Create Interactive Tour

Windows Analysis Report
VideoPlayToolSetup.exe

Overview

General Information

Sample Name:	VideoPlayToolSetup.exe
Analysis ID:	651236
MD5:	922064397449569445bc5972b67a09a1
SHA1:	a135d3c6f4c9b513185944304db9415e16ac6b09
SHA256:	9394f8ab0072744045bdfe6f2571211c6b887ace8040424c68de3d46eb083da8
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Found evasive API chain checking for process token information

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Creates a process in suspended mode (likely to inject code)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

VideoPlayToolSetup.exe (PID: 3732 cmdline: "C:\Users\user\Desktop\VideoPlayToolSetup.exe" MD5: 922064397449569445BC5972B67A09A1)

irsetup.exe (PID: 5932 cmdline: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\user\Desktop\VideoPlayToolSetup.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3853321935-2125563209-4053062332-1002 MD5: DEC931E86140139380EA0DF57CD132B6)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: VideoPlayToolSetup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: VideoPlayToolSetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: VideoPlayToolSetup.exe, lua5.1.dll.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: VideoPlayToolSetup.exe, lua5.1.dll.0.dr	String found in binary or memory: http://www.indigorose.com

Source: VideoPlayToolSetup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: VideoPlayToolSetup.exe, 00000000.00000000.252693851.000000000029C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesuf_launch.exeL vs VideoPlayToolSetup.exe
Source: VideoPlayToolSetup.exe	Binary or memory string: OriginalFilenamesuf_launch.exeL vs VideoPlayToolSetup.exe
Source: VideoPlayToolSetup.exe	Binary or memory string: OriginalFilenamesuf_rt.exeL vs VideoPlayToolSetup.exe

Source: VideoPlayToolSetup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: VideoPlayToolSetup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: VideoPlayToolSetup.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irsetup.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irsetup.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irsetup.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: irsetup.exe.0.dr

Static PE information: Section: UPX1 ZLIB complexity 0.992034912109375

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe

File read: C:\Users\user\Desktop\VideoPlayToolSetup.exe

Jump to behavior

Source: VideoPlayToolSetup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\VideoPlayToolSetup.exe "C:\Users\user\Desktop\VideoPlayToolSetup.exe"
Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\user\Desktop\VideoPlayToolSetup.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3853321935-2125563209-4053062332-1002
Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\user\Desktop\VideoPlayToolSetup.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3853321935-2125563209-4053062332-1002	Jump to behavior

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe	Command line argument: /~DBG		0_2_00291000
Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe	Command line argument: @7)		0_2_00293690

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe

File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0

Jump to behavior

Source: classification engine

Classification label: clean5.winEXE@3/2@0/0

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe

Code function: 0_2_0029188B GetCurrentDirectoryA,GetTempPathA,lstrlenA,lstrlenA,lstrcpyA,lstrcpyA,lstrlenA,lstrcatA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,wsprintfA,wsprintfA,DeleteFileA,RemoveDirectoryA,GetFileAttributesA,CreateDirectoryA,CreateDirectoryA,lstrcpyA,SetCurrentDirectoryA,SetCurrentDirectoryA,lstrcpyA,CreateDirectoryA,SetCurrentDirectoryA,lstrcpyA,lstrlenA,lstrcatA,lstrcpyA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,GetDiskFreeSpaceA,lstrcpyA,SetCurrentDirectoryA,

0_2_0029188B

Source: VideoPlayToolSetup.exe

Static file information: File size 12217380 > 1048576

Source: VideoPlayToolSetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: VideoPlayToolSetup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: VideoPlayToolSetup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: VideoPlayToolSetup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: VideoPlayToolSetup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: VideoPlayToolSetup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe

Code function: 0_2_002937E5 push ecx; ret

0_2_002937F8

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe

Code function: 0_2_00291821 lstrcatA,wsprintfA,LoadLibraryA,GetProcAddress,FreeLibrary,

0_2_00291821

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll			Jump to dropped file
Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe			Jump to dropped file

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-3889

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-3012

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Jump to dropped file

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe

Code function: 0_2_00292E14 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00292E14

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe

Code function: 0_2_00291821 lstrcatA,wsprintfA,LoadLibraryA,GetProcAddress,FreeLibrary,

0_2_00291821

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe	Code function: 0_2_00292E14 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00292E14
Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe	Code function: 0_2_0029239A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0029239A
Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe	Code function: 0_2_00293FC8 SetUnhandledExceptionFilter,	0_2_00293FC8

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe

Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\user\Desktop\VideoPlayToolSetup.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3853321935-2125563209-4053062332-1002

Jump to behavior

Source: C:\Users\user\Desktop\VideoPlayToolSetup.exe

Code function: 0_2_0029478C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0029478C

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	11 Process Injection	11 Software Packing	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	3 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
VideoPlayToolSetup.exe	3%	Virustotal		Browse
VideoPlayToolSetup.exe	7%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	3%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	3%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll	2%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.indigorose.com	VideoPlayToolSetup.exe, lua5.1.dll.0.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	651236
Start date and time: 23/06/202217:03:47	2022-06-23 17:03:47 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	VideoPlayToolSetup.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean5.winEXE@3/2@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 92.2%) Quality average: 80.7% Quality standard deviation: 30.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 9 Number of non-executed functions: 8
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.54.113.53
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll	mv1ONlclvs.exe	Get hash	malicious	Browse
	6kGDqA7Nx4.exe	Get hash	malicious	Browse
	#U70b9#U51fb#U6b64#U5904#U5b89#U88c5#U4e2d#U6587#U8bed#U8a00#U5305.exe	Get hash	malicious	Browse
	#U70b9#U51fb#U5b89#U88c5{#U7eb8#U98de#U673a}#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00#U5305.exe	Get hash	malicious	Browse
	#U70b9#U51fb#U5b89#U88c5#U7eb8#U98de#U673a-#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00#U5305 (3).exe	Get hash	malicious	Browse
	http://xmsecu.com:8080/ocx/NewActive.exe	Get hash	malicious	Browse
	hoQEtWhL5Q.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	mv1ONlclvs.exe	Get hash	malicious	Browse
	6kGDqA7Nx4.exe	Get hash	malicious	Browse
	#U70b9#U51fb#U6b64#U5904#U5b89#U88c5#U4e2d#U6587#U8bed#U8a00#U5305.exe	Get hash	malicious	Browse
	#U70b9#U51fb#U5b89#U88c5{#U7eb8#U98de#U673a}#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00#U5305.exe	Get hash	malicious	Browse
	#U70b9#U51fb#U5b89#U88c5#U7eb8#U98de#U673a-#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00#U5305 (3).exe	Get hash	malicious	Browse
	http://xmsecu.com:8080/ocx/NewActive.exe	Get hash	malicious	Browse
	hoQEtWhL5Q.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Download File

Process:	C:\Users\user\Desktop\VideoPlayToolSetup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	1344512
Entropy (8bit):	7.921180289353584
Encrypted:	false
SSDEEP:	24576:8FYGY9+9d/G7P9lkQ/exnzGn4dLsUvqkaT+0BpCCh+PDed:TN26FOnzGn6LJvqkwnpC+m
MD5:	DEC931E86140139380EA0DF57CD132B6
SHA1:	B717FD548382064189C16CB94DDA28B1967A5712
SHA-256:	5FFD4B20DCCFB84C8890ABDB780184A7651E760AEFBA4AB0C6FBA5B2A81F97D9
SHA-512:	14D594E88C4A1F0EC8BC1B4FE2D66E26358F907B1106C047ADA35D500CA9E608F1CE5A57599453CF10F11F4D9F1948CED9056CE8BD944B16ECA7E9B83E8B27AF
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 3%, Browse Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: mv1ONlclvs.exe, Detection: malicious, Browse Filename: 6kGDqA7Nx4.exe, Detection: malicious, Browse Filename: #U70b9#U51fb#U6b64#U5904#U5b89#U88c5#U4e2d#U6587#U8bed#U8a00#U5305.exe, Detection: malicious, Browse Filename: #U70b9#U51fb#U5b89#U88c5{#U7eb8#U98de#U673a}#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00#U5305.exe, Detection: malicious, Browse Filename: #U70b9#U51fb#U5b89#U88c5#U7eb8#U98de#U673a-#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00#U5305 (3).exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: hoQEtWhL5Q.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......wC.33".`3".`3".`\T.`B".`:Z/`2".`.l3`2".`:Z(`#".`(.5`.".`\T.`.".`...`1".`:Z8`.".`3".`.!.`(..`.".`(..`O .`(.1`2".`(.6`2".`Rich3".`........PE..L...+..O......................... (..-<..0(..0<...@...........................<...........@.................................D.<......0<.Dz....................................................................................3.@...................UPX0..... (.............................UPX1.........0(.....................@....rsrc........0<.....................@......................................................................................................................................................................................................................................................................................................................................................................3.05.UPX!....

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Download File

Process:	C:\Users\user\Desktop\VideoPlayToolSetup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	325960
Entropy (8bit):	6.876135679379316
Encrypted:	false
SSDEEP:	6144:ukn2LG5bwf92+0HiDhAqUS0aMkvAvBtAOj+JzOghK:r2x2cdUhZuIBt8xc
MD5:	B5FC476C1BF08D5161346CC7DD4CB0BA
SHA1:	280FAC9CF711D93C95F6B80AC97D89CF5853C096
SHA-256:	12CB9B8F59C00EF40EA8F28BFC59A29F12DC28332BF44B1A5D8D6A8823365650
SHA-512:	17FA97F399287B941E958D2D42FE6ADB62700B01D9DBE0C824604E8E06D903B330F9D7D8FFB109BFB7F6742F46E7E9CEDAD6981F0D94D629B8402D0A0174F697
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: mv1ONlclvs.exe, Detection: malicious, Browse Filename: 6kGDqA7Nx4.exe, Detection: malicious, Browse Filename: #U70b9#U51fb#U6b64#U5904#U5b89#U88c5#U4e2d#U6587#U8bed#U8a00#U5305.exe, Detection: malicious, Browse Filename: #U70b9#U51fb#U5b89#U88c5{#U7eb8#U98de#U673a}#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00#U5305.exe, Detection: malicious, Browse Filename: #U70b9#U51fb#U5b89#U88c5#U7eb8#U98de#U673a-#U7b80#U4f53#U4e2d#U6587#U8bed#U8a00#U5305 (3).exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: hoQEtWhL5Q.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)..H...H...H......H...H...H...0 ..H...01..H...0'.GH...06..H...05..H..Rich.H..................PE..L....O`L...........!.....\|..........X........................................0.......o..........................................(.......................H........!.................................. ...@...............x............................text....z.......\|.................. ..`.rdata...'.......(..................@..@.data...$5..........................@....reloc..r&.......(..................@..B................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.991659999520227
TrID:	Win32 Executable (generic) a (10002005/4) 99.70% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	VideoPlayToolSetup.exe
File size:	12217380
MD5:	922064397449569445bc5972b67a09a1
SHA1:	a135d3c6f4c9b513185944304db9415e16ac6b09
SHA256:	9394f8ab0072744045bdfe6f2571211c6b887ace8040424c68de3d46eb083da8
SHA512:	846fed878d13a5f3f4779a3410b310eaa8b5957b95fee1fbbb9fe0758302ceaeb1adbf38d7039750f221241f5e7501848a2f8dd8003da1e56a5f1d4874719d1f
SSDEEP:	196608:d3F6n80W6uGUEEf9Lcj+P7AD0kJbJK/EW4ugFbyMZU8JJYDBH+rHr0+FOS1WOs/0:1FRE6xf9Lcj+Pb2ZW+Fva8JitwLV1x00
TLSH:	F7C63382FBC3C4B4C55908B88824CB66DB39BDA58795D5F3ABE1797D8DB42D08233346
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2...\...\...\..'....\..'....\.......\...]...\..'....\..'....\..'....\.Rich..\.........PE..L...J..O.................X.........

File Icon


Icon Hash:	7af8eae29290c4e8

Static PE Info

General

Entrypoint:	0x4029e1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x4FDA0E4A [Thu Jun 14 16:16:10 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	1ff847646487d56f85778df99ff3728a

Entrypoint Preview

Instruction
call 00007F22A8BC80DBh
jmp 00007F22A8BC61BEh
mov edi, edi
push esi
push edi
xor esi, esi
mov edi, 0040ABC8h
cmp dword ptr [0040A054h+esi*8], 01h
jne 00007F22A8BC634Fh
lea eax, dword ptr [0040A050h+esi*8]
mov dword ptr [eax], edi
push 00000FA0h
push dword ptr [eax]
add edi, 18h
call dword ptr [004070C0h]
test eax, eax
je 00007F22A8BC633Eh
inc esi
cmp esi, 24h
jl 00007F22A8BC6305h
xor eax, eax
inc eax
pop edi
pop esi
ret
and dword ptr [0040A050h+esi*8], 00000000h
xor eax, eax
jmp 00007F22A8BC6323h
mov edi, edi
push ebx
mov ebx, dword ptr [004070C4h]
push esi
mov esi, 0040A050h
push edi
mov edi, dword ptr [esi]
test edi, edi
je 00007F22A8BC6345h
cmp dword ptr [esi+04h], 01h
je 00007F22A8BC633Fh
push edi
call ebx
push edi
call 00007F22A8BC604Dh
and dword ptr [esi], 00000000h
pop ecx
add esi, 08h
cmp esi, 0040A170h
jl 00007F22A8BC630Eh
mov esi, 0040A050h
pop edi
mov eax, dword ptr [esi]
test eax, eax
je 00007F22A8BC633Bh
cmp dword ptr [esi+04h], 01h
jne 00007F22A8BC6335h
push eax
call ebx
add esi, 08h
cmp esi, 0040A170h
jl 00007F22A8BC6318h
pop esi
pop ebx
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push dword ptr [0040A050h+eax*8]
call dword ptr [004070C8h]
pop ebp
ret
push 0000000Ch
push 004094D0h

Rich Headers

Programming Language:

[ASM] VS2010 SP1 build 40219
[ C ] VS2010 SP1 build 40219
[IMP] VS2008 SP1 build 30729
[C++] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x963c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x6dcc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13000	0x7c8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9390	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x178	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5718	0x5800	False	0.6103959517045454	data	6.459452000665297	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x2e82	0x3000	False	0.3490397135416667	data	4.975333962704712	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1968	0xc00	False	0.23014322916666666	data	2.586625009588695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc000	0x6dcc	0x6e00	False	0.5591264204545454	data	5.8200426377024295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x13000	0x1092	0x1200	False	0.3784722222222222	data	3.7122019142927596	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xc2b0	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc3d8	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc940	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xcda8	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2290912999, next used block 119	English	United States
RT_ICON	0xd090	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15790320, next used block 16054266	English	United States
RT_ICON	0xd938	0x10a8	data	English	United States
RT_ICON	0xe9e0	0x668	data	English	United States
RT_ICON	0xf048	0xea8	data	English	United States
RT_ICON	0xfef0	0x25a8	data	English	United States
RT_GROUP_ICON	0x12498	0x84	data	English	United States
RT_VERSION	0x1251c	0x3e0	data	English	United States
RT_MANIFEST	0x128fc	0x4d0	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	_lclose, GetModuleFileNameA, _lread, _llseek, _lopen, _lwrite, _lcreat, CreateDirectoryA, SetCurrentDirectoryA, lstrcatA, FreeLibrary, GetProcAddress, LoadLibraryA, GetDiskFreeSpaceA, GetFileAttributesA, RemoveDirectoryA, DeleteFileA, lstrlenA, GetCurrentDirectoryA, CloseHandle, GetExitCodeProcess, GetLastError, LocalFree, GetCurrentProcess, MoveFileExA, Sleep, GetStringTypeW, MultiByteToWideChar, LCMapStringW, HeapReAlloc, RtlUnwind, HeapSize, lstrcpyA, GetTempPathA, CompareStringA, IsValidCodePage, GetOEMCP, GetModuleHandleW, ExitProcess, DecodePointer, HeapFree, HeapAlloc, GetCommandLineA, HeapSetInformation, GetStartupInfoW, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, EncodePointer, LoadLibraryW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, WriteFile, GetStdHandle, GetModuleFileNameW, IsProcessorFeaturePresent, HeapCreate, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP
USER32.dll	TranslateMessage, DispatchMessageA, PeekMessageA, wsprintfA, LoadCursorA, SetCursor, MessageBoxA, MsgWaitForMultipleObjects
ADVAPI32.dll	GetTokenInformation, OpenProcessToken
SHELL32.dll	ShellExecuteExA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

Click to jump to process

Memory Usage

• VideoPlayToolSetup.exe
• irsetup.exe

Click to jump to process

Behavior

• VideoPlayToolSetup.exe
• irsetup.exe

Click to jump to process

System Behavior

Analysis Process: VideoPlayToolSetup.exePID: 3732, Parent PID: 2872

Function Logs

General

Target ID:	0
Start time:	17:04:58
Start date:	23/06/2022
Path:	C:\Users\user\Desktop\VideoPlayToolSetup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VideoPlayToolSetup.exe"
Imagebase:	0x290000
File size:	12217380 bytes
MD5 hash:	922064397449569445BC5972B67A09A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Attributes Queried

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Allocated

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: irsetup.exePID: 5932, Parent PID: 3732

Function Logs

General

Target ID:	2
Start time:	17:05:03
Start date:	23/06/2022
Path:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\user\Desktop\VideoPlayToolSetup.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3853321935-2125563209-4053062332-1002
Imagebase:	0x10e0000
File size:	1344512 bytes
MD5 hash:	DEC931E86140139380EA0DF57CD132B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, Virustotal, Browse Detection: 3%, Metadefender, Browse Detection: 4%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: VideoPlayToolSetup.exePID: 3732, Parent PID: 2872COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	17.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.5%
Total number of Nodes:	1130
Total number of Limit Nodes:	59

Executed Functions

Function 0029188B Relevance: 68.5, APIs: 30, Strings: 9, Instructions: 213
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0029188B(CHAR* __ecx) {
				signed int _v8;
				char _v266;
				char _v267;
				char _v268;
				char _v528;
				char _v788;
				char _v1048;
				char _v1049;
				char _v1050;
				char _v1051;
				char _v1052;
				signed int _v1056;
				CHAR* _v1060;
				signed int _v1064;
				long _v1068;
				intOrPtr _v1072;
				long _v1076;
				long _v1080;
				long _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t77;
				int _t85;
				long _t99;
				int _t112;
				int _t114;
				int _t135;
				signed int _t142;
				signed int _t143;
				CHAR* _t160;
				void* _t161;
				CHAR* _t169;
				void* _t170;
				CHAR* _t172;
				intOrPtr _t174;
				CHAR* _t177;
				signed int _t178;
				void* _t179;
				void* _t180;
				signed int _t189;

				_t77 =  *0x29a020; // 0x72e8023b
				_v8 = _t77 ^ _t178;
				_v1056 = _v1056 & 0x00000000;
				_t169 = __ecx;
				_v1060 = __ecx;
				GetCurrentDirectoryA(0x104,  &_v1048);
				E00292320( &_v268, 0, 0x104);
				_t180 = _t179 + 0xc;
				GetTempPathA(0x104,  &_v268);
				_t172 = _t169 + 0x1008;
				_t85 = lstrlenA(_t172);
				_t170 = lstrcpyA;
				if(_t85 > 2 && E00291747(_t172) != 0) {
					lstrcpyA( &_v268, _t172);
				}
				_t174 =  &_v268 - 1;
				_v1072 = _t174;
				if( *((char*)(lstrlenA( &_v268) + _t174)) != 0x5c) {
					lstrcatA( &_v268, "\\");
				}
				_v1064 = _v1064 & 0x00000000;
				wsprintfA( &_v528, "%s%s_%d",  &_v268, "_ir_sf_temp", 0);
				wsprintfA( &_v788, "%s\\irsetup.exe",  &_v528);
				while(1) {
					_t180 = _t180 + 0x20;
					DeleteFileA( &_v788); // executed
					RemoveDirectoryA( &_v528); // executed
					_t99 = GetFileAttributesA( &_v528); // executed
					if(_t99 == 0xffffffff) {
						break;
					}
					_v1064 = _v1064 + 1;
					wsprintfA( &_v528, "%s%s_%d",  &_v268, "_ir_sf_temp", _v1064);
					wsprintfA( &_v788, "%s\\irsetup.exe",  &_v528);
				}
				CreateDirectoryA( &_v528, 0); // executed
				lstrcpyA( &_v268,  &_v528);
				_t112 = SetCurrentDirectoryA( &_v268); // executed
				if(_t112 == 0) {
					lstrcpyA( &_v268, "c:\\temp");
					CreateDirectoryA( &_v268, 0);
				}
				_t114 = SetCurrentDirectoryA( &_v268);
				_t177 = _v1060;
				if(_t114 == 0) {
					lstrcpyA( &(_t177[8]), "Could not determine a temp directory name.  Try running setup.exe /T:<Path>");
					_v1056 = 0x38;
				}
				if( *((char*)(lstrlenA( &_v268) + _v1072)) != 0x5c) {
					lstrcatA( &_v268, "\\");
				}
				_t160 =  &(_t177[0x1224]);
				lstrcpyA(_t160,  &_v268);
				lstrcpyA( &(_t177[0x1328]),  &_v268);
				_t161 = lstrcatA;
				lstrcatA(_t160, "irsetup.exe");
				lstrcpyA( &(_t177[0x142c]),  &_v268);
				lstrcatA( &(_t177[0x142c]), "lua5.1.dll");
				_v1052 = _v268;
				_v1051 = _v267;
				_v1050 = _v266;
				_v1049 = 0;
				_t135 = GetDiskFreeSpaceA( &_v1052,  &_v1080,  &_v1068,  &_v1076,  &_v1084); // executed
				if(_t135 == 0) {
					L18:
					lstrcpyA(_t177, "You must have at least 2MB of free space on your TEMP drive!");
					_v1056 = 0x39;
				} else {
					_t142 = _v1080 * _v1068;
					_t168 = _t142 * _v1076 >> 0x20;
					_t143 = _t142 * _v1076;
					_t189 = _t142 * _v1076 >> 0x20;
					if(_t189 <= 0 && (_t189 < 0 || _t143 < 0x1e8480)) {
						goto L18;
					}
				}
				SetCurrentDirectoryA( &_v1048); // executed
				return E0029239A(_v1056, _t161, _v8 ^ _t178, _t168, _t170, _t177);
			}

0x00291894
0x0029189b
0x0029189e
0x002918af
0x002918b7
0x002918bd
0x002918cd
0x002918d2
0x002918dd
0x002918e9
0x002918f0
0x002918f2
0x002918fb
0x00291915
0x00291915
0x00291923
0x00291925
0x00291931
0x0029193f
0x0029193f
0x0029194b
0x0029196c
0x00291981
0x002919c6
0x002919c6
0x002919d0
0x002919d9
0x002919e6
0x002919ef
0x00000000
0x00000000
0x0029198b
0x002919af
0x002919c4
0x002919c4
0x00291a00
0x00291a10
0x00291a1f
0x00291a23
0x00291a31
0x00291a3c
0x00291a3c
0x00291a45
0x00291a47
0x00291a4f
0x00291a5a
0x00291a5c
0x00291a5c
0x00291a7d
0x00291a8b
0x00291a8b
0x00291a98
0x00291a9f
0x00291aaf
0x00291ab7
0x00291abd
0x00291acd
0x00291adb
0x00291ae3
0x00291aef
0x00291afb
0x00291b24
0x00291b2b
0x00291b33
0x00291b55
0x00291b5e
0x00291b60
0x00291b35
0x00291b3b
0x00291b42
0x00291b42
0x00291b48
0x00291b4a
0x00000000
0x00000000
0x00291b4a
0x00291b71
0x00291b8b

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,?,00000000), ref: 002918BD
GetTempPathA.KERNEL32(00000104,?), ref: 002918DD
lstrlenA.KERNEL32(?), ref: 002918F0
lstrcpyA.KERNEL32(?,?,?), ref: 00291915
lstrlenA.KERNEL32(?), ref: 0029192B
lstrcatA.KERNEL32(?,00297380), ref: 0029193F
wsprintfA.USER32 ref: 0029196C
wsprintfA.USER32 ref: 00291981
wsprintfA.USER32 ref: 002919AF
wsprintfA.USER32 ref: 002919C4
DeleteFileA.KERNELBASE(?), ref: 002919D0
RemoveDirectoryA.KERNELBASE(?), ref: 002919D9
GetFileAttributesA.KERNELBASE(?), ref: 002919E6
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00291A00
lstrcpyA.KERNEL32(?,?), ref: 00291A10
SetCurrentDirectoryA.KERNELBASE(?), ref: 00291A1F
lstrcpyA.KERNEL32(?,c:\temp), ref: 00291A31
CreateDirectoryA.KERNEL32(?,00000000), ref: 00291A3C
SetCurrentDirectoryA.KERNEL32(?), ref: 00291A45
lstrcpyA.KERNEL32(?,Could not determine a temp directory name. Try running setup.exe /T:<Path>), ref: 00291A5A
lstrlenA.KERNEL32(?), ref: 00291A6D
lstrcatA.KERNEL32(?,00297380), ref: 00291A8B
lstrcpyA.KERNEL32(?,?), ref: 00291A9F
lstrcpyA.KERNEL32(?,?), ref: 00291AAF

Part of subcall function 00291747: lstrlenA.KERNEL32(00291909,76CC8170,?,76C86980), ref: 00291771
Part of subcall function 00291747: lstrcatA.KERNEL32(00291909,00297380), ref: 00291780
Part of subcall function 00291747: lstrlenA.KERNEL32(00291909), ref: 00291787
Part of subcall function 00291747: SetCurrentDirectoryA.KERNEL32(?), ref: 002917DF
Part of subcall function 00291747: CreateDirectoryA.KERNEL32(?,00000000), ref: 002917F1

lstrcatA.KERNEL32(?,irsetup.exe), ref: 00291ABD
lstrcpyA.KERNEL32(?,?), ref: 00291ACD
lstrcatA.KERNEL32(?,lua5.1.dll), ref: 00291ADB
GetDiskFreeSpaceA.KERNELBASE(?,?,?,?,?), ref: 00291B2B
lstrcpyA.KERNEL32(?,You must have at least 2MB of free space on your TEMP drive!), ref: 00291B5E
SetCurrentDirectoryA.KERNELBASE(?), ref: 00291B71

Strings

Could not determine a temp directory name. Try running setup.exe /T:<Path>, xrefs: 00291A51
You must have at least 2MB of free space on your TEMP drive!, xrefs: 00291B55
_ir_sf_temp, xrefs: 00291954, 0029199D
%s%s_%d, xrefs: 00291966, 002919A9
9, xrefs: 00291B60
lua5.1.dll, xrefs: 00291ACF
c:\temp, xrefs: 00291A25
irsetup.exe, xrefs: 00291AB1
%s\irsetup.exe, xrefs: 0029197B, 002919BE

Memory Dump Source

Source File: 00000000.00000002.522230184.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.522226739.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522235133.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522269248.000000000029A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522277764.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_VideoPlayToolSetup.jbxd

Similarity

API ID: Directory$lstrcpy$Currentlstrcatlstrlen$wsprintf$Create$File$AttributesDeleteDiskFreePathRemoveSpaceTemp
String ID: %s%s_%d$%s\irsetup.exe$9$Could not determine a temp directory name. Try running setup.exe /T:<Path>$You must have at least 2MB of free space on your TEMP drive!$_ir_sf_temp$c:\temp$irsetup.exe$lua5.1.dll
API String ID: 597744483-2787291893
Opcode ID: 6511bc144eb1f8ac423ff5c6938dc9e0a7731e826ddebcc853b18113b1fea756
Instruction ID: 736208be88aeb170f3537229b6aeea405fec45e0b638886aedeba5f292ca98d3
Opcode Fuzzy Hash: 6511bc144eb1f8ac423ff5c6938dc9e0a7731e826ddebcc853b18113b1fea756
Instruction Fuzzy Hash: E38124B691421D9ACF21DB61DC84FDAB7BCAF19300F4044D6E649E3141DA74ABD8CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00291000 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 127
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E00291000(void* __edx, void* __eflags, CHAR* _a12) {
				signed int _v8;
				char _v265;
				char _v266;
				intOrPtr _v267;
				char _v268;
				intOrPtr _v1356;
				int _v1360;
				char _v1620;
				char _v3668;
				char _v5716;
				char _v5724;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t28;
				intOrPtr _t45;
				int _t49;
				intOrPtr _t50;
				int _t52;
				void* _t62;
				void* _t68;
				CHAR* _t69;
				signed int _t70;
				signed int _t75;
				void* _t76;
				void* _t77;
				void* _t78;
				void* _t81;
				void* _t90;

				_t68 = __edx;
				E002923B0(0x1658);
				_t28 =  *0x29a020; // 0x72e8023b
				_v8 = _t28 ^ _t75;
				_t69 = _a12;
				 *0x29ab80 = 0;
				SetCursor(LoadCursorA(0, 0x7f02));
				E002911A3( &_v5724);
				E00292320( &_v3668, 0, 0x800);
				_t62 = lstrlenA;
				_t77 = _t76 + 0xc;
				if(lstrlenA(_t69) < 0x800) {
					lstrcpyA( &_v3668, _t69);
				}
				_t70 = 0;
				_v1360 = 0;
				E00292320( &_v1620, 0, 0x104);
				_t78 = _t77 + 0xc;
				_t81 =  *0x29ab88 - _t70; // 0x1
				if(_t81 <= 0) {
					L18:
					_t21 = E00291F7A( &_v5724, _t68, _t90) - 0x32; // -50
					if(_t21 <= 0x31 && _v1356 == 0) {
						MessageBoxA(0,  &_v5716, "Launcher Error", 0x10);
					}
					E00291205( &_v5724);
					return E0029239A(_t72, _t62, _v8 ^ _t75, _t68, _t70, _t72);
				} else {
					do {
						_t45 =  *0x29ab8c; // 0x2311828
						lstrcpyA( &_v268,  *(_t45 + _t70 * 4));
						if(_v268 != 0x2f) {
							goto L15;
						}
						_t50 = _v267;
						if(_t50 == 0x54) {
							L11:
							_t52 = lstrlenA( &_v268);
							__eflags = _t52 - 3;
							if(__eflags > 0) {
								__eflags = _v266 - 0x3a;
								if(__eflags == 0) {
									__eflags = _t52 - 3;
									if(__eflags > 0) {
										__eflags = _t52 + 0xfffffffd;
										E002923E0( &_v1620,  &_v265, _t52 + 0xfffffffd);
										_t78 = _t78 + 0xc;
									}
								}
							}
							goto L15;
						}
						if(_t50 == 0x57) {
							L9:
							if(lstrlenA( &_v268) == 2) {
								_v1360 = 1;
							}
							goto L15;
						}
						if(_t50 == 0x74) {
							goto L11;
						}
						if(_t50 != 0x77) {
							goto L15;
						}
						goto L9;
						L15:
						_t49 = CompareStringA(0x7f, 1,  &_v268, 0xffffffff, "/~DBG", 0xffffffff); // executed
						if(_t49 == 2) {
							 *0x29ab80 = 1;
						}
						_t70 = _t70 + 1;
						_t90 = _t70 -  *0x29ab88; // 0x1
					} while (_t90 < 0);
					goto L18;
				}
			}

0x00291000
0x00291008
0x0029100d
0x00291014
0x0029101a
0x00291025
0x00291032
0x0029103e
0x00291051
0x00291056
0x0029105c
0x00291064
0x0029106e
0x0029106e
0x00291074
0x00291083
0x00291089
0x0029108e
0x00291091
0x00291097
0x00291151
0x0029115e
0x00291164
0x0029117f
0x0029117f
0x0029118b
0x002911a0
0x0029109d
0x002910a0
0x002910a0
0x002910af
0x002910bc
0x00000000
0x00000000
0x002910be
0x002910c6
0x002910ea
0x002910f1
0x002910f3
0x002910f6
0x002910f8
0x002910ff
0x00291101
0x00291104
0x00291106
0x00291118
0x0029111d
0x0029111d
0x00291104
0x002910ff
0x00000000
0x002910f6
0x002910ca
0x002910d4
0x002910e0
0x002910e2
0x002910e2
0x00000000
0x002910e0
0x002910ce
0x00000000
0x00000000
0x002910d2
0x00000000
0x00000000
0x00000000
0x00291120
0x00291133
0x0029113c
0x0029113e
0x0029113e
0x00291144
0x00291145
0x00291145
0x00000000
0x002910a0

APIs

LoadCursorA.USER32 ref: 0029102B
SetCursor.USER32(00000000), ref: 00291032
lstrlenA.KERNEL32(?), ref: 00291060
lstrcpyA.KERNEL32(?,?), ref: 0029106E
lstrcpyA.KERNEL32(?,02311828), ref: 002910AF
lstrlenA.KERNEL32(0000002F), ref: 002910DB
lstrlenA.KERNEL32(0000002F), ref: 002910F1
_memmove.LIBCMT ref: 00291118
CompareStringA.KERNELBASE(0000007F,00000001,0000002F,000000FF,/~DBG,000000FF), ref: 00291133
MessageBoxA.USER32 ref: 0029117F

Strings

/, xrefs: 002910B5
/~DBG, xrefs: 00291122
:, xrefs: 002910F8
Launcher Error, xrefs: 00291171

Memory Dump Source

Source File: 00000000.00000002.522230184.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.522226739.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522235133.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522269248.000000000029A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522277764.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_VideoPlayToolSetup.jbxd

Similarity

API ID: lstrlen$Cursorlstrcpy$CompareLoadMessageString_memmove
String ID: /$/~DBG$:$Launcher Error
API String ID: 1772744953-896055402
Opcode ID: 790b9d772b6144480c6d60ce22cd0a02b80cf25f9745d799a0238e820ac147aa
Instruction ID: cee3f1151d00680e71ac330e5826fdc05d0dc71e2d110e99caa93e4a26cbde7d
Opcode Fuzzy Hash: 790b9d772b6144480c6d60ce22cd0a02b80cf25f9745d799a0238e820ac147aa
Instruction Fuzzy Hash: F041D07182421AABCF209FA9EC88AEE777DAB15314F0005A6E149E2191D7709EE58F91

Uniqueness

Uniqueness Score: -1.00%

Function 00291B8C Relevance: 72.0, APIs: 32, Strings: 9, Instructions: 270
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00291B8C(CHAR* __ecx, void* __edx) {
				signed int _v8;
				char _v300;
				struct HWND__* _v304;
				void* _v308;
				void* _v312;
				long _v316;
				struct _SHELLEXECUTEINFOA _v376;
				struct tagMSG _v404;
				void* _v416;
				char _v420;
				struct HWND__* _v436;
				short _v438;
				struct HWND__* _v444;
				struct HWND__* _v480;
				void* _v484;
				char _v488;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t90;
				int _t103;
				int _t138;
				struct HWND__* _t141;
				void* _t158;
				int _t159;
				CHAR* _t172;
				void* _t181;
				intOrPtr _t183;
				void* _t184;
				CHAR* _t186;
				void* _t188;
				long _t189;
				signed int _t192;
				void* _t193;
				void* _t194;
				void* _t197;
				intOrPtr _t205;

				_t181 = __edx;
				_t90 =  *0x29a020; // 0x72e8023b
				_v8 = _t90 ^ _t192;
				_t172 = __ecx;
				_v488 = 0;
				E00292320( &_v484, 0, 0x40);
				_v420 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t183 = 0x44;
				E00292320( &_v488, 0, _t183);
				E00292320( &_v420, 0, 0x10);
				_push(_t172[0x153c]);
				_v438 = 0;
				_v488 = _t183;
				_t184 = wsprintfA;
				_v484 = 0;
				_v436 = 0;
				_v480 = 0;
				_v444 = 0;
				wsprintfA( &_v300, "__IRAOFF:%I64u", _t172[0x1538]);
				_t194 = _t193 + 0x34;
				_t103 = lstrlenA( &(_t172[0x808]));
				_t188 = lstrcatA;
				if(_t103 != 0) {
					lstrcatA( &(_t172[0x808]), " ");
				}
				lstrcatA( &(_t172[0x808]),  &_v300);
				wsprintfA( &_v300, "\"__IRAFN:%s\"",  &(_t172[0x1120]));
				lstrcatA( &(_t172[0x808]), " ");
				lstrcatA( &(_t172[0x808]),  &_v300);
				wsprintfA( &_v300, "\"__IRCT:%d\"", _t172[0x1114] & 0x000000ff);
				lstrcatA( &(_t172[0x808]), " ");
				lstrcatA( &(_t172[0x808]),  &_v300);
				_push(_t172[0x111c]);
				wsprintfA( &_v300, "\"__IRTSS:%I64u\"", _t172[0x1118]);
				_t197 = _t194 + 0x28;
				lstrcatA( &(_t172[0x808]), " ");
				lstrcatA( &(_t172[0x808]),  &_v300);
				_v308 = _v308 & 0x00000000;
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v308) != 0) {
					_v316 = _v316 & 0x00000000;
					_t158 = E002927AC(_t181, _t184, _t188, 0x4000);
					_v312 = _t158;
					if(_t158 != 0) {
						_t159 = GetTokenInformation(_v308, 1, _t158, 0x4000,  &_v316); // executed
						if(_t159 != 0) {
							_v304 = _v304 & 0x00000000;
							if(E00291821( *_v312,  &_v304) != 0 && _v304 != 0) {
								wsprintfA( &_v300, "\"__IRSID:%s\"", _v304);
								_t197 = _t197 + 0xc;
								_t186 =  &(_t172[0x808]);
								lstrcatA(_t186, " ");
								lstrcatA(_t186,  &_v300);
								LocalFree(_v304);
							}
							E00292772(_v312);
						}
					}
				}
				_t205 =  *0x29ab80; // 0x0
				if(_t205 != 0) {
					MessageBoxA(0,  &(_t172[0x808]),  &(_t172[0x1224]), 0);
				}
				_t189 = 0x3c;
				E00292320( &_v376, 0, _t189);
				_v376.lpFile =  &(_t172[0x1224]);
				_v376.cbSize = _t189;
				_v376.lpParameters =  &(_t172[0x808]);
				_v376.fMask = 0x40;
				_v376.hwnd = 0;
				_v376.lpVerb = "open";
				_v376.lpDirectory = 0;
				_v376.nShow = 1;
				_v376.hInstApp = 0;
				_t138 = ShellExecuteExA( &_v376); // executed
				if(_t138 != 0) {
					if(_t172[0x110c] == 0) {
						L22:
						GetExitCodeProcess(_v376.hProcess,  &(_t172[0x1548]));
						_t141 = _t172[0x1548];
						_v304 = _t141;
						_t172[0x1110] = 1;
						if(_t141 == 0x103 && _t172[0x110c] == 0) {
							_v304 = 0;
						}
						CloseHandle(_v376.hProcess);
						goto L26;
					}
					while(MsgWaitForMultipleObjects(1,  &(_v376.hProcess), 0, 0xffffffff, 0xff) == 1) {
						while(PeekMessageA( &_v404, 0, 0, 0, 1) > 0) {
							if(_v404.message == 0xf || _v404.message == 0x200) {
								TranslateMessage( &_v404);
								DispatchMessageA( &_v404);
							}
						}
					}
					goto L22;
				} else {
					if(GetLastError() == 0x4c7) {
						_v304 = 5;
					} else {
						lstrcpyA(_t172, "Could not start the setup");
						_v304 = 0x37;
					}
					L26:
					return E0029239A(_v304, _t172, _v8 ^ _t192, _t181, 0, 1);
				}
			}

0x00291b8c
0x00291b95
0x00291b9c
0x00291bae
0x00291bb0
0x00291bb6
0x00291bbd
0x00291bc9
0x00291bca
0x00291bcd
0x00291bce
0x00291bd8
0x00291be7
0x00291bec
0x00291bfa
0x00291c07
0x00291c0d
0x00291c19
0x00291c1f
0x00291c25
0x00291c2b
0x00291c31
0x00291c33
0x00291c3d
0x00291c43
0x00291c4b
0x00291c59
0x00291c59
0x00291c69
0x00291c7e
0x00291c8f
0x00291c9f
0x00291cb5
0x00291cc6
0x00291cd6
0x00291cd8
0x00291cf0
0x00291cf2
0x00291d01
0x00291d11
0x00291d13
0x00291d32
0x00291d38
0x00291d44
0x00291d4a
0x00291d52
0x00291d6d
0x00291d75
0x00291d77
0x00291d96
0x00291db3
0x00291db5
0x00291dbd
0x00291dc4
0x00291dce
0x00291dd6
0x00291dd6
0x00291de2
0x00291de7
0x00291d75
0x00291d52
0x00291dea
0x00291df0
0x00291e02
0x00291e02
0x00291e0a
0x00291e15
0x00291e20
0x00291e26
0x00291e32
0x00291e47
0x00291e51
0x00291e57
0x00291e61
0x00291e67
0x00291e6d
0x00291e73
0x00291e7b
0x00291ebd
0x00291f1f
0x00291f2c
0x00291f32
0x00291f38
0x00291f3e
0x00291f49
0x00291f53
0x00291f53
0x00291f5f
0x00000000
0x00291f5f
0x00291f05
0x00291ef0
0x00291ec8
0x00291edd
0x00291eea
0x00291eea
0x00291ec8
0x00291ef0
0x00000000
0x00291e7d
0x00291e88
0x00291ea8
0x00291e8a
0x00291e93
0x00291e99
0x00291e99
0x00291f65
0x00291f79
0x00291f79

APIs

wsprintfA.USER32 ref: 00291C31
lstrlenA.KERNEL32(?), ref: 00291C3D
lstrcatA.KERNEL32(?,002974E0), ref: 00291C59
lstrcatA.KERNEL32(?,?), ref: 00291C69
wsprintfA.USER32 ref: 00291C7E
lstrcatA.KERNEL32(?,002974E0), ref: 00291C8F
lstrcatA.KERNEL32(?,?), ref: 00291C9F
wsprintfA.USER32 ref: 00291CB5
lstrcatA.KERNEL32(?,002974E0), ref: 00291CC6
lstrcatA.KERNEL32(?,?), ref: 00291CD6
wsprintfA.USER32 ref: 00291CF0
lstrcatA.KERNEL32(?,002974E0), ref: 00291D01
lstrcatA.KERNEL32(?,?), ref: 00291D11
GetCurrentProcess.KERNEL32(00000008,00000000), ref: 00291D23
OpenProcessToken.ADVAPI32(00000000), ref: 00291D2A
_malloc.LIBCMT ref: 00291D44
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00004000,00000000), ref: 00291D6D
wsprintfA.USER32 ref: 00291DB3
lstrcatA.KERNEL32(?,002974E0), ref: 00291DC4
lstrcatA.KERNEL32(?,?), ref: 00291DCE
LocalFree.KERNEL32(00000000), ref: 00291DD6
_free.LIBCMT ref: 00291DE2

Part of subcall function 00292772: RtlFreeHeap.NTDLL(00000000,00000000,?,00293178,00000000), ref: 00292788
Part of subcall function 00292772: GetLastError.KERNEL32(00000000,?,00293178,00000000), ref: 0029279A

MessageBoxA.USER32 ref: 00291E02
ShellExecuteExA.SHELL32(?), ref: 00291E73
GetLastError.KERNEL32 ref: 00291E7D
lstrcpyA.KERNEL32(?,Could not start the setup), ref: 00291E93

Strings

Could not start the setup, xrefs: 00291E8A
"__IRCT:%d", xrefs: 00291CAF
"__IRSID:%s", xrefs: 00291DAD
open, xrefs: 00291E57
__IRAOFF:%I64u, xrefs: 00291C13
@, xrefs: 00291E47
7, xrefs: 00291E99
"__IRTSS:%I64u", xrefs: 00291CEA
"__IRAFN:%s", xrefs: 00291C78

Memory Dump Source

Source File: 00000000.00000002.522230184.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.522226739.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522235133.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522269248.000000000029A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522277764.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_VideoPlayToolSetup.jbxd

Similarity

API ID: lstrcat$wsprintf$ErrorFreeLastProcessToken$CurrentExecuteHeapInformationLocalMessageOpenShell_free_malloclstrcpylstrlen
String ID: "__IRAFN:%s"$"__IRCT:%d"$"__IRSID:%s"$"__IRTSS:%I64u"$7$@$Could not start the setup$__IRAOFF:%I64u$open
API String ID: 2145089835-2339310841
Opcode ID: 05e17f9ddc5666dccbbb845f61c690a6af83f8c9a2f5e9156761bd1690305472
Instruction ID: f8b06e035428f2303bce4df5fa3913f85353e5289e28d5484820566fbee04e81
Opcode Fuzzy Hash: 05e17f9ddc5666dccbbb845f61c690a6af83f8c9a2f5e9156761bd1690305472
Instruction Fuzzy Hash: 20B14171920229ABCF219F65DC48BDA7BBCFF09710F0400E6E949E6151DB749AA4CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00291233 Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 184
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00291233(void* __ecx) {
				void _v5;
				int _v12;
				long _v16;
				void* __edi;
				void* __esi;
				int _t81;
				void* _t82;
				int _t87;
				int _t91;
				int _t103;
				intOrPtr* _t104;
				void* _t107;
				void* _t108;
				void* _t113;
				long _t114;
				void* _t115;
				void* _t116;
				void* _t118;

				_t118 = __ecx;
				_t117 = 0;
				_v12 = 0;
				_v16 = 0x7d00;
				_t81 = _lopen(__ecx + 0x1120, 0); // executed
				_t103 = _t81;
				 *(_t118 + 0x1530) = _t103;
				if(_t103 != 0xffffffff) {
					_t82 = E002927AC(_t115, 0, _t118, 0x1f400); // executed
					_t117 = _t82;
					if(_t117 != 0) {
						_t104 = _llseek; // executed
						_llseek(_t103, 0x7d00, 0); // executed
						while(_v16 < 0xa00000) {
							_t87 = _lread( *(_t118 + 0x1530), _t117, 0x1f400); // executed
							_t113 = 0;
							if(_t87 == 0) {
								L25:
								_v16 = _v16 + _t87;
								continue;
							} else {
								goto L7;
							}
							while(1) {
								L7:
								_t9 = _t113 + 0xf; // 0xf
								_t116 = _t9;
								if( *((char*)(_t117 + _t116 - 0xf)) == 0xe0 && _t116 < _t87 &&  *((char*)(_t113 + _t117 + 1)) == 0xe0 &&  *((char*)(_t113 + _t117 + 2)) == 0xe1 &&  *((char*)(_t113 + _t117 + 3)) == 0xe1 &&  *((char*)(_t113 + _t117 + 4)) == 0xe2 &&  *((char*)(_t113 + _t117 + 5)) == 0xe2 &&  *((char*)(_t113 + _t117 + 6)) == 0xe3 &&  *((char*)(_t113 + _t117 + 7)) == 0xe3 &&  *((char*)(_t113 + _t117 + 8)) == 0xe4 &&  *((char*)(_t113 + _t117 + 9)) == 0xe4 &&  *((char*)(_t113 + _t117 + 0xa)) == 0xe5 &&  *((char*)(_t113 + _t117 + 0xb)) == 0xe5 &&  *((char*)(_t113 + _t117 + 0xc)) == 0xe6 &&  *((char*)(_t113 + _t117 + 0xd)) == 0xe6 &&  *((char*)(_t113 + _t117 + 0xe)) == 0xe7 &&  *((char*)(_t113 + _t117 + 0xf)) == 0xe7) {
									break;
								}
								_t113 = _t113 + 1;
								if(_t113 < _t87) {
									continue;
								}
								goto L25;
							}
							 *(_t118 + 0x153c) =  *(_t118 + 0x153c) & 0x00000000;
							_t48 = _t113 + 0x10; // 0xa00010
							_t114 = _v16 + _t48;
							 *(_t118 + 0x1538) = _t114;
							_v5 = 0;
							 *_t104( *(_t118 + 0x1530), _t114, 0); // executed
							_t91 = _lread( *(_t118 + 0x1530),  &_v5, 1); // executed
							if(_t91 == 1) {
								 *(_t118 + 0x1538) =  *(_t118 + 0x1538) + 1;
								asm("adc dword [esi+0x153c], 0x0");
								if(_v5 == 0) {
									 *((intOrPtr*)(_t118 + 0x110c)) = 1;
								}
								_t107 = _t118 + 0x1114;
								 *_t107 = 0; // executed
								_llseek( *(_t118 + 0x1530),  *(_t118 + 0x1538), 0); // executed
								if(_lread( *(_t118 + 0x1530), _t107, 1) == 1) {
									 *(_t118 + 0x1538) =  *(_t118 + 0x1538) + 1;
									_t108 = _t118 + 0x1118;
									asm("adc dword [esi+0x153c], 0x0");
									 *_t108 = 0;
									 *((intOrPtr*)(_t108 + 4)) = 0;
									_llseek( *(_t118 + 0x1530),  *(_t118 + 0x1538), 0); // executed
									if(_lread( *(_t118 + 0x1530), _t108, 8) == 8) {
										 *(_t118 + 0x1538) =  *(_t118 + 0x1538) + 8;
										asm("adc dword [esi+0x153c], 0x0");
										_llseek( *(_t118 + 0x1530),  *(_t118 + 0x1538), 0); // executed
										if(_lread( *(_t118 + 0x1530), _t118 + 0x1540, 8) == 8) {
											 *(_t118 + 0x1538) =  *(_t118 + 0x1538) + 8;
											asm("adc dword [esi+0x153c], 0x0");
										} else {
											lstrcpyA(_t118 + 8, "Could not find setup size");
											_v12 = 0x35;
										}
										goto L39;
									}
									_push("Could not find total size indicator");
									goto L29;
								} else {
									_push("Could not find compression type indicator");
									L29:
									lstrcpyA(_t118 + 8, ??);
									_v12 = 0x34;
									L39:
									E00292772(_t117);
									return _v12;
								}
							}
							_push("Could not find multi-segment indicator");
							goto L29;
						}
						_push("Could not find data segment");
						goto L29;
					}
					lstrcpyA(_t118 + 8, "Unable to allocate memory buffer");
					_v12 = 0x33;
					goto L39;
				}
				lstrcpyA(_t118 + 8, "Unable to open archive file");
				_v12 = 0x32;
				goto L39;
			}

0x0029123c
0x0029123e
0x00291248
0x0029124b
0x00291252
0x00291258
0x0029125a
0x00291263
0x00291285
0x0029128a
0x0029128f
0x002912b4
0x002912ba
0x002912bc
0x002912d5
0x002912db
0x002912df
0x0029135d
0x0029135d
0x00000000
0x00000000
0x00000000
0x00000000
0x002912e1
0x002912e1
0x002912e1
0x002912e1
0x002912e9
0x00000000
0x00000000
0x00291358
0x0029135b
0x00000000
0x00000000
0x00000000
0x0029135b
0x00291368
0x0029136f
0x0029136f
0x0029137c
0x00291382
0x00291386
0x00291396
0x0029139e
0x002913c2
0x002913c8
0x002913d3
0x002913d5
0x002913d5
0x002913e3
0x002913ef
0x002913f2
0x0029140a
0x00291413
0x0029141a
0x00291420
0x00291430
0x00291438
0x0029143b
0x00291455
0x00291461
0x0029146a
0x0029147d
0x00291497
0x002914b1
0x002914b8
0x00291499
0x002914a2
0x002914a8
0x002914a8
0x00000000
0x00291497
0x00291457
0x00000000
0x0029140c
0x0029140c
0x002913ac
0x002913b0
0x002913b6
0x002914bf
0x002914c0
0x002914cd
0x002914cd
0x0029140a
0x002913a0
0x00000000
0x002913a0
0x002913a7
0x00000000
0x002913a7
0x0029129a
0x002912a0
0x00000000
0x002912a0
0x0029126e
0x00291274
0x00000000

APIs

_lopen.KERNEL32(?,00000000), ref: 00291252
lstrcpyA.KERNEL32(?,Unable to open archive file), ref: 0029126E
_malloc.LIBCMT ref: 00291285
lstrcpyA.KERNEL32(?,Unable to allocate memory buffer), ref: 0029129A
_free.LIBCMT ref: 002914C0

Strings

Could not find total size indicator, xrefs: 00291457
Could not find setup size, xrefs: 00291499
Unable to allocate memory buffer, xrefs: 00291291
Could not find data segment, xrefs: 002913A7
Could not find multi-segment indicator, xrefs: 002913A0
Could not find compression type indicator, xrefs: 0029140C
5, xrefs: 002914A8
Unable to open archive file, xrefs: 00291265

Memory Dump Source

Source File: 00000000.00000002.522230184.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.522226739.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522235133.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522269248.000000000029A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522277764.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_VideoPlayToolSetup.jbxd

Similarity

API ID: lstrcpy$_free_lopen_malloc
String ID: 5$Could not find compression type indicator$Could not find data segment$Could not find multi-segment indicator$Could not find setup size$Could not find total size indicator$Unable to allocate memory buffer$Unable to open archive file
API String ID: 3261646874-2242580901
Opcode ID: fe785b796949bb0d6124b63ccd3481e32d00ea08dcbb4e3c4ae51db5c02cfd52
Instruction ID: 8059b971251548542bf975ed9e84282ff044e34aa34a9f4f3e81892b39c01eeb
Opcode Fuzzy Hash: fe785b796949bb0d6124b63ccd3481e32d00ea08dcbb4e3c4ae51db5c02cfd52
Instruction Fuzzy Hash: 01713470838B43EADF308B329C88BD5BAB0AF51365F1483DEE4BB964D1D33059668B14

Uniqueness

Uniqueness Score: -1.00%

Function 002915E0 Relevance: 35.1, APIs: 14, Strings: 6, Instructions: 107
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E002915E0(void* __ecx) {
				int _v8;
				CHAR* _v12;
				int _v16;
				void _v20;
				void* __edi;
				void* __esi;
				int _t42;
				CHAR* _t43;
				int _t53;
				int _t54;
				intOrPtr* _t62;
				void* _t68;
				intOrPtr* _t69;
				int _t70;
				void* _t71;

				_t69 = _llseek;
				_t71 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				_llseek( *(__ecx + 0x1530),  *(__ecx + 0x1538), 0); // executed
				_t62 = _lread;
				_t42 = _lread( *(_t71 + 0x1530),  &_v20, 8); // executed
				if(_t42 == 8) {
					 *((intOrPtr*)(_t71 + 0x1538)) =  *((intOrPtr*)(_t71 + 0x1538)) + 8;
					asm("adc dword [esi+0x153c], 0x0");
				} else {
					lstrcpyA(_t71 + 8, "Could not find Lua DLL file size");
					_v8 = 0x3a;
				}
				_t43 = E002927AC(_t68, _t69, _t71, _v20); // executed
				_v12 = _t43;
				if(_t43 == 0) {
					lstrcpyA(_t71 + 8, "Failed to alloc memory.");
					_v8 = 0x36;
				} else {
					 *_t69( *(_t71 + 0x1530),  *((intOrPtr*)(_t71 + 0x1538)), 0); // executed
					_push(_v20);
					_push(_v12);
					_push( *(_t71 + 0x1530));
					if( *_t62() != _v20 || 0 != _v16) {
						lstrcpyA(_t71 + 8, "Failed to read Lua DLL");
						_v8 = 0x36;
					} else {
						if(_v8 == 0) {
							_t53 = _lcreat(_t71 + 0x142c, 0); // executed
							_t70 = _t53;
							if(_t70 != 0xffffffff) {
								_t54 = _lwrite(_t70, _v12, _v20); // executed
								if(_t54 != _v20 || 0 != _v16) {
									lstrcpyA(_t71 + 8, "Unable to write to Lua file.");
									_v8 = 0x37;
								}
								_lclose(_t70); // executed
							} else {
								lstrcpyA(_t71 + 8, "Unable to open Lua DLL file");
								_v8 = 0x37;
							}
						}
						 *((intOrPtr*)(_t71 + 0x1538)) =  *((intOrPtr*)(_t71 + 0x1538)) + _v20;
						asm("adc [esi+0x153c], eax");
					}
					E00292772(_v12);
				}
				return _v8;
			}

0x002915e9
0x002915f1
0x002915fa
0x00291603
0x00291606
0x00291609
0x0029160b
0x0029161d
0x00291622
0x0029163c
0x00291643
0x00291624
0x0029162d
0x00291633
0x00291633
0x0029164d
0x00291653
0x00291658
0x00291732
0x00291738
0x0029165e
0x0029166c
0x0029166e
0x00291671
0x00291674
0x00291681
0x00291711
0x00291717
0x0029168c
0x0029168f
0x00291699
0x0029169f
0x002916a4
0x002916c5
0x002916d0
0x002916e0
0x002916e6
0x002916e6
0x002916ee
0x002916a6
0x002916af
0x002916b5
0x002916b5
0x002916a4
0x002916f7
0x00291700
0x00291700
0x00291721
0x00291726
0x00291746

APIs

_llseek.KERNEL32(?,?,00000000), ref: 00291609
_lread.KERNEL32(?,?,00000008), ref: 0029161D
lstrcpyA.KERNEL32(?,Could not find Lua DLL file size), ref: 0029162D
_malloc.LIBCMT ref: 0029164D
_llseek.KERNEL32(?,?,00000000), ref: 0029166C
_lread.KERNEL32(?,?,?), ref: 0029167A
_lcreat.KERNEL32(?,?), ref: 00291699
lstrcpyA.KERNEL32(?,Unable to open Lua DLL file), ref: 002916AF
_lwrite.KERNEL32(00000000,?,?), ref: 002916C5
lstrcpyA.KERNEL32(?,Unable to write to Lua file.), ref: 002916E0
_lclose.KERNEL32(00000000), ref: 002916EE
lstrcpyA.KERNEL32(?,Failed to read Lua DLL), ref: 00291711
_free.LIBCMT ref: 00291721
lstrcpyA.KERNEL32(?,Failed to alloc memory.), ref: 00291732

Strings

Unable to write to Lua file., xrefs: 002916D7
Unable to open Lua DLL file, xrefs: 002916A6
6, xrefs: 00291738
Could not find Lua DLL file size, xrefs: 00291624
Failed to read Lua DLL, xrefs: 00291708
Failed to alloc memory., xrefs: 00291729

Memory Dump Source

Source File: 00000000.00000002.522230184.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.522226739.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522235133.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522269248.000000000029A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522277764.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_VideoPlayToolSetup.jbxd

Similarity

API ID: lstrcpy$_llseek_lread$_free_lclose_lcreat_lwrite_malloc
String ID: 6$Could not find Lua DLL file size$Failed to alloc memory.$Failed to read Lua DLL$Unable to open Lua DLL file$Unable to write to Lua file.
API String ID: 4172578098-1978040295
Opcode ID: 209bf9680cf50202aef92ab9b1177c69fe0a043f6b9866e904f472ce8c6ec282
Instruction ID: b4d8ee9c174ecc5f2dbdbc404d7847cdf82e621f7c8890623aad0471c8dd168d
Opcode Fuzzy Hash: 209bf9680cf50202aef92ab9b1177c69fe0a043f6b9866e904f472ce8c6ec282
Instruction Fuzzy Hash: 4F415D75D24606EBCF219FA1EC889EEB7B8FF44351F10485AE826A3150D7716A24DF10

Uniqueness

Uniqueness Score: -1.00%

Function 002914CE Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 82
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E002914CE(void* __edx, void* __edi, void* __eflags) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				CHAR* _t27;
				int _t30;
				int _t35;
				void* _t36;
				CHAR* _t43;
				void* _t45;
				void* _t49;
				void* _t50;
				int _t52;
				void* _t55;
				CHAR* _t57;

				_t50 = __edx;
				_push(_t45);
				_push(_t45);
				_v8 = _v8 & 0x00000000;
				_t55 = _t45;
				_t27 = E002927AC(__edx, __edi, _t55,  *(_t55 + 0x1540)); // executed
				_v12 = _v12 | 0xffffffff;
				_t43 = _t27;
				if(_t43 != 0) {
					_push(__edi);
					_llseek( *(_t55 + 0x1530),  *(_t55 + 0x1538), 0); // executed
					_t30 = _lread( *(_t55 + 0x1530), _t43,  *(_t55 + 0x1540)); // executed
					if(_t30 !=  *(_t55 + 0x1540) || 0 !=  *((intOrPtr*)(_t55 + 0x1544))) {
						_t57 = _t55 + 8;
						__eflags = _t57;
						lstrcpyA(_t57, "Failed to read setup engine");
						_t52 = _v12;
						_v8 = 0x36;
					} else {
						_t35 = _lcreat(_t55 + 0x1224, 0); // executed
						_t52 = _t35;
						if(_t52 != 0xffffffff) {
							_t49 = 0;
							__eflags = 0;
							while(1) {
								_t36 = _t49;
								asm("cdq");
								__eflags = _t50 -  *((intOrPtr*)(_t55 + 0x1544));
								if(__eflags > 0) {
									break;
								}
								if(__eflags < 0) {
									L9:
									 *(_t49 + _t43) =  *(_t49 + _t43) ^ 0x00000007;
									_t49 = _t49 + 1;
									__eflags = _t49 - 0x7d0;
									if(_t49 < 0x7d0) {
										continue;
									}
								} else {
									__eflags = _t36 -  *(_t55 + 0x1540);
									if(_t36 <  *(_t55 + 0x1540)) {
										goto L9;
									}
								}
								break;
							}
							_lwrite(_t52, _t43,  *(_t55 + 0x1540)); // executed
						} else {
							lstrcpyA(_t55 + 8, "Unable to open setup file");
							_v8 = 0x37;
						}
						 *(_t55 + 0x1538) =  *(_t55 + 0x1538) +  *(_t55 + 0x1540);
						asm("adc [esi+0x153c], eax");
					}
					E00292772(_t43); // executed
					if(_t52 != 0xffffffff) {
						_lclose(_t52); // executed
					}
				}
				return _v8;
			}

0x002914ce
0x002914d1
0x002914d2
0x002914d3
0x002914d9
0x002914e1
0x002914e6
0x002914ea
0x002914ef
0x002914f5
0x00291504
0x00291517
0x00291525
0x002915b1
0x002915b1
0x002915b5
0x002915bb
0x002915be
0x00291533
0x0029153b
0x00291541
0x00291546
0x00291560
0x00291560
0x00291562
0x00291562
0x00291564
0x00291565
0x0029156b
0x00000000
0x00000000
0x0029156d
0x00291577
0x00291577
0x0029157b
0x0029157c
0x00291582
0x00000000
0x00000000
0x0029156f
0x0029156f
0x00291575
0x00000000
0x00000000
0x00291575
0x00000000
0x0029156d
0x0029158c
0x00291548
0x00291551
0x00291557
0x00291557
0x00291598
0x002915a4
0x002915a4
0x002915c6
0x002915cf
0x002915d2
0x002915d2
0x002915d8
0x002915df

APIs

_malloc.LIBCMT ref: 002914E1

Part of subcall function 002927AC: __FF_MSGBANNER.LIBCMT ref: 002927C5
Part of subcall function 002927AC: __NMSG_WRITE.LIBCMT ref: 002927CC
Part of subcall function 002927AC: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,?,00000000,?,0029128A,0001F400), ref: 002927F1

_llseek.KERNEL32(?,?,00000000), ref: 00291504
_lread.KERNEL32(?,00000000,?,?,00291FA7,00000000,00000800), ref: 00291517
_lcreat.KERNEL32(?,?), ref: 0029153B
lstrcpyA.KERNEL32(?,Unable to open setup file,?,00291FA7,00000000,00000800), ref: 00291551
_lwrite.KERNEL32(00000000,00000000,?,?,00291FA7,00000000,00000800), ref: 0029158C
lstrcpyA.KERNEL32(?,Failed to read setup engine,?,00291FA7,00000000,00000800), ref: 002915B5
_free.LIBCMT ref: 002915C6
_lclose.KERNEL32(000000FF), ref: 002915D2

Strings

Unable to open setup file, xrefs: 00291548
Failed to read setup engine, xrefs: 002915AC
6, xrefs: 002915BE

Memory Dump Source

Source File: 00000000.00000002.522230184.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.522226739.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522235133.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522269248.000000000029A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522277764.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_VideoPlayToolSetup.jbxd

Similarity

API ID: lstrcpy$AllocateHeap_free_lclose_lcreat_llseek_lread_lwrite_malloc
String ID: 6$Failed to read setup engine$Unable to open setup file
API String ID: 694386576-1523045757
Opcode ID: 3f00aa653cc788b6485085e2453c033d4886419bee78f1192ce7f22e935bbdaf
Instruction ID: 7169710f66581d1dde987b1b9c0c14a0ac359c1af5961911ebea0edb29c0a62c
Opcode Fuzzy Hash: 3f00aa653cc788b6485085e2453c033d4886419bee78f1192ce7f22e935bbdaf
Instruction Fuzzy Hash: 5C319171530A01EFCB259F75EC88ADAB7F8EF85365F22051EF567D6090E77069608B10

Uniqueness

Uniqueness Score: -1.00%

Function 00291F7A Relevance: 10.6, APIs: 7, Instructions: 66
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00291F7A(CHAR* __ecx, void* __edx, void* __eflags) {
				void* __edi;
				void* _t6;
				CHAR* _t8;
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;
				void* _t28;
				CHAR* _t32;
				CHAR* _t33;
				intOrPtr _t40;

				_t28 = __edx;
				_t32 = __ecx;
				E0029121E(__ecx);
				_t6 = E00291233(__ecx); // executed
				_t21 = _t6;
				if(_t21 == 0) {
					_t17 = E0029188B(__ecx); // executed
					_t21 = _t17;
					_t37 = _t21;
					if(_t21 == 0) {
						_t18 = E002914CE(_t28, 0, _t37); // executed
						_t21 = _t18;
						if(_t21 == 0) {
							_t19 = E002915E0(__ecx); // executed
							_t21 = _t19;
							if(_t21 == 0) {
								_t20 = E00291B8C(__ecx, _t28); // executed
								_t21 = _t20;
							}
						}
					}
				}
				_t40 =  *0x29ab80; // 0x0
				if(_t40 == 0) {
					Sleep(0xa);
					_t8 = _t32 + 0x1224;
					if( *((intOrPtr*)(_t32 + 0x110c)) == 0) {
						MoveFileExA(_t8, 0, 5);
						MoveFileExA(_t32 + 0x142c, 0, 5);
						_t33 = _t32 + 0x1328;
						__eflags = _t33;
						MoveFileExA(_t33, 0, 5);
					} else {
						DeleteFileA(_t8);
						DeleteFileA(_t32 + 0x142c);
						RemoveDirectoryA(_t32 + 0x1328);
					}
				}
				return _t21;
			}

0x00291f7a
0x00291f7d
0x00291f7f
0x00291f86
0x00291f8b
0x00291f91
0x00291f95
0x00291f9a
0x00291f9c
0x00291f9e
0x00291fa2
0x00291fa7
0x00291fab
0x00291faf
0x00291fb4
0x00291fb8
0x00291fbc
0x00291fc1
0x00291fc1
0x00291fb8
0x00291fab
0x00291f9e
0x00291fc3
0x00291fc9
0x00291fcd
0x00291fd3
0x00291fdf
0x0029200c
0x00292019
0x0029201f
0x0029201f
0x00292026
0x00291fe1
0x00291fe8
0x00291ff1
0x00291ffa
0x00291ffa
0x00291fdf
0x0029202d

APIs

Part of subcall function 0029121E: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00291F84,00000000,00000800,76C86980,0029115C), ref: 0029122C

Part of subcall function 00291233: _lopen.KERNEL32(?,00000000), ref: 00291252
Part of subcall function 00291233: lstrcpyA.KERNEL32(?,Unable to open archive file), ref: 0029126E
Part of subcall function 00291233: _free.LIBCMT ref: 002914C0

Sleep.KERNEL32(0000000A,00000000,00000800,76C86980,0029115C), ref: 00291FCD
DeleteFileA.KERNEL32(?), ref: 00291FE8
DeleteFileA.KERNEL32(?), ref: 00291FF1
RemoveDirectoryA.KERNEL32(?), ref: 00291FFA

Part of subcall function 0029188B: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,?,00000000), ref: 002918BD
Part of subcall function 0029188B: GetTempPathA.KERNEL32(00000104,?), ref: 002918DD
Part of subcall function 0029188B: lstrlenA.KERNEL32(?), ref: 002918F0
Part of subcall function 0029188B: lstrcpyA.KERNEL32(?,?,?), ref: 00291915
Part of subcall function 0029188B: lstrlenA.KERNEL32(?), ref: 0029192B
Part of subcall function 0029188B: lstrcatA.KERNEL32(?,00297380), ref: 0029193F
Part of subcall function 0029188B: wsprintfA.USER32 ref: 0029196C
Part of subcall function 0029188B: wsprintfA.USER32 ref: 00291981
Part of subcall function 0029188B: DeleteFileA.KERNELBASE(?), ref: 002919D0
Part of subcall function 0029188B: RemoveDirectoryA.KERNELBASE(?), ref: 002919D9
Part of subcall function 0029188B: GetFileAttributesA.KERNELBASE(?), ref: 002919E6
Part of subcall function 0029188B: CreateDirectoryA.KERNELBASE(?,00000000), ref: 00291A00
Part of subcall function 0029188B: lstrcpyA.KERNEL32(?,?), ref: 00291A10
Part of subcall function 0029188B: SetCurrentDirectoryA.KERNELBASE(?), ref: 00291A1F

MoveFileExA.KERNEL32 ref: 0029200C
MoveFileExA.KERNEL32 ref: 00292019
MoveFileExA.KERNEL32 ref: 00292026

Part of subcall function 002914CE: _malloc.LIBCMT ref: 002914E1
Part of subcall function 002914CE: _llseek.KERNEL32(?,?,00000000), ref: 00291504
Part of subcall function 002914CE: _lread.KERNEL32(?,00000000,?,?,00291FA7,00000000,00000800), ref: 00291517
Part of subcall function 002914CE: _lcreat.KERNEL32(?,?), ref: 0029153B
Part of subcall function 002914CE: lstrcpyA.KERNEL32(?,Unable to open setup file,?,00291FA7,00000000,00000800), ref: 00291551
Part of subcall function 002914CE: _free.LIBCMT ref: 002915C6
Part of subcall function 002914CE: _lclose.KERNEL32(000000FF), ref: 002915D2

Part of subcall function 002915E0: _llseek.KERNEL32(?,?,00000000), ref: 00291609
Part of subcall function 002915E0: _lread.KERNEL32(?,?,00000008), ref: 0029161D
Part of subcall function 002915E0: lstrcpyA.KERNEL32(?,Could not find Lua DLL file size), ref: 0029162D
Part of subcall function 002915E0: _malloc.LIBCMT ref: 0029164D
Part of subcall function 002915E0: _llseek.KERNEL32(?,?,00000000), ref: 0029166C
Part of subcall function 002915E0: _lread.KERNEL32(?,?,?), ref: 0029167A
Part of subcall function 002915E0: _lcreat.KERNEL32(?,?), ref: 00291699
Part of subcall function 002915E0: lstrcpyA.KERNEL32(?,Unable to open Lua DLL file), ref: 002916AF
Part of subcall function 002915E0: _free.LIBCMT ref: 00291721

Part of subcall function 00291B8C: wsprintfA.USER32 ref: 00291C31
Part of subcall function 00291B8C: lstrlenA.KERNEL32(?), ref: 00291C3D
Part of subcall function 00291B8C: lstrcatA.KERNEL32(?,002974E0), ref: 00291C59
Part of subcall function 00291B8C: lstrcatA.KERNEL32(?,?), ref: 00291C69
Part of subcall function 00291B8C: wsprintfA.USER32 ref: 00291C7E
Part of subcall function 00291B8C: lstrcatA.KERNEL32(?,002974E0), ref: 00291C8F
Part of subcall function 00291B8C: lstrcatA.KERNEL32(?,?), ref: 00291C9F
Part of subcall function 00291B8C: wsprintfA.USER32 ref: 00291CB5
Part of subcall function 00291B8C: lstrcatA.KERNEL32(?,002974E0), ref: 00291CC6
Part of subcall function 00291B8C: lstrcatA.KERNEL32(?,?), ref: 00291CD6

Memory Dump Source

Source File: 00000000.00000002.522230184.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.522226739.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522235133.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522269248.000000000029A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522277764.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_VideoPlayToolSetup.jbxd

Similarity

API ID: File$lstrcat$lstrcpy$Directorywsprintf$DeleteMove_free_llseek_lreadlstrlen$CurrentRemove_lcreat_malloc$AttributesCreateModuleNamePathSleepTemp_lclose_lopen
String ID:
API String ID: 3481004031-0
Opcode ID: fa250135422eebcdb59bb8f73826067d677752173d7e5cb967467fe1d59b83f8
Instruction ID: 0a2ced9400be540e468285044827a9282e4187cea1144f08e0debac281749b0d
Opcode Fuzzy Hash: fa250135422eebcdb59bb8f73826067d677752173d7e5cb967467fe1d59b83f8
Instruction Fuzzy Hash: 0411E931B60B1667DE2277B15C8AB9E21D99BD8751F110425F10597580EBF44D258FD0

Uniqueness

Uniqueness Score: -1.00%

Function 00295A70 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00295A70(signed int _a4, signed int _a8, long _a12) {
				void* _t10;
				long _t11;
				long _t12;
				signed int _t13;
				signed int _t17;
				long _t19;
				long _t24;

				_t17 = _a4;
				if(_t17 == 0) {
					L3:
					_t24 = _t17 * _a8;
					__eflags = _t24;
					if(_t24 == 0) {
						_t24 = _t24 + 1;
						__eflags = _t24;
					}
					goto L5;
					L6:
					_t10 = RtlAllocateHeap( *0x29b6a4, 8, _t24); // executed
					__eflags = 0;
					if(0 == 0) {
						goto L7;
					}
					L14:
					return _t10;
					goto L15;
					L7:
					__eflags =  *0x29b6a8;
					if( *0x29b6a8 == 0) {
						_t19 = _a12;
						__eflags = _t19;
						if(_t19 != 0) {
							 *_t19 = 0xc;
						}
					} else {
						_t11 = E00292FAE(_t10, _t24);
						__eflags = _t11;
						if(_t11 != 0) {
							L5:
							_t10 = 0;
							__eflags = _t24 - 0xffffffe0;
							if(_t24 > 0xffffffe0) {
								goto L7;
							} else {
								goto L6;
							}
						} else {
							_t12 = _a12;
							__eflags = _t12;
							if(_t12 != 0) {
								 *_t12 = 0xc;
							}
							_t10 = 0;
						}
					}
					goto L14;
				} else {
					_t13 = 0xffffffe0;
					_t27 = _t13 / _t17 - _a8;
					if(_t13 / _t17 >= _a8) {
						goto L3;
					} else {
						 *((intOrPtr*)(E0029348D(_t27))) = 0xc;
						return 0;
					}
				}
				L15:
			}

0x00295a75
0x00295a7a
0x00295a97
0x00295a9c
0x00295a9e
0x00295aa0
0x00295aa2
0x00295aa2
0x00295aa2
0x00000000
0x00295aaa
0x00295ab3
0x00295ab9
0x00295abb
0x00000000
0x00000000
0x00295aef
0x00295af1
0x00000000
0x00295abd
0x00295abd
0x00295ac4
0x00295ae2
0x00295ae5
0x00295ae7
0x00295ae9
0x00295ae9
0x00295ac6
0x00295ac7
0x00295acd
0x00295acf
0x00295aa3
0x00295aa3
0x00295aa5
0x00295aa8
0x00000000
0x00000000
0x00000000
0x00000000
0x00295ad1
0x00295ad1
0x00295ad4
0x00295ad6
0x00295ad8
0x00295ad8
0x00295ade
0x00295ade
0x00295acf
0x00000000
0x00295a7c
0x00295a80
0x00295a83
0x00295a86
0x00000000
0x00295a88
0x00295a8d
0x00295a96
0x00295a96
0x00295a86
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00294882,0029128A,?,00000000,00000000,00000000,?,00293139,00000001,00000214,?,0029128A), ref: 00295AB3

Part of subcall function 0029348D: __getptd_noexit.LIBCMT ref: 0029348D

Memory Dump Source

Source File: 00000000.00000002.522230184.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.522226739.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522235133.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522269248.000000000029A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522277764.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_VideoPlayToolSetup.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 7e06ea74e950255a93debbc47dbb5bbf5033f870b189ed00df216f00a80708b0
Instruction ID: 539fe7e46bdd526f57a1689add51be902095558b7089af7e9d01342217f7765f
Opcode Fuzzy Hash: 7e06ea74e950255a93debbc47dbb5bbf5033f870b189ed00df216f00a80708b0
Instruction Fuzzy Hash: 9801B131321A369BEF269F25EC94B6B3759AF81360F11462AE8168B190EB709C208754

Uniqueness

Uniqueness Score: -1.00%

Function 00292FD6 Relevance: 1.5, APIs: 1, Instructions: 3
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000,00295661,0029AD50,00000314,00000000,?,?,?,?,?,00293AF2,0029AD50,Microsoft Visual C++ Runtime Library,00012010), ref: 00292FD8

Memory Dump Source

Source File: 00000000.00000002.522230184.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.522226739.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522235133.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522269248.000000000029A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522277764.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_VideoPlayToolSetup.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 2cc5ffeb90a6d69c4a4817399ad33c843d8b12fe021a221529c2d894521fafbb
Instruction ID: 25104a0fceee3261f9abdbfa17fe9297de6c0066073f7ec5073dbe2e358c19b7
Opcode Fuzzy Hash: 2cc5ffeb90a6d69c4a4817399ad33c843d8b12fe021a221529c2d894521fafbb
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00291821 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00291821(intOrPtr _a4, intOrPtr _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				struct HINSTANCE__* _t11;

				_t10 = 0;
				_t11 = LoadLibraryA("Advapi32.dll");
				if(_t11 != 0 && _a8 != 0 && _a4 != 0) {
					_t7 = GetProcAddress(_t11, "ConvertSidToStringSidA");
					if(_t7 != 0) {
						_t10 =  *_t7(_a4, _a8);
					}
					FreeLibrary(_t11);
				}
				return _t10;
			}

0x0029182b
0x00291833
0x00291837
0x00291849
0x00291851
0x0029185b
0x0029185b
0x0029185e
0x0029185e
0x00291869

APIs

LoadLibraryA.KERNEL32(Advapi32.dll,75BCC740,76CC81D0,?,00291D94,?,00000000), ref: 0029182D
GetProcAddress.KERNEL32(00000000,ConvertSidToStringSidA), ref: 00291849
FreeLibrary.KERNEL32(00000000,?,00291D94,?,00000000), ref: 0029185E

Strings

Advapi32.dll, xrefs: 00291826
ConvertSidToStringSidA, xrefs: 00291843

Memory Dump Source

Source File: 00000000.00000002.522230184.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.522226739.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522235133.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522269248.000000000029A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522277764.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_VideoPlayToolSetup.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Advapi32.dll$ConvertSidToStringSidA
API String ID: 145871493-1798845326
Opcode ID: 9a6006ec0e12dd61cbb978f6411500c237d7af84048a897cc0d9eb4610453309
Instruction ID: d9e14e65016a86d86c43bf5f79f9fc746eaea01dc976ea4d1c6f1e23f2025ab4
Opcode Fuzzy Hash: 9a6006ec0e12dd61cbb978f6411500c237d7af84048a897cc0d9eb4610453309
Instruction Fuzzy Hash: 0FE09232239615BB9F222F2BEC08CEEBB65EAC17E13148162FD18C2110D6314D71EAE5

Uniqueness

Uniqueness Score: -1.00%

Function 0029239A Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0029239A(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x29a020; // 0x72e8023b
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x29b480 = _t6;
				 *0x29b47c = _t22;
				 *0x29b478 = _t25;
				 *0x29b474 = _t21;
				 *0x29b470 = _t27;
				 *0x29b46c = _t26;
				 *0x29b498 = ss;
				 *0x29b48c = cs;
				 *0x29b468 = ds;
				 *0x29b464 = es;
				 *0x29b460 = fs;
				 *0x29b45c = gs;
				asm("pushfd");
				_pop( *0x29b490);
				 *0x29b484 =  *_t31;
				 *0x29b488 = _v0;
				 *0x29b494 =  &_a4;
				 *0x29b3d0 = 0x10001;
				 *0x29b384 =  *0x29b488;
				 *0x29b378 = 0xc0000409;
				 *0x29b37c = 1;
				_t12 =  *0x29a020; // 0x72e8023b
				_v812 = _t12;
				_t13 =  *0x29a024; // 0x8d17fdc4
				_v808 = _t13;
				 *0x29b3c8 = IsDebuggerPresent();
				_push(1);
				E002949E0(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x297f60);
				if( *0x29b3c8 == 0) {
					_push(1);
					E002949E0(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0029239a
0x0029239a
0x0029239a
0x0029239a
0x0029239a
0x0029239a
0x0029239a
0x002923a0
0x002923a2
0x002923a2
0x00293c72
0x00293c77
0x00293c7d
0x00293c83
0x00293c89
0x00293c8f
0x00293c95
0x00293c9c
0x00293ca3
0x00293caa
0x00293cb1
0x00293cb8
0x00293cbf
0x00293cc0
0x00293cc9
0x00293cd1
0x00293cd9
0x00293ce4
0x00293cf3
0x00293cf8
0x00293d02
0x00293d0c
0x00293d11
0x00293d17
0x00293d1c
0x00293d28
0x00293d2d
0x00293d2f
0x00293d37
0x00293d42
0x00293d4f
0x00293d51
0x00293d53
0x00293d58
0x00293d6c

APIs

IsDebuggerPresent.KERNEL32 ref: 00293D22
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00293D37
UnhandledExceptionFilter.KERNEL32(00297F60), ref: 00293D42
GetCurrentProcess.KERNEL32(C0000409), ref: 00293D5E
TerminateProcess.KERNEL32(00000000), ref: 00293D65

Memory Dump Source

Source File: 00000000.00000002.522230184.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.522226739.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522235133.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522269248.000000000029A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522277764.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_VideoPlayToolSetup.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 239d16090ba50c4401e317de52d42ccd5609bb975aa1daa7cca121b2d0c45416
Instruction ID: 9cfe0de5ea4c325f068e8f498132a9df4f57eb47c394b7877b10f6f52e552d53
Opcode Fuzzy Hash: 239d16090ba50c4401e317de52d42ccd5609bb975aa1daa7cca121b2d0c45416
Instruction Fuzzy Hash: D921AEB4820308DFDB02DF69FEAD6543BB4BB08704F10605BE90987762E7B05985EF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00293FC8 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00293FC8() {

				SetUnhandledExceptionFilter(E00293F86);
				return 0;
			}

0x00293fcd
0x00293fd5

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00003F86), ref: 00293FCD

Memory Dump Source

Source File: 00000000.00000002.522230184.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.522226739.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522235133.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522269248.000000000029A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522277764.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_VideoPlayToolSetup.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9925bae8aafbf34e96b25026ec11204e4c3cf7bbd4360831dff35e3f3e9b37b8
Instruction ID: 357365b2c21d8d08d180c9a461663638f6019e59eca65b7295b846c867f52b39
Opcode Fuzzy Hash: 9925bae8aafbf34e96b25026ec11204e4c3cf7bbd4360831dff35e3f3e9b37b8
Instruction Fuzzy Hash: 079002606797408E8A1457B06C0D40A65A15E49722B5144556202C4454DE6141109521

Uniqueness

Uniqueness Score: -1.00%

Function 002932D0 Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E002932D0(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t14;
				void* _t15;
				void* _t16;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				void* _t30;
				struct HINSTANCE__* _t35;
				intOrPtr* _t36;
				void* _t39;
				intOrPtr* _t41;
				void* _t42;

				_t30 = __ebx;
				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t35 != 0) {
					 *0x29ad40 = GetProcAddress(_t35, "FlsAlloc");
					 *0x29ad44 = GetProcAddress(_t35, "FlsGetValue");
					 *0x29ad48 = GetProcAddress(_t35, "FlsSetValue");
					_t7 = GetProcAddress(_t35, "FlsFree");
					__eflags =  *0x29ad40;
					_t39 = TlsSetValue;
					 *0x29ad4c = _t7;
					if( *0x29ad40 == 0) {
						L6:
						 *0x29ad44 = TlsGetValue;
						 *0x29ad40 = 0x292fdf;
						 *0x29ad48 = _t39;
						 *0x29ad4c = TlsFree;
					} else {
						__eflags =  *0x29ad44;
						if( *0x29ad44 == 0) {
							goto L6;
						} else {
							__eflags =  *0x29ad48;
							if( *0x29ad48 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					 *0x29a174 = _t10;
					__eflags = _t10 - 0xffffffff;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x29ad44);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E00292083();
							_t41 = __imp__EncodePointer;
							_t14 =  *_t41( *0x29ad40);
							 *0x29ad40 = _t14;
							_t15 =  *_t41( *0x29ad44);
							 *0x29ad44 = _t15;
							_t16 =  *_t41( *0x29ad48);
							 *0x29ad48 = _t16;
							 *0x29ad4c =  *_t41( *0x29ad4c);
							_t18 = E002929EB();
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E0029301D();
								goto L15;
							} else {
								_t36 = __imp__DecodePointer;
								_t21 =  *((intOrPtr*)( *_t36()))( *0x29ad40, E002931A1);
								 *0x29a170 = _t21;
								__eflags = _t21 - 0xffffffff;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E0029486C(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										__eflags =  *((intOrPtr*)( *_t36()))( *0x29ad48,  *0x29a170, _t42);
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E0029305A(_t30, _t36, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E0029301D();
					return 0;
				}
			}

0x002932d0
0x002932de
0x002932e2
0x00293302
0x0029330f
0x0029331c
0x00293321
0x00293323
0x0029332a
0x00293330
0x00293335
0x0029334d
0x00293352
0x0029335c
0x00293366
0x0029336c
0x00293337
0x00293337
0x0029333e
0x00000000
0x00293340
0x00293340
0x00293347
0x00000000
0x00293349
0x00293349
0x0029334b
0x00000000
0x00000000
0x0029334b
0x00293347
0x0029333e
0x00293371
0x00293377
0x0029337c
0x0029337f
0x00293446
0x00293446
0x00293446
0x00293385
0x0029338c
0x0029338e
0x00293390
0x00000000
0x00293396
0x00293396
0x002933a1
0x002933a7
0x002933af
0x002933b4
0x002933bc
0x002933c1
0x002933c9
0x002933d0
0x002933d5
0x002933da
0x002933dc
0x00293441
0x00293441
0x00000000
0x002933de
0x002933de
0x002933f1
0x002933f3
0x002933f8
0x002933fb
0x00000000
0x002933fd
0x00293409
0x0029340d
0x0029340f
0x00000000
0x00293411
0x00293422
0x00293424
0x00000000
0x00293426
0x00293426
0x00293428
0x00293429
0x00293430
0x00293436
0x0029343a
0x0029343e
0x0029343e
0x00293424
0x0029340f
0x002933fb
0x002933dc
0x00293390
0x0029344a
0x002932e4
0x002932e4
0x002932ec
0x002932ec

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,002928FE), ref: 002932D8
__mtterm.LIBCMT ref: 002932E4

Part of subcall function 0029301D: DecodePointer.KERNEL32(00000005,00293446,?,002928FE), ref: 0029302E
Part of subcall function 0029301D: TlsFree.KERNEL32(00000019,00293446,?,002928FE), ref: 00293048

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 002932FA
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00293307
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00293314
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00293321
TlsAlloc.KERNEL32(?,002928FE), ref: 00293371
TlsSetValue.KERNEL32(00000000,?,002928FE), ref: 0029338C
__init_pointers.LIBCMT ref: 00293396
EncodePointer.KERNEL32(?,002928FE), ref: 002933A7
EncodePointer.KERNEL32(?,002928FE), ref: 002933B4
EncodePointer.KERNEL32(?,002928FE), ref: 002933C1
EncodePointer.KERNEL32(?,002928FE), ref: 002933CE
DecodePointer.KERNEL32(002931A1,?,002928FE), ref: 002933EF
__calloc_crt.LIBCMT ref: 00293404
DecodePointer.KERNEL32(00000000,?,002928FE), ref: 0029341E
__initptd.LIBCMT ref: 00293429
GetCurrentThreadId.KERNEL32 ref: 00293430

Strings

FlsAlloc, xrefs: 002932F4
FlsSetValue, xrefs: 00293309
FlsFree, xrefs: 00293316
KERNEL32.DLL, xrefs: 002932D3
FlsGetValue, xrefs: 002932FC

Memory Dump Source

Source File: 00000000.00000002.522230184.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.522226739.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522235133.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522269248.000000000029A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522277764.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_VideoPlayToolSetup.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3732613303-3819984048
Opcode ID: d8b12cc84852de859391f1f9ad192c846236acbbead208865d0c021cbb696cc6
Instruction ID: 2b63a52223ba950553296a116267959b90944692e15623a6ceef7ce1094a2cc2
Opcode Fuzzy Hash: d8b12cc84852de859391f1f9ad192c846236acbbead208865d0c021cbb696cc6
Instruction Fuzzy Hash: 6C315E719243119BCF29AF75FC0D6193EE4AB457A1B110127E41C9BAF0DB748561CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 00294F44 Relevance: 9.0, APIs: 6, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 92%

			E00294F44(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x299600);
				E002937A0(__ebx, __edi, __esi);
				_t31 = E00293187(__ebx, __edx, __edi, _t35);
				_t15 =  *0x29aac0; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00292B65(_t25, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x29a9c8; // 0x2311600
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x29a5a0;
								if(__eflags != 0) {
									E00292772(_t33);
								}
							}
						}
						_t21 =  *0x29a9c8; // 0x2311600
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x29a9c8; // 0x2311600
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E00294FDF();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					E002922FB(_t29, _t31, _t38, 0x20);
				}
				return E002937E5(_t33);
			}

0x00294f44
0x00294f44
0x00294f44
0x00294f44
0x00294f46
0x00294f4b
0x00294f55
0x00294f57
0x00294f5f
0x00294f80
0x00294f86
0x00294f8a
0x00294f8d
0x00294f90
0x00294f96
0x00294f98
0x00294f9a
0x00294fa3
0x00294fa5
0x00294fa7
0x00294fad
0x00294fb0
0x00294fb5
0x00294fad
0x00294fa5
0x00294fb6
0x00294fbb
0x00294fbe
0x00294fc4
0x00294fc8
0x00294fc8
0x00294fce
0x00294fd5
0x00294f67
0x00294f67
0x00294f67
0x00294f6a
0x00294f6c
0x00294f70
0x00294f75
0x00294f7d

APIs

__getptd.LIBCMT ref: 00294F50

Part of subcall function 00293187: __getptd_noexit.LIBCMT ref: 0029318A
Part of subcall function 00293187: __amsg_exit.LIBCMT ref: 00293197

__amsg_exit.LIBCMT ref: 00294F70
__lock.LIBCMT ref: 00294F80
InterlockedDecrement.KERNEL32(?), ref: 00294F9D
_free.LIBCMT ref: 00294FB0
InterlockedIncrement.KERNEL32(02311600), ref: 00294FC8

Memory Dump Source

Source File: 00000000.00000002.522230184.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.522226739.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522235133.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522269248.000000000029A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522277764.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_VideoPlayToolSetup.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: 8653be1363c8ae895429b81908e0e7f732917fc0addd1004db4a5f3f10935e15
Instruction ID: ab7189ea84328ca17f973fc2900589c29921af8393dd0ee991d96ae854973126
Opcode Fuzzy Hash: 8653be1363c8ae895429b81908e0e7f732917fc0addd1004db4a5f3f10935e15
Instruction Fuzzy Hash: 78016131D21B23A7DF21FF649849F99B7B0BB05720F15410AE808A7991C734A962CFD6

Uniqueness

Uniqueness Score: -1.00%

Function 00291747 Relevance: 7.6, APIs: 5, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00291747(CHAR* _a4) {
				signed int _v8;
				char _v268;
				int _v272;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				char* _t28;
				struct _SECURITY_ATTRIBUTES* _t30;
				int _t34;
				char _t37;
				void* _t38;
				intOrPtr _t40;
				CHAR* _t41;
				signed int _t42;

				_t19 =  *0x29a020; // 0x72e8023b
				_v8 = _t19 ^ _t42;
				_t41 = _a4;
				_v272 = 1;
				if(_t41[lstrlenA(_t41) - 1] != 0x5c) {
					lstrcatA(_t41, "\\");
				}
				_t34 = lstrlenA(_t41);
				_t40 = 0;
				E00292320( &_v268, 0, 0x104);
				if(_t34 <= 2 || _t41[1] != 0x3a) {
					_v272 = _t40;
				} else {
					if(_t34 <= 0) {
						L14:
						return E0029239A(_v272, _t34, _v8 ^ _t42, _t38, _t40, _t41);
					}
					_t41 = _t41 -  &_v268;
					while(_v272 != 0) {
						_t28 = _t42 + _t40 - 0x108;
						_t37 = _t41[_t28];
						 *_t28 = _t37;
						if(_t37 == 0x5c && _t40 != 2) {
							_t30 = SetCurrentDirectoryA( &_v268);
							if(_t30 == 0) {
								_v272 = CreateDirectoryA( &_v268, _t30);
							}
						}
						_t40 = _t40 + 1;
						if(_t40 < _t34) {
							continue;
						} else {
							goto L14;
						}
					}
				}
			}

0x00291750
0x00291757
0x0029175c
0x00291767
0x00291778
0x00291780
0x00291780
0x0029178e
0x00291790
0x0029179a
0x002917a5
0x00291804
0x002917ad
0x002917af
0x0029180a
0x0029181e
0x0029181e
0x002917b7
0x002917b9
0x002917c2
0x002917c9
0x002917cc
0x002917d1
0x002917df
0x002917e7
0x002917f7
0x002917f7
0x002917e7
0x002917fd
0x00291800
0x00000000
0x00291802
0x00000000
0x00291802
0x00291800
0x002917b9

APIs

lstrlenA.KERNEL32(00291909,76CC8170,?,76C86980), ref: 00291771
lstrcatA.KERNEL32(00291909,00297380), ref: 00291780
lstrlenA.KERNEL32(00291909), ref: 00291787
SetCurrentDirectoryA.KERNEL32(?), ref: 002917DF
CreateDirectoryA.KERNEL32(?,00000000), ref: 002917F1

Memory Dump Source

Source File: 00000000.00000002.522230184.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.522226739.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522235133.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522269248.000000000029A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522277764.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_VideoPlayToolSetup.jbxd

Similarity

API ID: Directorylstrlen$CreateCurrentlstrcat
String ID:
API String ID: 279805598-0
Opcode ID: a14b32b6d5b062a4f5a977f81cf1131b21f49c4e5551b8cc9f66111cf40f2345
Instruction ID: bcf3fe33d1a2e14caa2da8335e4eea854c6a28ab24340692b4b89af2c007d9f5
Opcode Fuzzy Hash: a14b32b6d5b062a4f5a977f81cf1131b21f49c4e5551b8cc9f66111cf40f2345
Instruction Fuzzy Hash: DB21D47692431AABDF21DF66DC49BEEB7ECAB56300F0041AAD98593100C7B45DE4CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00295AF2 Relevance: 7.6, APIs: 5, Instructions: 68
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 94%

			E00295AF2(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t27;
				long _t30;

				if(_a4 != 0) {
					_push(__esi);
					_t30 = _a8;
					__eflags = _t30;
					if(_t30 != 0) {
						_push(__edi);
						while(1) {
							__eflags = _t30 - 0xffffffe0;
							if(_t30 > 0xffffffe0) {
								break;
							}
							__eflags = _t30;
							if(_t30 == 0) {
								_t30 = _t30 + 1;
								__eflags = _t30;
							}
							_t7 = HeapReAlloc( *0x29b6a4, 0, _a4, _t30);
							_t27 = _t7;
							__eflags = _t27;
							if(_t27 != 0) {
								L17:
								_t8 = _t27;
							} else {
								__eflags =  *0x29b6a8 - _t7;
								if(__eflags == 0) {
									_t9 = E0029348D(__eflags);
									 *_t9 = E0029344B(GetLastError());
									goto L17;
								} else {
									__eflags = E00292FAE(_t7, _t30);
									if(__eflags == 0) {
										_t12 = E0029348D(__eflags);
										 *_t12 = E0029344B(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00292FAE(_t6, _t30);
						 *((intOrPtr*)(E0029348D(__eflags))) = 0xc;
						goto L12;
					} else {
						E00292772(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E002927AC(__edx, __edi, __esi, _a8);
				}
			}

0x00295afb
0x00295b08
0x00295b09
0x00295b0c
0x00295b0e
0x00295b1d
0x00295b50
0x00295b50
0x00295b53
0x00000000
0x00000000
0x00295b20
0x00295b22
0x00295b24
0x00295b24
0x00295b24
0x00295b31
0x00295b37
0x00295b39
0x00295b3b
0x00295b9b
0x00295b9b
0x00295b3d
0x00295b3d
0x00295b43
0x00295b85
0x00295b99
0x00000000
0x00295b45
0x00295b4c
0x00295b4e
0x00295b6d
0x00295b81
0x00295b67
0x00295b67
0x00295b67
0x00000000
0x00000000
0x00000000
0x00295b4e
0x00295b43
0x00000000
0x00295b69
0x00295b56
0x00295b61
0x00000000
0x00295b10
0x00295b13
0x00295b19
0x00295b19
0x00295b6a
0x00295b6c
0x00295afd
0x00295b07
0x00295b07

APIs

_malloc.LIBCMT ref: 00295B00

Part of subcall function 002927AC: __FF_MSGBANNER.LIBCMT ref: 002927C5
Part of subcall function 002927AC: __NMSG_WRITE.LIBCMT ref: 002927CC
Part of subcall function 002927AC: RtlAllocateHeap.NTDLL(00000000,00000001,00000000,?,00000000,?,0029128A,0001F400), ref: 002927F1

_free.LIBCMT ref: 00295B13

Memory Dump Source

Source File: 00000000.00000002.522230184.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.522226739.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522235133.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522269248.000000000029A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522277764.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_VideoPlayToolSetup.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 8b3caf54fa56d46733ecae39c5eb7876331f682987a2586576057f154c60c63e
Instruction ID: 0ce59a164e4637e1e5a997eeaf09ba0c3e53730a6de5d167e7dd31eb92610863
Opcode Fuzzy Hash: 8b3caf54fa56d46733ecae39c5eb7876331f682987a2586576057f154c60c63e
Instruction Fuzzy Hash: 14110A32635A25BFCF236F74BC18A5A37D8AF51374B254029F8489B154EB3488708B94

Uniqueness

Uniqueness Score: -1.00%

Function 00294CA8 Relevance: 7.5, APIs: 5, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E00294CA8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t12;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t20 = __ebx;
				_push(0xc);
				_push(0x2995e0);
				E002937A0(__ebx, __edi, __esi);
				_t28 = E00293187(__ebx, __edx, __edi, _t31);
				_t12 =  *0x29aac0; // 0xfffffffe
				if(( *(_t28 + 0x70) & _t12) == 0) {
					L6:
					E00292B65(_t20, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t29 = _t28 + 0x6c;
					 *((intOrPtr*)(_t30 - 0x1c)) = E00294C5B(_t29,  *0x29a598);
					 *(_t30 - 4) = 0xfffffffe;
					E00294D15();
				} else {
					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E00293187(_t20, __edx, _t26, _t33) + 0x6c));
					}
				}
				_t34 = _t29;
				if(_t29 == 0) {
					E002922FB(_t25, _t26, _t34, 0x20);
				}
				return E002937E5(_t29);
			}

0x00294ca8
0x00294ca8
0x00294ca8
0x00294ca8
0x00294ca8
0x00294caa
0x00294caf
0x00294cb9
0x00294cbb
0x00294cc3
0x00294ce7
0x00294ce9
0x00294cef
0x00294cf9
0x00294d04
0x00294d07
0x00294d0e
0x00294cc5
0x00294cc5
0x00294cc9
0x00000000
0x00294ccb
0x00294cd0
0x00294cd0
0x00294cc9
0x00294cd3
0x00294cd5
0x00294cd9
0x00294cde
0x00294ce6

APIs

__getptd.LIBCMT ref: 00294CB4

Part of subcall function 00293187: __getptd_noexit.LIBCMT ref: 0029318A
Part of subcall function 00293187: __amsg_exit.LIBCMT ref: 00293197

__getptd.LIBCMT ref: 00294CCB
__amsg_exit.LIBCMT ref: 00294CD9
__lock.LIBCMT ref: 00294CE9
__updatetlocinfoEx_nolock.LIBCMT ref: 00294CFD

Memory Dump Source

Source File: 00000000.00000002.522230184.0000000000291000.00000020.00000001.01000000.00000003.sdmp, Offset: 00290000, based on PE: true

Associated: 00000000.00000002.522226739.0000000000290000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522235133.0000000000297000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522269248.000000000029A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.522277764.000000000029C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_290000_VideoPlayToolSetup.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: b1d8cc6878e4130fc9ab315654ab18930d6f2f4edec4ed812fa164c5a3a9efb8
Instruction ID: 93321a7451a6c69f8ea78d188a4e1aaec4df2028a1b6894e43b87eec84650a01
Opcode Fuzzy Hash: b1d8cc6878e4130fc9ab315654ab18930d6f2f4edec4ed812fa164c5a3a9efb8
Instruction Fuzzy Hash: B8F09072D26700AFDF25FBA89806F8E76A06F04724F11010AF404AA5D2CB645972CE9A

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VideoPlayToolSetup.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: VideoPlayToolSetup.exePID: 3732, Parent PID: 2872

General

File Activities

File Opened

File Created

Windows Analysis Report
VideoPlayToolSetup.exe

Function 0029188B Relevance: 68.5, APIs: 30, Strings: 9, Instructions: 213
stringfileCOMMON

Function 00291000 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 127
stringwindowCOMMON

Function 00291B8C Relevance: 72.0, APIs: 32, Strings: 9, Instructions: 270
stringwindowCOMMON

Function 00291233 Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 184
stringCOMMON

Function 002915E0 Relevance: 35.1, APIs: 14, Strings: 6, Instructions: 107
stringCOMMON

Function 002914CE Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 82
stringCOMMON

Function 00291F7A Relevance: 10.6, APIs: 7, Instructions: 66
filesleepCOMMON

Function 00295A70 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMONLIBRARYCODE