Edit tour

Windows Analysis Report
Wind0ws7l0aderV3.4875.exe

Overview

General Information

Sample name:	Wind0ws7l0aderV3.4875.exe
Analysis ID:	1391067
MD5:	9631809ff9e66cc5809e51e2929dfbe8
SHA1:	4ee1085393d94978fc17b1453517f0aa7f40b8a3
SHA256:	c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583
Tags:	exe
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Binary is likely a compiled AutoIt script file

Contains functionality to automate explorer (e.g. start an application)

Machine Learning detection for dropped file

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May use bcdedit to modify the Windows boot settings

PE file contains executable resources (Code or Archives)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the product ID of Windows

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Wind0ws7l0aderV3.4875.exe (PID: 7520 cmdline: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe MD5: 9631809FF9E66CC5809E51E2929DFBE8)

WindowsLoader.exe (PID: 7536 cmdline: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe MD5: 323C0FD51071400B51EEDB1BE90A8188)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

ReversingLabs: Detection: 66%

Multi AV Scanner detection for submitted file

Source: Wind0ws7l0aderV3.4875.exe

ReversingLabs: Detection: 63%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Wind0ws7l0aderV3.4875.exe

Joe Sandbox ML: detected

Source: Wind0ws7l0aderV3.4875.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: c:\RB\REALbasic\REALbasic Visual Studio\REALbasic\release\X86RunHoudini.pdbt[ source: WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: c:\RB\REALbasic\REALbasic Visual Studio\REALbasic\release\X86RunHoudini.pdb source: WindowsLoader.exe, WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: bootsect.pdb source: WindowsLoader.exe, 00000001.00000003.1639897139.000000000509C000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe, 00000001.00000002.2876690440.00000000028ED000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe.0.dr

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_00DA5AE0 FindFirstFileA,FindNextFileA,FindClose,	1_2_00DA5AE0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_02696A40 FindFirstFileA,FindNextFileA,FindClose,	1_2_02696A40
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_026B5B80 FindFirstFileA,FindNextFileA,FindClose,	1_2_026B5B80
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_026D52A0 FindFirstFileA,FindNextFileA,FindClose,	1_2_026D52A0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_026F3FB0 FindFirstFileA,FindNextFileA,FindClose,	1_2_026F3FB0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_02703CC0 FindFirstFileA,FindNextFileA,FindClose,	1_2_02703CC0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_02F9FAB0 FindFirstFileA,FindNextFileA,FindClose,	1_2_02F9FAB0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_1000F790 FindFirstFileA,FindNextFileA,FindClose,	1_2_1000F790

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Code function: 1_2_0053A130 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,GlobalAlloc,GlobalSize,GlobalFix,GlobalUnWire,SetClipboardData,GlobalAlloc,GlobalSize,GlobalFix,GlobalUnWire,SetClipboardData,

1_2_0053A130

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

1_2_0053A130

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Code function: 1_2_004159E0 GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,

1_2_004159E0

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Code function: 1_2_005586C0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

1_2_005586C0

System Summary

Binary is likely a compiled AutoIt script file

Source: Wind0ws7l0aderV3.4875.exe, 00000000.00000000.1620043589.0000000000794000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9caf6c5c-e
Source: Wind0ws7l0aderV3.4875.exe, 00000000.00000000.1620043589.0000000000794000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_57dc25a1-0
Source: Wind0ws7l0aderV3.4875.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_53f12a50-5
Source: Wind0ws7l0aderV3.4875.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"	memstr_5d1a8329-6

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_00576849	1_2_00576849
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_00571427	1_2_00571427
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_005196C0	1_2_005196C0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_0040CEF0	1_2_0040CEF0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_0051A770	1_2_0051A770
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_00519F00	1_2_00519F00
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_00DA25F0	1_2_00DA25F0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_02693550	1_2_02693550
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_026B10E9	1_2_026B10E9
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_026B25C0	1_2_026B25C0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_026F1C50	1_2_026F1C50
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_026F1310	1_2_026F1310
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_02F9BE90	1_2_02F9BE90
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_02F92110	1_2_02F92110
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_10009C00	1_2_10009C00
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_100114A0	1_2_100114A0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_10004DC0	1_2_10004DC0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_1000DACB	1_2_1000DACB
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_100087C0	1_2_100087C0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_0279321C	1_2_0279321C
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_0278901E	1_2_0278901E
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_0274A0FD	1_2_0274A0FD
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_027494EF	1_2_027494EF
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_0274BA1A	1_2_0274BA1A

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe 2F2ABA1E074F5F4BAA08B524875461889F8F04D4FFC43972AC212E286022AB94

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: String function: 02F974B0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: String function: 004AB970 appears 76 times
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: String function: 004F1FC0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: String function: 10001000 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: String function: 004F1F50 appears 88 times
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: String function: 005253E0 appears 88 times
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: String function: 004C9900 appears 41 times

Source: WindowsLoader.exe.0.dr

Static PE information: Resource name: RT_CURSOR type: Microsoft a.out overlay pure segmented standalone word-swapped not-stripped pre-SysV V3.0 386 small model executable not stripped

Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Section loaded: wintypes.dll	Jump to behavior

Source: Wind0ws7l0aderV3.4875.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: WindowsLoader.exe.0.dr

Static PE information: Section: UPX1 ZLIB complexity 0.9983461850649351

Source: WindowsLoader.exe.0.dr

Binary string: \ArcName\multi(0)disk(0)rdisk(1)\ArcName\multi(0)disk(0)rdisk(0)multi(%d)disk(%d)rdisk(%d)FirmwareBootDevice\Registry\Machine\SYSTEM\CurrentControlSet\Control%s\Partition%lu\Partition0SystemPartition\Registry\Machine\SYSTEM\CurrentControlSet\Control\Syspart\Device\Harddisk%lu\Partition%luMININTSystemStartOptions%s%s\ArcName\multi(%d)disk(%d)rdisk(%d)partition(%d)

Source: classification engine

Classification label: mal80.evad.winEXE@3/2@0/0

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Code function: 1_2_00DA1462 CoInitialize,CoCreateInstance,

1_2_00DA1462

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Mutant created: \Sessions\1\BaseNamedObjects\WIN7LDRMU

Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe

File created: C:\Users\user\AppData\Local\Temp\aut2507.tmp

Jump to behavior

Source: Wind0ws7l0aderV3.4875.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Wind0ws7l0aderV3.4875.exe

ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe C:\Users\user\AppData\Local\Temp\WindowsLoader.exe
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe	Process created: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Wind0ws7l0aderV3.4875.exe

Static file information: File size 4612608 > 1048576

Source: Wind0ws7l0aderV3.4875.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x39da00

Source: Wind0ws7l0aderV3.4875.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Wind0ws7l0aderV3.4875.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Wind0ws7l0aderV3.4875.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Wind0ws7l0aderV3.4875.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Wind0ws7l0aderV3.4875.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Wind0ws7l0aderV3.4875.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Wind0ws7l0aderV3.4875.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\RB\REALbasic\REALbasic Visual Studio\REALbasic\release\X86RunHoudini.pdbt[ source: WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: c:\RB\REALbasic\REALbasic Visual Studio\REALbasic\release\X86RunHoudini.pdb source: WindowsLoader.exe, WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp
Source:	Binary string: bootsect.pdb source: WindowsLoader.exe, 00000001.00000003.1639897139.000000000509C000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe, 00000001.00000002.2876690440.00000000028ED000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe.0.dr

Source: Wind0ws7l0aderV3.4875.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Wind0ws7l0aderV3.4875.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Wind0ws7l0aderV3.4875.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Wind0ws7l0aderV3.4875.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Wind0ws7l0aderV3.4875.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Code function: 1_2_0044E350 LoadLibraryA,GetProcAddress,GetLongPathNameW,GetProcAddress,

1_2_0044E350

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_00568521 push ecx; ret		1_2_00568534
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_100179F0 push eax; ret		1_2_10017BE1

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe

File created: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Jump to dropped file

Source: WindowsLoader.exe.0.dr

Binary or memory string: bcdedit.exe

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Code function: 1_2_00482F50 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoInitialize,

1_2_00482F50

Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: WindowsLoader.exe, 00000001.00000002.2876006832.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe, 00000001.00000003.1639897139.000000000509C000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe.0.dr

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion			Jump to behavior

Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-614

Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe	API coverage: 7.0 %
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	API coverage: 4.0 %

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Product from Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_00DA5AE0 FindFirstFileA,FindNextFileA,FindClose,	1_2_00DA5AE0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_02696A40 FindFirstFileA,FindNextFileA,FindClose,	1_2_02696A40
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_026B5B80 FindFirstFileA,FindNextFileA,FindClose,	1_2_026B5B80
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_026D52A0 FindFirstFileA,FindNextFileA,FindClose,	1_2_026D52A0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_026F3FB0 FindFirstFileA,FindNextFileA,FindClose,	1_2_026F3FB0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_02703CC0 FindFirstFileA,FindNextFileA,FindClose,	1_2_02703CC0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_02F9FAB0 FindFirstFileA,FindNextFileA,FindClose,	1_2_02F9FAB0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_1000F790 FindFirstFileA,FindNextFileA,FindClose,	1_2_1000F790

Source: WindowsLoader.exe, 00000001.00000002.2876006832.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe, 00000001.00000003.1639897139.000000000509C000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe.0.dr	Binary or memory string: Created encrypted hyper-v loader
Source: WindowsLoader.exe, 00000001.00000002.2875761773.00000000008CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	API call chain: ExitProcess graph end node	graph_1-79313
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	API call chain: ExitProcess graph end node	graph_1-80220
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	API call chain: ExitProcess graph end node	graph_1-79453

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe

Code function: 0_2_00715A39 IsDebuggerPresent,

0_2_00715A39

Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe

Code function: 0_2_00715BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00715BFC

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Code function: 1_2_0044E350 LoadLibraryA,GetProcAddress,GetLongPathNameW,GetProcAddress,

1_2_0044E350

Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe	Code function: 0_2_0070A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0070A2D5
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_00566120 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00566120
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_005662C8 _malloc,std::exception::exception,__CxxThrowException@8,__set_abort_behavior,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_005662C8
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_0056AB47 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0056AB47

HIPS / PFW / Operating System Protection Evasion

Contains functionality to automate explorer (e.g. start an application)

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_004D91C0 FindWindowW,FindWindowA,ShowWindow,GetActiveWindow,GetMenu,GetMenu,GetSystemMetrics,GetMenu,SetMenu,SendMessageA,GetWindowLongA,GetWindowRect,ScreenToClient,ScreenToClient,ScreenToClient,GetWindowLongA,GetWindowRect,MoveWindow,		1_2_004D91C0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: 1_2_004D91C0 FindWindowW,FindWindowA,ShowWindow,GetActiveWindow,GetMenu,GetMenu,GetSystemMetrics,GetMenu,SetMenu,SendMessageA,GetWindowLongA,GetWindowRect,ScreenToClient,ScreenToClient,ScreenToClient,GetWindowLongA,GetWindowRect,MoveWindow,		1_2_004D91C0

Source: Wind0ws7l0aderV3.4875.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: WindowsLoader.exe, 00000001.00000002.2876006832.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe, 00000001.00000003.1639897139.000000000509C000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe.0.dr	Binary or memory string: Shell_TrayWnd
Source: WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: uMmenuShutdownSHELL_TRAYWNDSHELL_TRAYWND
Source: WindowsLoader.exe, WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: SHELL_TRAYWND

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Code function: 1_2_00DA5770 cpuid

1_2_00DA5770

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: GetLocaleInfoA,	1_2_00423190
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: _memset,GetDateFormatA,GetDateFormatA,GetLocaleInfoA,GetDateFormatA,GetTimeFormatA,GetTimeFormatA,	1_2_00423A10
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: _strnlen,GetLocaleInfoA,___crtLCMapStringA,_malloc,___crtLCMapStringA,_strcpy_s,	1_2_00566A3E
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,_strupr_s_l_stat,	1_2_00566BBA
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: GetLocaleInfoA,RtlInitializeCriticalSection,RtlEnterCriticalSection,RtlLeaveCriticalSection,	1_2_00409C60
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: GetUserDefaultLCID,GetLocaleInfoA,TranslateCharsetInfo,	1_2_0041A740
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,	1_2_00422FA0

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Jump to behavior

Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe

Code function: 0_2_00715007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00715007

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Code function: 1_2_004236B0 _swprintf,MessageBoxA,ExitProcess,LoadLibraryA,GetProcAddress,_memset,_memset,GetTimeZoneInformation,

1_2_004236B0

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Code function: 1_2_005650F0 _memset,GetVersionExA,GetVersionExA,GetVersionExA,

1_2_005650F0

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Code function: cmd.exe /A /C "

1_2_026D12D0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Bootkit	2 Process Injection	12 Virtualization/Sandbox Evasion	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	2 Process Injection	LSASS Memory	341 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Native API	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	21 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Bootkit	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	43 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Wind0ws7l0aderV3.4875.exe	63%	ReversingLabs	Win32.Trojan.Strictor
Wind0ws7l0aderV3.4875.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	67%	ReversingLabs	Win32.Hacktool.AutoKMS

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1391067
Start date and time:	2024-02-12 20:10:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Wind0ws7l0aderV3.4875.exe
Detection:	MAL
Classification:	mal80.evad.winEXE@3/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Wind0ws7l0aderV3.4875.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\WindowsLoader.exe	Windows Loader.exe	Get hash	malicious	Unknown	Browse
	7E00B2F55E86F4EC8DF7F75D4038C1978CB8EF8A20ED3.exe	Get hash	malicious	njRat, MicroClip	Browse
	3C386A66E5F1D1B341A1466ABDFD137FC23B39956009A.exe	Get hash	malicious	njRat, MicroClip	Browse
	Windowsloader.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

Download File

Process:	C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	4021049
Entropy (8bit):	6.7402573000786825
Encrypted:	false
SSDEEP:	49152:cEYCFEvlmOmTgtFM3uK5m3imrHuiff+puWV355FXw/+zuWV355FXw/+DuWV355FP:cEYzEFTgtFM3ukm3imPnt
MD5:	323C0FD51071400B51EEDB1BE90A8188
SHA1:	0EFC35935957C25193BBE9A83AB6CAA25A487ADA
SHA-256:	2F2ABA1E074F5F4BAA08B524875461889F8F04D4FFC43972AC212E286022AB94
SHA-512:	4C501C7135962E2F02B68D6069F2191DDB76F990528DACD209955A44972122718B9598400BA829ABAB2D4345B4E1A4B93453C8E7BA42080BD492A34CF8443E7E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Joe Sandbox View:	Filename: Windows Loader.exe, Detection: malicious, Browse Filename: 7E00B2F55E86F4EC8DF7F75D4038C1978CB8EF8A20ED3.exe, Detection: malicious, Browse Filename: 3C386A66E5F1D1B341A1466ABDFD137FC23B39956009A.exe, Detection: malicious, Browse Filename: Windowsloader.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............f...f...f..U....f.....f.....f....f...i...f...E...f..*y...f...i...f...f...d.....g.....f.....f..Rich.f..................PE..L.....(G.....................p........!.......!...@..........................0".............................................x&".......!.xf..........................................................................................................UPX0....................................UPX1................................@....rsrc....p....!..j..................@......................................................................................................................................................................................................................................................................................................................................................................3.03.UPX!....

C:\Users\user\AppData\Local\Temp\aut2507.tmp

Download File

Process:	C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe
File Type:	data
Category:	dropped
Size (bytes):	2010518
Entropy (8bit):	7.908466865020099
Encrypted:	false
SSDEEP:	49152:3h1opoI7NgzPKvrw8YUUPzXKVZEX+Cs0frmDzPTi:x1opLNgR8YD7Co+Cs4OzPTi
MD5:	91DA1720A3D04E5F7DCC00600D3A509C
SHA1:	F7A47DCDA3F575E8D54FD0EB5E95E6300CA9202E
SHA-256:	6F5AFEC574510CB154C1CA98AA28BD8E51DD0934CC3B6EF3BF75020C4730F06A
SHA-512:	F652E613021B244023C0CAB8F2E41B65BED50B5321A06BC629EA0F19236E351C412A28A58189574B6B2581D5B6180A2D3278ABB3A5A930C6FC11DA62ED4FB1D0
Malicious:	false
Reputation:	low
Preview:	EA06.=[9.....................Z..F@.~.D....G.P...... 4.l..h........r..d.;...o.H,VY...n.Zm..%>. ...Yt6...."g...h.Vo....U]......<.......a~....+......N.....#._'...J.?/...b..;`........8........./.....T.6;@.B....(...2.....R.8..........@ ..L..p..4....S!.@6.....!.&.@.....b......a"..... ...@.#.......i....R.,..0........j....L...H...I...B...b.k.H.. .....8.K.W;...5..fb.j..!P..............9t.f...a..t++..n.;.....2.D.sg..$...5..J.].F.O......fS{.J.......qat_...&..5.8V..b.....B!Qn..3.........p{...c!..^<..f...K......cd.=$"Q....H.?..wn1;.n..F...D....j.N....X..Y..mH..88^g*....h.i.f..E9..=v.)....x....W....my..3...n........S.S..(..7.v!._.....sz.ZE.}..I"w......kl...g.....Z_.K._.Px.:.....C....7...L.../W#...x..O..@.4..qh.[...$.+..e...Z.6.d...."...K.)..-$....t[{\.A....i.K'./.....S....z'..}aW.>..{.yl..,J..@;q.Mk..].......Q+.\GJ...t......=...<~...h..6..E..3.za.N.nUq.f)0.]^..a.U^.JKh.{......r..w...._.r&..&......\..3\.h:...G...B...-.WL.N~..:..c.^...b..u9x..[9.sk..o..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.902132269958546
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Wind0ws7l0aderV3.4875.exe
File size:	4'612'608 bytes
MD5:	9631809ff9e66cc5809e51e2929dfbe8
SHA1:	4ee1085393d94978fc17b1453517f0aa7f40b8a3
SHA256:	c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583
SHA512:	3e350e41e7a86756438762c0a6772e5781757bb941e8c88c58238e1f19e15a3eb743301119050b30476d69bc68568a0bad1cdd4560f1ecac2cf4c0c72c9d77d1
SSDEEP:	98304:k8sjkFhRWieWT0ywsagZ9VeXD3qJJXg2cMUGZWh:2jyhRPeWvnzwrivWh
TLSH:	2F26122273EDC360CB669173BF5973117EBB7C214630B95B2E882D78B931460662D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	336572f07071318f

Static PE Info

General

Entrypoint:	0x427f4a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x65CA6981 [Mon Feb 12 18:54:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F9E9C95619Dh
jmp 00007F9E9C948F64h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F9E9C9490EAh
cmp edi, eax
jc 00007F9E9C94944Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F9E9C9490E9h
rep movsb
jmp 00007F9E9C9493FCh
cmp ecx, 00000080h
jc 00007F9E9C9492B4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F9E9C9490F0h
bt dword ptr [004BE324h], 01h
jc 00007F9E9C9495C0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F9E9C94928Dh
test edi, 00000003h
jne 00007F9E9C94929Eh
test esi, 00000003h
jne 00007F9E9C94927Dh
bt edi, 02h
jnc 00007F9E9C9490EFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F9E9C9490F3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F9E9C949145h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x39d9d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x465000	0x7130	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dd2e	0x8de00	c2c2260508750422d20cd5cbb116b146	False	0.5729952505506608	data	6.675875439961112	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	4513b58651e3d8d87c81a396e5b2f1d1	False	0.3353340955284553	OpenPGP Public Key	5.760731648769018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	c2de4a3d214eae7e87c7bfc06bd79775	False	0.1017530487804878	data	1.1988106744719143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x39d9d0	0x39da00	449fc5a43f67a724c5e524edec1b504d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x465000	0x7130	0x7200	1254908a9a03d2bcf12045d49cd572b9	False	0.7703536184210527	data	6.782377328042204	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7440	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7568	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.42991329479768786
RT_ICON	0xc7ad0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.3768050541516246
RT_ICON	0xc8378	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.3070362473347548
RT_ICON	0xc9220	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.7641843971631206
RT_ICON	0xc9688	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.6674484052532833
RT_ICON	0xca730	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.6400414937759336
RT_STRING	0xcccd8	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcd26c	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcd8f8	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcdd88	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xce384	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xce9e0	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcee48	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcefa0	0x3954e6	data			1.0003108978271484
RT_GROUP_ICON	0x464488	0x5a	data	English	Great Britain	0.7
RT_GROUP_ICON	0x4644e4	0x14	data	English	Great Britain	1.15
RT_VERSION	0x4644f8	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x4645d4	0x3fa	ASCII text, with CRLF line terminators	English	Great Britain	0.5068762278978389

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Target ID:	0
Start time:	20:10:53
Start date:	12/02/2024
Path:	C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe
Imagebase:	0x6e0000
File size:	4'612'608 bytes
MD5 hash:	9631809FF9E66CC5809E51E2929DFBE8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:10:54
Start date:	12/02/2024
Path:	C:\Users\user\AppData\Local\Temp\WindowsLoader.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\WindowsLoader.exe
Imagebase:	0x400000
File size:	4'021'049 bytes
MD5 hash:	323C0FD51071400B51EEDB1BE90A8188
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 67%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21%
Total number of Nodes:	167
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00700F36 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0070588C: __FF_MSGBANNER.LIBCMT ref: 007058A3
Part of subcall function 0070588C: __NMSG_WRITE.LIBCMT ref: 007058AA
Part of subcall function 0070588C: RtlAllocateHeap.NTDLL(01430000,00000000,00000001,00000000,?,?,?,00700F53,?), ref: 007058CF

std::exception::exception.LIBCMT ref: 00700F6C
__CxxThrowException@8.LIBCMT ref: 00700F81

Part of subcall function 0070871B: RaiseException.KERNEL32(?,?,?,00799E78,00000000,?,?,?,?,00700F86,?,00799E78,?,00000001), ref: 00708770

Strings

9I, xrefs: 00700F4E

Memory Dump Source

Source File: 00000000.00000002.1632888005.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1632800413.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1632930230.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1632930230.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1633089786.000000000079E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1633224859.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Wind0ws7l0aderV3.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: 9I
API String ID: 3902256705-3853901842
Opcode ID: b9223c84ab14527a9af45f3477ba82b07a75fd3fe06ea09f6a42312f1a933365
Instruction ID: b191e12b0439f41fa96d6ee31de64164677f8206383b481540906491b81d12ac
Opcode Fuzzy Hash: b9223c84ab14527a9af45f3477ba82b07a75fd3fe06ea09f6a42312f1a933365
Instruction Fuzzy Hash: A1F0F47150420EE6DF20AA98EC09AEE7BECDF01360F104625FD48922C2DFB99A5192D1

Uniqueness

Uniqueness Score: -1.00%

Function 0070321F Relevance: 3.0, APIs: 2, Instructions: 7
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 00703225

Part of subcall function 007031EB: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,0070322A,00700F53,?,007058B9,000000FF,0000001E,00000000,?,?,?,00700F53), ref: 007031FA
Part of subcall function 007031EB: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 0070320C

ExitProcess.KERNEL32 ref: 0070322E

Memory Dump Source

Source File: 00000000.00000002.1632888005.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1632800413.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1632930230.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1632930230.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1633089786.000000000079E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1633224859.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Wind0ws7l0aderV3.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 8fbefb41c5a38e12a39dee5936aa9dd2d49075af84c43d201fef9e4394ea1dca
Instruction ID: c7bbdc5036308e982a87ceffcd3a2b65167b3d6b43f9fcdccc8ad8147b4439c0
Opcode Fuzzy Hash: 8fbefb41c5a38e12a39dee5936aa9dd2d49075af84c43d201fef9e4394ea1dca
Instruction Fuzzy Hash: 2BB0923000820CFBCB012F12EC0A8483F69EF09A90B008120F80508171DBB7AA929A84

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0070A2D5 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00708ED7,?,?,?,00000000), ref: 0070A2DA
UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 0070A2E3

Memory Dump Source

Source File: 00000000.00000002.1632888005.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000000.00000002.1632800413.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1632930230.000000000076F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1632930230.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1633089786.000000000079E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1633224859.00000000007A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0000_Wind0ws7l0aderV3.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 78edb1f2aaf4e8137390a4c50c570e204952f302cc55f6b28ce8ace831aa4afa
Instruction ID: 9526f8fed1aa4bf4f7ee7dbeffcca0b93840ea1d239c0569db2f3f08ebb8246b
Opcode Fuzzy Hash: 78edb1f2aaf4e8137390a4c50c570e204952f302cc55f6b28ce8ace831aa4afa
Instruction Fuzzy Hash: B0B09231058308ABCA002B92FC09B883F68EB44AA2F408020F60E84260EBA658508A99

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: WindowsLoader.exePID: 7536, Parent PID: 7520COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	17%
Signature Coverage:	2.9%
Total number of Nodes:	1528
Total number of Limit Nodes:	88

Executed Functions

Function 0044E350 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 172
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Kernel32.dll,0000000C,0000000C,00000000,?,?,00000000,?,00454DF7,00000000), ref: 0044E367

Part of subcall function 004ABDF0: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004ABDFE
Part of subcall function 004ABDF0: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004ABE10
Part of subcall function 004ABDF0: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ABE37

GetProcAddress.KERNEL32(74DD0000,GetLongPathNameW), ref: 0044E39A
GetLongPathNameW.KERNELBASE(00000000,?,00000000), ref: 0044E3D8

Strings

Kernel32.dll, xrefs: 0044E362
GetLongPathNameW, xrefs: 0044E394
GetLongPathNameA, xrefs: 0044E44F

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$AddressEnterInitializeLeaveLibraryLoadLongNamePathProc
String ID: GetLongPathNameA$GetLongPathNameW$Kernel32.dll
API String ID: 356203037-4216808704
Opcode ID: 9b2df83c8f1b468fc0fee933d0a6912d85cc9406c96227b5607584fffbf7d209
Instruction ID: 7fe1ce91f742e0c81011a923d3b22c638415b5909c64345684655730f3436efb
Opcode Fuzzy Hash: 9b2df83c8f1b468fc0fee933d0a6912d85cc9406c96227b5607584fffbf7d209
Instruction Fuzzy Hash: 8051D371A00208ABDB10EFA6D84579E77B4FF54719F14415AEC04AB342E738AE48DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00DA1462 Relevance: 3.1, APIs: 2, Instructions: 89comCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA1105: GetTickCount.KERNEL32 ref: 00DA1174

CoInitialize.OLE32(00000000), ref: 00DA147C
CoCreateInstance.OLE32(00DA72E8,00000000,00000001,00DA72D8,00000000), ref: 00DA1498

Memory Dump Source

Source File: 00000001.00000002.2876128112.0000000000DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000001.00000002.2876112704.0000000000DA0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876145215.0000000000DA7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876159981.0000000000DA8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_da0000_WindowsLoader.jbxd

Similarity

API ID: CountCreateInitializeInstanceTick
String ID:
API String ID: 3998390126-0
Opcode ID: 48d2357db9ce80880b35999f86dadee446e31522eb87002a93281f9db5aed45e
Instruction ID: fdd46dcf0499d7c788b8ad9de0616d01c7e74ad58296661a3a7e9edae7b84d9a
Opcode Fuzzy Hash: 48d2357db9ce80880b35999f86dadee446e31522eb87002a93281f9db5aed45e
Instruction Fuzzy Hash: 86310576508301AFD702CF14C884A5BBBF9EF86721F048969FC959B360D7B1E844CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0051D1F0 Relevance: 58.4, APIs: 30, Strings: 3, Instructions: 604COMMON

Download Yara Rule

APIs

Part of subcall function 005662C8: _malloc.LIBCMT ref: 005662E0

SetRect.USER32(00000000,?,00000000,?,0057E81C), ref: 0051D288
OffsetRect.USER32(00000000,00000000,?), ref: 0051D406
ClientToScreen.USER32(?,00000000), ref: 0051D41D
ClientToScreen.USER32(?,00000000), ref: 0051D42A
ScreenToClient.USER32(?,00000000), ref: 0051D437
ScreenToClient.USER32(?,00000000), ref: 0051D43E
CreateWindowExW.USER32(00000000,005F4C08,005F4C08,00000000,00000000,000000FF,00000000,?,00559EF4,00000000,00400000,00000000), ref: 0051D4FF
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0051D522
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0051D534
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051D551
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0051D569
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0051D581
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051D59C
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0051D5C1
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0051D5D3
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051D5EC
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0051D603
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0051D615
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051D62A
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0051D6DF
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0051D6F1
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051D70A
CreateWindowExA.USER32(00000000,00000000,0057E81C,00000000,00400000,00000000,?,?,0057E81C,00000000,?,00559EF4), ref: 0051D72D
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0051D74C
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0051D75E
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051D777
SetWindowLongA.USER32(?,00000000,?), ref: 0051D782
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0051D8F9
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0051D90B
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051D924

Strings

COMBOBOX, xrefs: 0051D2A9
RB_Pane, xrefs: 0051D632
RB_CanvasPane, xrefs: 0051D644

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave$ClientScreen$Window$CreateRect$LongOffset_malloc
String ID: COMBOBOX$RB_CanvasPane$RB_Pane
API String ID: 1843661786-786992740
Opcode ID: d9708e0daf0f340ef6dffab37e9cd2c9e5bcbcb44894efd2d665f2453fc1626b
Instruction ID: e10c4608ead985d64ee737a26a4f5b1685c9c08f258cc805fdc53ec5898b153e
Opcode Fuzzy Hash: d9708e0daf0f340ef6dffab37e9cd2c9e5bcbcb44894efd2d665f2453fc1626b
Instruction Fuzzy Hash: A332E171A0021AAFEB10DF68DC84BFFBBB4BF48710F144569E954A7281D774AC84DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0051D940 Relevance: 47.5, APIs: 19, Strings: 8, Instructions: 278
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFocus.USER32(00000000), ref: 0051D9A5
_swprintf.LIBCMT ref: 0051DA06
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0051DA20
ExitProcess.KERNEL32 ref: 0051DA28
_swprintf.LIBCMT ref: 0051DA66
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0051DA80
ExitProcess.KERNEL32 ref: 0051DA88
_swprintf.LIBCMT ref: 0051DAC1

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0051DADB
ExitProcess.KERNEL32 ref: 0051DAE3
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0051DB0A
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0051DB1C
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051DB39
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0051DB70
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0051DB82
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051DB9F
GetClassNameA.USER32(?,?,000000FF), ref: 0051DC54
KiUserCallbackDispatcher.NTDLL(?), ref: 0051DCAD

Strings

Runtime Error, xrefs: 0051DA13, 0051DA73, 0051DACE
RB_Pane, xrefs: 0051DC60
..\..\..\..\Common\SubPane.cpp, xrefs: 0051D9E3, 0051DA43, 0051DA9E
RB_CanvasPane, xrefs: 0051DC78
mLockCount <= 0, xrefs: 0051DA94
this != GetFocusPane(), xrefs: 0051D9D9
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0051D9F5, 0051DA55, 0051DAB0
this != currentPane, xrefs: 0051DA39

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$ExitMessageProcess_swprintf$EnterInitializeLeave$CallbackClassDispatcherFocusNameUser__vsprintf_s_l
String ID: ..\..\..\..\Common\SubPane.cpp$RB_CanvasPane$RB_Pane$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$mLockCount <= 0$this != GetFocusPane()$this != currentPane
API String ID: 3013605808-41089943
Opcode ID: 9c8b906048b127210d8383f476223dd5cfd938f3806ff961534b4836efe03f08
Instruction ID: 812bc1d298740c136201e31c531d3d64638f35b8cbadb4f44ecc42aee2057c71
Opcode Fuzzy Hash: 9c8b906048b127210d8383f476223dd5cfd938f3806ff961534b4836efe03f08
Instruction Fuzzy Hash: 64A109B1600204AFFB20AB249C85FBA7F78BF95B04F040558FA09A7285E7749DC4DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00546400 Relevance: 37.8, APIs: 25, Instructions: 327
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00546496
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005464A8
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 005464BA
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 005464E1
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005464FF
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00546511
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0054652E
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0054658F
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005465A1
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 005465B0
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005465CC
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005465DE
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 005465FB
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00546611
CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,00000000,?,00000000,00000000,00000000,00000000,005F4C08), ref: 00546698
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005466B6
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005466C8
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 005466E5
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00546711
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00546723
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0054673C
CreateFontA.GDI32(?,00000000,00000000,00000000,?,?,?,00000000,?,00000000,00000000,00000000,00000000,0057E81C), ref: 005467B1
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005467D3
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005467E5
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00546802

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterInitialize$CreateFont
String ID:
API String ID: 3622657208-0
Opcode ID: 7fa89a3a601a8ccb6a9d29f7e59df4ee4f0de7de94deee4211623a86d8341321
Instruction ID: 3ed3164b128a985cca407c0c4c241598a44814e01ef81af2713b017768d61d17
Opcode Fuzzy Hash: 7fa89a3a601a8ccb6a9d29f7e59df4ee4f0de7de94deee4211623a86d8341321
Instruction Fuzzy Hash: F0C12770600344AFEB109F64EC85BF67FF4BF62728F144098F88897285D774A984EB62

Uniqueness

Uniqueness Score: -1.00%

Function 0051F3C0 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 154
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_swprintf.LIBCMT ref: 0051F410

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 0051F428
ExitProcess.KERNEL32 ref: 0051F434
SetRect.USER32(?,?,?,?,?), ref: 0051F483
OffsetRect.USER32(?,00000000,?), ref: 0051F497
ClientToScreen.USER32(?,?), ref: 0051F4A6
ClientToScreen.USER32(?,?), ref: 0051F4B5
ScreenToClient.USER32(00000000), ref: 0051F4D3
ScreenToClient.USER32(00000000), ref: 0051F4E7
ShowWindow.USER32(?,00000000), ref: 0051F4FB
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0051F51B
SetParent.USER32(?,00000000), ref: 0051F532
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,0000000B), ref: 0051F548
ShowWindow.USER32(?,00000001), ref: 0051F55A

Strings

Runtime Error, xrefs: 0051F41D
..\..\..\..\Common\SubPane.cpp, xrefs: 0051F3F1
newParent, xrefs: 0051F3E7
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0051F401

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ClientScreenWindow$RectShow$ExitMessageMoveOffsetParentProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\SubPane.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$newParent
API String ID: 2495631781-759841484
Opcode ID: 84ebf1d131761f9ab01ccb9910031bad37e1ef68374bb83bfff3df8309a8950f
Instruction ID: 28c322e87707f4e21b19e343c730d96390af2071dfd1248fb9edd8a5698997d6
Opcode Fuzzy Hash: 84ebf1d131761f9ab01ccb9910031bad37e1ef68374bb83bfff3df8309a8950f
Instruction Fuzzy Hash: AE515DB1200701AFE614DB64DC85FBBB7E9BB98700F004A1CF65987290DB74E989DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00559E70 Relevance: 28.7, APIs: 14, Strings: 2, Instructions: 669windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB970: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB981
Part of subcall function 004AB970: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB993
Part of subcall function 004AB970: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB9C2

SetRect.USER32(?,?,00000000,?,?), ref: 0055A270
AdjustWindowRect.USER32(?,00000000,00000000), ref: 0055A27D
CreateWindowExW.USER32(76ECFFB0,00000000,00000000,005F4C08,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00400000), ref: 0055A3D6
CreateWindowExA.USER32(00000000,0057E81C,0057E81C,00000000,00000000,00000000,00400000,00000000), ref: 0055A5DC

Part of subcall function 004ABC10: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000,00000000,00000000,00000008,?,?,0054664D,00000000), ref: 004ABC52
Part of subcall function 004ABC10: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0057E81C,00000000,?,00000000,?,?,0054664D), ref: 004ABCAB

SetWindowLongA.USER32(?,00000000,00000000), ref: 0055A609
SendMessageA.USER32(?,00000006,00000001,00000000), ref: 0055A622
GetSystemMenu.USER32(?,00000000), ref: 0055A62E
EnableMenuItem.USER32(00000000,0000F030,00000000), ref: 0055A64F
EnableMenuItem.USER32(00000000,0000F020,00000000), ref: 0055A660
EnableMenuItem.USER32(00000000,0000F000,00000000), ref: 0055A671
EnableMenuItem.USER32(00000000,0000F120,00000001), ref: 0055A67B
EnableMenuItem.USER32(00000000,0000F010,00000000), ref: 0055A685
EnableMenuItem.USER32(00000000,0000F060,00000001), ref: 0055A6A1
RegisterDragDrop.OLE32(?,00000000), ref: 0055A6CD

Part of subcall function 0041A360: _memset.LIBCMT ref: 0041A391
Part of subcall function 0041A360: GetVersionExA.KERNEL32(?), ref: 0041A3AA

Strings

RB_ModelessDialog, xrefs: 0055A181
RBWindow, xrefs: 0055A13D

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Menu$EnableItem$Window$CriticalSection$ByteCharCreateMultiRectWide$AdjustDragDropEnterInitializeLeaveLongMessageRegisterSendSystemVersion_memset
String ID: RBWindow$RB_ModelessDialog
API String ID: 4193574891-764765173
Opcode ID: 3eff8c74f3303afa74221c051970a1a2d28062ec0cd5ee7339966d0e55aaddd8
Instruction ID: 56b2e9fe8d974af2c2efd81cbf50f2ee9a630ee65ec930a6f38b5cf70cd84bbc
Opcode Fuzzy Hash: 3eff8c74f3303afa74221c051970a1a2d28062ec0cd5ee7339966d0e55aaddd8
Instruction Fuzzy Hash: 1642C571A042459FDB14CF68C855BEE7FB4FF55304F18826EEC48AB242D774A948CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 005287B0 Relevance: 23.1, APIs: 15, Instructions: 613
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsValidCodePage.KERNEL32(?,?,00000000,?,00528EC4,00529751,00000000,00000000,00000000,00000000,00529751,?,00529751,?,?,08000100), ref: 00528818
IsValidCodePage.KERNELBASE(?,?,00000000,?,00528EC4,00529751,00000000,00000000,00000000,00000000,00529751,?,00529751,?,?,08000100), ref: 00528D0E

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CodePageValid
String ID:
API String ID: 1911128615-0
Opcode ID: cb1b79a0f8188da13008c08a2330da3a0be93ca73344736ff9d19bd30775bcc1
Instruction ID: 2e3ff7fda11fb048d1efb4fc914abcf9368d64d8cc09bde6f7054b29938bc2f7
Opcode Fuzzy Hash: cb1b79a0f8188da13008c08a2330da3a0be93ca73344736ff9d19bd30775bcc1
Instruction Fuzzy Hash: C7F1437A3001159AD720AFE9F84057DB7E9EFC1326B24483FD6CCC6680D77594999F60

Uniqueness

Uniqueness Score: -1.00%

Function 00404F80 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H, xrefs: 004050CE

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 24270076cd7e57d518fae6c58a45a8b9da1316bdd2079e8956ede10fa240188d
Instruction ID: 7f9abe41b3b7edffaf0c1b04dd8b17c635dd74646c1819234ec055eb69d70e8c
Opcode Fuzzy Hash: 24270076cd7e57d518fae6c58a45a8b9da1316bdd2079e8956ede10fa240188d
Instruction Fuzzy Hash: B8A17771E046818FDB11CFA8D884BBF7BB1EFA5300F1940AED445AB392D27A5948CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00419800 Relevance: 9.2, APIs: 6, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004AC450: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AC469
Part of subcall function 004AC450: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AC47B
Part of subcall function 004AC450: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC492

Part of subcall function 00554870: SendMessageA.USER32(?,00001304,00000000,00000000), ref: 00554892
Part of subcall function 00554870: SendMessageA.USER32(?,00001307,00000000,?), ref: 005548C3

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0041997D
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0041998F
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004199A4
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004199BF
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004199D1
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004199E6

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave$MessageSend
String ID:
API String ID: 3271971177-0
Opcode ID: 2f3739026f88d66c66d32fffddd109d2ad809bd56b13ffbb9ce4d053e5bfff59
Instruction ID: 2a4ed822980861784717bea4a39c146b7e665e00bd10d37f1fed7749f4055cf3
Opcode Fuzzy Hash: 2f3739026f88d66c66d32fffddd109d2ad809bd56b13ffbb9ce4d053e5bfff59
Instruction Fuzzy Hash: A551D4B1A10209AFDB10EF64C891BEBBBA8BF55314F04415EEC49A3341D778AD84CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00407730 Relevance: 9.2, APIs: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004AB850: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB85E
Part of subcall function 004AB850: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB870
Part of subcall function 004AB850: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB88D

Part of subcall function 004ABDF0: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004ABDFE
Part of subcall function 004ABDF0: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004ABE10
Part of subcall function 004ABDF0: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ABE37

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00407865
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00407877
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00407890
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004078A8
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004078BA
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004078D3

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 8a9b473e4e493625e9aef00af3ddd07141fa3f0a6710ddb74facdef216e4c45e
Instruction ID: 3d81392e03fbcb4089f1d8ae8c6e59d5663b427b4d2f1db488205566010cbed0
Opcode Fuzzy Hash: 8a9b473e4e493625e9aef00af3ddd07141fa3f0a6710ddb74facdef216e4c45e
Instruction Fuzzy Hash: 90512672E04208ABDB107B6998497AB77A4AF50724F04817EEC48B7381E73DBD40DBD6

Uniqueness

Uniqueness Score: -1.00%

Function 0056646E Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 0056648C

Part of subcall function 00568C8F: __mtinitlocknum.LIBCMT ref: 00568CA3
Part of subcall function 00568C8F: __amsg_exit.LIBCMT ref: 00568CAF
Part of subcall function 00568C8F: RtlEnterCriticalSection.NTDLL(?), ref: 00568CB7

___sbh_find_block.LIBCMT ref: 00566497
___sbh_free_block.LIBCMT ref: 005664A6
RtlFreeHeap.NTDLL(00000000,00000000,005ACD80,0000000C,004AB885,?,?,?,00401224), ref: 005664D6
GetLastError.KERNEL32(?,?,00401224), ref: 005664E7

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 7bf0336654e738e753f92cd6c02fa8b56064155ecada81399c9221094f8c1b1d
Instruction ID: 9839cbfdc2de0885bc66af9bb9bf29eeabcfea2c92b5d404edf717ffd13dd948
Opcode Fuzzy Hash: 7bf0336654e738e753f92cd6c02fa8b56064155ecada81399c9221094f8c1b1d
Instruction Fuzzy Hash: BA016231941307AADF206FB1AD4AB6E3EA4BF91362F108614F408A71D1CF349944DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00421000 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A360: _memset.LIBCMT ref: 0041A391
Part of subcall function 0041A360: GetVersionExA.KERNEL32(?), ref: 0041A3AA

CreateFileW.KERNELBASE(005F4C08,?,00000001,00000000,00000003,00000080,00000000,?), ref: 00421084
CreateFileA.KERNEL32(0057E81C), ref: 004210CC
GetLastError.KERNEL32 ref: 004210EA

Part of subcall function 004ABC10: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000,00000000,00000000,00000008,?,?,0054664D,00000000), ref: 004ABC52
Part of subcall function 004ABC10: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0057E81C,00000000,?,00000000,?,?,0054664D), ref: 004ABCAB

Strings

..\..\..\..\Universal\REALstring.cpp, xrefs: 00421058

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ByteCharCreateFileMultiWide$ErrorLastVersion_memset
String ID: ..\..\..\..\Universal\REALstring.cpp
API String ID: 2612109348-192369463
Opcode ID: 9833c3ac847f47ac0e6f936e6b6462fdc77944548e9d1ef4f73e7d3becd5ba92
Instruction ID: 12395bd11d901092b867a74b75161b986cb37362149f27090adf6a5ce9d932eb
Opcode Fuzzy Hash: 9833c3ac847f47ac0e6f936e6b6462fdc77944548e9d1ef4f73e7d3becd5ba92
Instruction Fuzzy Hash: 6B312832700314ABDB209F69EC42B577798FF25710F44866EF908AB291C775ED44C798

Uniqueness

Uniqueness Score: -1.00%

Function 0053ADC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetPropA.USER32 ref: 0053AE5F
SendMessageA.USER32(?,00000030,00000000,00000001), ref: 0053AE7B

Strings

KGU, xrefs: 0053ADF5, 0053AE4B, 0053AE51
RBInstance, xrefs: 0053AE52

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: MessagePropSend
String ID: KGU$RBInstance
API String ID: 25370605-515408500
Opcode ID: f44011ea6c6d16aa0f848704842268d45e4fed558d5f5354376c9daa26852ebe
Instruction ID: f72abf7844442ddf8beaaf1ee8b2a69b23152bcf9cf6651a582ddd47a1ab67b9
Opcode Fuzzy Hash: f44011ea6c6d16aa0f848704842268d45e4fed558d5f5354376c9daa26852ebe
Instruction Fuzzy Hash: 00318FB250429AAFDB019F69C880ADABBA8BF59704F158219F85893302D334EC50CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00405079 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CharUpperBuffA.USER32(00000000,00000001,?,?,?,00000000,?,?,?,?,?,?,0040799F,?), ref: 004050A3
CharLowerBuffA.USER32(00000000,00000001,?,?,?,00000000,?,?,?,?,?,?,0040799F,?), ref: 004050B1
GetStringTypeA.KERNELBASE(00000400,00000001,?,00000001,?,?,?,?,00000000,?,?,?,?,?,?,0040799F), ref: 004050C8
CompareStringA.KERNEL32(00000400,00000000,02A8F2F8,00000001,?,00000001,?,?,?,00000000), ref: 00405167
CompareStringA.KERNEL32(00000400,00000000,02A8F2F8,00000001,?,00000001,?,00000001,?,?,?,00000000), ref: 004051A7

Strings

H, xrefs: 004050CE

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: String$BuffCharCompare$LowerTypeUpper
String ID: H
API String ID: 193227855-2852464175
Opcode ID: 81511e13d00abf09c8aafbb7f72a2d26d7b1973275a777d3a241802a5da0ec03
Instruction ID: bb6aa6bde863c9cbb6d0dd27b60941911d9ea9a5a6d0414d5a76e8765b307706
Opcode Fuzzy Hash: 81511e13d00abf09c8aafbb7f72a2d26d7b1973275a777d3a241802a5da0ec03
Instruction Fuzzy Hash: 7821FD70A40746DFDB01CF90C894BAEBBB4FB98300F40446DD546A7390D3BA6A48CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0044DCC0 Relevance: 6.2, APIs: 4, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004ABDF0: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004ABDFE
Part of subcall function 004ABDF0: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004ABE10
Part of subcall function 004ABDF0: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ABE37

GetFileAttributesW.KERNELBASE(-00000001,?,?,00000000,?,00454DF7,00000000), ref: 0044DED5
GetFileAttributesW.KERNEL32(005F4C08,?,?,00000000,?,00454DF7,00000000), ref: 0044DEE3
GetFileAttributesA.KERNEL32(0057E81C,?,?,?,00000000,?,00454DF7,00000000), ref: 0044DF1A
GetLastError.KERNEL32(?,?,?,00000000,?,00454DF7,00000000), ref: 0044DF34

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: AttributesCriticalFileSection$EnterErrorInitializeLastLeave
String ID:
API String ID: 1935198317-0
Opcode ID: 4f54507a705c9cf96ae65f32fefa489c97ba720d2abb04c835b06378320aaf64
Instruction ID: 065a9918e73b0004971f6b2df4d2acbff76299ce8a44a7923cfebc214180542c
Opcode Fuzzy Hash: 4f54507a705c9cf96ae65f32fefa489c97ba720d2abb04c835b06378320aaf64
Instruction Fuzzy Hash: B191AE71E047418FEB20DF29C88161BB7E4AFA5314F19465EE8489B342D738ED44CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 00421740 Relevance: 6.0, APIs: 4, Instructions: 47
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(005F2918), ref: 00421765
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0042177A
GetLastError.KERNEL32 ref: 00421786
RtlLeaveCriticalSection.NTDLL(005F2918), ref: 00421794

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterErrorFileLastLeaveRead
String ID:
API String ID: 482531634-0
Opcode ID: e27088565f290a901d137bcb049cf19d39db734f982a6f54148029bc92b9a652
Instruction ID: f0c0e0d758bca9387431b58574b6d9e52cfdb8c2d9ba80d2be6ea89f336ac8eb
Opcode Fuzzy Hash: e27088565f290a901d137bcb049cf19d39db734f982a6f54148029bc92b9a652
Instruction Fuzzy Hash: 78012C79340218AFA7109F56F844EA7BBA9FFE5761B00842AFD1987350D770D844EB60

Uniqueness

Uniqueness Score: -1.00%

Function 004215A0 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(005F2918), ref: 004215AE
SetFilePointer.KERNELBASE(?,00000000,?,00000001), ref: 004215CE
GetLastError.KERNEL32 ref: 004215D7
RtlLeaveCriticalSection.NTDLL(005F2918), ref: 004215F7

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterErrorFileLastLeavePointer
String ID:
API String ID: 1636754350-0
Opcode ID: f0409f1ea3341c9cf2e69cd368710f1e2d9e0c6673f6c7ac5564f5b0b8d29932
Instruction ID: be68dee110f474c6367c32615873237337675d5db1a25cdc45802c9eeac4d324
Opcode Fuzzy Hash: f0409f1ea3341c9cf2e69cd368710f1e2d9e0c6673f6c7ac5564f5b0b8d29932
Instruction Fuzzy Hash: 0EF03170900308EFEB10DFA4E949B9E7BB4FB14311F10459AE94A93380D7B49A84EB91

Uniqueness

Uniqueness Score: -1.00%

Function 02694DA0 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(026A0DB8,00100000,00000001,00000002,026A0DB8,026950D6,00000000), ref: 02694DAF
GetCurrentProcess.KERNEL32(?,00000000), ref: 02694DBA
DuplicateHandle.KERNELBASE(00000000), ref: 02694DC1
GetLastError.KERNEL32 ref: 02694DD1

Memory Dump Source

Source File: 00000001.00000002.2876226182.0000000002691000.00000020.00001000.00020000.00000000.sdmp, Offset: 02690000, based on PE: true

Associated: 00000001.00000002.2876210818.0000000002690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876241992.0000000002698000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876257033.000000000269B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2690000_WindowsLoader.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: 397af7e2fef3703f2d75fc3314fdfe233558d96385dca51c93d6818bf285ee3b
Instruction ID: 5472c3e5ce112d6aebaaabd9f2f8f410645a8efdbcaad3cd9cbcb9cc2ed3ba95
Opcode Fuzzy Hash: 397af7e2fef3703f2d75fc3314fdfe233558d96385dca51c93d6818bf285ee3b
Instruction Fuzzy Hash: F3E0ECB2680300BFDB11AFB0AC8DB5A776CAB4C722F105921B161C51C0CB7584A0DF11

Uniqueness

Uniqueness Score: -1.00%

Function 026F3420 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(026FDE18,00100000,00000001,00000002,026FDE18,026F3756,00000000), ref: 026F342F
GetCurrentProcess.KERNEL32(?,00000000), ref: 026F343A
DuplicateHandle.KERNELBASE(00000000), ref: 026F3441
GetLastError.KERNEL32 ref: 026F3451

Memory Dump Source

Source File: 00000001.00000002.2876409748.00000000026F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000001.00000002.2876395659.00000000026F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876428511.00000000026F5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876443259.00000000026F7000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26f0000_WindowsLoader.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: 86a31f0322cfcd4b2adc8376d5a26ac16f93c0377b402f252e2d567bcf36cfe8
Instruction ID: 7b0e7a0ebb6ce40f49f078ea241df1851fef6ffa08ffc0a8d8754e957404569d
Opcode Fuzzy Hash: 86a31f0322cfcd4b2adc8376d5a26ac16f93c0377b402f252e2d567bcf36cfe8
Instruction Fuzzy Hash: 5BE0ECB2684341AFDF515FE0FC89B0A7769EB4C725F109940B369C65C0C77588609B21

Uniqueness

Uniqueness Score: -1.00%

Function 00DA3E40 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00DADDB8,00100000,00000001,00000002,00DADDB8,00DA4176,00000000), ref: 00DA3E4F
GetCurrentProcess.KERNEL32(?,00000000), ref: 00DA3E5A
DuplicateHandle.KERNELBASE(00000000), ref: 00DA3E61
GetLastError.KERNEL32 ref: 00DA3E71

Memory Dump Source

Source File: 00000001.00000002.2876128112.0000000000DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000001.00000002.2876112704.0000000000DA0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876145215.0000000000DA7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876159981.0000000000DA8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_da0000_WindowsLoader.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: bc833d44b57897dee1b139f97cd3fd1a59867341c4004ce4e4a5f93524cf1e4c
Instruction ID: 2cc94f890507068829da506a93c46ecc906cbd7e66a73df1de3cfec0c2301ff2
Opcode Fuzzy Hash: bc833d44b57897dee1b139f97cd3fd1a59867341c4004ce4e4a5f93524cf1e4c
Instruction Fuzzy Hash: E8E0ECB2340301AFDB105FE4EC89F1677A9AB4AB22F144604F161C52E0C7B98904DB32

Uniqueness

Uniqueness Score: -1.00%

Function 026B3EE0 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(026BFDC0,00100000,00000001,00000002,026BFDC0,026B4216,00000000), ref: 026B3EEF
GetCurrentProcess.KERNEL32(?,00000000), ref: 026B3EFA
DuplicateHandle.KERNELBASE(00000000), ref: 026B3F01
GetLastError.KERNEL32 ref: 026B3F11

Memory Dump Source

Source File: 00000001.00000002.2876285867.00000000026B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026B0000, based on PE: true

Associated: 00000001.00000002.2876271806.00000000026B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876301547.00000000026B7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876315449.00000000026B9000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26b0000_WindowsLoader.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: c386d0872804cdeaca31f78d322c329060326248f5d5c29d7a0c6294bdb2c1eb
Instruction ID: 6bb4578864bb25da9686f2356731388d801d1fd5288e99129d3d0d53e1f05bf1
Opcode Fuzzy Hash: c386d0872804cdeaca31f78d322c329060326248f5d5c29d7a0c6294bdb2c1eb
Instruction Fuzzy Hash: AAE012B2680311AFDB125FF4AD8EF4E376CEB58761F105942F261E51C0C77585E09B21

Uniqueness

Uniqueness Score: -1.00%

Function 02F9EE10 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(02FAC8D8,00100000,00000001,00000002,02FAC8D8,02F9F146,00000000), ref: 02F9EE1F
GetCurrentProcess.KERNEL32(?,00000000), ref: 02F9EE2A
DuplicateHandle.KERNELBASE(00000000), ref: 02F9EE31
GetLastError.KERNEL32 ref: 02F9EE41

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: 540781770dc1fb624cd0cd6d452bcc0924d354fd68cfe20dafaf89251550f716
Instruction ID: 7dcb1cdee95c88348242131f3f546f14edb478b8134900888cfdb17aa34c7c58
Opcode Fuzzy Hash: 540781770dc1fb624cd0cd6d452bcc0924d354fd68cfe20dafaf89251550f716
Instruction Fuzzy Hash: 7CE0E6F1581705AFDB105FA49C89B1A779DEB447D1F104D00B165C50C0C7B548109721

