Edit tour

Windows Analysis Report
Prezi.exe

Overview

General Information

Sample Name:	Prezi.exe
Analysis ID:	895528
MD5:	a75988e32c623dd43071861e5677cfe2
SHA1:	e0be685f8b62f42724d06678916714680afef3d7
SHA256:	e3328de058cc66e4b0431844320814f7298038ae82f34d3d15ee3335b2f7de1e
Infos:

Detection

Score:	7
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

Prezi.exe (PID: 7156 cmdline: "C:\Users\user\Desktop\Prezi.exe" -install MD5: A75988E32C623DD43071861E5677CFE2)

conhost.exe (PID: 4688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 2424 cmdline: C:\Windows\system32\cmd.exe /c start content\Prezi.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

Prezi.exe (PID: 4764 cmdline: "C:\Users\user\Desktop\Prezi.exe" /install MD5: A75988E32C623DD43071861E5677CFE2)

conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5448 cmdline: C:\Windows\system32\cmd.exe /c start content\Prezi.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

Prezi.exe (PID: 7016 cmdline: "C:\Users\user\Desktop\Prezi.exe" /load MD5: A75988E32C623DD43071861E5677CFE2)

conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 5940 cmdline: C:\Windows\system32\cmd.exe /c start content\Prezi.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

cleanup

Joe Sandbox Signatures

• Compliance
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Prezi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Prezi.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: Y:\prezi-repo\portable-prezi-launcher\win\portable-air-launcher\Release\portable-air-launcher.pdb source: Prezi.exe

Source: Prezi.exe, 00000000.00000002.390891298.000000000126A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: Prezi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Prezi.exe	Code function: 0_2_009D22FF		0_2_009D22FF
Source: C:\Users\user\Desktop\Prezi.exe	Code function: 0_2_009D8014		0_2_009D8014

Source: Prezi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Prezi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Prezi.exe "C:\Users\user\Desktop\Prezi.exe" -install
Source: C:\Users\user\Desktop\Prezi.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Prezi.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c start content\Prezi.exe
Source: unknown	Process created: C:\Users\user\Desktop\Prezi.exe "C:\Users\user\Desktop\Prezi.exe" /install
Source: C:\Users\user\Desktop\Prezi.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Prezi.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c start content\Prezi.exe
Source: unknown	Process created: C:\Users\user\Desktop\Prezi.exe "C:\Users\user\Desktop\Prezi.exe" /load
Source: C:\Users\user\Desktop\Prezi.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Prezi.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c start content\Prezi.exe
Source: C:\Users\user\Desktop\Prezi.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c start content\Prezi.exe	Jump to behavior
Source: C:\Users\user\Desktop\Prezi.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c start content\Prezi.exe	Jump to behavior
Source: C:\Users\user\Desktop\Prezi.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c start content\Prezi.exe	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4688:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6124:120:WilError_01

Source: Prezi.exe

String found in binary or memory: Y:\prezi-repo\portable-prezi-launcher\win\portable-air-launcher\Release\portable-air-launcher.pdb

Source: classification engine

Classification label: clean7.winEXE@12/0@0/0

Source: C:\Windows\SysWOW64\cmd.exe	Automated click: OK
Source: C:\Windows\SysWOW64\cmd.exe	Automated click: OK
Source: C:\Windows\SysWOW64\cmd.exe	Automated click: OK

Source: Prezi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Prezi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Prezi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Prezi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Prezi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Prezi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Prezi.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Prezi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: Y:\prezi-repo\portable-prezi-launcher\win\portable-air-launcher\Release\portable-air-launcher.pdb source: Prezi.exe

Source: Prezi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Prezi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Prezi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Prezi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Prezi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Prezi.exe

Code function: 0_2_009D2E95 push ecx; ret

0_2_009D2EA8

Source: C:\Users\user\Desktop\Prezi.exe

Code function: 0_2_009D53D0 EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_009D53D0

Source: C:\Users\user\Desktop\Prezi.exe

Code function: 0_2_009D22FF RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_009D22FF

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Prezi.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-4785

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Prezi.exe

Code function: 0_2_009D1283 IsDebuggerPresent,

0_2_009D1283

Source: C:\Users\user\Desktop\Prezi.exe

0_2_009D53D0

Source: C:\Users\user\Desktop\Prezi.exe

0_2_009D53D0

Source: C:\Users\user\Desktop\Prezi.exe

Code function: 0_2_009D26E2 GetProcessHeap,

0_2_009D26E2

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Prezi.exe	Code function: 0_2_009D3348 SetUnhandledExceptionFilter,		0_2_009D3348
Source: C:\Users\user\Desktop\Prezi.exe	Code function: 0_2_009D336B SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_009D336B

Source: C:\Users\user\Desktop\Prezi.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c start content\Prezi.exe	Jump to behavior
Source: C:\Users\user\Desktop\Prezi.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c start content\Prezi.exe	Jump to behavior
Source: C:\Users\user\Desktop\Prezi.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c start content\Prezi.exe	Jump to behavior

Source: C:\Users\user\Desktop\Prezi.exe

Code function: 0_2_009D5F9C cpuid

0_2_009D5F9C

Source: C:\Users\user\Desktop\Prezi.exe

Code function: 0_2_009D2D0D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_009D2D0D

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	11 Process Injection	11 Process Injection	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	3 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Prezi.exe	0%	ReversingLabs
Prezi.exe	0%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	895528
Start date and time:	2023-06-28 09:06:53 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Cmdline fuzzy
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Prezi.exe
Detection:	CLEAN
Classification:	clean7.winEXE@12/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 93.5%) Quality average: 83.6% Quality standard deviation: 28.3%
HCA Information:	Successful, ratio: 97% Number of executed functions: 7 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.567605189747324
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Prezi.exe
File size:	117'248 bytes
MD5:	a75988e32c623dd43071861e5677cfe2
SHA1:	e0be685f8b62f42724d06678916714680afef3d7
SHA256:	e3328de058cc66e4b0431844320814f7298038ae82f34d3d15ee3335b2f7de1e
SHA512:	4dce88c56555810c2e56b2d8dbf442e3360d15b33d3112f13c82108500b74d3c9a1a15e6d9692603022e12627e71fc50ab4544dbca0f3ede4a4b82065a279c3f
SSDEEP:	3072:7bfvOSiYGbZ36uq6mMpL2b2ocpPrFJ2q:P+S3GtRGMpL2M5f2q
TLSH:	69B36A03AADFD072E8324335D82481FD452B7D1BDA749B17AB907D9939B41D1BF28B22
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........EZ[.+.[.+.[.+..O..@.+..O..V.+..O..=.+.R...X.+.[.*...+..N..Y.+..N..Z.+.[...Z.+..N..Z.+.Rich[.+.........................PE..L..

File Icon


Icon Hash:	130f333933130b17

Static PE Info

General

Entrypoint:	0x401279
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x50C0FFCA [Thu Dec 6 20:27:54 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	8e37642c48b09f3a73eb4b7dd07fbc44

Entrypoint Preview

Instruction
call 00007F2BFC9B5624h
jmp 00007F2BFC9B3A10h
push ebp
mov ebp, esp
call dword ptr [0040A004h]
push 00000001h
mov dword ptr [004100E4h], eax
call 00007F2BFC9B5942h
push dword ptr [ebp+08h]
call 00007F2BFC9B5C60h
cmp dword ptr [004100E4h], 00000000h
pop ecx
pop ecx
jne 00007F2BFC9B3B9Ah
push 00000001h
call 00007F2BFC9B5928h
pop ecx
push C0000409h
call 00007F2BFC9B5C2Eh
pop ecx
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007F2BFC9BBAC9h
test eax, eax
je 00007F2BFC9B3B97h
push 00000002h
pop ecx
int 29h
mov dword ptr [0040FEC8h], eax
mov dword ptr [0040FEC4h], ecx
mov dword ptr [0040FEC0h], edx
mov dword ptr [0040FEBCh], ebx
mov dword ptr [0040FEB8h], esi
mov dword ptr [0040FEB4h], edi
mov word ptr [0040FEE0h], ss
mov word ptr [0040FED4h], cs
mov word ptr [0040FEB0h], ds
mov word ptr [0040FEACh], es
mov word ptr [0040FEA8h], fs
mov word ptr [0040FEA4h], gs
pushfd
pop dword ptr [0040FED8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0040FECCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0040FED0h], eax
lea eax, dword ptr [ebp+08h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe0b4	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0xc620	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1f000	0xbec	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa160	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xdce8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8210	0x8400	False	0.6102331912878788	data	6.512682987508266	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa000	0x4714	0x4800	False	0.3811306423611111	data	4.536938485492855	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xf000	0x2cfc	0xe00	False	0.19642857142857142	data	2.2697057839523724	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x12000	0xc620	0xc800	False	0.76521484375	data	7.2624992548479295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1f000	0x231c	0x2400	False	0.2836371527777778	data	2.997308606369076	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x121b0	0x2bf5	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	0.9954678752332712
RT_ICON	0x14da8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2833 x 2833 px/m	English	United States	0.31117021276595747
RT_ICON	0x15210	0x5bea	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9928601784955376
RT_ICON	0x1ae00	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2833 x 2833 px/m	English	United States	0.34709193245778613
RT_ICON	0x1bea8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2833 x 2833 px/m	English	United States	0.24304979253112033
RT_GROUP_ICON	0x1e450	0x4c	data	English	United States	0.7894736842105263
RT_MANIFEST	0x1e4a0	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

GetCommandLineW, IsDebuggerPresent, IsProcessorFeaturePresent, EncodePointer, DecodePointer, GetLastError, HeapFree, SetLastError, InterlockedIncrement, InterlockedDecrement, GetCurrentThreadId, ExitProcess, GetModuleHandleExW, GetProcAddress, AreFileApisANSI, MultiByteToWideChar, GetStdHandle, WriteFile, GetModuleFileNameW, GetProcessHeap, GetFileType, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, CloseHandle, WaitForSingleObject, GetExitCodeProcess, CreateProcessA, Sleep, GetFileAttributesExW, EnterCriticalSection, LeaveCriticalSection, WideCharToMultiByte, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, LoadLibraryExW, OutputDebugStringW, LoadLibraryW, RtlUnwind, HeapAlloc, HeapReAlloc, SetEnvironmentVariableA, GetStringTypeW, HeapSize, CompareStringW, LCMapStringW, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetStdHandle, SetFilePointerEx, WriteConsoleW, CreateFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• Prezi.exe
• conhost.exe
• cmd.exe
• Prezi.exe
• conhost.exe
• cmd.exe
• Prezi.exe
• conhost.exe
• cmd.exe

Click to jump to process

Memory Usage

• Prezi.exe
• conhost.exe
• cmd.exe
• Prezi.exe
• conhost.exe
• cmd.exe
• Prezi.exe
• conhost.exe
• cmd.exe

Click to jump to process

Click to jump to process

System Behavior

Analysis Process: Prezi.exePID: 7156, Parent PID: 3452

Function Logs

General

Target ID:	0
Start time:	09:07:49
Start date:	28/06/2023
Path:	C:\Users\user\Desktop\Prezi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Prezi.exe" -install
Imagebase:	0x9d0000
File size:	117'248 bytes
MD5 hash:	A75988E32C623DD43071861E5677CFE2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Created

Process Terminated

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4688, Parent PID: 7156

Function Logs

General

Target ID:	1
Start time:	09:07:49
Start date:	28/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 2424, Parent PID: 7156

Function Logs

General

Target ID:	2
Start time:	09:07:50
Start date:	28/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c start content\Prezi.exe
Imagebase:	0xb0000
File size:	232'960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Opened

File Attributes Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: Prezi.exePID: 4764, Parent PID: 3452

Function Logs

General

Target ID:	3
Start time:	09:07:51
Start date:	28/06/2023
Path:	C:\Users\user\Desktop\Prezi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Prezi.exe" /install
Imagebase:	0x9d0000
File size:	117'248 bytes
MD5 hash:	A75988E32C623DD43071861E5677CFE2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Created

Process Terminated

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6124, Parent PID: 4764

Function Logs

General

Target ID:	4
Start time:	09:07:51
Start date:	28/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5448, Parent PID: 4764

Function Logs

General

Target ID:	5
Start time:	09:07:52
Start date:	28/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c start content\Prezi.exe
Imagebase:	0xb0000
File size:	232'960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Opened

File Attributes Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: Prezi.exePID: 7016, Parent PID: 3452

Function Logs

General

Target ID:	6
Start time:	09:07:54
Start date:	28/06/2023
Path:	C:\Users\user\Desktop\Prezi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Prezi.exe" /load
Imagebase:	0x9d0000
File size:	117'248 bytes
MD5 hash:	A75988E32C623DD43071861E5677CFE2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Created

Process Terminated

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7020, Parent PID: 7016

Function Logs

General

Target ID:	7
Start time:	09:07:54
Start date:	28/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5940, Parent PID: 7016

Function Logs

General

Target ID:	8
Start time:	09:07:54
Start date:	28/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c start content\Prezi.exe
Imagebase:	0xb0000
File size:	232'960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

File Activities

File Opened

File Attributes Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: Prezi.exePID: 7156, Parent PID: 3452COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	13.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.1%
Total number of Nodes:	1056
Total number of Limit Nodes:	25

Executed Functions

Function 009D26F7 Relevance: 15.2, APIs: 10, Instructions: 219
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E009D26F7(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t80;
				signed int _t84;
				long _t88;
				signed int _t92;
				signed int _t96;
				signed int _t97;
				signed char _t101;
				signed int _t103;
				intOrPtr _t104;
				intOrPtr* _t107;
				signed char _t109;
				long _t117;
				signed int _t126;
				signed int _t130;
				signed int _t131;
				signed int _t134;
				void** _t135;
				signed int _t137;
				void* _t138;
				signed int _t139;
				void** _t143;
				signed int _t145;
				void* _t146;
				signed int _t150;
				void* _t151;

				_push(0x64);
				_push(0x9dde90);
				E009D2E50(__ebx, __edi, __esi);
				E009D3F7E(0xb);
				_t126 = 0;
				 *(_t151 - 4) = 0;
				_push(0x40);
				_t137 = 0x20;
				_push(_t137);
				_t80 = E009D3D28();
				_t130 = _t80;
				 *(_t151 - 0x24) = _t130;
				if(_t130 != 0) {
					 *0x9e0758 = _t80;
					 *0x9e1cdc = _t137;
					while(1) {
						__eflags = _t130 - _t80 + 0x800;
						if(_t130 >= _t80 + 0x800) {
							break;
						}
						 *((short*)(_t130 + 4)) = 0xa00;
						 *_t130 =  *_t130 | 0xffffffff;
						 *(_t130 + 8) = _t126;
						 *(_t130 + 0x24) =  *(_t130 + 0x24) & 0x00000080;
						 *(_t130 + 0x24) =  *(_t130 + 0x24) & 0x0000007f;
						 *((short*)(_t130 + 0x25)) = 0xa0a;
						 *(_t130 + 0x38) = _t126;
						 *(_t130 + 0x34) = _t126;
						_t130 = _t130 + 0x40;
						 *(_t151 - 0x24) = _t130;
						_t80 =  *0x9e0758; // 0x1270198
					}
					GetStartupInfoW(_t151 - 0x74);
					__eflags =  *((short*)(_t151 - 0x42));
					if( *((short*)(_t151 - 0x42)) == 0) {
						while(1) {
							L27:
							 *(_t151 - 0x2c) = _t126;
							__eflags = _t126 - 3;
							if(_t126 >= 3) {
								break;
							}
							_t143 = (_t126 << 6) +  *0x9e0758;
							 *(_t151 - 0x24) = _t143;
							__eflags =  *_t143 - 0xffffffff;
							if( *_t143 == 0xffffffff) {
								L31:
								_t143[1] = 0x81;
								__eflags = _t126;
								if(_t126 != 0) {
									_t65 = _t126 - 1; // -1
									asm("sbb eax, eax");
									_t88 =  ~_t65 + 0xfffffff5;
									__eflags = _t88;
								} else {
									_t88 = 0xfffffff6;
								}
								_t138 = GetStdHandle(_t88);
								__eflags = _t138 - 0xffffffff;
								if(_t138 == 0xffffffff) {
									L43:
									_t143[1] = _t143[1] | 0x00000040;
									 *_t143 = 0xfffffffe;
									_t92 =  *0x9e0c3c; // 0x0
									__eflags = _t92;
									if(_t92 != 0) {
										 *( *((intOrPtr*)(_t92 + _t126 * 4)) + 0x10) = 0xfffffffe;
									}
									goto L45;
								} else {
									__eflags = _t138;
									if(_t138 == 0) {
										goto L43;
									}
									_t96 = GetFileType(_t138); // executed
									__eflags = _t96;
									if(_t96 == 0) {
										goto L43;
									}
									 *_t143 = _t138;
									_t97 = _t96 & 0x000000ff;
									__eflags = _t97 - 2;
									if(_t97 != 2) {
										__eflags = _t97 - 3;
										if(_t97 != 3) {
											L42:
											_t69 =  &(_t143[3]); // -10356556
											InitializeCriticalSectionAndSpinCount(_t69, 0xfa0);
											_t143[2] = _t143[2] + 1;
											L45:
											_t126 = _t126 + 1;
											continue;
										}
										_t101 = _t143[1] | 0x00000008;
										__eflags = _t101;
										L41:
										_t143[1] = _t101;
										goto L42;
									}
									_t101 = _t143[1] | 0x00000040;
									goto L41;
								}
							}
							__eflags =  *_t143 - 0xfffffffe;
							if( *_t143 == 0xfffffffe) {
								goto L31;
							}
							_t143[1] = _t143[1] | 0x00000080;
							goto L45;
						}
						 *(_t151 - 4) = 0xfffffffe;
						E009D299C();
						_t84 = 0;
						__eflags = 0;
						L47:
						return E009D2E95(_t84);
					}
					_t103 =  *(_t151 - 0x40);
					__eflags = _t103;
					if(_t103 == 0) {
						goto L27;
					}
					_t131 =  *_t103;
					 *(_t151 - 0x1c) = _t131;
					_t104 = _t103 + 4;
					 *((intOrPtr*)(_t151 - 0x28)) = _t104;
					 *(_t151 - 0x20) = _t104 + _t131;
					__eflags = _t131 - 0x800;
					if(_t131 >= 0x800) {
						_t131 = 0x800;
						 *(_t151 - 0x1c) = 0x800;
					}
					_t145 = 1;
					__eflags = 1;
					 *(_t151 - 0x30) = 1;
					while(1) {
						__eflags =  *0x9e1cdc - _t131; // 0x20
						if(__eflags >= 0) {
							break;
						}
						_t134 = E009D3D28(_t137, 0x40);
						 *(_t151 - 0x24) = _t134;
						__eflags = _t134;
						if(_t134 != 0) {
							0x9e0758[_t145] = _t134;
							 *0x9e1cdc =  *0x9e1cdc + _t137;
							__eflags =  *0x9e1cdc;
							while(1) {
								__eflags = _t134 - 0x9e0758[_t145] + 0x800;
								if(_t134 >= 0x9e0758[_t145] + 0x800) {
									break;
								}
								 *((short*)(_t134 + 4)) = 0xa00;
								 *_t134 =  *_t134 | 0xffffffff;
								 *(_t134 + 8) = _t126;
								 *(_t134 + 0x24) =  *(_t134 + 0x24) & 0x00000080;
								 *((short*)(_t134 + 0x25)) = 0xa0a;
								 *(_t134 + 0x38) = _t126;
								 *(_t134 + 0x34) = _t126;
								_t134 = _t134 + 0x40;
								 *(_t151 - 0x24) = _t134;
							}
							_t145 = _t145 + 1;
							 *(_t151 - 0x30) = _t145;
							_t131 =  *(_t151 - 0x1c);
							continue;
						}
						_t131 =  *0x9e1cdc; // 0x20
						 *(_t151 - 0x1c) = _t131;
						break;
					}
					_t139 = _t126;
					 *(_t151 - 0x2c) = _t139;
					_t107 =  *((intOrPtr*)(_t151 - 0x28));
					_t135 =  *(_t151 - 0x20);
					while(1) {
						__eflags = _t139 - _t131;
						if(_t139 >= _t131) {
							goto L27;
						}
						_t146 =  *_t135;
						__eflags = _t146 - 0xffffffff;
						if(_t146 == 0xffffffff) {
							L22:
							_t139 = _t139 + 1;
							 *(_t151 - 0x2c) = _t139;
							_t107 =  *((intOrPtr*)(_t151 - 0x28)) + 1;
							 *((intOrPtr*)(_t151 - 0x28)) = _t107;
							_t135 =  &(_t135[1]);
							 *(_t151 - 0x20) = _t135;
							continue;
						}
						__eflags = _t146 - 0xfffffffe;
						if(_t146 == 0xfffffffe) {
							goto L22;
						}
						_t109 =  *_t107;
						__eflags = _t109 & 0x00000001;
						if((_t109 & 0x00000001) == 0) {
							goto L22;
						}
						__eflags = _t109 & 0x00000008;
						if((_t109 & 0x00000008) != 0) {
							L20:
							_t150 = ((_t139 & 0x0000001f) << 6) + 0x9e0758[_t139 >> 5];
							 *(_t151 - 0x24) = _t150;
							 *_t150 =  *_t135;
							 *((char*)(_t150 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t151 - 0x28))));
							_t37 = _t150 + 0xc; // 0xd
							InitializeCriticalSectionAndSpinCount(_t37, 0xfa0);
							_t38 = _t150 + 8;
							 *_t38 =  *(_t150 + 8) + 1;
							__eflags =  *_t38;
							_t135 =  *(_t151 - 0x20);
							L21:
							_t131 =  *(_t151 - 0x1c);
							goto L22;
						}
						_t117 = GetFileType(_t146);
						_t135 =  *(_t151 - 0x20);
						__eflags = _t117;
						if(_t117 == 0) {
							goto L21;
						}
						goto L20;
					}
					goto L27;
				}
				_t84 = E009D55C0(_t151, 0x9df000, _t151 - 0x10, 0xfffffffe) | 0xffffffff;
				goto L47;
			}

0x009d26f7
0x009d26f9
0x009d26fe
0x009d2705
0x009d270b
0x009d270d
0x009d2710
0x009d2714
0x009d2715
0x009d2716
0x009d271d
0x009d271f
0x009d2724
0x009d2741
0x009d2746
0x009d274c
0x009d2751
0x009d2753
0x00000000
0x00000000
0x009d2755
0x009d275b
0x009d275e
0x009d2761
0x009d276a
0x009d276d
0x009d2773
0x009d2776
0x009d2779
0x009d277c
0x009d277f
0x009d277f
0x009d278a
0x009d2790
0x009d2795
0x009d28c4
0x009d28c4
0x009d28c4
0x009d28c7
0x009d28ca
0x00000000
0x00000000
0x009d28d5
0x009d28db
0x009d28de
0x009d28e1
0x009d28f6
0x009d28f6
0x009d28fa
0x009d28fc
0x009d2903
0x009d2908
0x009d290a
0x009d290a
0x009d28fe
0x009d2900
0x009d2900
0x009d2914
0x009d2916
0x009d2919
0x009d2960
0x009d2966
0x009d2969
0x009d296f
0x009d2974
0x009d2976
0x009d297b
0x009d297b
0x00000000
0x009d291b
0x009d291b
0x009d291d
0x00000000
0x00000000
0x009d2920
0x009d2926
0x009d2928
0x00000000
0x00000000
0x009d292a
0x009d292c
0x009d2931
0x009d2934
0x009d293e
0x009d2941
0x009d294c
0x009d2951
0x009d2955
0x009d295b
0x009d2982
0x009d2982
0x00000000
0x009d2982
0x009d2947
0x009d2947
0x009d2949
0x009d2949
0x00000000
0x009d2949
0x009d293a
0x00000000
0x009d293a
0x009d2919
0x009d28e3
0x009d28e6
0x00000000
0x00000000
0x009d28ee
0x00000000
0x009d28ee
0x009d2988
0x009d298f
0x009d2994
0x009d2994
0x009d2996
0x009d299b
0x009d299b
0x009d279b
0x009d279e
0x009d27a0
0x00000000
0x00000000
0x009d27a6
0x009d27a8
0x009d27ab
0x009d27ae
0x009d27b3
0x009d27bb
0x009d27bd
0x009d27bf
0x009d27c1
0x009d27c1
0x009d27c6
0x009d27c6
0x009d27c7
0x009d27ca
0x009d27ca
0x009d27d0
0x00000000
0x00000000
0x009d27dc
0x009d27de
0x009d27e1
0x009d27e3
0x009d2877
0x009d287e
0x009d287e
0x009d2884
0x009d2890
0x009d2892
0x00000000
0x00000000
0x009d2894
0x009d289a
0x009d289d
0x009d28a0
0x009d28a4
0x009d28aa
0x009d28ad
0x009d28b0
0x009d28b3
0x009d28b3
0x009d28b8
0x009d28b9
0x009d28bc
0x00000000
0x009d28bc
0x009d27e9
0x009d27ef
0x00000000
0x009d27ef
0x009d27f2
0x009d27f4
0x009d27f7
0x009d27fa
0x009d27fd
0x009d27fd
0x009d27ff
0x00000000
0x00000000
0x009d2805
0x009d2807
0x009d280a
0x009d2864
0x009d2864
0x009d2865
0x009d286b
0x009d286c
0x009d286f
0x009d2872
0x00000000
0x009d2872
0x009d280c
0x009d280f
0x00000000
0x00000000
0x009d2811
0x009d2813
0x009d2815
0x00000000
0x00000000
0x009d2817
0x009d2819
0x009d2829
0x009d2836
0x009d283d
0x009d2842
0x009d2849
0x009d2851
0x009d2855
0x009d285b
0x009d285b
0x009d285b
0x009d285e
0x009d2861
0x009d2861
0x00000000
0x009d2861
0x009d281c
0x009d2822
0x009d2825
0x009d2827
0x00000000
0x00000000
0x00000000
0x009d2827
0x00000000
0x009d27fd
0x009d2739
0x00000000

APIs

__lock.LIBCMT ref: 009D2705

Part of subcall function 009D3F7E: __mtinitlocknum.LIBCMT ref: 009D3F90
Part of subcall function 009D3F7E: EnterCriticalSection.KERNEL32(00000000,?,009D1AFD,00000007,009DDE00,00000010,009D103D,?,00000000,COMSPEC), ref: 009D3FA9

__calloc_crt.LIBCMT ref: 009D2716

Part of subcall function 009D3D28: __calloc_impl.LIBCMT ref: 009D3D37
Part of subcall function 009D3D28: Sleep.KERNEL32(00000000,COMSPEC), ref: 009D3D4E

@_EH4_CallFilterFunc@8.LIBCMT ref: 009D2731
GetStartupInfoW.KERNEL32(?,009DDE90,00000064,009D118A,009DDDE0,00000014,00000000,00000000,00000000,00000000,00000000), ref: 009D278A
__calloc_crt.LIBCMT ref: 009D27D5
GetFileType.KERNEL32(00000001), ref: 009D281C
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 009D2855

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: 0108d1318d5f9718a2fb07d2a9f077eede7650250c36edf3d9a76bc25952df49
Instruction ID: ccfd4d845cc1434127e5192fa4d3253df7a32f1b26481f6bf6eaa8c48f6a0fac
Opcode Fuzzy Hash: 0108d1318d5f9718a2fb07d2a9f077eede7650250c36edf3d9a76bc25952df49
Instruction Fuzzy Hash: B7810470D443858FCB24CF68C8806ADBBF4AF65324B24C66FD4A6AB3D1C7359842DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009D356B Relevance: 15.2, APIs: 10, Instructions: 198
processsynchronizationCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E009D356B(void* __ebx, void* __edi, long _a4, CHAR* _a8, signed int _a12, void* _a16) {
				char _v5;
				signed int _v12;
				long _v16;
				struct _SECURITY_ATTRIBUTES** _v20;
				CHAR* _v24;
				long _v28;
				struct _PROCESS_INFORMATION _v44;
				struct _STARTUPINFOA _v112;
				intOrPtr _v116;
				signed int _v120;
				signed int _v124;
				signed int _v136;
				void* _v148;
				long _v152;
				signed int _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				signed int _v168;
				signed int _v176;
				intOrPtr _v180;
				signed int _v188;
				intOrPtr _v192;
				signed int _v220;
				void* __esi;
				void* __ebp;
				signed int _t162;
				signed int _t165;
				signed int _t166;
				signed int* _t171;
				signed int _t172;
				signed int _t176;
				signed int _t180;
				signed int _t186;
				signed int _t187;
				signed int _t190;
				void* _t192;
				signed int* _t193;
				signed int* _t197;
				signed int _t201;
				signed int _t209;
				signed int _t211;
				signed int _t213;
				signed int _t218;
				signed int _t222;
				signed int* _t226;
				signed int _t227;
				signed int _t228;
				signed int _t235;
				signed int _t243;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t255;
				signed int _t262;
				signed int _t265;
				void* _t271;
				void* _t278;
				signed int* _t286;
				signed char _t289;
				signed int* _t290;
				struct _SECURITY_ATTRIBUTES* _t300;
				signed int _t302;
				void* _t304;
				signed int* _t305;
				signed int* _t306;
				signed int _t307;
				signed int _t314;
				signed int* _t317;
				signed int _t319;
				signed int _t323;
				intOrPtr _t330;
				signed int _t332;
				signed int _t341;
				struct _SECURITY_ATTRIBUTES* _t348;
				signed int* _t352;
				signed int* _t353;
				signed int _t358;
				signed int _t359;
				signed int _t361;
				signed int _t364;
				void* _t365;
				struct _SECURITY_ATTRIBUTES** _t366;
				long _t368;
				signed int _t369;
				signed int _t371;
				signed int _t373;
				signed int* _t374;
				char* _t377;
				signed int _t378;
				void* _t379;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				signed int _t386;
				void* _t388;
				signed int _t389;
				void* _t390;
				void* _t391;
				void* _t392;
				void* _t394;
				signed int _t401;

				_push(__ebx);
				_push(__edi);
				_t361 = _a4;
				_t300 = 0;
				_v16 = 0;
				_v5 = 0;
				if(_t361 == 0) {
					L6:
					_t162 = _a12;
					_v24 = _t162;
					while( *_t162 != _t300) {
						do {
							_t162 = _t162 + 1;
							__eflags =  *_t162 - _t300;
						} while ( *_t162 != _t300);
						__eflags =  *(_t162 + 1) - _t300;
						if( *(_t162 + 1) != _t300) {
							 *_t162 = 0x20;
							_t162 = _t162 + 1;
							__eflags = _t162;
						}
					}
					_t368 = 0x44;
					E009D3390( &_v112, _t300, _t368);
					_v112.cb = _t368;
					_t369 =  *0x9e1cdc; // 0x20
					_t389 = _t388 + 0xc;
					if(_t369 != 0) {
						_t10 = _t369 - 1; // 0x1f
						_t359 = _t10;
						while( *((intOrPtr*)( *((intOrPtr*)(0x9e0758 + (_t359 >> 5) * 4)) + ((_t359 & 0x0000001f) << 6) + 4)) == _t300) {
							_t359 = _t359 - 1;
							_t369 = _t369 - 1;
							if(_t369 != 0) {
								continue;
							}
							break;
						}
						_t401 = _t369;
					}
					if(_t401 < 0 || _t369 >= 0x3332) {
						L43:
						_t165 = E009D1A96();
						 *_t165 = 0xc;
						goto L44;
					} else {
						_v112.cbReserved2 = 4 + _t369 * 5;
						_t171 = E009D3D28(0x00000004 + _t369 * 0x00000005 & 0x0000ffff, 1);
						_v112.lpReserved2 = _t171;
						if(_t171 == 0) {
							goto L43;
						} else {
							 *_t171 = _t369;
							_t172 = _v112.lpReserved2;
							_t357 = _t300;
							_v20 = _t172 + 4;
							_v12 = _t172 + 4 + _t369;
							if(_t369 > 0) {
								_t366 = _v20;
								do {
									_t352 = ((_t357 & 0x0000001f) << 6) +  *((intOrPtr*)(0x9e0758 + (_t357 >> 5) * 4));
									_t289 = _t352[1];
									if((_t289 & 0x00000010) != 0) {
										_t290 = _v12;
										 *_t366 = _t300;
										 *_t290 =  *_t290 | 0xffffffff;
										__eflags =  *_t290;
									} else {
										 *_t366 = _t289;
										_t353 = _v12;
										 *_t353 =  *_t352;
										_t290 = _t353;
									}
									_t357 = _t357 + 1;
									_t366 =  &(_t366[0]);
									_v12 =  &(_t290[1]);
								} while (_t357 < _t369);
								_t172 = _v112.lpReserved2;
								_t361 = _a4;
							}
							if(_v5 != _t300) {
								_t357 = _t172 + 4;
								_t348 = _t300;
								_t286 = _t172 + 4 + _t369;
								while(1) {
									_a4 = _t369;
									if(_t369 >= 3) {
										_a4 = 3;
									}
									if(_t348 >= _a4) {
										break;
									}
									 *_t357 = _t300;
									 *_t286 =  *_t286 | 0xffffffff;
									_t348 =  &(_t348->nLength);
									_t357 = _t357 + 1;
									_t286 =  &(_t286[1]);
								}
								_v16 = 8;
							}
							 *(E009D1A62()) = _t300;
							_t176 = CreateProcessA(_a8, _v24, _t300, _t300, 1, _v16, _a16, _t300,  &_v112,  &_v44); // executed
							_t371 = _t176;
							_a4 = GetLastError();
							E009D1C42(_v112.lpReserved2);
							__eflags = _t371;
							if(_t371 != 0) {
								__eflags = _t361 - 2;
								if(_t361 == 2) {
									E009D22EB(_t300);
									asm("int3");
									_t386 = _t389;
									_t390 = _t389 - 0x3c;
									_t180 =  *0x9df000; // 0x62f017ad
									_v136 = _t180 ^ _t386;
									_t314 = _v124;
									_push(_t300);
									_t302 = _v120;
									_push(_t371);
									_push(_t361);
									asm("movsd");
									asm("movsd");
									_v160 = _v116;
									_v152 = _v112.cb;
									_v168 = _v168 & 0;
									_v176 = _v176 & 0;
									asm("movsw");
									_v164 = 0;
									_push(2);
									asm("movsb");
									_v180 = 0;
									_t364 = 0;
									_v192 = 0;
									_t186 =  *_t314;
									_v156 = _t314;
									_v188 = _t302;
									_t373 = _t314;
									__eflags = _t186;
									if(_t186 != 0) {
										do {
											_t278 = E009D34E0(_t186);
											_t373 = _t373 + 4;
											_t364 = _t364 + _t278 + 1;
											_t186 =  *_t373;
											__eflags = _t186;
										} while (_t186 != 0);
										_v112.dwFlags = _t364;
									}
									_t187 = E009D3D28(_t364, 1);
									_t317 = _v44.dwProcessId;
									 *_t317 = _t187;
									__eflags = _t187;
									if(__eflags != 0) {
										_push( &_v24);
										_push(0);
										_push( &_v44);
										_t190 = E009D1AEA(_t302, _t357, _t364, _t373, __eflags);
										_t391 = _t390 + 0xc;
										__eflags = _t190;
										if(_t190 == 0) {
											_t192 = E009D34E0( &_v24);
											__eflags = _v44.hProcess;
											_t80 = _t192 + 2; // 0x2
											_t364 = _t80;
											if(_v44.hProcess != 0) {
												_t364 = _t364 + E009D34E0(_v44.hProcess);
												__eflags = _t364;
											}
											__eflags = _t302;
											if(_t302 == 0) {
												_t193 = _v28;
												 *_t193 =  *_t193 & 0x00000000;
												__eflags =  *_t193;
												_v112.lpReserved2 = _v112.hStdOutput;
												_v112.hStdError = _v112.hStdOutput;
												_v112.wShowWindow = _v112.hStdOutput;
												goto L86;
											} else {
												_t250 =  *_t302;
												_t381 = _t302;
												__eflags = _t250;
												if(_t250 != 0) {
													_t307 = 2;
													do {
														_t271 = E009D34E0(_t250);
														_t381 = _t381 + 4;
														_t307 = _t307 + _t271 + 1;
														_t250 =  *_t381;
														__eflags = _t250;
													} while (_t250 != 0);
													_v112.hStdInput = _t307;
													_t302 = _v112.wShowWindow;
												}
												_t251 =  *0x9dfdc0; // 0x0
												__eflags = _t251;
												if(_t251 != 0) {
													L66:
													_t382 = 0;
													__eflags =  *_t251;
													_v112.lpReserved2 = 0;
													if( *_t251 != 0) {
														_t341 =  *_t251;
														_t357 = _t251;
														while(1) {
															__eflags = _t341 - 0x3d;
															if(_t341 == 0x3d) {
																break;
															}
															_t382 = _t382 + E009D34E0(_t357) + 1;
															_t251 =  *0x9dfdc0; // 0x0
															_t357 = _t251 + _t382;
															_t341 =  *(_t251 + _t382);
															__eflags = _t341;
															if(_t341 != 0) {
																continue;
															}
															break;
														}
														_v112.lpReserved2 = _t382;
													}
													_t330 = _t382;
													_t252 = _t251 + _t382;
													while(1) {
														__eflags =  *_t252 - 0x3d;
														_v112.hStdError = _t330;
														if( *_t252 != 0x3d) {
															break;
														}
														__eflags =  *((char*)(_t252 + 1));
														if( *((char*)(_t252 + 1)) != 0) {
															__eflags =  *((char*)(_t252 + 2)) - 0x3a;
															if( *((char*)(_t252 + 2)) == 0x3a) {
																__eflags =  *((char*)(_t252 + 3)) - 0x3d;
																if( *((char*)(_t252 + 3)) == 0x3d) {
																	_t330 = _v112.hStdError + 5 + E009D34E0(_t252 + 4);
																	_t265 =  *0x9dfdc0; // 0x0
																	_t252 = _t265 + _t330;
																	__eflags = _t252;
																	continue;
																}
															}
														}
														break;
													}
													_t332 = _v112.hStdInput + _t330 - _t382;
													__eflags =  *_t302;
													_v112.hStdInput = _t332;
													_v112.wShowWindow = _t332;
													_t383 = _t302;
													if( *_t302 == 0) {
														L81:
														_t333 = _t332 + _t364;
														__eflags = _t332 + _t364;
													} else {
														while(1) {
															_t262 = E009D6160( *_t383,  &_v24, E009D34E0( &_v24));
															_t391 = _t391 + 0x10;
															__eflags = _t262;
															if(_t262 == 0) {
																break;
															}
															_t383 = _t383 + 4;
															__eflags =  *_t383;
															if( *_t383 != 0) {
																continue;
															} else {
																_t332 = _v112.hStdInput;
																goto L81;
															}
															goto L82;
														}
														_t333 = _v112.hStdInput;
														_v112.hStdOutput = 1;
													}
													L82:
													_t255 = E009D3D28(_t333, 1);
													 *_v28 = _t255;
													__eflags = _t255;
													if(_t255 != 0) {
														L86:
														_t197 = _v44.dwThreadId;
														_t317 = _v44.dwProcessId;
														__eflags =  *_t197;
														_t373 =  *_t317;
														if( *_t197 != 0) {
															_t201 = E009D3420(_t373, _t373 - _t373 + _v112.dwFlags,  *_t197);
															_t391 = _t391 + 0xc;
															__eflags = _t201;
															if(_t201 != 0) {
																goto L117;
															} else {
																_t373 = _t373 + 1 + E009D34E0( *(_v44.dwThreadId));
																_t197 =  &(_v44.dwThreadId[1]);
																goto L92;
															}
														} else {
															_t373 = _t373 + 1;
															L93:
															_t218 =  *_t197;
															__eflags = _t218;
															if(_t218 != 0) {
																_t222 = E009D3420(_t373,  *_t317 - _t373 + _v112.dwFlags, _t218);
																_t391 = _t391 + 0xc;
																__eflags = _t222;
																if(_t222 != 0) {
																	goto L117;
																} else {
																	_t377 = _t373 + E009D34E0( *(_v44.dwThreadId));
																	_t197 =  &(_v44.dwThreadId[1]);
																	 *_t377 = 0x20;
																	_t373 = _t377 + 1;
																	__eflags = _t373;
																	L92:
																	_t317 = _v44.dwProcessId;
																	_v44.dwThreadId = _t197;
																	goto L93;
																}
															} else {
																 *(_t373 - 1) = _t218;
																_t226 = _v28;
																_t378 =  *_t226;
																__eflags = _t302;
																if(_t302 == 0) {
																	L106:
																	__eflags = _t378;
																	if(_t378 != 0) {
																		__eflags = _t378 -  *_t226;
																		if(_t378 ==  *_t226) {
																			 *_t378 = 0;
																			_t378 = _t378 + 1;
																			__eflags = _t378;
																		}
																		 *_t378 = 0;
																	}
																	goto L110;
																} else {
																	_t235 =  *0x9dfdc0; // 0x0
																	E009D5890(_t378, _t235 + _v112.lpReserved2, _v112.hStdError - _v112.lpReserved2);
																	_t392 = _t391 + 0xc;
																	_t373 = _t378 + _v112.hStdError - _v112.lpReserved2;
																	while(1) {
																		__eflags =  *_t302;
																		if( *_t302 == 0) {
																			break;
																		}
																		_t317 = _v28;
																		_t243 = E009D3420(_t373, _v112.wShowWindow - _t373 +  *_t317,  *_t302);
																		_t391 = _t392 + 0xc;
																		__eflags = _t243;
																		if(_t243 != 0) {
																			goto L117;
																		} else {
																			_t373 = _t373 + 1 + E009D34E0( *_t302);
																			_pop(_t317);
																			_t302 = _t302 + 4;
																			__eflags = _t302;
																			continue;
																		}
																		goto L129;
																	}
																	__eflags = _v112.hStdOutput;
																	if(_v112.hStdOutput != 0) {
																		L105:
																		_t226 = _v28;
																		goto L106;
																	} else {
																		_t246 = E009D3420(_t373, _t364,  &_v24);
																		_t391 = _t391 + 0xc;
																		__eflags = _t246;
																		if(_t246 != 0) {
																			goto L117;
																		} else {
																			_t247 = E009D3475(_t373, _t364, "=");
																			_t391 = _t391 + 0xc;
																			__eflags = _t247;
																			if(_t247 != 0) {
																				goto L117;
																			} else {
																				_t248 = _v44.hProcess;
																				__eflags = _t248;
																				if(_t248 == 0) {
																					L104:
																					_t378 = _t373 + _t364;
																					__eflags = _t378;
																					goto L105;
																				} else {
																					_t249 = E009D3475(_t373, _t364, _t248);
																					_t391 = _t391 + 0xc;
																					__eflags = _t249;
																					if(_t249 != 0) {
																						goto L117;
																					} else {
																						goto L104;
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t305 = _v44.dwProcessId;
														E009D1C42( *_t305);
														 *_t305 =  *_t305 & 0x00000000;
														 *((intOrPtr*)(E009D1A96())) = 0xc;
														 *(E009D1A62()) = 8;
														goto L111;
													}
												} else {
													_t251 = E009D60D5();
													 *0x9dfdc0 = _t251;
													__eflags = _t251;
													if(_t251 != 0) {
														goto L66;
													} else {
														goto L65;
													}
												}
											}
										} else {
											__eflags = _t190 - 0x16;
											if(_t190 != 0x16) {
												L65:
												_t306 = _v44.dwProcessId;
												_v44.hThread = _t251 | 0xffffffff;
												E009D1C42( *_t306);
												 *_t306 =  *_t306 & 0x00000000;
												 *_v28 =  *_v28 & 0x00000000;
												L110:
												L111:
												_t227 =  *0x9dfdc0; // 0x0
												__eflags = _t227;
												if(_t227 != 0) {
													E009D1C42(_t227);
												}
												_t228 = _v44.hProcess;
												 *0x9dfdc0 =  *0x9dfdc0 & 0x00000000;
												__eflags = _t228;
												if(_t228 != 0) {
													E009D1C42(_t228);
												}
												goto L116;
											} else {
												L117:
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												E009D1524(_t302, _t357);
												asm("int3");
												_push(_t386);
												_push(_t373);
												_t374 = _t317;
												_t319 = _v220;
												_t374[3] = 0;
												__eflags = _t319;
												if(_t319 != 0) {
													 *_t374 =  *_t319;
													_t374[1] =  *(_t319 + 4);
												} else {
													_t358 = E009D1F5B();
													_t374[2] = _t358;
													 *_t374 =  *(_t358 + 0x6c);
													_t374[1] =  *(_t358 + 0x68);
													__eflags =  *_t374 -  *0x9df474; // 0x9df478
													if(__eflags != 0) {
														_t213 =  *0x9dfd10; // 0xfffffffe
														__eflags =  *(_t358 + 0x70) & _t213;
														if(__eflags == 0) {
															 *_t374 = E009D455B(_t302, _t358, _t364, _t374, __eflags);
														}
													}
													__eflags = _t374[1] -  *0x9df538; // 0x1272040
													if(__eflags != 0) {
														_t211 =  *0x9dfd10; // 0xfffffffe
														__eflags =  *(_t374[2] + 0x70) & _t211;
														if(__eflags == 0) {
															_t374[1] = E009D48DD(_t302, _t358, _t364, _t374, __eflags);
														}
													}
													_t323 = _t374[2];
													_t209 =  *(_t323 + 0x70);
													__eflags = _t209 & 0x00000002;
													if((_t209 & 0x00000002) == 0) {
														 *(_t323 + 0x70) = _t209 | 0x00000002;
														_t374[3] = 1;
													}
												}
												return _t374;
											}
										}
									} else {
										 *_v28 =  *_v28 & 0x00000000;
										 *((intOrPtr*)(E009D1A96())) = 0xc;
										 *(E009D1A62()) = 8;
										L116:
										_pop(_t365);
										_pop(_t379);
										__eflags = _v12 ^ _t386;
										_pop(_t304);
										return E009D1010(_t304, _v12 ^ _t386, _t357, _t365, _t379);
									}
								} else {
									__eflags = _t361;
									if(_t361 != 0) {
										__eflags = _t361 - 4;
										if(_t361 != 4) {
											_t300 = _v44.hProcess;
										} else {
											goto L40;
										}
									} else {
										WaitForSingleObject(_v44.hProcess, 0xffffffff);
										GetExitCodeProcess(_v44.hProcess,  &_v28); // executed
										_t300 = _v28;
										L40:
										CloseHandle(_v44);
									}
									CloseHandle(_v44.hThread);
									_t166 = _t300;
									goto L45;
								}
							} else {
								_t165 = E009D1A75(_a4);
								L44:
								_t166 = _t165 | 0xffffffff;
								__eflags = _t166;
								L45:
								goto L46;
							}
						}
					}
				} else {
					_t394 = _t361 - 1;
					if(_t394 == 0) {
						goto L6;
					} else {
						if(_t394 <= 0) {
							L7:
							 *(E009D1A62()) = _t300;
							 *((intOrPtr*)(E009D1A96())) = 0x16;
							_t166 = E009D1514() | 0xffffffff;
							L46:
							return _t166;
						} else {
							if(_t361 <= 3) {
								goto L6;
							} else {
								if(_t361 != 4) {
									goto L7;
								} else {
									_v5 = 1;
									goto L6;
								}
							}
						}
					}
				}
				L129:
			}

0x009d3571
0x009d3572
0x009d3573
0x009d3576
0x009d3578
0x009d357b
0x009d3580
0x009d3597
0x009d3597
0x009d359a
0x009d35cc
0x009d35be
0x009d35be
0x009d35bf
0x009d35bf
0x009d35c3
0x009d35c6
0x009d35c8
0x009d35cb
0x009d35cb
0x009d35cb
0x009d35c6
0x009d35d3
0x009d35da
0x009d35df
0x009d35e2
0x009d35e8
0x009d35ed
0x009d35ef
0x009d35ef
0x009d35f2
0x009d360c
0x009d360d
0x009d360e
0x00000000
0x00000000
0x00000000
0x009d360e
0x009d3610
0x009d3610
0x009d3612
0x009d3769
0x009d3769
0x009d376e
0x00000000
0x009d3624
0x009d362c
0x009d3636
0x009d363d
0x009d3642
0x00000000
0x009d3648
0x009d3648
0x009d364a
0x009d364d
0x009d3652
0x009d365a
0x009d365f
0x009d3661
0x009d3664
0x009d3671
0x009d3678
0x009d367d
0x009d368c
0x009d368f
0x009d3691
0x009d3691
0x009d367f
0x009d367f
0x009d3683
0x009d3686
0x009d3688
0x009d3688
0x009d3694
0x009d3698
0x009d3699
0x009d369c
0x009d36a0
0x009d36a3
0x009d36a3
0x009d36a9
0x009d36ab
0x009d36b1
0x009d36b3
0x009d36b5
0x009d36b5
0x009d36bb
0x009d36bd
0x009d36bd
0x009d36c7
0x00000000
0x00000000
0x009d36c9
0x009d36cb
0x009d36ce
0x009d36cf
0x009d36d0
0x009d36d0
0x009d36d5
0x009d36d5
0x009d36e1
0x009d36fc
0x009d3702
0x009d370d
0x009d3710
0x009d3716
0x009d3718
0x009d3725
0x009d3728
0x009d377d
0x009d3782
0x009d3784
0x009d3786
0x009d3789
0x009d3790
0x009d3796
0x009d3799
0x009d379a
0x009d379d
0x009d379e
0x009d37a7
0x009d37a8
0x009d37a9
0x009d37af
0x009d37b4
0x009d37b7
0x009d37ba
0x009d37bc
0x009d37bf
0x009d37c2
0x009d37c3
0x009d37c6
0x009d37c8
0x009d37cb
0x009d37cd
0x009d37d0
0x009d37d3
0x009d37d5
0x009d37d7
0x009d37d9
0x009d37da
0x009d37e0
0x009d37e3
0x009d37e5
0x009d37e8
0x009d37e8
0x009d37ec
0x009d37ec
0x009d37f2
0x009d37f9
0x009d37fc
0x009d37fe
0x009d3800
0x009d3829
0x009d382d
0x009d382f
0x009d3830
0x009d3835
0x009d3838
0x009d383a
0x009d384a
0x009d384f
0x009d3854
0x009d3854
0x009d3857
0x009d3862
0x009d3862
0x009d3862
0x009d3864
0x009d3866
0x009d39b7
0x009d39ba
0x009d39ba
0x009d39c0
0x009d39c6
0x009d39cc
0x00000000
0x009d386c
0x009d386c
0x009d386e
0x009d3870
0x009d3872
0x009d3876
0x009d3877
0x009d3878
0x009d387e
0x009d3881
0x009d3883
0x009d3886
0x009d3886
0x009d388a
0x009d388d
0x009d388d
0x009d3890
0x009d3895
0x009d3897
0x009d38c6
0x009d38c6
0x009d38c8
0x009d38cb
0x009d38ce
0x009d38d0
0x009d38d2
0x009d38d4
0x009d38d4
0x009d38d7
0x00000000
0x00000000
0x009d38e0
0x009d38e2
0x009d38e8
0x009d38eb
0x009d38ed
0x009d38ef
0x00000000
0x00000000
0x00000000
0x009d38ef
0x009d38f1
0x009d38f1
0x009d38f4
0x009d38f6
0x009d3925
0x009d3925
0x009d3928
0x009d392b
0x00000000
0x00000000
0x009d38fa
0x009d38fe
0x009d3900
0x009d3904
0x009d3906
0x009d390a
0x009d391c
0x009d391e
0x009d3923
0x009d3923
0x00000000
0x009d3923
0x009d390a
0x009d3904
0x00000000
0x009d38fe
0x009d3934
0x009d3936
0x009d3939
0x009d393c
0x009d393f
0x009d3941
0x009d396a
0x009d396a
0x009d396a
0x009d3943
0x009d3943
0x009d3953
0x009d3958
0x009d395b
0x009d395d
0x00000000
0x00000000
0x009d395f
0x009d3962
0x009d3965
0x00000000
0x009d3967
0x009d3967
0x00000000
0x009d3967
0x00000000
0x009d3965
0x009d39ab
0x009d39ae
0x009d39ae
0x009d396c
0x009d396f
0x009d3979
0x009d397b
0x009d397d
0x009d39cf
0x009d39cf
0x009d39d2
0x009d39d5
0x009d39d8
0x009d39da
0x009d39ea
0x009d39ef
0x009d39f2
0x009d39f4
0x00000000
0x009d39fa
0x009d3a05
0x009d3a0a
0x00000000
0x009d3a0a
0x009d39dc
0x009d39dc
0x009d3a46
0x009d3a46
0x009d3a48
0x009d3a4a
0x009d3a19
0x009d3a1e
0x009d3a21
0x009d3a23
0x00000000
0x009d3a29
0x009d3a33
0x009d3a38
0x009d3a3b
0x009d3a3e
0x009d3a3e
0x009d3a3f
0x009d3a40
0x009d3a43
0x00000000
0x009d3a43
0x009d3a4c
0x009d3a4c
0x009d3a50
0x009d3a53
0x009d3a55
0x009d3a57
0x009d3af7
0x009d3af7
0x009d3af9
0x009d3afb
0x009d3afd
0x009d3aff
0x009d3b02
0x009d3b02
0x009d3b02
0x009d3b03
0x009d3b03
0x00000000
0x009d3a5d
0x009d3a64
0x009d3a6e
0x009d3a79
0x009d3a7c
0x009d3aac
0x009d3aac
0x009d3aaf
0x00000000
0x00000000
0x009d3a83
0x009d3a8e
0x009d3a93
0x009d3a96
0x009d3a98
0x00000000
0x009d3a9e
0x009d3aa6
0x009d3aa8
0x009d3aa9
0x009d3aa9
0x00000000
0x009d3aa9
0x00000000
0x009d3a98
0x009d3ab1
0x009d3ab5
0x009d3af4
0x009d3af4
0x00000000
0x009d3ab7
0x009d3abd
0x009d3ac2
0x009d3ac5
0x009d3ac7
0x00000000
0x009d3ac9
0x009d3ad0
0x009d3ad5
0x009d3ad8
0x009d3ada
0x00000000
0x009d3adc
0x009d3adc
0x009d3adf
0x009d3ae1
0x009d3af2
0x009d3af2
0x009d3af2
0x00000000
0x009d3ae3
0x009d3ae6
0x009d3aeb
0x009d3aee
0x009d3af0
0x00000000
0x00000000
0x00000000
0x00000000
0x009d3af0
0x009d3ae1
0x009d3ada
0x009d3ac7
0x009d3ab5
0x009d3a57
0x009d3a4a
0x009d397f
0x009d397f
0x009d3984
0x009d3989
0x009d3992
0x009d399d
0x00000000
0x009d39a3
0x009d3899
0x009d3899
0x009d389e
0x009d38a3
0x009d38a5
0x00000000
0x00000000
0x00000000
0x00000000
0x009d38a5
0x009d3897
0x009d383c
0x009d383c
0x009d383f
0x009d38a7
0x009d38a7
0x009d38af
0x009d38b2
0x009d38ba
0x009d38bd
0x009d3b06
0x009d3b09
0x009d3b09
0x009d3b0e
0x009d3b10
0x009d3b13
0x009d3b18
0x009d3b19
0x009d3b1c
0x009d3b23
0x009d3b25
0x009d3b28
0x009d3b2d
0x00000000
0x009d3841
0x009d3b3f
0x009d3b41
0x009d3b42
0x009d3b43
0x009d3b44
0x009d3b45
0x009d3b46
0x009d3b4b
0x009d3b4c
0x009d3b4f
0x009d3b50
0x009d3b52
0x009d3b55
0x009d3b59
0x009d3b5b
0x009d3bc5
0x009d3bca
0x009d3b5d
0x009d3b62
0x009d3b64
0x009d3b6a
0x009d3b6f
0x009d3b74
0x009d3b7a
0x009d3b7c
0x009d3b81
0x009d3b84
0x009d3b8b
0x009d3b8b
0x009d3b84
0x009d3b90
0x009d3b96
0x009d3b9b
0x009d3ba0
0x009d3ba3
0x009d3baa
0x009d3baa
0x009d3ba3
0x009d3bad
0x009d3bb0
0x009d3bb3
0x009d3bb5
0x009d3bba
0x009d3bbd
0x009d3bbd
0x009d3bb5
0x009d3bd1
0x009d3bd1
0x009d383f
0x009d3802
0x009d3805
0x009d380d
0x009d3818
0x009d3b30
0x009d3b33
0x009d3b34
0x009d3b35
0x009d3b37
0x009d3b3e
0x009d3b3e
0x009d372a
0x009d3730
0x009d3732
0x009d3751
0x009d3754
0x009d375d
0x00000000
0x00000000
0x00000000
0x009d3734
0x009d3739
0x009d3746
0x009d374c
0x009d3756
0x009d3759
0x009d3759
0x009d3763
0x009d3765
0x00000000
0x009d3765
0x009d371a
0x009d371d
0x009d3774
0x009d3774
0x009d3774
0x009d3777
0x00000000
0x009d3777
0x009d3718
0x009d3642
0x009d3582
0x009d3582
0x009d3585
0x00000000
0x009d3587
0x009d3587
0x009d359f
0x009d35a4
0x009d35ab
0x009d35b6
0x009d3778
0x009d377b
0x009d3589
0x009d358c
0x00000000
0x009d358e
0x009d3591
0x00000000
0x009d3593
0x009d3593
0x00000000
0x009d3593
0x009d3591
0x009d358c
0x009d3587
0x009d3585
0x00000000

APIs

_memset.LIBCMT ref: 009D35DA
__calloc_crt.LIBCMT ref: 009D3636
CreateProcessA.KERNELBASE(00000000,009D1790,00000000,00000000,00000001,00000000,009D1790,00000000,?,?,00000000,00000000,00000000), ref: 009D36FC
GetLastError.KERNEL32 ref: 009D3704
_free.LIBCMT ref: 009D3710
__dosmaperr.LIBCMT ref: 009D371D
WaitForSingleObject.KERNEL32(?,000000FF), ref: 009D3739
GetExitCodeProcess.KERNELBASE ref: 009D3746
CloseHandle.KERNEL32(?), ref: 009D3759
CloseHandle.KERNEL32(?), ref: 009D3763

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastObjectSingleWait__calloc_crt__dosmaperr_free_memset
String ID:
API String ID: 2219505352-0
Opcode ID: b363d75a7285dfac103472e37d997eaf770044707c172eebce471efed857e7b1
Instruction ID: 9bcbb86ba039ef160e3355eea948cbca218d47dfc52c41e3aa5f3f761921ab77
Opcode Fuzzy Hash: b363d75a7285dfac103472e37d997eaf770044707c172eebce471efed857e7b1
Instruction Fuzzy Hash: CF61F3B6980248AFCF128F58D8816ACBF78EF45321F14C55BE406AB351D731DE40CB62

Uniqueness

Uniqueness Score: -1.00%

Function 009D1000 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 5
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E009D1000() {
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t9;

				E009D101F(_t3, _t4, _t5, _t6, _t9, "start content\\Prezi.exe"); // executed
				return 0;
			}

0x009d1005
0x009d100f

APIs

__wsystem.LIBCMT ref: 009D1005

Part of subcall function 009D101F: __wdupenv_s.LIBCMT ref: 009D1038
Part of subcall function 009D101F: _free.LIBCMT ref: 009D10E7

Strings

start content\Prezi.exe, xrefs: 009D1000

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID: __wdupenv_s__wsystem_free
String ID: start content\Prezi.exe
API String ID: 1469334009-3679132289
Opcode ID: 922a338c3e896d67be836d36169a10f4cb675296dcaeb7746a1f106129bba2f9
Instruction ID: a5ac4f91cce04d280bc397528be655959f1130e9f179d1e202c034f38218f1ea
Opcode Fuzzy Hash: 922a338c3e896d67be836d36169a10f4cb675296dcaeb7746a1f106129bba2f9
Instruction Fuzzy Hash: 229002C2AE214411568431745C1B506104119D5605F058472A545D5346FE959198B053

Uniqueness

Uniqueness Score: -1.00%

Function 009D77C0 Relevance: 3.0, APIs: 2, Instructions: 30
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E009D77C0(intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24) {
				signed int _t13;
				signed int _t14;
				void* _t17;

				_t13 =  *0x9e1ccc; // 0x163b661d
				_t14 = _t13 ^  *0x9df000;
				if(_t14 == 0) {
					return LCMapStringW(E009D7796(_a4), _a8, _a12, _a16, _a20, _a24);
				} else {
					_t17 =  *_t14(_a4, _a8, _a12, _a16, _a20, _a24, 0, 0, 0); // executed
					return _t17;
				}
			}

0x009d77c3
0x009d77c8
0x009d77ce
0x009d780b
0x009d77d0
0x009d77e7
0x009d77ea
0x009d77ea

APIs

LCMapStringEx.KERNELBASE(?,?,?,?,?,7FFFFFFF,00000000,00000000,00000000,?,009D746A,?,?,00000000,?,00000000), ref: 009D77E7
LCMapStringW.KERNEL32(00000000,?,?,?,?,7FFFFFFF,?,009D746A,?,?,00000000,?,00000000,00000000), ref: 009D7804

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: aa9c827222c5f2584a99d60c6192edd14b7d226ce8eb48cca6df8242c8c31a6b
Instruction ID: c1ebfd8bd971ac50eaf1f28c1f5f30969c4911d0946da91516c9f02a9b181434
Opcode Fuzzy Hash: aa9c827222c5f2584a99d60c6192edd14b7d226ce8eb48cca6df8242c8c31a6b
Instruction Fuzzy Hash: 48F0923205410AFFDF069FD0EC4ACAA3F6AFB08310B048515FA1845130E772A9B1AB50

Uniqueness

Uniqueness Score: -1.00%

Function 009D220A Relevance: 3.0, APIs: 2, Instructions: 7
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E009D220A(int _a4) {
				void* _t4;

				E009D21D8(_t4, _a4);
				ExitProcess(_a4);
			}

0x009d2210
0x009d2219

APIs

___crtCorExitProcess.LIBCMT ref: 009D2210

Part of subcall function 009D21D8: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,009D2215,?,?,009D65A4,000000FF,0000001E,00000000,00000000,00000000,?,009D3D88), ref: 009D21E7
Part of subcall function 009D21D8: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 009D21F9

ExitProcess.KERNEL32 ref: 009D2219

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 0af92bbdce7025b641cd9ee372abe49f361f4256d29a62a53db9503406c0a065
Instruction ID: 0dd4ec81ca8a00ba332242633ba00897886d1e980dd1ea0cb55ae55a3462d0f2
Opcode Fuzzy Hash: 0af92bbdce7025b641cd9ee372abe49f361f4256d29a62a53db9503406c0a065
Instruction Fuzzy Hash: F2B0923008820CFBCB012F21DC0A8483F29EB01290B40C022F90408131DB72A9E2AA91

Uniqueness

Uniqueness Score: -1.00%

Function 009D24B6 Relevance: 1.5, APIs: 1, Instructions: 9
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E009D24B6(intOrPtr _a4) {
				void* __ebp;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t8;

				_push(0);
				_push(0);
				_push(_a4);
				_t2 = E009D2387(_t3, _t4, _t5, _t8); // executed
				return _t2;
			}

0x009d24b9
0x009d24bb
0x009d24bd
0x009d24c0
0x009d24c9

APIs

_doexit.LIBCMT ref: 009D24C0

Part of subcall function 009D2387: __lock.LIBCMT ref: 009D2395
Part of subcall function 009D2387: RtlDecodePointer.NTDLL(009DDE70,0000001C,009D22FA,?,00000001,00000000,?,009D223B,000000FF,?,009D3FA1,00000011,00000000,?,009D1AFD,00000007), ref: 009D23D4
Part of subcall function 009D2387: DecodePointer.KERNEL32(?,009D223B,000000FF,?,009D3FA1,00000011,00000000,?,009D1AFD,00000007,009DDE00,00000010,009D103D,?,00000000), ref: 009D23E5
Part of subcall function 009D2387: EncodePointer.KERNEL32(00000000,?,009D223B,000000FF,?,009D3FA1,00000011,00000000,?,009D1AFD,00000007,009DDE00,00000010,009D103D,?,00000000), ref: 009D23FE
Part of subcall function 009D2387: DecodePointer.KERNEL32(-00000004,?,009D223B,000000FF,?,009D3FA1,00000011,00000000,?,009D1AFD,00000007,009DDE00,00000010,009D103D,?,00000000), ref: 009D240E
Part of subcall function 009D2387: EncodePointer.KERNEL32(00000000,?,009D223B,000000FF,?,009D3FA1,00000011,00000000,?,009D1AFD,00000007,009DDE00,00000010,009D103D,?,00000000), ref: 009D2414
Part of subcall function 009D2387: DecodePointer.KERNEL32(?,009D223B,000000FF,?,009D3FA1,00000011,00000000,?,009D1AFD,00000007,009DDE00,00000010,009D103D,?,00000000), ref: 009D242A
Part of subcall function 009D2387: DecodePointer.KERNEL32(?,009D223B,000000FF,?,009D3FA1,00000011,00000000,?,009D1AFD,00000007,009DDE00,00000010,009D103D,?,00000000), ref: 009D2435

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID: Pointer$Decode$Encode$__lock_doexit
String ID:
API String ID: 2158581194-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: 730d0586982bc90015fdf000af8b78df9498dc4d3cb2e0df1f42b3359f1315f6
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: 2DB012315C030C33DA102641EC03F45BB0D4B90F54F104021FA0C1C2E1E593B56050C9

Uniqueness

Uniqueness Score: -1.00%

Function 009D4623 Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E009D4623(void* __eax, void* __edx) {
				void* _t6;
				void* _t9;
				void* _t10;
				void* _t11;

				 *((intOrPtr*)(_t11 + 0x12)) =  *((intOrPtr*)(_t11 + 0x12)) + __edx;
				_push(0xfffffffd); // executed
				E009D4982(_t6, __edx, _t9, _t10, __eax - 0x9e1cf0); // executed
				 *0x9e1cf0 = 1;
				return 0;
			}

0x009d4628
0x009d462b
0x009d462d
0x009d4633
0x009d463f

APIs

__setmbcp.LIBCMT ref: 009D462D

Part of subcall function 009D4982: getSystemCP.LIBCMT ref: 009D49A6
Part of subcall function 009D4982: __malloc_crt.LIBCMT ref: 009D49BD
Part of subcall function 009D4982: __setmbcp_nolock.LIBCMT ref: 009D49E4
Part of subcall function 009D4982: InterlockedDecrement.KERNEL32(?), ref: 009D49FE
Part of subcall function 009D4982: _free.LIBCMT ref: 009D4A17
Part of subcall function 009D4982: InterlockedIncrement.KERNEL32(00000000), ref: 009D4A24
Part of subcall function 009D4982: __lock.LIBCMT ref: 009D4A46
Part of subcall function 009D4982: InterlockedDecrement.KERNEL32 ref: 009D4ABF
Part of subcall function 009D4982: _free.LIBCMT ref: 009D4AD6

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID: Interlocked$Decrement_free$IncrementSystem__lock__malloc_crt__setmbcp__setmbcp_nolock
String ID:
API String ID: 2147202352-0
Opcode ID: ebdebfd75f05e65b21d96c71b06b524707effcc32c9e52b73ac1729752c345c4
Instruction ID: 78d879f7f5394e9f32f505b20458d6b356ec6f3e4b06a9e93f425d0685c8a413
Opcode Fuzzy Hash: ebdebfd75f05e65b21d96c71b06b524707effcc32c9e52b73ac1729752c345c4
Instruction Fuzzy Hash: 18C09B7105D18109CB055B297C59B4E37D16745765F304759F460C41D6DF7445546145

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 009D8014 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 90%

			E009D8014(void* __ebx, void* __esi, signed int _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				char _v15;
				void _v16;
				short _v1724;
				char _v5140;
				void _v6844;
				void* _v6848;
				signed int _v6852;
				short _v6856;
				signed int _v6860;
				signed int _v6864;
				signed int _v6868;
				char _v6872;
				long _v6876;
				long _v6880;
				char _v6881;
				long _v6888;
				intOrPtr _v6892;
				signed int _v6896;
				int _v6900;
				void* __edi;
				signed int _t252;
				signed int _t254;
				signed char _t256;
				signed int _t257;
				intOrPtr _t259;
				signed int _t260;
				intOrPtr _t265;
				signed int* _t271;
				signed int _t276;
				signed int _t282;
				signed int _t283;
				signed int _t284;
				signed int _t286;
				signed int _t292;
				short _t295;
				signed int _t296;
				signed int _t302;
				intOrPtr _t306;
				void* _t307;
				signed int _t312;
				int _t313;
				short _t315;
				signed int _t317;
				void* _t318;
				signed int _t323;
				void* _t325;
				signed int _t326;
				long _t330;
				signed int _t334;
				signed int _t340;
				void* _t347;
				short _t351;
				void* _t352;
				signed char _t364;
				signed int _t365;
				signed int _t366;
				signed int* _t367;
				long _t368;
				char* _t369;
				long _t370;
				signed int _t371;
				signed int _t372;
				signed int _t374;
				intOrPtr _t375;
				signed int _t380;
				short _t382;
				signed int _t383;
				signed int _t386;
				signed int _t388;
				signed int _t391;
				char _t394;
				signed int _t395;
				signed int _t396;
				signed short* _t399;
				void* _t400;
				char _t401;
				short _t407;
				signed int _t408;
				signed int _t410;
				short _t411;
				intOrPtr _t416;
				intOrPtr* _t417;
				signed int _t418;
				signed int _t420;
				char _t421;
				signed int _t426;
				signed int _t427;
				signed short* _t428;
				signed int _t430;
				signed int _t431;
				signed int _t432;
				void* _t433;

				_t423 = __esi;
				_t361 = __ebx;
				E009D8AE0(0x1af0);
				_t252 =  *0x9df000; // 0x62f017ad
				_v8 = _t252 ^ _t432;
				_t254 = _a4;
				_t372 = _a8;
				_t407 = 0;
				_t418 = 0;
				_v6852 = _t254;
				_v6848 = _t372;
				_v6856 = 0;
				_v6872 = 0;
				if(_a12 != 0) {
					__eflags = _t372;
					if(_t372 != 0) {
						_push(__ebx);
						_push(__esi);
						_t374 = _t254 >> 5;
						_t426 = (_t254 & 0x0000001f) << 6;
						_v6868 = _t374;
						_t375 =  *((intOrPtr*)(0x9e0758 + _t374 * 4));
						_v6896 = _t426;
						_t364 =  *((intOrPtr*)(_t426 + _t375 + 0x24)) +  *((intOrPtr*)(_t426 + _t375 + 0x24)) >> 1;
						__eflags = _t364 - 2;
						if(_t364 == 2) {
							L6:
							_t256 =  !_a12;
							__eflags = _t256 & 0x00000001;
							if((_t256 & 0x00000001) != 0) {
								_t254 = _v6852;
								L9:
								__eflags =  *(_t426 + _t375 + 4) & 0x00000020;
								if(__eflags != 0) {
									E009D8CF1(_t375, __eflags, _t254, _t407, _t407, 2);
									_t433 = _t433 + 0x10;
								}
								_t257 = E009D789E(_v6852);
								__eflags = _t257;
								if(_t257 == 0) {
									L50:
									_t259 =  *((intOrPtr*)(0x9e0758 + _v6868 * 4));
									__eflags =  *(_t426 + _t259 + 4) & 0x00000080;
									if(( *(_t426 + _t259 + 4) & 0x00000080) == 0) {
										_t260 = WriteFile( *(_t426 + _t259), _v6848, _a12,  &_v6876, 0);
										__eflags = _t260;
										if(_t260 == 0) {
											goto L92;
										}
										_t418 = _v6876;
										_t427 = 0;
										goto L93;
									}
									_t407 = _v6848;
									_t427 = 0;
									_v6860 = 0;
									__eflags = _t364;
									if(_t364 != 0) {
										_t382 = _t407;
										__eflags = _t364 - 2;
										if(_t364 != 2) {
											_t366 = _a12;
											_v6880 = _t382;
											__eflags = _t366;
											if(_t366 == 0) {
												goto L99;
											}
											_v6892 = 0xa;
											do {
												_v6888 = _v6888 & 0x00000000;
												_t428 = _v6880;
												_t383 = _t382 - _t407;
												__eflags = _t383;
												_t408 = _v6888;
												_t271 =  &_v1724;
												do {
													__eflags = _t383 - _t366;
													if(_t383 >= _t366) {
														break;
													}
													_t420 =  *_t428 & 0x0000ffff;
													_t428 =  &(_t428[1]);
													_t383 = _t383 + 2;
													_v6880 = _t428;
													__eflags = _t420 - _v6892;
													if(_t420 == _v6892) {
														_t430 = 0xd;
														 *_t271 = _t430;
														_t428 = _v6880;
														_t271 =  &(_t271[0]);
														_t408 = _t408 + 2;
														__eflags = _t408;
													}
													 *_t271 = _t420;
													_t408 = _t408 + 2;
													_t271 =  &(_t271[0]);
													__eflags = _t408 - 0x6a8;
												} while (_t408 < 0x6a8);
												asm("cdq");
												_t276 = WideCharToMultiByte(0xfde9, 0,  &_v1724, _t271 -  &_v1724 - _t408 >> 1,  &_v5140, 0xd55, 0, 0);
												_t427 = _v6860;
												_t418 = _v6856;
												_v6864 = _t276;
												__eflags = _t276;
												if(_t276 == 0) {
													goto L92;
												}
												_t386 = 0;
												__eflags = 0;
												_v6852 = 0;
												while(1) {
													_t282 = WriteFile( *(_v6896 +  *((intOrPtr*)(0x9e0758 + _v6868 * 4))),  &(( &_v5140)[_t386]), _t276 - _t386,  &_v6876, 0);
													__eflags = _t282;
													if(_t282 == 0) {
														break;
													}
													_t386 = _v6852 + _v6876;
													_t276 = _v6864;
													_v6852 = _t386;
													__eflags = _t276 - _t386;
													if(_t276 > _t386) {
														continue;
													}
													L87:
													__eflags = _t284 - _t388;
													if(_t284 > _t388) {
														goto L93;
													}
													goto L88;
												}
												_t283 = GetLastError();
												_t388 = _v6852;
												_t427 = _t283;
												_t284 = _v6864;
												_v6860 = _t427;
												goto L87;
												L88:
												_t382 = _v6880;
												_t407 = _v6848;
												_t418 = _t382 - _t407;
												_v6856 = _t418;
												__eflags = _t418 - _t366;
											} while (_t418 < _t366);
											goto L94;
										}
										_v6852 = _t382;
										__eflags = _a12;
										if(_a12 <= 0) {
											goto L99;
										}
										_v6892 = 0xa;
										do {
											_v6888 = _v6888 & 0x00000000;
											_t421 = _v6872;
											_t286 = _t382 - _t407;
											__eflags = _t286;
											_t410 = _v6888;
											_t367 =  &_v6844;
											do {
												__eflags = _t286 - _a12;
												if(_t286 >= _a12) {
													break;
												}
												_t431 =  *_t382 & 0x0000ffff;
												_t382 = _t382 + 2;
												_t286 = _t286 + 2;
												_v6852 = _t382;
												__eflags = _t431 - _v6892;
												if(_t431 == _v6892) {
													_t391 = 0xd;
													 *_t367 = _t391;
													_t382 = _v6852;
													_t421 = _t421 + 2;
													_t367 =  &(_t367[0]);
													_t410 = _t410 + 2;
													__eflags = _t410;
												}
												 *_t367 = _t431;
												_t410 = _t410 + 2;
												_t367 =  &(_t367[0]);
												__eflags = _t410 - 0x13fe;
											} while (_t410 < 0x13fe);
											_t368 = _t367 -  &_v6844;
											_v6872 = _t421;
											_t292 = WriteFile( *(_v6896 +  *((intOrPtr*)(0x9e0758 + _v6868 * 4))),  &_v6844, _t368,  &_v6876, 0);
											_t427 = _v6860;
											_t418 = _v6856;
											__eflags = _t292;
											if(_t292 == 0) {
												goto L92;
											}
											_t418 = _t418 + _v6876;
											_t407 = _v6848;
											_v6856 = _t418;
											__eflags = _v6876 - _t368;
											if(_v6876 < _t368) {
												goto L94;
											}
											_t382 = _v6852;
											__eflags = _t382 - _t407 - _a12;
										} while (_t382 - _t407 < _a12);
										goto L94;
									}
									_t295 = _t407;
									_v6856 = _t295;
									__eflags = _a12;
									if(_a12 <= 0) {
										goto L99;
									} else {
										goto L53;
									}
									do {
										L53:
										_t296 = _t295 - _t407;
										__eflags = _t296;
										_t411 = _v6856;
										_t369 =  &_v6844;
										_v6852 = 0;
										do {
											__eflags = _t296 - _a12;
											if(_t296 >= _a12) {
												break;
											}
											_t394 =  *_t411;
											_t296 = _t296 + 1;
											_v6881 = _t394;
											__eflags = _t394 - 0xa;
											_t395 = _v6852;
											_v6856 = _t411 + 1;
											if(_t394 == 0xa) {
												_v6872 = _v6872 + 1;
												 *_t369 = 0xd;
												_t369 = _t369 + 1;
												_t395 = _t395 + 1;
												__eflags = _t395;
											}
											 *_t369 = _v6881;
											_t411 = _v6856;
											_t369 = _t369 + 1;
											_t396 = _t395 + 1;
											_v6852 = _t396;
											__eflags = _t396 - 0x13ff;
										} while (_t396 < 0x13ff);
										_t370 = _t369 -  &_v6844;
										_t302 = WriteFile( *(_v6896 +  *((intOrPtr*)(0x9e0758 + _v6868 * 4))),  &_v6844, _t370,  &_v6876, 0);
										__eflags = _t302;
										if(_t302 == 0) {
											goto L92;
										}
										_t418 = _t418 + _v6876;
										_t407 = _v6848;
										__eflags = _v6876 - _t370;
										if(_v6876 < _t370) {
											goto L94;
										}
										__eflags = _v6856 - _t407 - _a12;
										_t295 = _v6856;
									} while (_v6856 - _t407 < _a12);
									goto L94;
								} else {
									_t306 =  *((intOrPtr*)(0x9e0758 + _v6868 * 4));
									__eflags =  *(_t426 + _t306 + 4) & 0x00000080;
									if(( *(_t426 + _t306 + 4) & 0x00000080) == 0) {
										goto L50;
									}
									_t307 = E009D1F5B();
									__eflags =  *( *((intOrPtr*)(_t307 + 0x6c)) + 0xa8);
									_v6852 = 0 |  *( *((intOrPtr*)(_t307 + 0x6c)) + 0xa8) == 0x00000000;
									_t312 = GetConsoleMode( *(_t426 +  *((intOrPtr*)(0x9e0758 + _v6868 * 4))),  &_v6888);
									__eflags = _t312;
									if(_t312 == 0) {
										goto L50;
									}
									__eflags = _v6852 - _t418;
									if(_v6852 == _t418) {
										L16:
										_t313 = GetConsoleCP();
										_t407 = _v6848;
										_v6880 = _v6880 & _t418;
										_t399 = _t407;
										_v6900 = _t313;
										_v6864 = _t399;
										__eflags = _a12 - _t418;
										if(_a12 <= _t418) {
											_t427 = _v6852;
											L95:
											__eflags = _t427;
											if(_t427 == 0) {
												L99:
												_t380 = _v6896;
												_t265 =  *((intOrPtr*)(0x9e0758 + _v6868 * 4));
												__eflags =  *(_t380 + _t265 + 4) & 0x00000040;
												if(( *(_t380 + _t265 + 4) & 0x00000040) == 0) {
													L102:
													 *((intOrPtr*)(E009D1A96())) = 0x1c;
													_t267 = E009D1A62();
													 *_t267 =  *_t267 & 0x00000000;
													__eflags =  *_t267;
													L103:
													L105:
													_pop(_t423);
													_pop(_t361);
													L106:
													return E009D1010(_t361, _v8 ^ _t432, _t407, _t418, _t423);
												}
												__eflags =  *_t407 - 0x1a;
												if( *_t407 != 0x1a) {
													goto L102;
												}
												goto L105;
											}
											_t365 = 5;
											__eflags = _t427 - _t365;
											if(_t427 != _t365) {
												_t267 = E009D1A75(_t427);
											} else {
												 *((intOrPtr*)(E009D1A96())) = 9;
												 *(E009D1A62()) = _t365;
											}
											goto L103;
										}
										__eflags = 0;
										_v6860 = 0;
										_v6892 = 0xa;
										do {
											__eflags = _t364;
											if(_t364 != 0) {
												__eflags = _t364 - 1;
												if(_t364 == 1) {
													L37:
													_t315 =  *_t399 & 0x0000ffff;
													__eflags = _t315 - _v6892;
													_v6856 = _t315;
													_t399 =  &(_t399[1]);
													_t317 = _v6860 + 2;
													__eflags = _t317;
													_v6864 = _t399;
													_v6860 = _t317;
													_v6852 = 0 | _t315 == _v6892;
													L38:
													__eflags = _t364 - 1;
													if(_t364 == 1) {
														L40:
														_t318 = E009D8E6D(_t399, _v6856);
														_pop(_t400);
														__eflags = _t318 - _v6856;
														if(_t318 != _v6856) {
															L92:
															_t427 = GetLastError();
															L93:
															_t407 = _v6848;
															L94:
															__eflags = _t418;
															if(_t418 != 0) {
																__eflags = _t418;
																goto L105;
															}
															goto L95;
														}
														_t418 = _t418 + 2;
														__eflags = _v6852;
														if(_v6852 == 0) {
															L44:
															_t317 = _v6860;
															_t399 = _v6864;
															goto L45;
														}
														_t351 = 0xd;
														_v6856 = _t351;
														_t352 = E009D8E6D(_t400, _t351);
														__eflags = _t352 - _v6856;
														if(_t352 != _v6856) {
															goto L92;
														}
														_t418 = _t418 + 1;
														_t118 =  &_v6872;
														 *_t118 = _v6872 + 1;
														__eflags =  *_t118;
														goto L44;
													}
													__eflags = _t364 - 2;
													if(_t364 != 2) {
														goto L45;
													}
													goto L40;
												}
												__eflags = _t364 - 2;
												if(_t364 != 2) {
													goto L38;
												}
												goto L37;
											}
											_t401 =  *_t399;
											__eflags = _t401 - 0xa;
											_v6852 = 0 | _t401 == 0x0000000a;
											_t416 =  *((intOrPtr*)(0x9e0758 + _v6868 * 4));
											__eflags =  *(_t426 + _t416 + 0x38);
											if( *(_t426 + _t416 + 0x38) == 0) {
												_t323 = E009D8CE0(_t401);
												__eflags = _t323;
												if(_t323 == 0) {
													_push(1);
													_push(_v6864);
													L26:
													_push( &_v6856);
													_t325 = E009D8E55();
													_t433 = _t433 + 0xc;
													__eflags = _t325 - 0xffffffff;
													if(_t325 == 0xffffffff) {
														L48:
														_t427 = _v6852;
														goto L93;
													}
													_t326 = _v6864;
													L28:
													_v6860 = _v6860 + 1;
													_v6864 = _t326 + 1;
													_t330 = WideCharToMultiByte(_v6900, 0,  &_v6856, 1,  &_v16, 5, 0, 0);
													_v6888 = _t330;
													__eflags = _t330;
													if(_t330 == 0) {
														goto L48;
													}
													_t334 = WriteFile( *(_t426 +  *((intOrPtr*)(0x9e0758 + _v6868 * 4))),  &_v16, _t330,  &_v6880, 0);
													__eflags = _t334;
													if(_t334 == 0) {
														goto L92;
													}
													_t418 = _v6860 + _v6872;
													__eflags = _v6880 - _v6888;
													if(_v6880 < _v6888) {
														goto L48;
													}
													__eflags = _v6852;
													if(_v6852 == 0) {
														goto L44;
													}
													_v16 = 0xd;
													_t340 = WriteFile( *(_t426 +  *((intOrPtr*)(0x9e0758 + _v6868 * 4))),  &_v16, 1,  &_v6880, 0);
													__eflags = _t340;
													if(_t340 == 0) {
														goto L92;
													}
													__eflags = _v6880 - 1;
													if(_v6880 < 1) {
														goto L48;
													}
													_v6872 = _v6872 + 1;
													_t418 = _t418 + 1;
													goto L44;
												}
												_t417 = _v6864;
												__eflags = _v6848 - _t417 + _a12 - 1;
												if(_v6848 - _t417 + _a12 <= 1) {
													_t371 = _v6868;
													_t418 = _t418 + 1;
													__eflags = _t418;
													 *((char*)(_t426 +  *((intOrPtr*)(0x9e0758 + _t371 * 4)) + 0x34)) =  *_t417;
													 *(_t426 +  *((intOrPtr*)(0x9e0758 + _t371 * 4)) + 0x38) = 1;
													goto L48;
												}
												_t347 = E009D8E55( &_v6856, _t417, 2);
												_t433 = _t433 + 0xc;
												__eflags = _t347 - 0xffffffff;
												if(_t347 == 0xffffffff) {
													goto L48;
												}
												_t326 = _v6864 + 1;
												_v6860 = _v6860 + 1;
												goto L28;
											}
											_v16 =  *((intOrPtr*)(_t426 + _t416 + 0x34));
											_push(2);
											_v15 = _t401;
											 *(_t426 + _t416 + 0x38) =  *(_t426 + _t416 + 0x38) & 0x00000000;
											_push( &_v16);
											goto L26;
											L45:
											__eflags = _t317 - _a12;
										} while (_t317 < _a12);
										goto L48;
									}
									__eflags = _t364;
									if(_t364 == 0) {
										goto L50;
									}
									goto L16;
								}
							}
							 *(E009D1A62()) =  *_t354 & _t418;
							 *((intOrPtr*)(E009D1A96())) = 0x16;
							_t267 = E009D1514();
							goto L103;
						}
						__eflags = _t364 - 1;
						if(_t364 != 1) {
							goto L9;
						}
						goto L6;
					}
					 *(E009D1A62()) =  *_t356 & 0;
					 *((intOrPtr*)(E009D1A96())) = 0x16;
					E009D1514();
					goto L106;
				}
				goto L106;
			}

0x009d8014
0x009d8014
0x009d801c
0x009d8021
0x009d8028
0x009d802b
0x009d802e
0x009d8031
0x009d8034
0x009d8036
0x009d803c
0x009d8042
0x009d8048
0x009d8051
0x009d805a
0x009d805c
0x009d807d
0x009d807e
0x009d8081
0x009d8089
0x009d808c
0x009d8092
0x009d8099
0x009d80a5
0x009d80a7
0x009d80aa
0x009d80b1
0x009d80b4
0x009d80b6
0x009d80b8
0x009d80d6
0x009d80dc
0x009d80dc
0x009d80e1
0x009d80e8
0x009d80ed
0x009d80ed
0x009d80f6
0x009d80fc
0x009d80fe
0x009d841c
0x009d8422
0x009d8429
0x009d842e
0x009d879e
0x009d87a4
0x009d87a6
0x00000000
0x00000000
0x009d87a8
0x009d87ae
0x00000000
0x009d87ae
0x009d8434
0x009d843a
0x009d843c
0x009d8442
0x009d8444
0x009d852b
0x009d852d
0x009d8530
0x009d8634
0x009d8637
0x009d863d
0x009d863f
0x00000000
0x00000000
0x009d8645
0x009d864f
0x009d864f
0x009d8656
0x009d865c
0x009d865c
0x009d865e
0x009d8664
0x009d866a
0x009d866a
0x009d866c
0x00000000
0x00000000
0x009d866e
0x009d8671
0x009d8674
0x009d8677
0x009d867d
0x009d8684
0x009d8688
0x009d8689
0x009d868c
0x009d8692
0x009d8695
0x009d8695
0x009d8695
0x009d8698
0x009d869b
0x009d869e
0x009d86a1
0x009d86a1
0x009d86c1
0x009d86d0
0x009d86d6
0x009d86dc
0x009d86e2
0x009d86e8
0x009d86ea
0x00000000
0x00000000
0x009d86f0
0x009d86f0
0x009d86f2
0x009d86f8
0x009d8723
0x009d8729
0x009d872b
0x00000000
0x00000000
0x009d8733
0x009d8739
0x009d873f
0x009d8745
0x009d8747
0x00000000
0x00000000
0x009d8765
0x009d8765
0x009d8767
0x00000000
0x00000000
0x00000000
0x009d8767
0x009d874b
0x009d8751
0x009d8757
0x009d8759
0x009d875f
0x00000000
0x009d8769
0x009d8769
0x009d876f
0x009d8777
0x009d8779
0x009d877f
0x009d877f
0x00000000
0x009d8787
0x009d8536
0x009d853c
0x009d853f
0x00000000
0x00000000
0x009d8545
0x009d854f
0x009d854f
0x009d8556
0x009d855e
0x009d855e
0x009d8560
0x009d8566
0x009d856c
0x009d856c
0x009d856f
0x00000000
0x00000000
0x009d8571
0x009d8574
0x009d8577
0x009d857a
0x009d8580
0x009d8587
0x009d858b
0x009d858c
0x009d858f
0x009d8595
0x009d8598
0x009d859b
0x009d859b
0x009d859b
0x009d859e
0x009d85a1
0x009d85a4
0x009d85a7
0x009d85a7
0x009d85bb
0x009d85d4
0x009d85e4
0x009d85ea
0x009d85f0
0x009d85f6
0x009d85f8
0x00000000
0x00000000
0x009d85fe
0x009d8604
0x009d860a
0x009d8610
0x009d8616
0x00000000
0x00000000
0x009d861c
0x009d8626
0x009d8626
0x00000000
0x009d862f
0x009d844a
0x009d844c
0x009d8452
0x009d8455
0x00000000
0x00000000
0x00000000
0x00000000
0x009d845b
0x009d845b
0x009d845d
0x009d845d
0x009d845f
0x009d8465
0x009d846b
0x009d8471
0x009d8471
0x009d8474
0x00000000
0x00000000
0x009d8476
0x009d8479
0x009d847a
0x009d8480
0x009d8483
0x009d8489
0x009d848f
0x009d8491
0x009d8497
0x009d849a
0x009d849b
0x009d849b
0x009d849b
0x009d84a2
0x009d84a4
0x009d84aa
0x009d84ab
0x009d84ac
0x009d84b2
0x009d84b2
0x009d84c6
0x009d84e9
0x009d84ef
0x009d84f1
0x00000000
0x00000000
0x009d84f7
0x009d84fd
0x009d8503
0x009d8509
0x00000000
0x00000000
0x009d8517
0x009d851a
0x009d851a
0x00000000
0x009d8104
0x009d810a
0x009d8111
0x009d8116
0x00000000
0x00000000
0x009d811c
0x009d8126
0x009d8146
0x009d814c
0x009d8152
0x009d8154
0x00000000
0x00000000
0x009d815a
0x009d8160
0x009d816a
0x009d816a
0x009d8170
0x009d8176
0x009d817c
0x009d817e
0x009d8184
0x009d818a
0x009d818d
0x009d8411
0x009d87c4
0x009d87c4
0x009d87c6
0x009d87ec
0x009d87f2
0x009d87f8
0x009d87ff
0x009d8804
0x009d880f
0x009d8814
0x009d881a
0x009d881f
0x009d881f
0x009d8822
0x009d882f
0x009d882f
0x009d8830
0x009d8831
0x009d883d
0x009d883d
0x009d8806
0x009d8809
0x00000000
0x00000000
0x00000000
0x009d880b
0x009d87ca
0x009d87cb
0x009d87cd
0x009d87e4
0x009d87cf
0x009d87d4
0x009d87df
0x009d87df
0x00000000
0x009d87cd
0x009d8193
0x009d8195
0x009d819b
0x009d81a5
0x009d81a5
0x009d81a7
0x009d833c
0x009d833f
0x009d8346
0x009d8346
0x009d834b
0x009d8352
0x009d8361
0x009d8364
0x009d8364
0x009d8367
0x009d836d
0x009d8373
0x009d8379
0x009d8379
0x009d837c
0x009d8383
0x009d8389
0x009d838e
0x009d838f
0x009d8396
0x009d87b2
0x009d87b8
0x009d87ba
0x009d87ba
0x009d87c0
0x009d87c0
0x009d87c2
0x009d8827
0x00000000
0x009d882d
0x00000000
0x009d87c2
0x009d839c
0x009d839f
0x009d83a6
0x009d83cc
0x009d83cc
0x009d83d2
0x00000000
0x009d83d2
0x009d83aa
0x009d83ac
0x009d83b2
0x009d83b8
0x009d83bf
0x00000000
0x00000000
0x009d83c5
0x009d83c6
0x009d83c6
0x009d83c6
0x00000000
0x009d83c6
0x009d837e
0x009d8381
0x00000000
0x00000000
0x00000000
0x009d8381
0x009d8341
0x009d8344
0x00000000
0x00000000
0x00000000
0x009d8344
0x009d81ad
0x009d81b1
0x009d81b7
0x009d81c3
0x009d81ca
0x009d81cf
0x009d81ec
0x009d81f2
0x009d81f4
0x009d823a
0x009d823c
0x009d8242
0x009d8248
0x009d8249
0x009d824e
0x009d8251
0x009d8254
0x009d8406
0x009d8406
0x00000000
0x009d8406
0x009d825a
0x009d8260
0x009d8265
0x009d826d
0x009d8287
0x009d828d
0x009d8293
0x009d8295
0x00000000
0x00000000
0x009d82b9
0x009d82bf
0x009d82c1
0x00000000
0x00000000
0x009d82d3
0x009d82d9
0x009d82df
0x00000000
0x00000000
0x009d82e5
0x009d82ec
0x00000000
0x00000000
0x009d8307
0x009d8315
0x009d831b
0x009d831d
0x00000000
0x00000000
0x009d8323
0x009d832a
0x00000000
0x00000000
0x009d8330
0x009d8336
0x00000000
0x009d8336
0x009d81fc
0x009d8207
0x009d820a
0x009d83e3
0x009d83f2
0x009d83f2
0x009d83f3
0x009d83fe
0x00000000
0x009d83fe
0x009d821a
0x009d821f
0x009d8222
0x009d8225
0x00000000
0x00000000
0x009d8231
0x009d8232
0x00000000
0x009d8232
0x009d81d5
0x009d81d8
0x009d81dd
0x009d81e0
0x009d81e5
0x00000000
0x009d83d8
0x009d83d8
0x009d83d8
0x00000000
0x009d83e1
0x009d8162
0x009d8164
0x00000000
0x00000000
0x00000000
0x009d8164
0x009d80fe
0x009d80bf
0x009d80c6
0x009d80cc
0x00000000
0x009d80cc
0x009d80ac
0x009d80af
0x00000000
0x00000000
0x00000000
0x009d80af
0x009d8063
0x009d806a
0x009d8070
0x00000000
0x009d8075
0x00000000

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e7532f56ed3d570bea179647c9e42687c9ed01fa5c4f845b0fb3650f62a48d
Instruction ID: 2e84c73f339e37db2c0d395a3ee4590479a22325151cbec58ce622d1714751b0
Opcode Fuzzy Hash: 12e7532f56ed3d570bea179647c9e42687c9ed01fa5c4f845b0fb3650f62a48d
Instruction Fuzzy Hash: F4326075B522598FCB248F14DD806EAB7F9FB46310F1480DAE40AA7B91DB349E81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 009D336B Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E009D336B(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x009d3370
0x009d3380

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,009D14B7,?,?,?,00000000), ref: 009D3370
UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 009D3379

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 56e65b9d2def352cf967b72e963a9c906f07c381a9b15324692f83ccfcece091
Instruction ID: 9a7c8f88f7994b896cf0317c209061d3aaa29b7b6095bdc2fd7c59bb6d4be514
Opcode Fuzzy Hash: 56e65b9d2def352cf967b72e963a9c906f07c381a9b15324692f83ccfcece091
Instruction Fuzzy Hash: DEB09235099608ABDA002BA1FC0DB883F28EB06652F000012F60D44060CB7358E4AA92

Uniqueness

Uniqueness Score: -1.00%

Function 009D3348 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E009D3348(_Unknown_base(*)()* _a4) {

				return SetUnhandledExceptionFilter(_a4);
			}

0x009d3355

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,009D1CC5,009D1C7A), ref: 009D334E

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 907fcaf9575ba7634a50552ba77ef90dfe04c6a221a514dc2adf46b2dfb872dc
Instruction ID: a89c535f1b9d072bc2ee0f57150e1f3dd0adf12ca89c67d1563c3303035bc345
Opcode Fuzzy Hash: 907fcaf9575ba7634a50552ba77ef90dfe04c6a221a514dc2adf46b2dfb872dc
Instruction Fuzzy Hash: AAA0123004410CA78A001B51FC044843F1CD6011627000011F40C00020C73358E45581

Uniqueness

Uniqueness Score: -1.00%

Function 009D26E2 Relevance: 1.3, APIs: 1, Instructions: 7
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E009D26E2() {
				void* _t3;

				_t3 = GetProcessHeap();
				 *0x9e0750 = _t3;
				return 0 | _t3 != 0x00000000;
			}

0x009d26e2
0x009d26ef
0x009d26f6

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 009D26E2

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 907918385c77ae75f6717e056e5fdf7472186c806fc7640bb3659fb9d3058441
Instruction ID: a5bf8c2b4fa3cce232eb8dce32e1e49ecbc4d7f810db0c978caa7e041ba3a084
Opcode Fuzzy Hash: 907918385c77ae75f6717e056e5fdf7472186c806fc7640bb3659fb9d3058441
Instruction Fuzzy Hash: 30B012B07161428BC7084B38EC5415937D4B749101300403E7003C6970EB70C8A0BF00

Uniqueness

Uniqueness Score: -1.00%

Function 009D6E88 Relevance: 19.6, APIs: 13, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E009D6E88(intOrPtr _a4) {
				intOrPtr _t15;
				intOrPtr _t54;
				void* _t56;
				void* _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;

				_t54 = _a4;
				if(_t54 != 0) {
					_t56 =  *((intOrPtr*)(_t54 + 0xc)) -  *0x9dfd3c; // 0x9e0c28
					if(_t56 != 0) {
						E009D1C42(_t16);
					}
					_t57 =  *((intOrPtr*)(_t54 + 0x10)) -  *0x9dfd40; // 0x9e0c28
					if(_t57 != 0) {
						E009D1C42(_t17);
					}
					_t58 =  *((intOrPtr*)(_t54 + 0x14)) -  *0x9dfd44; // 0x9e0c28
					if(_t58 != 0) {
						E009D1C42(_t18);
					}
					_t59 =  *((intOrPtr*)(_t54 + 0x18)) -  *0x9dfd48; // 0x9e0c28
					if(_t59 != 0) {
						E009D1C42(_t19);
					}
					_t60 =  *((intOrPtr*)(_t54 + 0x1c)) -  *0x9dfd4c; // 0x9e0c28
					if(_t60 != 0) {
						E009D1C42(_t20);
					}
					_t61 =  *((intOrPtr*)(_t54 + 0x20)) -  *0x9dfd50; // 0x9e0c28
					if(_t61 != 0) {
						E009D1C42(_t21);
					}
					_t62 =  *((intOrPtr*)(_t54 + 0x24)) -  *0x9dfd54; // 0x9e0c28
					if(_t62 != 0) {
						E009D1C42(_t22);
					}
					_t63 =  *((intOrPtr*)(_t54 + 0x38)) -  *0x9dfd68; // 0x9e0c2c
					if(_t63 != 0) {
						E009D1C42(_t23);
					}
					_t64 =  *((intOrPtr*)(_t54 + 0x3c)) -  *0x9dfd6c; // 0x9e0c2c
					if(_t64 != 0) {
						E009D1C42(_t24);
					}
					_t65 =  *((intOrPtr*)(_t54 + 0x40)) -  *0x9dfd70; // 0x9e0c2c
					if(_t65 != 0) {
						E009D1C42(_t25);
					}
					_t66 =  *((intOrPtr*)(_t54 + 0x44)) -  *0x9dfd74; // 0x9e0c2c
					if(_t66 != 0) {
						E009D1C42(_t26);
					}
					_t67 =  *((intOrPtr*)(_t54 + 0x48)) -  *0x9dfd78; // 0x9e0c2c
					if(_t67 != 0) {
						E009D1C42(_t27);
					}
					_t15 =  *((intOrPtr*)(_t54 + 0x4c));
					_t68 = _t15 -  *0x9dfd7c; // 0x9e0c2c
					if(_t68 != 0) {
						return E009D1C42(_t15);
					}
				}
				return _t15;
			}

0x009d6e8c
0x009d6e91
0x009d6e9a
0x009d6ea0
0x009d6ea3
0x009d6ea8
0x009d6eac
0x009d6eb2
0x009d6eb5
0x009d6eba
0x009d6ebe
0x009d6ec4
0x009d6ec7
0x009d6ecc
0x009d6ed0
0x009d6ed6
0x009d6ed9
0x009d6ede
0x009d6ee2
0x009d6ee8
0x009d6eeb
0x009d6ef0
0x009d6ef4
0x009d6efa
0x009d6efd
0x009d6f02
0x009d6f06
0x009d6f0c
0x009d6f0f
0x009d6f14
0x009d6f18
0x009d6f1e
0x009d6f21
0x009d6f26
0x009d6f2a
0x009d6f30
0x009d6f33
0x009d6f38
0x009d6f3c
0x009d6f42
0x009d6f45
0x009d6f4a
0x009d6f4e
0x009d6f54
0x009d6f57
0x009d6f5c
0x009d6f60
0x009d6f66
0x009d6f69
0x009d6f6e
0x009d6f6f
0x009d6f72
0x009d6f78
0x00000000
0x009d6f80
0x009d6f78
0x009d6f83

APIs

_free.LIBCMT ref: 009D6EA3

Part of subcall function 009D1C42: HeapFree.KERNEL32(00000000,00000000,?,009D1FD3,00000000,?,?,?,00000000,?,009D404A,00000018,009DDEB0,00000008,009D3F95,?), ref: 009D1C56
Part of subcall function 009D1C42: GetLastError.KERNEL32(00000000,?,009D1FD3,00000000,?,?,?,00000000,?,009D404A,00000018,009DDEB0,00000008,009D3F95,?,00000000), ref: 009D1C68

_free.LIBCMT ref: 009D6EB5
_free.LIBCMT ref: 009D6EC7
_free.LIBCMT ref: 009D6ED9
_free.LIBCMT ref: 009D6EEB
_free.LIBCMT ref: 009D6EFD
_free.LIBCMT ref: 009D6F0F
_free.LIBCMT ref: 009D6F21
_free.LIBCMT ref: 009D6F33
_free.LIBCMT ref: 009D6F45
_free.LIBCMT ref: 009D6F57
_free.LIBCMT ref: 009D6F69
_free.LIBCMT ref: 009D6F7B

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2dee812885a301b777514d78aaa5fa0ffbaf6f559de0e50a6891e6c09deaace8
Instruction ID: 8fc5d44d32dcb0a17eb9d42b5e09e6af79845a696bc6670e381c538db9c4e0cb
Opcode Fuzzy Hash: 2dee812885a301b777514d78aaa5fa0ffbaf6f559de0e50a6891e6c09deaace8
Instruction Fuzzy Hash: F921AF735ED600AB8628DBACF997D1673EAAA44311764C81BF046D7791CB34F8C05A64

Uniqueness

Uniqueness Score: -1.00%

Function 009D2128 Relevance: 13.6, APIs: 9, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E009D2128(char* _a4, signed int* _a8) {
				int _v8;
				void* __ecx;
				intOrPtr* _t7;
				intOrPtr _t9;
				int _t12;
				short* _t14;
				int _t24;
				void* _t27;
				signed int* _t32;
				intOrPtr _t33;

				_push(_t27);
				_t24 = 0;
				if(_a4 != 0) {
					_t32 = _a8;
					if(_t32 == 0) {
						goto L1;
					} else {
						if(E009D30CB(_t27) == 0 && AreFileApisANSI() == 0) {
							_t24 = 1;
						}
						 *_t32 = 0;
						_t12 = MultiByteToWideChar(_t24, 0, _a4, 0xffffffff, 0, 0);
						_v8 = _t12;
						if(_t12 != 0) {
							_t14 = E009D3D72(_t12 + _t12);
							 *_t32 = _t14;
							if(_t14 == 0) {
								goto L9;
							} else {
								if(MultiByteToWideChar(_t24, 0, _a4, 0xffffffff, _t14, _v8) != 0) {
									_t9 = 1;
								} else {
									E009D1A75(GetLastError());
									E009D1C42( *_t32);
									 *_t32 =  *_t32 & 0x00000000;
									goto L8;
								}
							}
						} else {
							E009D1A75(GetLastError());
							L8:
							L9:
							_t9 = 0;
						}
					}
				} else {
					L1:
					_t7 = E009D1A96();
					_t33 = 0x16;
					 *_t7 = _t33;
					E009D1514();
					_t9 = _t33;
				}
				return _t9;
			}

0x009d212b
0x009d212d
0x009d2133
0x009d214b
0x009d2150
0x00000000
0x009d2152
0x009d2159
0x009d2167
0x009d2167
0x009d2171
0x009d2175
0x009d217b
0x009d2180
0x009d2196
0x009d219c
0x009d21a0
0x00000000
0x009d21a2
0x009d21b6
0x009d21d3
0x009d21b8
0x009d21bf
0x009d21c6
0x009d21cb
0x00000000
0x009d21ce
0x009d21b6
0x009d2182
0x009d2189
0x009d218e
0x009d218f
0x009d218f
0x009d218f
0x009d2180
0x009d2135
0x009d2135
0x009d2135
0x009d213c
0x009d213d
0x009d213f
0x009d2144
0x009d2144
0x009d21d7

APIs

AreFileApisANSI.KERNEL32(00000000,00000000,?,?,009D1A34,00000000,00000000,?,?,009D16D0,00000000,00000000), ref: 009D215B
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,009D1A34,00000000,00000000,?,?,009D16D0), ref: 009D2175
GetLastError.KERNEL32(?,?,009D1A34,00000000,00000000,?,?,009D16D0,00000000,00000000), ref: 009D2182
__dosmaperr.LIBCMT ref: 009D2189

Part of subcall function 009D1A96: __getptd_noexit.LIBCMT ref: 009D1A96

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID: ApisByteCharErrorFileLastMultiWide__dosmaperr__getptd_noexit
String ID:
API String ID: 370057422-0
Opcode ID: 34141b684069784a55e0e90dd2bc2f11346c7c540fbeae6ae2c979ca4e9ab0e8
Instruction ID: 37e73c9370c272376d3e45d5e4eee2cf45886bbe4a21638f7f043ecad28a1b39
Opcode Fuzzy Hash: 34141b684069784a55e0e90dd2bc2f11346c7c540fbeae6ae2c979ca4e9ab0e8
Instruction Fuzzy Hash: 2D1108B259C202BFEB202FB0DC05B7A77ACDF21391B20C427FA51D2390E630C9809761

Uniqueness

Uniqueness Score: -1.00%

Function 009D2095 Relevance: 9.0, APIs: 6, Instructions: 45
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E009D2095(void* __ebx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				long _t14;
				long* _t27;

				E009D22FF(_t3);
				if(E009D40B0() != 0) {
					_t6 = E009D304D(E009D1E24);
					 *0x9df188 = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t27 = E009D3D28(1, 0x3bc);
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							E009D210B();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E009D30A9( *0x9df188, _t27);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t27);
								E009D1FE2(__ebx, __edi, _t27, __eflags);
								_t14 = GetCurrentThreadId();
								_t27[1] = _t27[1] | 0xffffffff;
								 *_t27 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E009D210B();
					return 0;
				}
			}

0x009d2095
0x009d20a1
0x009d20b0
0x009d20b6
0x009d20bb
0x009d20be
0x00000000
0x009d20c0
0x009d20cd
0x009d20d1
0x009d20d3
0x009d2102
0x009d2102
0x009d2107
0x009d210a
0x009d20d5
0x009d20e3
0x009d20e5
0x00000000
0x009d20e7
0x009d20e7
0x009d20e9
0x009d20ea
0x009d20f1
0x009d20f7
0x009d20fb
0x009d20ff
0x009d2101
0x009d2101
0x009d20e5
0x009d20d3
0x009d20a3
0x009d20a3
0x009d20a3
0x009d20aa
0x009d20aa

APIs

__init_pointers.LIBCMT ref: 009D2095

Part of subcall function 009D22FF: RtlEncodePointer.NTDLL(00000000,00000000,009D209A,009D1170,009DDDE0,00000014,00000000,00000000,00000000,00000000,00000000), ref: 009D2302
Part of subcall function 009D22FF: __initp_misc_winsig.LIBCMT ref: 009D2323
Part of subcall function 009D22FF: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 009D3110
Part of subcall function 009D22FF: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 009D3124
Part of subcall function 009D22FF: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 009D3137
Part of subcall function 009D22FF: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 009D314A
Part of subcall function 009D22FF: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 009D315D
Part of subcall function 009D22FF: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 009D3170
Part of subcall function 009D22FF: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 009D3183
Part of subcall function 009D22FF: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 009D3196
Part of subcall function 009D22FF: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 009D31A9
Part of subcall function 009D22FF: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 009D31BC
Part of subcall function 009D22FF: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 009D31CF
Part of subcall function 009D22FF: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 009D31E2
Part of subcall function 009D22FF: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 009D31F5
Part of subcall function 009D22FF: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 009D3208
Part of subcall function 009D22FF: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 009D321B
Part of subcall function 009D22FF: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 009D322E

__mtinitlocks.LIBCMT ref: 009D209A

Part of subcall function 009D40B0: InitializeCriticalSectionAndSpinCount.KERNEL32(009DF1E8,00000FA0,?,00000000,009D209F,009D1170,009DDDE0,00000014,00000000,00000000,00000000,00000000,00000000), ref: 009D40CE

__mtterm.LIBCMT ref: 009D20A3

Part of subcall function 009D210B: DeleteCriticalSection.KERNEL32(00000000,00000000,?,00000000,009D20A8,009D1170,009DDDE0,00000014,00000000,00000000,00000000,00000000,00000000), ref: 009D3FCC
Part of subcall function 009D210B: _free.LIBCMT ref: 009D3FD3
Part of subcall function 009D210B: DeleteCriticalSection.KERNEL32(009DF1E8,?,00000000,009D20A8,009D1170,009DDDE0,00000014,00000000,00000000,00000000,00000000,00000000), ref: 009D3FF5

__calloc_crt.LIBCMT ref: 009D20C8
GetCurrentThreadId.KERNEL32 ref: 009D20F1

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentEncodeHandleInitializeModulePointerSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2930087205-0
Opcode ID: 96d67af63deb8484d178cc1c179627e202928d66c31354a13acdbf63309db64e
Instruction ID: 41e64033156886df7493b97ddef7e7d7e3f2e64d339e5804d5153526625fbb93
Opcode Fuzzy Hash: 96d67af63deb8484d178cc1c179627e202928d66c31354a13acdbf63309db64e
Instruction Fuzzy Hash: 29F090325DE7116EE2347778FE07B4A27888FA2731B20C62BF560D52D2EE108A815591

Uniqueness

Uniqueness Score: -1.00%

Function 009D6609 Relevance: 7.6, APIs: 5, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E009D6609(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				void* _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				void* _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					if(_t31 != 0) {
						_push(__ebx);
						while(_t31 <= 0xffffffe0) {
							if(_t31 == 0) {
								_t31 = _t31 + 1;
							}
							_t7 = HeapReAlloc( *0x9e0750, 0, _a4, _t31);
							_t20 = _t7;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								if( *0x9e0c34 == _t7) {
									_t9 = E009D1A96();
									 *_t9 = E009D1AA9(GetLastError());
									goto L17;
								} else {
									if(E009D4FCA(_t7, _t31) == 0) {
										_t12 = E009D1A96();
										 *_t12 = E009D1AA9(GetLastError());
										L12:
										_t8 = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E009D4FCA(_t6, _t31);
						 *((intOrPtr*)(E009D1A96())) = 0xc;
						goto L12;
					} else {
						E009D1C42(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E009D6577(__ebx, __edx, __edi, _a8);
				}
			}

0x009d6610
0x009d661e
0x009d6623
0x009d6632
0x009d6665
0x009d6637
0x009d6639
0x009d6639
0x009d6646
0x009d664c
0x009d6650
0x009d66b0
0x009d66b0
0x009d6652
0x009d6658
0x009d669a
0x009d66ae
0x00000000
0x009d665a
0x009d6663
0x009d6682
0x009d6696
0x009d667c
0x009d667c
0x00000000
0x00000000
0x00000000
0x009d6663
0x009d6658
0x00000000
0x009d667e
0x009d666b
0x009d6676
0x00000000
0x009d6625
0x009d6628
0x009d662e
0x009d662e
0x009d667f
0x009d6681
0x009d6612
0x009d661c
0x009d661c

APIs

_malloc.LIBCMT ref: 009D6615

Part of subcall function 009D6577: __FF_MSGBANNER.LIBCMT ref: 009D658E
Part of subcall function 009D6577: __NMSG_WRITE.LIBCMT ref: 009D6595
Part of subcall function 009D6577: RtlAllocateHeap.NTDLL(01260000,00000000,00000001,00000000,00000000,00000000,?,009D3D88,?,?,?,00000000,?,009D404A,00000018,009DDEB0), ref: 009D65BA

_free.LIBCMT ref: 009D6628

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 5e9beda9dd4cccb2a4084d6cdd78cb926044d4f671995aa7f7112d5e287b6414
Instruction ID: a6daaf3cc235848eb81bf3d1370811bf932e05c652358a8ac187cec4394be03d
Opcode Fuzzy Hash: 5e9beda9dd4cccb2a4084d6cdd78cb926044d4f671995aa7f7112d5e287b6414
Instruction Fuzzy Hash: CC1106339C9216BFCB202FB4BC057693B9CAF50360F50C527F8489A361DB34C8809694

Uniqueness

Uniqueness Score: -1.00%

Function 009D7D7E Relevance: 7.6, APIs: 5, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 67%

			E009D7D7E(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				signed int _t10;
				signed int _t11;
				void* _t14;
				signed int _t20;
				void* _t27;

				_t27 = __edx;
				if(_a4 != 0) {
					_push(__ebx);
					_push(__edi);
					_t3 = E009D34E0(_a4) + 1; // 0x1
					_t29 = _t3;
					_t20 = E009D6577(__ebx, _t27, _t3, _t3);
					__eflags = _t20;
					if(_t20 == 0) {
						_t10 = 0;
						__eflags = 0;
						goto L6;
					} else {
						_t11 = E009D3420(_t20, _t29, _a4);
						__eflags = _t11;
						if(_t11 != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E009D1524(_t20, _t27);
							asm("int3");
							_push(8);
							_push(0x9ddff8);
							_t14 = E009D2E50(_t20, _t29, __esi);
							__eflags =  *0x9df474 - 0x9df478; // 0x9df478
							if(__eflags != 0) {
								E009D3F7E(0xc);
								_t5 =  &_v8;
								 *_t5 = _v8 & 0x00000000;
								__eflags =  *_t5;
								 *0x9df474 = E009D45D7(0x9df474, 0x9df478);
								_v8 = 0xfffffffe;
								_t14 = E009D7E17();
							}
							return E009D2E95(_t14);
						} else {
							_t10 = _t20;
							L6:
							return _t10;
						}
					}
				} else {
					return 0;
				}
			}

0x009d7d7e
0x009d7d85
0x009d7d8b
0x009d7d8c
0x009d7d95
0x009d7d95
0x009d7d9e
0x009d7da2
0x009d7da4
0x009d7dbb
0x009d7dbb
0x00000000
0x009d7da6
0x009d7dab
0x009d7db3
0x009d7db5
0x009d7dc3
0x009d7dc4
0x009d7dc5
0x009d7dc6
0x009d7dc7
0x009d7dc8
0x009d7dcd
0x009d7dce
0x009d7dd0
0x009d7dd5
0x009d7ddf
0x009d7de5
0x009d7de9
0x009d7def
0x009d7def
0x009d7def
0x009d7e00
0x009d7e05
0x009d7e0c
0x009d7e0c
0x009d7e16
0x009d7db7
0x009d7db7
0x009d7dbd
0x009d7dc0
0x009d7dc0
0x009d7db5
0x009d7d87
0x009d7d8a
0x009d7d8a

APIs

_strlen.LIBCMT ref: 009D7D90
_malloc.LIBCMT ref: 009D7D99

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID: _malloc_strlen
String ID:
API String ID: 1889909783-0
Opcode ID: 285f324915b18256bee08733b21c9b9e7194cdeef798027f0ff988a58045fbf3
Instruction ID: 13eff188b16aed1b3def9351f7ff583fe675308c0cd11e96fe3fc52bc5378c0c
Opcode Fuzzy Hash: 285f324915b18256bee08733b21c9b9e7194cdeef798027f0ff988a58045fbf3
Instruction Fuzzy Hash: EC01B9365C93056ADB106BF4AC47B7A779DDBC0715F10C53BF508953A2EA7549408171

Uniqueness

Uniqueness Score: -1.00%

Function 009D8D62 Relevance: 6.1, APIs: 4, Instructions: 96
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E009D8D62(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				int _v20;
				int _t35;
				int _t38;
				int _t42;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E009D3B4C( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E009D8CAA( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t59 = 1;
							_t42 = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t42;
							if(_t42 != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E009D1A96();
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							__eflags = _t50 -  *(_t59 + 0x74);
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(_t62[1] == 0) {
								goto L20;
							}
							L18:
							_t59 =  *(_t59 + 0x74);
							goto L21;
						}
						__eflags = _t50 -  *(_t59 + 0x74);
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x009d8d6a
0x009d8d6f
0x009d8d89
0x00000000
0x009d8d89
0x009d8d71
0x009d8d76
0x00000000
0x00000000
0x009d8d7b
0x009d8d96
0x009d8d9b
0x009d8d9e
0x009d8da5
0x009d8dc4
0x009d8dcb
0x009d8dcd
0x009d8e11
0x009d8e19
0x009d8e28
0x009d8e2e
0x009d8e30
0x009d8e40
0x009d8e40
0x009d8e44
0x009d8e46
0x009d8e49
0x009d8e49
0x009d8e49
0x009d8e49
0x00000000
0x009d8e4f
0x009d8e32
0x009d8e32
0x009d8e37
0x009d8e37
0x009d8e3a
0x00000000
0x009d8e3a
0x009d8dcf
0x009d8dd2
0x009d8dd6
0x009d8dff
0x009d8dff
0x009d8e02
0x009d8e02
0x00000000
0x00000000
0x009d8e04
0x009d8e08
0x00000000
0x00000000
0x009d8e0a
0x009d8e0a
0x00000000
0x009d8e0a
0x009d8dd8
0x009d8ddb
0x00000000
0x00000000
0x009d8ddf
0x009d8df2
0x009d8df8
0x009d8dfb
0x009d8dfd
0x00000000
0x00000000
0x00000000
0x009d8dfd
0x009d8da7
0x009d8daa
0x009d8dac
0x009d8db1
0x009d8db1
0x009d8db6
0x00000000
0x009d8db6
0x009d8d7d
0x009d8d82
0x009d8d86
0x009d8d86
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 009D8D96
__isleadbyte_l.LIBCMT ref: 009D8DC4
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 009D8DF2
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 009D8E28

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: f21666b44f8e9f045529ed3bfd3a52c9b862bde3f9325e3ecc47451b09fcd8a7
Instruction ID: 39544676ed722a512ca2d86e583c04c9f21430bc1a6fd03723ba0541711fd4d0
Opcode Fuzzy Hash: f21666b44f8e9f045529ed3bfd3a52c9b862bde3f9325e3ecc47451b09fcd8a7
Instruction Fuzzy Hash: 1E31AE31680246EFDB219E65C845BBB7BBAFF41350F19842AE4549B2D2DB30D851DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009D48DD Relevance: 6.0, APIs: 4, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 92%

			E009D48DD(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				LONG* _t20;
				signed int _t25;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;

				_t29 = __edx;
				_t24 = __ebx;
				_push(0xc);
				_push(0x9ddf10);
				E009D2E50(__ebx, __edi, __esi);
				_t31 = E009D1F5B();
				_t25 =  *0x9dfd10; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t25) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E009D3F7E(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x9df538; // 0x1272040
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x9df838;
								if(__eflags != 0) {
									E009D1C42(_t33);
								}
							}
						}
						_t20 =  *0x9df538; // 0x1272040
						 *(_t31 + 0x68) = _t20;
						_t33 =  *0x9df538; // 0x1272040
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E009D4979();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					E009D2220(_t24, _t29, _t31, _t33, _t38, 0x20);
				}
				return E009D2E95(_t33);
			}

0x009d48dd
0x009d48dd
0x009d48dd
0x009d48df
0x009d48e4
0x009d48ee
0x009d48f0
0x009d48f9
0x009d491a
0x009d4920
0x009d4924
0x009d4927
0x009d492a
0x009d4930
0x009d4932
0x009d4934
0x009d493d
0x009d493f
0x009d4941
0x009d4947
0x009d494a
0x009d494f
0x009d4947
0x009d493f
0x009d4950
0x009d4955
0x009d4958
0x009d495e
0x009d4962
0x009d4962
0x009d4968
0x009d496f
0x009d4901
0x009d4901
0x009d4901
0x009d4904
0x009d4906
0x009d490a
0x009d490f
0x009d4917

APIs

Part of subcall function 009D1F5B: __getptd_noexit.LIBCMT ref: 009D1F5C

__lock.LIBCMT ref: 009D491A
InterlockedDecrement.KERNEL32(?), ref: 009D4937
_free.LIBCMT ref: 009D494A
InterlockedIncrement.KERNEL32(01272040), ref: 009D4962

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: e28efc96ef7bea7c4aa03cf000ade692cb78852d7b91c2be0eec2a1efc61b82c
Instruction ID: 30ba94f322a26efcd1e0890de515e829ca54c0ac40406d825756f33541f47e2a
Opcode Fuzzy Hash: e28efc96ef7bea7c4aa03cf000ade692cb78852d7b91c2be0eec2a1efc61b82c
Instruction Fuzzy Hash: C0010032DC6711ABDB24AFAAA82675E73A0AF44B21F10C01BF41167390C7346981EBD5

Uniqueness

Uniqueness Score: -1.00%

Function 009D1FE2 Relevance: 6.0, APIs: 4, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E009D1FE2(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				short _t23;
				intOrPtr _t28;
				intOrPtr _t32;
				intOrPtr _t41;
				void* _t42;

				_push(8);
				_push(0x9dde48);
				E009D2E50(__ebx, __edi, __esi);
				_t41 =  *((intOrPtr*)(_t42 + 8));
				 *((intOrPtr*)(_t41 + 0x5c)) = 0x9da1e8;
				 *(_t41 + 8) =  *(_t41 + 8) & 0x00000000;
				 *((intOrPtr*)(_t41 + 0x14)) = 1;
				 *((intOrPtr*)(_t41 + 0x70)) = 1;
				_t23 = 0x43;
				 *((short*)(_t41 + 0xb8)) = _t23;
				 *((short*)(_t41 + 0x1be)) = _t23;
				 *(_t41 + 0x68) = 0x9df838;
				 *(_t41 + 0x3b8) =  *(_t41 + 0x3b8) & 0x00000000;
				E009D3F7E(0xd);
				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
				InterlockedIncrement( *(_t41 + 0x68));
				 *(_t42 - 4) = 0xfffffffe;
				E009D2083();
				E009D3F7E(0xc);
				 *(_t42 - 4) = 1;
				_t28 =  *((intOrPtr*)(_t42 + 0xc));
				 *((intOrPtr*)(_t41 + 0x6c)) = _t28;
				if(_t28 == 0) {
					_t32 =  *0x9df474; // 0x9df478
					 *((intOrPtr*)(_t41 + 0x6c)) = _t32;
				}
				E009D42D6( *((intOrPtr*)(_t41 + 0x6c)));
				 *(_t42 - 4) = 0xfffffffe;
				return E009D2E95(E009D208C());
			}

0x009d1fe2
0x009d1fe4
0x009d1fe9
0x009d1fee
0x009d1ff1
0x009d1ff8
0x009d1fff
0x009d2002
0x009d2007
0x009d2008
0x009d200f
0x009d2016
0x009d201d
0x009d2026
0x009d202c
0x009d2033
0x009d2039
0x009d2040
0x009d2047
0x009d204d
0x009d2050
0x009d2053
0x009d2058
0x009d205a
0x009d205f
0x009d205f
0x009d2065
0x009d206b
0x009d207c

APIs

__lock.LIBCMT ref: 009D2026

Part of subcall function 009D3F7E: __mtinitlocknum.LIBCMT ref: 009D3F90
Part of subcall function 009D3F7E: EnterCriticalSection.KERNEL32(00000000,?,009D1AFD,00000007,009DDE00,00000010,009D103D,?,00000000,COMSPEC), ref: 009D3FA9

InterlockedIncrement.KERNEL32(009DF838), ref: 009D2033
__lock.LIBCMT ref: 009D2047
___addlocaleref.LIBCMT ref: 009D2065

Memory Dump Source

Source File: 00000000.00000002.390831198.00000000009D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000000.00000002.390825813.00000000009D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390848579.00000000009DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390854245.00000000009DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.390859127.00000000009E2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d0000_Prezi.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: b093b456329b0837eb312e73a93f792a0b608e8d2fbae4938b628e35678681d1
Instruction ID: ad7301101c4ec020e028daf25fb78e980fbb44eefbaefed37cee86c758a5cb8c
Opcode Fuzzy Hash: b093b456329b0837eb312e73a93f792a0b608e8d2fbae4938b628e35678681d1
Instruction Fuzzy Hash: 59012D75485B00DFD720AFA5D80674AB7F4AFA4325F20C90FE4AA977A0CBB0A644CB51

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Prezi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: Prezi.exePID: 7156, Parent PID: 3452

General

File Activities

File Opened

File Created

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Windows Analysis Report
Prezi.exe