010099ACh]
mov dword ptr [010099A4h], eax
call 00007FF3643045A5h
mov dword ptr [ebp-1Ch], eax
push ebx
call 00007FF364305479h
pop ecx
test eax, eax
jne 00007FF3643046C3h
cmp dword ptr [0100998Ch], 02h
je 00007FF3643046A7h
call 00007FF364304CCEh
push 0000001Ch
call 00007FF364304B66h
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x7b1c           0x64          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x1150           0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x2330           0x40          .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x118         .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type                           Entropy        Characteristics
.text  0x1000           0x7174        0x7200    False     0.590117872807   DOS executable (COM, 0x8C-variant)  6.4508000935   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data  0x9000           0x2a80        0x800     False     0.236328125      data                                1.70309551967  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
DLL           Imports
ntdll.dll     RtlUnwind
KERNEL32.dll  GetCommandLineA, GetVersionExA, ExitProcess, GetProcAddress, GetModuleHandleA, WriteFile, GetStdHandle, GetModuleFileNameA, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, HeapDestroy, HeapCreate, VirtualFree, InterlockedExchange, GetVersionExW, LoadLibraryA, Sleep, GetACP, GetSystemTimeAsFileTime, GetCPInfo, VirtualAlloc, SetFilePointer, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, FlushFileBuffers, SetStdHandle, GetLocaleInfoA, VirtualProtect, GetSystemInfo, CloseHandle, GetCurrentThreadId, GetTickCount, lstrlenW, MultiByteToWideChar, GetProcessHeap, HeapAlloc, HeapReAlloc, GetLastError, HeapFree, GetCurrentProcessId, VirtualQuery, GetOEMCP, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, QueryPerformanceCounter
USER32.dll    wsprintfW
ADVAPI32.dll  RegisterEventSourceW, ReportEventW, DeregisterEventSource, LsaNtStatusToWinError, LsaAddAccountRights, LsaRemoveAccountRights, LookupAccountNameW, LsaOpenPolicy, LsaClose
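The check a defender would pair with this import list, as an added PowerShell example that is not part of the report: Windows audits the two LSA calls the sample imports as Security events 4704 (a user right was assigned) and 4705 (a user right was removed) once success auditing is enabled for the "Authorization Policy Change" subcategory, and each event carries the caller (Subject fields), the target account SID and the privilege names in PrivilegeList. The function names, the seven-day default window and the high-value list (taken from the privileges in the tool's usage text) are this example's own choices; it needs an elevated session to read the Security log and to change audit policy.

```powershell
# Added example, not part of the report: surface user-right changes such as the
# ones ntrights.exe makes, via Security events 4704/4705. Run elevated.

# Privileges from the tool's own list that amount to full control of the host.
$HighValueRights = @('SeCreateTokenPrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeTcbPrivilege',
                     'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege')

function Enable-UserRightAudit {
    # Success auditing on this subcategory is what produces 4704/4705.
    auditpol.exe /set /subcategory:"Authorization Policy Change" /success:enable | Out-Null
    auditpol.exe /get /subcategory:"Authorization Policy Change"
}

function ConvertFrom-UserRightEvent {
    # Flattens one 4704/4705 record into who changed which right on whom.
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $rights = @($data.PrivilegeList -split '\s+' | Where-Object { $_ })   # whitespace-separated in the event
        $target = $data.TargetSid
        try { $target = ([Security.Principal.SecurityIdentifier]$data.TargetSid).Translate([Security.Principal.NTAccount]).Value } catch {}
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Action    = if ($Event.Id -eq 4704) { 'Assigned' } else { 'Removed' }
            Subject   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Target    = $target
            Rights    = $rights -join ','
            HighValue = [bool]($rights | Where-Object { $HighValueRights -contains $_ })
        }
    }
}

function Get-UserRightChange {
    # All right assignments/removals since $Since, newest first.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4704, 4705; StartTime = $Since } -ErrorAction SilentlyContinue |
        ConvertFrom-UserRightEvent
}

# Usage: Enable-UserRightAudit once; then, after a change such as "ntrights -u <account> +r SeBackupPrivilege":
# Get-UserRightChange | Where-Object HighValue | Format-Table Time, Action, Subject, Target, Rights -AutoSize
```

Two things to keep in mind when building a detection on this: the Subject of the event is the account that ran the tool, not the account receiving the right, so a rule should key on both; and because the tool can also write its own message to the Application log with ReportEventW (the -e option), that entry is attacker-controlled text and must not be what the detection relies on.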
No network behavior found
Target ID:0
Start time:12:21:32
Start date:02/06/2022
Path:C:\Users\user\Desktop\ntrights.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\ntrights.exe"
Imagebase:0x1000000
File size:32256 bytes
MD5 hash:416C43AEB17252EE33048BD1F277D2A5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

Target ID:1
Start time:12:21:32
Start date:02/06/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6a8820000
File size:885760 bytes
MD5 hash:C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Target ID:6
Start time:12:22:15
Start date:02/06/2022
Path:C:\Users\user\Desktop\ntrights.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\ntrights.exe"
Imagebase:0x1000000
File size:32256 bytes
MD5 hash:416C43AEB17252EE33048BD1F277D2A5
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low

Target ID:7
Start time:12:22:16
Start date:02/06/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6a8820000
File size:885760 bytes
MD5 hash:C5E9B1D1103EDCEA2E408E9497A5A88F
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate

Execution Graph

Execution Coverage: 3.8%
Dynamic/Decrypted Code Coverage: 47.3%
Signature Coverage: 13.4%
Total number of Nodes: 619
Total number of Limit Nodes: 4
The rendered execution graph is not reproduced; the call structure below is read from its edges (addresses are the graph's function nodes):
  • 0x1002d03, entry point (C runtime start-up): GetProcessHeap/HeapAlloc, GetVersionExA, HeapFree; 0x1003b84 HeapCreate (HeapDestroy on failure); 0x10039a7 GetStartupInfoA, GetStdHandle, GetFileType, SetHandleCount; GetCommandLineA; 0x1003881 GetEnvironmentStringsW, WideCharToMultiByte, FreeEnvironmentStringsW (GetEnvironmentStrings/FreeEnvironmentStringsA as fallback); 0x10037e0 GetModuleFileNameA; 0x1003596; then 0x1002a43.
  • 0x1002a43, main logic: GetVersionExW, then 0x1002613 (whose only external calls go through the output routine 0x100303e), after which 0x1002abf branches. One branch, 0x100282a, prints the usage text with eight calls to 0x100300d and six to 0x1003096 and ends in 0x10079f8; this is the branch the two argument-less runs took. The other branch builds strings with three wsprintfW calls and continues with 0x1002419 LsaOpenPolicy (on failure 0x1002960 LsaNtStatusToWinError, printed through 0x100300d), 0x1002455 LookupAccountNameW with GetProcessHeap/HeapAlloc buffers that are grown with HeapReAlloc when GetLastError reports them too small, 0x1002574 LsaAddAccountRights or LsaRemoveAccountRights (on failure LsaNtStatusToWinError), optionally 0x100298b, which converts three strings with lstrlenW/MultiByteToWideChar (0x1002938) and writes them with RegisterEventSourceW, ReportEventW, DeregisterEventSource (the -e option), and finally LsaClose and GetProcessHeap/HeapFree.
  • Output path: 0x100300d and 0x1003096 go through 0x1003eef, 0x1004041 and 0x1004a36 (the formatting loop, including WideCharToMultiByte and MultiByteToWideChar) and 0x1003f77, 0x1006105 and 0x10063f9, which write with WriteFile and report GetLastError, with SetFilePointer in 0x1007308.
  • Runtime helpers in the graph: 0x10079f8, whose normal return is 0x1007a00 and whose other path is SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess (security-cookie failure); 0x100310d GetModuleHandleA, GetProcAddress, ExitProcess; 0x100328b GetStdHandle/WriteFile or GetModuleFileNameA followed by 0x1005205 LoadLibraryA and GetProcAddress (runtime error reporting); 0x100545c/0x1006779 RtlAllocateHeap with a Sleep retry and 0x1005de2, 0x1005c25, 0x1005cdc, 0x100590d HeapReAlloc, HeapAlloc, VirtualAlloc, HeapFree, VirtualFree (allocator); 0x10056a6 GetOEMCP, GetACP, GetCPInfo and 0x1006c38, 0x1006871, 0x1007519, 0x10074e7 GetStringTypeA/W, LCMapStringA/W, MultiByteToWideChar, WideCharToMultiByte, GetLocaleInfoA (the code the graph labels ___initmbctable).
3197->3196 3198 10049f9 16 API calls 3197->3198 3199 10049d4 16 API calls _write_multi_char 3197->3199 3200 10049af 16 API calls _write_multi_char 3197->3200 3198->3197 3199->3197 3200->3197 3202 10025c7 3201->3202 3206 1002603 3201->3206 3205 100300d 20 API calls 3202->3205 3203 10079f8 3 API calls 3204 100260f 3203->3204 3204->3104 3205->3206 3206->3203 3207->3108 3209 1002546 GetProcessHeap HeapFree 3208->3209 3210 1002558 3208->3210 3209->3210 3211 1002518 3210->3211 3212 1002564 GetProcessHeap HeapFree 3210->3212 3211->3115 3211->3116 3212->3211 3213->3128 3214->3130 3215->3132 3217 10031a6 3216->3217 3218 100324a 3217->3218 3219 100310d 3 API calls 3217->3219 3218->2725 3219->3218 3224 1002f04 3225 1002f0c 3224->3225 3227 1002fc0 3225->3227 3230 1003cc6 3225->3230 3229 1002f45 3229->3227 3242 1003bd8 RtlUnwind 3229->3242 3231 1003cf4 3230->3231 3232 1003cd9 3230->3232 3231->3229 3232->3231 3233 1003d72 VirtualQuery 3232->3233 3234 1003e6b 3232->3234 3233->3231 3240 1003d87 3233->3240 3234->3231 3235 1003e73 InterlockedExchange 3234->3235 3235->3231 3238 1003e8a InterlockedExchange 3235->3238 3236 1003df0 InterlockedExchange 3236->3231 3241 1003e05 InterlockedExchange 3236->3241 3238->3231 3240->3231 3240->3236 3241->3231 3243 1003bf0 3242->3243 3243->3229 3220 1006105 3221 100611a 3220->3221 3223 1006136 3220->3223 3222 10063f9 _write_multi_char 6 API calls 3221->3222 3221->3223 3222->3223 3314 1002e6a 3317 1003425 3314->3317 3318 1003437 3317->3318 3319 1003589 UnhandledExceptionFilter 3318->3319 3320 1002e7b 3318->3320 3319->3320 3244 1002f0c 3245 1002f2a 3244->3245 3247 1002fc0 3244->3247 3246 1003cc6 5 API calls 3245->3246 3249 1002f45 3246->3249 3248 1003bd8 RtlUnwind 3248->3249 3249->3247 3249->3248 3321 100696c 3322 10076e5 5 API calls 3321->3322 3323 1006974 3322->3323 3324 10069a3 MultiByteToWideChar 3323->3324 3325 100545c _write_multi_char 7 API calls 3323->3325 3326 10069c0 LCMapStringW 3324->3326 3327 1006aa5 3324->3327 3328 1006991 3325->3328 
3326->3327 3330 10069df 3326->3330 3329 1006ab2 3327->3329 3331 1005424 ___endstdio 4 API calls 3327->3331 3328->3324 3334 1006ac0 ___initmbctable 3328->3334 3333 1005424 ___endstdio 4 API calls 3329->3333 3329->3334 3332 10069e5 3330->3332 3336 1006a12 ___initmbctable 3330->3336 3331->3329 3332->3327 3335 10069f7 LCMapStringW 3332->3335 3333->3334 3335->3327 3337 1006a6c LCMapStringW 3336->3337 3338 100545c _write_multi_char 7 API calls 3336->3338 3337->3327 3339 1006a84 WideCharToMultiByte 3337->3339 3340 1006a5e 3338->3340 3339->3327 3340->3327 3340->3337 3250 10047d3 3251 10047e1 3250->3251 3252 1005494 ___initmbctable 7 API calls 3251->3252 3253 10047fc 3252->3253 3254 1005494 ___initmbctable 7 API calls 3253->3254 3255 1004815 3253->3255 3254->3255 3256 1007194 3257 1002c82 9 API calls 3256->3257 3258 100719b 3257->3258 3342 10075f5 3343 10076e5 5 API calls 3342->3343 3344 10075fd 3343->3344 3345 1007628 MultiByteToWideChar 3344->3345 3346 1005494 ___initmbctable 7 API calls 3344->3346 3347 1007643 3345->3347 3360 1007662 3345->3360 3348 1007614 3346->3348 3349 100766a 3347->3349 3350 100764a WideCharToMultiByte 3347->3350 3348->3345 3355 100761a ___initmbctable 3348->3355 3351 1007685 3349->3351 3352 100766f WideCharToMultiByte 3349->3352 3350->3360 3354 1005494 ___initmbctable 7 API calls 3351->3354 3352->3351 3352->3360 3353 1005424 ___endstdio 4 API calls 3353->3355 3356 1007691 3354->3356 3357 1007698 WideCharToMultiByte 3356->3357 3356->3360 3358 10076ae 3357->3358 3357->3360 3359 1005424 ___endstdio 4 API calls 3358->3359 3359->3360 3360->3353 3360->3355 3259 1007a96 3260 1007aa5 3259->3260 3261 1007aac GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 3259->3261 3260->3261 3262 1007b1a 3260->3262 3263 1007af9 GetModuleHandleA 3261->3263 3264 1007aef 3261->3264 3263->3262 3265 1007b09 GetProcAddress 3263->3265 3264->3263 3265->3262 3361 1006b77 3362 10076e5 5 API calls 3361->3362 3363 1006b7f 3362->3363 
3364 1006bb3 LCMapStringA 3363->3364 3365 100545c _write_multi_char 7 API calls 3363->3365 3366 1006bd4 3364->3366 3368 1006bd0 3364->3368 3370 1006b91 3365->3370 3367 1007519 ___initmbctable 18 API calls 3366->3367 3367->3368 3369 1006c01 3368->3369 3371 1005424 ___endstdio 4 API calls 3368->3371 3372 1005424 ___endstdio 4 API calls 3369->3372 3373 1006c2c ___initmbctable 3369->3373 3370->3364 3370->3368 3371->3369 3372->3373 3374 1006a39 3375 10076e5 5 API calls 3374->3375 3376 1006a41 3375->3376 3377 1006a6c LCMapStringW 3376->3377 3378 100545c _write_multi_char 7 API calls 3376->3378 3379 1006a84 WideCharToMultiByte 3377->3379 3380 1006aa5 3377->3380 3381 1006a5e 3378->3381 3379->3380 3382 1006ab2 3380->3382 3384 1005424 ___endstdio 4 API calls 3380->3384 3381->3377 3381->3380 3385 1005424 ___endstdio 4 API calls 3382->3385 3386 1006ac0 ___initmbctable 3382->3386 3384->3382 3385->3386 3387 1004879 3392 100620a 3387->3392 3389 100487e 3390 1005424 ___endstdio 4 API calls 3389->3390 3391 1004897 3390->3391 3395 100619d 3392->3395 3396 10061fb 3395->3396 3397 10061ae 3395->3397 3396->3389 3397->3396 3398 1006162 8 API calls ___endstdio 3397->3398 3398->3397 3266 1006d1d 3276 10076e5 3266->3276 3269 1006d49 MultiByteToWideChar 3271 1006d60 GetStringTypeW 3269->3271 3272 1006d71 3269->3272 3270 1005494 ___initmbctable 7 API calls 3273 1006d3c 3270->3273 3271->3272 3274 1005424 ___endstdio 4 API calls 3272->3274 3275 1006d7d ___initmbctable 3272->3275 3273->3269 3273->3275 3274->3275 3287 10030d0 3276->3287 3279 1007709 GetSystemInfo 3281 1007740 3279->3281 3284 1006d25 3279->3284 3280 10077a1 3283 10077a4 VirtualProtect 3280->3283 3281->3280 3282 100774d VirtualQuery 3281->3282 3285 100776b 3281->3285 3282->3281 3282->3284 3283->3284 3284->3269 3284->3270 3285->3284 3286 100778b VirtualAlloc 3285->3286 3286->3283 3288 10030d7 VirtualQuery 3287->3288 3288->3279 3288->3284 3289 100719d 3290 10071b2 3289->3290 3291 10071ad 3289->3291 3290->3291 3292 1006105 ___endstdio 
6 API calls 3290->3292 3293 10071bc 3292->3293 3299 100787b 3293->3299 3297 10071cc 3297->3291 3298 1005424 ___endstdio 4 API calls 3297->3298 3298->3291 3300 10071c4 3299->3300 3301 1007887 3299->3301 3303 10077c8 3300->3303 3301->3300 3302 1005424 ___endstdio 4 API calls 3301->3302 3302->3300 3306 1007849 _write_multi_char 3303->3306 3307 10077dc _write_multi_char 3303->3307 3304 1007841 3310 1007252 3304->3310 3306->3297 3307->3304 3307->3306 3308 100782b CloseHandle 3307->3308 3308->3304 3309 1007837 GetLastError 3308->3309 3309->3304 3311 10072ab 3310->3311 3312 1007260 3310->3312 3311->3306 3312->3311 3313 10072a5 SetStdHandle 3312->3313 3313->3311 3399 1002e7e 3400 1002e90 3399->3400 3401 1002e8a 3399->3401 3403 1002e95 ___initmbctable 3400->3403 3408 100327c 3400->3408 3405 100325c 3401->3405 3406 1003197 3 API calls 3405->3406 3407 1003269 3406->3407 3407->3400 3409 1003197 3 API calls 3408->3409 3410 1003287 3409->3410 3410->3403

Executed Functions

Control-flow Graph

C-Code - Quality: 73%
			_entry_(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t15;
				long _t17;
				signed int _t25;
				signed int _t29;
				signed int _t30;
				signed int _t33;
				signed int _t34;
				signed int _t35;
				intOrPtr _t36;
				void* _t51;
				void* _t55;
				struct _OSVERSIONINFOA* _t57;
				intOrPtr _t58;
				void* _t59;

				_push(0x18);
				_push(0x1001930);
				E01002EB8(__ebx, __edi, __esi);
				_t55 = GetProcessHeap;
				_t57 = HeapAlloc(GetProcessHeap(), 0, 0x94);
				if(_t57 == 0) {
					L3:
					_t15 = 0xff;
				} else {
					_t57->dwOSVersionInfoSize = 0x94;
					_t17 = GetVersionExA(_t57);
					_push(_t57);
					if(_t17 != 0) {
						 *0x100999c = _t57->dwPlatformId;
						 *0x10099a8 = _t57->dwMajorVersion;
						 *0x10099ac = _t57->dwMinorVersion;
						 *0x10099a0 = _t57->dwBuildNumber & 0x00007fff;
						HeapFree(GetProcessHeap(), 0, ??);
						__eflags =  *0x100999c - 2;
						if( *0x100999c != 2) {
							 *0x10099a1 =  *0x10099a1 | 0x00000080;
							__eflags =  *0x10099a1;
						}
						_t25 =  *0x10099a8; // 0x6
						 *0x10099a4 = (_t25 << 8) +  *0x10099ac;
						 *(_t59 - 0x1c) = E01002CA7();
						_t29 = E01003B84(0);
						_pop(_t51);
						__eflags = _t29;
						if(__eflags == 0) {
							__eflags =  *0x100998c - 2;
							if( *0x100998c != 2) {
								E010033EC(_t51);
							}
							E0100328B(_t51, 0x1c);
							E0100310D(0xff);
							_pop(_t51);
						}
						 *(_t59 - 4) = 0;
						_t30 = E010039A7(0, _t55, _t57, __eflags); // executed
						__eflags = _t30;
						if(_t30 < 0) {
							E01002C82(_t51, 0x1b);
							_pop(_t51);
						}
						 *0x100ba74 = GetCommandLineA();
						 *0x1009984 = E01003881();
						_t33 = E010037E0();
						__eflags = _t33;
						if(_t33 < 0) {
							E01002C82(_t51, 8);
							_pop(_t51);
						}
						_t34 = E01003596();
						__eflags = _t34;
						if(_t34 < 0) {
							E01002C82(_t51, 9);
							_pop(_t51);
						}
						_t35 = E0100313D();
						 *(_t59 - 0x24) = _t35;
						__eflags = _t35;
						if(_t35 != 0) {
							E01002C82(_t51, _t35);
						}
						_t36 =  *0x10099bc; // 0xbf0c00
						 *0x10099c0 = _t36;
						_push(_t36);
						_push( *0x10099b4);
						_push( *0x10099b0);
						_t58 = E01002A43();
						 *((intOrPtr*)(_t59 - 0x28)) = _t58;
						__eflags =  *(_t59 - 0x1c);
						if( *(_t59 - 0x1c) == 0) {
							E0100324B(_t58);
						}
						E0100326D();
						_t10 = _t59 - 4;
						 *_t10 =  *(_t59 - 4) | 0xffffffff;
						__eflags =  *_t10;
						_t15 = _t58;
					} else {
						HeapFree(GetProcessHeap(), _t17, ??);
						goto L3;
					}
				}
				return E01002EF3(_t15);
			}

APIs
  • GetProcessHeap.KERNEL32(00000000,00000094,01001930,00000018), ref: 01002D1D
  • HeapAlloc.KERNEL32(00000000), ref: 01002D20
  • GetVersionExA.KERNEL32(00000000), ref: 01002D2F
  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01002D3B
  • HeapFree.KERNEL32(00000000), ref: 01002D3E
  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01002D76
  • HeapFree.KERNEL32(00000000), ref: 01002D79
  • GetCommandLineA.KERNEL32 ref: 01002DEA
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: Heap$Process$Free$AllocCommandLineVersion
  • String ID:
  • API String ID: 826746151-0
  • Opcode ID: bf102b306ffdeef7ed89b6f1286d54ec7839290e7d159e5f70d8306e11a7a3de
  • Instruction ID: 5073178f2c7d989ce9512fb027d1b2bb7e8f7bb8605ea761298f4b9429aa29f5
  • Opcode Fuzzy Hash: bf102b306ffdeef7ed89b6f1286d54ec7839290e7d159e5f70d8306e11a7a3de
  • Instruction Fuzzy Hash: 9A317F709017439FFB33BBB9A94DA9A37A4BB14314F00452AE5C5DA2C5DF3AC9408B52
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
C-Code - Quality: 68%
			E0100310D(int _a4) {
				struct HINSTANCE__* _t3;
				_Unknown_base(*)()* _t4;

				_t3 = GetModuleHandleA("mscoree.dll");
				if(_t3 != 0) {
					_t4 = GetProcAddress(_t3, "CorExitProcess");
					if(_t4 != 0) {
						 *_t4(_a4);
					}
				}
				ExitProcess(_a4);
			}

APIs
  • GetModuleHandleA.KERNEL32(mscoree.dll,0100324A,01002E68,01003278,00000000), ref: 01003112
  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01003122
  • ExitProcess.KERNEL32 ref: 01003136
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: AddressExitHandleModuleProcProcess
  • String ID: CorExitProcess$mscoree.dll
  • API String ID: 75539706-1276376045
  • Opcode ID: 529e37545e4ba4fd7c9b357ff47d3beea48d12a8122bd4f7e4ef6922b13353c0
  • Instruction ID: 7a45136e91f90fddc287ce630dc5d34e9d8a6d77c05d6ab46d0c33c1576ab863
  • Opcode Fuzzy Hash: 529e37545e4ba4fd7c9b357ff47d3beea48d12a8122bd4f7e4ef6922b13353c0
  • Instruction Fuzzy Hash: 8AD0C7303412406FF7236B61DD09A5A7FBDBE50B81F444458B5D5D4094CB75CA019711
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
C-Code - Quality: 96%
			E010039A7(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t43;
				signed int _t46;
				long _t51;
				signed int _t53;
				signed int _t54;
				int* _t55;
				signed int* _t58;
				signed char _t60;
				void** _t64;
				signed int _t67;
				signed int _t69;
				signed int _t70;
				void* _t72;
				void* _t75;
				signed int** _t81;
				signed int* _t82;
				void* _t85;
				int* _t86;
				void** _t88;
				int _t89;
				void* _t90;

				_push(0x50);
				_push(0x1001cc0);
				E01002EB8(__ebx, __edi, __esi);
				 *(_t90 - 4) =  *(_t90 - 4) & 0x00000000;
				GetStartupInfoA(_t90 - 0x60);
				 *(_t90 - 4) =  *(_t90 - 4) | 0xffffffff;
				_t43 = E0100545C(0x100);
				if(_t43 != 0) {
					 *0x100b960 = _t43;
					 *0x100b94c = 0x20;
					_t6 = _t43 + 0x100; // 0x100
					_t72 = _t6;
					while(_t43 < _t72) {
						 *((char*)(_t43 + 4)) = 0;
						 *_t43 =  *_t43 | 0xffffffff;
						 *((char*)(_t43 + 5)) = 0xa;
						_t43 = _t43 + 8;
						_t72 =  *0x100b960 + 0x100;
					}
					if( *((short*)(_t90 - 0x2e)) == 0) {
						L25:
						_t67 = 0;
						do {
							_t88 =  *0x100b960 + _t67 * 8;
							if( *_t88 != 0xffffffff) {
								_t88[1] = _t88[1] | 0x00000080;
								goto L37;
							}
							_t88[1] = 0x81;
							if(_t67 != 0) {
								asm("sbb eax, eax");
								_t51 =  ~(_t67 - 1) + 0xfffffff5;
							} else {
								_t51 = 0xfffffff6;
							}
							_t85 = GetStdHandle(_t51);
							if(_t85 == 0xffffffff) {
								L33:
								_t88[1] = _t88[1] | 0x00000040;
							} else {
								_t53 = GetFileType(_t85); // executed
								if(_t53 == 0) {
									goto L33;
								}
								 *_t88 = _t85;
								_t54 = _t53 & 0x000000ff;
								if(_t54 != 2) {
									if(_t54 == 3) {
										_t88[1] = _t88[1] | 0x00000008;
									}
									goto L37;
								}
								goto L33;
							}
							L37:
							_t67 = _t67 + 1;
						} while (_t67 < 3);
						SetHandleCount( *0x100b94c);
						_t46 = 0;
						goto L39;
					}
					_t55 =  *(_t90 - 0x2c);
					if(_t55 == 0) {
						goto L25;
					}
					_t89 =  *_t55;
					_t86 =  &(_t55[1]);
					 *(_t90 - 0x1c) = _t86 + _t89;
					if(_t89 >= 0x800) {
						_t89 = 0x800;
					}
					_t69 = 1;
					while( *0x100b94c < _t89) {
						_t58 = E0100545C(0x100);
						if(_t58 == 0) {
							_t89 =  *0x100b94c;
							L18:
							_t70 = 0;
							if(_t89 <= 0) {
								goto L25;
							} else {
								goto L19;
							}
							do {
								L19:
								_t75 =  *( *(_t90 - 0x1c));
								if(_t75 != 0xffffffff) {
									_t60 =  *_t86;
									if((_t60 & 0x00000001) != 0 && ((_t60 & 0x00000008) != 0 || GetFileType(_t75) != 0)) {
										_t64 = 0x100b960[_t70 >> 5] + (_t70 & 0x0000001f) * 8;
										 *_t64 =  *( *(_t90 - 0x1c));
										_t64[1] =  *_t86;
									}
								}
								_t70 = _t70 + 1;
								_t86 =  &(_t86[0]);
								 *(_t90 - 0x1c) =  &(( *(_t90 - 0x1c))[1]);
							} while (_t70 < _t89);
							goto L25;
						}
						_t81 =  &(0x100b960[_t69]);
						 *_t81 = _t58;
						 *0x100b94c =  *0x100b94c + 0x20;
						_t16 =  &(_t58[0x40]); // 0x100
						_t82 = _t16;
						while(_t58 < _t82) {
							_t58[1] = 0;
							 *_t58 =  *_t58 | 0xffffffff;
							_t58[1] = 0xa;
							_t58 =  &(_t58[2]);
							_t82 =  &(( *_t81)[0x40]);
						}
						_t69 = _t69 + 1;
					}
					goto L18;
				} else {
					_t46 = _t43 | 0xffffffff;
					L39:
					return E01002EF3(_t46);
				}
			}

APIs
  • GetStartupInfoA.KERNEL32(?), ref: 010039BB
    • Part of subcall function 0100545C: Sleep.KERNEL32(00000000,765E7800,00000000,00000000,010039CF), ref: 01005471
  • GetFileType.KERNEL32 ref: 01003AAD
  • GetStdHandle.KERNEL32(-000000F6), ref: 01003B08
  • GetFileType.KERNELBASE(00000000), ref: 01003B16
  • SetHandleCount.KERNEL32 ref: 01003B4D
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: FileHandleType$CountInfoSleepStartup
  • String ID:
  • API String ID: 1302456922-0
  • Opcode ID: 36e60e99dcc27b8a42fda6c32ecc2f29bd421e3a25a40305a19b35e82e39fb39
  • Instruction ID: 92b4fc194d147d7d6476f674b341aa4de407157f7e774a5043ab5c88aca40dc5
  • Opcode Fuzzy Hash: 36e60e99dcc27b8a42fda6c32ecc2f29bd421e3a25a40305a19b35e82e39fb39
  • Instruction Fuzzy Hash: E951D630A017468FE7278F2CC8847A97BA0BB06328F1547A8D6E29F2E1C779D481CB11
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
C-Code - Quality: 100%
			E010063F9(void* __edx, long _a4, void* _a8, long _a12) {
				intOrPtr* _v8;
				long _v12;
				long _v16;
				struct _OVERLAPPED* _v20;
				signed char* _v24;
				void _v1052;
				signed char _t59;
				void** _t65;
				intOrPtr _t68;
				char* _t73;
				int _t78;
				long _t80;
				signed char* _t84;
				signed int _t85;
				void* _t89;
				char _t92;
				struct _OVERLAPPED* _t93;
				long _t95;
				signed int _t98;

				_t85 = _a4;
				if(_t85 >=  *0x100b94c) {
					L31:
					 *0x1009994 =  *0x1009994 & 0x00000000;
					L32:
					 *0x1009990 = 9;
					L33:
					return _t59 | 0xffffffff;
				}
				_t84 = 0x100b960 + (_t85 >> 5) * 4;
				_t98 = (_t85 & 0x0000001f) << 3;
				_t59 =  *((intOrPtr*)( *_t84 + _t98 + 4));
				_v24 = _t84;
				if((_t59 & 0x00000001) == 0) {
					goto L31;
				}
				_t93 = 0;
				_v12 = 0;
				_v20 = 0;
				if(_a12 != 0) {
					if((_t59 & 0x00000020) != 0) {
						E01007308(_t85, __edx, _t85, 0, 0, 2);
					}
					_t65 =  *_t84 + _t98;
					if((_t65[1] & 0x00000080) == 0) {
						if(WriteFile( *_t65, _a8, _a12,  &_v16, _t93) == 0) {
							_a4 = GetLastError();
						} else {
							_a4 = _t93;
							_v12 = _v16;
						}
					} else {
						_v8 = _a8;
						_a4 = _t93;
						if(_a12 <= _t93) {
							L27:
							_t59 =  *_t84;
							if(( *(_t59 + _t98 + 4) & 0x00000040) == 0) {
								L29:
								 *0x1009990 = 0x1c;
								 *0x1009994 = _t93;
								goto L33;
							}
							_t59 = _a8;
							if( *_t59 == 0x1a) {
								goto L3;
							}
							goto L29;
						} else {
							goto L8;
						}
						do {
							L8:
							_t89 = _v8 - _a8;
							_t73 =  &_v1052;
							while(_t89 < _a12) {
								_v8 = _v8 + 1;
								_t92 =  *_v8;
								_t89 = _t89 + 1;
								if(_t92 == 0xa) {
									_v20 = _v20 + 1;
									 *_t73 = 0xd;
									_t73 = _t73 + 1;
									_t93 =  &(_t93->Internal);
								}
								_t84 = _v24;
								 *_t73 = _t92;
								_t73 = _t73 + 1;
								_t93 =  &(_t93->Internal);
								if(_t93 < 0x400) {
									continue;
								} else {
									break;
								}
							}
							_t95 = _t73 -  &_v1052;
							_t78 = WriteFile( *( *_t84 + _t98),  &_v1052, _t95,  &_v16, 0); // executed
							if(_t78 == 0) {
								_a4 = GetLastError();
								L18:
								_t93 = 0;
								L19:
								_t68 = _v12;
								if(_t68 != _t93) {
									return _t68 - _v20;
								}
								if(_a4 == _t93) {
									goto L27;
								}
								_t59 = 5;
								if(_a4 != _t59) {
									_t59 = E010071F3(_a4);
									goto L33;
								}
								 *0x1009994 = _t59;
								goto L32;
							}
							_t80 = _v16;
							_v12 = _v12 + _t80;
							if(_t80 < _t95) {
								goto L18;
							}
							_t93 = 0;
						} while (_v8 - _a8 < _a12);
					}
					goto L19;
				}
				L3:
				return 0;
			}

APIs
  • WriteFile.KERNELBASE(?,?,?,00000000,00000000,00000001,?,?), ref: 010064D1
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: FileWrite
  • String ID:
  • API String ID: 3934441357-0
  • Opcode ID: 00701a64fb533b92d1b2896180390773b7d6498e5c3a61a89c636f62e84d85be
  • Instruction ID: 44f3d51c6ef5846a741237d2617c54f4534e0a1aeaf27d6de74035e919c6b284
  • Opcode Fuzzy Hash: 00701a64fb533b92d1b2896180390773b7d6498e5c3a61a89c636f62e84d85be
  • Instruction Fuzzy Hash: 1151F071900249EFEB13CF5CC884AAD7BF6FF44344F1080A9E9969B285DB32DA50CB60
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
C-Code - Quality: 100%
			E01003B84(intOrPtr _a4) {
				void* _t6;
				intOrPtr _t8;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x100b944 = _t6;
				if(_t6 == 0) {
					L4:
					return 0;
				} else {
					_t8 = E01003B6A();
					 *0x100b948 = _t8;
					if(_t8 != 3 || E0100589A(0x3f8) != 0) {
						return 1;
					} else {
						HeapDestroy( *0x100b944);
						goto L4;
					}
				}
			}

APIs
  • HeapCreate.KERNELBASE(00000000,00001000,00000000,01002DB0,00000000), ref: 01003B95
    • Part of subcall function 0100589A: HeapAlloc.KERNEL32(00000000,00000140,01003BBD,000003F8), ref: 010058A7
  • HeapDestroy.KERNEL32 ref: 01003BC8
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: Heap$AllocCreateDestroy
  • String ID:
  • API String ID: 2236781399-0
  • Opcode ID: fbc3240dcbca79c9e26f17c1ce97cde289aba65c926a1f2e1b67a628de07aa6f
  • Instruction ID: 5689e74cb1c87fc0d06e2e9ddddbb095f281ac24748a1c7af68ca62b80646970
  • Opcode Fuzzy Hash: fbc3240dcbca79c9e26f17c1ce97cde289aba65c926a1f2e1b67a628de07aa6f
  • Instruction Fuzzy Hash: 55E09A74B127019EFF73AB386D05B2536D4AB80346F000825F6C0C91C8EBB9C0009700
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
C-Code - Quality: 35%
			E01006779(intOrPtr _a4) {
				intOrPtr _t3;
				void* _t4;
				intOrPtr _t7;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t17;

				_t8 = _a4;
				_t17 = 0;
				if(_t8 <= 0xffffffe0) {
					do {
						_t3 =  *0x100b948;
						_t12 = _t8;
						if(_t3 != 1) {
							if(_t3 != 3) {
								L9:
								if(_t8 == 0) {
									_t12 = 1;
								}
								_push(_t12 + 0x0000000f & 0xfffffff0);
								goto L12;
							} else {
								_t4 = E01006763(_t8);
								if(_t4 == 0) {
									goto L9;
								}
							}
						} else {
							if(_t8 == 0) {
								_t7 = 1;
							} else {
								_t7 = _t8;
							}
							_push(_t7);
							L12:
							_push(0);
							_t4 = RtlAllocateHeap( *0x100b944); // executed
						}
						_t17 = _t4;
					} while (_t17 == 0 &&  *0x1009eac != _t4 && E010074CC(_t8) != 0);
				}
				return _t17;
			}










APIs
  • RtlAllocateHeap.NTDLL(00000000,?,765E7800,?,00000000,00000100,01005469,00000100,765E7800,00000000,00000000,010039CF), ref: 010067CE
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: AllocateHeap
  • String ID:
  • API String ID: 1279760036-0
  • Opcode ID: b90ace1aa3282a452a4b9dba3a21feb88ddc99ea12492e339039d8a833f1747b
  • Instruction ID: c4e48a980e67ac2b8353c3ca2c9085ec56967e163d2d69dbf699dc22979f261d
  • Opcode Fuzzy Hash: b90ace1aa3282a452a4b9dba3a21feb88ddc99ea12492e339039d8a833f1747b
  • Instruction Fuzzy Hash: 9101813360131216BA7355AE5DC0A2B72DABB84675F1515B9EAD8C22C2FB23D8644251
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Control-flow Graph

[graph omitted: basic blocks 1005205-10052fd of E01005205, with one LoadLibraryA and five GetProcAddress call sites; executed / not-executed legend]
C-Code - Quality: 29%
			E01005205(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a14) {
				char _v8;
				signed char _v12;
				char _v20;
				intOrPtr* _t13;
				intOrPtr* _t14;
				intOrPtr* _t17;
				void* _t19;
				_Unknown_base(*)()* _t23;
				_Unknown_base(*)()* _t26;
				void* _t28;
				struct HINSTANCE__* _t31;
				void* _t33;

				_t28 = 0;
				_t33 =  *0x1009e68 - _t28; // 0x0
				if(_t33 != 0) {
					L6:
					_t13 =  *0x1009e74; // 0x0
					if(_t13 == 0) {
						L14:
						_t14 =  *0x1009e6c; // 0x0
						if(_t14 != 0) {
							_t28 =  *_t14();
							if(_t28 != 0) {
								_t17 =  *0x1009e70; // 0x0
								if(_t17 != 0) {
									_t28 =  *_t17(_t28);
								}
							}
						}
						L18:
						return  *0x1009e68(_t28, _a4, _a8, _a12);
					}
					_t19 =  *_t13();
					if(_t19 == 0) {
						L10:
						if( *0x10099a8 < 4) {
							_a14 = _a14 | 0x00000004;
						} else {
							_a14 = _a14 | 0x00000020;
						}
						goto L18;
					}
					_push( &_v8);
					_push(0xc);
					_push( &_v20);
					_push(1);
					_push(_t19);
					if( *0x1009e78() == 0 || (_v12 & 0x00000001) == 0) {
						goto L10;
					} else {
						goto L14;
					}
				}
				_t31 = LoadLibraryA("user32.dll");
				if(_t31 == 0) {
					L12:
					return 0;
				}
				_t23 = GetProcAddress(_t31, "MessageBoxA");
				 *0x1009e68 = _t23;
				if(_t23 == 0) {
					goto L12;
				} else {
					 *0x1009e6c = GetProcAddress(_t31, "GetActiveWindow");
					 *0x1009e70 = GetProcAddress(_t31, "GetLastActivePopup");
					if( *0x100999c == 2) {
						_t26 = GetProcAddress(_t31, "GetUserObjectInformationA");
						 *0x1009e78 = _t26;
						if(_t26 != 0) {
							 *0x1009e74 = GetProcAddress(_t31, "GetProcessWindowStation");
						}
					}
					goto L6;
				}
			}
















APIs
  • LoadLibraryA.KERNEL32(user32.dll,010099E0,?,010099FA), ref: 0100521D
  • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 01005239
  • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0100524A
  • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 01005257
  • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 0100526D
  • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0100527E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: AddressProc$LibraryLoad
  • String ID: $GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$user32.dll
  • API String ID: 2238633743-752805172
  • Opcode ID: d8b66a83368226432bc310d989f3d2294fb8a90dd5f05e22d46485e0b3b0e00e
  • Instruction ID: 15d7bed974f1b4810212bad31d085c6ff0b917372fd8ab29ad5bfdf5b47bdef4
  • Opcode Fuzzy Hash: d8b66a83368226432bc310d989f3d2294fb8a90dd5f05e22d46485e0b3b0e00e
  • Instruction Fuzzy Hash: 8C216731604345ABFB63ABB99C89B6A3FE8AF45744F04006AF6C5D50C6EBB5C844CF51
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 92%
			E01002455(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t29;
				void* _t36;
				void* _t43;
				void* _t45;
				void** _t52;
				void* _t55;

				_push(0x20);
				_push(0x1001170);
				E01002EB8(__ebx, __edi, __esi);
				 *(_t55 - 0x1c) = 0;
				 *(_t55 - 0x28) = 0x80;
				 *(_t55 - 0x20) = 0x32;
				 *((intOrPtr*)(_t55 - 0x24)) = 0;
				 *(_t55 - 4) = 0;
				_t29 = HeapAlloc(GetProcessHeap(), 0, 0x80);
				_t52 =  *(_t55 + 0x10);
				 *_t52 = _t29;
				if(_t29 != 0) {
					_t36 = HeapAlloc(GetProcessHeap(), 0,  *(_t55 - 0x20));
					 *(_t55 - 0x1c) = _t36;
					if(_t36 != 0) {
						while(LookupAccountNameW( *(_t55 + 8),  *(_t55 + 0xc),  *_t52, _t55 - 0x28,  *(_t55 - 0x1c), _t55 - 0x20, _t55 - 0x2c) == 0) {
							if(GetLastError() == 0x7a) {
								_t43 = HeapReAlloc(GetProcessHeap(), 0,  *_t52,  *(_t55 - 0x28));
								 *0x00000000 = _t43;
								if(_t43 != 0) {
									 *_t52 = _t43;
									_t45 = HeapReAlloc(GetProcessHeap(), 0,  *(_t55 - 0x1c),  *(_t55 - 0x20));
									 *(_t55 - 0x30) = _t45;
									if(_t45 != 0) {
										 *(_t55 - 0x1c) = _t45;
										continue;
									}
								}
							}
							goto L9;
						}
						 *((intOrPtr*)(_t55 - 0x24)) = 1;
					}
				}
				L9:
				 *(_t55 - 4) =  *(_t55 - 4) | 0xffffffff;
				E01002540(_t52);
				if( *(_t55 - 0x1c) != 0) {
					HeapFree(GetProcessHeap(), 0,  *(_t55 - 0x1c));
				}
				return E01002EF3( *((intOrPtr*)(_t55 - 0x24)));
			}










APIs
  • GetProcessHeap.KERNEL32(00000000,00000080,01001170,00000020,01002BCD,?,?,?,?,00000810,?), ref: 01002483
  • HeapAlloc.KERNEL32(00000000), ref: 0100248C
  • GetProcessHeap.KERNEL32(00000000,?), ref: 0100249C
  • HeapAlloc.KERNEL32(00000000), ref: 0100249F
  • LookupAccountNameW.ADVAPI32(?,?,?,?,?,?,?), ref: 010024C5
  • GetLastError.KERNEL32 ref: 010024CF
  • GetProcessHeap.KERNEL32(00000000,?,?), ref: 010024E1
  • HeapReAlloc.KERNEL32(00000000), ref: 010024E4
  • GetProcessHeap.KERNEL32(00000000,?,?), ref: 010024F7
  • HeapReAlloc.KERNEL32(00000000), ref: 010024FA
  • GetProcessHeap.KERNEL32(00000000,?), ref: 01002523
  • HeapFree.KERNEL32(00000000), ref: 01002526
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: Heap$Process$Alloc$AccountErrorFreeLastLookupName
  • String ID:
  • API String ID: 19990548-0
  • Opcode ID: 85d46d484257b75950ca4ccdff046d5d296af0747300e02b1757fc142f25c4ae
  • Instruction ID: 96a9efb9d1ffcaa10e441f0f74a74527ed9008e1232d6dff62d18d61337fb499
  • Opcode Fuzzy Hash: 85d46d484257b75950ca4ccdff046d5d296af0747300e02b1757fc142f25c4ae
  • Instruction Fuzzy Hash: 3D21FB7190020AABEF629FA5DC48AEEBFB9FF08351F144015F595E2290DB76C511CF64
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
			E01007A96() {
				struct _FILETIME _v12;
				signed int _v16;
				union _LARGE_INTEGER _v20;
				struct HINSTANCE__* _t7;
				signed int _t9;
				signed int _t10;
				signed int _t11;
				_Unknown_base(*)()* _t16;
				signed int _t23;

				_t7 =  *0x100900c; // 0xebac68f3
				if(_t7 == 0 || _t7 == 0xbb40e64e) {
					GetSystemTimeAsFileTime( &_v12);
					_t9 = GetCurrentProcessId();
					_t10 = GetCurrentThreadId();
					_t11 = GetTickCount();
					QueryPerformanceCounter( &_v20);
					_t23 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t9 ^ _t10 ^ _t11 ^ _v16 ^ _v20.LowPart;
					 *0x100900c = _t23;
					if(_t23 == 0) {
						 *0x100900c = 0xbb40e64e;
					}
					_t7 = GetModuleHandleA("kernel32.dll");
					if(_t7 != 0) {
						_t16 = GetProcAddress(_t7, "UnhandledExceptionFilter");
						 *0x100ba78 = _t16;
						return _t16;
					}
				}
				return _t7;
			}













APIs
  • GetSystemTimeAsFileTime.KERNEL32(?), ref: 01007AB1
  • GetCurrentProcessId.KERNEL32 ref: 01007ABD
  • GetCurrentThreadId.KERNEL32 ref: 01007AC5
  • GetTickCount.KERNEL32 ref: 01007ACD
  • QueryPerformanceCounter.KERNEL32(?), ref: 01007AD9
  • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 01007AFE
  • GetProcAddress.KERNEL32(00000000,UnhandledExceptionFilter), ref: 01007B0F
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: CurrentTime$AddressCountCounterFileHandleModulePerformanceProcProcessQuerySystemThreadTick
  • String ID: UnhandledExceptionFilter$kernel32.dll
  • API String ID: 2672014633-2428948374
  • Opcode ID: c60d407fdea3ff418fa0a2d1d2a0b2d96f271b34997a08f58ca7bb258c89fbb7
  • Instruction ID: f301e0a7971121a3bb6f31807c4874eb9fa9d268c707fe1d6dc930422f3fba8f
  • Opcode Fuzzy Hash: c60d407fdea3ff418fa0a2d1d2a0b2d96f271b34997a08f58ca7bb258c89fbb7
  • Instruction Fuzzy Hash: 5E012171E00114DBEB23DFF5E94C68A7BF8BB08341F814955F9C1E7145EA79E5448B90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 86%
			E010076E5(void* __ecx, void* __eflags) {
				void* _v8;
				long _v12;
				long _v16;
				signed char _v23;
				struct _MEMORY_BASIC_INFORMATION _v44;
				struct _SYSTEM_INFO _v80;
				void* _v92;
				void* _t29;
				int _t33;
				intOrPtr _t35;
				void* _t43;
				void* _t46;
				signed int _t49;
				void* _t54;
				void* _t55;
				void* _t62;
				void* _t63;

				_t29 = 4;
				E010030D0(_t29, __ecx);
				_t55 = _t63;
				if(VirtualQuery(_t55,  &_v44, 0x1c) == 0) {
					L9:
					_t33 = 0;
				} else {
					_t46 = _v44.AllocationBase;
					GetSystemInfo( &_v80);
					_t49 = _v80.dwPageSize;
					_t35 =  *0x100999c; // 0x2
					_t54 = ( !(_t49 - 1) & _t55) - _t49;
					asm("sbb esi, esi");
					_t62 = (( ~(_t35 - 1) & 0xfffffff1) + 0x11) * _t49 + _t46;
					_v12 = _t49;
					if(_t54 < _t62) {
						goto L9;
					} else {
						if(_t35 == 1) {
							_v8 = _t54;
							goto L14;
						} else {
							_v8 = _t46;
							while(VirtualQuery(_v8,  &_v44, 0x1c) != 0) {
								_v8 = _v8 + _v44.RegionSize;
								if((_v44.State & 0x00001000) == 0) {
									continue;
								} else {
									_t43 = _v44.BaseAddress;
									_v8 = _t43;
									if((_v23 & 0x00000001) == 0) {
										if(_t54 >= _t43) {
											if(_t43 < _t62) {
												_v8 = _t62;
											}
											VirtualAlloc(_v8, _v12, 0x1000, 4);
											_t35 =  *0x100999c; // 0x2
											L14:
											asm("sbb eax, eax");
											_t33 = VirtualProtect(_v8, _v12, ( ~(_t35 - 1) & 0x00000103) + 1,  &_v16);
										} else {
											goto L9;
										}
									} else {
										_t33 = 1;
									}
								}
								goto L15;
							}
							goto L9;
						}
					}
				}
				L15:
				return _t33;
			}





















APIs
  • VirtualQuery.KERNEL32(?,?,0000001C), ref: 010076FF
  • GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 01007710
  • VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 01007756
  • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 01007794
  • VirtualProtect.KERNEL32(?,?,00000002,?,?,?,0000001C), ref: 010077BA
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: Virtual$Query$AllocInfoProtectSystem
  • String ID:
  • API String ID: 4136887677-0
  • Opcode ID: 47205e10fbdc8f22e0eae3596e8d2650afd35f5240ddd31111943ec2cbc3e74a
  • Instruction ID: 14da55929b7a8fffa653f07a1f7b6004a284665a98b8bbccb451771ecd0fb5ce
  • Opcode Fuzzy Hash: 47205e10fbdc8f22e0eae3596e8d2650afd35f5240ddd31111943ec2cbc3e74a
  • Instruction Fuzzy Hash: 56319535E40119EBEF22CBA8CD44AED7BB8FB04354F144165EAC5E7280D7799A44CB91
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 68%
			E010079F8(void* __eax, void* __ecx) {
				intOrPtr _t17;
				intOrPtr* _t18;
				signed int _t33;
				void* _t37;
				void* _t44;
				void* _t47;
				void* _t52;

				_t52 = __ecx -  *0x100900c; // 0xebac68f3
				if(_t52 != 0) {
					_t44 = _t47 - 0x2a8;
					_t17 =  *0x100900c; // 0xebac68f3
					 *((intOrPtr*)(_t44 + 0x2a4)) = _t17;
					_t18 =  *0x100ba7c;
					if(_t18 != 0) {
						 *_t18();
					}
					if( *0x100ba78 != 0) {
						 *(_t44 - 0x28) =  *(_t44 - 0x28) & 0;
						_t33 = 0x13;
						memset(_t44 - 0x24, memset(_t44 - 0x7c, 0, _t33 << 2), 0xb2 << 2);
						 *((intOrPtr*)(_t44 - 0x30)) = _t44 - 0x80;
						 *((intOrPtr*)(_t44 - 0x80)) = 0xc0000409;
						 *((intOrPtr*)(_t44 - 0x2c)) = _t44 - 0x28;
						SetUnhandledExceptionFilter(0);
						 *0x100ba78(_t44 - 0x30, _t37);
					}
					return E010079F8(TerminateProcess(GetCurrentProcess(), 0x502),  *((intOrPtr*)(_t44 + 0x2a4)));
				} else {
					return __eax;
				}
			}











APIs
  • SetUnhandledExceptionFilter.KERNEL32(00000000,?), ref: 01007A60
  • GetCurrentProcess.KERNEL32(00000502), ref: 01007A76
  • TerminateProcess.KERNEL32(00000000), ref: 01007A7D
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: Process$CurrentExceptionFilterTerminateUnhandled
  • String ID:
  • API String ID: 3985764695-0
  • Opcode ID: f19e6e578cf64dba4e64e9770568a82f83f1748e9c31304746f830d4ae2d6e3d
  • Instruction ID: f9541bfa7e5e0a388108601af8f185fab180c60ba5a73e008205594f2b433ae3
  • Opcode Fuzzy Hash: f19e6e578cf64dba4e64e9770568a82f83f1748e9c31304746f830d4ae2d6e3d
  • Instruction Fuzzy Hash: 44115E71A44208DFEF32DFA4E859ADD77B8BB89305F004829E5D1A6180EB79A285CB11
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 64%
			E010074E7(int _a4) {
				char _v6;
				char _v12;
				void* __ecx;
				signed int _t6;
				void* _t10;

				_push(_t10);
				_push(_t10);
				_v6 = 0;
				_t6 = GetLocaleInfoA(_a4, 0x1004,  &_v12, 6);
				if(_t6 != 0) {
					return E010078A6(_t10,  &_v12);
				} else {
					return _t6 | 0xffffffff;
				}
			}









APIs
  • GetLocaleInfoA.KERNEL32(?,00001004,?,00000006,?,?,?,01006DA3,?,010022E8,0000001C,010055C8,00000001,00000020,00000100,?), ref: 010074FE
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: InfoLocale
  • String ID:
  • API String ID: 2299586839-0
  • Opcode ID: 308901bcedf2aed3fcf7f974d801d1cd4887c83db58e665215759b659d6ce5de
  • Instruction ID: b251f5a7f7045d8fbc3397745e849fd25da2335e5f632f22ca93ec012913a853
  • Opcode Fuzzy Hash: 308901bcedf2aed3fcf7f974d801d1cd4887c83db58e665215759b659d6ce5de
  • Instruction Fuzzy Hash: 5FE0C7717042487AFB128BA4CC0AFDA7ABC8B003A8F000299F691E50C0E2F9E6448362
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 71%
			E01002F04(signed int* __eax, void* __ebx, signed int __edx, char _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				signed int _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E01003C1A(_t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E01003CC6(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E01003BD8(_t55, _t66);
										_t89 = _t66 + 0x10;
										E01003C1A(_t66, 0);
										_t99 = _t99 + 0xc;
										E01003CAE(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}
























Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 91cf8ff679db2e7ad0aa7ed847d786cd5510db4dcc7b7a230fa241c97f0e66e9
  • Instruction ID: 3a46f9a68ba7acbc296c3fd6f0ae310766d9798ee67d540138a2640723104643
  • Opcode Fuzzy Hash: 91cf8ff679db2e7ad0aa7ed847d786cd5510db4dcc7b7a230fa241c97f0e66e9
  • Instruction Fuzzy Hash: 2B21C7729002089FEB12EF79C8848BBBBA5BF48350F4581A8D955CB285D730F915C7E0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 64%
			E01002A43() {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t39;
				intOrPtr* _t45;
				signed int _t46;
				intOrPtr* _t47;
				signed int _t49;
				signed int _t50;
				intOrPtr* _t52;
				void* _t53;
				void* _t54;
				char* _t55;
				void* _t65;
				intOrPtr _t72;
				void* _t78;
				signed int _t87;
				signed int _t90;
				void* _t92;
				void* _t93;
				void* _t96;
				char* _t97;
				void* _t99;
				void* _t101;
				void* _t102;
				void* _t103;
				char* _t104;
				WCHAR* _t109;
				void* _t116;
				void* _t117;
				void* _t119;
				void* _t121;
				intOrPtr* _t122;

				_t117 = _t119 - 0x6a8;
				_t39 =  *0x100900c; // 0xebac68f3
				 *(_t117 + 0x390) =  *(_t117 + 0x390) & 0x00000000;
				 *((intOrPtr*)(_t117 + 0x6a4)) = _t39;
				_t90 = 0x7f;
				memset(_t117 + 0x392, 0, _t90 << 2);
				_t121 = _t119 - 0x728 + 0xc;
				asm("stosw");
				 *((intOrPtr*)(_t117 - 0x7c)) = 0xd;
				 *(_t117 + 0x590) = 0x114;
				GetVersionExW(_t117 + 0x590);
				if( *((intOrPtr*)(_t117 + 0x5a0)) == 2) {
					_push( *((intOrPtr*)(_t117 + 0x6b4)));
					_push( *((intOrPtr*)(_t117 + 0x6b0)));
					E01002613();
					_t45 = 0x1009680;
					_t13 = _t45 + 1; // 0x1009681
					_t101 = _t13;
					do {
						_t92 =  *_t45;
						_t45 = _t45 + 1;
						__eflags = _t92;
					} while (_t92 != 0);
					_t46 = _t45 - _t101;
					__eflags = _t46;
					_t87 = _t46;
					_t47 = 0x1009880;
					_t14 = _t47 + 1; // 0x1009881
					_t93 = _t14;
					do {
						_t102 =  *_t47;
						_t47 = _t47 + 1;
						__eflags = _t102;
					} while (__eflags != 0);
					 *(_t117 - 0x80) = _t47 - _t93;
					_t49 = 0;
					_t50 = _t49 & 0xffffff00 | __eflags == 0x00000000;
					_t87 = _t50 | _t87 == 0x00000000;
					if((_t50 | _t87 == 0x00000000) == 0) {
						_t52 = 0x1009780;
						_t20 = _t52 + 1; // 0x1009781
						_t103 = _t20;
						do {
							_t96 =  *_t52;
							_t52 = _t52 + 1;
							__eflags = _t96;
						} while (_t96 != 0);
						_t53 = _t52 - _t103;
						__eflags = _t53;
						 *(_t117 - 0x80) = _t53;
						_t104 = "on";
						if(_t53 == 0) {
							_t104 = " ";
						}
						_t54 =  *0x1009000; // 0x1
						__eflags = _t54;
						_t97 = "to";
						if(_t54 != 0) {
							_t55 = "Granting";
						} else {
							_t97 = "from";
							_t55 = "Revoking";
						}
						_push(0x1009780);
						_push(_t104);
						_push(0x1009880);
						_push(_t97);
						_push(0x1009680);
						E0100300D(" %s %s %s %s %s %s", _t55);
						_t109 = L"%hS";
						wsprintfW(_t117 - 0x70, _t109, 0x1009880);
						wsprintfW(_t117 + 0x190, _t109, 0x1009680);
						wsprintfW(_t117 + 0x390, _t109, 0x1009780);
						_t122 = _t121 + 0x40;
						_t65 = E01002419(_t109, _t117 + 0x390, 0x810, _t117 - 0x78);
						__eflags = _t65;
						if(__eflags == 0) {
							_push(_t117 - 0x74);
							_push(_t117 - 0x70);
							_push(_t117 + 0x390);
							__eflags = E01002455(0x1009780, 0, wsprintfW, __eflags);
							if(__eflags == 0) {
								_push(GetLastError());
								E0100300D("... failed (GetAccountSid(%s)=%i \n", 0x1009880);
							} else {
								_t116 = E01002574(_t97, __eflags,  *((intOrPtr*)(_t117 - 0x78)),  *(_t117 - 0x74), _t117 + 0x190,  *0x1009000);
								__eflags = _t116;
								if(__eflags != 0) {
									_push("... failed\n");
									_t78 = E0100300D();
									_pop(_t99);
									_push(_t116);
									E01002960(_t78, _t99, "AddUserRightToAccount");
								} else {
									 *((intOrPtr*)(_t117 - 0x7c)) = 0;
									E0100300D();
									 *_t122 = 0x1388;
									E0100298B(_t97, __eflags, 0x1009780, "NTRights has been successful", 0x100a2c0, 0x1009ec0, "... successful\n");
								}
							}
							_push( *((intOrPtr*)(_t117 - 0x78)));
							L010079F2();
							__eflags =  *(_t117 - 0x74);
							if( *(_t117 - 0x74) != 0) {
								HeapFree(GetProcessHeap(), 0,  *(_t117 - 0x74));
							}
							_t72 =  *((intOrPtr*)(_t117 - 0x7c));
						} else {
							_push(_t65);
							E01002960(_t65, _t97, "OpenPolicy");
							_t72 = 0xd;
						}
						L25:
						goto L26;
					}
					E0100282A();
					_t72 = 1;
					goto L25;
				} else {
					_push("Sorry don\'t know about this OS - runs on NT only!\n");
					E0100300D();
					_t72 = 0x65;
					L26:
					return E010079F8(_t72,  *((intOrPtr*)(_t117 + 0x6a4)));
				}
			}






































APIs
  • GetVersionExW.KERNEL32(?,765E7800), ref: 01002A8C
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: Version
  • String ID: %s %s %s %s %s %s$%hS$... failed$... failed (GetAccountSid(%s)=%i $... successful$AddUserRightToAccount$Granting$NTRights has been successful$OpenPolicy$Revoking$Sorry don't know about this OS - runs on NT only!$from
  • API String ID: 1889659487-539649293
  • Opcode ID: 2d0188a5a91ccff9a715afecd334687170e4c0e30c337d928c8428ca960f8a4c
  • Instruction ID: 1100cb30c3ad7e1686ff37b624a8c232f390351e5842054f68807bd7a7dffaf8
  • Opcode Fuzzy Hash: 2d0188a5a91ccff9a715afecd334687170e4c0e30c337d928c8428ca960f8a4c
  • Instruction Fuzzy Hash: 49519171A00249AFFB37AFA5DC58EEE3BA9EB45300F140529F5C9DB1C1DA7197048B61
Uniqueness

Uniqueness Score: -1.00%
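Two of the decompiled routines above describe what ntrights.exe actually does to a host: E01002455 is a GetAccountSid-style loop around LookupAccountNameW that grows both buffers whenever GetLastError returns ERROR_INSUFFICIENT_BUFFER (0x7a), and E01002A43 is the entry point that prints Granting/Revoking, then calls OpenPolicy, GetAccountSid and AddUserRightToAccount, i.e. it edits LSA user-rights assignments. That is why a clean tool like this still matters to a responder: the same primitive grants an account SeDebugPrivilege or SeServiceLogonRight. The PowerShell below is an added example and is not the tool's own code or a Microsoft sample; it reproduces the local grant/revoke through LsaAddAccountRights and LsaRemoveAccountRights so the change can be reproduced, verified or undone. The wrapper name Set-AccountRight, its parameters, and the sample account and right in the usage comments are illustrative; it assumes an elevated prompt on the local machine (the remote-machine form, the third string main prints after "on", is not reproduced).

```powershell
# Added example, not ntrights' own code. Mirrors the OpenPolicy -> GetAccountSid ->
# AddUserRightToAccount chain in the decompiled E01002A43 using LSA P/Invoke.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class LsaRights
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_UNICODE_STRING
    {
        public ushort Length;          // bytes, excluding the terminator
        public ushort MaximumLength;   // bytes, including the terminator
        public IntPtr Buffer;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_OBJECT_ATTRIBUTES
    {
        public int Length;
        public IntPtr RootDirectory;
        public IntPtr ObjectName;
        public uint Attributes;
        public IntPtr SecurityDescriptor;
        public IntPtr SecurityQualityOfService;
    }

    // Least-privilege access mask for adding/removing account rights.
    public const uint POLICY_CREATE_ACCOUNT = 0x00000010;
    public const uint POLICY_LOOKUP_NAMES   = 0x00000800;

    [DllImport("advapi32.dll")]
    public static extern uint LsaOpenPolicy(IntPtr SystemName, ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
                                            uint DesiredAccess, out IntPtr PolicyHandle);
    [DllImport("advapi32.dll")]
    public static extern uint LsaAddAccountRights(IntPtr PolicyHandle, IntPtr AccountSid,
                                                  LSA_UNICODE_STRING[] UserRights, uint CountOfRights);
    [DllImport("advapi32.dll")]
    public static extern uint LsaRemoveAccountRights(IntPtr PolicyHandle, IntPtr AccountSid,
                                                     [MarshalAs(UnmanagedType.U1)] bool AllRights,
                                                     LSA_UNICODE_STRING[] UserRights, uint CountOfRights);
    [DllImport("advapi32.dll")]
    public static extern uint LsaClose(IntPtr PolicyHandle);
    [DllImport("advapi32.dll")]
    public static extern uint LsaNtStatusToWinError(uint Status);

    // Build the counted UTF-16 string LSA expects for a right name such as SeServiceLogonRight.
    public static LSA_UNICODE_STRING ToLsaString(string s)
    {
        LSA_UNICODE_STRING u = new LSA_UNICODE_STRING();
        u.Buffer = Marshal.StringToHGlobalUni(s);
        u.Length = (ushort)(s.Length * 2);
        u.MaximumLength = (ushort)((s.Length + 1) * 2);
        return u;
    }
}
"@

function Set-AccountRight {
    param(
        [Parameter(Mandatory)][string]$Account,  # illustrative, e.g. 'NT SERVICE\MyService'
        [Parameter(Mandatory)][string]$Right,    # illustrative, e.g. 'SeServiceLogonRight'
        [switch]$Revoke
    )
    # GetAccountSid step: E01002455 loops LookupAccountNameW and grows both buffers on
    # ERROR_INSUFFICIENT_BUFFER (0x7a); NTAccount.Translate performs that lookup for us.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $sidBytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($sidBytes, 0)
    $sidPtr = [Runtime.InteropServices.Marshal]::AllocHGlobal($sidBytes.Length)
    [Runtime.InteropServices.Marshal]::Copy($sidBytes, 0, $sidPtr, $sidBytes.Length)

    $policy = [IntPtr]::Zero
    $rights = [LsaRights+LSA_UNICODE_STRING[]]@([LsaRights]::ToLsaString($Right))
    try {
        # OpenPolicy step: SystemName = NULL opens the local LSA policy database.
        $attrs  = New-Object LsaRights+LSA_OBJECT_ATTRIBUTES
        $access = [LsaRights]::POLICY_CREATE_ACCOUNT -bor [LsaRights]::POLICY_LOOKUP_NAMES
        $status = [LsaRights]::LsaOpenPolicy([IntPtr]::Zero, [ref]$attrs, $access, [ref]$policy)
        if ($status -ne 0) {
            throw ("LsaOpenPolicy failed, Win32 error {0}" -f [LsaRights]::LsaNtStatusToWinError($status))
        }
        # AddUserRightToAccount step: the call pair behind the tool's Granting/Revoking branches.
        if ($Revoke) {
            $status = [LsaRights]::LsaRemoveAccountRights($policy, $sidPtr, $false, $rights, 1)
        } else {
            $status = [LsaRights]::LsaAddAccountRights($policy, $sidPtr, $rights, 1)
        }
        if ($status -ne 0) {
            throw ("LSA call failed, Win32 error {0}" -f [LsaRights]::LsaNtStatusToWinError($status))
        }
        $verb = if ($Revoke) { 'Revoked' } else { 'Granted' }
        $prep = if ($Revoke) { 'from' } else { 'to' }
        "$verb $Right $prep $Account ($($sid.Value))"
    } finally {
        if ($policy -ne [IntPtr]::Zero) { [void][LsaRights]::LsaClose($policy) }
        [Runtime.InteropServices.Marshal]::FreeHGlobal($rights[0].Buffer)
        [Runtime.InteropServices.Marshal]::FreeHGlobal($sidPtr)
    }
}

# Usage from an elevated prompt; verify the assignment the way a responder would, via secedit:
#   Set-AccountRight -Account 'NT SERVICE\MyService' -Right 'SeServiceLogonRight'
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Select-String -Path "$env:TEMP\rights.inf" -Pattern 'SeServiceLogonRight'
#   Set-AccountRight -Account 'NT SERVICE\MyService' -Right 'SeServiceLogonRight' -Revoke
```

The access mask is deliberately POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES rather than POLICY_ALL_ACCESS, which is all LsaAddAccountRights and LsaRemoveAccountRights need. The secedit export is the check to run after any unexpected ntrights execution, since the [Privilege Rights] section lists every assignment by SID. The decompiled main additionally passes 0x1388 and the string "NTRights has been successful" to E0100298B after a successful change; this example does not replicate that reporting step.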

Control-flow Graph

  • Executed
C-Code - Quality: 78%
			E01006871(void* __ebx, void* __edi, int __esi, void* __eflags) {
				signed int _t123;
				intOrPtr _t124;
				int _t126;
				char* _t129;
				int _t136;
				int _t138;
				signed int _t140;
				int _t143;
				int _t145;
				int _t146;
				int _t165;
				short* _t167;
				short* _t169;
				int _t170;
				signed int _t171;
				long _t175;
				char* _t177;
				signed int _t184;
				signed int _t185;
				signed int _t188;
				signed int _t191;
				signed int _t192;
				signed int _t195;
				int _t200;
				int _t204;
				void* _t205;
				void* _t206;
				void* _t207;
				void* _t208;
				void* _t209;
				signed int _t211;
				signed int _t212;
				int _t215;
				void* _t217;
				short* _t218;
				char* _t220;
				char* _t222;
				void* _t226;

				_t210 = __esi;
				_push(0x34);
				_push(0x10022c0);
				E01002EB8(__ebx, __edi, __esi);
				_t204 = 0;
				_t226 =  *0x1009ea0 - _t204; // 0x1
				if(_t226 == 0) {
					_t210 = 1;
					if(LCMapStringW(0, 0x100, 0x10022bc, 1, 0, 0) == 0) {
						_t175 = GetLastError();
						__eflags = _t175 - 0x78;
						if(_t175 == 0x78) {
							 *0x1009ea0 = 2;
						}
					} else {
						 *0x1009ea0 = 1;
					}
				}
				if( *(_t217 + 0x14) <= _t204) {
					L11:
					_t123 =  *0x1009ea0; // 0x1
					if(_t123 == 2 || _t123 == _t204) {
						 *(_t217 - 0x28) = _t204;
						_t177 = 0;
						 *(_t217 - 0x3c) = _t204;
						__eflags =  *(_t217 + 8) - _t204;
						if( *(_t217 + 8) == _t204) {
							_t146 =  *0x1009e88; // 0x0
							 *(_t217 + 8) = _t146;
						}
						__eflags =  *(_t217 + 0x20) - _t204;
						if( *(_t217 + 0x20) == _t204) {
							_t145 =  *0x1009e98; // 0x0
							 *(_t217 + 0x20) = _t145;
						}
						_t124 = E010074E7( *(_t217 + 8));
						 *((intOrPtr*)(_t217 - 0x40)) = _t124;
						__eflags = _t124 - 0xffffffff;
						if(_t124 != 0xffffffff) {
							__eflags = _t124 -  *(_t217 + 0x20);
							if(__eflags == 0) {
								_t211 = LCMapStringA( *(_t217 + 8),  *(_t217 + 0xc),  *(_t217 + 0x10),  *(_t217 + 0x14),  *(_t217 + 0x18),  *(_t217 + 0x1c));
								L60:
								__eflags =  *(_t217 - 0x28);
								if( *(_t217 - 0x28) != 0) {
									E01005424( *(_t217 - 0x28));
								}
								_t126 = _t211;
								goto L63;
							}
							_push(_t204);
							_push(_t204);
							_t182 = _t217 + 0x14;
							_push(_t217 + 0x14);
							_push( *(_t217 + 0x10));
							_push(_t124);
							_push( *(_t217 + 0x20));
							_t129 = E01007519(_t177, _t204, _t210, __eflags);
							_t220 =  &(_t218[0xc]);
							 *(_t217 - 0x28) = _t129;
							__eflags = _t129 - _t204;
							if(_t129 == _t204) {
								goto L46;
							}
							_t212 = LCMapStringA( *(_t217 + 8),  *(_t217 + 0xc), _t129,  *(_t217 + 0x14), _t204, _t204);
							 *(_t217 - 0x24) = _t212;
							__eflags = _t212;
							if(_t212 == 0) {
								L55:
								_t211 = 0;
								L57:
								__eflags =  *(_t217 - 0x3c);
								if( *(_t217 - 0x3c) != 0) {
									E01005424(_t177);
								}
								goto L60;
							}
							 *(_t217 - 4) =  *(_t217 - 4) & 0x00000000;
							E010030D0(_t130 + 0x00000003 & 0xfffffffc, _t182);
							 *(_t217 - 0x18) = _t220;
							_t177 = _t220;
							 *(_t217 - 0x44) = _t177;
							_t184 = _t212;
							_t205 = _t177;
							_t185 = _t184 >> 2;
							_t136 = memset(_t205, 0, _t185 << 2);
							_t206 = _t205 + _t185;
							_t188 = _t184 & 0x00000003;
							memset(_t206, _t136, _t188 << 0);
							_t222 =  &(_t220[0x18]);
							_t207 = _t206 + _t188;
							 *(_t217 - 4) =  *(_t217 - 4) | 0xffffffff;
							__eflags = _t177;
							if(_t177 != 0) {
								L54:
								_t138 = LCMapStringA( *(_t217 + 8),  *(_t217 + 0xc),  *(_t217 - 0x28),  *(_t217 + 0x14), _t177,  *(_t217 - 0x24));
								 *(_t217 - 0x24) = _t138;
								__eflags = _t138;
								if(__eflags != 0) {
									_push( *(_t217 + 0x1c));
									_push( *(_t217 + 0x18));
									_push(_t217 - 0x24);
									_push(_t177);
									_push( *(_t217 + 0x20));
									_push( *((intOrPtr*)(_t217 - 0x40)));
									_t140 = E01007519(_t177, _t207, _t212, __eflags);
									asm("sbb esi, esi");
									_t211 =  ~( ~_t140);
									goto L57;
								}
								goto L55;
							} else {
								_t177 = E0100545C( *(_t217 - 0x24));
								__eflags = _t177;
								if(_t177 == 0) {
									goto L55;
								}
								_t191 =  *(_t217 - 0x24);
								_t208 = _t177;
								_t192 = _t191 >> 2;
								_t143 = memset(_t208, 0, _t192 << 2);
								_t209 = _t208 + _t192;
								_t195 = _t191 & 0x00000003;
								__eflags = _t195;
								memset(_t209, _t143, _t195 << 0);
								_t222 =  &(_t222[0x18]);
								_t207 = _t209 + _t195;
								 *(_t217 - 0x3c) = 1;
								goto L54;
							}
						} else {
							goto L46;
						}
					} else {
						if(_t123 != 1) {
							L46:
							_t126 = 0;
							L63:
							return E01002EF3(_t126);
						}
						 *(_t217 - 0x2c) = _t204;
						 *(_t217 - 0x38) = _t204;
						 *(_t217 - 0x34) = _t204;
						if( *(_t217 + 0x20) == _t204) {
							_t170 =  *0x1009e98; // 0x0
							 *(_t217 + 0x20) = _t170;
						}
						_t215 = MultiByteToWideChar( *(_t217 + 0x20), 1 + (0 |  *((intOrPtr*)(_t217 + 0x24)) != _t204) * 8,  *(_t217 + 0x10),  *(_t217 + 0x14), _t204, _t204);
						 *(_t217 - 0x30) = _t215;
						if(_t215 == 0) {
							goto L46;
						} else {
							 *(_t217 - 4) = 1;
							E010030D0(_t215 + _t215 + 0x00000003 & 0xfffffffc, _t179);
							 *(_t217 - 0x18) = _t218;
							 *(_t217 - 0x1c) = _t218;
							 *(_t217 - 4) =  *(_t217 - 4) | 0xffffffff;
							if( *(_t217 - 0x1c) != 0) {
								L21:
								if(MultiByteToWideChar( *(_t217 + 0x20), 1,  *(_t217 + 0x10),  *(_t217 + 0x14),  *(_t217 - 0x1c), _t215) == 0) {
									L36:
									if( *(_t217 - 0x34) != 0) {
										E01005424( *(_t217 - 0x20));
									}
									if( *(_t217 - 0x38) != 0) {
										E01005424( *(_t217 - 0x1c));
									}
									_t126 = _t204;
									goto L63;
								}
								_t204 = LCMapStringW( *(_t217 + 8),  *(_t217 + 0xc),  *(_t217 - 0x1c), _t215, 0, 0);
								 *(_t217 - 0x2c) = _t204;
								if(_t204 == 0) {
									goto L36;
								}
								if(( *(_t217 + 0xd) & 0x00000004) == 0) {
									 *(_t217 - 4) = 2;
									E010030D0(_t204 + _t204 + 0x00000003 & 0xfffffffc, _t179);
									 *(_t217 - 0x18) = _t218;
									 *(_t217 - 0x20) = _t218;
									 *(_t217 - 4) =  *(_t217 - 4) | 0xffffffff;
									__eflags =  *(_t217 - 0x20);
									if( *(_t217 - 0x20) != 0) {
										L31:
										_t165 = LCMapStringW( *(_t217 + 8),  *(_t217 + 0xc),  *(_t217 - 0x1c), _t215,  *(_t217 - 0x20), _t204);
										__eflags = _t165;
										if(_t165 != 0) {
											_push(0);
											_push(0);
											__eflags =  *(_t217 + 0x1c);
											if( *(_t217 + 0x1c) != 0) {
												_push( *(_t217 + 0x1c));
												_push( *(_t217 + 0x18));
											} else {
												_push(0);
												_push(0);
											}
											_t204 = WideCharToMultiByte( *(_t217 + 0x20), 0,  *(_t217 - 0x20), _t204, ??, ??, ??, ??);
										}
										goto L36;
									} else {
										_t167 = E0100545C(_t204 + _t204);
										 *(_t217 - 0x20) = _t167;
										__eflags = _t167;
										if(_t167 == 0) {
											goto L36;
										}
										 *(_t217 - 0x34) = 1;
										goto L31;
									}
								}
								if( *(_t217 + 0x1c) != 0 && _t204 <=  *(_t217 + 0x1c)) {
									LCMapStringW( *(_t217 + 8),  *(_t217 + 0xc),  *(_t217 - 0x1c), _t215,  *(_t217 + 0x18),  *(_t217 + 0x1c));
								}
								goto L36;
							} else {
								_t179 = _t215 + _t215;
								_t169 = E0100545C(_t215 + _t215);
								 *(_t217 - 0x1c) = _t169;
								if(_t169 == 0) {
									goto L46;
								}
								 *(_t217 - 0x38) = 1;
								goto L21;
							}
						}
					}
				}
				_t200 =  *(_t217 + 0x14);
				_t171 =  *(_t217 + 0x10);
				while(1) {
					_t179 = _t200 - 1;
					if( *_t171 == 0) {
						break;
					}
					_t171 = _t171 + 1;
					if(_t179 != _t204) {
						continue;
					}
					_t179 = _t179 | 0xffffffff;
					break;
				}
				 *(_t217 + 0x14) =  *(_t217 + 0x14) + (_t171 | 0xffffffff) - _t179;
				goto L11;
			}

APIs
  • LCMapStringW.KERNEL32(00000000,00000100,010022BC,00000001,00000000,00000000,010022C0,00000034,010055EC,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 01006898
  • GetLastError.KERNEL32 ref: 010068AA
  • MultiByteToWideChar.KERNEL32(?,00000000,01005870,?,00000000,00000000,010022C0,00000034,010055EC,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 01006930
  • MultiByteToWideChar.KERNEL32(?,00000001,01005870,?,?,00000000), ref: 010069B2
  • LCMapStringW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 010069CC
  • LCMapStringW.KERNEL32(00000000,00000000,?,00000000,?,?), ref: 01006A07
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: String$ByteCharMultiWide$ErrorLast
  • String ID:
  • API String ID: 1775797328-0
  • Opcode ID: 05c9ead9e03e3ab579ca3e354a1ab9c3beb59358a4867412328d8bf5da54a0b3
  • Instruction ID: 23ae69426bf5ea3a3cffcc35835e00f68d63ec83e7e07bc8171dc10481046b32
  • Opcode Fuzzy Hash: 05c9ead9e03e3ab579ca3e354a1ab9c3beb59358a4867412328d8bf5da54a0b3
  • Instruction Fuzzy Hash: 8CB16C7190015AAFEF239FA9CC449EE7FB2FF09314F148129F995A61A0D77689A0CF50
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 68%
			E0100328B(void* __ecx, signed int _a4) {
				long _v8;
				void* _t19;
				void* _t22;
				void* _t27;
				unsigned int _t28;
				signed int _t29;
				void* _t31;
				void _t38;
				signed int _t41;
				void* _t42;
				signed int _t44;
				void _t46;
				void _t47;
				signed int _t50;
				void _t55;
				signed int _t56;
				void* _t58;
				void* _t60;
				void* _t62;
				void* _t68;
				void* _t70;
				signed int _t81;
				void* _t83;
				void* _t86;
				void* _t88;
				void* _t89;

				_t41 = _a4;
				_t19 = 0;
				while(_t41 !=  *((intOrPtr*)(0x1009010 + _t19 * 8))) {
					_t19 = _t19 + 1;
					if(_t19 < 0x12) {
						continue;
					}
					break;
				}
				_t81 = _t19 << 3;
				_t4 = _t81 + 0x1009010; // 0x30000000
				_a4 = _t81;
				if(_t41 ==  *_t4) {
					_t19 =  *0x100998c; // 0x0
					if(_t19 == 1 || _t19 == 0 &&  *0x1009008 == 1) {
						_t19 = GetStdHandle(0xfffffff4);
						if(_t19 != 0) {
							_t16 = _t81 + 0x1009014; // 0x1001c30
							_t83 =  *_t16;
							_t42 = _t83;
							_t17 = _t42 + 1; // 0x1001c31
							_t58 = _t17;
							do {
								_t38 =  *_t42;
								_t42 = _t42 + 1;
							} while (_t38 != 0);
							_t19 = WriteFile(_t19, _t83, _t42 - _t58,  &_v8, 0);
						}
					} else {
						if(_t41 != 0xfc) {
							_t44 = 6;
							memcpy(0x10099e0, "Runtime Error!\n\nProgram: ", _t44 << 2);
							_t89 = _t88 + 0xc;
							asm("movsw");
							 *0x1009afe = 0;
							if(GetModuleFileNameA(0, 0x10099fa, 0x104) == 0) {
								_t56 = 5;
								memcpy(0x10099fa, "<program name unknown>", _t56 << 2);
								_t89 = _t89 + 0xc;
								asm("movsw");
								asm("movsb");
							}
							_t22 = 0x10099fa;
							_t8 = _t22 + 1; // 0x10099fb
							_t60 = _t8;
							do {
								_t46 =  *_t22;
								_t22 = _t22 + 1;
							} while (_t46 != 0);
							if(_t22 - _t60 + 1 > 0x3c) {
								_t31 = 0x10099fa;
								_t9 = _t31 + 1; // 0x10099fb
								_t62 = _t9;
								do {
									_t55 =  *_t31;
									_t31 = _t31 + 1;
								} while (_t55 != 0);
								E01005300(_t31 - _t62 + 0x10099bf, "...", 3);
								_t89 = _t89 + 0xc;
							}
							_t68 = 0x10099df;
							do {
								_t11 = _t68 + 1; // 0x0
								_t68 = _t68 + 1;
							} while ( *_t11 != 0);
							_t27 =  *(_a4 + 0x1009014);
							asm("movsw");
							asm("movsb");
							_t86 = _t27;
							do {
								_t47 =  *_t27;
								_t27 = _t27 + 1;
							} while (_t47 != 0);
							_t28 = _t27 - _t86;
							_t70 = 0x10099df;
							do {
								_t14 = _t70 + 1; // 0x0
								_t70 = _t70 + 1;
							} while ( *_t14 != 0);
							_t50 = _t28 >> 2;
							_t29 = memcpy(_t70, _t86, _t50 << 2);
							_push(0x12010);
							_push("Microsoft Visual C++ Runtime Library");
							_push(0x10099e0);
							memcpy(_t86 + _t50 + _t50, _t86, _t29 & 0x00000003);
							_t19 = E01005205();
						}
					}
				}
				return _t19;
			}

APIs
  • GetModuleFileNameA.KERNEL32(00000000,010099FA,00000104,765E7800,00000000,00000000,?,?,01002C99,?,01002E33,00000000), ref: 0100330A
  • _strncpy.LIBCMT ref: 01003356
  • GetStdHandle.KERNEL32(000000F4,00000000,00000000,?,?,01002C99,?,01002E33,00000000), ref: 010033BB
  • WriteFile.KERNEL32(00000000,01001C30,6002- floating point not loaded,?,00000000,?,?,01002C99,?,01002E33,00000000), ref: 010033E2
Strings
  • Runtime Error!Program: , xrefs: 010032E8
  • Microsoft Visual C++ Runtime Library, xrefs: 010033A6
  • ..., xrefs: 01003350
  • <program name unknown>, xrefs: 01003317
  • 6002- floating point not loaded, xrefs: 010033DF
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: File$HandleModuleNameWrite_strncpy
  • String ID: ...$6002- floating point not loaded$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
  • API String ID: 4227519811-2455688354
  • Opcode ID: f5a037c8d6d4d4f5022b467860d6ff2ae133327cb8b951e1de5964f2c16727cf
  • Instruction ID: 93044b9f845a4b7c5b900bbd8df288fde2f4697c8f305113f3d61717e79a4f44
  • Opcode Fuzzy Hash: f5a037c8d6d4d4f5022b467860d6ff2ae133327cb8b951e1de5964f2c16727cf
  • Instruction Fuzzy Hash: D6313C716042026FFB27CA2C98D8BAB77D6BB86744F148195F9C9CF3C2DA62C945C390
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 100%
			E01003881() {
				int _v4;
				int _v8;
				void* __ecx;
				intOrPtr _t8;
				CHAR* _t9;
				void* _t13;
				WCHAR* _t18;
				int _t21;
				char* _t24;
				int _t30;
				signed int _t32;
				signed int _t33;
				WCHAR* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr _t51;
				CHAR* _t52;
				int _t53;

				_t8 =  *0x1009e08; // 0x1
				_t30 = 0;
				_t48 = 0;
				_t51 = 2;
				if(_t8 != 0) {
					L6:
					if(_t8 != 1) {
						if(_t8 == _t51 || _t8 == _t30) {
							_t9 = GetEnvironmentStrings();
							_t52 = _t9;
							if(_t52 == _t30) {
								goto L20;
							}
							if( *_t52 == _t30) {
								L25:
								_t49 = _t9 - _t52 + 1;
								_t13 = E0100545C(_t49);
								if(_t13 != _t30) {
									_t32 = _t49;
									_t33 = _t32 >> 2;
									_t50 = _t52;
									memcpy(_t13, _t50, _t33 << 2);
									_t30 = memcpy(_t50 + _t33 + _t33, _t50, _t32 & 0x00000003);
								}
								FreeEnvironmentStringsA(_t52);
								L28:
								return _t30;
							} else {
								goto L23;
							}
							do {
								do {
									L23:
									_t9 =  &(_t9[1]);
								} while ( *_t9 != _t30);
								_t9 =  &(_t9[1]);
							} while ( *_t9 != _t30);
							goto L25;
						} else {
							L20:
							return 0;
						}
					}
					L7:
					if(_t48 != _t30) {
						L9:
						_t18 = _t48;
						if( *_t48 == _t30) {
							L12:
							_t21 = (_t18 - _t48 >> 1) + 1;
							_v4 = _t21;
							_t53 = WideCharToMultiByte(_t30, _t30, _t48, _t21, _t30, _t30, _t30, _t30);
							if(_t53 != _t30) {
								_t24 = E0100545C(_t53);
								_v8 = _t24;
								if(_t24 != _t30) {
									if(WideCharToMultiByte(_t30, _t30, _t48, _v4, _t24, _t53, _t30, _t30) == 0) {
										E01005424(_v8);
										_v8 = _t30;
									}
									_t30 = _v8;
								}
							}
							FreeEnvironmentStringsW(_t48);
							goto L28;
						} else {
							goto L10;
						}
						do {
							do {
								L10:
								_t18 = _t18 + _t51;
							} while ( *_t18 != _t30);
							_t18 = _t18 + _t51;
						} while ( *_t18 != _t30);
						goto L12;
					}
					_t48 = GetEnvironmentStringsW();
					if(_t48 == _t30) {
						goto L20;
					}
					goto L9;
				}
				_t48 = GetEnvironmentStringsW();
				if(_t48 == 0) {
					if(GetLastError() != 0x78) {
						_t8 =  *0x1009e08; // 0x1
					} else {
						_t8 = _t51;
						 *0x1009e08 = _t8;
					}
					goto L6;
				} else {
					 *0x1009e08 = 1;
					goto L7;
				}
			}

APIs
  • GetEnvironmentStringsW.KERNEL32(765E7800,00000000,?,00000000,?,?,01002DFA), ref: 0100389D
  • GetLastError.KERNEL32(?,00000000,?,?,01002DFA), ref: 010038B1
  • GetEnvironmentStringsW.KERNEL32(765E7800,00000000,?,00000000,?,?,01002DFA), ref: 010038D3
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,765E7800,00000000,?,00000000,?,?,01002DFA), ref: 01003907
  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,?,?,01002DFA), ref: 01003929
  • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,01002DFA), ref: 01003942
  • GetEnvironmentStrings.KERNEL32(765E7800,00000000,?,00000000,?,?,01002DFA), ref: 01003956
  • FreeEnvironmentStringsA.KERNEL32(00000000,?,00000000,?,?,01002DFA), ref: 01003998
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: EnvironmentStrings$ByteCharFreeMultiWide$ErrorLast
  • String ID:
  • API String ID: 883850110-0
  • Opcode ID: 94a586a12272b7e991025d9481f6adc45f3a597e1b3d83a2ce569a7a17c5d990
  • Instruction ID: f2f2bcaa3bb81053d37e7fd51e80f7449e9e998c56be72dac5de48cde6bcf772
  • Opcode Fuzzy Hash: 94a586a12272b7e991025d9481f6adc45f3a597e1b3d83a2ce569a7a17c5d990
  • Instruction Fuzzy Hash: C23124B26042595FFB736FAC5C8497ABBDCF744244F1908ADF6C2CB181D6A68C8487A0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 95%
			E01007519(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t56;
				char* _t57;
				char* _t69;
				int _t70;
				char* _t77;
				short* _t83;
				signed int _t86;
				signed int _t87;
				void* _t96;
				char* _t100;
				int _t102;
				signed int _t103;
				void* _t104;
				int _t107;
				int _t111;
				void* _t112;
				short* _t113;

				_push(0x34);
				_push(0x10022f8);
				E01002EB8(__ebx, __edi, __esi);
				 *(_t112 - 0x1c) = 0;
				 *(_t112 - 0x2c) = 0;
				_t102 =  *( *(_t112 + 0x14));
				 *(_t112 - 0x28) = _t102;
				 *(_t112 - 0x24) = 0;
				_t56 =  *(_t112 + 8);
				if(_t56 ==  *(_t112 + 0xc)) {
					_t83 =  *(_t112 - 0x30);
					goto L34;
				} else {
					_t85 = _t112 - 0x44;
					if(GetCPInfo(_t56, _t112 - 0x44) != 0 &&  *(_t112 - 0x44) == 1 && GetCPInfo( *(_t112 + 0xc), _t112 - 0x44) != 0 &&  *(_t112 - 0x44) == 1) {
						 *(_t112 - 0x24) = 1;
					}
					if( *(_t112 - 0x24) == 0) {
						_t111 =  *(_t112 - 0x20);
						L14:
						if( *(_t112 - 0x24) != 0) {
							L16:
							 *(_t112 - 4) = 0;
							_t103 = _t111 + _t111;
							E010030D0(_t103 + 0x00000003 & 0xfffffffc, _t85);
							 *(_t112 - 0x18) = _t113;
							_t83 = _t113;
							 *(_t112 - 0x30) = _t83;
							_t86 = _t103;
							_t104 = _t83;
							_t87 = _t86 >> 2;
							memset(_t104 + _t87, memset(_t104, 0, _t87 << 2), (_t86 & 0x00000003) << 0);
							 *(_t112 - 4) =  *(_t112 - 4) | 0xffffffff;
							if(_t83 != 0) {
								L21:
								if(MultiByteToWideChar( *(_t112 + 8), 1,  *(_t112 + 0x10),  *(_t112 - 0x28), _t83, _t111) == 0) {
									L34:
									if( *(_t112 - 0x2c) != 0) {
										E01005424(_t83);
									}
									_t57 =  *(_t112 - 0x1c);
									goto L37;
								}
								_t107 = 0;
								if( *(_t112 + 0x18) == 0) {
									if( *(_t112 - 0x24) != 0) {
										L28:
										_t69 = E01005494(1, _t111);
										 *(_t112 - 0x1c) = _t69;
										if(_t69 != _t107) {
											_t70 = WideCharToMultiByte( *(_t112 + 0xc), 0, _t83, _t111, _t69, _t111, 0, 0);
											if(_t70 != 0) {
												if( *(_t112 - 0x28) != 0xffffffff) {
													 *( *(_t112 + 0x14)) = _t70;
												}
											} else {
												E01005424( *(_t112 - 0x1c));
												 *(_t112 - 0x1c) = 0;
											}
										}
										goto L34;
									}
									_t111 = WideCharToMultiByte( *(_t112 + 0xc), 0, _t83, _t111, 0, 0, 0, 0);
									if(_t111 == 0) {
										goto L34;
									}
									_t107 = 0;
									goto L28;
								}
								if(WideCharToMultiByte( *(_t112 + 0xc), 0, _t83, _t111,  *(_t112 + 0x18),  *(_t112 + 0x1c), 0, 0) != 0) {
									 *(_t112 - 0x1c) =  *(_t112 + 0x18);
								}
								goto L34;
							} else {
								_t96 = 2;
								_t83 = E01005494(_t96, _t111);
								if(_t83 != 0) {
									 *(_t112 - 0x2c) = 1;
									goto L21;
								}
								L19:
								_t57 = 0;
								L37:
								return E01002EF3(_t57);
							}
						}
						_t111 = MultiByteToWideChar( *(_t112 + 8), 1,  *(_t112 + 0x10), _t102, 0, 0);
						 *(_t112 - 0x20) = _t111;
						if(_t111 == 0) {
							goto L19;
						}
						goto L16;
					}
					if(_t102 == 0xffffffff) {
						_t77 =  *(_t112 + 0x10);
						_t16 =  &(_t77[1]); // 0x1005871
						_t100 = _t16;
						do {
							_t85 =  *_t77;
							_t77 =  &(_t77[1]);
						} while (_t85 != 0);
						_t17 = _t77 - _t100 + 1; // 0x1005872
						_t111 = _t17;
						L12:
						 *(_t112 - 0x20) = _t111;
						goto L14;
					}
					_t111 = _t102;
					goto L12;
				}
			}

APIs
  • GetCPInfo.KERNEL32(00000000,?,010022F8,00000034,01006DC3,?,00000000,00000000,01005870,00000000,00000000,010022E8,0000001C,010055C8,00000001,00000020), ref: 0100754F
  • GetCPInfo.KERNEL32(00000000,00000001), ref: 01007562
  • MultiByteToWideChar.KERNEL32(00000000,00000001,01005870,?,00000000,00000000), ref: 010075AD
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: Info$ByteCharMultiWide
  • String ID:
  • API String ID: 1166650589-0
  • Opcode ID: c14a6462586c4cead95461060bbe7d4993be2bf4c00b1a188811514c1b13324a
  • Instruction ID: 4b5b606b0c9a6056a8dd6ee5a2c08f527fb42d1ebd13a569eddd3c232f7787a8
  • Opcode Fuzzy Hash: c14a6462586c4cead95461060bbe7d4993be2bf4c00b1a188811514c1b13324a
  • Instruction Fuzzy Hash: 3F51BF71A0024AABEF238FA9CC449EF7FB5FB88350F144169F9D6A7190D775A901CB60
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 85%
			E01006C38(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t44;
				void* _t45;
				short* _t47;
				int _t62;
				int _t66;
				long _t69;
				short* _t71;
				short* _t72;
				int _t73;
				void* _t74;
				signed int _t78;
				signed int _t79;
				void* _t85;
				int _t89;
				signed int _t90;
				void* _t91;
				short* _t97;
				short* _t98;
				void* _t99;
				short* _t100;
				void* _t106;

				_t74 = __ecx;
				_push(0x1c);
				_push(0x10022e8);
				E01002EB8(__ebx, __edi, __esi);
				_t97 = 0;
				_t106 =  *0x1009ea4 - _t97; // 0x1
				if(_t106 == 0) {
					if(GetStringTypeW(1, 0x10022bc, 1, _t99 - 0x1c) == 0) {
						_t69 = GetLastError();
						__eflags = _t69 - 0x78;
						if(_t69 == 0x78) {
							 *0x1009ea4 = 2;
						}
					} else {
						 *0x1009ea4 = 1;
					}
				}
				_t44 =  *0x1009ea4; // 0x1
				if(_t44 == 2 || _t44 == _t97) {
					_t89 =  *(_t99 + 0x1c);
					__eflags = _t89 - _t97;
					if(_t89 == _t97) {
						_t89 =  *0x1009e88; // 0x0
					}
					_t71 =  *(_t99 + 0x18);
					__eflags = _t71;
					if(_t71 == 0) {
						_t71 =  *0x1009e98; // 0x0
					}
					_t45 = E010074E7(_t89);
					__eflags = _t45 - 0xffffffff;
					if(_t45 != 0xffffffff) {
						__eflags = _t45 - _t71;
						if(__eflags == 0) {
							L29:
							_t72 = GetStringTypeA(_t89,  *(_t99 + 8),  *(_t99 + 0xc),  *(_t99 + 0x10),  *(_t99 + 0x14));
							__eflags = _t97;
							if(_t97 != 0) {
								E01005424(_t97);
							}
							_t47 = _t72;
							goto L32;
						}
						_push(0);
						_push(0);
						_push(_t99 + 0x10);
						_push( *(_t99 + 0xc));
						_push(_t45);
						_push(_t71);
						_t97 = E01007519(_t71, _t89, _t97, __eflags);
						__eflags = _t97;
						if(_t97 == 0) {
							goto L25;
						}
						 *(_t99 + 0xc) = _t97;
						goto L29;
					} else {
						goto L25;
					}
				} else {
					if(_t44 != 1) {
						L25:
						_t47 = 0;
						L32:
						return E01002EF3(_t47);
					}
					 *(_t99 - 0x24) = _t97;
					 *(_t99 - 0x20) = _t97;
					if( *(_t99 + 0x18) == _t97) {
						_t66 =  *0x1009e98; // 0x0
						 *(_t99 + 0x18) = _t66;
					}
					_t73 = MultiByteToWideChar( *(_t99 + 0x18), 1 + (0 |  *((intOrPtr*)(_t99 + 0x20)) != _t97) * 8,  *(_t99 + 0xc),  *(_t99 + 0x10), _t97, _t97);
					 *(_t99 - 0x28) = _t73;
					if(_t73 == 0) {
						goto L25;
					} else {
						 *(_t99 - 4) =  *(_t99 - 4) & 0x00000000;
						_t90 = _t73 + _t73;
						E010030D0(_t90 + 0x00000003 & 0xfffffffc, _t74);
						 *(_t99 - 0x18) = _t100;
						_t98 = _t100;
						 *(_t99 - 0x2c) = _t98;
						_t78 = _t90;
						_t91 = _t98;
						_t79 = _t78 >> 2;
						memset(_t91 + _t79, memset(_t91, 0, _t79 << 2), (_t78 & 0x00000003) << 0);
						 *(_t99 - 4) =  *(_t99 - 4) | 0xffffffff;
						if(_t98 != 0) {
							L15:
							_t62 = MultiByteToWideChar( *(_t99 + 0x18), 1,  *(_t99 + 0xc),  *(_t99 + 0x10), _t98, _t73);
							if(_t62 != 0) {
								 *(_t99 - 0x24) = GetStringTypeW( *(_t99 + 8), _t98, _t62,  *(_t99 + 0x14));
							}
							if( *(_t99 - 0x20) != 0) {
								E01005424(_t98);
							}
							_t47 =  *(_t99 - 0x24);
							goto L32;
						} else {
							_t85 = 2;
							_t98 = E01005494(_t85, _t73);
							if(_t98 == 0) {
								goto L25;
							}
							 *(_t99 - 0x20) = 1;
							goto L15;
						}
					}
				}
			}

APIs
  • GetStringTypeW.KERNEL32(00000001,010022BC,00000001,?,010022E8,0000001C,010055C8,00000001,00000020,00000100,?,00000000), ref: 01006C5C
  • GetLastError.KERNEL32 ref: 01006C6E
  • MultiByteToWideChar.KERNEL32(?,00000000,00000000,01005870,00000000,00000000,010022E8,0000001C,010055C8,00000001,00000020,00000100,?,00000000), ref: 01006CD0
  • MultiByteToWideChar.KERNEL32(?,00000001,00000000,01005870,?,00000000), ref: 01006D56
  • GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 01006D68
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: ByteCharMultiStringTypeWide$ErrorLast
  • String ID:
  • API String ID: 3581945363-0
  • Opcode ID: 29a9bdc9abbc79fbc15fec2be8754b448d74ed72fb654ce98a39bd252a943bc4
  • Instruction ID: d198bc96e74b10d3d925cf83711eedde476ed98e976b905eeb6468cd16500cb8
  • Opcode Fuzzy Hash: 29a9bdc9abbc79fbc15fec2be8754b448d74ed72fb654ce98a39bd252a943bc4
  • Instruction Fuzzy Hash: 3551A731E00259AFEF239F98DC45AEE3BA6EF44710F144119F9849A1D0DB76CDA0CB91
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E01003CC6(signed int _a4) {
				intOrPtr _v8;
				struct _MEMORY_BASIC_INFORMATION _v36;
				signed int _t51;
				void* _t52;
				signed int _t53;
				signed int _t55;
				signed int _t56;
				signed int _t57;
				signed int* _t60;
				intOrPtr* _t61;
				intOrPtr _t63;
				signed int _t64;
				signed int* _t66;
				signed int _t67;
				intOrPtr _t68;
				void* _t69;
				signed int _t70;
				void* _t71;
				intOrPtr _t73;
				void _t74;
				signed int _t75;
				signed int _t76;
				short* _t77;
				void* _t79;
				signed int _t80;
				signed int _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr _t88;
				signed int _t91;
				signed int _t92;
				signed int _t93;

				_t92 = _a4;
				_t69 =  *(_t92 + 8);
				if((_t69 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x18];
				_t51 = _a4;
				_t73 =  *((intOrPtr*)(_t51 + 8));
				_v8 = _t73;
				if(_t69 < _t73 || _t69 >=  *((intOrPtr*)(_t51 + 4))) {
					_t88 =  *((intOrPtr*)(_t92 + 0xc));
					__eflags = _t88 - 0xffffffff;
					if(_t88 != 0xffffffff) {
						_t81 = 0;
						__eflags = 0;
						_a4 = 0;
						_t52 = _t69;
						do {
							_t74 =  *_t52;
							__eflags = _t74 - 0xffffffff;
							if(_t74 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t74 - _t81;
							if(_t74 >= _t81) {
								L41:
								_t56 = 0;
								L57:
								return _t56;
							}
							L9:
							__eflags =  *(_t52 + 4);
							if( *(_t52 + 4) != 0) {
								_t13 =  &_a4;
								 *_t13 = _a4 + 1;
								__eflags =  *_t13;
							}
							_t81 = _t81 + 1;
							_t52 = _t52 + 0xc;
							__eflags = _t81 - _t88;
						} while (_t81 <= _t88);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t53 =  *0x1009e10; // 0x0
							_t91 = _t69 & 0xfffff000;
							_t93 = 0;
							__eflags = _t53;
							if(_t53 <= 0) {
								L18:
								_t55 = VirtualQuery(_t69,  &_v36, 0x1c);
								__eflags = _t55;
								if(_t55 == 0) {
									L56:
									_t56 = _t55 | 0xffffffff;
									__eflags = _t56;
									goto L57;
								}
								__eflags = _v36.Type - 0x1000000;
								if(_v36.Type != 0x1000000) {
									goto L56;
								}
								__eflags = _v36.Protect & 0x000000cc;
								if((_v36.Protect & 0x000000cc) == 0) {
									L28:
									_t57 = InterlockedExchange(0x1009e58, 1);
									__eflags = _t57;
									if(_t57 != 0) {
										goto L5;
									}
									_t75 =  *0x1009e10; // 0x0
									__eflags = _t75;
									_t82 = _t75;
									if(_t75 <= 0) {
										L33:
										__eflags = _t82;
										if(_t82 != 0) {
											L40:
											InterlockedExchange(0x1009e58, 0);
											goto L5;
										}
										_t70 = 0xf;
										__eflags = _t75 - _t70;
										if(_t75 <= _t70) {
											_t70 = _t75;
										}
										_t83 = 0;
										__eflags = _t70;
										if(_t70 < 0) {
											L38:
											__eflags = _t75 - 0x10;
											if(_t75 < 0x10) {
												_t76 = _t75 + 1;
												__eflags = _t76;
												 *0x1009e10 = _t76;
											}
											goto L40;
										} else {
											do {
												_t60 = 0x1009e18 + _t83 * 4;
												_t83 = _t83 + 1;
												__eflags = _t83 - _t70;
												 *_t60 = _t91;
												_t91 =  *_t60;
											} while (_t83 <= _t70);
											goto L38;
										}
									}
									_t61 = 0x1009e14 + _t75 * 4;
									while(1) {
										__eflags =  *_t61 - _t91;
										if( *_t61 == _t91) {
											goto L33;
										}
										_t82 = _t82 - 1;
										_t61 = _t61 - 4;
										__eflags = _t82;
										if(_t82 > 0) {
											continue;
										}
										goto L33;
									}
									goto L33;
								}
								_t77 = _v36.AllocationBase;
								__eflags =  *_t77 - 0x5a4d;
								if( *_t77 != 0x5a4d) {
									goto L56;
								}
								_t55 =  *((intOrPtr*)(_t77 + 0x3c)) + _t77;
								__eflags =  *_t55 - 0x4550;
								if( *_t55 != 0x4550) {
									goto L56;
								}
								__eflags =  *((short*)(_t55 + 0x18)) - 0x10b;
								if( *((short*)(_t55 + 0x18)) != 0x10b) {
									goto L56;
								}
								_t71 = _t69 - _t77;
								__eflags =  *((short*)(_t55 + 6));
								_t79 = ( *(_t55 + 0x14) & 0x0000ffff) + _t55 + 0x18;
								if( *((short*)(_t55 + 6)) <= 0) {
									goto L56;
								}
								_t63 =  *((intOrPtr*)(_t79 + 0xc));
								__eflags = _t71 - _t63;
								if(_t71 < _t63) {
									goto L28;
								}
								__eflags = _t71 -  *((intOrPtr*)(_t79 + 8)) + _t63;
								if(_t71 >=  *((intOrPtr*)(_t79 + 8)) + _t63) {
									goto L28;
								}
								__eflags =  *(_t79 + 0x27) & 0x00000080;
								if(( *(_t79 + 0x27) & 0x00000080) != 0) {
									goto L41;
								}
								goto L28;
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x1009e18 + _t93 * 4)) - _t91;
								if( *((intOrPtr*)(0x1009e18 + _t93 * 4)) == _t91) {
									break;
								}
								_t93 = _t93 + 1;
								__eflags = _t93 - _t53;
								if(_t93 < _t53) {
									continue;
								}
								goto L18;
							}
							__eflags = _t93;
							if(_t93 <= 0) {
								goto L5;
							}
							_t64 = InterlockedExchange(0x1009e58, 1);
							__eflags = _t64;
							if(_t64 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x1009e18 + _t93 * 4)) - _t91;
							if( *((intOrPtr*)(0x1009e18 + _t93 * 4)) == _t91) {
								L53:
								_t80 = 0;
								__eflags = _t93;
								if(_t93 < 0) {
									L55:
									InterlockedExchange(0x1009e58, 0);
									goto L5;
								} else {
									goto L54;
								}
								do {
									L54:
									_t66 = 0x1009e18 + _t80 * 4;
									_t80 = _t80 + 1;
									__eflags = _t80 - _t93;
									 *_t66 = _t91;
									_t91 =  *_t66;
								} while (_t80 <= _t93);
								goto L55;
							}
							_t67 =  *0x1009e10; // 0x0
							_t43 = _t67 - 1; // -1
							_t93 = _t43;
							__eflags = _t93;
							if(_t93 < 0) {
								L49:
								__eflags = _t67 - 0x10;
								if(_t67 < 0x10) {
									_t67 = _t67 + 1;
									__eflags = _t67;
									 *0x1009e10 = _t67;
								}
								_t46 = _t67 - 1; // 0x0
								_t93 = _t46;
								goto L53;
							} else {
								goto L46;
							}
							while(1) {
								L46:
								__eflags =  *((intOrPtr*)(0x1009e18 + _t93 * 4)) - _t91;
								if( *((intOrPtr*)(0x1009e18 + _t93 * 4)) == _t91) {
									break;
								}
								_t93 = _t93 - 1;
								__eflags = _t93;
								if(_t93 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t93;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L55;
								}
								goto L53;
							}
							goto L49;
						}
						_t68 =  *((intOrPtr*)(_t92 - 8));
						__eflags = _t68 - _v8;
						if(_t68 < _v8) {
							goto L41;
						}
						__eflags = _t68 - _t92;
						if(_t68 >= _t92) {
							goto L41;
						}
						goto L15;
					}
					L5:
					_t56 = 1;
					goto L57;
				} else {
					goto L3;
				}
			}

APIs
  • VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,01002F45,?), ref: 01003D79
  • InterlockedExchange.KERNEL32(01009E58,00000001), ref: 01003DF7
  • InterlockedExchange.KERNEL32(01009E58,00000000), ref: 01003E5C
  • InterlockedExchange.KERNEL32(01009E58,00000001), ref: 01003E80
  • InterlockedExchange.KERNEL32(01009E58,00000000), ref: 01003EE0
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: ExchangeInterlocked$QueryVirtual
  • String ID:
  • API String ID: 2947987494-0
  • Opcode ID: fcc34a01a91ccd4eb36485381a10e490a7da2e5d0bb1742d08874f84b2ac98f0
  • Instruction ID: efafbe7a140e295a1f41e742bb90fb0074278dbeefb564d43c12befe20fcca62
  • Opcode Fuzzy Hash: fcc34a01a91ccd4eb36485381a10e490a7da2e5d0bb1742d08874f84b2ac98f0
  • Instruction Fuzzy Hash: 7651C331A006819FFB67CB1DD484BA977E1BB40718F2486AAE5D68F2D6D372DC82C750
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 95%
			E0100298B(void* __ecx, void* __eflags, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a20) {
				intOrPtr _v8;
				char _v4104;
				char _v8200;
				char _v12296;
				int _v12300;
				char* _v12304;
				char* _v12308;
				WCHAR* _v12312;
				intOrPtr _t20;
				void* _t36;

				E010030D0(0x3014, __ecx);
				_t20 =  *0x100900c; // 0xebac68f3
				_v8 = _t20;
				E01002938(_a8,  &_v4104, 0x800);
				E01002938(_a12,  &_v8200, 0x800);
				E01002938(_a16,  &_v12296, 0x800);
				_t36 = RegisterEventSourceW(0, L"NTRights");
				_v12312 =  &_v4104;
				_v12308 =  &_v8200;
				_t30 =  &_v12296;
				_v12304 =  &_v12296;
				_v12300 = 0;
				if(_t36 != 0) {
					ReportEventW(_t36, 4, 0, _a20, 0, 3, 0,  &_v12312, 0);
					_t30 = DeregisterEventSource(_t36);
				}
				return E010079F8(_t30, _v8);
			}

APIs
    • Part of subcall function 01002938: lstrlenW.KERNEL32(?,?,?,010029B7,?,?,00000800,00000000,00000000,?,01002C18,01009780,NTRights has been successful,0100A2C0,01009EC0,... successful), ref: 01002944
    • Part of subcall function 01002938: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?), ref: 01002957
  • RegisterEventSourceW.ADVAPI32(00000000,NTRights), ref: 010029DF
  • ReportEventW.ADVAPI32(00000000,00000004,00000000,?,00000000,00000003,00000000,?,00000000), ref: 01002A28
  • DeregisterEventSource.ADVAPI32(00000000), ref: 01002A2F
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: Event$Source$ByteCharDeregisterMultiRegisterReportWidelstrlen
  • String ID: NTRights
  • API String ID: 129629396-966899588
  • Opcode ID: 5a5367b3d6f3b20794d1cb5de1f47f1a784ae3fdf83a721dc1f7faa8d9634937
  • Instruction ID: ecd13a54fadb5fa3bfbef9490a9633d059e242eeee719f70d01379aebb228341
  • Opcode Fuzzy Hash: 5a5367b3d6f3b20794d1cb5de1f47f1a784ae3fdf83a721dc1f7faa8d9634937
  • Instruction Fuzzy Hash: B8115B76902128ABEB23DF51DC44EDEBBBCEF59341F0000A1BA89E2140D6749B40DFA0
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 66%
			E0100552A() {
				char _v17;
				signed char _v18;
				struct _cpinfo _v24;
				char _v280;
				char _v536;
				char _v792;
				char _v1304;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t42;
				char _t43;
				signed char _t44;
				signed int _t54;
				signed int _t55;
				void* _t59;
				signed int _t61;
				signed int _t63;
				signed char _t65;
				char _t66;
				signed int _t68;
				signed int _t69;
				signed char* _t73;
				signed char* _t74;
				void* _t75;
				void* _t76;
				void* _t80;
				void* _t81;

				if(GetCPInfo( *0x100a804,  &_v24) == 1) {
					_t43 = 0;
					do {
						 *((char*)(_t80 + _t43 - 0x114)) = _t43;
						_t43 = _t43 + 1;
					} while (_t43 < 0x100);
					_t44 = _v18;
					_v280 = 0x20;
					if(_t44 == 0) {
						L9:
						_push(0);
						_push( *0x100a6dc);
						_push( *0x100a804);
						_push( &_v1304);
						_push(0x100);
						_push( &_v280);
						_push(1);
						E01006C38(_t59, _t61, _t75, 0x100, _t90);
						_push(0);
						_push( *0x100a804);
						_push(0x100);
						_push( &_v536);
						_push(0x100);
						_push( &_v280);
						_push(0x100);
						_push( *0x100a6dc);
						E01006871(_t59, _t75, 0x100, _t90);
						_push(0);
						_push( *0x100a804);
						_push(0x100);
						_push( &_v792);
						_push(0x100);
						_push( &_v280);
						_push(0x200);
						_push( *0x100a6dc);
						E01006871(_t59, _t75, 0x100, _t90);
						_t54 = 0;
						do {
							_t65 =  *((intOrPtr*)(_t80 + _t54 * 2 - 0x514));
							if((_t65 & 0x00000001) == 0) {
								__eflags = _t65 & 0x00000002;
								if((_t65 & 0x00000002) == 0) {
									 *((char*)(_t54 + 0x100a820)) = 0;
									goto L16;
								}
								 *(_t54 + 0x100a701) =  *(_t54 + 0x100a701) | 0x00000020;
								_t66 =  *((intOrPtr*)(_t80 + _t54 - 0x314));
								L12:
								 *((char*)(_t54 + 0x100a820)) = _t66;
								goto L16;
							}
							 *(_t54 + 0x100a701) =  *(_t54 + 0x100a701) | 0x00000010;
							_t66 =  *((intOrPtr*)(_t80 + _t54 - 0x214));
							goto L12;
							L16:
							_t54 = _t54 + 1;
						} while (_t54 < 0x100);
						return _t54;
					}
					_push(_t59);
					_t73 =  &_v17;
					_push(_t75);
					do {
						_t61 =  *_t73 & 0x000000ff;
						_t55 = _t44 & 0x000000ff;
						if(_t55 <= _t61) {
							_t68 = _t61 - _t55 + 1;
							_t69 = _t68 >> 2;
							_t76 = _t80 + _t55 - 0x114;
							memset(_t76 + _t69, memset(_t76, 0x20202020, _t69 << 2), (_t68 & 0x00000003) << 0);
							_t81 = _t81 + 0x18;
							_t61 = 0;
						}
						_t74 =  &(_t73[1]);
						_t44 =  *_t74;
						_t73 =  &(_t74[1]);
						_t90 = _t44;
					} while (_t44 != 0);
					_pop(_t75);
					_pop(_t59);
					goto L9;
				}
				_t42 = 0;
				__eflags = 0;
				do {
					__eflags = _t42 - 0x41;
					if(_t42 < 0x41) {
						L23:
						__eflags = _t42 - 0x61;
						if(_t42 < 0x61) {
							L26:
							 *(_t42 + 0x100a820) = 0;
						} else {
							__eflags = _t42 - 0x7a;
							if(_t42 > 0x7a) {
								goto L26;
							} else {
								 *(_t42 + 0x100a701) =  *(_t42 + 0x100a701) | 0x00000020;
								_t63 = _t42 - 0x20;
								goto L22;
							}
						}
					} else {
						__eflags = _t42 - 0x5a;
						if(_t42 > 0x5a) {
							goto L23;
						} else {
							 *(_t42 + 0x100a701) =  *(_t42 + 0x100a701) | 0x00000010;
							_t63 = _t42 + 0x20;
							__eflags = _t63;
							L22:
							 *(_t42 + 0x100a820) = _t63;
						}
					}
					_t42 = _t42 + 1;
					__eflags = _t42 - 0x100;
				} while (_t42 < 0x100);
				return _t42;
			}

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: Info
  • String ID: $
  • API String ID: 1807457897-3032137957
  • Opcode ID: 7089a9d1a0fbb9add1f757ec2007a6bd3a34fa9fb9f36f07740ec5d78a5932a8
  • Instruction ID: 5453aaf7a35c7a249c0e11ef95c46c622a4c9ffb15faf64db02484deecee71df
  • Opcode Fuzzy Hash: 7089a9d1a0fbb9add1f757ec2007a6bd3a34fa9fb9f36f07740ec5d78a5932a8
  • Instruction Fuzzy Hash: 4F41F77120439C9EFB138A28EC59FFA7FE9EB09704F1804E4D6C9C71D2C2664A488F61
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 94%
			E010037E0() {
				signed int _v8;
				char _v12;
				void* __ecx;
				void* __esi;
				CHAR* _t11;
				signed int _t16;
				signed int _t22;
				CHAR* _t25;
				signed int _t37;

				_push(_t27);
				if( *0x100ba6c == 0) {
					E0100587C();
				}
				 *0x1009e04 = 0;
				GetModuleFileNameA(0, 0x1009d00, 0x104);
				_t11 =  *0x100ba74;
				 *0x10099cc = 0x1009d00;
				if(_t11 == 0) {
					L4:
					_t25 = 0x1009d00;
				} else {
					_t25 = _t11;
					if( *_t11 == 0) {
						goto L4;
					}
				}
				E01003674(_t25, 0,  &_v12, 0,  &_v8);
				_t43 = _v8 << 2;
				_t16 = E0100545C((_v8 << 2) + _v12);
				_t37 = _t16;
				if(_t37 != 0) {
					E01003674(_t25, _t43 + _t37,  &_v12, _t37,  &_v8);
					 *0x10099b0 = _v8 - 1;
					 *0x10099b4 = _t37;
					_t22 = 0;
				} else {
					_t22 = _t16 | 0xffffffff;
				}
				return _t22;
			}

APIs
  • ___initmbctable.LIBCMT ref: 010037F2
  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ntrights.exe,00000104,765E7800,00000000,00000000,?,?,?,01002E04), ref: 0100380A
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: FileModuleName___initmbctable
  • String ID: C:\Users\user\Desktop\ntrights.exe
  • API String ID: 767393020-3100861066
  • Opcode ID: 33b54adf60202345d2bd7a662c201b403ba7e1906b9a3b7994dc5a05ef9a95be
  • Instruction ID: b9afdb77c05a0f73fe5be04d5784601f2b25428a385f4b041f2a6eafbee8ee42
  • Opcode Fuzzy Hash: 33b54adf60202345d2bd7a662c201b403ba7e1906b9a3b7994dc5a05ef9a95be
  • Instruction Fuzzy Hash: C211AB72A08204AFEB27DB59EC405DE77E8FB55364F10016AE585D72C5EB74AE40CB90
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E01005C25() {
				signed int _t15;
				void* _t17;
				void* _t18;
				intOrPtr* _t20;
				void* _t24;
				signed int _t26;
				void* _t27;
				intOrPtr* _t30;

				_t15 =  *0x100a6c4; // 0x0
				_t26 =  *0x100a6d4; // 0x0
				if(_t15 != _t26) {
					L4:
					_t27 =  *0x100a6c8; // 0x0
					_t30 = _t27 + (_t15 + _t15 * 4) * 4;
					_t17 = HeapAlloc( *0x100b944, 8, 0x41c4);
					 *(_t30 + 0x10) = _t17;
					if(_t17 != 0) {
						_t18 = VirtualAlloc(0, 0x100000, 0x2000, 4);
						 *(_t30 + 0xc) = _t18;
						if(_t18 != 0) {
							 *(_t30 + 8) =  *(_t30 + 8) | 0xffffffff;
							 *_t30 = 0;
							 *((intOrPtr*)(_t30 + 4)) = 0;
							 *0x100a6c4 =  *0x100a6c4 + 1;
							 *( *(_t30 + 0x10)) =  *( *(_t30 + 0x10)) | 0xffffffff;
							_t20 = _t30;
						} else {
							HeapFree( *0x100b944, 0,  *(_t30 + 0x10));
							goto L5;
						}
					} else {
						L5:
						_t20 = 0;
					}
					return _t20;
				} else {
					_t2 = _t26 * 4; // 0x50
					_t24 = HeapReAlloc( *0x100b944, 0,  *0x100a6c8, _t26 + _t2 + 0x50 << 2);
					if(_t24 != 0) {
						 *0x100a6d4 =  *0x100a6d4 + 0x10;
						 *0x100a6c8 = _t24;
						_t15 =  *0x100a6c4; // 0x0
						goto L4;
					} else {
						return 0;
					}
				}
			}

APIs
  • HeapReAlloc.KERNEL32(00000000,00000050,?,01005F37,?,00000000,?), ref: 01005C4C
  • HeapAlloc.KERNEL32(00000008,000041C4,00000000,?,01005F37,?,00000000,?), ref: 01005C85
  • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 01005CA3
  • HeapFree.KERNEL32(00000000,?), ref: 01005CBA
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: AllocHeap$FreeVirtual
  • String ID:
  • API String ID: 3499195154-0
  • Opcode ID: c2d94327f1208acc5085d101c040efca0b74f39e4c8c3b1dcbe80786d9b05fba
  • Instruction ID: fd1c391309493bd9aeab031b8da5465c758968df51695a763a032d073c850671
  • Opcode Fuzzy Hash: c2d94327f1208acc5085d101c040efca0b74f39e4c8c3b1dcbe80786d9b05fba
  • Instruction Fuzzy Hash: 7B11E434300701DFD7738F69ED49E667BB5E798361B104659E1D2C72E8D77AA8428B00
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E01002540(signed int* __edi) {
				void* _t6;
				int _t8;
				signed int* _t10;
				void* _t11;

				_t10 = __edi;
				if( *(_t11 - 0x1c) != 0) {
					_t6 = HeapFree(GetProcessHeap(), 0,  *(_t11 - 0x1c));
					 *(_t11 - 0x1c) =  *(_t11 - 0x1c) & 0x00000000;
				}
				if( *((intOrPtr*)(_t11 - 0x24)) == 0) {
					_t6 =  *_t10;
					if(_t6 != 0) {
						_t8 = HeapFree(GetProcessHeap(), 0, _t6);
						 *_t10 =  *_t10 & 0x00000000;
						return _t8;
					}
				}
				return _t6;
			}

APIs
  • GetProcessHeap.KERNEL32(00000000,?,01002518), ref: 0100254B
  • HeapFree.KERNEL32(00000000), ref: 0100254E
  • GetProcessHeap.KERNEL32(00000000,00000000,01002518), ref: 01002567
  • HeapFree.KERNEL32(00000000), ref: 0100256A
Memory Dump Source
  • Source File: 00000000.00000002.1702000224.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
  • Associated: 00000000.00000002.1701986719.0000000001000000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1702025914.0000000001009000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_1000000_ntrights.jbxd
Similarity
  • API ID: Heap$FreeProcess
  • String ID:
  • API String ID: 3859560861-0
  • Opcode ID: 43d514226a425921d27e0fdab9cd9bce744f9239c2b8a29c78bc89d81a018d9a
  • Instruction ID: b3fad7c8d0dc45a5de0b895e8f72082f4858f9d6be3a432cd09db8814935b7da
  • Opcode Fuzzy Hash: 43d514226a425921d27e0fdab9cd9bce744f9239c2b8a29c78bc89d81a018d9a
  • Instruction Fuzzy Hash: 34E0BF30D44205ABFF629BA5D81D7AE7FF4AB00753F404445E256D50C0C7BD8555CF58
Uniqueness

Uniqueness Score: -1.00%