Uniqueness

Uniqueness Score: -1.00%

Function 02703130 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0270DE20,00100000,00000001,00000002,0270DE20,02703466,00000000), ref: 0270313F
GetCurrentProcess.KERNEL32(?,00000000), ref: 0270314A
DuplicateHandle.KERNELBASE(00000000), ref: 02703151
GetLastError.KERNEL32 ref: 02703161

Memory Dump Source

Source File: 00000001.00000002.2876472916.0000000002701000.00000020.00001000.00020000.00000000.sdmp, Offset: 02700000, based on PE: true

Associated: 00000001.00000002.2876458961.0000000002700000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876487733.0000000002705000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876501732.0000000002707000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876501732.000000000270B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2700000_WindowsLoader.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: 7a1867c514a74c559946516c8d0fbe792f94e9ddbcd9d85bf602ec4b63c2d555
Instruction ID: a06bab0de15ca3072478b8dc0321e05104376c631430d13a975bc7c5eb05694c
Opcode Fuzzy Hash: 7a1867c514a74c559946516c8d0fbe792f94e9ddbcd9d85bf602ec4b63c2d555
Instruction Fuzzy Hash: 00E0ECB1680301EFEB205FA0ECC9F0A37A8FB48726F50D940B275C60D4DB7189249B21

Uniqueness

Uniqueness Score: -1.00%

Function 026D48C0 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(026DED90,00100000,00000001,00000002,026DED90,026D4BF6,00000000), ref: 026D48CF
GetCurrentProcess.KERNEL32(?,00000000), ref: 026D48DA
DuplicateHandle.KERNELBASE(00000000), ref: 026D48E1
GetLastError.KERNEL32 ref: 026D48F1

Memory Dump Source

Source File: 00000001.00000002.2876347313.00000000026D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.2876333042.00000000026D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876365156.00000000026D6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876379783.00000000026D8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_WindowsLoader.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: e89125db34e54724180ec19650aa4673569fca940cf782785b31017aa5fc9b30
Instruction ID: c55c02547c3657d334dcffad40a5684ea9be50638b2d28c73d43c148f0a01d5b
Opcode Fuzzy Hash: e89125db34e54724180ec19650aa4673569fca940cf782785b31017aa5fc9b30
Instruction Fuzzy Hash: 6EE0ECB1A81304AFDB205FB1AC8AF5E3768BB49726F115900F2A1C51C4C77184A09B11

Uniqueness

Uniqueness Score: -1.00%

Function 00416F27 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00416FD7

Part of subcall function 00507C50: _swprintf.LIBCMT ref: 00507CAA
Part of subcall function 00507C50: MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00507CC3
Part of subcall function 00507C50: ExitProcess.KERNEL32 ref: 00507CCC

Strings

e, xrefs: 004170A6
deA, xrefs: 004170B1, 004170B8

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcessShowWindow_swprintf
String ID: deA$e
API String ID: 2715108280-3431294035
Opcode ID: a7898313e31fc15976502e79d676f2e165a374359a7cf2dc61370f54555d07f6
Instruction ID: 445e6541893140a73444fda1ba33f6d8e1978de325c272a8ab86b100a6e4a559
Opcode Fuzzy Hash: a7898313e31fc15976502e79d676f2e165a374359a7cf2dc61370f54555d07f6
Instruction Fuzzy Hash: C5515CB06043019FD714CF15D494BA27BB1BF48314F18426DE8498B792D779ECD6CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00554870 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001304,00000000,00000000), ref: 00554892
SendMessageA.USER32(?,00001307,00000000,?), ref: 005548C3

Strings

Alt+, xrefs: 0055490C

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: MessageSend
String ID: Alt+
API String ID: 3850602802-2765002674
Opcode ID: a23fbe0890208e6b0fc2a49ddb3946ab19f2aae3ad0c30fa8b9d2c7cc4ac5f8f
Instruction ID: 3fcaf7fa1dc7c0bc6ff47958b81bb290f0766c1d76f9260f361ead293fab5f44
Opcode Fuzzy Hash: a23fbe0890208e6b0fc2a49ddb3946ab19f2aae3ad0c30fa8b9d2c7cc4ac5f8f
Instruction Fuzzy Hash: F73161B2A043019FD310DF69C881A5BBBE8BB99714F00452DF98897351D770DD488BE6

Uniqueness

Uniqueness Score: -1.00%

Function 026B1945 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 026B1892: GetCurrentProcessId.KERNEL32(?,?,00000000,026B195E,00000000), ref: 026B1899

CreateWindowExA.USER32(00000000,STATIC,00000000,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 026B1988
SetWindowLongA.USER32(00000000,000000EB,?), ref: 026B1999

Strings

STATIC, xrefs: 026B1981

Memory Dump Source

Source File: 00000001.00000002.2876285867.00000000026B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026B0000, based on PE: true

Associated: 00000001.00000002.2876271806.00000000026B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876301547.00000000026B7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876315449.00000000026B9000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26b0000_WindowsLoader.jbxd

Similarity

API ID: Window$CreateCurrentLongProcess
String ID: STATIC
API String ID: 3697309392-1882779555
Opcode ID: 9dde724844b4f4edc81cf09d537864c407678d07dfdbcd4ca052cdf9720d9827
Instruction ID: 73b9f19da797454104db8093d07cdc351d9ede60a97f0eb44ef4f1938e27d625
Opcode Fuzzy Hash: 9dde724844b4f4edc81cf09d537864c407678d07dfdbcd4ca052cdf9720d9827
Instruction Fuzzy Hash: 04F09231684300BAFA3126689C2AF5A36999F44B04F30492DBB41B91D0D9A0B1A0C61A

Uniqueness

Uniqueness Score: -1.00%

Function 026916E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 0269162D: GetCurrentProcessId.KERNEL32(?,?,?,026916F9,00000000), ref: 02691634

FindWindowExA.USER32(00000000,00000000,STATIC,00000000), ref: 02691704
GetWindowLongA.USER32(00000000,000000EB), ref: 02691711

Strings

STATIC, xrefs: 026916FB

Memory Dump Source

Source File: 00000001.00000002.2876226182.0000000002691000.00000020.00001000.00020000.00000000.sdmp, Offset: 02690000, based on PE: true

Associated: 00000001.00000002.2876210818.0000000002690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876241992.0000000002698000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876257033.000000000269B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2690000_WindowsLoader.jbxd

Similarity

API ID: Window$CurrentFindLongProcess
String ID: STATIC
API String ID: 876373433-1882779555
Opcode ID: ec61f5f8328a446e5aae3afbaae4bd0cdcbd104e7bb1aab2a483f09585c8e44b
Instruction ID: 019b8ae450d73e2be0684223644bdd897fc1e78bf82fff198030ae7a10d27dbc
Opcode Fuzzy Hash: ec61f5f8328a446e5aae3afbaae4bd0cdcbd104e7bb1aab2a483f09585c8e44b
Instruction Fuzzy Hash: F3E026716482016AEF4036349C19F2B32ACAB45600F100E34F202DA1E0DE6090528851

Uniqueness

Uniqueness Score: -1.00%

Function 00DA1365 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00DA12B2: GetCurrentProcessId.KERNEL32(?,?,?,00DA137E,00000000), ref: 00DA12B9

FindWindowExA.USER32(00000000,00000000,STATIC,00000000), ref: 00DA1389
GetWindowLongA.USER32(00000000,000000EB), ref: 00DA1396

Strings

STATIC, xrefs: 00DA1380

Memory Dump Source

Source File: 00000001.00000002.2876128112.0000000000DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000001.00000002.2876112704.0000000000DA0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876145215.0000000000DA7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876159981.0000000000DA8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_da0000_WindowsLoader.jbxd

Similarity

API ID: Window$CurrentFindLongProcess
String ID: STATIC
API String ID: 876373433-1882779555
Opcode ID: d187aeddf061b27bb979569e6733929b1660ef575ff6589132d11c88586b4a93
Instruction ID: ea8add782d2ac4299e1334a3ec20f165d7897ada2749487575772dad451688bd
Opcode Fuzzy Hash: d187aeddf061b27bb979569e6733929b1660ef575ff6589132d11c88586b4a93
Instruction Fuzzy Hash: FEE08C757083006BEA202A78EC1AB6732AD9B86B10F540E35FA52D92E0EAB4D544C032

Uniqueness

Uniqueness Score: -1.00%

Function 00419FC0 Relevance: 4.7, APIs: 3, Instructions: 155windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 0041A070
SendMessageA.USER32(?,00001308,?,00000000), ref: 0041A085
SendMessageA.USER32(?,0000130C,?,00000000), ref: 0041A132

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 195b5d3e741bd61549bb9c185ef0ed1592a0920891037dea38c27339b0c5af43
Instruction ID: 48c05d9f3b6b4087e7ab3451ed3a80fe6847ad645489dbc32f980abd9aebf8ea
Opcode Fuzzy Hash: 195b5d3e741bd61549bb9c185ef0ed1592a0920891037dea38c27339b0c5af43
Instruction Fuzzy Hash: B251BD71600302AFC724DF29C8C4AEAB7E4BF88704F04456EEA5597392D735EC94CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00455720 Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,00000000,00455805,00000000,00000000,?,?,00546545), ref: 0045572C

Part of subcall function 0041A360: _memset.LIBCMT ref: 0041A391
Part of subcall function 0041A360: GetVersionExA.KERNEL32(?), ref: 0041A3AA

EnumFontsW.GDI32(00000000,00000000,00455630,00000000,?,00546545), ref: 00455746
EnumFontsA.GDI32(00000000,00000000,00455530,00000000,?,00546545), ref: 00455766

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: EnumFonts$A570Version_memset
String ID:
API String ID: 2484925774-0
Opcode ID: 1583960378b69a97f2e945012731568b915de48d1b8b166e7e9873ca84ebe50a
Instruction ID: f5a1976d4942b378880303ba5110d77ff496a6014d7a7bb652784a0ba4d9f878
Opcode Fuzzy Hash: 1583960378b69a97f2e945012731568b915de48d1b8b166e7e9873ca84ebe50a
Instruction Fuzzy Hash: 8BF0A030546360BAF63017717D2DBEA3F004B26B32F000082FA0C661E183D815CDF269

Uniqueness

Uniqueness Score: -1.00%

Function 004AB850 Relevance: 4.5, APIs: 3, Instructions: 17COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB85E
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB870
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB88D

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 305f0b9e61e7a873843bc8d54b7fd9ec522aed605339b4fe785131571a4145c5
Instruction ID: 35912c6ac997d77963f90e8e5bd2c1a2923e124112935fae3ec2d7a75a656872
Opcode Fuzzy Hash: 305f0b9e61e7a873843bc8d54b7fd9ec522aed605339b4fe785131571a4145c5
Instruction Fuzzy Hash: C8E0CD709016446BFF113769BC0DB773D64AB73735F000659F4C5602E587AC05C8ABD5

Uniqueness

Uniqueness Score: -1.00%

Function 0051F7B0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000), ref: 0051F9C3

Strings

u@, xrefs: 0051F9C9, 0051F9CC

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: u@
API String ID: 2492992576-2428100996
Opcode ID: 46549c4fa813892f4cc699c469d9946e11f6cf4837b0c526dbc5fb86fc21e429
Instruction ID: 3ffb3f7cad8f5baf840ecfcbc63cc5f0a3925fe698a86f9c04fe67e3a7b66814
Opcode Fuzzy Hash: 46549c4fa813892f4cc699c469d9946e11f6cf4837b0c526dbc5fb86fc21e429
Instruction Fuzzy Hash: 0D611564218703A9D310EF69C4542ABFBE4FFA8700F10892DE899C3661F370DA88C3D6

Uniqueness

Uniqueness Score: -1.00%

Function 0040F3B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?), ref: 0040F4B1

Strings

..\..\..\..\Common\Canvas.cpp, xrefs: 0040F42B

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID: ..\..\..\..\Common\Canvas.cpp
API String ID: 2492992576-3032101696
Opcode ID: 3376179ced31b112340c7f370f2d857ee04af73389a9cde8724f6307281b4db3
Instruction ID: d45e128716e1e8b3031fcdc22cbd7b90557b852c138750697d0bdf7ccb7025c3
Opcode Fuzzy Hash: 3376179ced31b112340c7f370f2d857ee04af73389a9cde8724f6307281b4db3
Instruction Fuzzy Hash: B231AF71604301ABD310DF25D881B67B7A5BF94718F04853EEC5897B82E778E858C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 02692614 Relevance: 3.1, APIs: 2, Instructions: 131COMMON

Download Yara Rule

APIs

VariantChangeType.OLEAUT32(?,?,00000002,00000008), ref: 0269274A
VariantClear.OLEAUT32(00000000), ref: 0269277F

Memory Dump Source

Source File: 00000001.00000002.2876226182.0000000002691000.00000020.00001000.00020000.00000000.sdmp, Offset: 02690000, based on PE: true

Associated: 00000001.00000002.2876210818.0000000002690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876241992.0000000002698000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876257033.000000000269B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2690000_WindowsLoader.jbxd

Similarity

API ID: Variant$ChangeClearType
String ID:
API String ID: 2403513690-0
Opcode ID: 370fe29054a770bc7c583171d76af8f715633287c304d836a7751946f656976d
Instruction ID: 558a9f4cf98f2de7e712dad12939ef89a144bd3388c9e82ea0edc026cda3942d
Opcode Fuzzy Hash: 370fe29054a770bc7c583171d76af8f715633287c304d836a7751946f656976d
Instruction Fuzzy Hash: 0F418171108302BFDF146F24D8A0E2A7BEDEB45354F10492DF999AA1A0DF32C892DF16

Uniqueness

Uniqueness Score: -1.00%

Function 0041A170 Relevance: 3.1, APIs: 2, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 0041A1D4
SetFocus.USER32(00000000), ref: 0041A24F

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: FocusMessageSend
String ID:
API String ID: 223698058-0
Opcode ID: dfdb24625f15f4026e60a23c14bd2b537a3d4b35de6b3c8e9b2aa3cfb427eebd
Instruction ID: 94b121702b6bfc5344731b1946ec1f7bd15b1cba82bd4f366ee5c24fd7c13cfb
Opcode Fuzzy Hash: dfdb24625f15f4026e60a23c14bd2b537a3d4b35de6b3c8e9b2aa3cfb427eebd
Instruction Fuzzy Hash: 0031C130205204AFD725CF68D880BEAF7E9BF98300F2845AAE685C7741C775ADD1CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0051EB80 Relevance: 3.0, APIs: 2, Instructions: 39windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000), ref: 0051EBC3
ShowWindow.USER32(?,00000005), ref: 0051EBCF

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: FocusShowWindow
String ID:
API String ID: 631110716-0
Opcode ID: a2f6e3a5f9ec28f04c8691a1bcdca0d2c35cf651bf4caee5efc29251e47129c8
Instruction ID: 30379aef22b6ee945ec1ead2af89f37a34cf598ffc271575a91cf2d32112bf67
Opcode Fuzzy Hash: a2f6e3a5f9ec28f04c8691a1bcdca0d2c35cf651bf4caee5efc29251e47129c8
Instruction Fuzzy Hash: 8C01A43424C2049FF724D769DC4AFBA7BE9AB58301F040469FE4697390D7B498C4D790

Uniqueness

Uniqueness Score: -1.00%

Function 004042DD Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?), ref: 004042E6
GetModuleFileNameW.KERNEL32(00000000), ref: 004042ED

Part of subcall function 004AB9D0: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB9E7
Part of subcall function 004AB9D0: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB9F9
Part of subcall function 004AB9D0: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ABA45

Part of subcall function 004AB850: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB85E
Part of subcall function 004AB850: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB870
Part of subcall function 004AB850: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB88D

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeaveModule$FileHandleName
String ID:
API String ID: 316373176-0
Opcode ID: 16895bfbc0f0af829869eb66597bc066a9e22d6e941b81f07481c60d927db7c8
Instruction ID: 9bdbb6510bbce70fc541e3f9004197e83cfc0a1bcf9f5c8d052bf0a7bbde2efb
Opcode Fuzzy Hash: 16895bfbc0f0af829869eb66597bc066a9e22d6e941b81f07481c60d927db7c8
Instruction Fuzzy Hash: AFF0EC72B4011D57CF10B761AC0A7DE7729EBA4315F0001EAE90DD7282DF345D869BD6

Uniqueness

Uniqueness Score: -1.00%

Function 026917DD Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 026917F0
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 02691808

Memory Dump Source

Source File: 00000001.00000002.2876226182.0000000002691000.00000020.00001000.00020000.00000000.sdmp, Offset: 02690000, based on PE: true

Associated: 00000001.00000002.2876210818.0000000002690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876241992.0000000002698000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876257033.000000000269B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2690000_WindowsLoader.jbxd

Similarity

API ID: Initialize$Security
String ID:
API String ID: 119290355-0
Opcode ID: 7dd8984be4ba4fd578bf452d7f0793b5031af014b17145170d22c01e539a3f25
Instruction ID: f2d14059f34ab329fd201c82ef39370eb2838fa558ae18ef7f9d4d086ac09db8
Opcode Fuzzy Hash: 7dd8984be4ba4fd578bf452d7f0793b5031af014b17145170d22c01e539a3f25
Instruction Fuzzy Hash: E4D0C931BD838175FF319A64BC4FF9C39582346F19F741680B7243C5D08FD422A08629

Uniqueness

Uniqueness Score: -1.00%

Function 026917DE Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 026917F0
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 02691808

Memory Dump Source

Source File: 00000001.00000002.2876226182.0000000002691000.00000020.00001000.00020000.00000000.sdmp, Offset: 02690000, based on PE: true

Associated: 00000001.00000002.2876210818.0000000002690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876241992.0000000002698000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876257033.000000000269B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2690000_WindowsLoader.jbxd

Similarity

API ID: Initialize$Security
String ID:
API String ID: 119290355-0
Opcode ID: 7af87b87a1890a6c48b0d5bc50bc2d2aa3376450c384532a7fa420739d2059fc
Instruction ID: 359d10c7c82859913363c346b2646fde5b0f661cdd1638c38d0ef4eefc3d065e
Opcode Fuzzy Hash: 7af87b87a1890a6c48b0d5bc50bc2d2aa3376450c384532a7fa420739d2059fc
Instruction Fuzzy Hash: E6D0C931BD938076FB319A647C4FF1C39186715F19F305654B3247C5C1DAD021A08A29

Uniqueness

Uniqueness Score: -1.00%

Function 0269186D Relevance: 1.6, APIs: 1, Instructions: 147comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(026994F4,00000000,00000001,026992B4,?), ref: 026918A2

Memory Dump Source

Source File: 00000001.00000002.2876226182.0000000002691000.00000020.00001000.00020000.00000000.sdmp, Offset: 02690000, based on PE: true

Associated: 00000001.00000002.2876210818.0000000002690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876241992.0000000002698000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876257033.000000000269B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2690000_WindowsLoader.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: fbc3c68b184f8f379db40667b2ac5275329e8075cb27263db99223820b4b3403
Instruction ID: 3dc2dd8d66811f42dc8411042b85010b2f8fa452839db0a7a941d27a2417cfcf
Opcode Fuzzy Hash: fbc3c68b184f8f379db40667b2ac5275329e8075cb27263db99223820b4b3403
Instruction Fuzzy Hash: 4151BC31108343AFEB159F20C984B2AB7E9EB46769F24486DF4CD962A0DF70D884CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0051E840 Relevance: 1.6, APIs: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,?,?,?,0040CDCA,?,?), ref: 0051E907

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Focus
String ID:
API String ID: 2734777837-0
Opcode ID: 3af327859d3f24441789cace742b79e7a9e4bf3a7c1339a4dc225a79ffbd4cc8
Instruction ID: ef189ec3947e21a7cf0ac76ffe68e4f076b3a686a32eebeca27095334224728e
Opcode Fuzzy Hash: 3af327859d3f24441789cace742b79e7a9e4bf3a7c1339a4dc225a79ffbd4cc8
Instruction Fuzzy Hash: ED21D831600604AFE725DB29C885FEABBE9BF99700F1440A9E9C58B651D771ADC4CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0055C910 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

EnumWindows.USER32(0055C8A0,?), ref: 0055C930

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 9ab252e2b1d5bc4c8bdcbb7a877d2b8a5ab97da4a839f4e648096739a52bcdac
Instruction ID: 5ef84ed129b27095a2ac0646349512ece96ba8535a497161f21893af43a604c0
Opcode Fuzzy Hash: 9ab252e2b1d5bc4c8bdcbb7a877d2b8a5ab97da4a839f4e648096739a52bcdac
Instruction Fuzzy Hash: D7F05E71D05348BEDF10CFA4E8197ADBFB8AB11705F5481C9E809A3280E7742A4CEB91

Uniqueness

Uniqueness Score: -1.00%

Function 00420FC0 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00420FE5

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: cc3e56443e4222edbe8ee00dae1bae49249710714fb326dbd776933337e8f618
Instruction ID: 755ef4e9cd87317d17e12ed83ab17ac1bece35af69107d9063c562cfcf0295ad
Opcode Fuzzy Hash: cc3e56443e4222edbe8ee00dae1bae49249710714fb326dbd776933337e8f618
Instruction Fuzzy Hash: D7E046342407208FD720DF29F848B8373E4BF48700F01864DE04ACB790D7B5E8869BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02696DB0 Relevance: 1.3, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,026944A4,0269561F,?,C031EC89,000CC25D,026956AE,?,000CC25D,-00000001,?,026A0DE8,02695B59,026944AC,?,02695D4D), ref: 02696DBA

Memory Dump Source

Source File: 00000001.00000002.2876226182.0000000002691000.00000020.00001000.00020000.00000000.sdmp, Offset: 02690000, based on PE: true

Associated: 00000001.00000002.2876210818.0000000002690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876241992.0000000002698000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876257033.000000000269B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2690000_WindowsLoader.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: e46a44d6abe24e6410471a80ad5c14cfc34023d06f50b9ef48738766f979f5c0
Instruction ID: fbd766ecd8e6f1f61ab8fcd43a45cef7dd7d4d9471d6d681cdfd8dacb0cab71e
Opcode Fuzzy Hash: e46a44d6abe24e6410471a80ad5c14cfc34023d06f50b9ef48738766f979f5c0
Instruction Fuzzy Hash: 00D0A7F15043008BFF060F15CD01735325CEB8074AF440468D006D62C0FB7CE448C610

Uniqueness

Uniqueness Score: -1.00%

Function 026F3240 Relevance: 1.3, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,026F3044,026F282F,?,C031EC89,000CC25D,026F28BE,?,000CC25D,-00000001,?,026FDE48,026F2D69,026F304C,?,026F2F5D), ref: 026F324A

Memory Dump Source

Source File: 00000001.00000002.2876409748.00000000026F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000001.00000002.2876395659.00000000026F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876428511.00000000026F5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876443259.00000000026F7000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26f0000_WindowsLoader.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: c5e5274a8a1473404636ebea0d963bba8440851ba403596bce7311a6de767232
Instruction ID: b14ebbe023b4cca5838d8543358dea5c0cd335269af408fb1b298c60f0e11a71
Opcode Fuzzy Hash: c5e5274a8a1473404636ebea0d963bba8440851ba403596bce7311a6de767232
Instruction Fuzzy Hash: C1D0A7F16442C09BFFC40B10DC457253154FB8070AF4004D8D20AD6390F37CE850C620

Uniqueness

Uniqueness Score: -1.00%

Function 00DA5E50 Relevance: 1.3, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,00DA3544,00DA46BF,?,C031EC89,000CC25D,00DA474E,?,000CC25D,-00000001,?,00DADDE8,00DA4BF9,00DA354C,?,00DA4DED), ref: 00DA5E5A

Memory Dump Source

Source File: 00000001.00000002.2876128112.0000000000DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000001.00000002.2876112704.0000000000DA0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876145215.0000000000DA7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876159981.0000000000DA8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_da0000_WindowsLoader.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 57fe102210605aa1d677f810b04e2b0de575894901de8e591a57b8cff0df047c
Instruction ID: 7b91658c1e63995c62acb31044883e46d8f0ea798c5ed817661ac95056d6b4c6
Opcode Fuzzy Hash: 57fe102210605aa1d677f810b04e2b0de575894901de8e591a57b8cff0df047c
Instruction Fuzzy Hash: E6D0C7F17046009FFB554B10ED057263595EB62B0AF890498F446D5294F7BCEE40D732

Uniqueness

Uniqueness Score: -1.00%

Function 026B5EF0 Relevance: 1.3, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,026B35E4,026B475F,?,C031EC89,000CC25D,026B47EE,?,000CC25D,-00000001,?,026BFDF0,026B4C99,026B35EC,?,026B4E8D), ref: 026B5EFA

Memory Dump Source

Source File: 00000001.00000002.2876285867.00000000026B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026B0000, based on PE: true

Associated: 00000001.00000002.2876271806.00000000026B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876301547.00000000026B7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876315449.00000000026B9000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26b0000_WindowsLoader.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 94225ad58d64fc8345176ef855f83d2f5a004414c41886c044744bb94ae24e17
Instruction ID: 4dcda68110d4b609c1e2ab1c6984b9625c78bb2908ad06dc0b7342bef3dea236
Opcode Fuzzy Hash: 94225ad58d64fc8345176ef855f83d2f5a004414c41886c044744bb94ae24e17
Instruction Fuzzy Hash: 42D05EF16442409BFB060F10DC097A57258EF4070AFC40458E407D5280E7B9E4808B10

Uniqueness

Uniqueness Score: -1.00%

Function 02F9D080 Relevance: 1.3, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,02F9CE84,02F9A5FF,?,C031EC89,000CC25D,02F9A68E,?,000CC25D,-00000001,?,02FAC908,02F9AB39,02F9CE8C,?,02F9AD2D), ref: 02F9D08A

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 86416f4fb3b104d583aed84769c8ac4254e99037fa5a7176c5b8e836ab37e4ce
Instruction ID: e84f9f1b4339b0f5d8d6bc548935f835f50a173a18b556ff9d584751cd4bfa76
Opcode Fuzzy Hash: 86416f4fb3b104d583aed84769c8ac4254e99037fa5a7176c5b8e836ab37e4ce
Instruction Fuzzy Hash: 8DD0A7F2A082008BFF045B10DC01B2136A0EB80F8AF840458D207D92A4F7BCE850C611

Uniqueness

Uniqueness Score: -1.00%

Function 02702F50 Relevance: 1.3, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,02702D54,0270253F,?,C031EC89,000CC25D,027025CE,?,000CC25D,-00000001,?,0270DE50,02702A79,02702D5C,?,02702C6D), ref: 02702F5A

Memory Dump Source

Source File: 00000001.00000002.2876472916.0000000002701000.00000020.00001000.00020000.00000000.sdmp, Offset: 02700000, based on PE: true

Associated: 00000001.00000002.2876458961.0000000002700000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876487733.0000000002705000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876501732.0000000002707000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876501732.000000000270B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2700000_WindowsLoader.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: df411a58a28447c5fc4415643492eb01e487ec490a0c13a29c6298219a65f91f
Instruction ID: a675e4b47cc80bc11117700fe9f126ce10be61e5e6dbdaa9d0b15a7cd3daea6c
Opcode Fuzzy Hash: df411a58a28447c5fc4415643492eb01e487ec490a0c13a29c6298219a65f91f
Instruction Fuzzy Hash: 7BD0A7F2604201CBFB040B10CC4972571D4FF41B4EF800458E806EA2C1FB78F408C611

Uniqueness

Uniqueness Score: -1.00%

Function 026D3150 Relevance: 1.3, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,026D2F54,026D255F,?,C031EC89,000CC25D,026D25EE,?,000CC25D,-00000001,?,026DEDC0,026D2A99,026D2F5C,?,026D2C8D), ref: 026D315A

Memory Dump Source

Source File: 00000001.00000002.2876347313.00000000026D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.2876333042.00000000026D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876365156.00000000026D6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876379783.00000000026D8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_WindowsLoader.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: b64dec9865d5eac5a7eefb9782bc148524e41042e2384b60ead8b94ddcb95cf0
Instruction ID: 7c388c485ce37d453f398ff8b70c8fd23d2ec809f32fb0bd5e15b9e2dadb28c4
Opcode Fuzzy Hash: b64dec9865d5eac5a7eefb9782bc148524e41042e2384b60ead8b94ddcb95cf0
Instruction Fuzzy Hash: EDD0C7F5E45206FBFB554B10DD057263554FF50B0AF85059CD506D6390F7B8E450CA16

Uniqueness

Uniqueness Score: -1.00%

Function 027308EE Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd191ceb4eb8cafc3ef6226ca4cf31e11335d6b18998511d48c3a74db861434
Instruction ID: e4fc0242b3de36409784248db2c26230331b7c8cf8a26a95d729aadb4c6883da
Opcode Fuzzy Hash: 9cd191ceb4eb8cafc3ef6226ca4cf31e11335d6b18998511d48c3a74db861434
Instruction Fuzzy Hash: F081C2B0D11209AFCF41DFB5D9026AEBBF1AF08304F60846AF914FB351E63599648F95

Uniqueness

Uniqueness Score: -1.00%

Function 0285A6C4 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6386f2c641fe1ae361551c97dc346305906f8cb2b555bd22f57892df623a94fc
Instruction ID: 1ff04eabcc848798b2d28ce014b1036068d78277bd0412de9294bd23d0c7583e
Opcode Fuzzy Hash: 6386f2c641fe1ae361551c97dc346305906f8cb2b555bd22f57892df623a94fc
Instruction Fuzzy Hash: 15519DB4D0121DAFCF40EFB4C9425AEBBF1AF08304F2404AAED18E7211F73599658B95

Uniqueness

Uniqueness Score: -1.00%

Function 02730191 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efffc08bb62a53c99310bfc01fbe5f72ea93ea7e7f15565b9358d3eb14f48bb8
Instruction ID: 83dccadd72092aa30db1cedcd59046d2cda5f01af46ffe0bdf73299eeea81a50
Opcode Fuzzy Hash: efffc08bb62a53c99310bfc01fbe5f72ea93ea7e7f15565b9358d3eb14f48bb8
Instruction Fuzzy Hash: 45215070D1021DAFCF50EFB589466EEBBF5AF0C204F6004AAEA14B7211E7359E648B95

Uniqueness

Uniqueness Score: -1.00%

Function 027AD185 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd29ea51f56938e3b0fe538eebf0e75d076a99da69f28dde804cdb0ff5a9b2c6
Instruction ID: 0bc2bc3ea4a51c5ea55a4b0d3b65f846971735e1a6979e476580fcfd12c319bf
Opcode Fuzzy Hash: bd29ea51f56938e3b0fe538eebf0e75d076a99da69f28dde804cdb0ff5a9b2c6
Instruction Fuzzy Hash: 78215F70D102189FCF50DFA8C9526AEBBF1AF08214F10056AE908F7251E735A965CB99

Uniqueness

Uniqueness Score: -1.00%

Function 02744F13 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2fa23989db676c94352e5810e770bfe4023309371ed43c3aca85fbc2ce95414
Instruction ID: 7039487444471d7af970bea9272bb0f2bdfdb4c32d49ef9aa8316c0638b13e3d
Opcode Fuzzy Hash: c2fa23989db676c94352e5810e770bfe4023309371ed43c3aca85fbc2ce95414
Instruction Fuzzy Hash: A7212C30D1414D9FCF40AFB888526FEBBF1AF09304F18446AE824F7252EB359A54DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0276BFDD Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd6e7e7e4a34552afc311ffd3608d903d7f4577182327d3402468a3d14b8de67
Instruction ID: f36dd2f0ee4cb17203ae6226a817165f36027bc5a025e180da6e8b2e557ae54f
Opcode Fuzzy Hash: bd6e7e7e4a34552afc311ffd3608d903d7f4577182327d3402468a3d14b8de67
Instruction Fuzzy Hash: 76218070D102199FCF51DFA8C9466EEBBF1BF08310F14046AE918F7211E7356A65CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0278B547 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363fb4d08c07ab87546cf3693b35466efb192beb9283120ec46245cfdd315559
Instruction ID: c66076a50f04350cb2e2a6846b96a1036ad54bc79610c303446af34f862184ea
Opcode Fuzzy Hash: 363fb4d08c07ab87546cf3693b35466efb192beb9283120ec46245cfdd315559
Instruction Fuzzy Hash: AC216070E1021C9FCF50DFA9C9426EEBBF1AF0C214F10146AEA08F7251E735A965CB99

Uniqueness

Uniqueness Score: -1.00%

Function 02742DCA Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ffbcfcc3b428535090375f15dba9e4d0b424fd4ebc57f003bf27f73007ffd2
Instruction ID: c99a8619cfc1259a96291faccbc49bcadd03306ce3f05b586b371d96db99a4dd
Opcode Fuzzy Hash: e2ffbcfcc3b428535090375f15dba9e4d0b424fd4ebc57f003bf27f73007ffd2
Instruction Fuzzy Hash: 5F216070D1021C9FCF50DFA8C9426EEBBF1BF18214F14046AE918F7212E739A965CB99

Uniqueness

Uniqueness Score: -1.00%

Function 02765A3D Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa42603898da9a8a8080891586da0128432c63ffc7bc5584cfef20c70e706d0
Instruction ID: f7019bd5830c7ab0b295d455f06007a15826a04897cd173db271090f241eea4c
Opcode Fuzzy Hash: 2fa42603898da9a8a8080891586da0128432c63ffc7bc5584cfef20c70e706d0
Instruction Fuzzy Hash: 2C21A270D1021DAFCF45DFA9D8425AEBBF1BF08300F50446AE928F7221E7355964CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0276AA19 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3033cb3fbf6651616b46f2ad84c99ee9394aa4b6898eb1acc55947c2c3e733
Instruction ID: dceeb26bc44b01ec9fd129a1135642b7149a69c2d4eb42b4a8ac3a963bd66a4f
Opcode Fuzzy Hash: dd3033cb3fbf6651616b46f2ad84c99ee9394aa4b6898eb1acc55947c2c3e733
Instruction Fuzzy Hash: 6521A270D1121DAFCF41DFB8D9426AEBBF5BF08304F10046AA918F7241E7355A64CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0276A8F6 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09a6c66fb9aa875c02ab2403ac8895859fcb8130607deb2305712c59f251bce
Instruction ID: d1dfeb18af47f970e99abe3fdc74515f13f07a948c1e8f734690723d22f32b6c
Opcode Fuzzy Hash: b09a6c66fb9aa875c02ab2403ac8895859fcb8130607deb2305712c59f251bce
Instruction Fuzzy Hash: 9221A270D1121DAFCF41DFB8D9426AEBBF5BF08304F20046AA918F7241E7355A64CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0276F3C6 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e865f04c279ec786b060357d5e8366fb2390ab5349e11a18690f215df437d18
Instruction ID: af3f19dc267919171a8a116740c86ef96ab8e1282c9a85c57b9d0e5647e19030
Opcode Fuzzy Hash: 5e865f04c279ec786b060357d5e8366fb2390ab5349e11a18690f215df437d18
Instruction Fuzzy Hash: F0117F70D102199FCF40DFB9C8469EEBBF1BF0C204F10946AE915F7611E73498648BA9

Uniqueness

Uniqueness Score: -1.00%

Function 02749049 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 102feeee92aacb7df55f04a5f1f2fb481884e73fc39b611d7fe3ebf97f862270
Instruction ID: 091ed9ae5bb2331dc1933fd8c793fc6428afce342c0ddb94ba6f0c5e1eb61194
Opcode Fuzzy Hash: 102feeee92aacb7df55f04a5f1f2fb481884e73fc39b611d7fe3ebf97f862270
Instruction Fuzzy Hash: 5D118070D1021D9FCF40DFB8C8469EEBBF1AF0C200F10546AEA14F7211E735A9648BA5

Uniqueness

Uniqueness Score: -1.00%

Function 027678C0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5776ae61dc78020e0e5c133ca9ba2f8dc49574c2e04d719b5247306c8d9a91
Instruction ID: 9a52814f098820c562bafca05cffe0c093c1fc2278502f66851d4721d656d9ce
Opcode Fuzzy Hash: 8f5776ae61dc78020e0e5c133ca9ba2f8dc49574c2e04d719b5247306c8d9a91
Instruction Fuzzy Hash: 77117E70D102199FCF40DFB88846AEEBBF5AF0C314F008469E918F7251E73599648BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0278440A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8b5a06756aefe89d861b209e9f093a9de7e0f1452f7b0391592d54ff80f169
Instruction ID: a3acd5f1e472005b9337c4fb4bdcc312bb3f29af7ab1e64c724ede9d76d3fb46
Opcode Fuzzy Hash: ef8b5a06756aefe89d861b209e9f093a9de7e0f1452f7b0391592d54ff80f169
Instruction Fuzzy Hash: 44110C75D0124D9FCF41DFE8C8426EEBFF0AF08210F5544A9E858F7212E6359A64CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02730364 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f28533956c767b6daee7b339dbf2556ec1ae76128e1f028166e6808f4c8669b
Instruction ID: bdf34955549c5ebdcbe5e326c0a8b199c1f8b90b569d7f675b15a9bff4f7be6d
Opcode Fuzzy Hash: 6f28533956c767b6daee7b339dbf2556ec1ae76128e1f028166e6808f4c8669b
Instruction Fuzzy Hash: 34119970D0011E9BCF52EBB4CA062AFB7B1BF04305F2004A59D25B7291EB745E64DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 027302CB Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2cabad136cb7252a6557880a4d0c3908367ca1169ee47956766d4d0a5cca74
Instruction ID: 4e54003673ba5ef14eece08ab55bc6bece5d0bcfa0149e91f76caec1126341cb
Opcode Fuzzy Hash: cd2cabad136cb7252a6557880a4d0c3908367ca1169ee47956766d4d0a5cca74
Instruction Fuzzy Hash: E1019570D1021DAFCF40EFB489522AFBBF5AF08304F2008A99914F7251E6349A648BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02748187 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c503d38d53cac01621904d9f6882c17425330e2437c1e8c4c90ad8b6684c80
Instruction ID: a162e3786501b298c49f8abd2b230bcba04902d0c85537115a51253a418f94f2
Opcode Fuzzy Hash: 36c503d38d53cac01621904d9f6882c17425330e2437c1e8c4c90ad8b6684c80
Instruction Fuzzy Hash: 5A01C870D1021D9FCF009FB48C065AEBBB4BF08304F1444AAED14F7212E7399A658B96

Uniqueness

Uniqueness Score: -1.00%

Function 027681AD Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d3b62ead2d67f67171ad62b7f8de15be2d4802596986682d6cc0a35f6a9485
Instruction ID: 91e9cba3d6f412786c17b3a94d058c13509f1d1ba1d597bb721f91ba3c7df80e
Opcode Fuzzy Hash: 85d3b62ead2d67f67171ad62b7f8de15be2d4802596986682d6cc0a35f6a9485
Instruction Fuzzy Hash: F6011E71D102599FCF41DFE8C806BBFBBB0AF18200F144469D814F7242E2389A188B96

Uniqueness

Uniqueness Score: -1.00%

Function 02767F6A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2414143a72273ad519a111950a2d1bc550e800d178261d956e59a29af115fff3
Instruction ID: 8992be36539b2939c8f1a25f7f108cff55120cfb8c3dfef7799def09e31cbd74
Opcode Fuzzy Hash: 2414143a72273ad519a111950a2d1bc550e800d178261d956e59a29af115fff3
Instruction Fuzzy Hash: B8011E71D042499FCF41DFA88806BFFFBB0AF08204F1444A9E854F7242E2389A15DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0276F0B8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8e8fa4d86d81d4db0e2311f3f664e8edf106fb717f593e0c2620f7bb7b94b0
Instruction ID: 807cf5b6fe496f8e2d6e0eacaa5c61f2549050c3bd73e660f7b4d6747535c779
Opcode Fuzzy Hash: 1b8e8fa4d86d81d4db0e2311f3f664e8edf106fb717f593e0c2620f7bb7b94b0
Instruction Fuzzy Hash: 8D01FB70E0021A9FCF009FA9DC46ABEFBF4BF08200F4444A9E824E7312E73899558B95

Uniqueness

Uniqueness Score: -1.00%

Function 0274C0BB Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44fe016fdcd8414c1bcb0b335d235c3b4daea67c3987569e41c01352e74e44b5
Instruction ID: b4f15e2b2edbc5bc2d5c8a2c44e636a7b2e16a9c5bfbfe95272c7c2e36eebc8b
Opcode Fuzzy Hash: 44fe016fdcd8414c1bcb0b335d235c3b4daea67c3987569e41c01352e74e44b5
Instruction Fuzzy Hash: 0401A470E102199FCF10DFA9C946AADBBF0AF0C700F5004AAE914FB251E735AD648B95

Uniqueness

Uniqueness Score: -1.00%

Function 0274BFB0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc48e8d13f58e886405d0c13ac9f767616f578ace80471568ba08f4ceb489be
Instruction ID: 7bde4f4e0a2a89dd5a90c4a6dfd61f71ce35a86c7453ec53ebc0c0d0d34b770e
Opcode Fuzzy Hash: 0bc48e8d13f58e886405d0c13ac9f767616f578ace80471568ba08f4ceb489be
Instruction Fuzzy Hash: FF01B670E002199FCF10DFA9CD46AADBBF0BF0C600F5104AAE914FB261E735AD648B95

Uniqueness

Uniqueness Score: -1.00%

Function 0274C517 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45152a958ed2b3d2b9b2ad1121cfaf6b3fde9d699878c37b824ef62f5e2e84d
Instruction ID: 319aa0b4fc193676ff26dcc6128a6f47647a495ecb846f7b47a98c7ca742a633
Opcode Fuzzy Hash: c45152a958ed2b3d2b9b2ad1121cfaf6b3fde9d699878c37b824ef62f5e2e84d
Instruction Fuzzy Hash: EB01A470E002199FCF10DFA9C946AAEBBF0AF0C600F5004AAE914FB251E735A9648B95

Uniqueness

Uniqueness Score: -1.00%

Function 0276F050 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 200280d10f1048633e434b72861c2a727b0ba2a39c542f442d8e0b850b23c0ba
Instruction ID: e4740ea8822b4965efcd7ff86be4c4cc35286336ff6e4987b7e6fb5fe274df3d
Opcode Fuzzy Hash: 200280d10f1048633e434b72861c2a727b0ba2a39c542f442d8e0b850b23c0ba
Instruction Fuzzy Hash: 88F0FE70D0011D9FCF10DFA4DD466BFB7F4AF08304F100469AD15E7251E7359A648B96

Uniqueness

Uniqueness Score: -1.00%

Function 0276C10C Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d4f63b782b808cb6f74440680d7719657e8bc2c5940dc8735b0bfa68065d86
Instruction ID: 68eddb4087d7d39e46a745883712e490e54d1e295a04717dd2d28fdb129476be
Opcode Fuzzy Hash: b2d4f63b782b808cb6f74440680d7719657e8bc2c5940dc8735b0bfa68065d86
Instruction Fuzzy Hash: 0BF0DA70D0011D9BCF14AFA5CD466BFB7B4AF08304F10046AA915EB211E6359A648B96

Uniqueness

Uniqueness Score: -1.00%

Function 02748F63 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a7dc85f500f55570e4c940ee3c0c1c63ab7b75086b85b4ed175fb746e713071
Instruction ID: 1ecddb04403d1a83c0794e4bffdfc1e78e895f3ca4da81c30219eb4d8a212d88
Opcode Fuzzy Hash: 6a7dc85f500f55570e4c940ee3c0c1c63ab7b75086b85b4ed175fb746e713071
Instruction Fuzzy Hash: B6F0DA70D0011E9FCF109FA4CD066AEB7B4AF08300F100865A914A7251E7359A648B92

Uniqueness

Uniqueness Score: -1.00%

Function 02730000 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c992eb83d3d2a68fa255203c409e8801426bd877818f28382a2e02bedb91c8
Instruction ID: 55c11d1b7f7e642415973b8a7f7fa5a2d7f3861cc890716a5022f37404f05af1
Opcode Fuzzy Hash: 53c992eb83d3d2a68fa255203c409e8801426bd877818f28382a2e02bedb91c8
Instruction Fuzzy Hash: 02E09A74C4014CDBDF10FBA4DA0329DB375AB00314F5040E59E281B255E7352E759BC6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02F92110 Relevance: 159.0, APIs: 77, Strings: 13, Instructions: 1465COMMON

Download Yara Rule

APIs

SetRect.USER32(?,?,?,?,?), ref: 02F922D1
GetSysColor.USER32(00000010), ref: 02F922E9
CreateSolidBrush.GDI32(00000000), ref: 02F922F0
InflateRect.USER32(?,000000FF,000000FF), ref: 02F9233E
GetStockObject.GDI32(00000004), ref: 02F92369
FrameRect.USER32(?,?,00000000), ref: 02F9237F
GetSysColor.USER32(00000010), ref: 02F923B2
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F923BD
SelectObject.GDI32(?,00000000), ref: 02F923CD
MoveToEx.GDI32(?,?,?,00000000), ref: 02F923F0
LineTo.GDI32(?,?,?), ref: 02F9240B
LineTo.GDI32(?,?,?), ref: 02F92426
SelectObject.GDI32(?,00000000), ref: 02F92434
DeleteObject.GDI32(00000000), ref: 02F9243B
GetSysColor.USER32(0000000F), ref: 02F92453
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F9245E
SelectObject.GDI32(?,00000000), ref: 02F9246E
MoveToEx.GDI32(?,?,?,00000000), ref: 02F92497
LineTo.GDI32(?,?,?), ref: 02F924BA
LineTo.GDI32(?,?,?), ref: 02F924D9
CreatePen.GDI32(00000000,00000001,00555555), ref: 02F924F8
SelectObject.GDI32(?,00000000), ref: 02F92508
MoveToEx.GDI32(?,?,?,00000000), ref: 02F92527
LineTo.GDI32(?,?,?), ref: 02F92542
LineTo.GDI32(?,?,?), ref: 02F9255D
SelectObject.GDI32(?,00000000), ref: 02F9256B
DeleteObject.GDI32(00000000), ref: 02F92572
SelectObject.GDI32(?,?), ref: 02F92583
DeleteObject.GDI32(00000000), ref: 02F9258A
InflateRect.USER32(?,000000FF,000000FF), ref: 02F9259C
FillRect.USER32(?,?,?), ref: 02F927AD
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 02F927BB
GetClipRgn.GDI32(?,00000000), ref: 02F927D0
OffsetRect.USER32(?,?,?), ref: 02F9283F
CreateRectRgn.GDI32(?,?,?,?), ref: 02F92861
SelectClipRgn.GDI32(?,00000000), ref: 02F92873

Strings

Times New Roman, xrefs: 02F92CA0, 02F92CAC
Times, xrefs: 02F92C2B, 02F92C37
Courier, xrefs: 02F92B3B, 02F92B47
Application, xrefs: 02F929D3, 02F929DF
Osaka, xrefs: 02F92E0B, 02F92E17
MS UI Gothic, xrefs: 02F92E80, 02F92E8C
Arial, xrefs: 02F92D90, 02F92D9C
Helvetica, xrefs: 02F92D1B, 02F92D27
Geneva, xrefs: 02F92A4F, 02F92A5B
SmallSystem, xrefs: 02F92953, 02F9295F
Courier New, xrefs: 02F92BB0, 02F92BBC
System, xrefs: 02F928D7, 02F928E3
MS Sans Serif, xrefs: 02F92AC4, 02F92AD0

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Object$Rect$Select$CreateLine$ColorDeleteMove$ClipInflate$BrushFillFrameOffsetSolidStock
String ID: Application$Arial$Courier$Courier New$Geneva$Helvetica$MS Sans Serif$MS UI Gothic$Osaka$SmallSystem$System$Times$Times New Roman
API String ID: 4228637055-974869481
Opcode ID: 47fab8a0aca8bba365c369a6538ce27abab15b91aab309bed4beb8548afcc048
Instruction ID: 0f3f4f22ce967af47866794fb01bfee90a6f1b4825ceab066f848421d27d7cbd
Opcode Fuzzy Hash: 47fab8a0aca8bba365c369a6538ce27abab15b91aab309bed4beb8548afcc048
Instruction Fuzzy Hash: B9E24771908384EFEB359F24CC48BEFB7E5BF84384F04491DEA99562A0DBB15884CB52

Uniqueness

Uniqueness Score: -1.00%

Function 026D12D0 Relevance: 77.5, APIs: 32, Strings: 12, Instructions: 482pipeprocesssleepCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5), ref: 026D145E
GetStdHandle.KERNEL32(000000F6), ref: 026D146D
GetStdHandle.KERNEL32(000000F4), ref: 026D147C
CreatePipe.KERNEL32(?,?,?,00000000), ref: 026D14C5
SetStdHandle.KERNEL32(000000F5,?), ref: 026D14D4
GetCurrentProcess.KERNEL32 ref: 026D14DA
DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000003), ref: 026D14F9
CreatePipe.KERNEL32(00000001,?,00000000,00000000), ref: 026D1516
SetStdHandle.KERNEL32(000000F6,?), ref: 026D1525
DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000003), ref: 026D1542
GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 026D15C3
GetWindowsDirectoryW.KERNEL32(00000000,00000105), ref: 026D15EA
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 026D162B
GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 026D16B5
GetWindowsDirectoryA.KERNEL32(00000000,00000105), ref: 026D16E2
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 026D170D
SetStdHandle.KERNEL32(000000F6,?), ref: 026D172C
SetStdHandle.KERNEL32(000000F5,?), ref: 026D173B
CloseHandle.KERNEL32(?), ref: 026D1748
CloseHandle.KERNEL32(?), ref: 026D1755
GetTickCount.KERNEL32 ref: 026D17C7
SetNamedPipeHandleState.KERNEL32(?,026D847C,00000000,00000000), ref: 026D17FB
GetExitCodeProcess.KERNEL32(?,?), ref: 026D1813
ReadFile.KERNEL32(?,?,00000800,00000000,00000000), ref: 026D1852
Sleep.KERNEL32(00000001,?,00000800,00000000,00000000), ref: 026D18D4
GetTickCount.KERNEL32 ref: 026D18EB
TerminateProcess.KERNEL32(?,00000000,?,00000800,00000000,00000000), ref: 026D190F
GetModuleHandleA.KERNEL32(00000000), ref: 026D19B8
RegisterClassA.USER32(?), ref: 026D19CD
GetModuleHandleA.KERNEL32(00000000,00000000), ref: 026D19DC
CreateWindowExA.USER32(00000000,RBShellTimer,026D84EC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 026D19FD
SetTimer.USER32(?,00000064,026D1C30), ref: 026D1A57

Strings

\, xrefs: 026D15D0
\, xrefs: 026D15C9
Shell timed out, xrefs: 026D1922
D, xrefs: 026D1686
\, xrefs: 026D16C5
RBShellTimer, xrefs: 026D19F6
cmd.exe /A /C ", xrefs: 026D1385
No shell available, xrefs: 026D1779
D, xrefs: 026D158D
\, xrefs: 026D16BB
command.com /C , xrefs: 026D13F0
System, xrefs: 026D1301

Memory Dump Source

Source File: 00000001.00000002.2876347313.00000000026D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.2876333042.00000000026D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876365156.00000000026D6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876379783.00000000026D8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_WindowsLoader.jbxd

Similarity

API ID: Handle$CreateProcess$Directory$CurrentPipe$CloseCountDuplicateModuleTickWindows$ClassCodeExitFileNamedReadRegisterSleepStateTerminateTimerWindow
String ID: D$D$No shell available$RBShellTimer$Shell timed out$System$\$\$\$\$cmd.exe /A /C "$command.com /C
API String ID: 1427433727-346036364
Opcode ID: b63ea16c1fdf60264aafe59acf81b60253fabf22f6c23f89a05313fc68ff184f
Instruction ID: d89151f76bbb40cbacd95fa268e74e717dd3e0133a99249e9bccd40e47b5f102
Opcode Fuzzy Hash: b63ea16c1fdf60264aafe59acf81b60253fabf22f6c23f89a05313fc68ff184f
Instruction Fuzzy Hash: 1D12BF71949388AFE330AF60DC48B9FB7E9EF89314F10491DE68C86291DBB06581CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00482F50 Relevance: 64.9, APIs: 18, Strings: 19, Instructions: 173libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB970: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB981
Part of subcall function 004AB970: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB993
Part of subcall function 004AB970: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB9C2

LoadLibraryA.KERNEL32(ole32.dll,?,?,00000000,?,?,00484573,?), ref: 00482FC2
LoadLibraryA.KERNEL32(oleaut32.dll,?,?,00000000,?,?,00484573,?), ref: 00482FE1
GetProcAddress.KERNEL32(752C0000,CoInitialize), ref: 0048300E
GetProcAddress.KERNEL32(752C0000,OleInitialize), ref: 00483020
GetProcAddress.KERNEL32(752C0000,CoCreateInstance), ref: 00483033
GetProcAddress.KERNEL32(752C0000,CLSIDFromProgID), ref: 00483046
GetProcAddress.KERNEL32(752C0000,CLSIDFromString), ref: 00483058
GetProcAddress.KERNEL32(753B0000,GetActiveObject), ref: 0048306B
GetProcAddress.KERNEL32(753B0000,SafeArrayAccessData), ref: 0048307E
GetProcAddress.KERNEL32(753B0000,SafeArrayUnaccessData), ref: 00483090
GetProcAddress.KERNEL32(753B0000,SafeArrayCreate), ref: 004830A3
GetProcAddress.KERNEL32(753B0000,SafeArrayDestroy), ref: 004830B6
GetProcAddress.KERNEL32(753B0000,SafeArrayGetElement), ref: 004830C8
GetProcAddress.KERNEL32(753B0000,SafeArrayPutElement), ref: 004830DB
GetProcAddress.KERNEL32(753B0000,SysFreeString), ref: 004830EE
GetProcAddress.KERNEL32(753B0000,SysAllocString), ref: 00483100
GetProcAddress.KERNEL32(753B0000,VariantChangeType), ref: 00483113
GetProcAddress.KERNEL32(753B0000,VariantInit), ref: 00483126

Strings

CoInitialize, xrefs: 00483008
SafeArrayAccessData, xrefs: 00483073
Cannot initialize OLE, xrefs: 00482F5C
GetActiveObject, xrefs: 00483060
CoCreateInstance, xrefs: 00483028
SafeArrayGetElement, xrefs: 004830C2
CLSIDFromProgID, xrefs: 0048303B
ole32.dll, xrefs: 00482FBD
SafeArrayDestroy, xrefs: 004830AB
SysAllocString, xrefs: 004830FA
SafeArrayCreate, xrefs: 00483098
oleaut32.dll, xrefs: 00482FDC
VariantInit, xrefs: 0048311B
SafeArrayPutElement, xrefs: 004830D0
VariantChangeType, xrefs: 00483108
CLSIDFromString, xrefs: 00483052
SysFreeString, xrefs: 004830E3
SafeArrayUnaccessData, xrefs: 0048308A
OleInitialize, xrefs: 0048301A

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: AddressProc$CriticalSection$LibraryLoad$EnterInitializeLeave
String ID: CLSIDFromProgID$CLSIDFromString$Cannot initialize OLE$CoCreateInstance$CoInitialize$GetActiveObject$OleInitialize$SafeArrayAccessData$SafeArrayCreate$SafeArrayDestroy$SafeArrayGetElement$SafeArrayPutElement$SafeArrayUnaccessData$SysAllocString$SysFreeString$VariantChangeType$VariantInit$ole32.dll$oleaut32.dll
API String ID: 3347013416-2026800721
Opcode ID: 2f0068123ebee320c3ce6ab5e19c4032c6a075c2b554bd47223f75937ece52cc
Instruction ID: 3d823692697d370075ac87ecff68829d6b52e861b803860818671a44ff0a0a8d
Opcode Fuzzy Hash: 2f0068123ebee320c3ce6ab5e19c4032c6a075c2b554bd47223f75937ece52cc
Instruction Fuzzy Hash: D7613BB19812049AD711EF68EC48B3A3BA5F728B05F08055BD948D72A0DBBC5948EF5A

Uniqueness

Uniqueness Score: -1.00%

Function 004D91C0 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 150windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(SHELL_TRAYWND,00000000), ref: 004D921F
FindWindowA.USER32(SHELL_TRAYWND,00000000), ref: 004D922C
ShowWindow.USER32(00000000,00000000), ref: 004D9239
GetActiveWindow.USER32 ref: 004D9250
GetMenu.USER32(00000000), ref: 004D926C
GetSystemMetrics.USER32(0000000F), ref: 004D9290
GetMenu.USER32(00000000), ref: 004D929B
SetMenu.USER32(00000000,00000000), ref: 004D92A8
SendMessageA.USER32(00000000,00000229,00000000,00000000), ref: 004D92C6
GetWindowLongA.USER32(00000000,00000000), ref: 004D92E2
GetWindowRect.USER32(00000000,?), ref: 004D92F0
ScreenToClient.USER32(00000000,?), ref: 004D9307
ScreenToClient.USER32(00000000,?), ref: 004D9315

Part of subcall function 005662C8: _malloc.LIBCMT ref: 005662E0

GetWindowLongA.USER32(00000000,00000000), ref: 004D9335
GetWindowRect.USER32(00000000,?), ref: 004D9343
MoveWindow.USER32(00000000,?,?,?,?,00000001), ref: 004D939B

Strings

SHELL_TRAYWND, xrefs: 004D921A
SHELL_TRAYWND, xrefs: 004D9227

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Window$Menu$ClientFindLongRectScreen$ActiveMessageMetricsMoveSendShowSystem_malloc
String ID: SHELL_TRAYWND$SHELL_TRAYWND
API String ID: 1236088787-2484331251
Opcode ID: 6208f0c19441ef5c477e637207ca19ee588da2753655ada3f696d939ab8279de
Instruction ID: 7641402a8d58c072d7f08ee5ceb1606f629dafb8fcc8a2db492660ccbc0d378b
Opcode Fuzzy Hash: 6208f0c19441ef5c477e637207ca19ee588da2753655ada3f696d939ab8279de
Instruction Fuzzy Hash: 3A51A170604301AFE710DB64EC59B7B77A4BBA5700F04494BF959C3390DB789C48EBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004236B0 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 91libraryloaderwindowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00423700
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0042371C
ExitProcess.KERNEL32 ref: 00423729
LoadLibraryA.KERNEL32(Kernel32), ref: 00423744
GetProcAddress.KERNEL32(00000000,GetDynamicTimeZoneInformation), ref: 00423750
_memset.LIBCMT ref: 0042377A
_memset.LIBCMT ref: 004237CC
GetTimeZoneInformation.KERNEL32(00000000), ref: 004237D8

Strings

..\..\..\..\Universal\DateImp\DateImpWin32.cpp, xrefs: 004236E2
Runtime Error, xrefs: 0042370D
Kernel32, xrefs: 00423738
Failed Assertion, xrefs: 004236E7
GetDynamicTimeZoneInformation, xrefs: 0042374A
utcBias and stdBias and dstBias, xrefs: 004236D8
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004236EE

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: _memset$AddressExitInformationLibraryLoadMessageProcProcessTimeZone_swprintf
String ID: ..\..\..\..\Universal\DateImp\DateImpWin32.cpp$Failed Assertion$GetDynamicTimeZoneInformation$Kernel32$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$utcBias and stdBias and dstBias
API String ID: 3148928950-2886455637
Opcode ID: a13728b5ccf83f91dd747c3e5122634af813dfa3dabf59829275673784544e00
Instruction ID: 6413555f56125bdeb6f5b27eccf0f838e0360cfa4709b0407ae6a45be85b4084
Opcode Fuzzy Hash: a13728b5ccf83f91dd747c3e5122634af813dfa3dabf59829275673784544e00
Instruction Fuzzy Hash: 6B3174B16487009BDB209F60EC4AF57BBE9BFA8705F40491DE98D972D0EB755444CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0053A130 Relevance: 22.7, APIs: 15, Instructions: 161clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0053A143
EmptyClipboard.USER32 ref: 0053A15F
GlobalAlloc.KERNEL32(00002002,00000002,?,?,?,?,?,?,?,00000001), ref: 0053A1B0
GlobalFix.KERNEL32(00000000), ref: 0053A1D4
GlobalUnWire.KERNEL32(00000000), ref: 0053A1ED
GlobalAlloc.KERNEL32(00002002,00000000), ref: 0053A223
GlobalSize.KERNEL32(00000000), ref: 0053A23D
GlobalFix.KERNEL32(00000000), ref: 0053A247
GlobalUnWire.KERNEL32(00000000), ref: 0053A25C
SetClipboardData.USER32(00000001,00000000), ref: 0053A265
GlobalAlloc.KERNEL32(00002002,00000000,?,?,?,?,?,?,00000001), ref: 0053A29B
GlobalSize.KERNEL32(00000000), ref: 0053A2B5
GlobalFix.KERNEL32(00000000), ref: 0053A2BE
GlobalUnWire.KERNEL32(00000000), ref: 0053A2D0
SetClipboardData.USER32(00000001,00000000), ref: 0053A2DB

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Global$Clipboard$AllocWire$DataSize$EmptyOpen
String ID:
API String ID: 3905313818-0
Opcode ID: 31d46463d984fd981a765f3f5f21d77c854ec8791e22346f32a7e33bd5b31147
Instruction ID: 26fa5db48a1cbbcde98931052185ba9cbe7ebc51a0426c63ae7fecf164641944
Opcode Fuzzy Hash: 31d46463d984fd981a765f3f5f21d77c854ec8791e22346f32a7e33bd5b31147
Instruction Fuzzy Hash: 6C510272A00614AFE7209BA4AC49B6BBFB8FF64710F04451DF84997242D771AD84E7E2

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEF0 Relevance: 19.6, APIs: 5, Strings: 6, Instructions: 306COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 0040CF0D
GetSysColor.USER32(00000012), ref: 0040CF3B
GetSysColor.USER32(00000014), ref: 0040CF3F
GetSysColor.USER32(00000010), ref: 0040CF6D
GetSysColor.USER32(00000010), ref: 0040CFBB

Part of subcall function 0040D410: GetSysColor.USER32(00000012), ref: 0040D43A

Strings

VUUU, xrefs: 0040D134
VUUU, xrefs: 0040D14A
VUUU, xrefs: 0040D1A2
VUUU, xrefs: 0040D160
VUUU, xrefs: 0040D18C
VUUU, xrefs: 0040D176

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Color
String ID: VUUU$VUUU$VUUU$VUUU$VUUU$VUUU
API String ID: 2811717613-4169672726
Opcode ID: 74ff6d873e77b907ba80f9af1e04e405af493b7ade25e70343e155dbf893ac6b
Instruction ID: 1baac0d8d9e1ad1b5df44de461fe47bb2720d046423b1abdac5e36ae9520dcf4
Opcode Fuzzy Hash: 74ff6d873e77b907ba80f9af1e04e405af493b7ade25e70343e155dbf893ac6b
Instruction Fuzzy Hash: D0B1C33461091AABCB08EFA8C890ABEF3B5FF9C300F10820DE585D7794E7799A45C795

Uniqueness

Uniqueness Score: -1.00%

Function 00422FA0 Relevance: 18.1, APIs: 12, Instructions: 145COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000400,40000038,?,00000050), ref: 00422FB9
GetLocaleInfoA.KERNEL32(00000400,40000039,?,00000050,?,00000050), ref: 00422FCB
GetLocaleInfoA.KERNEL32(00000400,4000003A,?,00000050,?,00000050), ref: 00422FE0
GetLocaleInfoA.KERNEL32(00000400,4000003B,?,00000050,?,00000050), ref: 00422FF5
GetLocaleInfoA.KERNEL32(00000400,4000003C,?,00000050,?,00000050), ref: 0042300A
GetLocaleInfoA.KERNEL32(00000400,4000003D,?,00000050,?,00000050), ref: 0042301F
GetLocaleInfoA.KERNEL32(00000400,4000003E,?,00000050,?,00000050), ref: 00423034
GetLocaleInfoA.KERNEL32(00000400,4000003F,?,00000050,?,00000050), ref: 00423049
GetLocaleInfoA.KERNEL32(00000400,40000040,?,00000050,?,00000050), ref: 0042305E
GetLocaleInfoA.KERNEL32(00000400,40000041,?,00000050,?,00000050), ref: 00423073
GetLocaleInfoA.KERNEL32(00000400,40000042,?,00000050,?,00000050), ref: 00423088
GetLocaleInfoA.KERNEL32(00000400,40000043,?,00000050,?,00000050), ref: 004230A0

Part of subcall function 00566BED: __strupr_s_l.LIBCMT ref: 00566BF7

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: InfoLocale$__strupr_s_l
String ID:
API String ID: 2775460573-0
Opcode ID: ad73891f3c7e6758c775bf1beaa379aa5203362e2d1724e3940ee6ea62d631b5
Instruction ID: 673dd6247838cd44a1dba43dab5f86ab73256e67830573e2420493ae0632c891
Opcode Fuzzy Hash: ad73891f3c7e6758c775bf1beaa379aa5203362e2d1724e3940ee6ea62d631b5
Instruction Fuzzy Hash: 2B4183B1288B48BDE131E6749C46FEB7BDC9B94745F400459F3A9EB0D1D6E4E608CB22

Uniqueness

Uniqueness Score: -1.00%

Function 02693550 Relevance: 16.7, Strings: 13, Instructions: 497COMMON

Download Yara Rule

Strings

gfff, xrefs: 026938C2
-NAN, xrefs: 0269372F
E, xrefs: 02693830
inf, xrefs: 026936E0
-nan, xrefs: 02693742
gfff, xrefs: 026938C9
-INF, xrefs: 0269366F
nan, xrefs: 026937A0
-inf, xrefs: 02693682
, xrefs: 026935AC
NAN, xrefs: 0269378F
-, xrefs: 026938AA
INF, xrefs: 026936CF

Memory Dump Source

Source File: 00000001.00000002.2876226182.0000000002691000.00000020.00001000.00020000.00000000.sdmp, Offset: 02690000, based on PE: true

Associated: 00000001.00000002.2876210818.0000000002690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876241992.0000000002698000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876257033.000000000269B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2690000_WindowsLoader.jbxd

Similarity

API ID: Value$Message
String ID: $-$-INF$-NAN$-inf$-nan$E$INF$NAN$gfff$gfff$inf$nan
API String ID: 3504782000-1862664857
Opcode ID: adf9bf1b69af04e611a687fd5e5116d5a2aebcef573641748dd3cb71de9fca1d
Instruction ID: 082dcf6788f132ae15668465a0c866f830a2af377255fb28b0ea105e306c47d1
Opcode Fuzzy Hash: adf9bf1b69af04e611a687fd5e5116d5a2aebcef573641748dd3cb71de9fca1d
Instruction Fuzzy Hash: 42026D7290C3914ECB158F38D58433EBFE9ABC1318F184A9EE8D487381DB769669C752

Uniqueness

Uniqueness Score: -1.00%

Function 00DA25F0 Relevance: 16.7, Strings: 13, Instructions: 497COMMON

Download Yara Rule

Strings

-inf, xrefs: 00DA2722
gfff, xrefs: 00DA2962
NAN, xrefs: 00DA282F
-INF, xrefs: 00DA270F
nan, xrefs: 00DA2840
-, xrefs: 00DA294A
INF, xrefs: 00DA276F
, xrefs: 00DA264C
E, xrefs: 00DA28D0
-nan, xrefs: 00DA27E2
-NAN, xrefs: 00DA27CF
inf, xrefs: 00DA2780
gfff, xrefs: 00DA2969

Memory Dump Source

Source File: 00000001.00000002.2876128112.0000000000DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000001.00000002.2876112704.0000000000DA0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876145215.0000000000DA7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876159981.0000000000DA8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_da0000_WindowsLoader.jbxd

Similarity

API ID: Value$Message
String ID: $-$-INF$-NAN$-inf$-nan$E$INF$NAN$gfff$gfff$inf$nan
API String ID: 3504782000-1862664857
Opcode ID: 0af5b0dc2390cba8430af50a509c1fe343f4c23d7ff612d90e5c7d36dba94ca5
Instruction ID: 8320c41ba3e452171965ce10f5d90dba680795cb4799a5ae97d32132b8ae54b3
Opcode Fuzzy Hash: 0af5b0dc2390cba8430af50a509c1fe343f4c23d7ff612d90e5c7d36dba94ca5
Instruction Fuzzy Hash: 9302287290C3918BC3218F3E899437ABFE1AB97314F1C4A5EE8C487685D279DA44D772

Uniqueness

Uniqueness Score: -1.00%

Function 026B25C0 Relevance: 16.7, Strings: 13, Instructions: 497COMMON

Download Yara Rule

Strings

-INF, xrefs: 026B26DF
-inf, xrefs: 026B26F2
nan, xrefs: 026B2810
inf, xrefs: 026B2750
gfff, xrefs: 026B2939
gfff, xrefs: 026B2932
-nan, xrefs: 026B27B2
E, xrefs: 026B28A0
-, xrefs: 026B291A
-NAN, xrefs: 026B279F
NAN, xrefs: 026B27FF
, xrefs: 026B261C
INF, xrefs: 026B273F

Memory Dump Source

Source File: 00000001.00000002.2876285867.00000000026B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026B0000, based on PE: true

Associated: 00000001.00000002.2876271806.00000000026B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876301547.00000000026B7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876315449.00000000026B9000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26b0000_WindowsLoader.jbxd

Similarity

API ID: Value$Message
String ID: $-$-INF$-NAN$-inf$-nan$E$INF$NAN$gfff$gfff$inf$nan
API String ID: 3504782000-1862664857
Opcode ID: b6b84263a077949dc6f16444a34c2f1fe09084068af5608dbcf19cd744fd05c2
Instruction ID: ab12170baf876ba2d2d0bf67dbb8cb5943500478e576e2dc2852a2c2ada099e3
Opcode Fuzzy Hash: b6b84263a077949dc6f16444a34c2f1fe09084068af5608dbcf19cd744fd05c2
Instruction Fuzzy Hash: 41025B3290C3914BC3278F3885A43AABFE1AF85318F184A6EECD447781D7759AC9D752

Uniqueness

Uniqueness Score: -1.00%

Function 02F9BE90 Relevance: 16.7, Strings: 13, Instructions: 497COMMON

Download Yara Rule

Strings

NAN, xrefs: 02F9C0CF
gfff, xrefs: 02F9C209
E, xrefs: 02F9C170
-NAN, xrefs: 02F9C06F
-inf, xrefs: 02F9BFC2
, xrefs: 02F9BEEC
-nan, xrefs: 02F9C082
INF, xrefs: 02F9C00F
gfff, xrefs: 02F9C202
nan, xrefs: 02F9C0E0
-, xrefs: 02F9C1EA
inf, xrefs: 02F9C020
-INF, xrefs: 02F9BFAF

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Value$Message
String ID: $-$-INF$-NAN$-inf$-nan$E$INF$NAN$gfff$gfff$inf$nan
API String ID: 3504782000-1862664857
Opcode ID: dd3136a221c931e81b7c5584a1344bbd3cab4841f089b78db63ef65cdcb7fa6f
Instruction ID: 7c47424de8118417ea940b5cf878f92a6c364129116147000870ef605768302c
Opcode Fuzzy Hash: dd3136a221c931e81b7c5584a1344bbd3cab4841f089b78db63ef65cdcb7fa6f
Instruction Fuzzy Hash: 52023A73A0C3914FEB118E3CD54437ABFE1AB8A388F184A5FEAC487285D3769544CB52

Uniqueness

Uniqueness Score: -1.00%

Function 100087C0 Relevance: 16.7, Strings: 13, Instructions: 497COMMON

Download Yara Rule

Strings

gfff, xrefs: 10008B32
inf, xrefs: 10008950
-nan, xrefs: 100089B2
NAN, xrefs: 100089FF
-inf, xrefs: 100088F2
E, xrefs: 10008AA0
gfff, xrefs: 10008B39
, xrefs: 1000881C
-, xrefs: 10008B1A
INF, xrefs: 1000893F
-INF, xrefs: 100088DF
-NAN, xrefs: 1000899F
nan, xrefs: 10008A10

Memory Dump Source

Source File: 00000001.00000002.2877213525.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2877196871.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2877231222.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2877245622.0000000010014000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_WindowsLoader.jbxd

Similarity

API ID: Value$Message
String ID: $-$-INF$-NAN$-inf$-nan$E$INF$NAN$gfff$gfff$inf$nan
API String ID: 3504782000-1862664857
Opcode ID: 71666fa24203b051462859b2ad17bc6b4aefbc1006a8950b30d20dcd9b944383
Instruction ID: 506819c86ff82922b974c0d10d6c49725303e1a7720a36766a006d1f1caa7181
Opcode Fuzzy Hash: 71666fa24203b051462859b2ad17bc6b4aefbc1006a8950b30d20dcd9b944383
Instruction Fuzzy Hash: CC026A7290C3918AF311CF38888432ABFE1FB95394F194A6EE8C48768AD7759B44D753

Uniqueness

Uniqueness Score: -1.00%

Function 00423A10 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 134timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00423950: _swprintf.LIBCMT ref: 00423993
Part of subcall function 00423950: MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 004239AD
Part of subcall function 00423950: ExitProcess.KERNEL32 ref: 004239B9

_memset.LIBCMT ref: 00423A5B
GetDateFormatA.KERNEL32(00000400,00000001,?,00000000,?,00000100), ref: 00423A8E
GetDateFormatA.KERNEL32(00000400,00000002,?,00000000,?,00000100), ref: 00423AB1
GetLocaleInfoA.KERNEL32(00000400,00000020,?,00000050), ref: 00423ACD
GetDateFormatA.KERNEL32(00000400,00000000,?,?,?,00000100), ref: 00423B09
GetTimeFormatA.KERNEL32(00000400,00000002,?,00000000,?,00000100), ref: 00423B29
GetTimeFormatA.KERNEL32(00000400,00000000,?,00000000,?,00000100), ref: 00423B49

Strings

You are trying to get a non-existant date string., xrefs: 00423B5B
..\..\..\..\Universal\DateImp\DateImpWin32.cpp, xrefs: 00423B56

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Format$Date$Time$ExitInfoLocaleMessageProcess_memset_swprintf
String ID: ..\..\..\..\Universal\DateImp\DateImpWin32.cpp$You are trying to get a non-existant date string.
API String ID: 2888463170-1460954243
Opcode ID: 12c40b5a1e6609b71ad01a68bb78956dbf1b2caa9dc284393bc90db0002c0d14
Instruction ID: 0c1fddb3d57691d5c72e935ce868f67c10c99bf5a4108018a41ba3fd477c572c
Opcode Fuzzy Hash: 12c40b5a1e6609b71ad01a68bb78956dbf1b2caa9dc284393bc90db0002c0d14
Instruction Fuzzy Hash: 6A419172254300AFE314DF50DC46FAB77E8EB88705F504919F6459B1C1DBB4AA09CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 005662C8 Relevance: 10.6, APIs: 7, Instructions: 108COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 005662E0

Part of subcall function 005663AB: __FF_MSGBANNER.LIBCMT ref: 005663CE
Part of subcall function 005663AB: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001), ref: 00566423

std::exception::exception.LIBCMT ref: 00566317
__CxxThrowException@8.LIBCMT ref: 0056632C
__set_abort_behavior.LIBCMT ref: 0056634F
_memset.LIBCMT ref: 005688E0
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,005F09C8), ref: 00568900
UnhandledExceptionFilter.KERNEL32(?,?,?,005F09C8), ref: 0056890A

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExceptionFilterUnhandled$AllocateException@8HeapThrow__set_abort_behavior_malloc_memsetstd::exception::exception
String ID:
API String ID: 1217140398-0
Opcode ID: 05ca1c38425a62248e9d8afda43745b100735f6c8ad6b4409e3c46d63d372a33
Instruction ID: 0c22c4e92df3425a25bb223e5a6acc189002001425d994c4a5952611595be444
Opcode Fuzzy Hash: 05ca1c38425a62248e9d8afda43745b100735f6c8ad6b4409e3c46d63d372a33
Instruction Fuzzy Hash: 7B41927590134D9BEB20EF64DC0ABED7FA8BF54704F104529F908AB292EF709644DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00566120 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00567D5C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00567D71
UnhandledExceptionFilter.KERNEL32(8_), ref: 00567D7C
GetCurrentProcess.KERNEL32(C0000409), ref: 00567D98
TerminateProcess.KERNEL32(00000000), ref: 00567D9F

Strings

8_, xrefs: 00567D77

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: 8_
API String ID: 2579439406-3556952533
Opcode ID: 96691564b83a5f576d0e97c5a61976236a078901203c8df7b90a619385f92148
Instruction ID: 1dc564564572f2523afb8a8def6119a6620363ff7c46b224ddc485a6a0d2a7d0
Opcode Fuzzy Hash: 96691564b83a5f576d0e97c5a61976236a078901203c8df7b90a619385f92148
Instruction Fuzzy Hash: BF21F2B8901308CFD790DF64FC886287BB0BB28308F58245AE908C36E2E7785588EF05

Uniqueness

Uniqueness Score: -1.00%

Function 005586C0 Relevance: 7.5, APIs: 5, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 005586CC
GetKeyState.USER32(00000012), ref: 005586DA
GetKeyState.USER32(00000010), ref: 005586E9
GetKeyState.USER32(0000005B), ref: 005586F8
GetKeyState.USER32(0000005C), ref: 00558701

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: a3c6fbb0df7743aa534a48e371db19afe46259fb23ba108998ab483b19e00878
Instruction ID: 3b714d4c698a1f2f18da16634c3fffc906bc482c3f75bca796c68dc0bcf18dd9
Opcode Fuzzy Hash: a3c6fbb0df7743aa534a48e371db19afe46259fb23ba108998ab483b19e00878
Instruction Fuzzy Hash: 32E0ED2AB4227A91FE4121919D15FFB0C216BA4BC6F520062EE84B70C44EA4754B3AB1

Uniqueness

Uniqueness Score: -1.00%

Function 02696A40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 02696A94
FindNextFileA.KERNEL32(?,?), ref: 02696B1E
FindClose.KERNEL32(?), ref: 02696B3F

Strings

/\:, xrefs: 02696A7C

Memory Dump Source

Source File: 00000001.00000002.2876226182.0000000002691000.00000020.00001000.00020000.00000000.sdmp, Offset: 02690000, based on PE: true

Associated: 00000001.00000002.2876210818.0000000002690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876241992.0000000002698000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876257033.000000000269B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2690000_WindowsLoader.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: /\:
API String ID: 3541575487-475140901
Opcode ID: f43d540fcf50962d8fa095e34ff6730898ee37d7226ead04d4bb1e89c6c1e3f1
Instruction ID: 636e76a4dc60627e246a9a1457d45c348e4cc4a639133a5a20676edbf80ecdee
Opcode Fuzzy Hash: f43d540fcf50962d8fa095e34ff6730898ee37d7226ead04d4bb1e89c6c1e3f1
Instruction Fuzzy Hash: DD31B132A002159BDF249F78DC88AAE777EFB84324B24465EE415473C0EF75AD958F90

Uniqueness

Uniqueness Score: -1.00%

Function 026F3FB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 026F4004
FindNextFileA.KERNEL32(?,?), ref: 026F408E
FindClose.KERNEL32(?), ref: 026F40AF

Strings

/\:, xrefs: 026F3FEC

Memory Dump Source

Source File: 00000001.00000002.2876409748.00000000026F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000001.00000002.2876395659.00000000026F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876428511.00000000026F5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876443259.00000000026F7000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26f0000_WindowsLoader.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: /\:
API String ID: 3541575487-475140901
Opcode ID: 5e0d7b25c624c059f21d09508d741fc3bdd5504261308cc9fe9968555038fa8a
Instruction ID: bfe248031cfa70097cf726abc5596525ced07702aedcc20a6c5b5fac1b342895
Opcode Fuzzy Hash: 5e0d7b25c624c059f21d09508d741fc3bdd5504261308cc9fe9968555038fa8a
Instruction Fuzzy Hash: D63105329001558BCFA4CB74EC889AE7776EFC4328B15469EE614977C0EF31A9908B90

Uniqueness

Uniqueness Score: -1.00%

Function 00DA5AE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 00DA5B34
FindNextFileA.KERNEL32(?,?), ref: 00DA5BBE
FindClose.KERNEL32(?), ref: 00DA5BDF

Strings

/\:, xrefs: 00DA5B1C

Memory Dump Source

Source File: 00000001.00000002.2876128112.0000000000DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000001.00000002.2876112704.0000000000DA0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876145215.0000000000DA7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876159981.0000000000DA8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_da0000_WindowsLoader.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: /\:
API String ID: 3541575487-475140901
Opcode ID: 4870b412770fa6173b2108087f5e361d501d3c35c524b47cfc1c324750f2dada
Instruction ID: e58990607d8492332acdd1396941dcb54ec539120324058bb37aa6994541207c
Opcode Fuzzy Hash: 4870b412770fa6173b2108087f5e361d501d3c35c524b47cfc1c324750f2dada
Instruction Fuzzy Hash: A631B632A006158FCB249B78EC859AE7776EBC6321B284359F425877D4EB749E448B70

Uniqueness

Uniqueness Score: -1.00%

Function 026B5B80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 026B5BD4
FindNextFileA.KERNEL32(?,?), ref: 026B5C5E
FindClose.KERNEL32(?), ref: 026B5C7F

Strings

/\:, xrefs: 026B5BBC

Memory Dump Source

Source File: 00000001.00000002.2876285867.00000000026B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026B0000, based on PE: true

Associated: 00000001.00000002.2876271806.00000000026B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876301547.00000000026B7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876315449.00000000026B9000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26b0000_WindowsLoader.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: /\:
API String ID: 3541575487-475140901
Opcode ID: cd4167324e60e163a03e94fc496ebde00139f98e4f9ab65f04d3ebd42da20aba
Instruction ID: fbe02b2acf41a1bd7fea24db5ef1d57aa86b1aeaef1032a8323367b4accd8b74
Opcode Fuzzy Hash: cd4167324e60e163a03e94fc496ebde00139f98e4f9ab65f04d3ebd42da20aba
Instruction Fuzzy Hash: 5D3133359001159FDB229A78DC989EE7777EFC0335B10825EE029533C1DF71A9C18BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02F9FAB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 02F9FB04
FindNextFileA.KERNEL32(?,?), ref: 02F9FB8E
FindClose.KERNEL32(?), ref: 02F9FBAF

Strings

/\:, xrefs: 02F9FAEC

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: /\:
API String ID: 3541575487-475140901
Opcode ID: a35d310440556a3d35b4083591de20089db3fb13d1c46f8efd980e0d7da0437f
Instruction ID: d0650cefcc37dc0529146231d8f56a6a99e9686b80ba81afaa26f7e0f80e54c7
Opcode Fuzzy Hash: a35d310440556a3d35b4083591de20089db3fb13d1c46f8efd980e0d7da0437f
Instruction Fuzzy Hash: 5E310375E0011A8BEF20DE78DC989AEB7B6FBC43A5B20475AE122877C0DB309D508F50

Uniqueness

Uniqueness Score: -1.00%

Function 02703CC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 02703D14
FindNextFileA.KERNEL32(?,?), ref: 02703D9E
FindClose.KERNEL32(?), ref: 02703DBF

Strings

/\:, xrefs: 02703CFC

Memory Dump Source

Source File: 00000001.00000002.2876472916.0000000002701000.00000020.00001000.00020000.00000000.sdmp, Offset: 02700000, based on PE: true

Associated: 00000001.00000002.2876458961.0000000002700000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876487733.0000000002705000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876501732.0000000002707000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876501732.000000000270B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2700000_WindowsLoader.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: /\:
API String ID: 3541575487-475140901
Opcode ID: 0b6788c6ed103cddaa6ffb6ea461660e12f55b9441d710dbf211cc6d8fe313db
Instruction ID: 3e4b9f3d59708b46c5b5268cc0d3be2f2bceb95c4a61caa52cda3c6ad757a73f
Opcode Fuzzy Hash: 0b6788c6ed103cddaa6ffb6ea461660e12f55b9441d710dbf211cc6d8fe313db
Instruction Fuzzy Hash: 8831D131A00116DBDB24DB75DCC89EE77B6FBC4325B148699E425872C4DF7099588B90

Uniqueness

Uniqueness Score: -1.00%

Function 026D52A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 026D52F4
FindNextFileA.KERNEL32(?,?), ref: 026D537E
FindClose.KERNEL32(?), ref: 026D539F

Strings

/\:, xrefs: 026D52DC

Memory Dump Source

Source File: 00000001.00000002.2876347313.00000000026D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.2876333042.00000000026D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876365156.00000000026D6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876379783.00000000026D8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_WindowsLoader.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: /\:
API String ID: 3541575487-475140901
Opcode ID: 85c66ada285eb5798d759a5331f3ecc78e4afe622cafe4399b24070804075330
Instruction ID: a3b09179c3ebc22640b5ce36ea8dee42cd508c5d1f35407626756c321d71df01
Opcode Fuzzy Hash: 85c66ada285eb5798d759a5331f3ecc78e4afe622cafe4399b24070804075330
Instruction Fuzzy Hash: CA31D131D0111D8BDB249A74DC88AAE7776FFC5325B204A5EE525873C0EB719D948B90

Uniqueness

Uniqueness Score: -1.00%

Function 1000F790 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 1000F7E4
FindNextFileA.KERNEL32(?,?), ref: 1000F86E
FindClose.KERNEL32(?), ref: 1000F88F

Strings

/\:, xrefs: 1000F7CC

Memory Dump Source

Source File: 00000001.00000002.2877213525.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2877196871.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2877231222.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2877245622.0000000010014000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_WindowsLoader.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: /\:
API String ID: 3541575487-475140901
Opcode ID: 6b2d6bdfe5ea7100b4f58f58d21731186ef0fda094511fec9f06b76b362c2f25
Instruction ID: 820b56de908acd1a34964584d81fa3abbe4467189d6e850b258f4a79786647e3
Opcode Fuzzy Hash: 6b2d6bdfe5ea7100b4f58f58d21731186ef0fda094511fec9f06b76b362c2f25
Instruction Fuzzy Hash: 7031F135A041659BEB14CB74DC899AE77B6FFC63A0B21825DE02487394DF30ED808B90

Uniqueness

Uniqueness Score: -1.00%

Function 00409C60 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00457B10: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00457C64
Part of subcall function 00457B10: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00457C76
Part of subcall function 00457B10: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00457C93

GetLocaleInfoA.KERNEL32(00000400,0000000E,?,00000004), ref: 00409C8E
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00409D2C
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00409D3E
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00409D53

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave$InfoLocale
String ID:
API String ID: 3589807655-0
Opcode ID: 7be73b1a9f4110895f6fa7e11a18845192c4e181681c9784a1f47077dbb5db3a
Instruction ID: 4fc928125e74de3c478c0539e192aad4626b6cc5ed201c49cad87ecc3d826a3e
Opcode Fuzzy Hash: 7be73b1a9f4110895f6fa7e11a18845192c4e181681c9784a1f47077dbb5db3a
Instruction Fuzzy Hash: AD312671A04308ABEB10AFA9D881B5B7BE8EF14714F0001A9ED44BB386D7785D0887D5

Uniqueness

Uniqueness Score: -1.00%

Function 004159E0 Relevance: 6.1, APIs: 4, Instructions: 63keyboardCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004159E5
GetAsyncKeyState.USER32(0000001B), ref: 00415A3D
GetAsyncKeyState.USER32(00000003), ref: 00415A72
GetTickCount.KERNEL32 ref: 00415A9E

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: AsyncCountStateTick
String ID:
API String ID: 1635826648-0
Opcode ID: 291caa2fbbd4b1dc4bc01f3b2a70a3a95127f035822828508f3fd245f3b3c504
Instruction ID: 3fcbecbd7e51cc639311fca4629de5ff1df10f5e9263b0554f7c82ce6b999212
Opcode Fuzzy Hash: 291caa2fbbd4b1dc4bc01f3b2a70a3a95127f035822828508f3fd245f3b3c504
Instruction Fuzzy Hash: 5C215BB0900B45DFE700AB65ED4E3E93BA0FBB0754F05421AD404D6262E7B945CCF78A

Uniqueness

Uniqueness Score: -1.00%

Function 026B10E9 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 433COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 026B11A3

Strings

/, xrefs: 026B1687
/, xrefs: 026B15AC

Memory Dump Source

Source File: 00000001.00000002.2876285867.00000000026B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026B0000, based on PE: true

Associated: 00000001.00000002.2876271806.00000000026B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876301547.00000000026B7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876315449.00000000026B9000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26b0000_WindowsLoader.jbxd

Similarity

API ID: CountTick
String ID: /$/
API String ID: 536389180-2523464752
Opcode ID: 11567ab031fefc6187734356b4d4f6e53c436a46d5d7eadb37f62d5647069723
Instruction ID: 056d2f7ff6dea9472ae8af89ce169b92e5d7c96e5feb5cc84ea7b9a8cecbd812
Opcode Fuzzy Hash: 11567ab031fefc6187734356b4d4f6e53c436a46d5d7eadb37f62d5647069723
Instruction Fuzzy Hash: 7AF19231908340EBDB6B8A28C0B47AA77E1AF47305F1855EEE58E87351E77589C5CF42

Uniqueness

Uniqueness Score: -1.00%

Function 005650F0 Relevance: 4.6, APIs: 3, Instructions: 53COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0056511F
GetVersionExA.KERNEL32(?,?,?,?), ref: 00565145
GetVersionExA.KERNEL32(0000009C,?,?,?), ref: 0056515C

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Version$_memset
String ID:
API String ID: 4167444357-0
Opcode ID: 3e4db033f3886c6d1a2027b29b2e51c3f2560fdcb54566985e94e3d98c5ea33b
Instruction ID: a2f48fbcee7621f56dc492608b4b7d13f3755f050785d5f9c7445caae3487348
Opcode Fuzzy Hash: 3e4db033f3886c6d1a2027b29b2e51c3f2560fdcb54566985e94e3d98c5ea33b
Instruction Fuzzy Hash: 2511A030E0132DCEDB20EB74AC15BAEBFB4BB56310F4041D9E44897182E7741A8CDBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0041A740 Relevance: 4.5, APIs: 3, Instructions: 31COMMON

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32 ref: 0041A751
GetLocaleInfoA.KERNEL32(00000000,20001004,?,00000004), ref: 0041A764
TranslateCharsetInfo.GDI32(?,?,00000002), ref: 0041A79C

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Info$CharsetDefaultLocaleTranslateUser
String ID:
API String ID: 2385099915-0
Opcode ID: 45d8edd7a44ce080ca152cee088615badd7cf678e0131d96b67eeff984e5ccf5
Instruction ID: 2759fabb5c618eff46c37d78f657b3ba8ab20ea70e84c40387c19d37b1cebd84
Opcode Fuzzy Hash: 45d8edd7a44ce080ca152cee088615badd7cf678e0131d96b67eeff984e5ccf5
Instruction Fuzzy Hash: 79F0C9B0409301AFE340DF68D949B5ABBE4EB88615F004A1DB59CD2250E7709648DB97

Uniqueness

Uniqueness Score: -1.00%

Function 100114A0 Relevance: 4.2, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

invalid distance code, xrefs: 100117E2
invalid literal/length code, xrefs: 10011961
, xrefs: 100118D6

Memory Dump Source

Source File: 00000001.00000002.2877213525.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2877196871.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2877231222.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2877245622.0000000010014000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_WindowsLoader.jbxd

Similarity

API ID:
String ID: $invalid distance code$invalid literal/length code
API String ID: 0-593941763
Opcode ID: 106b2cdcd5c31c9229924990d1b95557d186902db8eae8c178aa6c59ff43be53
Instruction ID: a6297f2fb3b7045dde508b97069c7be29a1f99538a1e1264216c6f48c350bdbb
Opcode Fuzzy Hash: 106b2cdcd5c31c9229924990d1b95557d186902db8eae8c178aa6c59ff43be53
Instruction Fuzzy Hash: 0F32A074E0521ADFCB08CF99D5809EEBBB2FF89310F148196E8156B355C734AA91CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000DACB Relevance: 3.4, Strings: 2, Instructions: 875COMMON

Download Yara Rule

Strings

invalid bit length repeat, xrefs: 1000E08E
too many length or distance symbols, xrefs: 1000DB88

Memory Dump Source

Source File: 00000001.00000002.2877213525.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2877196871.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2877231222.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2877245622.0000000010014000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_WindowsLoader.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$too many length or distance symbols
API String ID: 0-3104966124
Opcode ID: 91ef242e0ac40e5fedf7c40ef7a82454b944d5b74683dd8f54588dd86eace56c
Instruction ID: 087b699f6b074056c209f82c520b7f32fba0c564e7866e94798d1f781bc806ec
Opcode Fuzzy Hash: 91ef242e0ac40e5fedf7c40ef7a82454b944d5b74683dd8f54588dd86eace56c
Instruction Fuzzy Hash: BF928E79A01248EFCB05CF88E88499CBBB2FF48360F15816AF9599B365D731EA51CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00576849 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418e67a9abc207e0678c7933bc598aeba4e0ac49b73cf3521ef314521cb64565
Instruction ID: 0a03bb0681eac326e06196cfbbb2feeb595a3a72352c8b44dfc49823edebe68f
Opcode Fuzzy Hash: 418e67a9abc207e0678c7933bc598aeba4e0ac49b73cf3521ef314521cb64565
Instruction Fuzzy Hash: 5C320531D29F414DD7239635E822336A689BFB73C4F15D727F82AB59A6EF29C4836100

Uniqueness

Uniqueness Score: -1.00%

Function 00423190 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000400,0000001F,?,00000050), ref: 004231B1

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 524a6aeffcdd024a959702c8492935afc5db4859a2c796dddde78727f9f0f367
Instruction ID: d2c19482dcd47e06d6ef1185a095fe3576568d1727d73068678c5aa2e61bde9b
Opcode Fuzzy Hash: 524a6aeffcdd024a959702c8492935afc5db4859a2c796dddde78727f9f0f367
Instruction Fuzzy Hash: 34219130A00356CFCB308F68E9546A6BBF5EB62325FA08B6BD4F58B290D3395645CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00DA5770 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

EMZG, xrefs: 00DA5790

Memory Dump Source

Source File: 00000001.00000002.2876128112.0000000000DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000001.00000002.2876112704.0000000000DA0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876145215.0000000000DA7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876159981.0000000000DA8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_da0000_WindowsLoader.jbxd

Similarity

API ID:
String ID: EMZG
API String ID: 0-1562380397
Opcode ID: 191192f2e6ef04a8d6569e108781796f129d9130b487d8aac55792d3efd35b3f
Instruction ID: adf79cadf22f6261c7d6a2216cde81dcfb9a6d02ff5d4cffb3ed3bb0293edd5d
Opcode Fuzzy Hash: 191192f2e6ef04a8d6569e108781796f129d9130b487d8aac55792d3efd35b3f
Instruction Fuzzy Hash: 04E012AA73D5039FE39880B82CD4717008753D5315F38CC70A609EAA4DE0A6CD940230

Uniqueness

Uniqueness Score: -1.00%

Function 026F1310 Relevance: .9, Instructions: 885COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876409748.00000000026F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000001.00000002.2876395659.00000000026F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876428511.00000000026F5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876443259.00000000026F7000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26f0000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d079b5b4c7623332b2640de4c2c941ba51b67824fd56546c85b6fe18ec82bf6
Instruction ID: 8d41ab85fd4cebafde5db37ae921d6ff6247e25dcfa7c6be29931410d75723a5
Opcode Fuzzy Hash: 8d079b5b4c7623332b2640de4c2c941ba51b67824fd56546c85b6fe18ec82bf6
Instruction Fuzzy Hash: D5429277F947284BE318CD9ECC8129AB2D39BC8254F4E863C9A59D3701EDF8DC169588

Uniqueness

Uniqueness Score: -1.00%

Function 0274A0FD Relevance: .6, Instructions: 644COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c63db986faaf4e913f3427e23984b9e1791cc0924b924eaa98da8ddf03775de4
Instruction ID: 084d8907c193f1677551dc1e856dff13df77a35276b41e7d5840e8baa5d64fff
Opcode Fuzzy Hash: c63db986faaf4e913f3427e23984b9e1791cc0924b924eaa98da8ddf03775de4
Instruction Fuzzy Hash: 69627D70D4026C9FCF65DF69C8927EEBBB1AF09304F5084EAD918A7212E7305E958F91

Uniqueness

Uniqueness Score: -1.00%

Function 00519F00 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c263331dfd014bc203d63abdc72ebc3be7d5f1a151dbadac5fbb88b9750e2fb
Instruction ID: cfe42ac549cf5f173c8826977c0a0ecdb23f4d79611289b3ed7079d575c61b29
Opcode Fuzzy Hash: 7c263331dfd014bc203d63abdc72ebc3be7d5f1a151dbadac5fbb88b9750e2fb
Instruction Fuzzy Hash: 35D1EF769093459BC302DF29C48019BBBE4FFE9714F094A5EF8988B202D775E9498BC7

Uniqueness

Uniqueness Score: -1.00%

Function 005196C0 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb61ecb273b1812698ead6d806f87de24170d5ef999a3b8ffbde16146319c8af
Instruction ID: ea38c2a38ff28de51aeaf3bc0fed4f21752ba8abae37632a499b7e7ccca0eb8f
Opcode Fuzzy Hash: eb61ecb273b1812698ead6d806f87de24170d5ef999a3b8ffbde16146319c8af
Instruction Fuzzy Hash: 14C199729083059BD311DF29809129BBBE4FFE9714F094A1EF8985B202E735D94ACBD6

Uniqueness

Uniqueness Score: -1.00%

Function 0051A770 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda333e590c6e15e1a590bbc70c741961930c1742fc3abe9599e5399fb6bdb9a
Instruction ID: acab93996a6270c581f1e14e550fed8fdd4a86137b96a8ea9897a0f8006e8e68
Opcode Fuzzy Hash: fda333e590c6e15e1a590bbc70c741961930c1742fc3abe9599e5399fb6bdb9a
Instruction Fuzzy Hash: 13C1BB729093459BD302DF29C08129BBBE4FFE9714F094A1EF99857202E735E9498BC7

Uniqueness

Uniqueness Score: -1.00%

Function 0278901E Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9deec917e322b71a7302f71522ba9142325d85ca1180d4e9135088a7fd0bb00f
Instruction ID: 3bce3650aa283cd5c4dd1ad798012105b7971dde70a23c5586e82b77adb1e525
Opcode Fuzzy Hash: 9deec917e322b71a7302f71522ba9142325d85ca1180d4e9135088a7fd0bb00f
Instruction Fuzzy Hash: D5E15170D20268DFDF54DFB5C841AAEBBB1BF08304F1084AAE918EB312E73599659F51

Uniqueness

Uniqueness Score: -1.00%

Function 027494EF Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d16c4e81ca992d16c2f8c95162c3acfc2c53d8527599b8234f8a002f641dd7c
Instruction ID: 3a17ae6809a4eb69a256845674742e4bb541959ea577443d9a6e15411423c229
Opcode Fuzzy Hash: 4d16c4e81ca992d16c2f8c95162c3acfc2c53d8527599b8234f8a002f641dd7c
Instruction Fuzzy Hash: FCE16170D20268DFDF50DFB5C841AAEBBB1BF08304F1084AAE918EB212E73559659F51

Uniqueness

Uniqueness Score: -1.00%

Function 0274BA1A Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b926ac33b7fcbbff6a41f0340621a468c8c1eda3ea95608161ec2230d117f2b
Instruction ID: 5a16b837ee09ef29313b0230878b27491615994ec9e89e1406bc81281d4ffbc7
Opcode Fuzzy Hash: 6b926ac33b7fcbbff6a41f0340621a468c8c1eda3ea95608161ec2230d117f2b
Instruction Fuzzy Hash: C0B16A35D15298CEDF259BF488427EEBF70AF11304F1894AED894E7202EA358E59CF61

Uniqueness

Uniqueness Score: -1.00%

Function 10009C00 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2877213525.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2877196871.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2877231222.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2877245622.0000000010014000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec993595f537f692ec7c3f6cf2d1d05566a41a4622af25f2ea82554170d18f53
Instruction ID: ecedcb05b21e431bab6ecc6f387daab438754103e0f28a44b0ba2cc2fb3ed98f
Opcode Fuzzy Hash: ec993595f537f692ec7c3f6cf2d1d05566a41a4622af25f2ea82554170d18f53
Instruction Fuzzy Hash: BA81E4B19082408FFB01DF28C8C17A67BE5EF843A5F16855EE8894E2CFD679D884CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0279321C Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876576739.0000000002730000.00000040.00001000.00020000.00000000.sdmp, Offset: 02730000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2730000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e849c7e5743e8693bf94335f4d179c5759229e32dc126f673264fa9969b0573
Instruction ID: 47290a15053a104ffe2d390ffb80fe12de3b8e814ef290b69811c6e098a1f165
Opcode Fuzzy Hash: 3e849c7e5743e8693bf94335f4d179c5759229e32dc126f673264fa9969b0573
Instruction Fuzzy Hash: AC716B31D153889ECF55DFF898422FEBFB1AF15304F1804AAD864FB342E6259958CB62

Uniqueness

Uniqueness Score: -1.00%

Function 026F1C50 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876409748.00000000026F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000001.00000002.2876395659.00000000026F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876428511.00000000026F5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876443259.00000000026F7000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26f0000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1fef5349bade7cbb43c484b123814cb21cf5457d8c40ef7a62680d9e74bfd80
Instruction ID: 6fbf7e6ee6baf8964d353c1a68eb873bf596faa1203cead7d95bf220499442f4
Opcode Fuzzy Hash: b1fef5349bade7cbb43c484b123814cb21cf5457d8c40ef7a62680d9e74bfd80
Instruction Fuzzy Hash: FD71C23451518DDFCB21CF9CC4C089ABBB4AE1764876887DAD884CF607D226D66BCBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10004DC0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2877213525.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2877196871.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2877231222.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2877245622.0000000010014000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c2482bdfa75be8c8e309c3f16cadc72179bcac471a0b71008d1b577d7c89f7
Instruction ID: 23c894f09914ff4f422a72cf2c4047cee79deccae6c4ecddcb94e8c2acd42cfb
Opcode Fuzzy Hash: 04c2482bdfa75be8c8e309c3f16cadc72179bcac471a0b71008d1b577d7c89f7
Instruction Fuzzy Hash: BA51C93040129AAFEB01CF55CCC06997B72FF8A395F55C26AEE180E649C734E792DB94

Uniqueness

Uniqueness Score: -1.00%

Function 02F9519C Relevance: 78.4, APIs: 52, Instructions: 356COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000003), ref: 02F951A2
FrameRect.USER32(00000000,?,00000000), ref: 02F951AF
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F951C4
LineTo.GDI32(00000000,?,?), ref: 02F951DB
GetSysColor.USER32(0000000F), ref: 02F951E3
CreateSolidBrush.GDI32(00000000), ref: 02F951EA
GetSysColor.USER32(00000014), ref: 02F95212
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F9521D
GetSysColor.USER32(0000000F), ref: 02F95232
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F9523D
GetSysColor.USER32(0000000F), ref: 02F95249
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F95254
FillRect.USER32(00000000,00000001,?), ref: 02F952A8
SelectObject.GDI32(00000000,?), ref: 02F952B3
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F952CA
LineTo.GDI32(00000000,00000001,00000001), ref: 02F952D9
LineTo.GDI32(00000000,?,00000001), ref: 02F952EC
SelectObject.GDI32(00000000,?), ref: 02F952F7
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F95310
LineTo.GDI32(00000000,?,?), ref: 02F95327
LineTo.GDI32(00000000,?,00000001), ref: 02F9533A
SelectObject.GDI32(00000000,00000000), ref: 02F95342

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Line$ColorCreateObject$MoveSelect$Rect$BrushFillFrameSolidStock
String ID:
API String ID: 1599570670-0
Opcode ID: 359b7d5c63a7c943be373d4cdc59070862b3c6659eb18d993ed23ad28210eebb
Instruction ID: 1a3d463e26e7663f7ce0071c51dd7b64644466eff14d3179b46896eccc8aeb61
Opcode Fuzzy Hash: 359b7d5c63a7c943be373d4cdc59070862b3c6659eb18d993ed23ad28210eebb
Instruction Fuzzy Hash: 8EE119B1948344AFE7508F64DC48B1BFBF9FF89795F04890DF69A82291D7B19860CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02691CE7 Relevance: 77.3, APIs: 1, Strings: 43, Instructions: 308COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0269215C

Strings

integer, xrefs: 02691FE6
blob, xrefs: 02692039
class ID, xrefs: 0269206A
int8, xrefs: 02691FAA
byref , xrefs: 026920B4
uint8, xrefs: 02691FB4
currency, xrefs: 02691F5A
nil, xrefs: 02691F28
stream, xrefs: 02692040
Variant, xrefs: 02691F8C
array of , xrefs: 026920A0
Boolean, xrefs: 02691F82
file time, xrefs: 02692032
string, xrefs: 02692024
uinteger, xrefs: 02691FF0
record, xrefs: 0269202B
IDispatch*, xrefs: 02691F6E
storage, xrefs: 02692047
uint64, xrefs: 02691FDC
vector of , xrefs: 0269208C
version stream, xrefs: 02692071
double, xrefs: 02691F50
void, xrefs: 02691FFA
decimal, xrefs: 02691FA0
int16, xrefs: 02691F32
uint31, xrefs: 02691FC8
hresult, xrefs: 02692001
ErrorCode, xrefs: 02691F78
ptr, xrefs: 02692008
int32, xrefs: 02691F3C
safearray, xrefs: 0269200F
string blob, xrefs: 02692078
carray, xrefs: 02692016
single, xrefs: 02691F46
streamed object, xrefs: 0269204E
date, xrefs: 02691F64
stored object, xrefs: 02692055
userdefined, xrefs: 0269201D
clipboard format, xrefs: 02692063
IUnknown*, xrefs: 02691F96
blob object, xrefs: 0269205C
uint16, xrefs: 02691FBE
int64, xrefs: 02691FD2

Memory Dump Source

Source File: 00000001.00000002.2876226182.0000000002691000.00000020.00001000.00020000.00000000.sdmp, Offset: 02690000, based on PE: true

Associated: 00000001.00000002.2876210818.0000000002690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876241992.0000000002698000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876257033.000000000269B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2690000_WindowsLoader.jbxd

Similarity

API ID: ClearVariant
String ID: Boolean$ErrorCode$IDispatch*$IUnknown*$Variant$array of $blob$blob object$byref $carray$class ID$clipboard format$currency$date$decimal$double$file time$hresult$int16$int32$int64$int8$integer$nil$ptr$record$safearray$single$storage$stored object$stream$streamed object$string$string blob$uint16$uint31$uint64$uint8$uinteger$userdefined$vector of $version stream$void
API String ID: 1473721057-2498419335
Opcode ID: 527cbe264d94a5206a4994e73eebe61b359b2afe145c3a424d2cc4c87170dcdb
Instruction ID: a62601f31855e38c2ce030eb3e8334dc5d18a5fec92ac0b2172e04438d154625
Opcode Fuzzy Hash: 527cbe264d94a5206a4994e73eebe61b359b2afe145c3a424d2cc4c87170dcdb
Instruction Fuzzy Hash: 3F919373B492C5AADE29193C8F78333798D9793294F190256ED598B76CCF32C94AC341

Uniqueness

Uniqueness Score: -1.00%

Function 0045CC80 Relevance: 75.6, APIs: 30, Strings: 13, Instructions: 310windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0045CCF4
ExitProcess.KERNEL32 ref: 0045CCFC
_swprintf.LIBCMT ref: 0045CD90
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0045CDAA
ExitProcess.KERNEL32 ref: 0045CDB2
_swprintf.LIBCMT ref: 0045CCDA

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

_swprintf.LIBCMT ref: 0045CD35
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0045CD4F
ExitProcess.KERNEL32 ref: 0045CD57

Strings

0 == defn->objectSize, xrefs: 0045CD08
NULL == defn->super, xrefs: 0045CD63
defn, xrefs: 0045CCAF
NULL == defn->hooks, xrefs: 0045CE74
..\..\..\..\Common\intrinsicClass.cpp, xrefs: 0045CCB9, 0045CD12, 0045CD6D, 0045CDC8, 0045CE23, 0045CE7E, 0045CED9, 0045CF34, 0045CF8F, 0045D031
NULL == defn->hookInstances, xrefs: 0045CECF
NULL == defn->menuHandlers, xrefs: 0045CF2A
NULL == defn->interfaces, xrefs: 0045CF85
Runtime Error, xrefs: 0045CCE7, 0045CD42, 0045CD9D, 0045CDF8, 0045CE53, 0045CEAE, 0045CF09, 0045CF64, 0045CFBF, 0045D061
NULL == defn->initializer.toc, xrefs: 0045CDBE
not gIntrinsicModuleMap->HasEntry( defn->className ), xrefs: 0045D027
NULL == defn->finalizer.toc, xrefs: 0045CE19
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0045CCC9, 0045CD24, 0045CD7F, 0045CDDA, 0045CE35, 0045CE90, 0045CEEB, 0045CF46, 0045CFA1, 0045D043

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess_swprintf$__vsprintf_s_l
String ID: ..\..\..\..\Common\intrinsicClass.cpp$0 == defn->objectSize$NULL == defn->finalizer.toc$NULL == defn->hookInstances$NULL == defn->hooks$NULL == defn->initializer.toc$NULL == defn->interfaces$NULL == defn->menuHandlers$NULL == defn->super$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$defn$not gIntrinsicModuleMap->HasEntry( defn->className )
API String ID: 2931723835-1222728849
Opcode ID: 7b6e0e4f357f541fe3e90676d666487ec8ef95cc7be8a15dbae2ccff71204299
Instruction ID: 14c3d4d2592413f7231950ba00edc7d92b8e9361e8e2b10505949353713d1644
Opcode Fuzzy Hash: 7b6e0e4f357f541fe3e90676d666487ec8ef95cc7be8a15dbae2ccff71204299
Instruction Fuzzy Hash: 06A1DCF1A843057AEA106B609CC7F777A5DFB18709F400055FB09B61C2DBB49D898F69

Uniqueness

Uniqueness Score: -1.00%

Function 00408CB0 Relevance: 74.0, APIs: 37, Strings: 5, Instructions: 467windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00408DC6
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00408E7E
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00408E90
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004091A8
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004091BA
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004091D3
_swprintf.LIBCMT ref: 00409259
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00409274
ExitProcess.KERNEL32 ref: 00409281

Strings

Runtime Error, xrefs: 00409266
..\..\..\..\Common\basicstr.cpp, xrefs: 0040923C
Failed Assertion, xrefs: 00409241
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00409248
ptr - out.CString() == totalLen, xrefs: 00409232

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$ExitLeaveMessageProcess_memset_swprintf
String ID: ..\..\..\..\Common\basicstr.cpp$Failed Assertion$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$ptr - out.CString() == totalLen
API String ID: 2160060164-1511610817
Opcode ID: 1b01364fab22cfcad7e94f594e0d73b93030e3331863107020a4f5b4047e3764
Instruction ID: 8fb13edfd25428169a526d78e7507eaf1b1da23d40aea0dc940369bd764dbe49
Opcode Fuzzy Hash: 1b01364fab22cfcad7e94f594e0d73b93030e3331863107020a4f5b4047e3764
Instruction Fuzzy Hash: 34020CB0A003199BDB209B24DC85BAB77B4BF94724F0441ADEA8973381D7785DC4DF95

Uniqueness

Uniqueness Score: -1.00%

Function 02F97600 Relevance: 73.6, APIs: 21, Strings: 21, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme.dll,02F9114A), ref: 02F97605
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 02F9761E
GetProcAddress.KERNEL32(CloseThemeData), ref: 02F97634
GetProcAddress.KERNEL32(GetThemeSysColor), ref: 02F9764A
GetProcAddress.KERNEL32(GetThemeSysColorBrush), ref: 02F97660
GetProcAddress.KERNEL32(GetThemeColor), ref: 02F97676
GetProcAddress.KERNEL32(IsAppThemed), ref: 02F9768C
GetProcAddress.KERNEL32(IsThemeActive), ref: 02F976A2
GetProcAddress.KERNEL32(IsThemePartDefined), ref: 02F976B8
GetProcAddress.KERNEL32(DrawThemeBackground), ref: 02F976CE
GetProcAddress.KERNEL32(GetCurrentThemeName), ref: 02F976E4
GetProcAddress.KERNEL32(GetThemeMetric), ref: 02F976FA
GetProcAddress.KERNEL32(GetThemePartSize), ref: 02F97710
GetProcAddress.KERNEL32(GetThemeSysSize), ref: 02F97726
GetProcAddress.KERNEL32(SetThemeAppProperties), ref: 02F9773C
GetProcAddress.KERNEL32(GetThemeRect), ref: 02F97752
GetProcAddress.KERNEL32(DrawThemeText), ref: 02F97768
GetProcAddress.KERNEL32(DrawThemeParentBackground), ref: 02F9777E
GetProcAddress.KERNEL32(DrawThemeBorder), ref: 02F97794
GetProcAddress.KERNEL32(GetThemeBackgroundContentRect), ref: 02F977AA
GetProcAddress.KERNEL32(IsThemeBackgroundPartiallyTransparent), ref: 02F977C0

Strings

GetThemePartSize, xrefs: 02F97705
CloseThemeData, xrefs: 02F97629
DrawThemeBackground, xrefs: 02F976C3
DrawThemeBorder, xrefs: 02F97789
SetThemeAppProperties, xrefs: 02F97731
GetThemeBackgroundContentRect, xrefs: 02F9779F
uxtheme.dll, xrefs: 02F97600
DrawThemeParentBackground, xrefs: 02F97773
IsThemeBackgroundPartiallyTransparent, xrefs: 02F977B5
IsThemeActive, xrefs: 02F97697
GetThemeSysColorBrush, xrefs: 02F97655
GetThemeMetric, xrefs: 02F976EF
GetThemeColor, xrefs: 02F9766B
DrawThemeText, xrefs: 02F9775D
IsAppThemed, xrefs: 02F97681
GetCurrentThemeName, xrefs: 02F976D9
GetThemeSysColor, xrefs: 02F9763F
IsThemePartDefined, xrefs: 02F976AD
GetThemeSysSize, xrefs: 02F9771B
GetThemeRect, xrefs: 02F97747
OpenThemeData, xrefs: 02F97618

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseThemeData$DrawThemeBackground$DrawThemeBorder$DrawThemeParentBackground$DrawThemeText$GetCurrentThemeName$GetThemeBackgroundContentRect$GetThemeColor$GetThemeMetric$GetThemePartSize$GetThemeRect$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysSize$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$uxtheme.dll
API String ID: 2238633743-2197439113
Opcode ID: 81367003dcdf60352bdeca6470612b2419274841f1578c7f837ce15d0ed96611
Instruction ID: 9942f956b63bf4e0b859403cbe093523be5b81fcf2d32a17c701bbff7d530515
Opcode Fuzzy Hash: 81367003dcdf60352bdeca6470612b2419274841f1578c7f837ce15d0ed96611
Instruction Fuzzy Hash: C141EDF4EC1309EFF7499F60FA59824BBB1F714BC63128826AD4291221D7F15871AF28

Uniqueness

Uniqueness Score: -1.00%

Function 02F9522B Relevance: 69.3, APIs: 46, Instructions: 325COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 02F95232
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F9523D
GetSysColor.USER32(0000000F), ref: 02F95249
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F95254
FillRect.USER32(00000000,00000001,?), ref: 02F952A8
SelectObject.GDI32(00000000,?), ref: 02F952B3
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F952CA
LineTo.GDI32(00000000,00000001,00000001), ref: 02F952D9
LineTo.GDI32(00000000,?,00000001), ref: 02F952EC
SelectObject.GDI32(00000000,?), ref: 02F952F7
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F95310
LineTo.GDI32(00000000,?,?), ref: 02F95327
LineTo.GDI32(00000000,?,00000001), ref: 02F9533A
SelectObject.GDI32(00000000,00000000), ref: 02F95342
GetStockObject.GDI32(00000001), ref: 02F953B4
SelectObject.GDI32(00000000,00000000), ref: 02F953BC
Polygon.GDI32(00000000,?,00000003), ref: 02F953CC
SelectObject.GDI32(00000000,00000000), ref: 02F953D4
DeleteObject.GDI32(?), ref: 02F953DE
DeleteObject.GDI32(?), ref: 02F953E8
DeleteObject.GDI32(?), ref: 02F953F2
GetSysColor.USER32(0000000F), ref: 02F953FA
CreateSolidBrush.GDI32(00000000), ref: 02F95401
GetSysColor.USER32(0000000F), ref: 02F95442
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F9544D
GetSysColor.USER32(0000000F), ref: 02F95459
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F95464
FillRect.USER32(00000000,0000000C,?), ref: 02F954B8
SelectObject.GDI32(00000000,?), ref: 02F954C3
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F954DA

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Object$Select$ColorCreate$Line$DeleteMove$FillRect$BrushPolygonSolidStock
String ID:
API String ID: 997239353-0
Opcode ID: cf28537c7b3a514a29ea1715bd91ef43ed8b0fbed1e9404e7b62e9e53efbba6b
Instruction ID: ef3db8df6b5b3d4eb2b85ae19f9c4b6c0200241482077f8c85e45a1281cd1c86
Opcode Fuzzy Hash: cf28537c7b3a514a29ea1715bd91ef43ed8b0fbed1e9404e7b62e9e53efbba6b
Instruction Fuzzy Hash: D6D129B1948344AFE7508F58DC48B1BFBF9FF89795F04890DF69A82291D7B19860CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02F9520C Relevance: 69.3, APIs: 46, Instructions: 325COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000014), ref: 02F95212
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F9521D
GetSysColor.USER32(0000000F), ref: 02F95249
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F95254
FillRect.USER32(00000000,00000001,?), ref: 02F952A8
SelectObject.GDI32(00000000,?), ref: 02F952B3
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F952CA
LineTo.GDI32(00000000,00000001,00000001), ref: 02F952D9
LineTo.GDI32(00000000,?,00000001), ref: 02F952EC
SelectObject.GDI32(00000000,?), ref: 02F952F7
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F95310
LineTo.GDI32(00000000,?,?), ref: 02F95327
LineTo.GDI32(00000000,?,00000001), ref: 02F9533A
SelectObject.GDI32(00000000,00000000), ref: 02F95342
GetStockObject.GDI32(00000001), ref: 02F953B4
SelectObject.GDI32(00000000,00000000), ref: 02F953BC
Polygon.GDI32(00000000,?,00000003), ref: 02F953CC
SelectObject.GDI32(00000000,00000000), ref: 02F953D4
DeleteObject.GDI32(?), ref: 02F953DE
DeleteObject.GDI32(?), ref: 02F953E8
DeleteObject.GDI32(?), ref: 02F953F2
GetSysColor.USER32(0000000F), ref: 02F953FA
CreateSolidBrush.GDI32(00000000), ref: 02F95401
GetSysColor.USER32(0000000F), ref: 02F95442
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F9544D
GetSysColor.USER32(0000000F), ref: 02F95459
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F95464
FillRect.USER32(00000000,0000000C,?), ref: 02F954B8
SelectObject.GDI32(00000000,?), ref: 02F954C3
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F954DA

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Object$Select$ColorCreate$Line$DeleteMove$FillRect$BrushPolygonSolidStock
String ID:
API String ID: 997239353-0
Opcode ID: fdcd1c38704991a2edb2f9b55c5471d4f5a8b10ac0146dfe841718334b16cae8
Instruction ID: 03a51cb4399186be38ae38b90eb275d374bcd1aa8a9852ceb27712f43fecfdeb
Opcode Fuzzy Hash: fdcd1c38704991a2edb2f9b55c5471d4f5a8b10ac0146dfe841718334b16cae8
Instruction Fuzzy Hash: 52D119B1948344AFE7508F58DC48B1BFBF9FF89795F04890DF69A82291D7B198608B12

Uniqueness

Uniqueness Score: -1.00%

Function 00557FA0 Relevance: 66.9, APIs: 31, Strings: 7, Instructions: 357windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB970: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB981
Part of subcall function 004AB970: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB993
Part of subcall function 004AB970: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB9C2

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005580E3
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005580F5
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0055810E
_swprintf.LIBCMT ref: 00558161
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0055817C
ExitProcess.KERNEL32 ref: 00558189
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00558231
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00558243
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0055826C
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00558280
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00558292
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 005582AB
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0055830A
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0055831C
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00558337
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0055834F
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00558361
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0055837E
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00558394
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005583B8
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005583D0
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 005583E9
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0055840B
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0055841D
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00558432
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0055844C
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0055845E
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00558473
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00558490
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005584A2
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 005584BB

Strings

Runtime Error, xrefs: 0055816E
Failed Assertion, xrefs: 00558149
Alt+, xrefs: 005582B2, 00558370
..\..\..\..\Common\Win32\win32windows.cpp, xrefs: 00558144
Alt, xrefs: 005580B8
hasAlt, xrefs: 0055813A
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00558150

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterInitialize$ExitMessageProcess_swprintf
String ID: ..\..\..\..\Common\Win32\win32windows.cpp$Alt$Alt+$Failed Assertion$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$hasAlt
API String ID: 3036484253-1942613093
Opcode ID: d0be316f8893b99ac63afc783708431fc93e07cd87ca07eeb8a698a999373cf1
Instruction ID: f028cbf71d29d70d72c288fdaf35cfb2c3ad226f47db07879493cc860e7f3340
Opcode Fuzzy Hash: d0be316f8893b99ac63afc783708431fc93e07cd87ca07eeb8a698a999373cf1
Instruction Fuzzy Hash: D3D1F8B0A003089BEB205F15DC45BBA7FE47F51725F04059AEE88B7281DBB45DC89F91

Uniqueness

Uniqueness Score: -1.00%

Function 0053C150 Relevance: 65.2, APIs: 36, Strings: 1, Instructions: 485COMMON

Download Yara Rule

APIs

CreatePen.GDI32(00000000,00000001,00000000), ref: 0053C221
SelectObject.GDI32(00000000,00000000), ref: 0053C22C
SetPixelV.GDI32(00000000,-00000001,00000000,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C27A
SetPixelV.GDI32(00000000,-00000001,-00000001,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C288
SetPixelV.GDI32(00000000,00000000,-00000001,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C296
SetPixelV.GDI32(00000000,-00000001,00000000,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C2BF
SetPixelV.GDI32(00000000,-00000002,00000000,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C2E5
SetPixelV.GDI32(00000000,-00000001,00000000,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C2F6
SetPixelV.GDI32(00000000,-00000002,-00000001,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C304
GetStockObject.GDI32(00000004), ref: 0053C323
FillRect.USER32(00000000,?,00000000), ref: 0053C32F
SetPixelV.GDI32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C36D
SetPixelV.GDI32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C37B
SetPixelV.GDI32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C389
SetPixelV.GDI32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C39C
SetPixelV.GDI32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C3C5
SetPixelV.GDI32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C3D6
SetPixelV.GDI32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C3E4
SetPixelV.GDI32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C428
SetPixelV.GDI32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C436
SetPixelV.GDI32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C444
SetPixelV.GDI32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C46D
SetPixelV.GDI32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C495
SetPixelV.GDI32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C4A6
SetPixelV.GDI32(00000000,?,?,00000000,?,?,?,?,?,?,?,?,0053CC2C,00000000), ref: 0053C4B4
GetStockObject.GDI32(00000004), ref: 0053C4D3
SelectObject.GDI32(00000000,?), ref: 0053C5A9
DeleteObject.GDI32(?), ref: 0053C5B3

Strings

Button, xrefs: 0053C172

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Pixel$Object$SelectStock$CreateDeleteFillRect
String ID: Button
API String ID: 94031604-1034594571
Opcode ID: aab55d696376d03219f1a8abe2532153e5e292a08d78586b7ae4ff558c55a875
Instruction ID: db99fb1b39761b5fdd4fec130e09a7da0e62af3db83f361f87f94fcb0c3dda33
Opcode Fuzzy Hash: aab55d696376d03219f1a8abe2532153e5e292a08d78586b7ae4ff558c55a875
Instruction Fuzzy Hash: 60F13871A0060AABDB10CFA8DC89FAF7BB9FF99701F048115F615E7290D770A945DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00527330 Relevance: 58.9, APIs: 39, Instructions: 371COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005273FB
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0052740D
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527432
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0052744D
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0052745F
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0052747C
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005274A2
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005274B4
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 005274D9
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005274F8
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0052750A
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527527
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005275BB
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005275CD
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005275EB
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005275FD
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0052761A
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527630
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0052764B
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0052765D
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0052767A
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005276A0
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005276B2
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005276D0
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005276E2
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 005276FF
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527715
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00527734
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00527746
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527763
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0052778E
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005277A6
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005277C2
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005277D4
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 005277ED
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527806
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00527825
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00527837
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527854

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 9f5c847fdb68344272bad76e7dc71f700699224c99e79210aeb74f0ae390b4ac
Instruction ID: 6be61ca847b2c06ea218fffe4ce98ef62e6ea962552580ae4fa7bc89d5d14205
Opcode Fuzzy Hash: 9f5c847fdb68344272bad76e7dc71f700699224c99e79210aeb74f0ae390b4ac
Instruction Fuzzy Hash: EEE12570A04228AFEF10EB64FC48B7B7FA4BF2A720F180555EC85A72D5D3745984AB91

Uniqueness

Uniqueness Score: -1.00%

Function 00527B30 Relevance: 58.9, APIs: 39, Instructions: 356COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00527C13
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00527C25
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00527C45
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00527C57
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527C74
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527C8D
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00527CA8
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00527CBA
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527CD7
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00527CFD
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00527D0F
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00527D2F
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00527D41
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527D5E
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527D74
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00527D93
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00527DA5
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527DC2
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00527E06
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00527E18
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527E42
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00527E5F
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00527E71
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527E8E
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00527EB4
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00527EC6
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527EF0
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00527F0F
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00527F21
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527F3E
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00527F69
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00527F7B
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00527F9B
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00527FAD
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527FCA
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527FE0
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00527FFF
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00528011
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0052802E

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: a830096997c3c40f4dd9595f578c1f4bc3138ef8d138884544e52637c8cb66e3
Instruction ID: 5977c15e13c6298cb5f479f1524401fed387e29e0325d60485eb224738df1d4c
Opcode Fuzzy Hash: a830096997c3c40f4dd9595f578c1f4bc3138ef8d138884544e52637c8cb66e3
Instruction Fuzzy Hash: 33D10571A05268ABFB20AB25FC48B7B3FA4BF66720F040195FCC5A32D4D7744D849B91

Uniqueness

Uniqueness Score: -1.00%

Function 004B7010 Relevance: 55.9, APIs: 37, Instructions: 367COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B70AF
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B70C1
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B70EF
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B7114
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B7126
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B7147
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B7159
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B7176
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B718A
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B71A2
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B71B4
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B71CD
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B7200
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B7212
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B7240
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B7265
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B7277
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B7298
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B72AA
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B72C7
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B72DB
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B72F3
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B7305
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B731E
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B7352
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B7364
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B7392
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B73B7
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B73C9
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B73DB
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B73F7
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B7409
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B7426
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B743A
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B7455
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B7467
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B7480

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterInitialize
String ID:
API String ID: 3864236774-0
Opcode ID: 4193ddea00266cda25f822eb10aabc44de0c1db61efd33bbee485fbc116db554
Instruction ID: ab7bccab14c47705b2758131f45fcb393c319c5177ea18a3631d4f89f143a97b
Opcode Fuzzy Hash: 4193ddea00266cda25f822eb10aabc44de0c1db61efd33bbee485fbc116db554
Instruction Fuzzy Hash: 43E10A70904345AFEB109F69DC88BAB7FB4BFE0724F14419AE88467345C77D4988EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00411BE0 Relevance: 54.6, APIs: 29, Strings: 2, Instructions: 322COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00411D89
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00411D9B
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00411DD2
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00411DF1
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00411E09
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00411E17
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00411E33
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00411E45
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00411E62
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00411E76
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00411E94
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00411EA6
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00411EBB
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00411ED6
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00411EE8
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00411F21
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00411F3C
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00411F4E
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00411F63
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00411F7B
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00411F8D
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00411FAA
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00411FBF
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00411FDE
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00411FF0
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00412009
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00412047
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00412059
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00412072

Strings

RB_Pane, xrefs: 00411BFF, 00411D0A
@, xrefs: 00411D58

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterInitialize
String ID: @$RB_Pane
API String ID: 3864236774-1300237741
Opcode ID: 3bdff84590fccff0e50920aa38f65d120cf8213042f2e2b68cf1e4559ef76f5d
Instruction ID: aa2dd09c1e149af8f9d08a574565a5101789f6a762a2dc23ae0108b982769f31
Opcode Fuzzy Hash: 3bdff84590fccff0e50920aa38f65d120cf8213042f2e2b68cf1e4559ef76f5d
Instruction Fuzzy Hash: 3CD13570600305AFFB109F24EC89BA77BB4BF50720F04456AFE8897395D7B89884DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F96600 Relevance: 49.7, APIs: 33, Instructions: 177COMMON

Download Yara Rule

APIs

SetRect.USER32(?,?,00000000,?,?), ref: 02F9662F
GetSysColor.USER32(00000010), ref: 02F96649
CreateSolidBrush.GDI32(00000000), ref: 02F96650
GetSysColor.USER32(00000014), ref: 02F9665A
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F96665
GetSysColor.USER32(0000000F), ref: 02F96673
CreateSolidBrush.GDI32(00000000), ref: 02F9667A
GetSysColor.USER32(00000014), ref: 02F96684
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F9668F
GetSysColor.USER32(00000010), ref: 02F96699
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F966A4
GetStockObject.GDI32(00000004), ref: 02F966AE
FrameRect.USER32(00000000,?,00000000), ref: 02F966BB
InflateRect.USER32(?,000000FF,000000FF), ref: 02F966E9
FillRect.USER32(00000000,?,00000000), ref: 02F966F6
SelectObject.GDI32(00000000,00000000), ref: 02F966FE
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F96717
LineTo.GDI32(00000000,?,?), ref: 02F96726
LineTo.GDI32(00000000,?,?), ref: 02F96739
SelectObject.GDI32(00000000,00000000), ref: 02F96741
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F9675A
LineTo.GDI32(00000000,?,?), ref: 02F96771
LineTo.GDI32(00000000,?,?), ref: 02F96784
SelectObject.GDI32(00000000,?), ref: 02F9678F
CreateSolidBrush.GDI32(00EEEEEE), ref: 02F9679C
CreateSolidBrush.GDI32(00999999), ref: 02F967A9
FrameRect.USER32(00000000,?,00000000), ref: 02F967BA
InflateRect.USER32(?,000000FF,000000FF), ref: 02F967E8
FillRect.USER32(00000000,?,00000000), ref: 02F967F5
DeleteObject.GDI32(?), ref: 02F967FF
DeleteObject.GDI32(00000000), ref: 02F96806
DeleteObject.GDI32(00000000), ref: 02F9680D
DeleteObject.GDI32(00000000), ref: 02F96814

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Object$CreateRect$Color$BrushDeleteLineSolid$Select$FillFrameInflateMove$Stock
String ID:
API String ID: 2240348727-0
Opcode ID: 98b138e16b55e6d93fc2955c673232b7b39baa02a8346435f5bf634cb6cfaa28
Instruction ID: 67ad69e3aedb8cd2dc00188acc5328b8d60b929fbc95b008bb7c0a2025a10088
Opcode Fuzzy Hash: 98b138e16b55e6d93fc2955c673232b7b39baa02a8346435f5bf634cb6cfaa28
Instruction Fuzzy Hash: D8510AB5548305BFE7009F64DC48E6BFBE9FF88791F008E09F65682291D7B09860CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00507C50 Relevance: 49.3, APIs: 19, Strings: 9, Instructions: 345windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00507CC3
ExitProcess.KERNEL32 ref: 00507CCC
_swprintf.LIBCMT ref: 00507CAA

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

_swprintf.LIBCMT ref: 00507D0E
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00507D2A
ExitProcess.KERNEL32 ref: 00507D33
SetMenu.USER32(?,00000000), ref: 00507D9A

Strings

You don't have an application object and we're expecting one, xrefs: 00507CDB
Runtime Error, xrefs: 00507CB7, 00507D1B
gApplicationObject, xrefs: 00507CE0
window, xrefs: 00507C7F
..\..\..\..\Common\ClassLib\RuntimeWindow.cpp, xrefs: 00507C89, 00507CEA
RuntimeViewWindow, xrefs: 00507C70
view, xrefs: 00507FE3
..\..\..\..\Common\runctl.cpp, xrefs: 00507FDC
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00507C9B, 00507CFC

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess_swprintf$Menu__vsprintf_s_l
String ID: ..\..\..\..\Common\ClassLib\RuntimeWindow.cpp$..\..\..\..\Common\runctl.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$RuntimeViewWindow$You don't have an application object and we're expecting one$gApplicationObject$view$window
API String ID: 1670376927-2358608725
Opcode ID: 5437b5c03fc6703407a58bf6e8e1e5f5a6b43bf9270ddfca120e20d0b9631989
Instruction ID: 21367796cfdb32fd92159690c84add3f867ea32132a6403433e28126d2668bf1
Opcode Fuzzy Hash: 5437b5c03fc6703407a58bf6e8e1e5f5a6b43bf9270ddfca120e20d0b9631989
Instruction Fuzzy Hash: B0C105716043049BDB24DF24CC85BBA7BA9FF58714F044199EE499B2D2DB70EC84CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F95359 Relevance: 48.2, APIs: 32, Instructions: 236COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000001), ref: 02F953B4
SelectObject.GDI32(00000000,00000000), ref: 02F953BC
Polygon.GDI32(00000000,?,00000003), ref: 02F953CC
SelectObject.GDI32(00000000,00000000), ref: 02F953D4
DeleteObject.GDI32(?), ref: 02F953DE
DeleteObject.GDI32(?), ref: 02F953E8
DeleteObject.GDI32(?), ref: 02F953F2
GetSysColor.USER32(0000000F), ref: 02F953FA
CreateSolidBrush.GDI32(00000000), ref: 02F95401
GetSysColor.USER32(0000000F), ref: 02F95442
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F9544D
GetSysColor.USER32(0000000F), ref: 02F95459
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F95464
FillRect.USER32(00000000,0000000C,?), ref: 02F954B8
SelectObject.GDI32(00000000,?), ref: 02F954C3
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F954DA
LineTo.GDI32(00000000,0000000C,0000000C), ref: 02F954E9
LineTo.GDI32(00000000,?,0000000C), ref: 02F954FC
SelectObject.GDI32(00000000,?), ref: 02F95507
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F95520

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Object$Select$ColorCreateDelete$LineMove$BrushFillPolygonRectSolidStock
String ID:
API String ID: 3846926501-0
Opcode ID: 0f709cdba570330a26d70c3fb2ae797fe9ae2870c7f443d439fd4520157770b3
Instruction ID: 4656bacd00b1b813f4bbb88adc5f3b45fd655618d4488863787a788c7bc107c2
Opcode Fuzzy Hash: 0f709cdba570330a26d70c3fb2ae797fe9ae2870c7f443d439fd4520157770b3
Instruction Fuzzy Hash: C0914BB2948344AFE7508F58DC48B1BFBF9FF89399F04891DF69982261D7B19850CB12

Uniqueness

Uniqueness Score: -1.00%

Function 0053CCF0 Relevance: 46.7, APIs: 31, Instructions: 168COMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(00000005), ref: 0053CCFA
FillRect.USER32(00000000,?,00000000), ref: 0053CD06
GetSysColor.USER32(00000010), ref: 0053CD0E
CreatePen.GDI32(00000000,00000001,00000000), ref: 0053CD19
SelectObject.GDI32(00000000,00000000), ref: 0053CD2A
MoveToEx.GDI32(00000000,?,?,00000000), ref: 0053CD3D
LineTo.GDI32(00000000,?,?), ref: 0053CD52
LineTo.GDI32(00000000,?,?), ref: 0053CD5D
DeleteObject.GDI32(0041DF90), ref: 0053CD63
GetSysColor.USER32(00000015), ref: 0053CD6B
CreatePen.GDI32(00000000,00000001,00000000), ref: 0053CD76
SelectObject.GDI32(00000000,00000000), ref: 0053CD81
MoveToEx.GDI32(00000000,?,?,00000000), ref: 0053CD94
LineTo.GDI32(00000000,?,?), ref: 0053CDA9
LineTo.GDI32(00000000,?,?), ref: 0053CDBA
DeleteObject.GDI32(0041DF90), ref: 0053CDC0
GetSysColor.USER32(00000014), ref: 0053CDC8
CreatePen.GDI32(00000000,00000001,00000000), ref: 0053CDD3
SelectObject.GDI32(00000000,00000000), ref: 0053CDDE
MoveToEx.GDI32(00000000,?,?,00000000), ref: 0053CDEE
LineTo.GDI32(00000000,?,?), ref: 0053CE03
LineTo.GDI32(00000000,?,?), ref: 0053CE11
DeleteObject.GDI32(0041DF90), ref: 0053CE17
GetSysColor.USER32(00000016), ref: 0053CE1F
CreatePen.GDI32(00000000,00000001,00000000), ref: 0053CE2A
SelectObject.GDI32(00000000,00000000), ref: 0053CE35
MoveToEx.GDI32(00000000,?,?,00000000), ref: 0053CE48
LineTo.GDI32(00000000,?,?), ref: 0053CE5D
LineTo.GDI32(00000000,?,?), ref: 0053CE6B
SelectObject.GDI32(00000000,?), ref: 0053CE72
DeleteObject.GDI32(0041DF90), ref: 0053CE78

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Object$Line$ColorSelect$CreateDeleteMove$BrushFillRect
String ID:
API String ID: 3147226825-0
Opcode ID: d3f20e69ea5fb6c0736a3c6c34a0ccc6653d1022f0e7ce3fddbfa07cdf526bea
Instruction ID: c81af0beef78fee36505ad3b5b5aad6888974358f3fff768e87c4a9983ab83ad
Opcode Fuzzy Hash: d3f20e69ea5fb6c0736a3c6c34a0ccc6653d1022f0e7ce3fddbfa07cdf526bea
Instruction Fuzzy Hash: EF511CB5100608BFEB009FA4EC49FAF776DEF99321F108209FA25962D0CB749945AB71

Uniqueness

Uniqueness Score: -1.00%

Function 00426750 Relevance: 45.8, APIs: 25, Strings: 1, Instructions: 268COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004267EA
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004267FC
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00426813
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042682B
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0042683D
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00426856
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004268BE
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004268D6
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004268EA
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004268FF
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00426920
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00426932
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0042694B
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00426962
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00426974
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0042698D
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004269A4
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004269B6
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004269CF
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004269FC
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00426A0E
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00426A27

Part of subcall function 004AB970: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB981
Part of subcall function 004AB970: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB993
Part of subcall function 004AB970: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB9C2

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00426A6F
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00426A81
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00426A9A

Part of subcall function 005662C8: _malloc.LIBCMT ref: 005662E0

Strings

field, xrefs: 00426872

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterInitialize$_malloc
String ID: field
API String ID: 3409860162-1542800728
Opcode ID: 9ce3b91b033b9ae56e8884dbaa3dcbbc14a9b3e27a974dce045aa1a81122a146
Instruction ID: 9c55ed499a60452e23d28e8c8aa6fe9f988bdd8b8491853b63ae54470425c1dd
Opcode Fuzzy Hash: 9ce3b91b033b9ae56e8884dbaa3dcbbc14a9b3e27a974dce045aa1a81122a146
Instruction Fuzzy Hash: 4BA146B1E01214AFEB10AF59EC44AABBBB4BF60730F45419AE884A3345D77889C4DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02F95D10 Relevance: 45.2, APIs: 30, Instructions: 244COMMON

Download Yara Rule

APIs

SetRect.USER32(?,?,00000000,?,?), ref: 02F95D43
CreatePen.GDI32(00000000,00000001,00999999), ref: 02F95D52
SelectObject.GDI32(00000000,00000000), ref: 02F95D5C
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F95D76
LineTo.GDI32(00000000,?), ref: 02F95D86
LineTo.GDI32(00000000,?,00000000), ref: 02F95D99
GetStockObject.GDI32(00000006), ref: 02F95DA1
SelectObject.GDI32(00000000,00000000), ref: 02F95DA9
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F95DBE
LineTo.GDI32(00000000,?,?), ref: 02F95DD5
LineTo.GDI32(00000000,?,?), ref: 02F95DE9
SelectObject.GDI32(00000000,?), ref: 02F95DF4
DeleteObject.GDI32(00000000), ref: 02F95DFB
InflateRect.USER32(?,000000FF,000000FF), ref: 02F95E2A
GetStockObject.GDI32(00000004), ref: 02F95E32
FrameRect.USER32(00000000,?,00000000), ref: 02F95E3F
InflateRect.USER32(?,000000FF,000000FF), ref: 02F95E4E
GetStockObject.GDI32(00000000), ref: 02F95E56
FillRect.USER32(00000000,?,00000000), ref: 02F95E63
SetRect.USER32(?,00000000,00000000,00000000,00000000), ref: 02F95E82
OffsetRect.USER32(?,?,00000000), ref: 02F95EC0
OffsetRect.USER32(?,00000000,?), ref: 02F95EFB
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 02F95F09
GetClipRgn.GDI32(00000000,00000000), ref: 02F95F13
OffsetRect.USER32(?,?,?), ref: 02F95F66
CreateRectRgn.GDI32(?,?,?,?), ref: 02F95F80
SelectClipRgn.GDI32(00000000,00000000), ref: 02F95F8A
SelectClipRgn.GDI32(00000000,00000000), ref: 02F95FD4
DeleteObject.GDI32(00000000), ref: 02F95FDB
DeleteObject.GDI32(00000000), ref: 02F95FE2

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Rect$Object$Select$Line$ClipCreateDeleteOffsetStock$InflateMove$FillFrame
String ID:
API String ID: 2333775301-0
Opcode ID: 3a48d8b3e85048f39c0d750b876239fcdc14cf2effb10eab5d68c5ae81e0ca1d
Instruction ID: 4e8d1e07799efb18056fbec3b7747064867770f58c94dfd1e6a6ab8c11d216a9
Opcode Fuzzy Hash: 3a48d8b3e85048f39c0d750b876239fcdc14cf2effb10eab5d68c5ae81e0ca1d
Instruction Fuzzy Hash: A4912BB5548704AFE744DF64C888B7BB7F9FF88791F108A0DFAA682290D774A850CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0042A0C0 Relevance: 45.2, APIs: 30, Instructions: 240COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042A101
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0042A113
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0042A12C
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042A179
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0042A18B
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042A1AC
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0042A1BE
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0042A1DB
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0042A1EF
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042A20B
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0042A21D
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0042A236
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042A261
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0042A273
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042A294
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0042A2A6
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0042A2C3
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0042A2D7
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042A2EF
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0042A301
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0042A31A
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042A33E
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0042A350
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042A371
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0042A383
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0042A3A0
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0042A3B4
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042A3CC
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0042A3DE
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0042A3F7

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: c9074e675a2ddd91073a85740aa8844d891160fb5b22125b77697b6b26d682c2
Instruction ID: cee77cafc4526bc5bd055825e8b04c3ceec641cf317465817f99cc724a5d4070
Opcode Fuzzy Hash: c9074e675a2ddd91073a85740aa8844d891160fb5b22125b77697b6b26d682c2
Instruction Fuzzy Hash: 3C91D771B01354AFFB105F55FC48B777BA0BB61730F54019AECC5A2394C7B849A8AB92

Uniqueness

Uniqueness Score: -1.00%

Function 00423DF0 Relevance: 42.4, APIs: 28, Instructions: 411timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00423190: GetLocaleInfoA.KERNEL32(00000400,0000001F,?,00000050), ref: 004231B1

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00423F0C
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00423F1E
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00423F49
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00423F69
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00423F98
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004240A8
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004240BA
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004240D7
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004240F7
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0042410F
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0042412A
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042413A

Part of subcall function 00423260: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004232A0
Part of subcall function 00423260: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004232B2
Part of subcall function 00423260: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004232C7
Part of subcall function 00423260: GetSystemTime.KERNEL32(?), ref: 00423510

RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0042414C
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00423F7B

Part of subcall function 0056646E: __lock.LIBCMT ref: 0056648C
Part of subcall function 0056646E: ___sbh_find_block.LIBCMT ref: 00566497
Part of subcall function 0056646E: ___sbh_free_block.LIBCMT ref: 005664A6
Part of subcall function 0056646E: RtlFreeHeap.NTDLL(00000000,00000000,005ACD80,0000000C,004AB885,?,?,?,00401224), ref: 005664D6
Part of subcall function 0056646E: GetLastError.KERNEL32(?,?,00401224), ref: 005664E7

RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00424161
SystemTimeToFileTime.KERNEL32(?,?), ref: 00424204
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042422D
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0042423F
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0042425C
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004242BB
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004242CD
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004242EA
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042430C
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00424324
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0042433F
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042434F
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00424361
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00424376

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave$Time$System$ErrorFileFreeHeapInfoLastLocale___sbh_find_block___sbh_free_block__lock
String ID:
API String ID: 896962874-0
Opcode ID: ccce72223256c3e63b5a42d4139bf884a7a49ba7608a62d188f2e6da7718140a
Instruction ID: 35a9617e336eaec9a5d2e6a7f94ebdf47ea64ab8a60379b10dea1f9eab503eab
Opcode Fuzzy Hash: ccce72223256c3e63b5a42d4139bf884a7a49ba7608a62d188f2e6da7718140a
Instruction Fuzzy Hash: 6AF1DE71A083119FD7109F25E88462BBBF0FFA5724F444A6EF98493350D778DA88CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02F94320 Relevance: 40.9, APIs: 27, Instructions: 398COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000010), ref: 02F943A3
CreateSolidBrush.GDI32(00000000), ref: 02F943AA

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: BrushColorCreateSolid
String ID:
API String ID: 2798526982-0
Opcode ID: 162ebdfa1499e4be9fa3ff410fc6019ffb33870a78f9ff165e3ca49537438511
Instruction ID: fcea2e2bf4100ef54dab06e4be8d49497e539391c7c391f54c3f18298966817d
Opcode Fuzzy Hash: 162ebdfa1499e4be9fa3ff410fc6019ffb33870a78f9ff165e3ca49537438511
Instruction Fuzzy Hash: D8E1ACB1548B54ABE7148F18DC95B3FFAFAFF84B8AF09881DF68640650E3748561CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02F9436C Relevance: 37.8, APIs: 25, Instructions: 320COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000010), ref: 02F943A3
CreateSolidBrush.GDI32(00000000), ref: 02F943AA
SelectObject.GDI32(?,?), ref: 02F94520
Polygon.GDI32(?,?,00000003), ref: 02F94533
SelectObject.GDI32(?,00000000), ref: 02F9453E
DeleteObject.GDI32(?), ref: 02F94548
GetSysColor.USER32(00000014), ref: 02F94566
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F94571
SelectObject.GDI32(?,00000000), ref: 02F94580
MoveToEx.GDI32(?,?,-00000005,00000000), ref: 02F945B8
LineTo.GDI32(?,?), ref: 02F94643
SelectObject.GDI32(?,00000000), ref: 02F94655
DeleteObject.GDI32(?), ref: 02F9465F
GetSysColor.USER32(00000010), ref: 02F94667
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F94672
SelectObject.GDI32(?,00000000), ref: 02F9467F

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Object$Select$ColorCreate$Delete$BrushLineMovePolygonSolid
String ID:
API String ID: 2756773623-0
Opcode ID: c696c15949f96a352ad39b225963fc1d940f5f456e55a7ce2d3bd869f32a015e
Instruction ID: 1ed5ee663aa0953733441dfcab3633c402805442698d68ad3207512647d9f857
Opcode Fuzzy Hash: c696c15949f96a352ad39b225963fc1d940f5f456e55a7ce2d3bd869f32a015e
Instruction Fuzzy Hash: A6C17CB1548B14ABE7148F18DC9573BFAFAFF84B8AF09881DF68681660F3748561CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0040C38A Relevance: 36.4, APIs: 24, Instructions: 406COMMON

Download Yara Rule

APIs

Part of subcall function 005662C8: _malloc.LIBCMT ref: 005662E0

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0040C591
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0040C5A3
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0040C5CD
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0040C5E8
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0040C5FA
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0040C617
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0040C65E
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0040C670
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0040C695
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0040C6B0
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0040C6C2
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0040C6DF
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0040C704
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0040C716
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0040C72F
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0040C758
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0040C770
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0040C78B
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0040C7B0
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0040C7C2
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0040C7D7
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0040C7EE
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0040C800
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0040C815

Part of subcall function 004AB850: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB85E
Part of subcall function 004AB850: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB870
Part of subcall function 004AB850: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB88D

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave$_malloc
String ID:
API String ID: 2909137988-0
Opcode ID: 5a4eb3ff8802c6ad4e487d190a01609998478c0d02fe15ed7a31f12cc8436f09
Instruction ID: dc54190cd8c47857c79878194214430551bbf4e62fd12a7ca53b2ca00330978d
Opcode Fuzzy Hash: 5a4eb3ff8802c6ad4e487d190a01609998478c0d02fe15ed7a31f12cc8436f09
Instruction Fuzzy Hash: F2D10F71A00305EFEB209F69DCC5B6B3BE4BF55724F04066AE885B7380D778AC449B96

Uniqueness

Uniqueness Score: -1.00%

Function 00568936 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 156fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 005689A2
__invoke_watson.LIBCMT ref: 005689B3
GetModuleFileNameA.KERNEL32(00000000,005F0D91,00000104), ref: 005689CF
_strcpy_s.LIBCMT ref: 005689E4
__invoke_watson.LIBCMT ref: 005689F7
_strlen.LIBCMT ref: 00568A00
_strlen.LIBCMT ref: 00568A0D
__invoke_watson.LIBCMT ref: 00568A3A
_strcat_s.LIBCMT ref: 00568A4D
__invoke_watson.LIBCMT ref: 00568A5E
_strcat_s.LIBCMT ref: 00568A6F
__invoke_watson.LIBCMT ref: 00568A80
GetStdHandle.KERNEL32(000000F4,00000000,00000000,00000000,76ED5E70,00000003,00568B02,000000FC,005663D3,00000001,00000000,00000000,?,00568370,?,00000001), ref: 00568A9F
_strlen.LIBCMT ref: 00568AC0
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,00568370,?,00000001,00000000,00568C19,00000018,005ACE90,0000000C,00568CA8,00000000), ref: 00568ACA

Strings

Microsoft Visual C++ Runtime Library, xrefs: 00568A8D
..., xrefs: 00568A1E
<program name unknown>, xrefs: 005689D9
Runtime Error!Program: , xrefs: 00568991
x_, xrefs: 0056899C

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $x_
API String ID: 1879448924-3321094732
Opcode ID: aaff4c850bfa89883e8285e9d6b44936c60513e4c03e63022e9f406fc480a5e7
Instruction ID: aeefe914ad578ee4fd86a20dffaa4b2144b86dbfabf02375f857ba400c7be43d
Opcode Fuzzy Hash: aaff4c850bfa89883e8285e9d6b44936c60513e4c03e63022e9f406fc480a5e7
Instruction Fuzzy Hash: 55312AA2A402162AEA2132B45C4EF3B7E4CFB51364F040725FD09E71E3EE529984D1B2

Uniqueness

Uniqueness Score: -1.00%

Function 02F93449 Relevance: 34.7, APIs: 23, Instructions: 224windowCOMMON

Download Yara Rule

APIs

DrawTextW.USER32(?,00000000,00000000,00000001,00000120), ref: 02F93474
GetSysColor.USER32(00000010), ref: 02F93522
SetTextColor.GDI32(?,00000000), ref: 02F93530
DrawTextW.USER32(?,00000000,00000000,?,00000120), ref: 02F935E3
SetRect.USER32(?,?,?,?,?), ref: 02F936D9
DrawFocusRect.USER32(?,?), ref: 02F936EE
SetTextAlign.GDI32(?,?), ref: 02F936FF
SetBkMode.GDI32(?,?), ref: 02F93710
SetTextColor.GDI32(?,?), ref: 02F93724
SelectClipRgn.GDI32(?,00000000), ref: 02F93749
DeleteObject.GDI32(?), ref: 02F93756
DeleteObject.GDI32(?), ref: 02F93760

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Text$ColorDraw$DeleteObjectRect$AlignClipFocusModeSelect
String ID:
API String ID: 2533809872-0
Opcode ID: acaeb5dac08b176bf195e4107b81f1518a00e43fe6a08d537d61441aa7658ac7
Instruction ID: d3b694283243fcae9a84b2ac4c55ce0406ed39a84c7655a6343efcb4b35c07b2
Opcode Fuzzy Hash: acaeb5dac08b176bf195e4107b81f1518a00e43fe6a08d537d61441aa7658ac7
Instruction Fuzzy Hash: D4A157B2908384DFEB358B24CC48BEEFBE5BF85389F04495DE689462A0C7715994CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02F9543E Relevance: 34.7, APIs: 23, Instructions: 182windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 02F95442
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F9544D
GetSysColor.USER32(0000000F), ref: 02F95459
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F95464
FillRect.USER32(00000000,0000000C,?), ref: 02F954B8
SelectObject.GDI32(00000000,?), ref: 02F954C3
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F954DA
LineTo.GDI32(00000000,0000000C,0000000C), ref: 02F954E9
LineTo.GDI32(00000000,?,0000000C), ref: 02F954FC
SelectObject.GDI32(00000000,?), ref: 02F95507
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F95520
LineTo.GDI32(00000000,?,?), ref: 02F95537
LineTo.GDI32(00000000,?,0000000B), ref: 02F9554E
SelectObject.GDI32(00000000,00000000), ref: 02F95556
GetStockObject.GDI32(00000001), ref: 02F955C4
SelectObject.GDI32(00000000,00000000), ref: 02F955CC
Polygon.GDI32(00000000,?,00000003), ref: 02F955DC
SelectObject.GDI32(00000000,00000000), ref: 02F955E4
SetRect.USER32(?,?,?,?,?), ref: 02F9563B
DrawFocusRect.USER32(00000000,?), ref: 02F95647
DeleteObject.GDI32(?), ref: 02F95654
DeleteObject.GDI32(?), ref: 02F9565E
DeleteObject.GDI32(?), ref: 02F95668

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Object$Select$Line$DeleteRect$ColorCreateMove$DrawFillFocusPolygonStock
String ID:
API String ID: 1436858789-0
Opcode ID: 11a84ae1633e7b2b8a7839508a8c0b6c5f04655a7382e730447a6c6ed1ae7c6b
Instruction ID: 1cb47ed6a8294fcc3b307f8e434e437e7c1c2305c59b1c65329f61a50791edc0
Opcode Fuzzy Hash: 11a84ae1633e7b2b8a7839508a8c0b6c5f04655a7382e730447a6c6ed1ae7c6b
Instruction Fuzzy Hash: 5F614DB1548344AFE7408F68DC48B1BFBF9FF89795F04891DF699822A1D7B19850CB12

Uniqueness

Uniqueness Score: -1.00%

Function 0051A510 Relevance: 30.2, APIs: 20, Instructions: 175COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0051A553
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0051A567
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0051A577
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0051A585
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0051A599
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0051A5A7
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051A5C2
_malloc.LIBCMT ref: 0051A5CE
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051A61F
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051A63D
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0051A663
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0051A675
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051A687
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0051A69F
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0051A6B1
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051A6CE
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051A6E7
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0051A708
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0051A71A
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051A737

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterInitialize$_malloc
String ID:
API String ID: 3409860162-0
Opcode ID: 18c2d33d297ee226b915f02101c5afa78246355770ef4de2152403f9d918ca53
Instruction ID: da9950eb61365fbe89e7d26a516bd7552d96c98a72538f8dea720209e793e512
Opcode Fuzzy Hash: 18c2d33d297ee226b915f02101c5afa78246355770ef4de2152403f9d918ca53
Instruction Fuzzy Hash: C8513371A01308AFFB11AB69DC45BBB7FB4BF61320F054058E8C493285D7B895C89F92

Uniqueness

Uniqueness Score: -1.00%

Function 00519460 Relevance: 30.2, APIs: 20, Instructions: 174COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005194A3
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005194B7
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005194C7
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005194D5
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005194E9
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005194F7
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00519512
_malloc.LIBCMT ref: 0051951E
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051956F
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051958D
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005195B3
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005195C5
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 005195D7
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005195EF
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00519601
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051961E
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00519637
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00519658
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0051966A
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00519687

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterInitialize$_malloc
String ID:
API String ID: 3409860162-0
Opcode ID: 65c01fe334c96b71fdf03ba3835b970fe02eeab1abada0408fb755c0fd06d5ae
Instruction ID: 9b2f1634c3bd6d28490454c461e1d36c55fcfee2b5bf7eb60c20008ee659b866
Opcode Fuzzy Hash: 65c01fe334c96b71fdf03ba3835b970fe02eeab1abada0408fb755c0fd06d5ae
Instruction Fuzzy Hash: 675103706003486BFB10AB69DC45BFB7FA4BFA1724F044169E985A3281D7B895C89FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00519CA0 Relevance: 30.2, APIs: 20, Instructions: 169COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00519CE6
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00519CFA
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00519D0A
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00519D18
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00519D2C
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00519D3A
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00519D55
_malloc.LIBCMT ref: 00519D61
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00519DB2
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00519DD0
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00519DF6
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00519E08
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00519E1A
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00519E32
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00519E44
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00519E61
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00519E7A
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00519E9B
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00519EAD
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00519ECA

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterInitialize$_malloc
String ID:
API String ID: 3409860162-0
Opcode ID: cc003b7abd5c61c81d0e49b857a0c0b89308eefe66650a69f563dfbc874c9aae
Instruction ID: 40112b00095426e05800961f66c3c8125d9b4e10818366888be957f01538d074
Opcode Fuzzy Hash: cc003b7abd5c61c81d0e49b857a0c0b89308eefe66650a69f563dfbc874c9aae
Instruction Fuzzy Hash: 81514670600348AFFB10AF69EC45BBB7FB8BB61720F040599E8C567285C7B895C89F91

Uniqueness

Uniqueness Score: -1.00%

Function 0045C790 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 271COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0045C86E
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0045C880
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0045C899
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0045C8B1
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0045C8C3
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0045C8DC

Part of subcall function 004AB850: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB85E
Part of subcall function 004AB850: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB870
Part of subcall function 004AB850: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB88D

Strings

_Poll, xrefs: 0045C799

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: _Poll
API String ID: 3991485460-2041259360
Opcode ID: b6b6c2bbc0fdc754023103bd08246ab60e47c574abbcc35f784283705f47ab1a
Instruction ID: eb624d7c6499e20aa448f5bc030b498b1ab200b98f7a37f8aa4c3f63521cbdcb
Opcode Fuzzy Hash: b6b6c2bbc0fdc754023103bd08246ab60e47c574abbcc35f784283705f47ab1a
Instruction Fuzzy Hash: 44A13671E00309AFEB10EF65D8857AF7BB4AF51725F04016AEC48A3342D7789E489BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00421340 Relevance: 28.2, APIs: 9, Strings: 7, Instructions: 181fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(0057E81C), ref: 004213D4

Part of subcall function 004ABC10: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000,00000000,00000000,00000008,?,?,0054664D,00000000), ref: 004ABC52
Part of subcall function 004ABC10: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0057E81C,00000000,?,00000000,?,?,0054664D), ref: 004ABCAB

CreateFileW.KERNEL32(00000000,?,C0000000,00000001,00000000,00000003,04000100,00000000), ref: 004213A1
GetTempPathW.KERNEL32(00000104,?), ref: 0042140E
GetTempFileNameW.KERNEL32(?,rbt,00000000,?), ref: 00421449
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,04000100,00000000), ref: 00421488
GetTempPathA.KERNEL32(00000104,?), ref: 0042149F
GetTempFileNameA.KERNEL32(?,rbt,00000000,?), ref: 004214DA
CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000003,04000100,00000000), ref: 00421519

Part of subcall function 0041A360: _memset.LIBCMT ref: 0041A391
Part of subcall function 0041A360: GetVersionExA.KERNEL32(?), ref: 0041A3AA

GetLastError.KERNEL32 ref: 00421528

Strings

0 != ::GetTempPath( _MAX_PATH, dir ), xrefs: 004214B5
0 != ::GetTempPathW( _MAX_PATH, dir ), xrefs: 00421424
..\..\..\..\Universal\DataFile.cpp, xrefs: 0042141D, 00421458, 004214AE, 004214E9
rbt, xrefs: 0042143D
0 != ::GetTempFileNameW( dir, L"rbt", 0, filePath ), xrefs: 0042145F
0 != ::GetTempFileName( dir, "rbt", 0, filePath ), xrefs: 004214F0
rbt, xrefs: 004214CE

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: File$CreateTemp$ByteCharMultiNamePathWide$ErrorLastVersion_memset
String ID: ..\..\..\..\Universal\DataFile.cpp$0 != ::GetTempFileName( dir, "rbt", 0, filePath )$0 != ::GetTempFileNameW( dir, L"rbt", 0, filePath )$0 != ::GetTempPath( _MAX_PATH, dir )$0 != ::GetTempPathW( _MAX_PATH, dir )$rbt$rbt
API String ID: 537836023-2317909494
Opcode ID: 7d46d721f68d0c1b13250066e0b68cfbfcf9f61b60ff527ab4866ccd35da41fa
Instruction ID: 92c9f92e8972cf517d4f4594b54bccc22b4431234805273dcfe1003d3836bb1e
Opcode Fuzzy Hash: 7d46d721f68d0c1b13250066e0b68cfbfcf9f61b60ff527ab4866ccd35da41fa
Instruction Fuzzy Hash: 28513F71700314ABE720EF60FC46FD677A8BF24704F4041AAB909A71D1D7B4E984DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00546870 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 154COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00546A08

Part of subcall function 0041A2A0: GetVersionExA.KERNEL32(005F5298), ref: 0041A2D2
Part of subcall function 0041A2A0: _swprintf.LIBCMT ref: 0041A305
Part of subcall function 0041A2A0: MessageBoxA.USER32(005F5900,?,Runtime Error,00000111), ref: 0041A31F
Part of subcall function 0041A2A0: ExitProcess.KERNEL32 ref: 0041A32B

Strings

MS UI Gothic, xrefs: 005469CE
Courier, xrefs: 00546938
Segoe UI, xrefs: 00546A2B
Application, xrefs: 0054690E
System, xrefs: 005468D0
Times, xrefs: 0054698D
Geneva, xrefs: 00546923
Tahoma, xrefs: 00546A3C
Osaka, xrefs: 005469BD
Courier New, xrefs: 00546949
Helvetica, xrefs: 005469A5
Times New Roman, xrefs: 0054699E
Arial, xrefs: 005469B6
SmallSystem, xrefs: 005468F8
MS Sans Serif, xrefs: 005469EB, 00546A48

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcessVersion_memset_swprintf
String ID: Application$Arial$Courier$Courier New$Geneva$Helvetica$MS Sans Serif$MS UI Gothic$Osaka$Segoe UI$SmallSystem$System$Tahoma$Times$Times New Roman
API String ID: 677397696-3904172137
Opcode ID: e7edc6fec795d57a9f203da81267b3a4d199fb721da256a76556add21fe87213
Instruction ID: 0ce60b3a01cef934f21bb462c7f49425598102ab02b70b58739b88f0b74afbee
Opcode Fuzzy Hash: e7edc6fec795d57a9f203da81267b3a4d199fb721da256a76556add21fe87213
Instruction Fuzzy Hash: 7751A232A0021D9BCF20EF15DD827DD7BA5BB12318F1485BAE949AB242D770DD488B93

Uniqueness

Uniqueness Score: -1.00%

Function 0051EC90 Relevance: 25.8, APIs: 17, Instructions: 253COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32(?,?,?,?), ref: 0051ED4A
CreateRectRgn.GDI32(?,00000000,?,?), ref: 0051ED6B
CombineRgn.GDI32(00000000,?,00000000,00000003), ref: 0051ED7C
CreateRectRgn.GDI32(?,?,?), ref: 0051EDAB
CombineRgn.GDI32(00000000,00000000,00000000,00000001), ref: 0051EDBA
DeleteObject.GDI32(?), ref: 0051EDC5
InvalidateRgn.USER32(?,00000000,00000001), ref: 0051EDD6
DeleteObject.GDI32(?), ref: 0051EDE1
DeleteObject.GDI32(00000000), ref: 0051EDE8
SetRect.USER32(?,?,?,?,?), ref: 0051EE41
ClientToScreen.USER32(?,?), ref: 0051EE54
ClientToScreen.USER32(?,?), ref: 0051EE63
GetParent.USER32(?), ref: 0051EE72
ScreenToClient.USER32(00000000), ref: 0051EE79
GetParent.USER32(?), ref: 0051EE88
ScreenToClient.USER32(00000000), ref: 0051EE8F
MoveWindow.USER32(?,?,?,?,?,?), ref: 0051EEBE

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ClientRectScreen$CreateDeleteObject$CombineParent$InvalidateMoveWindow
String ID:
API String ID: 2629781016-0
Opcode ID: 63d1f6016770646b24e71d89303f179e4f7f4862b88e50999d5fc4dd9b68bc15
Instruction ID: ef0de6c4bd0d0f30ddd577ae577365adbb4af6526b760dc808e7943c0f62c57e
Opcode Fuzzy Hash: 63d1f6016770646b24e71d89303f179e4f7f4862b88e50999d5fc4dd9b68bc15
Instruction Fuzzy Hash: 6CA15AB5204A119FD714DF29D88897BBBF9FFC8711B048A0DF88987215E734E985CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F96940 Relevance: 25.6, APIs: 17, Instructions: 118COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000010), ref: 02F96959
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F96964
GetSysColor.USER32(00000014), ref: 02F96970
CreatePen.GDI32(00000000,00000001,00000000), ref: 02F9697B
SelectObject.GDI32(00000000,?), ref: 02F96989
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F969E1
LineTo.GDI32(00000000,?,?), ref: 02F969EE
SelectObject.GDI32(00000000), ref: 02F969F8
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F96A0A
MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F96A38
LineTo.GDI32(00000000,?,?), ref: 02F96A45
SelectObject.GDI32(00000000), ref: 02F96A4F
MoveToEx.GDI32(00000000,?,00000000,00000000), ref: 02F96A60
LineTo.GDI32(00000000,?,?), ref: 02F96A70
SelectObject.GDI32(00000000,?), ref: 02F96A7B
DeleteObject.GDI32(?), ref: 02F96A85
DeleteObject.GDI32 ref: 02F96A8E

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Object$MoveSelect$Line$ColorCreateDelete
String ID:
API String ID: 4218603526-0
Opcode ID: 1323cf299527473c290b123951e0574e54c1ad6589b0bab785e958c423cce8f5
Instruction ID: 82b99c0c8d39299b6735e9afa6ecd8ad909ecf04e44233b68c3c0d392ffae3e5
Opcode Fuzzy Hash: 1323cf299527473c290b123951e0574e54c1ad6589b0bab785e958c423cce8f5
Instruction Fuzzy Hash: 3A414DB5544709AFE710AF64DC48A7BBBEDFB48B82F008919FA5681180E7759950CB21

Uniqueness

Uniqueness Score: -1.00%

Function 0040B060 Relevance: 24.9, APIs: 9, Strings: 5, Instructions: 447COMMON

Download Yara Rule

APIs

Part of subcall function 00469680: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004696BB
Part of subcall function 00469680: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004696D4
Part of subcall function 00469680: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004696E8
Part of subcall function 00469680: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00469708
Part of subcall function 00469680: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0046971A
Part of subcall function 00469680: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00469729

Part of subcall function 004ABFA0: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004ABFB4
Part of subcall function 004ABFA0: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004ABFCE
Part of subcall function 004ABFA0: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ABFE8

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0040B186
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0040B19E
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0040B1CD
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0040B1DD
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0040B1EF
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0040B218
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0040B22F
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0040B241
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0040B26A

Part of subcall function 004AB850: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB85E
Part of subcall function 004AB850: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB870
Part of subcall function 004AB850: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB88D

Strings

Abort, xrefs: 0040B319
Cancel, xrefs: 0040B3F4, 0040B558
Retry, xrefs: 0040B2E7, 0040B526
Ignore, xrefs: 0040B350
Yes, xrefs: 0040B3C2, 0040B493

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: Abort$Cancel$Ignore$Retry$Yes
API String ID: 3991485460-2123939639
Opcode ID: c1df4aa0099ff2509993c0a96ded0820c5c20f517769d0686408402dbe63f703
Instruction ID: 2473cdb642c237b5928a7d9e79557cfcdd3f5c04c4f9e7ae45801e8236af6563
Opcode Fuzzy Hash: c1df4aa0099ff2509993c0a96ded0820c5c20f517769d0686408402dbe63f703
Instruction Fuzzy Hash: F30256719083518BD720EF2AC44161FBBE4EB94758F05496EF894AB392C778DC488BDB

Uniqueness

Uniqueness Score: -1.00%

Function 00410940 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 190windowCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00410A93
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00410AA5
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00410AC2
_swprintf.LIBCMT ref: 00410B13
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00410B2E
ExitProcess.KERNEL32 ref: 00410B3B
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00410B59
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00410B6B
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00410B88

Strings

Runtime Error, xrefs: 00410B20
Failed Assertion, xrefs: 00410AFB
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00410B02
c:\RB\Universal\StringMap.h, xrefs: 00410AF6
foundInHash == foundInOrder, xrefs: 00410AEC

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave$ExitMessageProcess_swprintf
String ID: Failed Assertion$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$c:\RB\Universal\StringMap.h$foundInHash == foundInOrder
API String ID: 1597292130-2540027267
Opcode ID: 9eada54d91e4fb9c1bf32dea042d7d9d68157742f58260f8c782b7354f70776c
Instruction ID: 952c628417b1866735a69135314451a5f4886729e205e11383749ca3a5f8c92f
Opcode Fuzzy Hash: 9eada54d91e4fb9c1bf32dea042d7d9d68157742f58260f8c782b7354f70776c
Instruction Fuzzy Hash: 647105B0A00315DFDB20CF54D884BA7BBA4BF24714F04829AE649A7391D7B4ADC5CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00534610 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00534759
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0053476B
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00534784
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0053479C
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005347AE
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00534863
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00534875
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0053488E

Strings

%o<, xrefs: 00534654
Operator_Convert%, xrefs: 00534677

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID: %o<$Operator_Convert%
API String ID: 713024617-411561452
Opcode ID: 6537d30764d7147509d9b161acca197116b28a1c06dd16a1a08485c04e9b7aca
Instruction ID: e29abe65b428fbcfa3a3f1873cc3f2c76e2c5713ad1d6e01e129fa6c4f611f6d
Opcode Fuzzy Hash: 6537d30764d7147509d9b161acca197116b28a1c06dd16a1a08485c04e9b7aca
Instruction Fuzzy Hash: B1712375A00208AFDB10EF54D885BAF7FB4FF51320F144169E894A7341C374AE949F90

Uniqueness

Uniqueness Score: -1.00%

Function 0056DD3B Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 164libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,005F0D78,00568A98,005F0D78,Microsoft Visual C++ Runtime Library,00012010), ref: 0056DD68
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0056DD84

Part of subcall function 00567E13: TlsGetValue.KERNEL32(00000000,00567E88,00000000,0056DD49,00000000,00000000,00000314,?,?,?,005F0D78,00568A98,005F0D78,Microsoft Visual C++ Runtime Library,00012010), ref: 00567E20
Part of subcall function 00567E13: TlsGetValue.KERNEL32(00000005,?,?,?,005F0D78,00568A98,005F0D78,Microsoft Visual C++ Runtime Library,00012010), ref: 00567E37

GetProcAddress.KERNEL32(00000000,00000000), ref: 0056DDA1

Part of subcall function 00567E13: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,005F0D78,00568A98,005F0D78,Microsoft Visual C++ Runtime Library,00012010), ref: 00567E4C
Part of subcall function 00567E13: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00567E67

GetProcAddress.KERNEL32(00000000,00000000), ref: 0056DDB6
__invoke_watson.LIBCMT ref: 0056DDD7

Part of subcall function 0056AB47: _memset.LIBCMT ref: 0056ABD3
Part of subcall function 0056AB47: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 0056ABF1
Part of subcall function 0056AB47: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 0056ABFB
Part of subcall function 0056AB47: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 0056AC05
Part of subcall function 0056AB47: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 0056AC20
Part of subcall function 0056AB47: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 0056AC27

Part of subcall function 00567E8A: TlsGetValue.KERNEL32(00000000,00567F1F,?,00000000,005698B4,005664E5,?,?,00401224), ref: 00567E97
Part of subcall function 00567E8A: TlsGetValue.KERNEL32(00000005,?,00000000,005698B4,005664E5,?,?,00401224), ref: 00567EAE

Part of subcall function 00567E8A: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,005698B4,005664E5,?,?,00401224), ref: 00567EC3
Part of subcall function 00567E8A: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00567EDE

GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 0056DDEB
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0056DE03
__invoke_watson.LIBCMT ref: 0056DE76

Strings

MessageBoxA, xrefs: 0056DD7E
GetProcessWindowStation, xrefs: 0056DDFD
GetActiveWindow, xrefs: 0056DD94
GetUserObjectInformationA, xrefs: 0056DDE5
USER32.DLL, xrefs: 0056DD63
GetLastActivePopup, xrefs: 0056DDA9

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 2940365033-232180764
Opcode ID: fe13697b809a5986d6f8f0985834f675c84dd09343d8fef88ca5d60d2ef91c0d
Instruction ID: c998925a08d157989193babc2067b6b2b0743a3698f31ad131c186794bf37d48
Opcode Fuzzy Hash: fe13697b809a5986d6f8f0985834f675c84dd09343d8fef88ca5d60d2ef91c0d
Instruction Fuzzy Hash: D8419371E0420AEADF20AFF49C8996E7FBDBB64310B140C6EE404EB590DB769D44DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00519080 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 176windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00519188
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 005191A3
ExitProcess.KERNEL32 ref: 005191B0
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00519215
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00519227
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0051926B
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005192A8
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 005192BA
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 005192D3

Strings

..\..\..\..\Universal\StringUtils.cpp, xrefs: 00519165
Runtime Error, xrefs: 00519195
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00519177
(unsigned long)sepChar <= 255, xrefs: 0051915E

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave$ExitMessageProcess_swprintf
String ID: (unsigned long)sepChar <= 255$..\..\..\..\Universal\StringUtils.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s
API String ID: 1597292130-1632319054
Opcode ID: 46ecbb8cc580e553f1045f2705cba3d70a656c461af08e55e77d97554ed5629d
Instruction ID: 0757e34307307dafad21caae5a7f838cc4307af62f1d2df37c786c28959c5149
Opcode Fuzzy Hash: 46ecbb8cc580e553f1045f2705cba3d70a656c461af08e55e77d97554ed5629d
Instruction Fuzzy Hash: 636108B0900219ABEF209F15CC85BE9BBB5BF84310F048599EA0877241C7B49EC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004B7930 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 005662C8: _malloc.LIBCMT ref: 005662E0

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B799A
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B79AC
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B79DA
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B79FF
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B7A11
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B7A32
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B7A44
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B7A61
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B7A75
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B7A8D
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B7A9F
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B7AB8

Strings

, xrefs: 004B7AC4

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave$_malloc
String ID:
API String ID: 2909137988-3916222277
Opcode ID: 290a8abaab583d7ead81cb118605e15e7b473f1079de7674145708403f760012
Instruction ID: ed53696f0d7caa11e5c08505a1e83693fb31e94bfaf935df475daf1ee95e6ca2
Opcode Fuzzy Hash: 290a8abaab583d7ead81cb118605e15e7b473f1079de7674145708403f760012
Instruction Fuzzy Hash: 27514A70904304AFEB109F59DC44ABBBFB4BFE1320F140596E88463354D7B84A88DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0055C600 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0055C677
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0055C689
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0055C6B4
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0055C6C6
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0055C6DB
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0055C6F7
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0055C709
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0055C726
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0055C73A
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0055C76F
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0055C781
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0055C79A

Strings

RuntimeViewWindow, xrefs: 0055C60E

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: RuntimeViewWindow
API String ID: 3991485460-2028587484
Opcode ID: f915c01827ef7f58cb5e6e5a884cddc5f7af24c94c438fa0579dbb71d1c1c65b
Instruction ID: 19000b7e065937c7ca7bf129a2321824d8e5c72aa5b89f9f9efe0fe8362ba7a0
Opcode Fuzzy Hash: f915c01827ef7f58cb5e6e5a884cddc5f7af24c94c438fa0579dbb71d1c1c65b
Instruction Fuzzy Hash: 7E414770500304AFEB105B69EC98BBB7FA4FF65721F14416EFD89A7280D7B44988AF91

Uniqueness

Uniqueness Score: -1.00%

Function 004B9EC0 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 115windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 004B9F30
ExitProcess.KERNEL32 ref: 004B9F39
_swprintf.LIBCMT ref: 004B9F15

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

_swprintf.LIBCMT ref: 004B9F6F
MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 004B9F89
ExitProcess.KERNEL32 ref: 004B9F91

Strings

self, xrefs: 004B9EE8
Runtime Error, xrefs: 004B9F22, 004B9F7C
name, xrefs: 004B9F44
+lA, xrefs: 004BA007
self->mMenuHandlers, xrefs: 004B9FEA
..\..\..\..\Common\runctl.cpp, xrefs: 004B9EF2, 004B9F4E, 004B9FE3
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004B9F04, 004B9F5E

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess_swprintf$__vsprintf_s_l
String ID: +lA$..\..\..\..\Common\runctl.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$name$self$self->mMenuHandlers
API String ID: 2931723835-3779408874
Opcode ID: 6ff29cb0082107277cde54acb916abae4c17b976c77bcac9ab3863084d8dd567
Instruction ID: 8c747d0e18fe2bc4d292edc6f8da479a5af26f405f30c9d1d6b4b6e4f1504059
Opcode Fuzzy Hash: 6ff29cb0082107277cde54acb916abae4c17b976c77bcac9ab3863084d8dd567
Instruction Fuzzy Hash: 6141C7B0A44309ABDB149F10DC86FA67BA8BF14714F00406EF709AB291DBB8DD458B69

Uniqueness

Uniqueness Score: -1.00%

Function 004AC150 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 109windowCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AC171
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AC184
_swprintf.LIBCMT ref: 004AC1D4
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 004AC1EF
ExitProcess.KERNEL32 ref: 004AC1FC
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC20E
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC257

Strings

..\..\..\..\Universal\REALstring.cpp, xrefs: 004AC1B1, 004AC288
Runtime Error, xrefs: 004AC1E1
not (pos < 0 || pos >= Length()), xrefs: 004AC1A7
not pos, xrefs: 004AC28D
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004AC1C3

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterExitInitializeMessageProcess_swprintf
String ID: ..\..\..\..\Universal\REALstring.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$not (pos < 0 || pos >= Length())$not pos
API String ID: 114532783-3364694716
Opcode ID: 9ef786f550ce557e9e50af7da729fe58f2763977c827eb4c8350e2dfaab290f0
Instruction ID: 5d0e37feb346bfb3d7d51f5e284ef347eafd52a1d1ff235e9d3cb3a7b4fc6ed5
Opcode Fuzzy Hash: 9ef786f550ce557e9e50af7da729fe58f2763977c827eb4c8350e2dfaab290f0
Instruction Fuzzy Hash: D8315171B003089BEB10EB54DC86F6A7BA8FB66710F4040A6FA097B2D5CB749D44DB95

Uniqueness

Uniqueness Score: -1.00%

Function 004120C0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004120ED
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004120FF
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0041211C
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0041214F
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00412161
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00412184
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004121A2
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004121B4
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004121D1
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004121E8
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004121FA
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00412217

Strings

?, xrefs: 0041212A

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: ?
API String ID: 3991485460-1684325040
Opcode ID: 2dfbcb4bb59e9aaaa6f550fe43a739852526993d7c4a8e0341527103495df618
Instruction ID: cc9c7deb5065789effba70ec98915a047a17b0e2cd1fce63edc0eb5df06b2fce
Opcode Fuzzy Hash: 2dfbcb4bb59e9aaaa6f550fe43a739852526993d7c4a8e0341527103495df618
Instruction Fuzzy Hash: 78310971A012157BFB219B25ED08BBB7E646B61730F040256EE84A3395C7F80DE4AB95

Uniqueness

Uniqueness Score: -1.00%

Function 00508170 Relevance: 22.7, APIs: 15, Instructions: 213COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00000000,?), ref: 005081B3
GetWindowRect.USER32(00000000,?), ref: 0050825C
GetSystemMetrics.USER32(00000003), ref: 0050829A
GetSystemMetrics.USER32(00000002), ref: 005082A6
MoveWindow.USER32(00000000,?,?,?,?,?,?,?,?,?,005086BC,?,00000000), ref: 005082B5
GetSystemMetrics.USER32(00000003), ref: 005082C5
GetSystemMetrics.USER32(00000002), ref: 005082CD
MoveWindow.USER32(00000000,?,?,?,?,?,?,?,?,?,005086BC,?,00000000), ref: 005082DC
GetWindowLongA.USER32(?,000000F0), ref: 00508307
SetWindowLongA.USER32(?,000000F0,00000000), ref: 0050833C
GetSystemMetrics.USER32(0000000F), ref: 00508344
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,?,?,?,005086BC,?,00000000), ref: 00508365

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Window$MetricsSystem$Move$LongRect
String ID:
API String ID: 2432606285-0
Opcode ID: 350136c5096e12c3685766a9fedd76d112ba27698437cf817009a8068aa0d8bd
Instruction ID: 84dfe744cda524d7852281888b4aea4f63ef026df718fe21312ead2fcea05069
Opcode Fuzzy Hash: 350136c5096e12c3685766a9fedd76d112ba27698437cf817009a8068aa0d8bd
Instruction Fuzzy Hash: 9A8186752047019FD210DF68DC85E6AB7F9BF98724B004A0CBA99877A1DB30E849DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00403C70 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 115windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00403CE0
ExitProcess.KERNEL32 ref: 00403CE9
_swprintf.LIBCMT ref: 00403CC5

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

_swprintf.LIBCMT ref: 00403D1F
MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 00403D39
ExitProcess.KERNEL32 ref: 00403D41

Strings

self, xrefs: 00403C98
Runtime Error, xrefs: 00403CD2, 00403D2C
name, xrefs: 00403CF4
self->mMenuHandlers, xrefs: 00403D9A
..\..\..\..\Common\application.cpp, xrefs: 00403CA2, 00403CFE, 00403D93
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00403CB4, 00403D0E

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess_swprintf$__vsprintf_s_l
String ID: ..\..\..\..\Common\application.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$name$self$self->mMenuHandlers
API String ID: 2931723835-3622789405
Opcode ID: f474215f6bf2b8f4f9fff44e7b5c69748695fc1eb82af83c47a9f5dc583f5283
Instruction ID: d4242ac550a8a838ec4ad30551792872baf1b4fb86071d8568efc13d1bb1c1b5
Opcode Fuzzy Hash: f474215f6bf2b8f4f9fff44e7b5c69748695fc1eb82af83c47a9f5dc583f5283
Instruction Fuzzy Hash: DE41B4B1640304ABDB149F10DD82F6A7AACBF54705F4040BEF709BB2C1DBB4AA458B59

Uniqueness

Uniqueness Score: -1.00%

Function 00504BB0 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 111windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00504C1F
ExitProcess.KERNEL32 ref: 00504C28
_swprintf.LIBCMT ref: 00504C04

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

_swprintf.LIBCMT ref: 00504CC5
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00504CE0

Strings

Runtime Error, xrefs: 00504C11, 00504CD2
sDeadThreadList != sCurrentThread, xrefs: 00504C9E
wCP, xrefs: 00504D13
sCurrentThread, xrefs: 00504BD7
Failed Assertion, xrefs: 00504CAD
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00504BF3, 00504CB4
..\..\..\..\Common\ClassLib\RuntimeThread.cpp, xrefs: 00504BE1, 00504CA8

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Message_swprintf$ExitProcess__vsprintf_s_l
String ID: ..\..\..\..\Common\ClassLib\RuntimeThread.cpp$Failed Assertion$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$sCurrentThread$sDeadThreadList != sCurrentThread$wCP
API String ID: 1517955830-1293957223
Opcode ID: 969f5829f8bae290e83b0534989380eb3406127f6d2ce10446ad9d9c6e8cd0cd
Instruction ID: 7aee49ab4a3674b21e4901dbec0095698a6bb6cc582a16ab4201f49083a973e8
Opcode Fuzzy Hash: 969f5829f8bae290e83b0534989380eb3406127f6d2ce10446ad9d9c6e8cd0cd
Instruction Fuzzy Hash: 0631E5B1B412046BFB20EB259D47F6E7B58BB54704F000118F748EB1D2EAB4AE44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00418110 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 186windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB970: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB981
Part of subcall function 004AB970: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB993
Part of subcall function 004AB970: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB9C2

_swprintf.LIBCMT ref: 00418210
MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 00418228
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00418339
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0041834B
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00418364
ExitProcess.KERNEL32 ref: 00418385

Strings

..\..\..\..\Common\CommonRunView.cpp, xrefs: 004181F5
Runtime Error, xrefs: 0041821D
Failed Assertion, xrefs: 004181FA
pane, xrefs: 004181EB
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00418201

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave$ExitMessageProcess_swprintf
String ID: ..\..\..\..\Common\CommonRunView.cpp$Failed Assertion$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$pane
API String ID: 1597292130-3608493658
Opcode ID: a96694d86d89edfdd4c7d29103c27199deb38556d41560da68cb3772e4af80b2
Instruction ID: cc480b5bc47b994ac1d38cbfd3f63c300f8f9fbe7ade105fbfdd2b6ad17705ae
Opcode Fuzzy Hash: a96694d86d89edfdd4c7d29103c27199deb38556d41560da68cb3772e4af80b2
Instruction Fuzzy Hash: 2D6106716043059FCB20CF18D884BABBBE1BF95704F04456EF95897391CB39E988CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00503EB0 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 178sleepwindowCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?,005C2A9C,75C50660), ref: 00503F05
Sleep.KERNEL32(00000000,?,005C2A9C,75C50660), ref: 00503FED
_swprintf.LIBCMT ref: 0050408B
MessageBoxA.USER32(005C2A9C,?,Runtime Error,00000111), ref: 005040A3
ExitProcess.KERNEL32 ref: 005040AF

Strings

Runtime Error, xrefs: 00504098
false, xrefs: 00504010
Infinite loop detected in the thread scheduler. This is likely caused by incorrectly locking resources with semaphores or critical sections., xrefs: 0050400B
possibleThread, xrefs: 00504062
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0050407C
..\..\..\..\Common\ClassLib\RuntimeThread.cpp, xrefs: 00504006, 0050406C

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Sleep$ExitMessageProcess_swprintf
String ID: ..\..\..\..\Common\ClassLib\RuntimeThread.cpp$Infinite loop detected in the thread scheduler. This is likely caused by incorrectly locking resources with semaphores or critical sections.$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$false$possibleThread
API String ID: 667973335-1172121679
Opcode ID: a671cf5100bea8b13cbd0c2285fa67d87b15970de4d493d3644a02f2565321ed
Instruction ID: ed764fd5d4ebdf22b41a4c271c903ea33a9c81f763fc80bc3689fe54c4dc13c0
Opcode Fuzzy Hash: a671cf5100bea8b13cbd0c2285fa67d87b15970de4d493d3644a02f2565321ed
Instruction Fuzzy Hash: CC5127B0A047019FDB20DF24D849B2EBFA9BF95324F144B1EE619972C1D7789A44CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00508410 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 171COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0050845F
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 00508481
MoveWindow.USER32(00000000,?,?,00000000,?,00000001,?,005086D3,?,00000000), ref: 005084AA
GetWindowLongA.USER32(?,000000F0), ref: 005084D7
GetWindowLongA.USER32(?,000000F0), ref: 00508535
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00508570
GetSystemMetrics.USER32(00000004), ref: 00508591
GetSystemMetrics.USER32(00000021), ref: 0050859D
GetSystemMetrics.USER32(00000008), ref: 005085A5

Part of subcall function 0041A360: _memset.LIBCMT ref: 0041A391
Part of subcall function 0041A360: GetVersionExA.KERNEL32(?), ref: 0041A3AA

GetSystemMetrics.USER32(00000007), ref: 005085AC

Strings

deA, xrefs: 00508413

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Window$Long$MetricsSystem$MoveVersion_memset
String ID: deA
API String ID: 969298317-2848871434
Opcode ID: 86b2f3a991f12a49da8d78ead0d62977c41575274728b2d5caf038f448a9515e
Instruction ID: ffb54409c017c9990c36d398be7a482bfd64b079326bf0fa9f8d60df459e5425
Opcode Fuzzy Hash: 86b2f3a991f12a49da8d78ead0d62977c41575274728b2d5caf038f448a9515e
Instruction Fuzzy Hash: 1451FD70501A16AFDB10DB64DD88FBEBBA4BF44728F144205EA549B6E0CB34AD94DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 004B0BA0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 005662C8: _malloc.LIBCMT ref: 005662E0

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B0C49
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B0C5B
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B0C74
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B0CF2
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B0D04
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B0D32
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B0D7E
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B0D90
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B0DA9

Strings

[, xrefs: 004B0C7D
DebuggerThreadCount, xrefs: 004B0BC4, 004B0BEC

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave$_malloc
String ID: DebuggerThreadCount$[
API String ID: 2909137988-1031527322
Opcode ID: eb643b929ccfc46688d194ec60aaa06d181801b8886c8b2ac373244b8c2109b4
Instruction ID: cf5c5b5f7688173f4e7db69bdea86f50ff70cb1d2e2aa9c2dd52777baca63062
Opcode Fuzzy Hash: eb643b929ccfc46688d194ec60aaa06d181801b8886c8b2ac373244b8c2109b4
Instruction Fuzzy Hash: 3E5126709002049FDB10DF98DC84AABBFF8BF91314F14429BE88497365D778A948DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00417240 Relevance: 18.3, APIs: 12, Instructions: 253windowCOMMON

Download Yara Rule

APIs

SetMenu.USER32(?,00000000), ref: 0055A7D8
RevokeDragDrop.OLE32(?), ref: 0055A7F0
GetParent.USER32(?), ref: 0055A814
SendMessageA.USER32(00000000,00000221,?,00000000), ref: 0055A82F
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0055A8B8

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalDragDropInitializeMenuMessageParentRevokeSectionSend
String ID:
API String ID: 926456168-0
Opcode ID: 7cbbe8709d0da1cb89435515c45d33f3a957e392f81dbf2754a4f4de8a52dfab
Instruction ID: 874626b66bedee948d911b8522afdc2c8cbcfccc5309d5374bb37ba115ef5427
Opcode Fuzzy Hash: 7cbbe8709d0da1cb89435515c45d33f3a957e392f81dbf2754a4f4de8a52dfab
Instruction Fuzzy Hash: 6C91C0706002019FDB209F68D894B7BBBF5BF94311F14466EE85AC7351E734AC89DB52

Uniqueness

Uniqueness Score: -1.00%

Function 004B6DB0 Relevance: 18.2, APIs: 12, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 005662C8: _malloc.LIBCMT ref: 005662E0

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B6E1A
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B6E2C
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B6E5D
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B6E7F
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B6E91
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B6EB8
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B6ECA
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B6EEA
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B6EFF
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004B6F17
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004B6F29
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004B6F42

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave$_malloc
String ID:
API String ID: 2909137988-0
Opcode ID: 273ba783b205529a60c0f26f05afa50fa3972b979634c7dc1cc3b0da9abb128f
Instruction ID: ad7f7d91c7d25299fcd801b0c5159d98c67d24381a3005ee9383d75dfca88a08
Opcode Fuzzy Hash: 273ba783b205529a60c0f26f05afa50fa3972b979634c7dc1cc3b0da9abb128f
Instruction Fuzzy Hash: 1771A070A003059FEB10DF6AD885BABBBF4BF54310F14456AE88993754D37CE988DB61

Uniqueness

Uniqueness Score: -1.00%

Function 004B91F0 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 224windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004B9271
_swprintf.LIBCMT ref: 004B92D5
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 004B92F0
ExitProcess.KERNEL32 ref: 004B92FD
ScreenToClient.USER32(?,?), ref: 004B9351

Strings

wnd, xrefs: 004B923D
Runtime Error, xrefs: 004B92E2
..\..\..\..\Common\runctl.cpp, xrefs: 004B9238, 004B92B2
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004B92C4
sDisplay, xrefs: 004B92A8

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ClientScreen$ExitMessageProcess_swprintf
String ID: ..\..\..\..\Common\runctl.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$sDisplay$wnd
API String ID: 2894995809-606318365
Opcode ID: 918467eb21a8c7445be5493166f02e0a668be49c45b866ab84875c530ea65852
Instruction ID: 5d4a2101dc082d5b60fa7d24bb99723033f2068f390309053a7550788bb1ba39
Opcode Fuzzy Hash: 918467eb21a8c7445be5493166f02e0a668be49c45b866ab84875c530ea65852
Instruction Fuzzy Hash: 3A71E5B1A00214AFDB20DF25DC41BFB73A8AF94714F04815AEE0997391E738AD45CBB9

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD80 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0040DDD5

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 0040DDEF
ExitProcess.KERNEL32 ref: 0040DDFF
_memset.LIBCMT ref: 0040DE10
_memset.LIBCMT ref: 0040DE20

Strings

..\..\..\..\Common\BlowFish.cpp, xrefs: 0040DDB4
Runtime Error, xrefs: 0040DDE2
initStr, xrefs: 0040DDAA
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0040DDC4
Cannot initialize blowfish with an empty string, xrefs: 0040DDA5

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: _memset$ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\BlowFish.cpp$Cannot initialize blowfish with an empty string$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$initStr
API String ID: 3522165723-2959070975
Opcode ID: 7e540f164c20a8c43145ff472fa87ea4fb045651738e6dda1838a622f928c3ba
Instruction ID: 846ad168e038a42e6ab892f4d20db0d6162b8ab8277a6da79cdc890322703bf0
Opcode Fuzzy Hash: 7e540f164c20a8c43145ff472fa87ea4fb045651738e6dda1838a622f928c3ba
Instruction Fuzzy Hash: A551B8F2D002149BDB20CF54CD45BDAB7B5BB54304F0185B9EB49B7281D774AA8A8F98

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC20 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 57registrywindowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0041AC63

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 0041AC7D
ExitProcess.KERNEL32 ref: 0041AC89
RegisterServiceCtrlHandlerA.ADVAPI32(Aaron's Service,Function_0001AB90), ref: 0041AC99
SetServiceStatus.ADVAPI32(?,?), ref: 0041ACD2

Strings

Runtime Error, xrefs: 0041AC70
obj, xrefs: 0041AC38
..\..\..\..\Common\ConsoleApplication.cpp, xrefs: 0041AC42
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0041AC52
Aaron's Service, xrefs: 0041AC94

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Service$CtrlExitHandlerMessageProcessRegisterStatus__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\ConsoleApplication.cpp$Aaron's Service$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$obj
API String ID: 3556530136-2166283726
Opcode ID: 7f12ebbd8018b50ac5d8f83bee7e5ddfff699c5afb925cedd5b0898525c4ffaa
Instruction ID: c2ea4941694b64f6956e16b47e99e349f772f1ea519f71486e8f7c7e8ea7c04d
Opcode Fuzzy Hash: 7f12ebbd8018b50ac5d8f83bee7e5ddfff699c5afb925cedd5b0898525c4ffaa
Instruction Fuzzy Hash: 56116AB0945304AFD714DF14ED4AF67BBE8BB08700F40455DE60AA72A1EB74A948CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004AC650 Relevance: 16.7, APIs: 11, Instructions: 222COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AC664
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AC678
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC696
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC6CD
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AC751
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AC763
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC77C
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AC81E
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AC830
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC846
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC8D4

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterInitialize
String ID:
API String ID: 3864236774-0
Opcode ID: 36da3cd4845ee2b461caad3d5ac85a9382cfb8e747cf326593830b199b2ab1c3
Instruction ID: ca9ad1b8d0932d866bf8115f098cae1cfc0c9d3c9d97ddc622f5d7b140a45fab
Opcode Fuzzy Hash: 36da3cd4845ee2b461caad3d5ac85a9382cfb8e747cf326593830b199b2ab1c3
Instruction Fuzzy Hash: 9681CD74A003099FEB44EF19D8C5B6ABBB4FF66310B14849EE8099B345D738ED40DB95

Uniqueness

Uniqueness Score: -1.00%

Function 004B9490 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 342windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004B9547
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 004B9560
ExitProcess.KERNEL32 ref: 004B956D
ScreenToClient.USER32(?,?), ref: 004B961B

Strings

Runtime Error, xrefs: 004B9554
last, xrefs: 004B976E
..\..\..\..\Common\runctl.cpp, xrefs: 004B9526, 004B9767
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004B9538
sDisplay, xrefs: 004B951C

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ClientExitMessageProcessScreen_swprintf
String ID: ..\..\..\..\Common\runctl.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$last$sDisplay
API String ID: 4132004228-1492655430
Opcode ID: e793c5831675640fdf22ee2f449d5cb09d1912d95a0942445dee4294cc50c613
Instruction ID: d7887b937540d621239a2c9625fed42b5b8e40bb791e60a453d0d174c05e1995
Opcode Fuzzy Hash: e793c5831675640fdf22ee2f449d5cb09d1912d95a0942445dee4294cc50c613
Instruction Fuzzy Hash: 7EC1F6B16112019BCB24DF29DD91AB773E4AF90714B04422EFA19C7351EB38EC45CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0050D0B0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 123libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32,?,?,?,?,?,?,?,0055B415,00000000,?,00000000), ref: 0050D0D7
GetProcAddress.KERNEL32(75BD0000,EnumDisplayMonitors), ref: 0050D0FA
73A1A570.USER32(00000000,?,?,?,?,0055B415,00000000,?,00000000), ref: 0050D107
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0050D143
GetSystemMetrics.USER32(00000000), ref: 0050D162
GetSystemMetrics.USER32(00000001), ref: 0050D172
73A1A570.USER32(00000000,?,?,?,?,0055B415,00000000,?,00000000), ref: 0050D182

Strings

User32, xrefs: 0050D0D2
EnumDisplayMonitors, xrefs: 0050D0F4

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: System$A570Metrics$AddressInfoLibraryLoadParametersProc
String ID: EnumDisplayMonitors$User32
API String ID: 4079382675-3800894243
Opcode ID: 060bbca3582bdcb244806ad7c353d74ff051c05123129b7ef7c994fe33fff343
Instruction ID: a02e94e5cab9e1f3a6aa820b2dc3efe127f1677f0d49d7b39e193cda0bbfc7df
Opcode Fuzzy Hash: 060bbca3582bdcb244806ad7c353d74ff051c05123129b7ef7c994fe33fff343
Instruction Fuzzy Hash: EA41B139A003049FDB20DFA9E884A6EFFF4FB98310B50461EE909D3690E734A841DB60

Uniqueness

Uniqueness Score: -1.00%

Function 004E7E20 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 110windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005662C8: _malloc.LIBCMT ref: 005662E0

_swprintf.LIBCMT ref: 004E7E7D

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 004E7E97
ExitProcess.KERNEL32 ref: 004E7EA3
_memset.LIBCMT ref: 004E7F42

Strings

Runtime Error, xrefs: 004E7E8A
hQ_, xrefs: 004E7EBB
..\..\..\..\Common\RuntimeArrayFoundation.cpp, xrefs: 004E7E5C
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004E7E6C
out, xrefs: 004E7E52

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_malloc_memset_swprintf
String ID: ..\..\..\..\Common\RuntimeArrayFoundation.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$hQ_$out
API String ID: 3450170629-993128515
Opcode ID: 4d7a22428c2f52b62392cad5d1c0af0b1a7ab11098d12890f1af4a8bee8c56b3
Instruction ID: f6f6fb585bc776e057824c636fb9a4675924ff6a876a4597f46555c32847f98f
Opcode Fuzzy Hash: 4d7a22428c2f52b62392cad5d1c0af0b1a7ab11098d12890f1af4a8bee8c56b3
Instruction Fuzzy Hash: 1D41A5B06007059FD720DF26CC85A67BBE8FF48718F404A2EE54A97641E774F9098B94

Uniqueness

Uniqueness Score: -1.00%

Function 0046F7F0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 90windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004F25C6

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00CC3738,?,Runtime Error,00000111), ref: 004F25E0
ExitProcess.KERNEL32 ref: 004F25EC

Strings

Runtime Error, xrefs: 004F25D3
exclass, xrefs: 004F259B
self->mImp, xrefs: 0046F81B
..\..\..\..\Common\menubar.cpp, xrefs: 0046F816
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004F25B5
..\..\..\..\Common\Object Model\RuntimeExceptionFoundation.cpp, xrefs: 004F25A5

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Object Model\RuntimeExceptionFoundation.cpp$..\..\..\..\Common\menubar.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$exclass$self->mImp
API String ID: 2938856589-3095474469
Opcode ID: 63d0efd67bf3ef894d2f8ee05331f45511f8dca2ff0fc112c5e36ac03d73ddd2
Instruction ID: 9ddecefd8808279ed535f38a8f1fbfa89b2b021ee325ccf18401042c1c991e2a
Opcode Fuzzy Hash: 63d0efd67bf3ef894d2f8ee05331f45511f8dca2ff0fc112c5e36ac03d73ddd2
Instruction Fuzzy Hash: 99210A716006187BD710EA25EC02F7B7798EF55724F40416AFB05E7381EBB4AD0987D9

Uniqueness

Uniqueness Score: -1.00%

Function 004F21E0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 89windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004F2226

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 004F2240
ExitProcess.KERNEL32 ref: 004F224C

Strings

Runtime Error, xrefs: 004F2233
ptr, xrefs: 004F21FB
z%O, xrefs: 004F21E0
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004F2215
..\..\..\..\Common\Object Model\RuntimeExceptionFoundation.cpp, xrefs: 004F2205
lLP, xrefs: 004F21F3

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Object Model\RuntimeExceptionFoundation.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$lLP$ptr$z%O
API String ID: 2938856589-1820678761
Opcode ID: f900f5b2fa4ae89f2f56a1cc191cf3364a865a8a12a26169ad88800d717b5784
Instruction ID: 953d4bc6abf6773258bb4bec699091c40cb93288babcddf8979e5a6b46d93b02
Opcode Fuzzy Hash: f900f5b2fa4ae89f2f56a1cc191cf3364a865a8a12a26169ad88800d717b5784
Instruction Fuzzy Hash: FF2170B2E0411D17DA348A389E16B777755AB62310F4783E7DF09623C1E6B68E05918A

Uniqueness

Uniqueness Score: -1.00%

Function 0041AAB0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 70windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0041AAF3

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 0041AB0D
ExitProcess.KERNEL32 ref: 0041AB19
SetServiceStatus.ADVAPI32(?,?), ref: 0041AB36
SetServiceStatus.ADVAPI32(?,?), ref: 0041AB6F

Strings

Runtime Error, xrefs: 0041AB00
obj, xrefs: 0041AAC8
..\..\..\..\Common\ConsoleApplication.cpp, xrefs: 0041AAD2
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0041AAE2

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ServiceStatus$ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\ConsoleApplication.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$obj
API String ID: 2083203981-915456421
Opcode ID: c626b79284ca09d06ab2694c43fc6b54f6f7614771fde197ae7fb372ae8260b4
Instruction ID: 4d91d34498639133b6a9454f0bbde884d1b4e2a9e786682546a4eaaed9c5c15d
Opcode Fuzzy Hash: c626b79284ca09d06ab2694c43fc6b54f6f7614771fde197ae7fb372ae8260b4
Instruction Fuzzy Hash: 0D21D1B0601204ABD720DB15DC89FABB7E9BB88700F40011CE70AA7281DB74F985CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A910 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 68windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0041A953

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 0041A96D
ExitProcess.KERNEL32 ref: 0041A979
SetServiceStatus.ADVAPI32(?,?), ref: 0041A996
SetServiceStatus.ADVAPI32(?,?), ref: 0041A9CA

Strings

Runtime Error, xrefs: 0041A960
obj, xrefs: 0041A928
..\..\..\..\Common\ConsoleApplication.cpp, xrefs: 0041A932
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0041A942

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ServiceStatus$ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\ConsoleApplication.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$obj
API String ID: 2083203981-915456421
Opcode ID: d2fdaad0f032bf3a55f216f464793fe0a6e368e3e2db9d5427ec8199489d5e99
Instruction ID: ba8a51c94ec4ad46fcba006c38be8ac06d21922361160510d9685f557ba0f498
Opcode Fuzzy Hash: d2fdaad0f032bf3a55f216f464793fe0a6e368e3e2db9d5427ec8199489d5e99
Instruction Fuzzy Hash: 2121D2F0601604ABD720DB51DD86E9BB7E9FF88700F40051CE60AA7280DB74F989CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A9E0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 68windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0041AA23

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 0041AA3D
ExitProcess.KERNEL32 ref: 0041AA49
SetServiceStatus.ADVAPI32(?,?), ref: 0041AA66
SetServiceStatus.ADVAPI32(?,?), ref: 0041AA9A

Strings

Runtime Error, xrefs: 0041AA30
obj, xrefs: 0041A9F8
..\..\..\..\Common\ConsoleApplication.cpp, xrefs: 0041AA02
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0041AA12

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ServiceStatus$ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\ConsoleApplication.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$obj
API String ID: 2083203981-915456421
Opcode ID: 4c54a4086047918b43d5a5d237abbd01c305828cfcff2f4f64b9682efd67f591
Instruction ID: 2ecc12d3557d9832accb0a165ca96f9414ccbe305a05181c551b81cac5ab36c6
Opcode Fuzzy Hash: 4c54a4086047918b43d5a5d237abbd01c305828cfcff2f4f64b9682efd67f591
Instruction Fuzzy Hash: 3621C3B0241604ABD720DB15DD85E9BB7A8FF48B00F40051CE70AA7280EB74F945CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00426AE0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 57windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00426B2D
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00426B48
ExitProcess.KERNEL32 ref: 00426B55

Strings

Subclassing recordset is not allowed., xrefs: 00426B01
Runtime Error, xrefs: 00426B3A
obj and obj->defn, xrefs: 00426B06
Failed Assertion, xrefs: 00426B15
..\..\..\..\Common\dbInterface.cpp, xrefs: 00426B10
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00426B1C

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess_swprintf
String ID: ..\..\..\..\Common\dbInterface.cpp$Failed Assertion$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$Subclassing recordset is not allowed.$obj and obj->defn
API String ID: 3597307922-744343140
Opcode ID: 2ae85e7028422ab25a4deafeffb92c263286aaefac4a38b6ce89d6b08ba86615
Instruction ID: 5c799a5b540fef988edfd28b042942ef762df3ccd50b1f2b7cf1a0f66842aa0e
Opcode Fuzzy Hash: 2ae85e7028422ab25a4deafeffb92c263286aaefac4a38b6ce89d6b08ba86615
Instruction Fuzzy Hash: 0411E970B402186BDE24DB60EC57FAA7BA8AB54B11F400159EB09B72C1DAB4BE458789

Uniqueness

Uniqueness Score: -1.00%

Function 00567F70 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 49libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,005ACE28,0000000C,00568081,00000000,00000000,?,00000000,005698B4,005664E5,?,?,00401224), ref: 00567F81
GetProcAddress.KERNEL32(?,EncodePointer), ref: 00567FB5
GetProcAddress.KERNEL32(?,DecodePointer), ref: 00567FC5
InterlockedIncrement.KERNEL32(005B0450), ref: 00567FE7
__lock.LIBCMT ref: 00567FEF
___addlocaleref.LIBCMT ref: 0056800E

Strings

KERNEL32.DLL, xrefs: 00567F7C
DecodePointer, xrefs: 00567FBD
EncodePointer, xrefs: 00567FA7

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1036688887-2843748187
Opcode ID: 7590832798e47178adc9ccd948abf0e2f39fb292431697cabe8ac5b960e5d0b8
Instruction ID: 9545af64fd13510b960180749f49c326df9b462278ad1994933cf6a46c80805b
Opcode Fuzzy Hash: 7590832798e47178adc9ccd948abf0e2f39fb292431697cabe8ac5b960e5d0b8
Instruction Fuzzy Hash: 5B11A0719407069FEB20AF79D849B6FBFE0BF44314F10991DE8A993291DB74A944DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00420580 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 004C1230: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004C125F
Part of subcall function 004C1230: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004C1271
Part of subcall function 004C1230: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004C1286

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004208A3
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004208B7
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004208D1
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042092A
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00420938
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00420950

Part of subcall function 004DAAE0: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004DAB12
Part of subcall function 004DAAE0: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004DAB24
Part of subcall function 004DAAE0: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004DAB38

Part of subcall function 004ABB90: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004ABB9E
Part of subcall function 004ABB90: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004ABBB0
Part of subcall function 004ABB90: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ABBC4

Part of subcall function 0042A0C0: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042A101
Part of subcall function 0042A0C0: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0042A113
Part of subcall function 0042A0C0: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0042A12C
Part of subcall function 0042A0C0: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042A261
Part of subcall function 0042A0C0: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0042A273
Part of subcall function 0042A0C0: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042A294
Part of subcall function 0042A0C0: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0042A2A6
Part of subcall function 0042A0C0: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0042A2C3
Part of subcall function 0042A0C0: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0042A2D7
Part of subcall function 0042A0C0: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0042A2EF
Part of subcall function 0042A0C0: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0042A301

Strings

false, xrefs: 00420844
true, xrefs: 00420816

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID: false$true
API String ID: 713024617-2658103896
Opcode ID: 2f9fde969ccabae05ca900f5e7502d514483963df5493786ce8995c33af2ebb2
Instruction ID: 013ddd71537ae523195c5a20951ebc51fd78f83b9869ef1444d4b3da80d64357
Opcode Fuzzy Hash: 2f9fde969ccabae05ca900f5e7502d514483963df5493786ce8995c33af2ebb2
Instruction Fuzzy Hash: 84C19F71E002199FDB10EFA9D881AAFB7F5BF48314F55416AE908AB342D738AD44CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 00403850 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 196COMMON

Download Yara Rule

APIs

Part of subcall function 004AB970: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB981
Part of subcall function 004AB970: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB993
Part of subcall function 004AB970: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB9C2

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00403A75
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00403A87
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00403AA0

Strings

Beta, xrefs: 004039B4
Alpha, xrefs: 004039AD
FileVersion, xrefs: 00403861
Development, xrefs: 004039A6
Release, xrefs: 0040399F

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: Alpha$Beta$Development$FileVersion$Release
API String ID: 3991485460-1804933203
Opcode ID: 4ee4957bde9dace65156a5117bf1c5fe0e6d5001cdbe33eb17d39a04a33c1779
Instruction ID: 90f51aa61101dcae65b62c826409fb7f107834387459b3697863866014b370b3
Opcode Fuzzy Hash: 4ee4957bde9dace65156a5117bf1c5fe0e6d5001cdbe33eb17d39a04a33c1779
Instruction Fuzzy Hash: 4961D770A003059BDB04AF59E846A6B7FF8EF44305F1445B9F949B7381D739AE00DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00529550 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 190windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 005295A7
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 005295C2
ExitProcess.KERNEL32 ref: 005295CF

Strings

Runtime Error, xrefs: 005295B4
s1 and s2, xrefs: 00529580
Failed Assertion, xrefs: 0052958F
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00529596
..\..\..\..\Universal\TextEncodingUtil.cpp, xrefs: 0052958A

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess_swprintf
String ID: ..\..\..\..\Universal\TextEncodingUtil.cpp$Failed Assertion$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$s1 and s2
API String ID: 3597307922-2317075425
Opcode ID: ad08588a151386454c448dce7fcb312ef64882033d0ce00fe5391e46b04571d1
Instruction ID: c01d607104c3e77a6c87e808f00e7ec28fcd81f242c1423c24fb056ba7b84c6a
Opcode Fuzzy Hash: ad08588a151386454c448dce7fcb312ef64882033d0ce00fe5391e46b04571d1
Instruction Fuzzy Hash: AC51EA71B002294BDF209F59EC817A9B7A4FF86714F1401AEEA0DA73C1DB30AD858BD4

Uniqueness

Uniqueness Score: -1.00%

Function 00479120 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 155COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004791A8

Strings

Runtime Error, xrefs: 004792F0
..\..\..\..\Common\Object Model\ObjectDefinition.cpp, xrefs: 004792C6
Invalid Class Definition, xrefs: 004792CB
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004792D2

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: _malloc
String ID: ..\..\..\..\Common\Object Model\ObjectDefinition.cpp$Invalid Class Definition$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s
API String ID: 1579825452-1136829176
Opcode ID: b017c6cbdd11f825ad7b2b0ef1efa44859e8838f99be3f82b2fe80a689d69e61
Instruction ID: cfdfbc0f587034131b27ad77da5aab0bb4b7a73d418c7b027810412e4ac77a55
Opcode Fuzzy Hash: b017c6cbdd11f825ad7b2b0ef1efa44859e8838f99be3f82b2fe80a689d69e61
Instruction Fuzzy Hash: CD51D3B0A002099BDB20DF14DC84BE6B7B4EF44304F5481EADA0DAB342D775ED85CB99

Uniqueness

Uniqueness Score: -1.00%

Function 005348A0 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 151windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 005348EF

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00534909
ExitProcess.KERNEL32 ref: 00534915

Strings

Runtime Error, xrefs: 005348FC
..\..\..\..\Common\VariantConversions.cpp, xrefs: 005348CE
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 005348DE
%PA, xrefs: 00534A5C, 00534A4E, 00534A32, 005349EE
out, xrefs: 005348C7

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: %PA$..\..\..\..\Common\VariantConversions.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$out
API String ID: 2938856589-2481523261
Opcode ID: b505b63a27b4c91c5abde7884ae15461c4f48c1793f088b04e9420d19ddc7a8d
Instruction ID: f7a44109c4acb8245c59e167d12a972a489802d4c7d4244aa16bf9e0af3c5924
Opcode Fuzzy Hash: b505b63a27b4c91c5abde7884ae15461c4f48c1793f088b04e9420d19ddc7a8d
Instruction Fuzzy Hash: 7C416BB27402145BCB10EF55EC86B6FBF9AFB84314F000169EA09A7283CB34AD45CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00534CC0 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 151windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00534D10

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 00534D2A
ExitProcess.KERNEL32 ref: 00534D36

Strings

Runtime Error, xrefs: 00534D1D
..\..\..\..\Common\VariantConversions.cpp, xrefs: 00534CEF
JIA, xrefs: 00534E81, 00534E73, 00534E54, 00534E0C
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00534CFF
out, xrefs: 00534CE5

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\VariantConversions.cpp$JIA$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$out
API String ID: 2938856589-3383191352
Opcode ID: ebd4c3d1bd4953c84569e397d51b4b467939b5425a84c3ea8e317b49cb8ce511
Instruction ID: 62ace9e894888d2fb876e5c328bc175c69c0b142f8a5b36dbf00deb42bd80eaa
Opcode Fuzzy Hash: ebd4c3d1bd4953c84569e397d51b4b467939b5425a84c3ea8e317b49cb8ce511
Instruction Fuzzy Hash: FD4126B1A403049FCB10EF68EC46B6B7FE9FF94304F00046AEA0997282DB74AD45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00403250 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0040329B

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 004032B5
ExitProcess.KERNEL32 ref: 004032C1
SetMenu.USER32(00000000,00000000), ref: 0040332D

Strings

Runtime Error, xrefs: 004032A8
app, xrefs: 00403270
..\..\..\..\Common\application.cpp, xrefs: 0040327A
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0040328A

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMenuMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\application.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$app
API String ID: 2175422193-1823162992
Opcode ID: 5076dfa56aca20dc934ef8d1635b939a8073913a846ffd310a26be3abd4fa4b9
Instruction ID: 22d6652f2e17723fd3887ca54cd19b8c051e08dfc74a975488db17f8fe1828ae
Opcode Fuzzy Hash: 5076dfa56aca20dc934ef8d1635b939a8073913a846ffd310a26be3abd4fa4b9
Instruction Fuzzy Hash: E421D2B16002046BDB24DF14DC46E7BBB6CBB94725F04416DFA06A73C0DB34AD05DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00403DF0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00403E3D

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 00403E57
ExitProcess.KERNEL32 ref: 00403E63

Strings

_Poll, xrefs: 00403EA8
Runtime Error, xrefs: 00403E4A
base, xrefs: 00403E12
..\..\..\..\Common\application.cpp, xrefs: 00403E1C
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00403E2C

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\application.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$_Poll$base
API String ID: 2938856589-4065464488
Opcode ID: 46c7fa22662ba69dbd81e68ab39c94a9a8e5d50f6a07e598d2f6e9022b058479
Instruction ID: 47ffe0e8f8d85a218e34ed943b2c076c3835ba6d54726f179814b583e3f3df94
Opcode Fuzzy Hash: 46c7fa22662ba69dbd81e68ab39c94a9a8e5d50f6a07e598d2f6e9022b058479
Instruction Fuzzy Hash: 4F21A6B1A00314ABDB109F15DC46F5B7BACAF15705F0481A9FA08BB282DB74ED458BE9

Uniqueness

Uniqueness Score: -1.00%

Function 004194D0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000130C,?,00000000), ref: 00419512
_swprintf.LIBCMT ref: 004F25C6

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00CC3738,?,Runtime Error,00000111), ref: 004F25E0
ExitProcess.KERNEL32 ref: 004F25EC

Strings

Runtime Error, xrefs: 004F25D3
exclass, xrefs: 004F259B
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004F25B5
..\..\..\..\Common\Object Model\RuntimeExceptionFoundation.cpp, xrefs: 004F25A5

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Message$ExitProcessSend__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Object Model\RuntimeExceptionFoundation.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$exclass
API String ID: 3312957849-2593986390
Opcode ID: 4ef74ec1f5815a4f8705f0afc54ec745bc0111e8d2a22f602bb9fd00c123c9b2
Instruction ID: c0944c6d3fb4bf0dc7168fa5046bf497a47dcec6c2228a8fa0ed14d67f87e726
Opcode Fuzzy Hash: 4ef74ec1f5815a4f8705f0afc54ec745bc0111e8d2a22f602bb9fd00c123c9b2
Instruction Fuzzy Hash: 9F210271600218BBD720DB18DC8AFEB77A9FB88B10F000065F705A7291DBB4AD45DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00416620 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 60windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00416671
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0041668C
ExitProcess.KERNEL32 ref: 00416699

Strings

..\..\..\..\Common\CommonRunView.cpp, xrefs: 00416654
Runtime Error, xrefs: 0041667E
Failed Assertion, xrefs: 00416659
templateWindow and templateWindow->mEmbeddedWindowControl, xrefs: 0041664A
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00416660

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess_swprintf
String ID: ..\..\..\..\Common\CommonRunView.cpp$Failed Assertion$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$templateWindow and templateWindow->mEmbeddedWindowControl
API String ID: 3597307922-3881049192
Opcode ID: 62333b5d9848d9e6f5dc281fe246b6c1fe51bdc7cf6216437d711c5ef740aaff
Instruction ID: dcb45f323bb9d3bce84cfb726833df3d5b3f9fdc9087e2a791d9e661b8f7e62e
Opcode Fuzzy Hash: 62333b5d9848d9e6f5dc281fe246b6c1fe51bdc7cf6216437d711c5ef740aaff
Instruction Fuzzy Hash: CB118FB1640208BBDB10DF14DC46FAB7BA9EB94704F014159FB08A72C1D6B0B941CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00404770 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 56windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004047B5
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 004047D0
ExitProcess.KERNEL32 ref: 004047DD

Strings

not (idx < 0 || idx >= lCount), xrefs: 0040478E
Runtime Error, xrefs: 004047C2
Failed Assertion, xrefs: 0040479D
..\..\..\..\Common\array.cpp, xrefs: 00404798
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004047A4

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess_swprintf
String ID: ..\..\..\..\Common\array.cpp$Failed Assertion$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$not (idx < 0 || idx >= lCount)
API String ID: 3597307922-1188926444
Opcode ID: db9157fa631f9551f12315778da08cd2a367ee04310e13a7d7a38facdcd2eac5
Instruction ID: ee77ebaf7254a7f80db7568c8a70528f180a3d3d28ce90c96019eff87e8af784
Opcode Fuzzy Hash: db9157fa631f9551f12315778da08cd2a367ee04310e13a7d7a38facdcd2eac5
Instruction Fuzzy Hash: 351129B0340305ABDB28DF54DD97F6AB7A9FB88704F00465DE71A671C0EBB0B9048655

Uniqueness

Uniqueness Score: -1.00%

Function 0041A2A0 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(005F5298), ref: 0041A2D2
_swprintf.LIBCMT ref: 0041A305
MessageBoxA.USER32(005F5900,?,Runtime Error,00000111), ref: 0041A31F
ExitProcess.KERNEL32 ref: 0041A32B

Strings

info, xrefs: 0041A2DD
Runtime Error, xrefs: 0041A312
..\..\..\..\Universal\CommonWinFunctions.cpp, xrefs: 0041A2E4
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0041A2F4

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcessVersion_swprintf
String ID: ..\..\..\..\Universal\CommonWinFunctions.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$info
API String ID: 3383123140-1780989819
Opcode ID: ca8e61cc2818561bc73c9fac2256dc7aef63a7791cabce72b34b4766e23f2ba0
Instruction ID: 62117c8c0a605b18e7def1b466fc9fe5bb940d6df3b94b41b2d31f90aa1fd21b
Opcode Fuzzy Hash: ca8e61cc2818561bc73c9fac2256dc7aef63a7791cabce72b34b4766e23f2ba0
Instruction Fuzzy Hash: 3D01F9706417087BEB20A7609D4FFAA3F58AF25704F400144F709762D1D7B4594DE79A

Uniqueness

Uniqueness Score: -1.00%

Function 004024D0 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 44windowtimeCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00402518

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00402533
ExitProcess.KERNEL32 ref: 00402540
GetMessageTime.USER32 ref: 00402546

Strings

self, xrefs: 004024EB
Runtime Error, xrefs: 00402525
..\..\..\..\Common\application.cpp, xrefs: 004024F5
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00402507

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Message$ExitProcessTime__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\application.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$self
API String ID: 3705116425-540037708
Opcode ID: cfd5d97db80d04c821c6ac4f91b5860704c51f80017e6ae7e316f55de6124081
Instruction ID: d3c4f1bcbb0e0a02649966888c03fd4382fe5fa8b41e0b2148ae1538c41fcda7
Opcode Fuzzy Hash: cfd5d97db80d04c821c6ac4f91b5860704c51f80017e6ae7e316f55de6124081
Instruction Fuzzy Hash: EF0188B0A40308BBEB109B60ED4FB697A68FB55705F404054F70D7A1D1DBB42A84AB59

Uniqueness

Uniqueness Score: -1.00%

Function 02F91900 Relevance: 13.8, APIs: 9, Instructions: 271keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 02F91958
GetKeyState.USER32(00000000), ref: 02F9196D

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 944f3af94cb09c218469807fefca8ba96c938494121c4a71ebe12d97739a9516
Instruction ID: 203d110c2cc904793ebaa1088768b4ae44205fe36d0c3da2b033df407a78ac1a
Opcode Fuzzy Hash: 944f3af94cb09c218469807fefca8ba96c938494121c4a71ebe12d97739a9516
Instruction Fuzzy Hash: E391C172908305AFEF15AF14DC44BAFBBE6EF80395F14482DF688461A0DB759894CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00457B10 Relevance: 13.8, APIs: 9, Instructions: 255COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00457C64
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00457C76
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00457C93
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00457CD5
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00457CE7
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00457D0C
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00457D2B
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00457D3D
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00457D5A

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 166692222570bdffe0fe8002a8c41de68f07a6555a9efd28ae190a9196144f99
Instruction ID: 5c995f5793cb11b5120a141c016b759d65539bcb0a690d554d5730a130b973c9
Opcode Fuzzy Hash: 166692222570bdffe0fe8002a8c41de68f07a6555a9efd28ae190a9196144f99
Instruction Fuzzy Hash: B5818671A082056BDB116F20FC447AB3BA4AF11756F24456AFC45A7393E73D9C4C8BC9

Uniqueness

Uniqueness Score: -1.00%

Function 00527870 Relevance: 13.7, APIs: 9, Instructions: 222COMMON

Download Yara Rule

APIs

Part of subcall function 004AC900: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AC915
Part of subcall function 004AC900: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AC92E
Part of subcall function 004AC900: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AC954
Part of subcall function 004AC900: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AC966
Part of subcall function 004AC900: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC97B
Part of subcall function 004AC900: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC9E2

Part of subcall function 004ABDF0: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004ABDFE
Part of subcall function 004ABDF0: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004ABE10
Part of subcall function 004ABDF0: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ABE37

Part of subcall function 004AC900: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ACA0E

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00527A4D
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00527A65
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00527A82
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00527A94
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527AAD
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527AC9
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00527AE8
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00527AFA
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527B17

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterInitialize
String ID:
API String ID: 3864236774-0
Opcode ID: fac132e21ffbd467a9b1b1883d8ae9235fa07d0f6bf660b1a193de8942234e34
Instruction ID: 835e78ded05de76a4faf7305f8beb6db4ad7e2a505174441003f3fe038b98690
Opcode Fuzzy Hash: fac132e21ffbd467a9b1b1883d8ae9235fa07d0f6bf660b1a193de8942234e34
Instruction Fuzzy Hash: B8812871D0822D9BDF20DF68E8845BE7FB4BF1B324F24455AE855A7282D3349E80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 004AC900 Relevance: 13.6, APIs: 9, Instructions: 113COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AC915
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AC92E
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AC954
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AC966
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC97B
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC9E2
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ACA0E
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ACA25
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ACA3B

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterInitialize
String ID:
API String ID: 3864236774-0
Opcode ID: 74da9fe113831a9be6db2c7aa803013f054b679323412d95b92f73a8bce6f8b7
Instruction ID: adf3741bd9d42d1f879cbb68ffb3475767ba74a52228dc3f347249060bb1f8d5
Opcode Fuzzy Hash: 74da9fe113831a9be6db2c7aa803013f054b679323412d95b92f73a8bce6f8b7
Instruction Fuzzy Hash: 8B31C2713052089FFB00AF19EC84B67BB98FFA2724F1441A6E588DB355C7B8D845CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004089A0 Relevance: 13.6, APIs: 9, Instructions: 105COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00408A0E
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00408A20
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00408A39
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00408A71
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00408A83
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00408A9C
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00408AB4
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00408AC6
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00408ADF

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 68934e485506cf4ed77fab3e055437efb1899609dd8c9383ae616ae724c72c00
Instruction ID: 4f5dff134c254f17dd90baecbaa878816754cedbeaeec0ddf293af7c107ad1ba
Opcode Fuzzy Hash: 68934e485506cf4ed77fab3e055437efb1899609dd8c9383ae616ae724c72c00
Instruction Fuzzy Hash: 3B312771A00209AFEF10AF59ED855BF7BB4BB50324F00016BF9C4B2281CB781D949F96

Uniqueness

Uniqueness Score: -1.00%

Function 00403410 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 310COMMON

Download Yara Rule

APIs

Part of subcall function 0041A360: _memset.LIBCMT ref: 0041A391
Part of subcall function 0041A360: GetVersionExA.KERNEL32(?), ref: 0041A3AA

GetModuleFileNameW.KERNEL32(00400000,?,00000104,0000000B,FileVersion), ref: 0040345C

Part of subcall function 005662C8: _malloc.LIBCMT ref: 005662E0

Part of subcall function 004AB850: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB85E
Part of subcall function 004AB850: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB870
Part of subcall function 004AB850: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB88D

Part of subcall function 004AB970: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB981
Part of subcall function 004AB970: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB993
Part of subcall function 004AB970: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB9C2

GetModuleFileNameA.KERNEL32(00400000,?,00000104,0000000B,FileVersion), ref: 004034E4
74D41540.VERSION(00000000,0057E81C,?,?,0000000B,FileVersion), ref: 00403771

Strings

\StringFileInfo\040904B0\, xrefs: 0040370E
..\..\..\..\Universal\REALstring.cpp, xrefs: 00403696
FileVersion, xrefs: 00403424
\StringFileInfo\040904B0\, xrefs: 00403579, 00403590

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterFileInitializeLeaveModuleName$D41540Version_malloc_memset
String ID: ..\..\..\..\Universal\REALstring.cpp$FileVersion$\StringFileInfo\040904B0\$\StringFileInfo\040904B0\
API String ID: 4278650574-1881871969
Opcode ID: cfee3099fa03efb9ff47f56fd602e0dfb08e342f458852db37cb4a96b141464d
Instruction ID: b9e92e2ebdc8e3121a8fd7754c3a35fe884f377a6fe79c8461a2a4871e7bf0d0
Opcode Fuzzy Hash: cfee3099fa03efb9ff47f56fd602e0dfb08e342f458852db37cb4a96b141464d
Instruction Fuzzy Hash: BCB1A4729001199BCB20EF94DC85AEB7779EB54705F0446EEE9087B242D738AF84CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 004166E0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 141windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00416731

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 0041674B
ExitProcess.KERNEL32 ref: 00416757

Strings

..\..\..\..\Common\CommonRunView.cpp, xrefs: 00416710
Runtime Error, xrefs: 0041673E
templateWindow, xrefs: 00416706
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00416720

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\CommonRunView.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$templateWindow
API String ID: 2938856589-1297713521
Opcode ID: 177a8b06615f44f3c8f4cebc3ce44bd32e26315c1aab2181c33a1dfd86fdbad2
Instruction ID: 23985a3f0b69a6e4a7fe11663629c29425ab597cd5813f2e12bb5d93fef40e3d
Opcode Fuzzy Hash: 177a8b06615f44f3c8f4cebc3ce44bd32e26315c1aab2181c33a1dfd86fdbad2
Instruction Fuzzy Hash: 3441E471A012046BCB20EF25DD45FBB77A9AF54718F05416EEA0997381EB38EC85C758

Uniqueness

Uniqueness Score: -1.00%

Function 00535720 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 135windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00535770

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0053578A
ExitProcess.KERNEL32 ref: 00535796

Strings

Runtime Error, xrefs: 0053577D
..\..\..\..\Common\VariantConversions.cpp, xrefs: 0053574F
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0053575F
out, xrefs: 00535745

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\VariantConversions.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$out
API String ID: 2938856589-3375310924
Opcode ID: 26920bb594b1bd6d0963d293593925e474b29627ae05f6a82b634dd33d7ca80d
Instruction ID: 16f917552c6f4e57371662b33227e9075c28a821ab2326d2ed4eee7e89f9ee63
Opcode Fuzzy Hash: 26920bb594b1bd6d0963d293593925e474b29627ae05f6a82b634dd33d7ca80d
Instruction Fuzzy Hash: C0416CB1A402185BCB20AF21EC56AAF7FA9FF45314F00106AE909A7252EB745D858BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00418610 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0041865E

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 00418678
ExitProcess.KERNEL32 ref: 00418684

Strings

..\..\..\..\Common\CommonRunView.cpp, xrefs: 0041863D
Runtime Error, xrefs: 0041866B
thePane, xrefs: 00418633
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0041864D

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\CommonRunView.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$thePane
API String ID: 2938856589-1570630653
Opcode ID: 481f2b959935d177b853b303e734e0c57f365aa42aa2f7ac330f9c49ac819b90
Instruction ID: 5ba366a40349e1e72399818f428791b398fa0c680e9b74c9805378f1aa176db0
Opcode Fuzzy Hash: 481f2b959935d177b853b303e734e0c57f365aa42aa2f7ac330f9c49ac819b90
Instruction Fuzzy Hash: 99414EB1600618ABC724DF19CC81FABB7A5BF48704F14829DE61997281DB34ED85CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00410200 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 118windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0041025B

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00410273
ExitProcess.KERNEL32 ref: 0041027F

Strings

embeddedWindowControl->mTemplateWindow, xrefs: 00410232
Runtime Error, xrefs: 00410268
..\..\..\..\Common\Canvas.cpp, xrefs: 0041023C
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0041024C

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Canvas.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$embeddedWindowControl->mTemplateWindow
API String ID: 2938856589-1276149059
Opcode ID: a040dbfda661196dbee5883150cdbc2de8e60f0752cf77ea14f04c0299c4a458
Instruction ID: f160e8f73977974a5bf60f7675b81944ef050cc6431c82207191f7587b4dcee7
Opcode Fuzzy Hash: a040dbfda661196dbee5883150cdbc2de8e60f0752cf77ea14f04c0299c4a458
Instruction Fuzzy Hash: B641D2716043099BD720DF18D885AABB7E9FFD4700F00861EF96897241DB75EC85CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00504430 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 99windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00504478

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 00504492
ExitProcess.KERNEL32 ref: 0050449E

Strings

Runtime Error, xrefs: 00504485
thread, xrefs: 0050444D
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00504467
..\..\..\..\Common\ClassLib\RuntimeThread.cpp, xrefs: 00504457

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\ClassLib\RuntimeThread.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$thread
API String ID: 2938856589-2219531671
Opcode ID: 2e4d999efa81b3c710bd9cdac0758cc761acc1a299e95d04e296981546518e6d
Instruction ID: 2563d84dfb147a82a5f3b126cfc456fe399036786c4e9af1d0debe59ebecfa51
Opcode Fuzzy Hash: 2e4d999efa81b3c710bd9cdac0758cc761acc1a299e95d04e296981546518e6d
Instruction Fuzzy Hash: 553108F1500505ABDB20DF29EC46B7E7BA4BF11318F00422DE618962C2E734E945CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 00410370 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004103C4

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 004103DC
ExitProcess.KERNEL32 ref: 004103E8

Strings

embeddedWindowControl->mTemplateWindow, xrefs: 0041039B
Runtime Error, xrefs: 004103D1
..\..\..\..\Common\Canvas.cpp, xrefs: 004103A5
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004103B5

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Canvas.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$embeddedWindowControl->mTemplateWindow
API String ID: 2938856589-1276149059
Opcode ID: d26ba902573ef49ec2b422e89958e3f483cdfc0916f546a5cbf2081bf9c018bb
Instruction ID: 450e8a0f9174e324bbb60bfc18ff69cee5da78a25e98873e9149b110a4a2bb92
Opcode Fuzzy Hash: d26ba902573ef49ec2b422e89958e3f483cdfc0916f546a5cbf2081bf9c018bb
Instruction Fuzzy Hash: 0B3122716043059BC720CF14C8C1EABB7E9BFD4300F00461EEA5893251DB74E8C9CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040FDC0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 76windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0040FE0F

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0040FE2A
ExitProcess.KERNEL32 ref: 0040FE37

Strings

embeddedWindowControl->mTemplateWindow, xrefs: 0040FDE2
Runtime Error, xrefs: 0040FE1C
..\..\..\..\Common\Canvas.cpp, xrefs: 0040FDEC
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0040FDFE

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Canvas.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$embeddedWindowControl->mTemplateWindow
API String ID: 2938856589-1276149059
Opcode ID: 9d2894a746345ee5b447527e6945fa0f8705ff3169626fcdc732a614eb5ff5c8
Instruction ID: 9adf973f2fdae2e95659725cf3df87f956d8bf81fe6568262e4973ac2e70582a
Opcode Fuzzy Hash: 9d2894a746345ee5b447527e6945fa0f8705ff3169626fcdc732a614eb5ff5c8
Instruction Fuzzy Hash: FD21B070604208ABDF20CF50DC46F6B73A9BB58700F008178EB09AB6D2DA74AC499BE4

Uniqueness

Uniqueness Score: -1.00%

Function 0040FF80 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0040FFCF

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0040FFEA
ExitProcess.KERNEL32 ref: 0040FFF7

Strings

embeddedWindowControl->mTemplateWindow, xrefs: 0040FFA2
Runtime Error, xrefs: 0040FFDC
..\..\..\..\Common\Canvas.cpp, xrefs: 0040FFAC
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0040FFBE

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Canvas.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$embeddedWindowControl->mTemplateWindow
API String ID: 2938856589-1276149059
Opcode ID: 84a9fe77735db25ea22132be8882a177f31157b8fad42af271fb0ce876f29d76
Instruction ID: 426243dd2ffa3e2c4fe4567919faad60c1c720c2a29e27f610bb4d833a450e1e
Opcode Fuzzy Hash: 84a9fe77735db25ea22132be8882a177f31157b8fad42af271fb0ce876f29d76
Instruction Fuzzy Hash: 0421D470700208ABEB14CB50DC56FAB77A9EF49700F108159EA0DAB2C2CB75AC859B98

Uniqueness

Uniqueness Score: -1.00%

Function 00508610 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 70windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00508657

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 00508671
ExitProcess.KERNEL32 ref: 0050867D

Strings

Runtime Error, xrefs: 00508664
..\..\..\..\Common\ClassLib\RuntimeWindow.cpp, xrefs: 00508636
view, xrefs: 0050862C
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00508646

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\ClassLib\RuntimeWindow.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$view
API String ID: 2938856589-103081643
Opcode ID: dd8466a74554cf74a4aedc3872a766cc644a68ba9c4a232e44d318ef0e0a50f2
Instruction ID: fe09141b51fe5275206dea2fae819e9f492785977e3e0e2762d1987b2d9ae9aa
Opcode Fuzzy Hash: dd8466a74554cf74a4aedc3872a766cc644a68ba9c4a232e44d318ef0e0a50f2
Instruction Fuzzy Hash: D8112770904608ABCF20AB20AC46FFF7F68BF15314F440199F98A672C2DE716988C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 0055BF10 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0055BF2C
ClientToScreen.USER32(?,?), ref: 0055BF40
ClientToScreen.USER32(?,?), ref: 0055BF4A
GetClassNameA.USER32(?,?,00000040), ref: 0055BF5F
ScreenToClient.USER32(00000000,?), ref: 0055BF8B
ScreenToClient.USER32(00000000,?), ref: 0055BF98

Strings

RB_MDICHILD, xrefs: 0055BF68

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Client$Screen$ClassNameRect
String ID: RB_MDICHILD
API String ID: 1044610182-1170157637
Opcode ID: 33c427cbc39f7918a59f79b64fa65f1ff83c1a08e6a907fd75f9c6349b5d3538
Instruction ID: 95abf5bb1c93460ad55c509fe0e4640793cf59fd654e304365319f3eaff09886
Opcode Fuzzy Hash: 33c427cbc39f7918a59f79b64fa65f1ff83c1a08e6a907fd75f9c6349b5d3538
Instruction Fuzzy Hash: C021887590020D9BDB14DFE5DC84CBFBBB8FF98700F008509E905AB214EB74A989DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004143D0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00414427

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 00414441
ExitProcess.KERNEL32 ref: 0041444D

Strings

structure, xrefs: 004143FC
Runtime Error, xrefs: 00414434
..\..\..\..\Common\commonruntime.cpp, xrefs: 00414406
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00414416

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\commonruntime.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$structure
API String ID: 2938856589-3710486091
Opcode ID: 80b626de7e1292576a18cb58b1577b5f0bcc4a81bb645fd8d587414d79fb2b7f
Instruction ID: 8fc1ef778421a092a838cdcd8a42e7d0afbbd3e1a9e3cbdcae97399043b252c4
Opcode Fuzzy Hash: 80b626de7e1292576a18cb58b1577b5f0bcc4a81bb645fd8d587414d79fb2b7f
Instruction Fuzzy Hash: C311B2B1600208BBDB10DF14DC86EBBB77CEF85704F404099FB09A7281DB70AD459BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00509F00 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00509F43

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 00509F5D
ExitProcess.KERNEL32 ref: 00509F69

Strings

form, xrefs: 00509F18
Runtime Error, xrefs: 00509F50
..\..\..\..\Common\ClassLib\RuntimeWindow.cpp, xrefs: 00509F22
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00509F32

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\ClassLib\RuntimeWindow.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$form
API String ID: 2938856589-2857480298
Opcode ID: 1396205747040e49e38adfb9b4d1e954e890692f58f649b4ef5f58cac81cd6bd
Instruction ID: cb6904f1fd274379518606cce9eb231925e5f0405f2fe0270f3680269ffdff31
Opcode Fuzzy Hash: 1396205747040e49e38adfb9b4d1e954e890692f58f649b4ef5f58cac81cd6bd
Instruction Fuzzy Hash: 9411E470605209ABDB25CB10DD42BAEBB69AF14704F00019CE709AB2C6CB709E85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00410060 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004100AF

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 004100CA
ExitProcess.KERNEL32 ref: 004100D7

Strings

embeddedWindowControl->mTemplateWindow, xrefs: 00410082
Runtime Error, xrefs: 004100BC
..\..\..\..\Common\Canvas.cpp, xrefs: 0041008C
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0041009E

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Canvas.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$embeddedWindowControl->mTemplateWindow
API String ID: 2938856589-1276149059
Opcode ID: b96909a81dac6b2c8ec881eee52c2da6fff071721a059a7e7efdab67992dd93f
Instruction ID: d0cf1bc93602a3ad19c67e6e51da764d9b833a57f84b7311742d9acbf2e91186
Opcode Fuzzy Hash: b96909a81dac6b2c8ec881eee52c2da6fff071721a059a7e7efdab67992dd93f
Instruction Fuzzy Hash: B111D3B0700208ABEB14DB10DC47FA77779FB48704F008159EB09AB2C2D7B5ACC58BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00410130 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0041017F

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0041019A
ExitProcess.KERNEL32 ref: 004101A7

Strings

embeddedWindowControl->mTemplateWindow, xrefs: 00410152
Runtime Error, xrefs: 0041018C
..\..\..\..\Common\Canvas.cpp, xrefs: 0041015C
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0041016E

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Canvas.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$embeddedWindowControl->mTemplateWindow
API String ID: 2938856589-1276149059
Opcode ID: 59e3384fe84e03018f6bdf6b80acff7ed01464fdcbae12fdaa2ed0d6a609a494
Instruction ID: 3147477af9e220f35c590fca2ef3081be28a11a081b4e620ef4f3d419cd8b6fa
Opcode Fuzzy Hash: 59e3384fe84e03018f6bdf6b80acff7ed01464fdcbae12fdaa2ed0d6a609a494
Instruction Fuzzy Hash: 2811D3B0740208ABEB14DB50DC46FAB7379FB48700F408558EB099B2C1DBB9AD85CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040FAA0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0040FAEF

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0040FB0A
ExitProcess.KERNEL32 ref: 0040FB17

Strings

embeddedWindowControl->mTemplateWindow, xrefs: 0040FAC2
Runtime Error, xrefs: 0040FAFC
..\..\..\..\Common\Canvas.cpp, xrefs: 0040FACC
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0040FADE

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Canvas.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$embeddedWindowControl->mTemplateWindow
API String ID: 2938856589-1276149059
Opcode ID: 4cc207e20d89fa227b33c2978edba5ccfa695135d28278f0b382d1c9c34617fb
Instruction ID: 557df9f046efb3636c1adce9bcef5e25bbacfeafd3e9a6ac709520a0ffec8e7d
Opcode Fuzzy Hash: 4cc207e20d89fa227b33c2978edba5ccfa695135d28278f0b382d1c9c34617fb
Instruction Fuzzy Hash: C91181B0740208ABEB24DB50DC56F677779BB58B00F508178EB09AB2C1D774BD498F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040FCF0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0040FD43

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0040FD5E
ExitProcess.KERNEL32 ref: 0040FD6B

Strings

embeddedWindowControl->mTemplateWindow, xrefs: 0040FD16
Runtime Error, xrefs: 0040FD50
..\..\..\..\Common\Canvas.cpp, xrefs: 0040FD20
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0040FD32

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Canvas.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$embeddedWindowControl->mTemplateWindow
API String ID: 2938856589-1276149059
Opcode ID: 7e8eb63819a1407e317bea8f1d9f5f45f0e19f28c675061483a7d1cb47e06159
Instruction ID: 3e2c8660a1ed0be6678dcb455333ec8ef9a8c69f450e538e9c3a0b64ce14029e
Opcode Fuzzy Hash: 7e8eb63819a1407e317bea8f1d9f5f45f0e19f28c675061483a7d1cb47e06159
Instruction Fuzzy Hash: BF11D370700204ABEB24DB11DC46F677769FF84701F404179EB0ABB2C1DB74AD498BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040FEB0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0040FF03

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0040FF1E
ExitProcess.KERNEL32 ref: 0040FF2B

Strings

embeddedWindowControl->mTemplateWindow, xrefs: 0040FED6
Runtime Error, xrefs: 0040FF10
..\..\..\..\Common\Canvas.cpp, xrefs: 0040FEE0
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0040FEF2

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Canvas.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$embeddedWindowControl->mTemplateWindow
API String ID: 2938856589-1276149059
Opcode ID: 1910e4a5d48ff75890f909e4f7cfa58f612ef53a2337734b7ee8ce485f700456
Instruction ID: 9de8754fe79f9f662b2dafe8f1686a1b05bdcf4f77a6d9db7c14e01d804d3c7a
Opcode Fuzzy Hash: 1910e4a5d48ff75890f909e4f7cfa58f612ef53a2337734b7ee8ce485f700456
Instruction Fuzzy Hash: 1711D370700205ABEB24DB10DC46F6B7769BB55700F408179FB09BB2C1CB74AD49CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041A850 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 60windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0041A897

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 0041A8B1
ExitProcess.KERNEL32 ref: 0041A8BD

Strings

Runtime Error, xrefs: 0041A8A4
obj, xrefs: 0041A86C
..\..\..\..\Common\ConsoleApplication.cpp, xrefs: 0041A876
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0041A886

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\ConsoleApplication.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$obj
API String ID: 2938856589-915456421
Opcode ID: d10dff01f7d374d9f8fcd69c51e94d89a16a22cd925af9f2795be6567345d2cb
Instruction ID: d2fdf1b62e1820d0d77b8b27fd813a53bbb9683dab5e6ced0d859c9b91d41b75
Opcode Fuzzy Hash: d10dff01f7d374d9f8fcd69c51e94d89a16a22cd925af9f2795be6567345d2cb
Instruction Fuzzy Hash: F71108B0B02204ABDB20EF14DC46FBB77A8EF14714F004119F605E72C1E774AA4ADB89

Uniqueness

Uniqueness Score: -1.00%

Function 00505060 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 005050A7

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 005050C1
ExitProcess.KERNEL32 ref: 005050CD

Strings

Runtime Error, xrefs: 005050B4
thread, xrefs: 0050507C
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00505096
..\..\..\..\Common\ClassLib\RuntimeThread.cpp, xrefs: 00505086

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\ClassLib\RuntimeThread.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$thread
API String ID: 2938856589-2219531671
Opcode ID: 4bc66d96b5e60c9946a2ecfd0ed86785c501cb9d46cf01633c4fb9e6b80a19a9
Instruction ID: 172e23ea64eb10f9a29be5ca1558db788d38ff49081f30e1b13795b40c94b3c8
Opcode Fuzzy Hash: 4bc66d96b5e60c9946a2ecfd0ed86785c501cb9d46cf01633c4fb9e6b80a19a9
Instruction Fuzzy Hash: 2D11AF70600B04ABDB20DF18DC8AB6B7BA5BF15324F400758E2199B1D1E770A989CFD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F9E0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0040FA2F

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0040FA4A
ExitProcess.KERNEL32 ref: 0040FA57

Strings

embeddedWindowControl->mTemplateWindow, xrefs: 0040FA02
Runtime Error, xrefs: 0040FA3C
..\..\..\..\Common\Canvas.cpp, xrefs: 0040FA0C
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0040FA1E

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Canvas.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$embeddedWindowControl->mTemplateWindow
API String ID: 2938856589-1276149059
Opcode ID: 404b26816c91fe898d80d9d312f66e005835b40d7f41c6f2d849e37d5854e13b
Instruction ID: 7791f5aa1409dd76c7b2fce4f753e081122e262ac7ca962b154aa12134236787
Opcode Fuzzy Hash: 404b26816c91fe898d80d9d312f66e005835b40d7f41c6f2d849e37d5854e13b
Instruction Fuzzy Hash: C511C8B0740208EBEB24DB50DC46F6677A9EB18700F404178EB0DAB2C1DBB4AD498B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB70 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0040FBBF

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0040FBDA
ExitProcess.KERNEL32 ref: 0040FBE7

Strings

embeddedWindowControl->mTemplateWindow, xrefs: 0040FB92
Runtime Error, xrefs: 0040FBCC
..\..\..\..\Common\Canvas.cpp, xrefs: 0040FB9C
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0040FBAE

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Canvas.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$embeddedWindowControl->mTemplateWindow
API String ID: 2938856589-1276149059
Opcode ID: ec91e15c9b31d8aff63c06542af1f5510470ecb553ed0047b479c0e4a6afa814
Instruction ID: 42bbf660c3f7e770e46573e6c535a7652b9ba2d52081089bb5fd08b3bd9ec717
Opcode Fuzzy Hash: ec91e15c9b31d8aff63c06542af1f5510470ecb553ed0047b479c0e4a6afa814
Instruction Fuzzy Hash: AE11C4B0744208ABFB24DB10DC47F667769BB54700F004178EB09AB2C1CB74BC898B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040FC30 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0040FC7F

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0040FC9A
ExitProcess.KERNEL32 ref: 0040FCA7

Strings

embeddedWindowControl->mTemplateWindow, xrefs: 0040FC52
Runtime Error, xrefs: 0040FC8C
..\..\..\..\Common\Canvas.cpp, xrefs: 0040FC5C
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0040FC6E

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Canvas.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$embeddedWindowControl->mTemplateWindow
API String ID: 2938856589-1276149059
Opcode ID: 948c9249699ae3b5fcc3dbb58a1edc6469ee038539fd6b156dd0b7121b37c2d8
Instruction ID: b7820e54e3fb57259778259f324e726992b555f44cf4377951633fc8df1dfe0e
Opcode Fuzzy Hash: 948c9249699ae3b5fcc3dbb58a1edc6469ee038539fd6b156dd0b7121b37c2d8
Instruction Fuzzy Hash: 6711C1B074420CABFB24DB10DC47F6A77A9BB14704F004178EB09AB6C1DB74AC899B98

Uniqueness

Uniqueness Score: -1.00%

Function 004104A0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004104EF

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0041050A
ExitProcess.KERNEL32 ref: 00410517

Strings

embeddedWindowControl->mTemplateWindow, xrefs: 004104C2
Runtime Error, xrefs: 004104FC
..\..\..\..\Common\Canvas.cpp, xrefs: 004104CC
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004104DE

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Canvas.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$embeddedWindowControl->mTemplateWindow
API String ID: 2938856589-1276149059
Opcode ID: 5f247103b1c99d53c9c03c3b182d7333847e0ca8609ae887ce13a3d8de52aa91
Instruction ID: d6ab6d8262c8d6098c7608a156974348ff8b2700a3ef8c0cb406650087cd4fb0
Opcode Fuzzy Hash: 5f247103b1c99d53c9c03c3b182d7333847e0ca8609ae887ce13a3d8de52aa91
Instruction Fuzzy Hash: 9811C4B0744208ABEB24DB10DC46FA7776ABB14704F404158EB0DAB2C1DBB4ADC49F98

Uniqueness

Uniqueness Score: -1.00%

Function 00410560 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004105AF

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 004105CA
ExitProcess.KERNEL32 ref: 004105D7

Strings

embeddedWindowControl->mTemplateWindow, xrefs: 00410582
Runtime Error, xrefs: 004105BC
..\..\..\..\Common\Canvas.cpp, xrefs: 0041058C
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0041059E

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Canvas.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$embeddedWindowControl->mTemplateWindow
API String ID: 2938856589-1276149059
Opcode ID: 7e9a31f6ba9643b5266be36597b0eecb9c5619ab3bd1087ca0dd0fa15f2a0c3c
Instruction ID: c1631eebbc12154da724d3aab5dc77ec21f00c3c4db80c6e41f1295c19d57155
Opcode Fuzzy Hash: 7e9a31f6ba9643b5266be36597b0eecb9c5619ab3bd1087ca0dd0fa15f2a0c3c
Instruction Fuzzy Hash: 6811E7B0740204ABEB24DB10DC46FA77769FB54704F404159EB09AB2C5DBB4EDC4CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00422C10 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00422C54

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 00422C6E
ExitProcess.KERNEL32 ref: 00422C7A

Strings

date, xrefs: 00422C2C
Runtime Error, xrefs: 00422C61
..\..\..\..\Common\DateCommon.cpp, xrefs: 00422C33
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00422C43

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\DateCommon.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$date
API String ID: 2938856589-4011707887
Opcode ID: 17c74895b7747a1a56ee2a49993518af39de9ffd4df5f8e77125624d5af13f38
Instruction ID: ad9bdccba8d8c0ff4a24c648288a512fa0b00d464509889d622c9637287605d4
Opcode Fuzzy Hash: 17c74895b7747a1a56ee2a49993518af39de9ffd4df5f8e77125624d5af13f38
Instruction Fuzzy Hash: 68012671A00229B7D720AB54ED43FAB775CAF15704F40025AFB04B32C1DBB46D0487E9

Uniqueness

Uniqueness Score: -1.00%

Function 004190C0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 52windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0041910E

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00419129
ExitProcess.KERNEL32 ref: 00419136

Strings

..\..\..\..\Common\CommonRunView.cpp, xrefs: 004190EB
Runtime Error, xrefs: 0041911B
ctl->mDelegate == this, xrefs: 004190E1
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004190FD

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\CommonRunView.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$ctl->mDelegate == this
API String ID: 2938856589-734484465
Opcode ID: 1b22f103642893bfdc6e9dc99ed688191c1ac911972d8619e8bfc84634a31ba7
Instruction ID: 275804ad04040bf70976c57296ebee996c88246051d312daaf5fb6fa6a7670cd
Opcode Fuzzy Hash: 1b22f103642893bfdc6e9dc99ed688191c1ac911972d8619e8bfc84634a31ba7
Instruction Fuzzy Hash: AF0149B17402057BEB20DB10DC47F6AFB68FB54B10F104115FB08AB2C1CBB0AD818799

Uniqueness

Uniqueness Score: -1.00%

Function 004FF870 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 51windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004FF8B3

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 004FF8CD
ExitProcess.KERNEL32 ref: 004FF8D9

Strings

Runtime Error, xrefs: 004FF8C0
..\..\..\..\Common\Object Model\RuntimeObjectFoundation.cpp, xrefs: 004FF892
objToRemove, xrefs: 004FF888
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004FF8A2

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Object Model\RuntimeObjectFoundation.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$objToRemove
API String ID: 2938856589-2513012311
Opcode ID: 8f8f0e441f89d4bfaab912e1b6a922c3f85e1505202e58f4d1fc79a934c6a71a
Instruction ID: 07b50d9a1ca2a8cd9f385fed78efcecb97f2d54ac7751bdc39b7228429312594
Opcode Fuzzy Hash: 8f8f0e441f89d4bfaab912e1b6a922c3f85e1505202e58f4d1fc79a934c6a71a
Instruction Fuzzy Hash: 741152B0A40708ABDB34DF24DD46E6B77E8AF54700F400569EB05A7281DB74E909DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004031B0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004031F7

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 00403211
ExitProcess.KERNEL32 ref: 0040321D

Strings

Runtime Error, xrefs: 00403204
app, xrefs: 004031CC
..\..\..\..\Common\application.cpp, xrefs: 004031D6
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004031E6

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\application.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$app
API String ID: 2938856589-1823162992
Opcode ID: 3b2672761b58288b2b58594e3e6b15436ab3c10fc7cd4a68f9e5e668348efc5c
Instruction ID: 020b55be4bc796e4b67d937107624e9f8d8542b64d0c1f31ea48d7d570487295
Opcode Fuzzy Hash: 3b2672761b58288b2b58594e3e6b15436ab3c10fc7cd4a68f9e5e668348efc5c
Instruction Fuzzy Hash: 0701D6B0A002086BDB24DF14EC46E6B7BACEF08714F40409DFB09B72C1DB74AE059A99

Uniqueness

Uniqueness Score: -1.00%

Function 0045CAF0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0045CB33

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 0045CB4D
ExitProcess.KERNEL32 ref: 0045CB59

Strings

meth, xrefs: 0045CB0B
Runtime Error, xrefs: 0045CB40
..\..\..\..\Common\intrinsicClass.cpp, xrefs: 0045CB12
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0045CB22

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\intrinsicClass.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$meth
API String ID: 2938856589-2245330249
Opcode ID: 32a63db67ab71b151eac2e53c5ded4e15e949509a6e61a69848fd2c9b7b9a348
Instruction ID: 77bb4fc5336333bfa3c3bd267d3b2922cc93b588f931443ccacd01d4358e0f56
Opcode Fuzzy Hash: 32a63db67ab71b151eac2e53c5ded4e15e949509a6e61a69848fd2c9b7b9a348
Instruction Fuzzy Hash: 210128B0A412147BDA20AB10AC47EAB779CDF15701F000159FF0577282EB74BE0986E9

Uniqueness

Uniqueness Score: -1.00%

Function 005042E0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00504323

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(005C2A9C,?,Runtime Error,00000111), ref: 0050433D
ExitProcess.KERNEL32 ref: 00504349

Strings

Runtime Error, xrefs: 00504330
thread, xrefs: 005042F8
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00504312
..\..\..\..\Common\ClassLib\RuntimeThread.cpp, xrefs: 00504302

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\ClassLib\RuntimeThread.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$thread
API String ID: 2938856589-2219531671
Opcode ID: 08875e2ff1c92cf109bca976db3e8eb55e59c4e1435607a3c5cb07d4cd1d4c32
Instruction ID: 991ca71571858b151e5a02f70c151082137efe82a3753bad2c32cf378eef18fb
Opcode Fuzzy Hash: 08875e2ff1c92cf109bca976db3e8eb55e59c4e1435607a3c5cb07d4cd1d4c32
Instruction Fuzzy Hash: DB01E1B0501208ABDB20EF20DC57AAE7FA8BF55700F40455CF78AA7181DB70AA49CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00410BA0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00410BE9

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 00410C03
ExitProcess.KERNEL32 ref: 00410C0F

Strings

Runtime Error, xrefs: 00410BF6
w~A, xrefs: 00410C15
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00410BD8
c:\RB\Universal\StringMap.h, xrefs: 00410BC8

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$c:\RB\Universal\StringMap.h$w~A
API String ID: 2938856589-2138571140
Opcode ID: 198e0314b6f70bdea73cd173165fd9546eae2a48c057e4dc883e2ec9da7e338f
Instruction ID: 0580424719e8ef13fbd5a29e33c1d035d821919709885cc045daec2ca434994b
Opcode Fuzzy Hash: 198e0314b6f70bdea73cd173165fd9546eae2a48c057e4dc883e2ec9da7e338f
Instruction Fuzzy Hash: 7011A1B0600709ABC720DF15DD4AB26FBF8BF94B04F00455DE709A3281EBB4A9899BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00402430 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 46windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00402478

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00402493
ExitProcess.KERNEL32 ref: 004024A0

Strings

self, xrefs: 0040244B
Runtime Error, xrefs: 00402485
..\..\..\..\Common\application.cpp, xrefs: 00402455
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00402467

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\application.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$self
API String ID: 2938856589-540037708
Opcode ID: 2e68a6081a1b93b63429d24d71518e7a8d380910640e7c461511c4ff87f50f93
Instruction ID: 1e006a937b1bee4de12eb3b93f149a3e443b541f8aa9d3024aa728d93e799bb0
Opcode Fuzzy Hash: 2e68a6081a1b93b63429d24d71518e7a8d380910640e7c461511c4ff87f50f93
Instruction Fuzzy Hash: 1B0126B0B40308BBEF20EB50EC4BF6A7768AB58B05F004054F7097B1C1DAF46A44DB99

Uniqueness

Uniqueness Score: -1.00%

Function 004023A0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 43windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004023E7

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 00402401
ExitProcess.KERNEL32 ref: 0040240D

Strings

self, xrefs: 004023BC
Runtime Error, xrefs: 004023F4
..\..\..\..\Common\application.cpp, xrefs: 004023C6
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004023D6

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\application.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$self
API String ID: 2938856589-540037708
Opcode ID: aa4c9c952133b6866cb40ab0e6259d99f54ba9a279ab249fce906471fd48d5c6
Instruction ID: d69bfa1df5165fb2cd826cf5edecb59ff943a6ae940a4d4061ada326d6f07ee9
Opcode Fuzzy Hash: aa4c9c952133b6866cb40ab0e6259d99f54ba9a279ab249fce906471fd48d5c6
Instruction Fuzzy Hash: 6C01A2B0641318A7DB209B10AD8BEAA7B68AB55704F4000A5FB09772C2DBB06A459699

Uniqueness

Uniqueness Score: -1.00%

Function 00402310 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 42windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00402357

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 00402371
ExitProcess.KERNEL32 ref: 0040237D

Strings

self, xrefs: 0040232C
Runtime Error, xrefs: 00402364
..\..\..\..\Common\application.cpp, xrefs: 00402336
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00402346

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\application.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$self
API String ID: 2938856589-540037708
Opcode ID: 405f974e822dd981bd3d24f8edb94b8eeb48dd63c22379f72664161b24c6e009
Instruction ID: 4ebd426a6ba40c69fb1a872727ee8da5522840ac56439931d75a7080f39718a8
Opcode Fuzzy Hash: 405f974e822dd981bd3d24f8edb94b8eeb48dd63c22379f72664161b24c6e009
Instruction Fuzzy Hash: 7EF0D6B0A4031877DB20DB10ED4BEAA7BACAF15B00F400195FB09771C1DBB46E459A99

Uniqueness

Uniqueness Score: -1.00%

Function 0051DCD0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 40windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0051DD18

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0051DD33
ExitProcess.KERNEL32 ref: 0051DD40

Strings

Runtime Error, xrefs: 0051DD25
..\..\..\..\Common\SubPane.cpp, xrefs: 0051DCF5
mRunControl == nil, xrefs: 0051DCEB
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0051DD07

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\SubPane.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$mRunControl == nil
API String ID: 2938856589-173778899
Opcode ID: 039b76a78506227fefff4ae21c0630e91794c6a069e76a84c7494daf3dc52059
Instruction ID: f6bc339737cdb7a14600b963f375d016c2f562b1176a064c89f2430b9967dc06
Opcode Fuzzy Hash: 039b76a78506227fefff4ae21c0630e91794c6a069e76a84c7494daf3dc52059
Instruction Fuzzy Hash: F00181B0A40308ABEB24DB50DD8BFAA7BB8AB54B04F404158F7066A1C1DBB06945DA69

Uniqueness

Uniqueness Score: -1.00%

Function 00486E90 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 40windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00486ED8

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00486EF3
ExitProcess.KERNEL32 ref: 00486F00

Strings

not mDelegate, xrefs: 00486EAB
Runtime Error, xrefs: 00486EE5
..\..\..\..\Common\ClassLib\pane.cpp, xrefs: 00486EB5
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00486EC7

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\ClassLib\pane.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$not mDelegate
API String ID: 2938856589-880898654
Opcode ID: d6ff5005d40e527f40d7f88f86c4f376e14ee30e13f00af49360c522d6955870
Instruction ID: 7a3a41fdbc4f600eea566c5c521c10017b0206b24cf70ec05bd810593246d956
Opcode Fuzzy Hash: d6ff5005d40e527f40d7f88f86c4f376e14ee30e13f00af49360c522d6955870
Instruction Fuzzy Hash: EC01F9B0B44309B7EB20EB50DD47F6A77A4EB54700F404454F709761C0DBB0A944DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 004F2040 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 39windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004F2080

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 004F209A
ExitProcess.KERNEL32 ref: 004F20A6

Strings

Runtime Error, xrefs: 004F208D
exc, xrefs: 004F2058
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004F206F
..\..\..\..\Common\Object Model\RuntimeExceptionFoundation.cpp, xrefs: 004F205F

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Object Model\RuntimeExceptionFoundation.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$exc
API String ID: 2938856589-2933821333
Opcode ID: 806f349135c198f0a5c5eec752dfb95509541e597db6ea9abcc62feeec16a133
Instruction ID: aeaba69c2226e20312c975cd230ee9a4ae6d698dc165ec59ea23b3e54b31aff5
Opcode Fuzzy Hash: 806f349135c198f0a5c5eec752dfb95509541e597db6ea9abcc62feeec16a133
Instruction Fuzzy Hash: 34F0C8B0A41208BBDB20EB10DD47F7B7BACAB15B00F800055F705761C1DFB46E49DA9A

Uniqueness

Uniqueness Score: -1.00%

Function 004F20C0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 39windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004F2103

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 004F211D
ExitProcess.KERNEL32 ref: 004F2129

Strings

Runtime Error, xrefs: 004F2110
exc, xrefs: 004F20D8
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004F20F2
..\..\..\..\Common\Object Model\RuntimeExceptionFoundation.cpp, xrefs: 004F20E2

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Object Model\RuntimeExceptionFoundation.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$exc
API String ID: 2938856589-2933821333
Opcode ID: 13b6439301c1f3ce6b74f90fa585fa67034925f9d6885096ec3e80d7fac152e6
Instruction ID: a98fdb5e596a4351c9a95317d3ee7f1dbd7bb49d4d9a3d5345c696fc706a669b
Opcode Fuzzy Hash: 13b6439301c1f3ce6b74f90fa585fa67034925f9d6885096ec3e80d7fac152e6
Instruction Fuzzy Hash: C3F0C8B0A4020877DB20EB10DD47F7B7BACEB15B00F400055F709761C1DBB46A09DA9D

Uniqueness

Uniqueness Score: -1.00%

Function 004F2150 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 39windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004F2193

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 004F21AD
ExitProcess.KERNEL32 ref: 004F21B9

Strings

Runtime Error, xrefs: 004F21A0
exc, xrefs: 004F2168
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004F2182
..\..\..\..\Common\Object Model\RuntimeExceptionFoundation.cpp, xrefs: 004F2172

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\Object Model\RuntimeExceptionFoundation.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$exc
API String ID: 2938856589-2933821333
Opcode ID: 5de007a83b7ef17f0ce738d87fbf780bea03b9460858b9c08560d784362ba1a7
Instruction ID: 3deb1b938613bbe4842e063c1585b00ca29f53029f33b285ef2f9195c55f85e6
Opcode Fuzzy Hash: 5de007a83b7ef17f0ce738d87fbf780bea03b9460858b9c08560d784362ba1a7
Instruction Fuzzy Hash: 69F0A4B0A4020877DA20AB10DD47F6A7BACEB15B00F400055FB09761C1DBB46A499A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00507950 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 38windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00507998

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 005079B3
ExitProcess.KERNEL32 ref: 005079C0

Strings

Runtime Error, xrefs: 005079A5
window, xrefs: 0050796B
..\..\..\..\Common\ClassLib\RuntimeWindow.cpp, xrefs: 00507975
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00507987

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\ClassLib\RuntimeWindow.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$window
API String ID: 2938856589-1803218126
Opcode ID: db3900e885d886029a8ccd7b241764106d2de032db458c06456ea2be1e456828
Instruction ID: 5bce446b0019eb102dde4cc6d64dcbcbac3ab052ce8c42961eeed5f1437e7bab
Opcode Fuzzy Hash: db3900e885d886029a8ccd7b241764106d2de032db458c06456ea2be1e456828
Instruction Fuzzy Hash: D6F0BBF0B4430CBBEF20EB50DC4BF697B68EB58B05F400054F709BA1C1DAB069449A59

Uniqueness

Uniqueness Score: -1.00%

Function 00504E10 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,00504C4D), ref: 00504E30
GetProcAddress.KERNEL32(74DD0000,SwitchToFiber), ref: 00504E59
SwitchToFiber.KERNEL32(?,00504C4D), ref: 00504E99

Strings

kernel32, xrefs: 00504E2B
SwitchToFiberAPI, xrefs: 00504E7A
SwitchToFiber, xrefs: 00504E53
..\..\..\..\Common\ClassLib\RuntimeThread.cpp, xrefs: 00504E75

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: AddressFiberLibraryLoadProcSwitch
String ID: ..\..\..\..\Common\ClassLib\RuntimeThread.cpp$SwitchToFiber$SwitchToFiberAPI$kernel32
API String ID: 1646922967-2764609305
Opcode ID: eb6a4a28a0fa3c773b978ed0e9a26fd68081fc54689bac3be41310152cec59f2
Instruction ID: 79ac06623080b391656f488f288ccdf62ea01e299cba13cdec8c0fa2de04b263
Opcode Fuzzy Hash: eb6a4a28a0fa3c773b978ed0e9a26fd68081fc54689bac3be41310152cec59f2
Instruction Fuzzy Hash: 7C0162B05002028BEB119B64EE4A7297FA9B76C340B00041DA98EC25E1E779984CEB53

Uniqueness

Uniqueness Score: -1.00%

Function 02F96A1B Relevance: 12.0, APIs: 8, Instructions: 46COMMON

Download Yara Rule

APIs

MoveToEx.GDI32(00000000,?,?,00000000), ref: 02F96A38
LineTo.GDI32(00000000,?,?), ref: 02F96A45
SelectObject.GDI32(00000000), ref: 02F96A4F
MoveToEx.GDI32(00000000,?,00000000,00000000), ref: 02F96A60
LineTo.GDI32(00000000,?,?), ref: 02F96A70
SelectObject.GDI32(00000000,?), ref: 02F96A7B
DeleteObject.GDI32(?), ref: 02F96A85
DeleteObject.GDI32 ref: 02F96A8E

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Object$DeleteLineMoveSelect
String ID:
API String ID: 3188529432-0
Opcode ID: 5a0a09e561f2f376fc1c0995887a0a04d930b39909c2ce0f2681c67e9bb6b1c8
Instruction ID: bba261b1c02b72f32ef08da9c05f4b445e3952aed011c255f6286289fd323f7e
Opcode Fuzzy Hash: 5a0a09e561f2f376fc1c0995887a0a04d930b39909c2ce0f2681c67e9bb6b1c8
Instruction Fuzzy Hash: 090171B654420DBBE7006F60DC4CD7BBBBCFB44B86F005D19F65680051DB769920CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00528E50 Relevance: 10.8, APIs: 7, Instructions: 283COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00528E79
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00528E8B
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00528E9D

Part of subcall function 005287B0: IsValidCodePage.KERNELBASE(?,?,00000000,?,00528EC4,00529751,00000000,00000000,00000000,00000000,00529751,?,00529751,?,?,08000100), ref: 00528D0E

Part of subcall function 00527330: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 005273FB
Part of subcall function 00527330: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0052740D
Part of subcall function 00527330: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00527432
Part of subcall function 00527330: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0052744D
Part of subcall function 00527330: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0052745F
Part of subcall function 00527330: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0052747C

MultiByteToWideChar.KERNEL32(00529751,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,00000000,00529751), ref: 00528FE2
MultiByteToWideChar.KERNEL32(00529751,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000,00529751,?,00529751), ref: 0052902C

Part of subcall function 004AB850: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB85E
Part of subcall function 004AB850: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB870
Part of subcall function 004AB850: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB88D

WideCharToMultiByte.KERNEL32(?,00000000,0057E81C,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,00529751), ref: 00529092
WideCharToMultiByte.KERNEL32(?,00000000,0057E81C,00000000,0057E81C,00000000,00000000,00000000,?,?,?,?,?,?,00000000,00529751), ref: 005290E1

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$ByteCharEnterInitializeLeaveMultiWide$CodePageValid
String ID:
API String ID: 38778127-0
Opcode ID: bd002cee9fe8d4cbb65128250013fafca530b6a9dbf29fcb59f55dde86fd8549
Instruction ID: f76196ea4b96524af913abf4b368e698852f0bf91f47b80f158ffd6b81c0758e
Opcode Fuzzy Hash: bd002cee9fe8d4cbb65128250013fafca530b6a9dbf29fcb59f55dde86fd8549
Instruction Fuzzy Hash: 2091EB32E002286BDB20DB99EC85BBEBB69FF86710F05455EED08A7381D7749D4087D0

Uniqueness

Uniqueness Score: -1.00%

Function 00419DB0 Relevance: 10.7, APIs: 7, Instructions: 182COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00419E48
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00419E5A
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00419E77

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 83160538a958dece2523778014f7702ca1f34c6d41da76ac3b2f604abd7e212e
Instruction ID: 42feb7c1a87acf3a0b1784f9501ee15784cf884148d32698f80b70bbddd1b1f0
Opcode Fuzzy Hash: 83160538a958dece2523778014f7702ca1f34c6d41da76ac3b2f604abd7e212e
Instruction Fuzzy Hash: 1F510D31200304AFDB24CF19D898BEBB7A5BF98720F28015EE54987380C739ADC1DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0055AB60 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 171COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0055AC18
GetClassNameA.USER32(?,?,00000040), ref: 0055AC28
ScreenToClient.USER32(00000000,?), ref: 0055AC4D
ScreenToClient.USER32(00000000,?), ref: 0055AC5E
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0055ACC6

Strings

RB_MDICHILD, xrefs: 0055AC31

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ClientScreenWindow$ClassMoveNameRect
String ID: RB_MDICHILD
API String ID: 1559747499-1170157637
Opcode ID: 4858d718e19923eb9714e207c06bfac5471f44c6e4114719fe792b51af0d6a7b
Instruction ID: 26f3d746a0a0e939ba7414c935dcde7b3135494c21652cb8ec323297c0512398
Opcode Fuzzy Hash: 4858d718e19923eb9714e207c06bfac5471f44c6e4114719fe792b51af0d6a7b
Instruction Fuzzy Hash: 8F718C70E043889EDB25CBB8C8987EEBFF1BF55305F08451ED8855B245D7B86889CB52

Uniqueness

Uniqueness Score: -1.00%

Function 004ABFA0 Relevance: 10.6, APIs: 7, Instructions: 138COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004ABFB4
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004ABFCE
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ABFE8
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC049
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AC080
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AC092
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC0A6

Part of subcall function 004AC650: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AC664
Part of subcall function 004AC650: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AC678
Part of subcall function 004AC650: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC696

Part of subcall function 004ABDF0: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004ABDFE
Part of subcall function 004ABDF0: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004ABE10
Part of subcall function 004ABDF0: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ABE37

Part of subcall function 004AB850: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB85E
Part of subcall function 004AB850: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB870
Part of subcall function 004AB850: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB88D

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterInitialize
String ID:
API String ID: 3864236774-0
Opcode ID: e8f3e9c651ec5bcd7065e1f5b96046a4bc6b33bc475a81f0df9b584fcbea0104
Instruction ID: 0de88e67b426073f2d9509694ef13eb2b24b8d70161ce7495267cd7e8744bc4d
Opcode Fuzzy Hash: e8f3e9c651ec5bcd7065e1f5b96046a4bc6b33bc475a81f0df9b584fcbea0104
Instruction Fuzzy Hash: 8241E331A04204EBDB10DF59D885AAB7BB4FF66710F18809AEC45AB302C779ED44DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 005151B0 Relevance: 10.6, APIs: 7, Instructions: 119windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00515270
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00515278
TranslateMDISysAccel.USER32(00000000,?), ref: 005152A5
TranslateAccelerator.USER32(?,00000000,?), ref: 005152C0
TranslateMessage.USER32(?), ref: 005152CE
DispatchMessageW.USER32(?), ref: 005152E1
DispatchMessageA.USER32(?), ref: 005152ED

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Message$Translate$DispatchPeek$AccelAccelerator
String ID:
API String ID: 3681251259-0
Opcode ID: 0f9c2132f4b7fb8a0a66e29106b33b34233504af138f49cdec9ec3a34e401b1c
Instruction ID: 90bd78340ef72a48861726975705b4ec8825e87a53999bd001b57321af80dd0f
Opcode Fuzzy Hash: 0f9c2132f4b7fb8a0a66e29106b33b34233504af138f49cdec9ec3a34e401b1c
Instruction Fuzzy Hash: 2841083A900504DFEF14DF68EC44FF9BB75BBA8300F444149EA51AB251E739E889DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00422A47 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00422AAF

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00422AC9
ExitProcess.KERNEL32 ref: 00422AD5

Strings

Runtime Error, xrefs: 00422ABC
..\..\..\..\Common\DateCommon.cpp, xrefs: 00422A8E
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00422A9E

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\DateCommon.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s
API String ID: 2938856589-1467614787
Opcode ID: e8d67e8ce819e0343928afcb351293bd1a13ca8b88578e795394c9d3c6d9aa4a
Instruction ID: 4f77cebc59c0ac912947e298f21e54dc77c69a857453f38949099af0a571c8e2
Opcode Fuzzy Hash: e8d67e8ce819e0343928afcb351293bd1a13ca8b88578e795394c9d3c6d9aa4a
Instruction Fuzzy Hash: 25318EB4740604AFD720DF64DC92E6BB7A9EF88704F104649FA099B391CA70ED85CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004AC450 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AC469
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AC47B
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC492
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC4E2
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC537

Strings

y{@, xrefs: 004AC4C5, 004AC524, 004AC4E8

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterInitialize
String ID: y{@
API String ID: 3864236774-511077216
Opcode ID: 8f272504aaf4504c1cd69a769d7499d175b97f7d93230991d0af6cba84b4cade
Instruction ID: bfc8b227d3413afaa68fbf5953d74b8fceadf2917c47a4a88442b9f528bbb388
Opcode Fuzzy Hash: 8f272504aaf4504c1cd69a769d7499d175b97f7d93230991d0af6cba84b4cade
Instruction Fuzzy Hash: 9E31E472B003149FEB509F59D8C1A6AB7E4FBAA720B1540AAEC48DB311D775EC448BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00404650 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 95windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0040473C
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00404757
ExitProcess.KERNEL32 ref: 00404764

Part of subcall function 004141B0: _malloc.LIBCMT ref: 004141B3
Part of subcall function 004141B0: _malloc.LIBCMT ref: 004141BB

Strings

Runtime Error, xrefs: 00404749
..\..\..\..\Common\array.cpp, xrefs: 00404719
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 0040472B

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: _malloc$ExitMessageProcess_swprintf
String ID: ..\..\..\..\Common\array.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s
API String ID: 1677785200-2515518560
Opcode ID: 2bccbd5fc35965a88f73f67d491617690f381153dae34a3ec37569591e7918ae
Instruction ID: 98c8cd254d4ed0b55e34c0b7620158b0a4473481ef88e3053225b0dcaa2a3440
Opcode Fuzzy Hash: 2bccbd5fc35965a88f73f67d491617690f381153dae34a3ec37569591e7918ae
Instruction Fuzzy Hash: DE31FBB16402156BD714DF14DC82BA9B7A5FB84710F044569EB09FB380EBB9ED818BD4

Uniqueness

Uniqueness Score: -1.00%

Function 004AC370 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AC386
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AC398
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC3B9
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC3F1
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC438

Strings

b{@, xrefs: 004AC3A4, 004AC425

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterInitialize
String ID: b{@
API String ID: 3864236774-235218929
Opcode ID: ecfba69230903c7eebbfcdd44bf4540f8d756ea694efe3f98377753284f735cd
Instruction ID: e165b069f8a90b1e2c7955f8ea6f776b4c5547935a3a48f61cd827162deffd49
Opcode Fuzzy Hash: ecfba69230903c7eebbfcdd44bf4540f8d756ea694efe3f98377753284f735cd
Instruction Fuzzy Hash: 8D21F1716003149BEB509F1DE88476ABBE8FF66724B1041AEEC48EB300C7B9DD809BC5

Uniqueness

Uniqueness Score: -1.00%

Function 02F938BE Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000001), ref: 02F938C2
SelectObject.GDI32(?,00000000), ref: 02F938D0
Polygon.GDI32(?,?,00000003), ref: 02F93945
SelectObject.GDI32(?,00000000), ref: 02F93953
DeleteObject.GDI32(?), ref: 02F939E1
SelectObject.GDI32(?,?), ref: 02F939F2
DeleteObject.GDI32(?), ref: 02F939FC

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Object$Select$Delete$PolygonStock
String ID:
API String ID: 2676145389-0
Opcode ID: 78ada7ce593a696d8170189caf11dc10a866f76e7cdba19060706907174ffdbd
Instruction ID: 7d3e1d11a26bf16fed33015ab1b1d6af5b5454f2d68b99e24068b11ff3491abb
Opcode Fuzzy Hash: 78ada7ce593a696d8170189caf11dc10a866f76e7cdba19060706907174ffdbd
Instruction Fuzzy Hash: AA3148715083849FE7359F24DC48BDEFBE1FF88395F00492DE699862A0D77159A4CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00422B60 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 56windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00422BB0

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00422BCA
ExitProcess.KERNEL32 ref: 00422BD6

Strings

Runtime Error, xrefs: 00422BBD
..\..\..\..\Common\DateCommon.cpp, xrefs: 00422B8F
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00422B9F

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Common\DateCommon.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s
API String ID: 2938856589-1467614787
Opcode ID: db8e243baf1d06c4344ccdbcff0fb51ac424f77de0976adefe6c09e4469faf3a
Instruction ID: 2d2b4b218b9ac4c9c8bba264232ed618debdd944356e06628dd540b36d21b51a
Opcode Fuzzy Hash: db8e243baf1d06c4344ccdbcff0fb51ac424f77de0976adefe6c09e4469faf3a
Instruction Fuzzy Hash: AE0144B1B0011877CA10BA20AD47FBF3B6CAB84714F400019FB08A72C2DBB8AD0582D9

Uniqueness

Uniqueness Score: -1.00%

Function 00423950 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 55windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00423993

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 004239AD
ExitProcess.KERNEL32 ref: 004239B9

Strings

..\..\..\..\Universal\DateImp\DateImpWin32.cpp, xrefs: 00423972
Runtime Error, xrefs: 004239A0
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00423982

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Universal\DateImp\DateImpWin32.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s
API String ID: 2938856589-50624562
Opcode ID: 3aee5a79fa638e5e58cb1d89feabbd7a7ae29598c5c90d964ae3b5117eab8f92
Instruction ID: 6c5c9681452ec061c8d30737df85dc1d88cbaee333e50d96325a7fa05383ddd5
Opcode Fuzzy Hash: 3aee5a79fa638e5e58cb1d89feabbd7a7ae29598c5c90d964ae3b5117eab8f92
Instruction Fuzzy Hash: 811193B0504B15A5C720DF61D806A76B7F4FF28B01B408519FA8993AD0F778E584D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 004AB9D0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB9E7
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB9F9
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ABA45
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ABA65

Part of subcall function 004AB850: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB85E
Part of subcall function 004AB850: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB870
Part of subcall function 004AB850: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB88D

Strings

FileVersion, xrefs: 004AB9D8
\StringFileInfo\040904B0\, xrefs: 004ABA2C

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterInitialize
String ID: FileVersion$\StringFileInfo\040904B0\
API String ID: 3864236774-2592243052
Opcode ID: 1c63a94705948b746f28cbe7cb6ffac48a3c713c505496e6baa2f7d359949cbc
Instruction ID: ed15901668958b6862f7d1ad96c1c7f2ec0c2fe3d183ceed7b30c953eaa11aca
Opcode Fuzzy Hash: 1c63a94705948b746f28cbe7cb6ffac48a3c713c505496e6baa2f7d359949cbc
Instruction Fuzzy Hash: 4611E9757002109FE7109B19D888B677FE4EFA6721B1980DAF5489B31AC7788844DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00424510 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 55windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00424553

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 0042456D
ExitProcess.KERNEL32 ref: 00424579

Strings

..\..\..\..\Universal\DateImp\DateImpWin32.cpp, xrefs: 00424532
Runtime Error, xrefs: 00424560
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00424542

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: ..\..\..\..\Universal\DateImp\DateImpWin32.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s
API String ID: 2938856589-50624562
Opcode ID: d056e828fa6246214c071ab69fdb65aecb9ca0964636bd19b7362956a19878f9
Instruction ID: f8aa5a7b69fdeda2d44b4853ab520312dd77983c9b0ab77b2740a1942665effc
Opcode Fuzzy Hash: d056e828fa6246214c071ab69fdb65aecb9ca0964636bd19b7362956a19878f9
Instruction Fuzzy Hash: 5811B260504B15B2C720DF21D802A77B7F8FF28B01B404519FA8AA3AD0F778EA94D79D

Uniqueness

Uniqueness Score: -1.00%

Function 00404500 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 51windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00404562
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 0040457D
ExitProcess.KERNEL32 ref: 0040458A

Strings

Runtime Error, xrefs: 0040456F
..\..\..\..\Common\array.cpp, xrefs: 0040453F
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00404551

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess_swprintf
String ID: ..\..\..\..\Common\array.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s
API String ID: 3597307922-2515518560
Opcode ID: bd59cdc395c67ef1371cb3de6e0d54fb84f516134caf1853c97bbf2d41f68d35
Instruction ID: a96d11839e30ce78a551a842150a9c1fd9cb0f1a705ecb5309e913b95e10ce24
Opcode Fuzzy Hash: bd59cdc395c67ef1371cb3de6e0d54fb84f516134caf1853c97bbf2d41f68d35
Instruction Fuzzy Hash: 9501F9B0744208BBDB20DB60EC47F2A77A4EB58705F5040A9F709AB2C1DA71A945D759

Uniqueness

Uniqueness Score: -1.00%

Function 004AB8C0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB8CE
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB8E1
_malloc.LIBCMT ref: 004AB8FB
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB952
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB964

Strings

MS Sans Serif, xrefs: 004AB8DB

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterInitialize_malloc
String ID: MS Sans Serif
API String ID: 3797137078-168460110
Opcode ID: abb91e47000a3af35b6b256d691409fff658d6dfe6c10716f2c02ced6df19399
Instruction ID: 0ec0c0c72a48a7c2244658e214fac7d0d144a35f7ea27bed9c34e99702da6c0c
Opcode Fuzzy Hash: abb91e47000a3af35b6b256d691409fff658d6dfe6c10716f2c02ced6df19399
Instruction Fuzzy Hash: 7E1106704043419FEB119F25D848BA67FA5FFA3324F4582D9D5984F3A6C3BD8089EB91

Uniqueness

Uniqueness Score: -1.00%

Function 004FFC40 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 46windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004FFC93
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 004FFCAE
ExitProcess.KERNEL32 ref: 004FFCBB

Strings

Runtime Error, xrefs: 004FFCA0
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004FFC82
c:\RB\Universal\SimpleVector.h, xrefs: 004FFC70

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess_swprintf
String ID: Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$c:\RB\Universal\SimpleVector.h
API String ID: 3597307922-659385905
Opcode ID: 6b7ce987bef706dbe5501b559b30e4b6a923f6d7a95f137ee4cd667aba244272
Instruction ID: 8ea19e5f228a8b994cc9463ef2a3ab888140063fae1263b2e9eae1abc807d023
Opcode Fuzzy Hash: 6b7ce987bef706dbe5501b559b30e4b6a923f6d7a95f137ee4cd667aba244272
Instruction Fuzzy Hash: F40156B0640248AFDB10DB54EE87F2577A4BB14701F400055F70DE72C5D6B4694CD65A

Uniqueness

Uniqueness Score: -1.00%

Function 004045B0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00404615
MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 00404630
ExitProcess.KERNEL32 ref: 0040463D

Strings

Runtime Error, xrefs: 00404622
..\..\..\..\Common\array.cpp, xrefs: 004045F2
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 00404604

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess_swprintf
String ID: ..\..\..\..\Common\array.cpp$Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s
API String ID: 3597307922-2515518560
Opcode ID: 88d12e6a7ee7bc3e30304638aa415d45f5e08c2a589ff59eeebd3f1e8a9e5bf2
Instruction ID: 15c35246580bbc3177657f9f3c6ccab8554756689af233d17dfb4286757fc348
Opcode Fuzzy Hash: 88d12e6a7ee7bc3e30304638aa415d45f5e08c2a589ff59eeebd3f1e8a9e5bf2
Instruction Fuzzy Hash: D401D8F4340208BBDB10DB10DC87F257764EB58B05F104099F709AB2C1DB71A945DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004F1FC0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39windowCOMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 004F1FFA

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

MessageBoxA.USER32(00000000,?,Runtime Error,00000111), ref: 004F2015
ExitProcess.KERNEL32 ref: 004F2022

Strings

Runtime Error, xrefs: 004F2007
not pos, xrefs: 004F1FD7
Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s, xrefs: 004F1FE9

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ExitMessageProcess__vsprintf_s_l_swprintf
String ID: Runtime Error$Runtime Error %d: %sPress OK to ContinuePress Cancel to Quit.Please report what caused this erroralong with the information below.%s: %dFailure Condition: %s%s$not pos
API String ID: 2938856589-219810707
Opcode ID: 0def266416e8b0ad3a3675fb0843fc1e97e9c0af3cb9f5b35b07391296b844f1
Instruction ID: 3c937bdd0d775b79d0778adfeb93d5f28468097eaad575f33e5a906542454ae2
Opcode Fuzzy Hash: 0def266416e8b0ad3a3675fb0843fc1e97e9c0af3cb9f5b35b07391296b844f1
Instruction Fuzzy Hash: 9DF0C2B0600208BBDB10EB54DC46F7B7BACEB98701F404148F70DA61C1DA70AE458BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00567E13 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00567E88,00000000,0056DD49,00000000,00000000,00000314,?,?,?,005F0D78,00568A98,005F0D78,Microsoft Visual C++ Runtime Library,00012010), ref: 00567E20
TlsGetValue.KERNEL32(00000005,?,?,?,005F0D78,00568A98,005F0D78,Microsoft Visual C++ Runtime Library,00012010), ref: 00567E37
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,005F0D78,00568A98,005F0D78,Microsoft Visual C++ Runtime Library,00012010), ref: 00567E4C
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00567E67

Strings

KERNEL32.DLL, xrefs: 00567E47
EncodePointer, xrefs: 00567E61

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Value$AddressHandleModuleProc
String ID: EncodePointer$KERNEL32.DLL
API String ID: 1929421221-3682587211
Opcode ID: 43889dca8309a31cec7a4e10dbf57d67e919eb84f66d1187662325f21fedefe0
Instruction ID: 8894baac2512e57d82e82fe88af763229aa399dd0fbda313389689a07d6e2222
Opcode Fuzzy Hash: 43889dca8309a31cec7a4e10dbf57d67e919eb84f66d1187662325f21fedefe0
Instruction Fuzzy Hash: 94F0963450821B9B9A616738EC48E6B3F98BF083587041690F818E31B0CB31DC8AEBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00567E8A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00567F1F,?,00000000,005698B4,005664E5,?,?,00401224), ref: 00567E97
TlsGetValue.KERNEL32(00000005,?,00000000,005698B4,005664E5,?,?,00401224), ref: 00567EAE
GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,005698B4,005664E5,?,?,00401224), ref: 00567EC3
GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 00567EDE

Strings

KERNEL32.DLL, xrefs: 00567EBE
DecodePointer, xrefs: 00567ED8

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Value$AddressHandleModuleProc
String ID: DecodePointer$KERNEL32.DLL
API String ID: 1929421221-629428536
Opcode ID: bc9afc4c19c6a0cb116d3d8a5a5671f3a3af6234e93ff706ca905c38f51a07bc
Instruction ID: 6ec9a6859dd4153ca6ee7a302e6cfa432561f9cc155fe64603918d9ffed81c65
Opcode Fuzzy Hash: bc9afc4c19c6a0cb116d3d8a5a5671f3a3af6234e93ff706ca905c38f51a07bc
Instruction Fuzzy Hash: 87F0963050861B9B9751A738ED08A6F3F9DBF187587144694F818E32B0DB31DC8EABA1

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD00 Relevance: 9.2, APIs: 6, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83cf773d05bda0de630060e9b325cbde9ed9c5d117515c2d07ea510515f32a2b
Instruction ID: a5e98e9b169ecd04c1310c1a01336130a74691945cb61c492e0088b7f69bbfc8
Opcode Fuzzy Hash: 83cf773d05bda0de630060e9b325cbde9ed9c5d117515c2d07ea510515f32a2b
Instruction Fuzzy Hash: 49610672908184DFEB129A24C8817A63F92EF23315F1D04AAC6856B3C2D37D8909D7DE

Uniqueness

Uniqueness Score: -1.00%

Function 0040C0E0 Relevance: 9.2, APIs: 6, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f29f67eceba1145f8c9d319f8cb964c9861a45e2f03591ce3ffa6ed71b7fc3
Instruction ID: 5cc0027db47bad2595fc8b6ac454a83f4e827e7ac53dbfa0cb8c272da5eb7c35
Opcode Fuzzy Hash: 75f29f67eceba1145f8c9d319f8cb964c9861a45e2f03591ce3ffa6ed71b7fc3
Instruction Fuzzy Hash: 4A51C472D0C3C0CFE70297A8CC817663F91AB63315F1A42E6D4956F7E2C2BD59049BA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEAE Relevance: 9.1, APIs: 6, Instructions: 130COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0040AF84
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0040AF9C
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0040AFC5
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0040AFD5
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0040AFE7
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0040B00A

Part of subcall function 004AB850: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB85E
Part of subcall function 004AB850: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB870
Part of subcall function 004AB850: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB88D

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 8d4cf8d93303528c6655ac0de8263db12df2892cf5d68ee178337cfeaec95bdc
Instruction ID: 6f038ecec66573afc2536721684a42d164be8c03e0118004f37cbff714f8af98
Opcode Fuzzy Hash: 8d4cf8d93303528c6655ac0de8263db12df2892cf5d68ee178337cfeaec95bdc
Instruction Fuzzy Hash: 5741A172A043018FD720EF6AD88165BFBE4AF94B14F05096EF888A7352D7789C448BD7

Uniqueness

Uniqueness Score: -1.00%

Function 00420A10 Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00420A76
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00420A88
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00420A9A
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00420AF4
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00420B06
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00420B18

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 2109be82705f41c8ef9fd50d3727ec8b8c978ec6dfe7148b1f7726c33fbd7f27
Instruction ID: a5ead632d06110f0c0ea08648f7ecc2d0c18398f0cf73d3acacda67b7c6359cf
Opcode Fuzzy Hash: 2109be82705f41c8ef9fd50d3727ec8b8c978ec6dfe7148b1f7726c33fbd7f27
Instruction Fuzzy Hash: C2413A30B003149FDB30CB64E885B6B7BF5AF55714F9445AAE4446B392C7746C84DB85

Uniqueness

Uniqueness Score: -1.00%

Function 0050CB70 Relevance: 9.1, APIs: 6, Instructions: 105COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0050CC10
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0050CC22
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0050CC3F
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0050CC6A
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0050CC7C
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0050CC99

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: d13477b3cf57c46f1ff5d58d53af6e1a15531301fde6691705afff6aafb7748b
Instruction ID: b0af1487460dcaacefc4d6c8fc2ce58b504985f282893bfef845139f009b12da
Opcode Fuzzy Hash: d13477b3cf57c46f1ff5d58d53af6e1a15531301fde6691705afff6aafb7748b
Instruction Fuzzy Hash: 7D3127716002059FEB20DF18E844BAEBFA4BF66720F448359EC99972D0C770AD85DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00407BE0 Relevance: 9.1, APIs: 6, Instructions: 105COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00407C7F
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00407C91
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00407CAA
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00407CBE
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00407CD0
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00407CE9

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: f53fb72251a42ddd9bd353dc145c59669ba7f9ce3986bc512a78f84b4cbcecfb
Instruction ID: 6a384d670cc16eccec1379be1943490dd369e969545e3f7dd4e72be12631a22c
Opcode Fuzzy Hash: f53fb72251a42ddd9bd353dc145c59669ba7f9ce3986bc512a78f84b4cbcecfb
Instruction Fuzzy Hash: 3D313971A082089BEB106B29E84576B77A4EF91338F00426FF858A2381D77D6C549BD7

Uniqueness

Uniqueness Score: -1.00%

Function 0045D400 Relevance: 9.1, APIs: 6, Instructions: 100COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0045D497
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0045D4A9
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0045D4C6
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0045D4E9
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0045D4FB
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0045D518

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: d24e18e2878fa52c0ba49866d65fbd8c7809f239454cbe42cd1e5c921b201eb5
Instruction ID: 2aeeb3a1373aa5110325c31c08ac2cce3033c317667d039771d45cc43b1a17d8
Opcode Fuzzy Hash: d24e18e2878fa52c0ba49866d65fbd8c7809f239454cbe42cd1e5c921b201eb5
Instruction Fuzzy Hash: 2F315971E01205AFDB309F14E844BBB77A4AF62725F044216EC8897392C338AD88DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00416320 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004163B0
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004163C2
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004163DF
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00416409
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0041641B
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00416438

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 4be71a5d10be0b5ae6ad8f22064773f9b7d1cd50d6a6a244bebd10f3aa2f3002
Instruction ID: 7075798d5d7bbb84afe1fe31af1f4a66c3e8af088db5609bbefc9b902d871466
Opcode Fuzzy Hash: 4be71a5d10be0b5ae6ad8f22064773f9b7d1cd50d6a6a244bebd10f3aa2f3002
Instruction Fuzzy Hash: 9A3103316012199FDB219F18D844AEB77A4BF14720B06814AEC9897380D778E9C4DBD4

Uniqueness

Uniqueness Score: -1.00%

Function 004FE4F0 Relevance: 9.1, APIs: 6, Instructions: 96COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004FE580
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004FE592
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004FE5AF
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004FE5D1
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004FE5E3
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004FE600

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: f2d8abf5f305a3236d215ddd633f586026621e6182d15bc4a83a68112bfffd12
Instruction ID: 8850237a25e2f1b8e6121d4098bd425a4fe48279143eaa1f9c8e52e14881b3c3
Opcode Fuzzy Hash: f2d8abf5f305a3236d215ddd633f586026621e6182d15bc4a83a68112bfffd12
Instruction Fuzzy Hash: 9A314871601219FFEB208F95E804BBB77A4AF10729F04411AEE84973A4E738DD84DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0055C7B0 Relevance: 9.1, APIs: 6, Instructions: 77COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0055C80A
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0055C81C
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0055C835
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0055C863
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0055C875
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0055C88E

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: f6a835dbd1bcf6e7020ec288e728ecd85f6befe1a9ab50e1f82b2c3a96991e86
Instruction ID: 508f22c18b58847bcb8063bf2b7ce989faecc809ff99da31b7a77677ce707016
Opcode Fuzzy Hash: f6a835dbd1bcf6e7020ec288e728ecd85f6befe1a9ab50e1f82b2c3a96991e86
Instruction Fuzzy Hash: 24213B71501308AFEB109F59EC84BAA7FA4FB65731F04016BFD88A3280C7755988DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 004998E0 Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0049991A
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0049992C
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00499945
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00499978
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0049998A
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004999A3

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 2c079eb935841e6eab640b6f135e262b6fc8587ac41070823bf4613d44ff7b25
Instruction ID: 5494dbb268ab408ae10eb886f1173d77a626047814566199f8d612a26f484e27
Opcode Fuzzy Hash: 2c079eb935841e6eab640b6f135e262b6fc8587ac41070823bf4613d44ff7b25
Instruction Fuzzy Hash: AA21D4716002146BEF205B2AEC04A6B3FA4AF51734F04016EFC98A3354C7789D84DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 004C1230 Relevance: 9.1, APIs: 6, Instructions: 61COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004C125F
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004C1271
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004C1286
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004C12BB
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004C12CD
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004C12DF

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: ad394ebb67fd09c5f10638c64f0745e268953dfd7fdaae0d0aa4e457c19ba345
Instruction ID: 57bcf4cfb6d2d8f4d61d6dcb69dc10305cf3f28d601d04fe587afd212f0f1532
Opcode Fuzzy Hash: ad394ebb67fd09c5f10638c64f0745e268953dfd7fdaae0d0aa4e457c19ba345
Instruction Fuzzy Hash: 7611E4397003145FE760AB69E848F677BA4AF56B20B04009EFD88E7366C3689C84DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0041F6F0 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 305COMMON

Download Yara Rule

APIs

Part of subcall function 004ABDF0: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004ABDFE
Part of subcall function 004ABDF0: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004ABE10
Part of subcall function 004ABDF0: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ABE37

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0041F850
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0041F862
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0041F87B

Part of subcall function 004AB850: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB85E
Part of subcall function 004AB850: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB870
Part of subcall function 004AB850: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB88D

Strings

false, xrefs: 0041FA42
true, xrefs: 0041F9FD

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: false$true
API String ID: 3991485460-2658103896
Opcode ID: 4f6d1385aa0b6247cc75edae5df1f369183ddd0aa4ce872c114e3272bd130243
Instruction ID: f1f4d59cd19f4d4744a9b0a6293c9097bf60cdb3270246aeb1ccff3a52ae6854
Opcode Fuzzy Hash: 4f6d1385aa0b6247cc75edae5df1f369183ddd0aa4ce872c114e3272bd130243
Instruction Fuzzy Hash: 62B1D371D00219ABCF10EBA5C441BEFB7B4AF15314F08416AE855B7351E73CAE8ACB98

Uniqueness

Uniqueness Score: -1.00%

Function 00469680 Relevance: 9.1, APIs: 6, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 004AB970: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB981
Part of subcall function 004AB970: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB993
Part of subcall function 004AB970: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB9C2

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004696BB
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004696D4
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004696E8
RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00469708
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0046971A
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00469729

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 25e41a164ab6fcad786b2dff9b5906e34ae6b202139032095271ff7c7486468b
Instruction ID: 33566d67d3f0aac115c6fc8beaefa6defc6169787695b34b3b119e959511a928
Opcode Fuzzy Hash: 25e41a164ab6fcad786b2dff9b5906e34ae6b202139032095271ff7c7486468b
Instruction Fuzzy Hash: 31110A72901318ABF7206B99D804B6BBAECAB51B20F04015BEDC463355D3FD4D445BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0040A850 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0040A8EE
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0040A900
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0040A919

Part of subcall function 004AB850: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB85E
Part of subcall function 004AB850: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB870
Part of subcall function 004AB850: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB88D

Strings

..\..\..\..\Common\basicstr.cpp, xrefs: 0040A891
theStr.Encoding() == kEncodingUTF8 or theStr.Encoding() == kEncodingUTF16 or theStr.Encoding() == kEncodingASCII, xrefs: 0040A896

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: ..\..\..\..\Common\basicstr.cpp$theStr.Encoding() == kEncodingUTF8 or theStr.Encoding() == kEncodingUTF16 or theStr.Encoding() == kEncodingASCII
API String ID: 3991485460-2457223637
Opcode ID: fb0e3810693712582a826bf56833a39bd4aaaf5803d1409bf21510067e8cddab
Instruction ID: 698a5f27019440da8ab0eeb0a9f1eea92ef52b64398679adeb31ff051a7813dd
Opcode Fuzzy Hash: fb0e3810693712582a826bf56833a39bd4aaaf5803d1409bf21510067e8cddab
Instruction Fuzzy Hash: 0F412D73B003144BDB20AE6DD8856ABB755EB41325F058A7BDC58E73C5D23ACC5483D6

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6C0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0040A75D
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0040A76F
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0040A788

Part of subcall function 004AB850: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB85E
Part of subcall function 004AB850: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB870
Part of subcall function 004AB850: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB88D

Strings

..\..\..\..\Common\basicstr.cpp, xrefs: 0040A703
theStr.Encoding() == kEncodingUTF8 or theStr.Encoding() == kEncodingUTF16 or theStr.Encoding() == kEncodingASCII, xrefs: 0040A708

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: ..\..\..\..\Common\basicstr.cpp$theStr.Encoding() == kEncodingUTF8 or theStr.Encoding() == kEncodingUTF16 or theStr.Encoding() == kEncodingASCII
API String ID: 3991485460-2457223637
Opcode ID: 02b6ef7e017205b24e8a80987231bfe4ed3d3f6705f9381eb2b9ed0bc9f3fd58
Instruction ID: 2a4ea5f4727ee9dd3c512476e52d9c8aa83c6c79812ab3d7d3681f352909269e
Opcode Fuzzy Hash: 02b6ef7e017205b24e8a80987231bfe4ed3d3f6705f9381eb2b9ed0bc9f3fd58
Instruction Fuzzy Hash: D041C632A002085BDB109E29E8856AAB7A4FB54324F04867BEC08E7781E379DD6597D6

Uniqueness

Uniqueness Score: -1.00%

Function 00472CF0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 005599F0: IsWindowVisible.USER32(?), ref: 00559A06

GetWindowTextLengthA.USER32(00000000), ref: 00472D67

Part of subcall function 0041A360: _memset.LIBCMT ref: 0041A391
Part of subcall function 0041A360: GetVersionExA.KERNEL32(?), ref: 0041A3AA

GetWindowTextW.USER32(00000000,00000000,0040AF71), ref: 00472DA9

Part of subcall function 004AB9D0: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB9E7
Part of subcall function 004AB9D0: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB9F9
Part of subcall function 004AB9D0: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ABA45

GetWindowTextA.USER32(00000000,00000000,00000001), ref: 00472DD1

Part of subcall function 005662C8: _malloc.LIBCMT ref: 005662E0

Strings

HO_, xrefs: 00472CF6
O_, xrefs: 00472D13

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Window$CriticalSectionText$EnterInitializeLeaveLengthVersionVisible_malloc_memset
String ID: HO_$O_
API String ID: 3949655741-2490943392
Opcode ID: 329589381944bee7d7eb09378ce6ed93c17aae17aa9731526b34cd585f37d791
Instruction ID: 1fdb5ac3e124e09bf50d4ecbcd352bd20b2bb48386d38c674ef00f89e3d39917
Opcode Fuzzy Hash: 329589381944bee7d7eb09378ce6ed93c17aae17aa9731526b34cd585f37d791
Instruction Fuzzy Hash: 8C31CEB28002209FCB54EF2888856AF7BA9AF49700B1541AFEC098B346E779D905DBD4

Uniqueness

Uniqueness Score: -1.00%

Function 00416020 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 0041A360: _memset.LIBCMT ref: 0041A391
Part of subcall function 0041A360: GetVersionExA.KERNEL32(?), ref: 0041A3AA

ShellExecuteA.SHELL32(00000000,open,0057E81C), ref: 004160C8

Part of subcall function 004ABC10: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000,00000000,00000000,00000008,?,?,0054664D,00000000), ref: 004ABC52
Part of subcall function 004ABC10: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0057E81C,00000000,?,00000000,?,?,0054664D), ref: 004ABCAB

ShellExecuteW.SHELL32(00000000,open,005F4C08,00000000,00000000,00000001), ref: 00416084

Strings

..\..\..\..\Universal\REALstring.cpp, xrefs: 0041605C
open, xrefs: 0041607D
open, xrefs: 004160C1

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ByteCharExecuteMultiShellWide$Version_memset
String ID: ..\..\..\..\Universal\REALstring.cpp$open$open
API String ID: 444232615-3050431660
Opcode ID: 3e9673c7e4740f592ce58f95521243f4be4a7726ed86c28cacfa2fae2694edec
Instruction ID: aca14a40f9b8bf4c0b0eb5178e64692a152f2da809db228943910ab3806d6de9
Opcode Fuzzy Hash: 3e9673c7e4740f592ce58f95521243f4be4a7726ed86c28cacfa2fae2694edec
Instruction Fuzzy Hash: 1521D8316403046BD720DB04DC06FA73FA8EF05B54F15415AF908AB382DB65ED81D699

Uniqueness

Uniqueness Score: -1.00%

Function 02694D40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27windowCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,02695EF0,00000001,?,026944AC), ref: 02694D47
MessageBoxA.USER32(00000000,Could not allocate thread local data.,MW Win32 Runtime,00000030), ref: 02694D82

Part of subcall function 02694A60: TlsGetValue.KERNEL32(-00000001,026A0DB8,02694C60,00000000,02695167,?,?,026944AC), ref: 02694A68
Part of subcall function 02694A60: GetLastError.KERNEL32(?,?,026944AC), ref: 02694A76

TlsGetValue.KERNEL32 ref: 02694D68

Strings

MW Win32 Runtime, xrefs: 02694D76
Could not allocate thread local data., xrefs: 02694D7B

Memory Dump Source

Source File: 00000001.00000002.2876226182.0000000002691000.00000020.00001000.00020000.00000000.sdmp, Offset: 02690000, based on PE: true

Associated: 00000001.00000002.2876210818.0000000002690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876241992.0000000002698000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876257033.000000000269B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2690000_WindowsLoader.jbxd

Similarity

API ID: Value$ErrorLastMessage
String ID: Could not allocate thread local data.$MW Win32 Runtime
API String ID: 1449083153-2242202967
Opcode ID: 349f00375a08af8fe0d02a0d6f50a6c0c031e083a752abc927f6b962cda1be45
Instruction ID: 36997b28cdf3e622b3cf0cb65418cd64d0bcaeef2f4e79d2940963d62e30f48c
Opcode Fuzzy Hash: 349f00375a08af8fe0d02a0d6f50a6c0c031e083a752abc927f6b962cda1be45
Instruction Fuzzy Hash: 48E06D317843016BFF01AE94F8C5B2C361DAB0474DF000438F609881E0DFA148D58A08

Uniqueness

Uniqueness Score: -1.00%

Function 026F3C60 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27windowCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,026F4370,00000001,?,026F304C), ref: 026F3C67
MessageBoxA.USER32(00000000,Could not allocate thread local data.,MW Win32 Runtime,00000030), ref: 026F3CA2

Part of subcall function 026F3980: TlsGetValue.KERNEL32(-00000001,026FDE18,026F3B80,00000000,026F37E7,?,?,026F304C), ref: 026F3988
Part of subcall function 026F3980: GetLastError.KERNEL32(?,?,026F304C), ref: 026F3996

TlsGetValue.KERNEL32 ref: 026F3C88

Strings

MW Win32 Runtime, xrefs: 026F3C96
Could not allocate thread local data., xrefs: 026F3C9B

Memory Dump Source

Source File: 00000001.00000002.2876409748.00000000026F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000001.00000002.2876395659.00000000026F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876428511.00000000026F5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876443259.00000000026F7000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26f0000_WindowsLoader.jbxd

Similarity

API ID: Value$ErrorLastMessage
String ID: Could not allocate thread local data.$MW Win32 Runtime
API String ID: 1449083153-2242202967
Opcode ID: c398bfb84c3ebb9aac745ad2cfab46f35b35a58d2a46ebd6ffa2a64e2c1a2371
Instruction ID: ee591deb9562c649daa2da2ec4cc4426c8a5e512b7581c6f0d4852edacb48d98
Opcode Fuzzy Hash: c398bfb84c3ebb9aac745ad2cfab46f35b35a58d2a46ebd6ffa2a64e2c1a2371
Instruction Fuzzy Hash: F7E012327C8341ABFFC02BD0AC89B1976559B1470AF1154A9F709993E0DFB598F49514

Uniqueness

Uniqueness Score: -1.00%

Function 00DA3DE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27windowCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00DA4F90,00000001,?,00DA354C), ref: 00DA3DE7
MessageBoxA.USER32(00000000,Could not allocate thread local data.,MW Win32 Runtime,00000030), ref: 00DA3E22

Part of subcall function 00DA3B00: TlsGetValue.KERNEL32(-00000001,00DADDB8,00DA3D00,00000000,00DA4207,?,?,00DA354C), ref: 00DA3B08
Part of subcall function 00DA3B00: GetLastError.KERNEL32(?,?,00DA354C), ref: 00DA3B16

TlsGetValue.KERNEL32 ref: 00DA3E08

Strings

Could not allocate thread local data., xrefs: 00DA3E1B
MW Win32 Runtime, xrefs: 00DA3E16

Memory Dump Source

Source File: 00000001.00000002.2876128112.0000000000DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000001.00000002.2876112704.0000000000DA0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876145215.0000000000DA7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876159981.0000000000DA8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_da0000_WindowsLoader.jbxd

Similarity

API ID: Value$ErrorLastMessage
String ID: Could not allocate thread local data.$MW Win32 Runtime
API String ID: 1449083153-2242202967
Opcode ID: 7ccc23fb01151a04cda0cdc9e55bedc345253691013d32b5028073b4332c7f30
Instruction ID: d41a5bad192f3ff8fa0d051aab293970762bc74666c41c599283b2b41a4cf611
Opcode Fuzzy Hash: 7ccc23fb01151a04cda0cdc9e55bedc345253691013d32b5028073b4332c7f30
Instruction Fuzzy Hash: 8BE092303643026BE7052FD4AC96B26B616E717751F140128F605C92E1DBE19E14C635

Uniqueness

Uniqueness Score: -1.00%

Function 026B3E80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27windowCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,026B5030,00000001,?,026B35EC), ref: 026B3E87
MessageBoxA.USER32(00000000,Could not allocate thread local data.,MW Win32 Runtime,00000030), ref: 026B3EC2

Part of subcall function 026B3BA0: TlsGetValue.KERNEL32(-00000001,026BFDC0,026B3DA0,00000000,026B42A7,?,?,026B35EC), ref: 026B3BA8
Part of subcall function 026B3BA0: GetLastError.KERNEL32(?,?,026B35EC), ref: 026B3BB6

TlsGetValue.KERNEL32 ref: 026B3EA8

Strings

Could not allocate thread local data., xrefs: 026B3EBB
MW Win32 Runtime, xrefs: 026B3EB6

Memory Dump Source

Source File: 00000001.00000002.2876285867.00000000026B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026B0000, based on PE: true

Associated: 00000001.00000002.2876271806.00000000026B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876301547.00000000026B7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876315449.00000000026B9000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26b0000_WindowsLoader.jbxd

Similarity

API ID: Value$ErrorLastMessage
String ID: Could not allocate thread local data.$MW Win32 Runtime
API String ID: 1449083153-2242202967
Opcode ID: 4a9039ce0aa70a6775b86566e0b699204bd62050179338b8ea22d17831113b85
Instruction ID: 59f35ed92eb5c78e501454c5d45f7408bc42951bbad3a491ad914d2663ce1b13
Opcode Fuzzy Hash: 4a9039ce0aa70a6775b86566e0b699204bd62050179338b8ea22d17831113b85
Instruction Fuzzy Hash: 1FE06D30BC83016FF7472AD0A8D5B593712AF20705F24042BF60164280DBB1ACF48B09

Uniqueness

Uniqueness Score: -1.00%

Function 02F9D420 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27windowCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,02F9FE70,00000001,?,02F9CE8C), ref: 02F9D427
MessageBoxA.USER32(00000000,Could not allocate thread local data.,MW Win32 Runtime,00000030), ref: 02F9D462

Part of subcall function 02F9D140: TlsGetValue.KERNEL32(-00000001,02FAC8D8,02F9D340,00000000,02F9F1D7,?,?,02F9CE8C), ref: 02F9D148
Part of subcall function 02F9D140: GetLastError.KERNEL32(?,?,02F9CE8C), ref: 02F9D156

TlsGetValue.KERNEL32 ref: 02F9D448

Strings

MW Win32 Runtime, xrefs: 02F9D456
Could not allocate thread local data., xrefs: 02F9D45B

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Value$ErrorLastMessage
String ID: Could not allocate thread local data.$MW Win32 Runtime
API String ID: 1449083153-2242202967
Opcode ID: a93a2f48831e14121caa7523e0cb375736d39a3a06c0f4c8d835abf31fc17cbb
Instruction ID: 2695860e37f3cccf447666434dde3efd2a467cefdb3f82f6e44a01f78d231bc3
Opcode Fuzzy Hash: a93a2f48831e14121caa7523e0cb375736d39a3a06c0f4c8d835abf31fc17cbb
Instruction Fuzzy Hash: 35E092F0BC5306ABFF043A94AEA5B257798AB047C9F240434F301D81A0DFE1AC608924

Uniqueness

Uniqueness Score: -1.00%

Function 02703970 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27windowCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,02704080,00000001,?,02702D5C), ref: 02703977
MessageBoxA.USER32(00000000,Could not allocate thread local data.,MW Win32 Runtime,00000030), ref: 027039B2

Part of subcall function 02703690: TlsGetValue.KERNEL32(-00000001,0270DE20,02703890,00000000,027034F7,?,?,02702D5C), ref: 02703698
Part of subcall function 02703690: GetLastError.KERNEL32(?,?,02702D5C), ref: 027036A6

TlsGetValue.KERNEL32 ref: 02703998

Strings

Could not allocate thread local data., xrefs: 027039AB
MW Win32 Runtime, xrefs: 027039A6

Memory Dump Source

Source File: 00000001.00000002.2876472916.0000000002701000.00000020.00001000.00020000.00000000.sdmp, Offset: 02700000, based on PE: true

Associated: 00000001.00000002.2876458961.0000000002700000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876487733.0000000002705000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876501732.0000000002707000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876501732.000000000270B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2700000_WindowsLoader.jbxd

Similarity

API ID: Value$ErrorLastMessage
String ID: Could not allocate thread local data.$MW Win32 Runtime
API String ID: 1449083153-2242202967
Opcode ID: 7ea147f39325177337fc7416cbe9179d9257e38c4fa25976531740ba0cc6e694
Instruction ID: 3c30d3bbdf9e31a51b725d511eedcc95d0a3046499a8b77c6f4a0acba609aea8
Opcode Fuzzy Hash: 7ea147f39325177337fc7416cbe9179d9257e38c4fa25976531740ba0cc6e694
Instruction Fuzzy Hash: F1E01271BA4701EBF7112FE0ECC9B152AD5AB0874DF1084A5FA15942D6DFF1982C891B

Uniqueness

Uniqueness Score: -1.00%

Function 026D34F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27windowCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,026D5660,00000001,?,026D2F5C), ref: 026D34F7
MessageBoxA.USER32(00000000,Could not allocate thread local data.,MW Win32 Runtime,00000030), ref: 026D3532

Part of subcall function 026D3210: TlsGetValue.KERNEL32(-00000001,026DED90,026D3410,00000000,026D4C87,?,?,026D2F5C), ref: 026D3218
Part of subcall function 026D3210: GetLastError.KERNEL32(?,?,026D2F5C), ref: 026D3226

TlsGetValue.KERNEL32 ref: 026D3518

Strings

Could not allocate thread local data., xrefs: 026D352B
MW Win32 Runtime, xrefs: 026D3526

Memory Dump Source

Source File: 00000001.00000002.2876347313.00000000026D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.2876333042.00000000026D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876365156.00000000026D6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876379783.00000000026D8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_WindowsLoader.jbxd

Similarity

API ID: Value$ErrorLastMessage
String ID: Could not allocate thread local data.$MW Win32 Runtime
API String ID: 1449083153-2242202967
Opcode ID: fad18409212805b62cc0705e6e71117739499e3e472282a73af868c6d3fd950d
Instruction ID: ef2f53dd9907ff251e91c6a51acc33854841d77b4028ede41d6ccbc091ec4343
Opcode Fuzzy Hash: fad18409212805b62cc0705e6e71117739499e3e472282a73af868c6d3fd950d
Instruction Fuzzy Hash: 67E01230FC730E7BF7542B91ED85B293755A718B0AF141568F605D9290EFB158B08E16

Uniqueness

Uniqueness Score: -1.00%

Function 100077C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27windowCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,1000FB50,00000001,?,10004C6C), ref: 100077C7
MessageBoxA.USER32(00000000,Could not allocate thread local data.,MW Win32 Runtime,00000030), ref: 10007802

Part of subcall function 100074E0: TlsGetValue.KERNEL32(-00000001,1001E080,100076E0,00000000,1000A5A7,?,?,10004C6C), ref: 100074E8
Part of subcall function 100074E0: GetLastError.KERNEL32(?,?,10004C6C), ref: 100074F6

TlsGetValue.KERNEL32 ref: 100077E8

Strings

MW Win32 Runtime, xrefs: 100077F6
Could not allocate thread local data., xrefs: 100077FB

Memory Dump Source

Source File: 00000001.00000002.2877213525.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2877196871.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2877231222.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2877245622.0000000010014000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_WindowsLoader.jbxd

Similarity

API ID: Value$ErrorLastMessage
String ID: Could not allocate thread local data.$MW Win32 Runtime
API String ID: 1449083153-2242202967
Opcode ID: a8b13ffb1c69c31345eedc6610f282c641206430738aefdbbcb85f6205ca52ed
Instruction ID: fa1804e83d4ada8a387969f3d1deee0b5586c42a8c81afdce5c623d4c29944d0
Opcode Fuzzy Hash: a8b13ffb1c69c31345eedc6610f282c641206430738aefdbbcb85f6205ca52ed
Instruction Fuzzy Hash: 6CE06D30248212ABF2015BD0CCD9B152698F7083E5F10C134F2089B0A5DFB5D8C0C614

Uniqueness

Uniqueness Score: -1.00%

Function 00421220 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(msvcrt.dll), ref: 00421238
GetProcAddress.KERNEL32(00000000,_fdopen), ref: 00421249

Strings

_fdopen, xrefs: 0042123E
r+b, xrefs: 00421264
msvcrt.dll, xrefs: 0042122C

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: _fdopen$msvcrt.dll$r+b
API String ID: 2574300362-3792600504
Opcode ID: 4c5664c8c909828884d1f46142b11bff79103c1bb52e49b7f236f9279ca1cffb
Instruction ID: c13519b3aec006094295a53e5dfa2a6d42840ce25ed864d9758e35cb6b427631
Opcode Fuzzy Hash: 4c5664c8c909828884d1f46142b11bff79103c1bb52e49b7f236f9279ca1cffb
Instruction Fuzzy Hash: 9DE06570644B85AED7049FA8BC44B353B946774785F442849FA0DE52E0E2BC508CE754

Uniqueness

Uniqueness Score: -1.00%

Function 00423260 Relevance: 7.8, APIs: 5, Instructions: 322timeCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004232A0
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004232B2
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004232C7
GetSystemTime.KERNEL32(?), ref: 00423510
GetSystemTime.KERNEL32(?), ref: 00423610

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$SystemTime$EnterInitializeLeave
String ID:
API String ID: 83708466-0
Opcode ID: f1b78e075314d06b94cedd4f71f7c637c27856e55d0f9dbc8a029e45e529e799
Instruction ID: dd3f2db73147a58c785069cff6cdf79c93e053699846d9f5410cc16b4897b289
Opcode Fuzzy Hash: f1b78e075314d06b94cedd4f71f7c637c27856e55d0f9dbc8a029e45e529e799
Instruction Fuzzy Hash: 14C19530A002259BCB25EF14EC517AA77B4BF05745F8441E6E80AAB385DB3CEF85CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0041B6E0 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 0041B735
SetStretchBltMode.GDI32(?,00000003), ref: 0041B741
SelectObject.GDI32(00000000,?), ref: 0041B7DF
DeleteDC.GDI32(00000000), ref: 0041B808

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ObjectSelect$DeleteModeStretch
String ID:
API String ID: 1778814800-0
Opcode ID: e12ce2ff5f241957e327575d836651cb52f8c9266131e518101727b2bd2012ab
Instruction ID: 8b53bf280fab5591f7ee40e3d9282174377eb7f1e99455c1336237541af4b84a
Opcode Fuzzy Hash: e12ce2ff5f241957e327575d836651cb52f8c9266131e518101727b2bd2012ab
Instruction Fuzzy Hash: D641F875A00205AFDB04CFA9DC98EAFBBB9EF88310F148119F919D3254DB34A945DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041B5A0 Relevance: 7.6, APIs: 5, Instructions: 130windowCOMMON

Download Yara Rule

APIs

GlobalFix.KERNEL32(?), ref: 0041B5BE
SetStretchBltMode.GDI32(?,00000003), ref: 0041B5FC
SetDIBitsToDevice.GDI32(?,?,?,?,?,?,?,00000000,?,?,00000000,00000000), ref: 0041B66C
GlobalUnWire.KERNEL32(?), ref: 0041B6B0

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Global$BitsDeviceModeStretchWire
String ID:
API String ID: 198352536-0
Opcode ID: 7a5549933cce9265f2b536b3dac7808f3456ab9b91bda46d5335f881515ca793
Instruction ID: fc0c999af8f859fddf1bfd736a28df40c5f0eec5144cb314e28180e4da172023
Opcode Fuzzy Hash: 7a5549933cce9265f2b536b3dac7808f3456ab9b91bda46d5335f881515ca793
Instruction Fuzzy Hash: F6411675A00215AFDB10CFA9D988EAABBF9EF58310F108559F909DB344D734ED80DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041E750 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0041E790
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0041E7A2
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0041E7BB
_malloc.LIBCMT ref: 0041E7DE
_memset.LIBCMT ref: 0041E82C

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave_malloc_memset
String ID:
API String ID: 769329994-0
Opcode ID: 977085db6c368bc3025c59d841e33f6b78ba8c3f99569398eda34811d99751b4
Instruction ID: 0f21fcb847318453f60571baa25c0fa9362842206d3768715b0d856a84f325a3
Opcode Fuzzy Hash: 977085db6c368bc3025c59d841e33f6b78ba8c3f99569398eda34811d99751b4
Instruction Fuzzy Hash: 7B312375A002019FE720DF6AD885A6BB7E8EF84710F10852EED4DC7381E734A8808B91

Uniqueness

Uniqueness Score: -1.00%

Function 02F919DB Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 02F91A0E
AppendMenuA.USER32(?,00000800,000003E8,00000000), ref: 02F91A3A
AppendMenuW.USER32(?,00000000,000003E8,00000000), ref: 02F91AD4
ClientToScreen.USER32(00000000,?), ref: 02F91BBB
TrackPopupMenu.USER32(?,00000180,?,?,00000000,00000000,00000000), ref: 02F91BD7
DestroyMenu.USER32(?), ref: 02F91BE3

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Menu$AppendPopup$ClientCreateDestroyScreenTrack
String ID:
API String ID: 2148485350-0
Opcode ID: a7c253aa10437558922975fa77641337e9b5ada3c19ca9c4f902789ce5d3ea99
Instruction ID: 6c9a46875aca912c5908d505f1cd4578546c6957b6637db2cd29e6d61a4e11da
Opcode Fuzzy Hash: a7c253aa10437558922975fa77641337e9b5ada3c19ca9c4f902789ce5d3ea99
Instruction Fuzzy Hash: 8731E072908344AFEF219F14DC44BAFBBE5EF84784F14092DFA88661A0E7B19954CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0269278F Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 026927DD
SafeArrayGetUBound.OLEAUT32(?,00000001,00000000), ref: 026927EE
SafeArrayGetElement.OLEAUT32(?,00000000,?), ref: 02692827
SysFreeString.OLEAUT32(?), ref: 02692850
SafeArrayDestroy.OLEAUT32 ref: 02692872

Memory Dump Source

Source File: 00000001.00000002.2876226182.0000000002691000.00000020.00001000.00020000.00000000.sdmp, Offset: 02690000, based on PE: true

Associated: 00000001.00000002.2876210818.0000000002690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876241992.0000000002698000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876257033.000000000269B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2690000_WindowsLoader.jbxd

Similarity

API ID: ArraySafe$Bound$DestroyElementFreeString
String ID:
API String ID: 897418820-0
Opcode ID: de529b049f85dda88b51407746be9b5b7b2b7bf8e1e444cd445220d95d210d1e
Instruction ID: cd21c2f26f8165b8dad597151386439f224b7d735d9ff65a3082fc14af30f2dc
Opcode Fuzzy Hash: de529b049f85dda88b51407746be9b5b7b2b7bf8e1e444cd445220d95d210d1e
Instruction Fuzzy Hash: 2E315C31508305BFEB10AF24D884B2EB7ECFF44751F10892DF89996290DB71A898CF56

Uniqueness

Uniqueness Score: -1.00%

Function 004AC560 Relevance: 7.6, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AC576
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AC588
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC5A7
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC5DF
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AC62F

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterInitialize
String ID:
API String ID: 3864236774-0
Opcode ID: ae56f5eda62031a70124ab6aede3225def4a15e6b16eb8809193df09e27d0471
Instruction ID: 92de9cbcb6354d8384d2eb6af127fa1561722df5019352650d93fd67133ddacf
Opcode Fuzzy Hash: ae56f5eda62031a70124ab6aede3225def4a15e6b16eb8809193df09e27d0471
Instruction Fuzzy Hash: BD21B5316003149FEB549F1DEC84656BBE8BF66324B0505EEEC48AB350DBB89D449BC5

Uniqueness

Uniqueness Score: -1.00%

Function 026D1AE0 Relevance: 7.5, APIs: 5, Instructions: 48timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000000,?,026D1029,?), ref: 026D1B05
CloseHandle.KERNEL32(?,00000000,?,026D1029,?), ref: 026D1B18
CloseHandle.KERNEL32(?,00000000,?,026D1029,?), ref: 026D1B28
CloseHandle.KERNEL32(?,00000000,?,026D1029,?), ref: 026D1B38
CloseHandle.KERNEL32(?,00000000,?,026D1029,?), ref: 026D1B48

Memory Dump Source

Source File: 00000001.00000002.2876347313.00000000026D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.2876333042.00000000026D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876365156.00000000026D6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876379783.00000000026D8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_WindowsLoader.jbxd

Similarity

API ID: CloseHandle$KillTimer
String ID:
API String ID: 382129482-0
Opcode ID: b598bfd12b322dd3fc66a012e92041c616326875626bfe441e5fc10c17ceae47
Instruction ID: 35cf910b697e7a94752c514c4d2402c537b28a8e07d26ef88c8ba731fff81279
Opcode Fuzzy Hash: b598bfd12b322dd3fc66a012e92041c616326875626bfe441e5fc10c17ceae47
Instruction Fuzzy Hash: A2019274F012089FDB508F69DC98F1637E8AB4C709F259598EC08CB34AEB75E890CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00421B10 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 197COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00421D44
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00421D56
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 00421D68

Strings

0000, xrefs: 00421C5B

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: 0000
API String ID: 3991485460-211534962
Opcode ID: 6a2291e6cac8b61adf1f99c43c42d37aefaad8eab3c8c5d0fac38b11e6b4a014
Instruction ID: 22ceb552526f54e05d2b591bf7f663f334f99aef7a15a907d5b0361ea9f3ae3d
Opcode Fuzzy Hash: 6a2291e6cac8b61adf1f99c43c42d37aefaad8eab3c8c5d0fac38b11e6b4a014
Instruction Fuzzy Hash: 4C61D4B2A043209BC720EF55D48061BB7F4AFA4714F454A6EF9846B316D778ED088BDA

Uniqueness

Uniqueness Score: -1.00%

Function 004132E0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 196COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 00413433
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 00413445
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0041345E

Strings

,, xrefs: 00413511

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: ,
API String ID: 3991485460-3772416878
Opcode ID: a78478188f54bb8310335e978c174d7e6bba4064cdefb881aa49c11ed7804f48
Instruction ID: 12dfbd3baf00a84b481b6c7eb5c8ba11274302a6bbe009ead272036a8769d6cc
Opcode Fuzzy Hash: a78478188f54bb8310335e978c174d7e6bba4064cdefb881aa49c11ed7804f48
Instruction Fuzzy Hash: 3A610AB0608301AFD711DF29C885AABBBE9FFC4758F004A5EF4D983251D7389A85CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0055BD20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0055BD94
GetClassNameA.USER32(?,?,00000100), ref: 0055BDAC
GetWindowLongA.USER32(?,000000F0), ref: 0055BE91

Strings

BUTTON, xrefs: 0055BDBF

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ClassLongNameWindow_memset
String ID: BUTTON
API String ID: 883063418-3405671355
Opcode ID: 7f5de2ecdebf78b40e054c0bc40bb24b4c844b6774a6072677830ec670b14a89
Instruction ID: 88ef8f36758116369a8667ddc5c72c9a8a01202092b14f42ed547a2d3700028f
Opcode Fuzzy Hash: 7f5de2ecdebf78b40e054c0bc40bb24b4c844b6774a6072677830ec670b14a89
Instruction Fuzzy Hash: 4C416C71D0022C8BDB24DF24CC967D9B7B9BB59310F1842DADA48A7251D770AEC88FC0

Uniqueness

Uniqueness Score: -1.00%

Function 00556470 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 0041A360: _memset.LIBCMT ref: 0041A391
Part of subcall function 0041A360: GetVersionExA.KERNEL32(?), ref: 0041A3AA

CreateWindowExA.USER32(00000000,RB_MDICHILD,0057E81C,00000000,?,0055A352,?,76ECFFB0,?,?), ref: 00556557

Part of subcall function 004ABC10: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000,00000000,00000000,00000008,?,?,0054664D,00000000), ref: 004ABC52
Part of subcall function 004ABC10: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0057E81C,00000000,?,00000000,?,?,0054664D), ref: 004ABCAB

CreateWindowExW.USER32(00000000,RB_MDICHILD,005F4C08,00000000,80000000,80000000,00000000,76ECFFB0,00000000,00000000,00400000,00000000), ref: 005564D7

Strings

RB_MDICHILD, xrefs: 00556551
RB_MDICHILD, xrefs: 005564D1

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ByteCharCreateMultiWideWindow$Version_memset
String ID: RB_MDICHILD$RB_MDICHILD
API String ID: 4292999437-629717569
Opcode ID: 27453dadbba754654a9947a7b3c4bf5e429784ac1dd97aeabf4169bf2863bfe8
Instruction ID: 5357508957d34f70be1651430f3ad114866a89ad1bfbc22ee4490c97da6287e1
Opcode Fuzzy Hash: 27453dadbba754654a9947a7b3c4bf5e429784ac1dd97aeabf4169bf2863bfe8
Instruction Fuzzy Hash: FA318DB2600214ABDB10DF58EC85F6B7BACFB99750F95410AFD08A7205E674EC14CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00420E50 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A360: _memset.LIBCMT ref: 0041A391
Part of subcall function 0041A360: GetVersionExA.KERNEL32(?), ref: 0041A3AA

CreateFileW.KERNEL32(005F4C08,C0000000,00000001,00000000,00000002,00000080,00000000,?), ref: 00420EC0
CreateFileA.KERNEL32(0057E81C), ref: 00420F09
GetLastError.KERNEL32 ref: 00420F24

Part of subcall function 004ABC10: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000,00000000,00000000,00000008,?,?,0054664D,00000000), ref: 004ABC52
Part of subcall function 004ABC10: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0057E81C,00000000,?,00000000,?,?,0054664D), ref: 004ABCAB

Strings

..\..\..\..\Universal\REALstring.cpp, xrefs: 00420E93

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ByteCharCreateFileMultiWide$ErrorLastVersion_memset
String ID: ..\..\..\..\Universal\REALstring.cpp
API String ID: 2612109348-192369463
Opcode ID: 1ae86e5b253941f5fd676cda002e9df24e3b8c270472fdb7b73ae6de8c7e919f
Instruction ID: 904ca5c680160ae5418cb12737a12aad7a35eb076e8e3bf11139814e241fe819
Opcode Fuzzy Hash: 1ae86e5b253941f5fd676cda002e9df24e3b8c270472fdb7b73ae6de8c7e919f
Instruction Fuzzy Hash: 5E313431740314ABE7209B29ED86B5677D8BF15710F81826AF908AB282C7B4EC44C6A8

Uniqueness

Uniqueness Score: -1.00%

Function 00556370 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 0041A360: _memset.LIBCMT ref: 0041A391
Part of subcall function 0041A360: GetVersionExA.KERNEL32(?), ref: 0041A3AA

CreateMDIWindowA.USER32(RB_MDICHILD,0057E81C,00000000,?,?,0055A2BF,?,00000000,?), ref: 00556444

Part of subcall function 004ABC10: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000,00000000,00000000,00000008,?,?,0054664D,00000000), ref: 004ABC52
Part of subcall function 004ABC10: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0057E81C,00000000,?,00000000,?,?,0054664D), ref: 004ABCAB

CreateMDIWindowW.USER32(RB_MDICHILD,005F4C08,00000000,80000000,80000000,76ECFFB0,?,00000000,00400000,00000000), ref: 005563CE

Strings

RB_MDICHILD, xrefs: 0055643F
RB_MDICHILD, xrefs: 005563C9

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: ByteCharCreateMultiWideWindow$Version_memset
String ID: RB_MDICHILD$RB_MDICHILD
API String ID: 4292999437-629717569
Opcode ID: 531becd71ecdd16ce558943437f18872521ae1361ceaedfea22129b183097786
Instruction ID: 2d1a0533c1d18d6f7e4daffc407aad28f13cc2b420f32a6bb6c99169c31c7410
Opcode Fuzzy Hash: 531becd71ecdd16ce558943437f18872521ae1361ceaedfea22129b183097786
Instruction Fuzzy Hash: 1A218C72600258ABDB209B49EC91E7B7BACFB95754F55411EBD0897301EB30EC04DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004F1780 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004F17EC
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004F17FE
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004F1825

Strings

Bitwise, xrefs: 004F17B2

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: Bitwise
API String ID: 3991485460-3849680091
Opcode ID: af6fb427c8afd9aac3c1602fa2ea3b697a48fc668e603dc073128b1fc293477c
Instruction ID: 84ef5630711b138a9a92202b9afad4bec26be96e7a3cbbd45d40fb959ebc60f5
Opcode Fuzzy Hash: af6fb427c8afd9aac3c1602fa2ea3b697a48fc668e603dc073128b1fc293477c
Instruction Fuzzy Hash: 69118C74940348DBE7147B55EC057273FA6AB53718F04019EFA0C2B362C7BD194487D1

Uniqueness

Uniqueness Score: -1.00%

Function 0041D2B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0041D2D7
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0041D2E9
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0041D31C

Strings

DataChanged, xrefs: 0041D309

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: DataChanged
API String ID: 3991485460-1931435307
Opcode ID: e7645c25fc55cc93231221b4418fbf5d6d8eff927cd313992263a66cc5d080de
Instruction ID: b514576725eb750f2e126224af2cea86b501cdc1f44282ea07ff02523293f996
Opcode Fuzzy Hash: e7645c25fc55cc93231221b4418fbf5d6d8eff927cd313992263a66cc5d080de
Instruction Fuzzy Hash: 6D11E5B5A003045BEB10AF55EC85B573BA4AF55720F08005EFC449B346C77CDC84CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041D360 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0041D387
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0041D399
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0041D3CC

Strings

PerformAction, xrefs: 0041D3B9

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: PerformAction
API String ID: 3991485460-3134466132
Opcode ID: b818a68bef8fdd4cd9c63d10163e53138f6a244193ef4300fb4db0058585840e
Instruction ID: 3e01ea91f469c145b7b6ba05449010fde4e9b4e6f1b9feaeb6f70cab8ada37ca
Opcode Fuzzy Hash: b818a68bef8fdd4cd9c63d10163e53138f6a244193ef4300fb4db0058585840e
Instruction Fuzzy Hash: FD11E5B5A003045BEB10AB55DC85B573BA4AF54724F08005EFC489B346D77CE888CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0041D410 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 0041D437
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 0041D449
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 0041D47C

Strings

listDataReload, xrefs: 0041D469

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: listDataReload
API String ID: 3991485460-782124486
Opcode ID: f5ca64c53d00f4eaf894212c368bc51f3731b23d4a9dd47e60ec23f1e3e8b25d
Instruction ID: 377ad161ad5f45751664b34d62763bee7e8c6c1d94409427b3dbf7bdbd80c07e
Opcode Fuzzy Hash: f5ca64c53d00f4eaf894212c368bc51f3731b23d4a9dd47e60ec23f1e3e8b25d
Instruction Fuzzy Hash: 861108B1A003105BEB10AF55EC85B633BE8AF54725F08405EFD48AB345C7BCE884CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6D0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0041A6DB
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0041A6ED
FreeLibrary.KERNEL32(00000000), ref: 0041A727

Strings

DllGetVersion, xrefs: 0041A6E7

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: DllGetVersion
API String ID: 145871493-2861820592
Opcode ID: 621b7c974348d3c53731f8c8670bfe3656fec54250fa3ab1800704e3fc2dc359
Instruction ID: 1ec6227fe9e68e867dc99945e33228df8ed3662b25bbccb6eb1557687f52e5b6
Opcode Fuzzy Hash: 621b7c974348d3c53731f8c8670bfe3656fec54250fa3ab1800704e3fc2dc359
Instruction Fuzzy Hash: F9F0A471D052296797149FAAAC045EF7BB8EF84740B00416BF819E3380DB34864497B5

Uniqueness

Uniqueness Score: -1.00%

Function 00503CC0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32,75C50660,00504D01), ref: 00503CFB
GetProcAddress.KERNEL32(?,DeleteFiber), ref: 00503D25

Strings

kernel32, xrefs: 00503CF6
DeleteFiber, xrefs: 00503D1F

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: DeleteFiber$kernel32
API String ID: 2574300362-2590593264
Opcode ID: e331e1dc742642358bbd1443b4a9b8bd592b9a7597f1f460fe2ebe0f96879fdb
Instruction ID: 97fe11fbe3ebf913d40c9b17685c2bbc63fba1997e38705afef3b281e1d33831
Opcode Fuzzy Hash: e331e1dc742642358bbd1443b4a9b8bd592b9a7597f1f460fe2ebe0f96879fdb
Instruction Fuzzy Hash: 2D0186B16003418FEB148FA5BC89B393FE8F724340F14855ADC46CB1A5DB798D44EB11

Uniqueness

Uniqueness Score: -1.00%

Function 02F91080 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 02F9108E
GetClassNameA.USER32(00000000,000000FF,000000FF), ref: 02F910AB
GetParent.USER32(00000000), ref: 02F910C7

Strings

SysTabControl32, xrefs: 02F910B1

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Parent$ClassName
String ID: SysTabControl32
API String ID: 2950633569-1221429905
Opcode ID: 86685ace213b493bf4afe88fc34d8d5a3862ec675a51fdb6a468774239364ff6
Instruction ID: 2b64f4f3299db12102c6ecadc5ac8a4f8fe93337778724821dc4279ebe70a143
Opcode Fuzzy Hash: 86685ace213b493bf4afe88fc34d8d5a3862ec675a51fdb6a468774239364ff6
Instruction Fuzzy Hash: 6FF0A0FAE003075BFB209AA0EC84BB77698AB48784F040838F64985052EBB1D8184701

Uniqueness

Uniqueness Score: -1.00%

Function 00421170 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(msvcrt.dll), ref: 00421188
GetProcAddress.KERNEL32(00000000,_open_osfhandle), ref: 004211A2

Strings

_open_osfhandle, xrefs: 0042119C
msvcrt.dll, xrefs: 0042117C

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: _open_osfhandle$msvcrt.dll
API String ID: 2574300362-1526513292
Opcode ID: aec0eff9a3d28a36af979616e89c8b5020bc280e6255b5705fbb2032b730ecfa
Instruction ID: 540d601b8794ed679b998c95f75d2b61861f105e6aba06e6e882e99b7f87dbcb
Opcode Fuzzy Hash: aec0eff9a3d28a36af979616e89c8b5020bc280e6255b5705fbb2032b730ecfa
Instruction Fuzzy Hash: DAF0A0307407445EE7108FADBC04B393E986B38390F80890AE71CC62E0E7B88458EB54

Uniqueness

Uniqueness Score: -1.00%

Function 004AB970 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB981
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB993
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB9C2

Strings

MS Sans Serif, xrefs: 004AB9B3

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID: MS Sans Serif
API String ID: 3991485460-168460110
Opcode ID: ffe552dd682293dabf9e715eaf5e218e18d1b264e753ae44e24019132dd474f2
Instruction ID: 5530d260801a8edbd6d604b6625f237394509c3d6f8b7b9c910f267483019b3a
Opcode Fuzzy Hash: ffe552dd682293dabf9e715eaf5e218e18d1b264e753ae44e24019132dd474f2
Instruction Fuzzy Hash: A5F0E5B06002046BFB10A765EC89F277FA8EF72710F044096B9889A31AC36C8448DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00421120 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(msvcrt.dll), ref: 00421138
GetProcAddress.KERNEL32(00000000,_get_osfhandle), ref: 00421152

Strings

_get_osfhandle, xrefs: 0042114C
msvcrt.dll, xrefs: 0042112C

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: _get_osfhandle$msvcrt.dll
API String ID: 2574300362-1729355977
Opcode ID: 8e9ec59248bf47aeda0f0b72270f443a9297c677a8b18057bfbb69cf63c8823d
Instruction ID: a3bc126585c7bed3f6d0eb78e8a4996ade2740756690489237f55c15499c431d
Opcode Fuzzy Hash: 8e9ec59248bf47aeda0f0b72270f443a9297c677a8b18057bfbb69cf63c8823d
Instruction Fuzzy Hash: 34E03030694B445AD7009FACBC447713B986B35794B805909AB0DC52F0E7B98498E754

Uniqueness

Uniqueness Score: -1.00%

Function 004211D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(msvcrt.dll), ref: 004211E8
GetProcAddress.KERNEL32(00000000,_fileno), ref: 00421202

Strings

_fileno, xrefs: 004211FC
msvcrt.dll, xrefs: 004211DC

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: _fileno$msvcrt.dll
API String ID: 2574300362-1460868816
Opcode ID: f93fabbdf84d1d531267970bfdd66b7d66edfb7d45e564480b58f033b5786873
Instruction ID: 90b2a38ad295d6da94894c8560175aab954ca979aafc0af284ae20d7d0e13b39
Opcode Fuzzy Hash: f93fabbdf84d1d531267970bfdd66b7d66edfb7d45e564480b58f033b5786873
Instruction Fuzzy Hash: 76E0A9306407889ED7108FB9BC04B393B986B34791B80590AA60CC22E0E7F88088E720

Uniqueness

Uniqueness Score: -1.00%

Function 02694A60 Relevance: 6.4, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(-00000001,026A0DB8,02694C60,00000000,02695167,?,?,026944AC), ref: 02694A68
GetLastError.KERNEL32(?,?,026944AC), ref: 02694A76

Part of subcall function 02695D30: EnterCriticalSection.KERNEL32(026A0DE8,-00000001,026A0DB8,02694A8E,000001D0,?,?,026944AC), ref: 02695D38
Part of subcall function 02695D30: LeaveCriticalSection.KERNEL32(026A0DE8,?,?,026944AC), ref: 02695D52

EnterCriticalSection.KERNEL32(026A0E48,?,?,026944AC), ref: 02694AA6
LeaveCriticalSection.KERNEL32(026A0E48,?,?,026944AC), ref: 02694ABB
TlsSetValue.KERNEL32(00000000), ref: 02694C34

Memory Dump Source

Source File: 00000001.00000002.2876226182.0000000002691000.00000020.00001000.00020000.00000000.sdmp, Offset: 02690000, based on PE: true

Associated: 00000001.00000002.2876210818.0000000002690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876241992.0000000002698000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876257033.000000000269B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2690000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterLeaveValue$ErrorLast
String ID:
API String ID: 1628909245-0
Opcode ID: c3400ef310e309f1c46b15a427988d009482fe37ece12acf6b6e3ae67bf4df88
Instruction ID: e46668449ffe82b0a7bb5560f76355640fc979351b57690481fdfa9c46497866
Opcode Fuzzy Hash: c3400ef310e309f1c46b15a427988d009482fe37ece12acf6b6e3ae67bf4df88
Instruction Fuzzy Hash: 2F41E9B05452008FEB54CF18E5D47967BA9FB48318F1496ADDC094F38ACFB69894CF94

Uniqueness

Uniqueness Score: -1.00%

Function 026F3980 Relevance: 6.4, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(-00000001,026FDE18,026F3B80,00000000,026F37E7,?,?,026F304C), ref: 026F3988
GetLastError.KERNEL32(?,?,026F304C), ref: 026F3996

Part of subcall function 026F2F40: EnterCriticalSection.KERNEL32(026FDE48,-00000001,026FDE18,026F39AE,000001D0,?,?,026F304C), ref: 026F2F48
Part of subcall function 026F2F40: LeaveCriticalSection.KERNEL32(026FDE48,?,?,026F304C), ref: 026F2F62

EnterCriticalSection.KERNEL32(026FDEA8,?,?,026F304C), ref: 026F39C6
LeaveCriticalSection.KERNEL32(026FDEA8,?,?,026F304C), ref: 026F39DB
TlsSetValue.KERNEL32(00000000), ref: 026F3B54

Memory Dump Source

Source File: 00000001.00000002.2876409748.00000000026F1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026F0000, based on PE: true

Associated: 00000001.00000002.2876395659.00000000026F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876428511.00000000026F5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876443259.00000000026F7000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26f0000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterLeaveValue$ErrorLast
String ID:
API String ID: 1628909245-0
Opcode ID: 3ac2b2ed69cb5aed80bf977f3212c4ee888a8e286d3fb2bd99bfd1308a32b4ba
Instruction ID: 9e1f4ac23e63432f60ca1fac8b9765d4ae7a4a63be039d3e39f647df10167f50
Opcode Fuzzy Hash: 3ac2b2ed69cb5aed80bf977f3212c4ee888a8e286d3fb2bd99bfd1308a32b4ba
Instruction Fuzzy Hash: 2741D2B25452008BEF948F14E5D87867BA1FF48318F1486EADD088F39ADB769894CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00DA3B00 Relevance: 6.4, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(-00000001,00DADDB8,00DA3D00,00000000,00DA4207,?,?,00DA354C), ref: 00DA3B08
GetLastError.KERNEL32(?,?,00DA354C), ref: 00DA3B16

Part of subcall function 00DA4DD0: EnterCriticalSection.KERNEL32(00DADDE8,-00000001,00DADDB8,00DA3B2E,000001D0,?,?,00DA354C), ref: 00DA4DD8
Part of subcall function 00DA4DD0: LeaveCriticalSection.KERNEL32(00DADDE8,?,?,00DA354C), ref: 00DA4DF2

EnterCriticalSection.KERNEL32(00DADE48,?,?,00DA354C), ref: 00DA3B46
LeaveCriticalSection.KERNEL32(00DADE48,?,?,00DA354C), ref: 00DA3B5B
TlsSetValue.KERNEL32(00000000), ref: 00DA3CD4

Memory Dump Source

Source File: 00000001.00000002.2876128112.0000000000DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000001.00000002.2876112704.0000000000DA0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876145215.0000000000DA7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876159981.0000000000DA8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_da0000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterLeaveValue$ErrorLast
String ID:
API String ID: 1628909245-0
Opcode ID: 11c1cf16827d52ac01571a69646b310888fb37661bc2b3d29863c65e0d31b00a
Instruction ID: 78b65bba4ea828e56f81f0e09d3c74a50efbfd1ae82f12de0b5b3c32f54242c4
Opcode Fuzzy Hash: 11c1cf16827d52ac01571a69646b310888fb37661bc2b3d29863c65e0d31b00a
Instruction Fuzzy Hash: 6641E7B01053018FEB48CF18D8D47917BA5FB4A318F1492A9EC098F39ADBB69594CFB5

Uniqueness

Uniqueness Score: -1.00%

Function 026B3BA0 Relevance: 6.4, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(-00000001,026BFDC0,026B3DA0,00000000,026B42A7,?,?,026B35EC), ref: 026B3BA8
GetLastError.KERNEL32(?,?,026B35EC), ref: 026B3BB6

Part of subcall function 026B4E70: EnterCriticalSection.KERNEL32(026BFDF0,-00000001,026BFDC0,026B3BCE,000001D0,?,?,026B35EC), ref: 026B4E78
Part of subcall function 026B4E70: LeaveCriticalSection.KERNEL32(026BFDF0,?,?,026B35EC), ref: 026B4E92

EnterCriticalSection.KERNEL32(026BFE50,?,?,026B35EC), ref: 026B3BE6
LeaveCriticalSection.KERNEL32(026BFE50,?,?,026B35EC), ref: 026B3BFB
TlsSetValue.KERNEL32(00000000), ref: 026B3D74

Memory Dump Source

Source File: 00000001.00000002.2876285867.00000000026B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026B0000, based on PE: true

Associated: 00000001.00000002.2876271806.00000000026B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876301547.00000000026B7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876315449.00000000026B9000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26b0000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterLeaveValue$ErrorLast
String ID:
API String ID: 1628909245-0
Opcode ID: 75c08fd73a2e8e5b67f8e2990fcd3a00b64749d40f787a6dbb2bd4f790126ed1
Instruction ID: 654e852879165f046c9070ec08468508bff0c83682e581dfd368d98f363e88f2
Opcode Fuzzy Hash: 75c08fd73a2e8e5b67f8e2990fcd3a00b64749d40f787a6dbb2bd4f790126ed1
Instruction Fuzzy Hash: AE4103B0A452018FEB4ACF54D4D47867BA1FF48319F1496AEEC084E38ADB7698D4CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F9D140 Relevance: 6.4, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(-00000001,02FAC8D8,02F9D340,00000000,02F9F1D7,?,?,02F9CE8C), ref: 02F9D148
GetLastError.KERNEL32(?,?,02F9CE8C), ref: 02F9D156

Part of subcall function 02F9AD10: EnterCriticalSection.KERNEL32(02FAC908,-00000001,02FAC8D8,02F9D16E,000001D0,?,?,02F9CE8C), ref: 02F9AD18
Part of subcall function 02F9AD10: LeaveCriticalSection.KERNEL32(02FAC908,?,?,02F9CE8C), ref: 02F9AD32

EnterCriticalSection.KERNEL32(02FAC968,?,?,02F9CE8C), ref: 02F9D186
LeaveCriticalSection.KERNEL32(02FAC968,?,?,02F9CE8C), ref: 02F9D19B
TlsSetValue.KERNEL32(00000000), ref: 02F9D314

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterLeaveValue$ErrorLast
String ID:
API String ID: 1628909245-0
Opcode ID: 89caa41c982dc2a0eb4c778264eedbb523a20f7954198a8462106dba60c69b55
Instruction ID: 87e638654e6c43a148e472d3fa77ff60cddd7527ce294f1fd77fd8b12a6de83e
Opcode Fuzzy Hash: 89caa41c982dc2a0eb4c778264eedbb523a20f7954198a8462106dba60c69b55
Instruction Fuzzy Hash: 074118F0541205CFEF54CF14D5D8792BBA9FB48394F1886A9DD088E38ACBB69854CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02703690 Relevance: 6.4, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(-00000001,0270DE20,02703890,00000000,027034F7,?,?,02702D5C), ref: 02703698
GetLastError.KERNEL32(?,?,02702D5C), ref: 027036A6

Part of subcall function 02702C50: EnterCriticalSection.KERNEL32(0270DE50,-00000001,0270DE20,027036BE,000001D0,?,?,02702D5C), ref: 02702C58
Part of subcall function 02702C50: LeaveCriticalSection.KERNEL32(0270DE50,?,?,02702D5C), ref: 02702C72

EnterCriticalSection.KERNEL32(0270DEB0,?,?,02702D5C), ref: 027036D6
LeaveCriticalSection.KERNEL32(0270DEB0,?,?,02702D5C), ref: 027036EB
TlsSetValue.KERNEL32(00000000), ref: 02703864

Memory Dump Source

Source File: 00000001.00000002.2876472916.0000000002701000.00000020.00001000.00020000.00000000.sdmp, Offset: 02700000, based on PE: true

Associated: 00000001.00000002.2876458961.0000000002700000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876487733.0000000002705000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876501732.0000000002707000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876501732.000000000270B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2700000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterLeaveValue$ErrorLast
String ID:
API String ID: 1628909245-0
Opcode ID: 746edea91143415d6b3209ab210a855858a4e8d250af54515c1287f640774cf7
Instruction ID: e0b0d3913130ecfccf337d4cf9cb59b47578aeabd36ab938d284c19df84fc7a1
Opcode Fuzzy Hash: 746edea91143415d6b3209ab210a855858a4e8d250af54515c1287f640774cf7
Instruction Fuzzy Hash: 3641F7B0541201CFEB54CF24D4D8B927BE6FB49318F1486A9DC084F38ADB76A498CF95

Uniqueness

Uniqueness Score: -1.00%

Function 026D3210 Relevance: 6.4, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(-00000001,026DED90,026D3410,00000000,026D4C87,?,?,026D2F5C), ref: 026D3218
GetLastError.KERNEL32(?,?,026D2F5C), ref: 026D3226

Part of subcall function 026D2C70: EnterCriticalSection.KERNEL32(026DEDC0,-00000001,026DED90,026D323E,000001D0,?,?,026D2F5C), ref: 026D2C78
Part of subcall function 026D2C70: LeaveCriticalSection.KERNEL32(026DEDC0,?,?,026D2F5C), ref: 026D2C92

EnterCriticalSection.KERNEL32(026DEE20,?,?,026D2F5C), ref: 026D3256
LeaveCriticalSection.KERNEL32(026DEE20,?,?,026D2F5C), ref: 026D326B
TlsSetValue.KERNEL32(00000000), ref: 026D33E4

Memory Dump Source

Source File: 00000001.00000002.2876347313.00000000026D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026D0000, based on PE: true

Associated: 00000001.00000002.2876333042.00000000026D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876365156.00000000026D6000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876379783.00000000026D8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26d0000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterLeaveValue$ErrorLast
String ID:
API String ID: 1628909245-0
Opcode ID: 42f5cd91b6217fe71f22ba82a9b87adb3c8befcf3df210f5b1f5628b61407c9f
Instruction ID: ca8207f4ac34c012818943219f1859b83a92ab439a691ad852246203d857fabd
Opcode Fuzzy Hash: 42f5cd91b6217fe71f22ba82a9b87adb3c8befcf3df210f5b1f5628b61407c9f
Instruction Fuzzy Hash: 604157B0D463488FEB54CF14D5D47967BA1FB48318F1882A9DC088F38ACB769898CF90

Uniqueness

Uniqueness Score: -1.00%

Function 100074E0 Relevance: 6.4, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(-00000001,1001E080,100076E0,00000000,1000A5A7,?,?,10004C6C), ref: 100074E8
GetLastError.KERNEL32(?,?,10004C6C), ref: 100074F6

Part of subcall function 100046A0: EnterCriticalSection.KERNEL32(1001E0B0,-00000001,1001E080,1000750E,000001D0,?,?,10004C6C), ref: 100046A8
Part of subcall function 100046A0: LeaveCriticalSection.KERNEL32(1001E0B0,?,?,10004C6C), ref: 100046C2

EnterCriticalSection.KERNEL32(1001E110,?,?,10004C6C), ref: 10007526
LeaveCriticalSection.KERNEL32(1001E110,?,?,10004C6C), ref: 1000753B
TlsSetValue.KERNEL32(00000000), ref: 100076B4

Memory Dump Source

Source File: 00000001.00000002.2877213525.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2877196871.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2877231222.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2877245622.0000000010014000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterLeaveValue$ErrorLast
String ID:
API String ID: 1628909245-0
Opcode ID: e36405d1e1f715ab105da38b614d493a4186d0b62efdf5cd36d84cab84462e1f
Instruction ID: c514d6e5681980036690898f8544117aeafa2c806c715fb1bfab7ab25ab77066
Opcode Fuzzy Hash: e36405d1e1f715ab105da38b614d493a4186d0b62efdf5cd36d84cab84462e1f
Instruction Fuzzy Hash: B341F6B45052018FEB48CF14D8D47957BB5FB49318F5481A9EC098F39ADBBAD884CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02F98DD0 Relevance: 6.3, APIs: 4, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe49a67f566647d99466ff030263bd6b131c46d980414a1b23c30d15f4fd4f5b
Instruction ID: 2048613b0d5f689281c29e3f9260a97feda64bdc05c9bdacc8a6c19e40adae62
Opcode Fuzzy Hash: fe49a67f566647d99466ff030263bd6b131c46d980414a1b23c30d15f4fd4f5b
Instruction Fuzzy Hash: 1DB181316083009FEB18EF54DC94BAAB3E5FF847D4F01092DE69556290DBB5AD84CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02F961B0 Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000001), ref: 02F963C2
SelectObject.GDI32(00000000,00000000), ref: 02F963CA
Polygon.GDI32(00000000,00000003,00000003), ref: 02F963DA
SelectObject.GDI32(00000000,00000000), ref: 02F963E2

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Object$Select$PolygonStock
String ID:
API String ID: 519140896-0
Opcode ID: 0d5f29c3b8937c4cd59450418d25bb26d986855963d4920cb3e7f16660f4b59e
Instruction ID: 339aad07d972cf8d129d90189351ac941f9083c0389fbcea02a7dd7b0e2438df
Opcode Fuzzy Hash: 0d5f29c3b8937c4cd59450418d25bb26d986855963d4920cb3e7f16660f4b59e
Instruction Fuzzy Hash: D671C8B1408B219ADB48CF08D8D123FBBF4FF88B46F05C86EE98559319E3389591DB56

Uniqueness

Uniqueness Score: -1.00%

Function 004ABC10 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000,00000000,00000000,00000008,?,?,0054664D,00000000), ref: 004ABC52

Part of subcall function 004AB8C0: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB8CE
Part of subcall function 004AB8C0: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB8E1
Part of subcall function 004AB8C0: _malloc.LIBCMT ref: 004AB8FB
Part of subcall function 004AB8C0: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB952

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,0057E81C,00000000,?,00000000,?,?,0054664D), ref: 004ABCAB
GetLastError.KERNEL32(?,?,0054664D), ref: 004ABCC4

Strings

MfT, xrefs: 004ABD71, 004ABD58, 004ABD21, 004ABCD3, 004ABD5B

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$ByteCharMultiWide$EnterErrorInitializeLastLeave_malloc
String ID: MfT
API String ID: 2497481835-3634536013
Opcode ID: 0b4e9490dd16bd428b591fb576d80ac9051c6c4aff0f744392acf9ff5b78d2f5
Instruction ID: c6ae6c428ee62840e1e2f6ca0bdaf6e1cd1745d59426f6dc6bef7cd7483a070f
Opcode Fuzzy Hash: 0b4e9490dd16bd428b591fb576d80ac9051c6c4aff0f744392acf9ff5b78d2f5
Instruction Fuzzy Hash: 7A41DE726002059FE7249F59D841B66B7A4FFA6720F24856EE908CB382DB75EC01DBE4

Uniqueness

Uniqueness Score: -1.00%

Function 02F94BD0 Relevance: 6.1, APIs: 4, Instructions: 135COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 02F94C9A
GetTickCount.KERNEL32 ref: 02F94CB1

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: 309ff6a91c56797a0c5787e3b3738ef87a6b0300c5deb3f7a768e97011baeae2
Instruction ID: 0584e2af7da840b7038a7669278835c09892adea74b3cd14c70c495811db28bb
Opcode Fuzzy Hash: 309ff6a91c56797a0c5787e3b3738ef87a6b0300c5deb3f7a768e97011baeae2
Instruction Fuzzy Hash: D1419B75E402086FFF20AB18EC41B7E73A5AB91BDAF14881FFB059A280E7718456CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02F94F9E Relevance: 6.1, APIs: 4, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SetRect.USER32(?,?,?,00000000,?), ref: 02F94FC2
SetRect.USER32(?,?,?,-0000000D,?), ref: 02F95007
SetRect.USER32(?,?,?,?,?), ref: 02F9503F
SetRect.USER32(?,?,?,?,?), ref: 02F95097
DrawFocusRect.USER32(00000000,?), ref: 02F950A3

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Rect$DrawFocus
String ID:
API String ID: 1615663015-0
Opcode ID: 6f7693acd0cf9a11b934aeb25feecb5c798677092e30a3568c42e0db5807dd8b
Instruction ID: bf8acb498978536985b5ce7ce47eb271084e4114ac100d71cb91589f6443d83c
Opcode Fuzzy Hash: 6f7693acd0cf9a11b934aeb25feecb5c798677092e30a3568c42e0db5807dd8b
Instruction Fuzzy Hash: E02105B2854B107AEB118B68DC85F7BF7EDEF80792F00890EF29180090E2799854C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 004ABA70 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004ABA87
RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004ABA99
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ABAE5
RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004ABB05

Part of subcall function 004AB850: RtlInitializeCriticalSection.NTDLL(005F3A18), ref: 004AB85E
Part of subcall function 004AB850: RtlEnterCriticalSection.NTDLL(005F3A18), ref: 004AB870
Part of subcall function 004AB850: RtlLeaveCriticalSection.NTDLL(005F3A18), ref: 004AB88D

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$EnterInitialize
String ID:
API String ID: 3864236774-0
Opcode ID: 23ef763bbd2953e2ab46ab6746d2dc88633cba0f6771fc94f6018cc96f752b75
Instruction ID: 19d25a9dcb0149c0bea8b4706d6787f694a78d7dc0dd9e2c666e9dfd4e4fe33b
Opcode Fuzzy Hash: 23ef763bbd2953e2ab46ab6746d2dc88633cba0f6771fc94f6018cc96f752b75
Instruction Fuzzy Hash: 38112C756002105FE7109F19D884BA37FA4EFA6720B08409AE9489B35AC7788804DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00569C7F Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005680A6: __amsg_exit.LIBCMT ref: 005680B4

__amsg_exit.LIBCMT ref: 00569CAB
__lock.LIBCMT ref: 00569CBB
InterlockedDecrement.KERNEL32(?), ref: 00569CD8
InterlockedIncrement.KERNEL32(006A1558), ref: 00569D03

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__lock
String ID:
API String ID: 4129207761-0
Opcode ID: 5f1ed02313a0a162c39a16bae10014bc4e29a1c1a7684cb52b1d2a11f772b3e7
Instruction ID: 9e8ff4615eb97cc77e01b10aedbf20ebed89c0a13b512a0843a609b7b24efc10
Opcode Fuzzy Hash: 5f1ed02313a0a162c39a16bae10014bc4e29a1c1a7684cb52b1d2a11f772b3e7
Instruction Fuzzy Hash: 7401C032941622DBFB21AB68A94976E7FE4BF40720F040215F804A7291CF30AD84EBD1

Uniqueness

Uniqueness Score: -1.00%

Function 004238D0 Relevance: 6.0, APIs: 4, Instructions: 46timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00423950: _swprintf.LIBCMT ref: 00423993
Part of subcall function 00423950: MessageBoxA.USER32(?,?,Runtime Error,00000111), ref: 004239AD
Part of subcall function 00423950: ExitProcess.KERNEL32 ref: 004239B9

SystemTimeToFileTime.KERNEL32(?,?), ref: 004238EC
SystemTimeToFileTime.KERNEL32(?,?), ref: 00423903
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00423926
FileTimeToSystemTime.KERNEL32(?,?,?,?,2A69C000,000000C9), ref: 0042393A

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Time$FileSystem$ExitMessageProcessUnothrow_t@std@@@__ehfuncinfo$??2@_swprintf
String ID:
API String ID: 3523310507-0
Opcode ID: 439f3d3717cbdb87db4f7da2f5ad7001293a6d3053412e48bd403b776e074a5e
Instruction ID: 1e76d03dc79d583696d14197a38718a8c614343561da0560845367f9b9acf52c
Opcode Fuzzy Hash: 439f3d3717cbdb87db4f7da2f5ad7001293a6d3053412e48bd403b776e074a5e
Instruction Fuzzy Hash: BF0140B6910229AACB04DFE4DC409FEB77CFF58700F40455AE915A3204D6759A44D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0056802F Relevance: 6.0, APIs: 4, Instructions: 45threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,005698B4,005664E5,?,?,00401224), ref: 00568031

Part of subcall function 00567F01: TlsGetValue.KERNEL32(00000000,00568044,?,00000000,005698B4,005664E5,?,?,00401224), ref: 00567F08
Part of subcall function 00567F01: TlsSetValue.KERNEL32(00000000,00000000,005698B4,005664E5,?,?,00401224), ref: 00567F29

__calloc_crt.LIBCMT ref: 00568053

Part of subcall function 005683A3: __calloc_impl.LIBCMT ref: 005683B1
Part of subcall function 005683A3: Sleep.KERNEL32(00000000), ref: 005683C8

Part of subcall function 00567E8A: TlsGetValue.KERNEL32(00000000,00567F1F,?,00000000,005698B4,005664E5,?,?,00401224), ref: 00567E97
Part of subcall function 00567E8A: TlsGetValue.KERNEL32(00000005,?,00000000,005698B4,005664E5,?,?,00401224), ref: 00567EAE

Part of subcall function 00567F70: GetModuleHandleA.KERNEL32(KERNEL32.DLL,005ACE28,0000000C,00568081,00000000,00000000,?,00000000,005698B4,005664E5,?,?,00401224), ref: 00567F81
Part of subcall function 00567F70: GetProcAddress.KERNEL32(?,EncodePointer), ref: 00567FB5
Part of subcall function 00567F70: GetProcAddress.KERNEL32(?,DecodePointer), ref: 00567FC5
Part of subcall function 00567F70: InterlockedIncrement.KERNEL32(005B0450), ref: 00567FE7
Part of subcall function 00567F70: __lock.LIBCMT ref: 00567FEF
Part of subcall function 00567F70: ___addlocaleref.LIBCMT ref: 0056800E

GetCurrentThreadId.KERNEL32 ref: 00568083
SetLastError.KERNEL32(00000000,?,00000000,005698B4,005664E5,?,?,00401224), ref: 0056809B

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
String ID:
API String ID: 1081334783-0
Opcode ID: b7215e0251636035e3b555bd85ff3a36f926e69f090a7d15df2878a04fb89ed0
Instruction ID: 1d10331bda30d574034ef3f3537a258cff51b9a7a4886f922be8b00e5598d38d
Opcode Fuzzy Hash: b7215e0251636035e3b555bd85ff3a36f926e69f090a7d15df2878a04fb89ed0
Instruction Fuzzy Hash: 85F0F43290532297DA3137747C0EB6E3E94BF507717200704F559E71E1CF21C88567A0

Uniqueness

Uniqueness Score: -1.00%

Function 00421610 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(005F2918), ref: 0042161F
SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0042163C
GetLastError.KERNEL32 ref: 00421645
RtlLeaveCriticalSection.NTDLL(005F2918), ref: 00421669

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterErrorFileLastLeavePointer
String ID:
API String ID: 1636754350-0
Opcode ID: d8f582371205a4aad3cb245e8dbd01a094f27d023beec718d88e94b91587a870
Instruction ID: 689cd217e21988c7f4553b92668b3bc228ca42c3379a99c32921d74024d107ec
Opcode Fuzzy Hash: d8f582371205a4aad3cb245e8dbd01a094f27d023beec718d88e94b91587a870
Instruction Fuzzy Hash: 05018171940308EFDB10DFA8E945ADE7BB8FB28311F10865AF849D3340D7749A84EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00420F60 Relevance: 6.0, APIs: 4, Instructions: 32fileCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(005F2918), ref: 00420F74
WriteFile.KERNEL32(?,?,?,00000000,00000000), ref: 00420F8C
GetLastError.KERNEL32 ref: 00420F98
RtlLeaveCriticalSection.NTDLL(005F2918), ref: 00420FA6

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$EnterErrorFileLastLeaveWrite
String ID:
API String ID: 1726892732-0
Opcode ID: be9b9b4810b3c4177a25f6f65cd4be5efc5adfd306961bb655297c56511e2ce7
Instruction ID: c43c03b4c019ab22b138e2d6ed632b4e7effc51eb89012404f0cf1b8a3c41222
Opcode Fuzzy Hash: be9b9b4810b3c4177a25f6f65cd4be5efc5adfd306961bb655297c56511e2ce7
Instruction Fuzzy Hash: 89F05E75541208AFE7109B95EC09FAA7BACFB19711F00450AF98987240D7B09988ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F963BC Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000001), ref: 02F963C2
SelectObject.GDI32(00000000,00000000), ref: 02F963CA
Polygon.GDI32(00000000,00000003,00000003), ref: 02F963DA
SelectObject.GDI32(00000000,00000000), ref: 02F963E2

Memory Dump Source

Source File: 00000001.00000002.2876893867.0000000002F91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: true

Associated: 00000001.00000002.2876878642.0000000002F90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876912151.0000000002FA1000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876926698.0000000002FA3000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2f90000_WindowsLoader.jbxd

Similarity

API ID: Object$Select$PolygonStock
String ID:
API String ID: 519140896-0
Opcode ID: f29a76c220f1bb0420b4e6e78bd2b7543f99005276b74d4b5bfc04bf5803d10e
Instruction ID: 5dbb847bbb09409d5361d22b3a35782aa9a9b77dffdeb57d850924d25cac0cca
Opcode Fuzzy Hash: f29a76c220f1bb0420b4e6e78bd2b7543f99005276b74d4b5bfc04bf5803d10e
Instruction Fuzzy Hash: 69D067B659014CBFF2405B94AC49F76B7ACEB08786F440845FB0E85042DAB559B08B61

Uniqueness

Uniqueness Score: -1.00%

Function 0269162D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,026916F9,00000000), ref: 02691634

Strings

0123456789ABCDEF, xrefs: 02691652
q3TDgcZ4p2up0Z77amQP , xrefs: 0269163A

Memory Dump Source

Source File: 00000001.00000002.2876226182.0000000002691000.00000020.00001000.00020000.00000000.sdmp, Offset: 02690000, based on PE: true

Associated: 00000001.00000002.2876210818.0000000002690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876241992.0000000002698000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876257033.000000000269B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2690000_WindowsLoader.jbxd

Similarity

API ID: CurrentProcess
String ID: 0123456789ABCDEF$q3TDgcZ4p2up0Z77amQP
API String ID: 2050909247-2646360417
Opcode ID: 6911a8c7c13d9ddaa16fb3dd82fff06f141f59bf70df190f6721a4a7637f4aa9
Instruction ID: e2c7cd28ffe0c4a1846df7610773d90322ba20a7a4633e5cca530a502450c849
Opcode Fuzzy Hash: 6911a8c7c13d9ddaa16fb3dd82fff06f141f59bf70df190f6721a4a7637f4aa9
Instruction Fuzzy Hash: 1E118FA6648AE24BCB2E4A3D58B1336BED2AAE700171C44DDF6D38F3A3D4144584DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DA12B2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,00DA137E,00000000), ref: 00DA12B9

Strings

q3TDgcZ4p2up0Z77amQP , xrefs: 00DA12BF
0123456789ABCDEF, xrefs: 00DA12D7

Memory Dump Source

Source File: 00000001.00000002.2876128112.0000000000DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000001.00000002.2876112704.0000000000DA0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876145215.0000000000DA7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876159981.0000000000DA8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_da0000_WindowsLoader.jbxd

Similarity

API ID: CurrentProcess
String ID: 0123456789ABCDEF$q3TDgcZ4p2up0Z77amQP
API String ID: 2050909247-2646360417
Opcode ID: bd6af788d2df10e76dba6c634094873960c74982f9449325c038d9dcd5e7ffad
Instruction ID: 859427f6f097fa8e23608c955a3040fd70edcc8671947ea31bf10122e431a2d6
Opcode Fuzzy Hash: bd6af788d2df10e76dba6c634094873960c74982f9449325c038d9dcd5e7ffad
Instruction Fuzzy Hash: 9E1142A6649AE24BC72E463D58B1375BFD29AA7401B0C44DDFAD38F3A3D0148944E7B1

Uniqueness

Uniqueness Score: -1.00%

Function 026B1892 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,00000000,026B195E,00000000), ref: 026B1899

Strings

0123456789ABCDEF, xrefs: 026B18B7
q3TDgcZ4p2up0Z77amQP , xrefs: 026B189F

Memory Dump Source

Source File: 00000001.00000002.2876285867.00000000026B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026B0000, based on PE: true

Associated: 00000001.00000002.2876271806.00000000026B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876301547.00000000026B7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876315449.00000000026B9000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26b0000_WindowsLoader.jbxd

Similarity

API ID: CurrentProcess
String ID: 0123456789ABCDEF$q3TDgcZ4p2up0Z77amQP
API String ID: 2050909247-2646360417
Opcode ID: 9bde5ccc7c9af701d2a39dfad9148a54713a2d23090b25ad63e11ea9219b3a3a
Instruction ID: dede8a7cfa95bf6ae85a7a27e6cde1e2efbcc4d1d8b0f7e3582a639be3d28271
Opcode Fuzzy Hash: 9bde5ccc7c9af701d2a39dfad9148a54713a2d23090b25ad63e11ea9219b3a3a
Instruction Fuzzy Hash: C7116DA5648BE24BD72F4A3D58B137ABED2AEA7001B0C44DDEAD34F3A3D0154984D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0052FE10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0052FE3D
_swprintf.LIBCMT ref: 0052FE59

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

Strings

%lld, xrefs: 0052FE4A

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: __vsprintf_s_l_memset_swprintf
String ID: %lld
API String ID: 2576962049-1962030014
Opcode ID: b270d501c076522f3aebd36458f36b8e5ecca4c90e7554b7f3fe337b8ad5653d
Instruction ID: 7d7a462fa3ab0ece361ae9fe9be48989ff24fd20ea29eb40534c64a8ab688229
Opcode Fuzzy Hash: b270d501c076522f3aebd36458f36b8e5ecca4c90e7554b7f3fe337b8ad5653d
Instruction Fuzzy Hash: 45018E712043049BD720DF28DC86F977BE9EF89714F044629EA489B292EB74E9098796

Uniqueness

Uniqueness Score: -1.00%

Function 0052FEB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0052FED8
_swprintf.LIBCMT ref: 0052FEF6

Part of subcall function 00567446: __vsprintf_s_l.LIBCMT ref: 00567459

Strings

%llu, xrefs: 0052FEE5

Memory Dump Source

Source File: 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2875330874.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005B0000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C2000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005C4000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.00000000005FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.000000000060A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000610000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875348989.0000000000617000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875618521.000000000061A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2875633747.000000000061C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_WindowsLoader.jbxd

Similarity

API ID: __vsprintf_s_l_memset_swprintf
String ID: %llu
API String ID: 2576962049-507646796
Opcode ID: 51811b0213a189110b92eeaa43d9489c4127785020265c25952fe7318a948217
Instruction ID: 6c69468faf36f6049da7c74d2f7d75e607579644280ddfeba115a18a43c18476
Opcode Fuzzy Hash: 51811b0213a189110b92eeaa43d9489c4127785020265c25952fe7318a948217
Instruction Fuzzy Hash: 54118CB060021C5BDB10DF54DD55F9677FCEF85704F5041A5E704AB282D770AE468B95

Uniqueness

Uniqueness Score: -1.00%

Function 02691519 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11windowCOMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(026915A2,?,026915A2,00000000), ref: 0269151F
MessageBoxA.USER32(00000000,026915A2,MBS REALbasic Plugins,00000010), ref: 0269152F

Strings

MBS REALbasic Plugins, xrefs: 02691527

Memory Dump Source

Source File: 00000001.00000002.2876226182.0000000002691000.00000020.00001000.00020000.00000000.sdmp, Offset: 02690000, based on PE: true

Associated: 00000001.00000002.2876210818.0000000002690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876241992.0000000002698000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876257033.000000000269B000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2690000_WindowsLoader.jbxd

Similarity

API ID: DebugMessageOutputString
String ID: MBS REALbasic Plugins
API String ID: 3630955307-633217917
Opcode ID: 74f120093d76b266d70df34c681577c1590286d6023491e417b02c55872518f2
Instruction ID: 7a322ade5345a4cd08655448d7a47fee38099a8af7801eea90fafab211b142ed
Opcode Fuzzy Hash: 74f120093d76b266d70df34c681577c1590286d6023491e417b02c55872518f2
Instruction Fuzzy Hash: 10C04CB26C4304BBE7006BA19DC9FAE776CE74C757F001815F246560918BB154A09A35

Uniqueness

Uniqueness Score: -1.00%

Function 00DA119E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11windowCOMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(00DA1227,?,00DA1227,00000000), ref: 00DA11A4
MessageBoxA.USER32(00000000,00DA1227,MBS REALbasic Plugins,00000010), ref: 00DA11B4

Strings

MBS REALbasic Plugins, xrefs: 00DA11AC

Memory Dump Source

Source File: 00000001.00000002.2876128112.0000000000DA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: true

Associated: 00000001.00000002.2876112704.0000000000DA0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876145215.0000000000DA7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876159981.0000000000DA8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_da0000_WindowsLoader.jbxd

Similarity

API ID: DebugMessageOutputString
String ID: MBS REALbasic Plugins
API String ID: 3630955307-633217917
Opcode ID: b48065f625c3f9d27d5440e35caab6ae8b5cfeac71b20ff70d3d504945cfd6d2
Instruction ID: 8b1eead21cfe6bf747f9a1ef3368ef58f6fe9157a4d8f9fd7fa85c46cd95fd5d
Opcode Fuzzy Hash: b48065f625c3f9d27d5440e35caab6ae8b5cfeac71b20ff70d3d504945cfd6d2
Instruction Fuzzy Hash: C4C08CB6380300BBD20007A4ACC9F863B1CA70D702F000400F30A89191CBE184409732

Uniqueness

Uniqueness Score: -1.00%

Function 026B177D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11windowCOMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(026B17FD,?,026B17FD,00000000), ref: 026B1783
MessageBoxA.USER32(00000000,026B17FD,MBS REALbasic Plugins,00000010), ref: 026B1793

Strings

MBS REALbasic Plugins, xrefs: 026B178B

Memory Dump Source

Source File: 00000001.00000002.2876285867.00000000026B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 026B0000, based on PE: true

Associated: 00000001.00000002.2876271806.00000000026B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876301547.00000000026B7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2876315449.00000000026B9000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_26b0000_WindowsLoader.jbxd

Similarity

API ID: DebugMessageOutputString
String ID: MBS REALbasic Plugins
API String ID: 3630955307-633217917
Opcode ID: 02d3a89f7e1c1d576df9ee0b309b4906585cdb4a8e9baa1396faf9fc66b8caf3
Instruction ID: e26db537bc2f97b9ecc0e3a1d6f5ef567864320c7890c19ad36bafd9c9b3fd49
Opcode Fuzzy Hash: 02d3a89f7e1c1d576df9ee0b309b4906585cdb4a8e9baa1396faf9fc66b8caf3
Instruction Fuzzy Hash: F7C04CB2685705BFE30156A5DCC9F8E775CAB4C746F005C01B346650C186A565E09B35

Uniqueness

Uniqueness Score: -1.00%

Function 1000F0A0 Relevance: 5.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(1001E0C8,00001000,?), ref: 1000F11F
LeaveCriticalSection.KERNEL32(1001E0C8), ref: 1000F174
LeaveCriticalSection.KERNEL32(1001E0C8), ref: 1000F199

Memory Dump Source

Source File: 00000001.00000002.2877213525.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2877196871.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2877231222.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.2877245622.0000000010014000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_WindowsLoader.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: db032701301577b49d2e250bca2db4e9cb6c5dd343349cde029e658a7b085ca0
Instruction ID: a669631974111da8149c4fbd516e4fdd9e9092abbba7cfba8b0b615316e8a93b
Opcode Fuzzy Hash: db032701301577b49d2e250bca2db4e9cb6c5dd343349cde029e658a7b085ca0
Instruction Fuzzy Hash: C24118765002448BEB01CF25D8807EA7BD0EF8A3B6F15427EFC589B281D736D988D755

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Wind0ws7l0aderV3.4875.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\WindowsLoader.exe

C:\Users\user\AppData\Local\Temp\aut2507.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Wind0ws7l0aderV3.4875.exePID: 7520, Parent PID: 2580

General

Windows Analysis Report
Wind0ws7l0aderV3.4875.exe

Function 00700F36 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
COMMON

Function 0070321F Relevance: 3.0, APIs: 2, Instructions: 7
COMMONLIBRARYCODE

Function 0070A2D5 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 0044E350 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 172
libraryloaderCOMMON

Function 0051D940 Relevance: 47.5, APIs: 19, Strings: 8, Instructions: 278
windowCOMMON

Function 00546400 Relevance: 37.8, APIs: 25, Instructions: 327
COMMON

Function 0051F3C0 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 154
windowCOMMON

Function 005287B0 Relevance: 23.1, APIs: 15, Instructions: 613
COMMON

Function 00404F80 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 267
COMMON

Function 00419800 Relevance: 9.2, APIs: 6, Instructions: 165
COMMON

Function 00407730 Relevance: 9.2, APIs: 6, Instructions: 158
COMMON

Function 0056646E Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Function 00421000 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107
fileCOMMON

Function 0053ADC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84
windowCOMMON

Function 00405079 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56
COMMON

Function 0044DCC0 Relevance: 6.2, APIs: 4, Instructions: 240
COMMON

Function 00421740 Relevance: 6.0, APIs: 4, Instructions: 47
fileCOMMON

Function 004215A0 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON