

Windows Analysis Report
Insanity Loader.exe

Overview

General Information

Sample name: Insanity Loader.exe
Analysis ID: 1507525
MD5: 3fd87bf20a6572f497fd8707d6a48dc8
SHA1: b87ea66e5642608ba518b1eba1f8d7965747bb1b
SHA256: 91e1004b69d539f58774601b050151fb6fb706e03b5f65aa6288a586048e9563
Tags: exe

Detection

RedLine
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected RedLine Stealer
.NET source code contains very large array initializations
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Enables security privileges
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Insanity Loader.exe (PID: 5664 cmdline: "C:\Users\user\Desktop\Insanity Loader.exe" MD5: 3FD87BF20A6572F497FD8707D6A48DC8)
    • conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
No configs have been found
Source: Insanity Loader.exe; Rule: MALWARE_Win_RedLine; Description: Detects RedLine infostealer; Author: ditekSHen
Strings:
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 45 88 44 24 2B 88 44 24 2F B0 CE 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source: Process Memory Space: Insanity Loader.exe PID: 5664; Rule: JoeSecurity_RedLine; Description: Yara detected RedLine Stealer; Author: Joe Security
Source: 0.0.Insanity Loader.exe.400000.0.unpack; Rule: MALWARE_Win_RedLine; Description: Detects RedLine infostealer; Author: ditekSHen
Strings:
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 45 88 44 24 2B 88 44 24 2F B0 CE 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source: 0.2.Insanity Loader.exe.400000.0.unpack; Rule: MALWARE_Win_RedLine; Description: Detects RedLine infostealer; Author: ditekSHen
Strings:
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 45 88 44 24 2B 88 44 24 2F B0 CE 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
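The match tables above list six strings from ditekSHen's MALWARE_Win_RedLine rule and the offsets where they hit, but not what the bytes are. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not the rule itself. It searches a buffer for the listed strings the way a Yara engine would, then decodes the two that carry structure: $s1 is UTF-16LE text, and $s2 at file offset 0x80 is the first 64 bytes of an MSVC Rich header, where every dword is XORed with one key (which is why 2C 71 EA 7E repeats) and the first dword decodes to the "DanS" marker. The key is recovered from that marker because the rule string stops before the "Rich" terminator that normally stores it. build_sample() is constructed stand-in data placed at the report's offsets, not the real file, and the rule's condition (which strings, how many) is not on this page and is not reproduced.

```python
"""Added example for this page (not part of the Joe Sandbox report or of the
MALWARE_Win_RedLine rule): locate the rule's listed strings in a buffer and
decode the two that carry structure ($s1 as UTF-16LE text, $s2 as the start
of an MSVC Rich header)."""
import struct

# The six strings exactly as the report's match table lists them.  $s3 is cut
# off in the report ("...") so only its visible prefix is searched for.
RULE_STRINGS = {
    "$s1": bytes.fromhex("23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00"),
    "$s2": bytes.fromhex(
        "68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E "
        "0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E "
        "32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E"),
    "$s3": bytes.fromhex(
        "83 EC 38 53 B0 45 88 44 24 2B 88 44 24 2F B0 CE 88 44 24 30 88 44 24 31 "
        "88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF "
        "2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24"),
    "$s4": b"B|BxBtBpBlBhBdB`B\\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B",
    "$s5": b"delete[]",
    "$s6": b"constructor or from DllMain.",
}


def find_rule_strings(buf):
    """Return {string name: [every offset where it occurs]} for the buffer."""
    hits = {}
    for name, needle in RULE_STRINGS.items():
        offsets, pos = [], buf.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = buf.find(needle, pos + 1)
        hits[name] = offsets
    return hits


def decode_s1(raw):
    """$s1 is 16-bit little-endian text; decode it as such."""
    return raw.decode("utf-16-le")


def decode_rich_header(blob):
    """XOR-decode the leading part of a Rich header.

    Layout: dword 0 is "DanS" ^ key, dwords 1-3 are 0 ^ key (padding), then
    pairs of (ProdID << 16 | build) ^ key and (use count) ^ key.  Only the
    bytes present in the blob are decoded; the "Rich" terminator and the key
    stored after it are not part of the rule string."""
    first = struct.unpack_from("<I", blob, 0)[0]
    key = first ^ struct.unpack("<I", b"DanS")[0]
    usable = blob[: len(blob) // 4 * 4]
    words = [w ^ key for (w,) in struct.iter_unpack("<I", usable)]
    if words[1:4] != [0, 0, 0]:
        raise ValueError("not a Rich header: padding does not decode to zero")
    entries = [(comp_id >> 16, comp_id & 0xFFFF, count)      # (ProdID, build, count)
               for comp_id, count in zip(words[4::2], words[5::2])]
    return {"key": key, "entries": entries}


def build_sample():
    """Constructed stand-in buffer (not the real sample): the rule strings are
    written at the offsets the report gives; $s4 is left out so one string
    shows up as a miss."""
    buf = bytearray(0x1F000)
    buf[:2] = b"MZ"
    for name, off in (("$s1", 0x1D0B0), ("$s2", 0x80), ("$s3", 0x700),
                      ("$s5", 0x1E9D0), ("$s6", 0x1DE88)):
        buf[off:off + len(RULE_STRINGS[name])] = RULE_STRINGS[name]
    return bytes(buf)


if __name__ == "__main__":
    import sys
    # Pass the real file as the first argument to check it; otherwise use the stand-in.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for name, offs in find_rule_strings(data).items():
        print(name, [hex(o) for o in offs])
    print("$s1 as UTF-16LE:", decode_s1(RULE_STRINGS["$s1"]))
    rich = decode_rich_header(RULE_STRINGS["$s2"])
    print("Rich header XOR key 0x%08X" % rich["key"])
    for prod_id, build, count in rich["entries"]:
        print("  ProdID 0x%02X build %5d used %3d times" % (prod_id, build, count))
```

Decoding $s2 gives XOR key 0x7EEA712C and six toolchain entries whose build numbers are 21022 and 50727, the MSVC 2008 (9.0.21022) and MSVC 2005 (8.0.50727) build numbers; the ProdID values are left raw because mapping them to named compiler components needs a table that is not on this page. The practical point for anyone relying on this rule: $s2 fingerprints the native stub's build environment and the exact mix of object files linked, not RedLine-specific code, so a rebuild with another compiler or a zeroed Rich header sidesteps it, and $s6 is the tail of a standard MSVC CRT runtime error message that any MSVC binary can carry. Whatever condition the full rule applies, a hit here is strongest when corroborated by the behavioural findings further down, which is also what the JoeSecurity_RedLine match on process memory provides.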
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.8% probability
Source: Insanity Loader.exe; Joe Sandbox ML: detected
Source: Insanity Loader.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: _.pdb source: Insanity Loader.exe, 00000000.00000002.2041056918.00000000021F7000.00000004.00000020.00020000.00000000.sdmp, Insanity Loader.exe, 00000000.00000003.2028306043.000000000067B000.00000004.00000020.00020000.00000000.sdmp, Insanity Loader.exe, 00000000.00000002.2044454481.0000000003521000.00000004.00000800.00020000.00000000.sdmp, Insanity Loader.exe, 00000000.00000002.2044602082.0000000004B10000.00000004.08000000.00040000.00000000.sdmp
Source: Insanity Loader.exe, 00000000.00000002.2041615026.00000000025F5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: $]q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\]q equals www.youtube.com (Youtube)
Source: Insanity Loader.exe, 00000000.00000002.2041615026.00000000025F5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: Insanity Loader.exe, 00000000.00000002.2041615026.00000000025F5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\]q equals www.youtube.com (Youtube)
Source: Insanity Loader.exe, 00000000.00000002.2041615026.00000000025F5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,]q equals www.youtube.com (Youtube)
Source: Insanity Loader.exe, 00000000.00000002.2041615026.00000000025F5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: `,]q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: Insanity Loader.exe, 00000000.00000002.2041615026.00000000025B4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ip.s
Source: Insanity Loader.exe, 00000000.00000002.2041615026.00000000025B4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ip.sb/ip
Source: Insanity Loader.exe, 00000000.00000002.2041615026.0000000002646000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://discord.com/api/v9/users/
Source: Insanity Loader.exe, 00000000.00000002.2041615026.0000000002795000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: GetRawInputDatamemstr_f261fa75-7

System Summary

Source: Insanity Loader.exe, type: SAMPLE; Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.0.Insanity Loader.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Insanity Loader.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Insanity Loader.exe.4b10ee8.6.raw.unpack, HWiM5nizdBqTYpoFw7P.cs; Large array initialization: HWiM5nizdBqTYpoFw7P: array initializer size 6160
Source: 0.2.Insanity Loader.exe.2238ab6.2.raw.unpack, HWiM5nizdBqTYpoFw7P.cs; Large array initialization: HWiM5nizdBqTYpoFw7P: array initializer size 6160
Source: 0.2.Insanity Loader.exe.3576790.5.raw.unpack, HWiM5nizdBqTYpoFw7P.cs; Large array initialization: HWiM5nizdBqTYpoFw7P: array initializer size 6160
Source: 0.2.Insanity Loader.exe.3526458.3.raw.unpack, HWiM5nizdBqTYpoFw7P.cs; Large array initialization: HWiM5nizdBqTYpoFw7P: array initializer size 6160
Source: 0.2.Insanity Loader.exe.5230000.8.raw.unpack, HWiM5nizdBqTYpoFw7P.cs; Large array initialization: HWiM5nizdBqTYpoFw7P: array initializer size 6160
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_00408C60
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_0040DC11
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_00407C3F
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_00418CCC
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_00406CA0
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_004028B0
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_0041A4BE
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_00418244
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_00401650
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_00402F20
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_004193C4
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_00418788
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_00402F89
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_00402B90
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_004073A0
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_0215E17C
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_02152ECC
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_053A1638
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_053A01D8
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_053A01C8
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_054ED3B0
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_054ECE88
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_056B04D0
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_056B6C18
Source: C:\Users\user\Desktop\Insanity Loader.exe; Process token adjusted: Security
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: String function: 0040E1D8 appears 44 times
Source: Insanity Loader.exe, 00000000.00000003.2028040085.00000000006FD000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameMsMpLics.dllj% vs Insanity Loader.exe
Source: Insanity Loader.exe, 00000000.00000002.2041056918.00000000021F7000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameParsimony.exe" vs Insanity Loader.exe
Source: Insanity Loader.exe, 00000000.00000002.2041056918.00000000021F7000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename_.dll4 vs Insanity Loader.exe
Source: Insanity Loader.exe, 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameParsimony.exe" vs Insanity Loader.exe
Source: Insanity Loader.exe, 00000000.00000003.2028108861.0000000000711000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameMsMpLics.dllj% vs Insanity Loader.exe
Source: Insanity Loader.exe, 00000000.00000003.2028306043.000000000067B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameParsimony.exe" vs Insanity Loader.exe
Source: Insanity Loader.exe, 00000000.00000003.2028306043.000000000067B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilename_.dll4 vs Insanity Loader.exe
Source: Insanity Loader.exe, 00000000.00000002.2044966965.0000000005230000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameParsimony.exe" vs Insanity Loader.exe
Source: Insanity Loader.exe, 00000000.00000002.2044454481.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameParsimony.exe" vs Insanity Loader.exe
Source: Insanity Loader.exe, 00000000.00000002.2044454481.0000000003521000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename_.dll4 vs Insanity Loader.exe
Source: Insanity Loader.exe, 00000000.00000002.2044602082.0000000004B10000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameParsimony.exe" vs Insanity Loader.exe
Source: Insanity Loader.exe, 00000000.00000002.2044602082.0000000004B10000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilename_.dll4 vs Insanity Loader.exe
Source: Insanity Loader.exe; Binary or memory string: OriginalFilenameParsimony.exe" vs Insanity Loader.exe
Source: Insanity Loader.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Insanity Loader.exe, type: SAMPLE; Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.0.Insanity Loader.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Insanity Loader.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Insanity Loader.exe.4b10ee8.6.raw.unpack, HWiM5nizdBqTYpoFw7P.cs; Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Insanity Loader.exe.4b10ee8.6.raw.unpack, vnUNrf9zTHJhL6tQfxd.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Insanity Loader.exe.2238ab6.2.raw.unpack, HWiM5nizdBqTYpoFw7P.cs; Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Insanity Loader.exe.2238ab6.2.raw.unpack, vnUNrf9zTHJhL6tQfxd.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Insanity Loader.exe.3576790.5.raw.unpack, HWiM5nizdBqTYpoFw7P.cs; Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Insanity Loader.exe.3576790.5.raw.unpack, vnUNrf9zTHJhL6tQfxd.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Insanity Loader.exe.3526458.3.raw.unpack, HWiM5nizdBqTYpoFw7P.cs; Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Insanity Loader.exe.3526458.3.raw.unpack, vnUNrf9zTHJhL6tQfxd.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Insanity Loader.exe.5230000.8.raw.unpack, HWiM5nizdBqTYpoFw7P.cs; Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Insanity Loader.exe.5230000.8.raw.unpack, vnUNrf9zTHJhL6tQfxd.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine; Classification label: mal72.troj.evad.winEXE@2/1@0/0
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: C:\Users\user\Desktop\Insanity Loader.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Insanity Loader.exe.log
Source: C:\Users\user\Desktop\Insanity Loader.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4180:120:WilError_03
Source: C:\Users\user\Desktop\Insanity Loader.exe; Command line argument: 08A (0_2_00413780)
Source: Insanity Loader.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Insanity Loader.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\Insanity Loader.exe "C:\Users\user\Desktop\Insanity Loader.exe"
Source: C:\Users\user\Desktop\Insanity Loader.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Insanity Loader.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: Insanity Loader.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: _.pdb source: Insanity Loader.exe, 00000000.00000002.2041056918.00000000021F7000.00000004.00000020.00020000.00000000.sdmp, Insanity Loader.exe, 00000000.00000003.2028306043.000000000067B000.00000004.00000020.00020000.00000000.sdmp, Insanity Loader.exe, 00000000.00000002.2044454481.0000000003521000.00000004.00000800.00020000.00000000.sdmp, Insanity Loader.exe, 00000000.00000002.2044602082.0000000004B10000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: Insanity Loader.exe; Static PE information: real checksum: 0x23bfb should be: 0x883eb
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_0040E21D push ecx; ret 0_2_0040E230
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_053A8438 push esp; retf 0_2_053A8481
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_053A9A60 push esp; iretd 0_2_053A9A61
Source: C:\Users\user\Desktop\Insanity Loader.exe; Code function: 0_2_056B900D push FFFFFF8Bh; iretd 0_2_056B900F
Source: 0.2.Insanity Loader.exe.4b10ee8.6.raw.unpack, JrDgcb8ExbnxoKvHj0h.cs; High entropy of concatenated method names: 'ShowMessage', 'VxW8CTIwiU', 'IKm8os5L55', 'gom8AC5UqJ', 'B0b8F7YMg0', 'E0c8g7rGpw', 'reY848S8mQ', 'aKZ8z7WlxN', 'nDRQayamBL', 'U5OQ6dLhrU'
Source: 0.2.Insanity Loader.exe.4b10ee8.6.raw.unpack, eYHragi8ZCpLS1lWPwX.cs; High entropy of concatenated method names: 'lb8iuDNCWP', 'A5UiZDAsol', 'XSai99a8ti', 'S1Eily3Nq0', 'OMTiJWE6ZX', 'AfyitOTe6J', 'LqEiDT7lu7', 'VXbiPDVIHO', 'wjwibsCoYQ', 'pKaidcbP2q'
Source: 0.2.Insanity Loader.exe.4b10ee8.6.raw.unpack, HMcqtE6J6r1oToPnxPf.cs; High entropy of concatenated method names: 'rpg63nTtcd', 'Fme6OAaSE1', 'MS16rZKoi4', 'wAO6N8pqBw', 'n6p6DgAamV', 'R3o6PgF73A', 'ekH6bn75Ls', 'wrq6dI3ts6', 'jXM60OtGM7', 'KO76wXfsvZ'
Source: 0.2.Insanity Loader.exe.4b10ee8.6.raw.unpack, qqaOQ7MORaiyuX290kx.cs; High entropy of concatenated method names: 'NOCbz6OMLf', 'TALdQQC9dP', 'qcuMrAL091', 'sGCMNdH9uR', 'DD3MIrZ56s', 'xEvMeNt3nr', 'tgNMcYqoLe', 'hHUbghaJSm', 'bmHdatxIPx', 'AgoduRIEmN'
Source: 0.2.Insanity Loader.exe.2238ab6.2.raw.unpack, JrDgcb8ExbnxoKvHj0h.cs; High entropy of concatenated method names: 'ShowMessage', 'VxW8CTIwiU', 'IKm8os5L55', 'gom8AC5UqJ', 'B0b8F7YMg0', 'E0c8g7rGpw', 'reY848S8mQ', 'aKZ8z7WlxN', 'nDRQayamBL', 'U5OQ6dLhrU'
Source: 0.2.Insanity Loader.exe.2238ab6.2.raw.unpack, eYHragi8ZCpLS1lWPwX.cs; High entropy of concatenated method names: 'lb8iuDNCWP', 'A5UiZDAsol', 'XSai99a8ti', 'S1Eily3Nq0', 'OMTiJWE6ZX', 'AfyitOTe6J', 'LqEiDT7lu7', 'VXbiPDVIHO', 'wjwibsCoYQ', 'pKaidcbP2q'
Source: 0.2.Insanity Loader.exe.2238ab6.2.raw.unpack, HMcqtE6J6r1oToPnxPf.cs; High entropy of concatenated method names: 'rpg63nTtcd', 'Fme6OAaSE1', 'MS16rZKoi4', 'wAO6N8pqBw', 'n6p6DgAamV', 'R3o6PgF73A', 'ekH6bn75Ls', 'wrq6dI3ts6', 'jXM60OtGM7', 'KO76wXfsvZ'
Source: 0.2.Insanity Loader.exe.2238ab6.2.raw.unpack, qqaOQ7MORaiyuX290kx.cs; High entropy of concatenated method names: 'NOCbz6OMLf', 'TALdQQC9dP', 'qcuMrAL091', 'sGCMNdH9uR', 'DD3MIrZ56s', 'xEvMeNt3nr', 'tgNMcYqoLe', 'hHUbghaJSm', 'bmHdatxIPx', 'AgoduRIEmN'
Source: 0.2.Insanity Loader.exe.3576790.5.raw.unpack, JrDgcb8ExbnxoKvHj0h.cs; High entropy of concatenated method names: 'ShowMessage', 'VxW8CTIwiU', 'IKm8os5L55', 'gom8AC5UqJ', 'B0b8F7YMg0', 'E0c8g7rGpw', 'reY848S8mQ', 'aKZ8z7WlxN', 'nDRQayamBL', 'U5OQ6dLhrU'
Source: 0.2.Insanity Loader.exe.3576790.5.raw.unpack, eYHragi8ZCpLS1lWPwX.cs; High entropy of concatenated method names: 'lb8iuDNCWP', 'A5UiZDAsol', 'XSai99a8ti', 'S1Eily3Nq0', 'OMTiJWE6ZX', 'AfyitOTe6J', 'LqEiDT7lu7', 'VXbiPDVIHO', 'wjwibsCoYQ', 'pKaidcbP2q'
Source: 0.2.Insanity Loader.exe.3576790.5.raw.unpack, HMcqtE6J6r1oToPnxPf.cs; High entropy of concatenated method names: 'rpg63nTtcd', 'Fme6OAaSE1', 'MS16rZKoi4', 'wAO6N8pqBw', 'n6p6DgAamV', 'R3o6PgF73A', 'ekH6bn75Ls', 'wrq6dI3ts6', 'jXM60OtGM7', 'KO76wXfsvZ'
Source: 0.2.Insanity Loader.exe.3576790.5.raw.unpack, qqaOQ7MORaiyuX290kx.cs; High entropy of concatenated method names: 'NOCbz6OMLf', 'TALdQQC9dP', 'qcuMrAL091', 'sGCMNdH9uR', 'DD3MIrZ56s', 'xEvMeNt3nr', 'tgNMcYqoLe', 'hHUbghaJSm', 'bmHdatxIPx', 'AgoduRIEmN'
Source: 0.2.Insanity Loader.exe.3526458.3.raw.unpack, JrDgcb8ExbnxoKvHj0h.cs; High entropy of concatenated method names: 'ShowMessage', 'VxW8CTIwiU', 'IKm8os5L55', 'gom8AC5UqJ', 'B0b8F7YMg0', 'E0c8g7rGpw', 'reY848S8mQ', 'aKZ8z7WlxN', 'nDRQayamBL', 'U5OQ6dLhrU'
Source: 0.2.Insanity Loader.exe.3526458.3.raw.unpack, eYHragi8ZCpLS1lWPwX.cs; High entropy of concatenated method names: 'lb8iuDNCWP', 'A5UiZDAsol', 'XSai99a8ti', 'S1Eily3Nq0', 'OMTiJWE6ZX', 'AfyitOTe6J', 'LqEiDT7lu7', 'VXbiPDVIHO', 'wjwibsCoYQ', 'pKaidcbP2q'
Source: 0.2.Insanity Loader.exe.3526458.3.raw.unpack, HMcqtE6J6r1oToPnxPf.cs; High entropy of concatenated method names: 'rpg63nTtcd', 'Fme6OAaSE1', 'MS16rZKoi4', 'wAO6N8pqBw', 'n6p6DgAamV', 'R3o6PgF73A', 'ekH6bn75Ls', 'wrq6dI3ts6', 'jXM60OtGM7', 'KO76wXfsvZ'
Source: 0.2.Insanity Loader.exe.3526458.3.raw.unpack, qqaOQ7MORaiyuX290kx.cs; High entropy of concatenated method names: 'NOCbz6OMLf', 'TALdQQC9dP', 'qcuMrAL091', 'sGCMNdH9uR', 'DD3MIrZ56s', 'xEvMeNt3nr', 'tgNMcYqoLe', 'hHUbghaJSm', 'bmHdatxIPx', 'AgoduRIEmN'
Source: 0.2.Insanity Loader.exe.5230000.8.raw.unpack, JrDgcb8ExbnxoKvHj0h.cs; High entropy of concatenated method names: 'ShowMessage', 'VxW8CTIwiU', 'IKm8os5L55', 'gom8AC5UqJ', 'B0b8F7YMg0', 'E0c8g7rGpw', 'reY848S8mQ', 'aKZ8z7WlxN', 'nDRQayamBL', 'U5OQ6dLhrU'
Source: 0.2.Insanity Loader.exe.5230000.8.raw.unpack, eYHragi8ZCpLS1lWPwX.cs; High entropy of concatenated method names: 'lb8iuDNCWP', 'A5UiZDAsol', 'XSai99a8ti', 'S1Eily3Nq0', 'OMTiJWE6ZX', 'AfyitOTe6J', 'LqEiDT7lu7', 'VXbiPDVIHO', 'wjwibsCoYQ', 'pKaidcbP2q'
Source: 0.2.Insanity Loader.exe.5230000.8.raw.unpack, HMcqtE6J6r1oToPnxPf.cs; High entropy of concatenated method names: 'rpg63nTtcd', 'Fme6OAaSE1', 'MS16rZKoi4', 'wAO6N8pqBw', 'n6p6DgAamV', 'R3o6PgF73A', 'ekH6bn75Ls', 'wrq6dI3ts6', 'jXM60OtGM7', 'KO76wXfsvZ'
Source: 0.2.Insanity Loader.exe.5230000.8.raw.unpack, qqaOQ7MORaiyuX290kx.cs; High entropy of concatenated method names: 'NOCbz6OMLf', 'TALdQQC9dP', 'qcuMrAL091', 'sGCMNdH9uR', 'DD3MIrZ56s', 'xEvMeNt3nr', 'tgNMcYqoLe', 'hHUbghaJSm', 'bmHdatxIPx', 'AgoduRIEmN'
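The "High entropy of concatenated method names" findings above report the heuristic's verdict but not the computation. The Python below is an added example written for this page, not the report's own code: it computes Shannon entropy over the concatenated method names of each type, using the four types and their names exactly as the findings list them (the same four recur in all five dumps, so one copy is enough). The threshold and the PLAIN_TYPE comparison set are assumptions made here, not Joe Sandbox's values.

```python
"""Added example for this page (not part of the Joe Sandbox report): the
"high entropy of concatenated method names" heuristic, run over the names
the report lists and over a constructed set of ordinary names."""
import math
from collections import Counter

# Method names exactly as the report lists them for the four flagged types.
REPORTED_TYPES = {
    "JrDgcb8ExbnxoKvHj0h": ['ShowMessage', 'VxW8CTIwiU', 'IKm8os5L55', 'gom8AC5UqJ', 'B0b8F7YMg0',
                            'E0c8g7rGpw', 'reY848S8mQ', 'aKZ8z7WlxN', 'nDRQayamBL', 'U5OQ6dLhrU'],
    "eYHragi8ZCpLS1lWPwX": ['lb8iuDNCWP', 'A5UiZDAsol', 'XSai99a8ti', 'S1Eily3Nq0', 'OMTiJWE6ZX',
                            'AfyitOTe6J', 'LqEiDT7lu7', 'VXbiPDVIHO', 'wjwibsCoYQ', 'pKaidcbP2q'],
    "HMcqtE6J6r1oToPnxPf": ['rpg63nTtcd', 'Fme6OAaSE1', 'MS16rZKoi4', 'wAO6N8pqBw', 'n6p6DgAamV',
                            'R3o6PgF73A', 'ekH6bn75Ls', 'wrq6dI3ts6', 'jXM60OtGM7', 'KO76wXfsvZ'],
    "qqaOQ7MORaiyuX290kx": ['NOCbz6OMLf', 'TALdQQC9dP', 'qcuMrAL091', 'sGCMNdH9uR', 'DD3MIrZ56s',
                            'xEvMeNt3nr', 'tgNMcYqoLe', 'hHUbghaJSm', 'bmHdatxIPx', 'AgoduRIEmN'],
}

# Constructed comparison set (not from the report): names a developer would write.
PLAIN_TYPE = ['GetValue', 'SetValue', 'GetName', 'SetName',
              'GetSize', 'SetSize', 'GetData', 'SetData']

# Assumed cut-off in bits per character; Joe Sandbox does not publish its threshold.
THRESHOLD_BITS = 4.8


def shannon_entropy(text):
    """Bits per character of the text's own symbol distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def method_name_entropy(names):
    """Entropy of all method names of one type joined into a single string,
    which is what the report's wording "concatenated method names" describes."""
    return shannon_entropy("".join(names))


def flag_obfuscated_types(types, threshold=THRESHOLD_BITS):
    """Return {type name: entropy} for every type at or above the threshold."""
    flagged = {}
    for type_name, names in types.items():
        h = method_name_entropy(names)
        if h >= threshold:
            flagged[type_name] = round(h, 2)
    return flagged


if __name__ == "__main__":
    for type_name, names in REPORTED_TYPES.items():
        print("%s: %.2f bits/char" % (type_name, method_name_entropy(names)))
    print("plain names: %.2f bits/char" % method_name_entropy(PLAIN_TYPE))
    print("flagged:", flag_obfuscated_types(REPORTED_TYPES))
```

Renamers that draw identifiers uniformly from the full alphanumeric alphabet push the per-character entropy toward log2 of the alphabet size, while real identifiers reuse a small set of English letters and fragments (Get, Set, Value) and land well below; the one readable name in the first type, ShowMessage, is the kind of externally referenced member a renamer has to leave intact. The caveat when reusing this check: it is computed per type over a handful of short strings, so a small legitimate type with a few unusual names can cross an assumed threshold, which is why the report pairs it with the large-array and cryptographic-API findings on the same dumps rather than scoring it alone.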
Source: C:\Users\user\Desktop\Insanity Loader.exe; Process information set: NOOPENFILEERRORBOX (reported 43 times)

    Malware Analysis System Evasion

    Source: Insanity Loader.exe, 00000000.00000002.2041615026.0000000002646000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE@\]Q
    Source: Insanity Loader.exe, 00000000.00000002.2041615026.0000000002646000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE`,]Q
    Source: Insanity Loader.exe, 00000000.00000002.2041615026.0000000002646000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Memory allocated: 2150000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Memory allocated: 2520000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Memory allocated: 4520000 memory reserve | memory write watch
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear | 0_2_004019F0
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep | graph_0-54594
    Source: C:\Users\user\Desktop\Insanity Loader.exe TID: 3572 | Thread sleep time: -922337203685477s >= -30000s
    Source: Insanity Loader.exe, 00000000.00000002.2041615026.0000000002646000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe`,]q
    Source: Insanity Loader.exe, 00000000.00000002.2041615026.0000000002646000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe
    Source: Insanity Loader.exe, 00000000.00000002.2041615026.0000000002646000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe@\]q
    Source: C:\Users\user\Desktop\Insanity Loader.exe | API call chain: ExitProcess graph end node | graph_0-54829
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_0040CE09
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree | 0_2_0040ADB0
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_0040E61C
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00416F6A
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Code function: 0_2_004123F1 SetUnhandledExceptionFilter | 0_2_004123F1
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Memory allocated: page read and write | page guard
    Source: Insanity Loader.exe, 00000000.00000002.2041615026.0000000002795000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
    Source: Insanity Loader.exe, 00000000.00000002.2041615026.0000000002795000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Code function: GetLocaleInfoA | 0_2_00417A20
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter | 0_2_00412A15
    Source: C:\Users\user\Desktop\Insanity Loader.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    Source: Yara match | File source: Process Memory Space: Insanity Loader.exe PID: 5664, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: Process Memory Space: Insanity Loader.exe PID: 5664, type: MEMORYSTR
    MITRE ATT&CK matrix (only techniques with matching signatures are listed; the leading number is the signature count as shown in the report):
    Execution: 2 Command and Scripting Interpreter; 2 Native API
    Persistence: 1 DLL Side-Loading
    Privilege Escalation: 2 Process Injection; 1 DLL Side-Loading
    Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 2 Process Injection; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading
    Credential Access: 11 Input Capture
    Discovery: 1 System Time Discovery; 131 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 2 Process Discovery; 23 System Information Discovery
    Collection: 11 Input Capture; 11 Archive Collected Data
    Command and Control: 1 Encrypted Channel
    No signatures matched under Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration or Impact.
    Source | Detection | Scanner | Label | Link
    Insanity Loader.exe | 100% | Joe Sandbox ML | |
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    https://discord.com/api/v9/users/ | 0% | Avira URL Cloud | safe |
    https://api.ip.s | 0% | Avira URL Cloud | safe |
    https://api.ip.sb/ip | 0% | Avira URL Cloud | safe |
    No contacted domains info
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://api.ip.sb/ip | Insanity Loader.exe, 00000000.00000002.2041615026.00000000025B4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://api.ip.s | Insanity Loader.exe, 00000000.00000002.2041615026.00000000025B4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://discord.com/api/v9/users/ | Insanity Loader.exe, 00000000.00000002.2041615026.0000000002646000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    No contacted IP infos
    Joe Sandbox version: 40.0.0 Tourmaline
    Analysis ID: 1507525
    Start date and time: 2024-09-08 15:48:15 +02:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 5m 36s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes: 6
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: Insanity Loader.exe
    Detection: MAL
    Classification: mal72.troj.evad.winEXE@2/1@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 99%
    • Number of executed functions: 44
    • Number of non-executed functions: 33
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed; the report is missing behavior information
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • VT rate limit hit for: Insanity Loader.exe
    No simulations
    No context
    Process: C:\Users\user\Desktop\Insanity Loader.exe
    File Type: ASCII text, with CRLF line terminators
    Category: dropped
    Size (bytes): 1119
    Entropy (8bit): 5.345080863654519
    Encrypted: false
    SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
    MD5: 88593431AEF401417595E7A00FE86E5F
    SHA1: 1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
    SHA-256: ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
    SHA-512: 1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
    Malicious: true
    Reputation: moderate, very likely benign file
    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
    File type: PE32 executable (console) Intel 80386, for MS Windows
    Entropy (8bit): 7.729921049550876
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name: Insanity Loader.exe
    File size: 512'000 bytes
    MD5: 3fd87bf20a6572f497fd8707d6a48dc8
    SHA1: b87ea66e5642608ba518b1eba1f8d7965747bb1b
    SHA256: 91e1004b69d539f58774601b050151fb6fb706e03b5f65aa6288a586048e9563
    SHA512: 009dc5784ddd5707489b6ddd177598d8db6dd8b26d497e4c9bc64254e9e7a5d406fde3d59e5bd140b683cc3526e02e39608f24b272aba0fbcca4bcb6241fcacc
    SSDEEP: 12288:ph1Lk70TnvjcFqTKfKvMWm3bgZBItgyHn2F05dMF:1k70TrcFqGhWmruWuyH8OMF
    TLSH: 40B402207480C5B6C8B2513084D6CB366F3976621B76D6D77ADD277A2F213D3E2392C9
    File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~..................6.....PE..L...t..P..........#........
    Icon Hash: 39399a4c45611d03
    Entrypoint: 0x40cd2f
    Entrypoint Section: .text
    Digitally signed: false
    Imagebase: 0x400000
    Subsystem: windows cui
    Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    DLL Characteristics: TERMINAL_SERVER_AWARE
    Time Stamp: 0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major: 5
    OS Version Minor: 0
    File Version Major: 5
    File Version Minor: 0
    Subsystem Version Major: 5
    Subsystem Version Minor: 0
    Import Hash: bf5a4aa99e5b160f8521cadd6bfe73b8
    Instruction
    call 00007F5C208DDA36h
    jmp 00007F5C208D7BF9h
    mov edi, edi
    push ebp
    mov ebp, esp
    sub esp, 20h
    mov eax, dword ptr [ebp+08h]
    push esi
    push edi
    push 00000008h
    pop ecx
    mov esi, 0041F058h
    lea edi, dword ptr [ebp-20h]
    rep movsd
    mov dword ptr [ebp-08h], eax
    mov eax, dword ptr [ebp+0Ch]
    pop edi
    mov dword ptr [ebp-04h], eax
    pop esi
    test eax, eax
    je 00007F5C208D7D5Eh
    test byte ptr [eax], 00000008h
    je 00007F5C208D7D59h
    mov dword ptr [ebp-0Ch], 01994000h
    lea eax, dword ptr [ebp-0Ch]
    push eax
    push dword ptr [ebp-10h]
    push dword ptr [ebp-1Ch]
    push dword ptr [ebp-20h]
    call dword ptr [0041B000h]
    leave
    retn 0008h
    ret
    mov eax, 00413563h
    mov dword ptr [004228E4h], eax
    mov dword ptr [004228E8h], 00412C4Ah
    mov dword ptr [004228ECh], 00412BFEh
    mov dword ptr [004228F0h], 00412C37h
    mov dword ptr [004228F4h], 00412BA0h
    mov dword ptr [004228F8h], eax
    mov dword ptr [004228FCh], 004134DBh
    mov dword ptr [00422900h], 00412BBCh
    mov dword ptr [00422904h], 00412B1Eh
    mov dword ptr [00422908h], 00412AABh
    ret
    mov edi, edi
    push ebp
    mov ebp, esp
    call 00007F5C208D7CEBh
    call 00007F5C208DE570h
    cmp dword ptr [ebp+00h], 00000000h
    Programming Language:
    • [ASM] VS2008 build 21022
    • [IMP] VS2005 build 50727
    • [C++] VS2008 build 21022
    • [ C ] VS2008 build 21022
    • [LNK] VS2008 build 21022
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x215b4 | 0x50 | .rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26000 | 0x5afa4 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1b1c0 | 0x1c | .rdata
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x20da0 | 0x40 | .rdata
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x184 | .rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x19718 | 0x19800 | dfd9b4979fee42231b971517a1ca7fcb | False | 0.5789388020833334 | data | 6.748508550860781 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata | 0x1b000 | 0x6db4 | 0x6e00 | 5826801f33fc1b607aa8e942aa92e9fa | False | 0.5467329545454546 | data | 6.442956247632331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data | 0x22000 | 0x30c0 | 0x1600 | 2fe51a72ede820cd7cf55a77ba59b1f4 | False | 0.3126775568181818 | data | 3.2625868398009703 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc | 0x26000 | 0x5afa4 | 0x5b000 | a4a8b35ef6132b317ac458da6f7dd2df | False | 0.9647713126717034 | data | 7.920274953517197 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_ICON | 0x263c4 | 0x6b1d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.993508624776631
    RT_ICON | 0x2cee4 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.4432926829268293
    RT_ICON | 0x2d54c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.553763440860215
    RT_ICON | 0x2d834 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.625
    RT_ICON | 0x2d95c | 0x8efc | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9948912687138017
    RT_ICON | 0x36858 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.5575692963752665
    RT_ICON | 0x37700 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.7107400722021661
    RT_ICON | 0x37fa8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.5151734104046243
    RT_ICON | 0x38510 | 0xced3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9982246397340737
    RT_ICON | 0x453e4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.48018672199170126
    RT_ICON | 0x4798c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.5318949343339587
    RT_ICON | 0x48a34 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.6888297872340425
    RT_RCDATA | 0x48e9c | 0x37b3a | data | | | 1.0003331083391043
    RT_RCDATA | 0x809d8 | 0x20 | Non-ISO extended-ASCII text, with no line terminators, with escape sequences | | | 1.34375
    RT_GROUP_ICON | 0x809f8 | 0xae | data | | | 0.632183908045977
    RT_VERSION | 0x80aa8 | 0x30e | data | | | 0.4514066496163683
    RT_MANIFEST | 0x80db8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
    DLL | Import
    KERNEL32.dll | RaiseException, GetLastError, MultiByteToWideChar, lstrlenA, InterlockedDecrement, GetProcAddress, LoadLibraryA, FreeResource, SizeofResource, LockResource, LoadResource, FindResourceA, GetModuleHandleA, Module32Next, CloseHandle, Module32First, CreateToolhelp32Snapshot, GetCurrentProcessId, SetEndOfFile, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, GetLocaleInfoA, HeapFree, GetProcessHeap, HeapAlloc, GetCommandLineA, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, HeapSize, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, ReadFile, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, FlushFileBuffers, SetFilePointer, SetHandleCount, GetFileType, GetStartupInfoA, RtlUnwind, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, CompareStringA, CompareStringW, SetEnvironmentVariableA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
    ole32.dll | OleInitialize
    OLEAUT32.dll | SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector, VariantClear, VariantInit, SysFreeString, SysAllocString
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Sep 8, 2024 15:49:50.227878094 CEST | 53 | 57596 | 162.159.36.2 | 192.168.2.5
    Sep 8, 2024 15:49:50.731770039 CEST | 53 | 64497 | 1.1.1.1 | 192.168.2.5

    Target ID: 0
    Start time: 09:49:03
    Start date: 08/09/2024
    Path: C:\Users\user\Desktop\Insanity Loader.exe
    Wow64 process (32bit): true
    Commandline: "C:\Users\user\Desktop\Insanity Loader.exe"
    Imagebase: 0x400000
    File size: 512'000 bytes
    MD5 hash: 3FD87BF20A6572F497FD8707D6A48DC8
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: low
    Has exited: true

    Target ID: 1
    Start time: 09:49:03
    Start date: 08/09/2024
    Path: C:\Windows\System32\conhost.exe
    Wow64 process (32bit): false
    Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase: 0x7ff6d64d0000
    File size: 862'208 bytes
    MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: high
    Has exited: true


      Execution Graph

      Execution Coverage:12.6%
      Dynamic/Decrypted Code Coverage:75.8%
      Signature Coverage:4.9%
      Total number of Nodes:912
      Total number of Limit Nodes:71
54172->54170 54173->54170 54174->54170 54885 54eb068 54886 54eb0aa 54885->54886 54887 54eb0b0 SetWindowTextW 54885->54887 54886->54887 54888 54eb0e1 54887->54888 54889 54ef4a8 54890 54ef4cf 54889->54890 54891 54ef530 54890->54891 54893 215d46c 3 API calls 54890->54893 54894 215fa37 54890->54894 54893->54891 54895 215e250 3 API calls 54894->54895 54896 215fa6f 54894->54896 54895->54896 54896->54891 54897 54edfe8 54898 54edff8 54897->54898 54899 54ee00a 54898->54899 54901 53a2098 54898->54901 54902 53a20da SetWindowLongW 54901->54902 54904 53a20a7 54901->54904 54903 53a2144 54902->54903 54903->54899 54904->54899 54175 210d01c 54176 210d034 54175->54176 54177 210d08e 54176->54177 54181 53a12fc 4 API calls 54176->54181 54182 53a2038 54176->54182 54186 53a2da9 54176->54186 54195 53a2048 54176->54195 54181->54177 54183 53a206e 54182->54183 54184 53a12fc 4 API calls 54183->54184 54185 53a208f 54184->54185 54185->54177 54187 53a2de5 54186->54187 54188 53a2e19 54187->54188 54190 53a2e09 54187->54190 54189 53a1424 4 API calls 54188->54189 54191 53a2e17 54189->54191 54192 53a300c 4 API calls 54190->54192 54193 53a2f30 4 API calls 54190->54193 54194 53a2f40 4 API calls 54190->54194 54192->54191 54193->54191 54194->54191 54196 53a206e 54195->54196 54197 53a12fc 4 API calls 54196->54197 54198 53a208f 54197->54198 54198->54177 54199 54e3e00 54200 54e3e0e 54199->54200 54201 54e3e35 54200->54201 54202 54e31d4 2 API calls 54200->54202 54203 54e3e7b 54202->54203 54905 53a45c8 54906 53a45d8 54905->54906 54911 54eafb8 54906->54911 54917 53a5eb4 54906->54917 54923 54eafa9 54906->54923 54907 53a4601 54912 54eafed 54911->54912 54916 53a5eb4 6 API calls 54912->54916 54913 54eb042 54929 54e3158 SendMessageW PostMessageW 54913->54929 54915 54eb049 54915->54907 54916->54913 54918 53a5ebd 54917->54918 54920 53a5edb 54917->54920 54919 53a4740 6 API calls 54918->54919 54918->54920 54919->54920 54921 53a4740 6 API calls 54920->54921 54922 53a6014 54920->54922 54921->54922 54922->54907 54924 
54eafed 54923->54924 54928 53a5eb4 6 API calls 54924->54928 54925 54eb042 54930 54e3158 SendMessageW PostMessageW 54925->54930 54927 54eb049 54927->54907 54928->54925 54929->54915 54930->54927 54204 215d600 54205 215d646 GetCurrentProcess 54204->54205 54207 215d691 54205->54207 54208 215d698 GetCurrentThread 54205->54208 54207->54208 54209 215d6d5 GetCurrentProcess 54208->54209 54210 215d6ce 54208->54210 54211 215d70b 54209->54211 54210->54209 54212 215d733 GetCurrentThreadId 54211->54212 54213 215d764 54212->54213 54214 215fc0d 54215 215fc18 54214->54215 54218 54ef818 54214->54218 54223 54ef809 54214->54223 54219 54ef82a 54218->54219 54220 54ef867 54219->54220 54228 54efa10 54219->54228 54233 54efa20 54219->54233 54220->54215 54225 54ef82a 54223->54225 54224 54ef867 54224->54215 54225->54224 54226 54efa10 2 API calls 54225->54226 54227 54efa20 2 API calls 54225->54227 54226->54224 54227->54224 54229 54efa43 54228->54229 54230 54efb78 54229->54230 54238 54efda0 54229->54238 54243 54efdb0 54229->54243 54230->54220 54234 54efa43 54233->54234 54235 54efb78 54234->54235 54236 54efda0 2 API calls 54234->54236 54237 54efdb0 2 API calls 54234->54237 54235->54220 54236->54235 54237->54235 54239 54efdc5 54238->54239 54248 56b04c1 54239->54248 54252 56b04d0 54239->54252 54240 54efdd1 54240->54230 54244 54efdc5 54243->54244 54246 56b04c1 2 API calls 54244->54246 54247 56b04d0 2 API calls 54244->54247 54245 54efdd1 54245->54230 54246->54245 54247->54245 54249 56b04d0 54248->54249 54256 56b0838 54249->54256 54250 56b0556 54250->54240 54253 56b04f2 54252->54253 54255 56b0838 2 API calls 54253->54255 54254 56b0556 54254->54240 54255->54254 54257 56b0864 54256->54257 54261 56b74a8 54257->54261 54265 56b74b0 54257->54265 54258 56b08b8 54258->54250 54262 56b74b0 GetConsoleWindow 54261->54262 54264 56b751e 54262->54264 54264->54258 54266 56b74ee GetConsoleWindow 54265->54266 54268 56b751e 54266->54268 54268->54258 54269 53a6a60 54270 53a6a84 54269->54270 54283 53a66cc 54270->54283 
54274 53a6afb 54291 53a66fc 54274->54291 54276 53a6b51 54295 53a674c 54276->54295 54278 53a6c16 54299 53abd7b 54278->54299 54317 53abd38 54278->54317 54335 53abd40 54278->54335 54279 53a6c36 54284 53a66d7 54283->54284 54353 53a67cc 54284->54353 54286 53a6a9f 54287 53a66dc 54286->54287 54288 53a66e7 54287->54288 54362 53a696c 54288->54362 54290 53a7086 54290->54274 54292 53a6707 54291->54292 54293 53a9927 54292->54293 54294 53a696c 6 API calls 54292->54294 54293->54276 54294->54293 54296 53a6757 54295->54296 54297 53aa745 54296->54297 54528 53a9140 54296->54528 54297->54278 54301 53abd82 54299->54301 54300 53abddb 54314 53abd7b 9 API calls 54300->54314 54315 53abd38 9 API calls 54300->54315 54316 53abd40 9 API calls 54300->54316 54301->54300 54304 53abe10 54301->54304 54302 53abde5 54302->54279 54303 53abf14 54303->54279 54304->54303 54313 53abf42 54304->54313 54543 53ab8f4 54304->54543 54307 53ab8f4 7 API calls 54307->54313 54308 53abf6e 54308->54279 54309 53ac24a 54311 53a4740 6 API calls 54309->54311 54310 53ac25f GetCurrentThreadId 54312 53ac251 54310->54312 54311->54312 54312->54279 54313->54308 54313->54309 54313->54310 54314->54302 54315->54302 54316->54302 54319 53abd55 54317->54319 54318 53abddb 54332 53abd7b 9 API calls 54318->54332 54333 53abd38 9 API calls 54318->54333 54334 53abd40 9 API calls 54318->54334 54319->54318 54322 53abe55 54319->54322 54320 53abde5 54320->54279 54321 53abf14 54321->54279 54322->54321 54323 53ab8f4 7 API calls 54322->54323 54331 53abf42 54322->54331 54324 53abf38 54323->54324 54325 53ab8f4 7 API calls 54324->54325 54325->54331 54326 53abf6e 54326->54279 54327 53ac24a 54329 53a4740 6 API calls 54327->54329 54328 53ac25f GetCurrentThreadId 54330 53ac251 54328->54330 54329->54330 54330->54279 54331->54326 54331->54327 54331->54328 54332->54320 54333->54320 54334->54320 54337 53abd55 54335->54337 54336 53abddb 54350 53abd7b 9 API calls 54336->54350 54351 53abd38 9 API calls 54336->54351 54352 53abd40 9 API calls 54336->54352 
54337->54336 54340 53abe55 54337->54340 54338 53abde5 54338->54279 54339 53abf14 54339->54279 54340->54339 54341 53ab8f4 7 API calls 54340->54341 54349 53abf42 54340->54349 54342 53abf38 54341->54342 54343 53ab8f4 7 API calls 54342->54343 54343->54349 54344 53abf6e 54344->54279 54345 53ac24a 54347 53a4740 6 API calls 54345->54347 54346 53ac25f GetCurrentThreadId 54348 53ac251 54346->54348 54347->54348 54348->54279 54349->54344 54349->54345 54349->54346 54350->54338 54351->54338 54352->54338 54354 53a67d7 54353->54354 54356 215619c 8 API calls 54354->54356 54358 21588c8 54354->54358 54355 53a6da4 54355->54286 54356->54355 54359 21588d8 54358->54359 54360 2158bc9 54359->54360 54361 215cf21 8 API calls 54359->54361 54360->54355 54361->54360 54363 53a6977 54362->54363 54364 53a7140 54363->54364 54370 53a7160 54363->54370 54374 53aaca0 54363->54374 54382 53aacb0 54363->54382 54390 53a7150 54363->54390 54364->54290 54365 53a710a 54365->54290 54371 53a718f 54370->54371 54372 53a7216 54371->54372 54394 53a4740 54371->54394 54375 53aaca3 54374->54375 54376 53aaf16 54375->54376 54379 53aaef5 54375->54379 54377 53a7160 6 API calls 54376->54377 54378 53aaf29 54377->54378 54378->54365 54380 53a7160 6 API calls 54379->54380 54381 53aaf0c 54380->54381 54381->54365 54386 53aacd7 54382->54386 54383 53aaf16 54384 53a7160 6 API calls 54383->54384 54385 53aaf29 54384->54385 54385->54365 54386->54383 54387 53aaef5 54386->54387 54388 53a7160 6 API calls 54387->54388 54389 53aaf0c 54388->54389 54389->54365 54391 53a718f 54390->54391 54392 53a7216 54391->54392 54393 53a4740 6 API calls 54391->54393 54393->54392 54395 53a4750 54394->54395 54396 53a478d 54395->54396 54400 54e9968 54395->54400 54423 54e9a10 54395->54423 54446 54e9a00 54395->54446 54396->54372 54404 54e996d 54400->54404 54403 54e31d4 2 API calls 54406 54e9b5d 54403->54406 54405 54e9ae7 54404->54405 54469 215fc40 54404->54469 54474 215fc28 54404->54474 54479 54e8c3c 54405->54479 54407 54e9c7d 54406->54407 54483 54e961c 
54406->54483 54409 54e9cd0 54407->54409 54493 215f4f1 54407->54493 54497 215e15c 54407->54497 54410 54e9c24 54410->54407 54411 54e961c CreateWindowExW 54410->54411 54412 54e9c4f 54411->54412 54412->54407 54413 54e961c CreateWindowExW 54412->54413 54414 54e9c60 54413->54414 54415 54e3204 SendMessageW 54414->54415 54416 54e9c6f 54415->54416 54417 54e3204 SendMessageW 54416->54417 54488 54ede80 54416->54488 54417->54407 54427 54e9a49 54423->54427 54424 54e8c3c CreateWindowExW 54425 54e9b53 54424->54425 54426 54e31d4 2 API calls 54425->54426 54429 54e9b5d 54426->54429 54428 54e9ae7 54427->54428 54440 215fc40 CreateWindowExW 54427->54440 54441 215fc28 CreateWindowExW 54427->54441 54428->54424 54430 54e9c7d 54429->54430 54431 54e961c CreateWindowExW 54429->54431 54432 54e9cd0 54430->54432 54442 215f4f1 3 API calls 54430->54442 54443 215e15c 3 API calls 54430->54443 54433 54e9c24 54431->54433 54432->54432 54433->54430 54434 54e961c CreateWindowExW 54433->54434 54435 54e9c4f 54434->54435 54435->54430 54436 54e961c CreateWindowExW 54435->54436 54437 54e9c60 54436->54437 54438 54e3204 SendMessageW 54437->54438 54439 54e9c6f 54438->54439 54444 54e3204 SendMessageW 54439->54444 54445 54ede80 SendMessageW 54439->54445 54440->54428 54441->54428 54442->54432 54443->54432 54444->54430 54445->54430 54447 54e9a10 54446->54447 54451 54e9ae7 54447->54451 54463 215fc40 CreateWindowExW 54447->54463 54464 215fc28 CreateWindowExW 54447->54464 54448 54e8c3c CreateWindowExW 54449 54e9b53 54448->54449 54450 54e31d4 2 API calls 54449->54450 54452 54e9b5d 54450->54452 54451->54448 54453 54e9c7d 54452->54453 54454 54e961c CreateWindowExW 54452->54454 54455 54e9cd0 54453->54455 54465 215f4f1 3 API calls 54453->54465 54466 215e15c 3 API calls 54453->54466 54456 54e9c24 54454->54456 54455->54455 54456->54453 54457 54e961c CreateWindowExW 54456->54457 54458 54e9c4f 54457->54458 54458->54453 54459 54e961c CreateWindowExW 54458->54459 54460 54e9c60 54459->54460 54461 54e3204 SendMessageW 54460->54461 
54462 54e9c6f 54461->54462 54467 54e3204 SendMessageW 54462->54467 54468 54ede80 SendMessageW 54462->54468 54463->54451 54464->54451 54465->54455 54466->54455 54467->54453 54468->54453 54470 215fc71 54469->54470 54471 215fc7d 54469->54471 54470->54471 54501 53a0b58 54470->54501 54505 53a0b48 54470->54505 54471->54405 54475 215fc40 54474->54475 54476 215fc7d 54475->54476 54477 53a0b58 CreateWindowExW 54475->54477 54478 53a0b48 CreateWindowExW 54475->54478 54476->54405 54477->54476 54478->54476 54481 54e8c47 54479->54481 54480 54e9b53 54480->54403 54481->54480 54482 54e961c CreateWindowExW 54481->54482 54482->54480 54485 54e9627 54483->54485 54484 54ec633 54484->54410 54485->54484 54486 53a0b58 CreateWindowExW 54485->54486 54487 53a0b48 CreateWindowExW 54485->54487 54486->54484 54487->54484 54490 54ede90 54488->54490 54489 54ede9e 54489->54407 54490->54489 54491 54eded3 SendMessageW 54490->54491 54492 54edf54 54491->54492 54492->54407 54494 215f51f 54493->54494 54496 215f595 54493->54496 54494->54496 54514 215d46c 54494->54514 54496->54409 54498 215e167 54497->54498 54499 215f595 54498->54499 54500 215d46c 3 API calls 54498->54500 54499->54409 54500->54499 54502 53a0b83 54501->54502 54503 53a0c32 54502->54503 54509 53a1e31 54502->54509 54506 53a0b83 54505->54506 54507 53a0c32 54506->54507 54508 53a1e31 CreateWindowExW 54506->54508 54508->54507 54510 53a1e7e CreateWindowExW 54509->54510 54511 53a1e46 54509->54511 54513 53a1fb4 54510->54513 54511->54503 54515 215d477 54514->54515 54518 215e250 54515->54518 54517 215fa6f 54517->54496 54520 215e25b 54518->54520 54519 215fc18 54519->54517 54520->54519 54523 215fb42 54520->54523 54524 215fc40 CreateWindowExW 54520->54524 54525 215fc28 CreateWindowExW 54520->54525 54521 215fbe1 54526 54ef818 2 API calls 54521->54526 54527 54ef809 2 API calls 54521->54527 54522 215e250 3 API calls 54522->54523 54523->54521 54523->54522 54524->54523 54525->54523 54526->54519 54527->54519 54529 53a914b 54528->54529 54533 53aa770 54529->54533 
54536 53aa780 54529->54536 54530 53aa76c 54530->54297 54539 53aa858 54533->54539 54537 53aa7be 54536->54537 54538 53aa858 6 API calls 54536->54538 54537->54530 54538->54537 54540 53aa884 54539->54540 54541 53a66fc 6 API calls 54540->54541 54542 53aa7be 54541->54542 54542->54530 54544 53ab8ff 54543->54544 54545 53ac24a 54544->54545 54546 53ac25f GetCurrentThreadId 54544->54546 54547 53a4740 6 API calls 54545->54547 54548 53abf38 54546->54548 54547->54548 54548->54307 54549 215d848 DuplicateHandle 54550 215d8de 54549->54550 54551 40cbdd 54552 40cbe9 __close 54551->54552 54592 40d534 HeapCreate 54552->54592 54555 40cc46 54594 41087e GetModuleHandleW 54555->54594 54559 40cc57 __RTC_Initialize 54628 411a15 54559->54628 54562 40cc66 54563 40cc72 GetCommandLineA 54562->54563 54702 40e79a 62 API calls 3 library calls 54562->54702 54643 412892 71 API calls 3 library calls 54563->54643 54566 40cc71 54566->54563 54567 40cc82 54703 4127d7 107 API calls 3 library calls 54567->54703 54569 40cc8c 54570 40cc90 54569->54570 54571 40cc98 54569->54571 54704 40e79a 62 API calls 3 library calls 54570->54704 54644 41255f 106 API calls 6 library calls 54571->54644 54574 40cc97 54574->54571 54575 40cc9d 54576 40cca1 54575->54576 54577 40cca9 54575->54577 54705 40e79a 62 API calls 3 library calls 54576->54705 54645 40e859 73 API calls 5 library calls 54577->54645 54580 40cca8 54580->54577 54581 40ccb0 54582 40ccb5 54581->54582 54583 40ccbc 54581->54583 54706 40e79a 62 API calls 3 library calls 54582->54706 54646 4019f0 OleInitialize 54583->54646 54586 40ccd8 54588 40ccea 54586->54588 54707 40ea0a 62 API calls _doexit 54586->54707 54587 40ccbb 54587->54583 54708 40ea36 62 API calls _doexit 54588->54708 54591 40ccef __close 54593 40cc3a 54592->54593 54593->54555 54700 40cbb4 62 API calls 3 library calls 54593->54700 54595 410892 54594->54595 54596 410899 54594->54596 54709 40e76a Sleep GetModuleHandleW 54595->54709 54597 410a01 54596->54597 54598 4108a3 GetProcAddress GetProcAddress 
GetProcAddress GetProcAddress 54596->54598 54725 410598 7 API calls __decode_pointer 54597->54725 54600 4108ec TlsAlloc 54598->54600 54604 40cc4c 54600->54604 54605 41093a TlsSetValue 54600->54605 54602 410898 54602->54596 54604->54559 54701 40cbb4 62 API calls 3 library calls 54604->54701 54605->54604 54606 41094b 54605->54606 54710 40ea54 6 API calls 4 library calls 54606->54710 54608 410950 54711 41046e 6 API calls __crt_waiting_on_module_handle 54608->54711 54610 41095b 54712 41046e 6 API calls __crt_waiting_on_module_handle 54610->54712 54612 41096b 54713 41046e 6 API calls __crt_waiting_on_module_handle 54612->54713 54614 41097b 54714 41046e 6 API calls __crt_waiting_on_module_handle 54614->54714 54616 41098b 54715 40d564 InitializeCriticalSectionAndSpinCount ___lock_fhandle 54616->54715 54618 410998 54618->54597 54716 4104e9 6 API calls __crt_waiting_on_module_handle 54618->54716 54620 4109ac 54620->54597 54717 411cba 54620->54717 54624 4109df 54624->54597 54625 4109e6 54624->54625 54724 4105d5 62 API calls 5 library calls 54625->54724 54627 4109ee GetCurrentThreadId 54627->54604 54745 40e1d8 54628->54745 54630 411a21 GetStartupInfoA 54631 411cba __calloc_crt 62 API calls 54630->54631 54637 411a42 54631->54637 54632 411c60 __close 54632->54562 54633 411bdd GetStdHandle 54638 411ba7 54633->54638 54634 411cba __calloc_crt 62 API calls 54634->54637 54635 411c42 SetHandleCount 54635->54632 54636 411bef GetFileType 54636->54638 54637->54632 54637->54634 54637->54638 54641 411b2a 54637->54641 54638->54632 54638->54633 54638->54635 54638->54636 54747 41389c InitializeCriticalSectionAndSpinCount __close 54638->54747 54640 411b53 GetFileType 54640->54641 54641->54632 54641->54638 54641->54640 54746 41389c InitializeCriticalSectionAndSpinCount __close 54641->54746 54643->54567 54644->54575 54645->54581 54647 401ab9 54646->54647 54748 40b99e 54647->54748 54649 401abf 54650 401acd GetCurrentProcessId CreateToolhelp32Snapshot Module32First 54649->54650 54680 402467 
54649->54680 54651 401dc3 FindCloseChangeNotification GetModuleHandleA 54650->54651 54658 401c55 54650->54658 54761 401650 54651->54761 54653 401e8b FindResourceA LoadResource LockResource SizeofResource 54763 40b84d 54653->54763 54657 401c9c CloseHandle 54657->54586 54658->54657 54663 401cf9 Module32Next 54658->54663 54659 401ecb _memset 54660 401efc SizeofResource 54659->54660 54661 401f1c 54660->54661 54662 401f5f 54660->54662 54661->54662 54819 401560 __VEC_memcpy __fptostr 54661->54819 54665 401f92 _memset 54662->54665 54820 401560 __VEC_memcpy __fptostr 54662->54820 54663->54651 54672 401d0f 54663->54672 54667 401fa2 FreeResource 54665->54667 54668 40b84d _malloc 62 API calls 54667->54668 54669 401fbb SizeofResource 54668->54669 54670 401fe5 _memset 54669->54670 54671 4020aa LoadLibraryA 54670->54671 54673 401650 54671->54673 54672->54657 54675 401dad Module32Next 54672->54675 54674 40216c GetProcAddress 54673->54674 54676 4021aa 54674->54676 54674->54680 54675->54651 54675->54672 54676->54680 54793 4018f0 54676->54793 54678 40243f 54678->54680 54821 40b6b5 62 API calls 2 library calls 54678->54821 54680->54586 54681 4021f1 54681->54678 54805 401870 54681->54805 54683 402269 VariantInit 54684 401870 75 API calls 54683->54684 54685 40228b VariantInit 54684->54685 54686 4022a7 54685->54686 54687 4022d9 SafeArrayCreate SafeArrayAccessData 54686->54687 54810 40b350 54687->54810 54690 40232c 54691 402354 SafeArrayDestroy 54690->54691 54699 40235b 54690->54699 54691->54699 54692 402392 SafeArrayCreateVector 54693 4023a4 54692->54693 54694 4023bc VariantClear VariantClear 54693->54694 54812 4019a0 54694->54812 54697 40242e 54698 4019a0 65 API calls 54697->54698 54698->54678 54699->54692 54700->54555 54701->54559 54702->54566 54703->54569 54704->54574 54705->54580 54706->54587 54707->54588 54708->54591 54709->54602 54710->54608 54711->54610 54712->54612 54713->54614 54714->54616 54715->54618 54716->54620 54720 411cc3 54717->54720 54719 4109c5 54719->54597 54723 
4104e9 6 API calls __crt_waiting_on_module_handle 54719->54723 54720->54719 54721 411ce1 Sleep 54720->54721 54726 40e231 54720->54726 54722 411cf6 54721->54722 54722->54719 54722->54720 54723->54624 54724->54627 54727 40e23d __close 54726->54727 54728 40e255 54727->54728 54738 40e274 _memset 54727->54738 54739 40bfc1 62 API calls __getptd_noexit 54728->54739 54730 40e25a 54740 40e744 6 API calls 2 library calls 54730->54740 54732 40e2e6 HeapAlloc 54732->54738 54733 40e26a __close 54733->54720 54738->54732 54738->54733 54741 40d6e0 62 API calls 2 library calls 54738->54741 54742 40def2 5 API calls 2 library calls 54738->54742 54743 40e32d LeaveCriticalSection _doexit 54738->54743 54744 40d2e3 6 API calls __decode_pointer 54738->54744 54739->54730 54741->54738 54742->54738 54743->54738 54744->54738 54745->54630 54746->54641 54747->54638 54750 40b9aa __close _strnlen 54748->54750 54749 40b9b8 54822 40bfc1 62 API calls __getptd_noexit 54749->54822 54750->54749 54754 40b9ec 54750->54754 54752 40b9bd 54823 40e744 6 API calls 2 library calls 54752->54823 54824 40d6e0 62 API calls 2 library calls 54754->54824 54756 40b9f3 54825 40b917 120 API calls 3 library calls 54756->54825 54758 40b9ff 54826 40ba18 LeaveCriticalSection _doexit 54758->54826 54760 40b9cd __close 54760->54649 54762 4017cc _memcpy_s 54761->54762 54762->54653 54764 40b900 54763->54764 54779 40b85f 54763->54779 54834 40d2e3 6 API calls __decode_pointer 54764->54834 54766 40b870 54766->54779 54827 40ec4d 62 API calls 2 library calls 54766->54827 54828 40eaa2 62 API calls 7 library calls 54766->54828 54829 40e7ee GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 54766->54829 54767 40b906 54835 40bfc1 62 API calls __getptd_noexit 54767->54835 54772 401ebf 54781 40af66 54772->54781 54773 40b8bc RtlAllocateHeap 54773->54779 54775 40b8ec 54832 40bfc1 62 API calls __getptd_noexit 54775->54832 54778 40b8f1 54833 40bfc1 62 API calls __getptd_noexit 54778->54833 54779->54766 54779->54772 54779->54773 
54779->54775 54779->54778 54830 40b7fe 62 API calls 4 library calls 54779->54830 54831 40d2e3 6 API calls __decode_pointer 54779->54831 54783 40af70 54781->54783 54782 40b84d _malloc 62 API calls 54782->54783 54783->54782 54784 40af8a 54783->54784 54788 40af8c std::bad_alloc::bad_alloc 54783->54788 54836 40d2e3 6 API calls __decode_pointer 54783->54836 54784->54659 54786 40afb2 54838 40af49 62 API calls std::exception::exception 54786->54838 54788->54786 54837 40d2bd 73 API calls __cinit 54788->54837 54789 40afbc 54839 40cd39 RaiseException 54789->54839 54792 40afca 54794 401903 lstrlenA 54793->54794 54795 4018fc 54793->54795 54840 4017e0 54794->54840 54795->54681 54798 401940 GetLastError 54800 40194b MultiByteToWideChar 54798->54800 54801 40198d 54798->54801 54799 401996 54799->54681 54802 4017e0 72 API calls 54800->54802 54801->54799 54848 401030 GetLastError 54801->54848 54803 401970 MultiByteToWideChar 54802->54803 54803->54801 54806 40af66 74 API calls 54805->54806 54807 40187c 54806->54807 54808 401885 SysAllocString 54807->54808 54809 4018a4 54807->54809 54808->54809 54809->54683 54811 40231a SafeArrayUnaccessData 54810->54811 54811->54690 54813 4019aa InterlockedDecrement 54812->54813 54818 4019df VariantClear 54812->54818 54814 4019b8 54813->54814 54813->54818 54815 4019c2 SysFreeString 54814->54815 54817 4019c9 54814->54817 54814->54818 54815->54817 54852 40aec0 63 API calls 2 library calls 54817->54852 54818->54697 54819->54661 54820->54665 54821->54680 54822->54752 54824->54756 54825->54758 54826->54760 54827->54766 54828->54766 54830->54779 54831->54779 54832->54778 54833->54772 54834->54767 54835->54772 54836->54783 54837->54786 54838->54789 54839->54792 54841 4017e9 54840->54841 54846 401844 54841->54846 54847 40182d 54841->54847 54849 40b783 72 API calls 5 library calls 54841->54849 54845 40186d MultiByteToWideChar 54845->54798 54845->54799 54846->54845 54851 40b743 62 API calls 2 library calls 54846->54851 54847->54846 54850 40b6b5 62 API calls 2 
library calls 54847->54850 54849->54847 54850->54846 54851->54846 54852->54818 54853 54ee950 54854 54ee995 GetClassInfoW 54853->54854 54856 54ee9db 54854->54856

      Control-flow Graph

      Flattened control-flow graph of the function at 0x4019F0 (basic blocks 0x4019F0-0x402496; the Executed/Not Executed colouring of the interactive graph is not recoverable). Recoverable call order:
      • 0x4019F0: OleInitialize, call 0x401650, call 0x40B99E (_getenv)
      • 0x401ACD: GetCurrentProcessId, CreateToolhelp32Snapshot, Module32First; a per-module loop (0x401C55-0x401DBD) that calls 0x401650 before each block of byte-wise checks and Module32Next at its end, with a conditional early exit through CloseHandle at 0x401C9C
      • 0x401DC3: FindCloseChangeNotification, GetModuleHandleA, call 0x401650, FindResourceA, LoadResource, LockResource, SizeofResource, _malloc (0x40B84D), _memset, SizeofResource, copy via 0x401560 (__VEC_memcpy), FreeResource, a second _malloc and _memset, call 0x401650, LoadLibraryA, call 0x401650, GetProcAddress
      • 0x4021AA onward: string conversion via 0x4018F0 (lstrlenA, MultiByteToWideChar), 0x401870 (SysAllocString), VariantInit x2, SafeArrayCreate, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayDestroy, SafeArrayCreateVector, VariantClear x3, cleanup via 0x4019A0 (InterlockedDecrement, SysFreeString, VariantClear); failure paths through 0x40AD90 and 0x40B6B5
      APIs
      • OleInitialize.OLE32(00000000), ref: 004019FD
      • _getenv.LIBCMT ref: 00401ABA
      • GetCurrentProcessId.KERNEL32 ref: 00401ACD
      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6 (dwFlags 8 = TH32CS_SNAPMODULE, th32ProcessID 0 = the calling process: the sample snapshots its own module list)
      • Module32First.KERNEL32 ref: 00401C48
      • CloseHandle.KERNEL32(00000000,?,?,00000000,?), ref: 00401C9D
      • Module32Next.KERNEL32(00000000,?), ref: 00401D02
      • Module32Next.KERNEL32(00000000,?), ref: 00401DB6
      • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401DC4 (FindCloseChangeNotification and CloseHandle share one export address in kernelbase.dll, so address-based symbolisation labels the call this way; given its position right after the Module32Next loop, it most plausibly closes the Toolhelp snapshot handle)
      • GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
      • FindResourceA.KERNEL32(00000000,00000000,00000000), ref: 00401E90
      • LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
      • LockResource.KERNEL32(00000000), ref: 00401EA7
      • SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
      • _malloc.LIBCMT ref: 00401EBA
      • _memset.LIBCMT ref: 00401EDD
      • SizeofResource.KERNEL32(00000000,?), ref: 00401F02
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID: Resource$Module32$CloseFindHandleNextSizeof$ChangeCreateCurrentFirstInitializeLoadLockModuleNotificationProcessSnapshotToolhelp32_getenv_malloc_memset
      • String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
      • API String ID: 2366190142-2962942730
      • Opcode ID: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
      • Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
      • Opcode Fuzzy Hash: 224088bd6fdf40f00aacdd5f7db7c03047c3cc993abb63ba2c7175de51848a6e
      • Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2045179714.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_53a0000_Insanity Loader.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID: 0-76226702
      • Opcode ID: daaaf56acd7ed661bd3f91006973b022672c6f6ccaa5a283335ea9aaec4ee207
      • Instruction ID: a7a23d52d81d8d1c47236f0fc6f9deb2baa0f8ffa58888a3a02d5eac5d39089c
      • Opcode Fuzzy Hash: daaaf56acd7ed661bd3f91006973b022672c6f6ccaa5a283335ea9aaec4ee207
      • Instruction Fuzzy Hash: 9F915B75B006058FCB18EF79D49096ABBF6FF88310B008969D80ACB755EF74E945CB90
      Memory Dump Source
      • Source File: 00000000.00000002.2045623724.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_56b0000_Insanity Loader.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 93798fb3e659a4ed1302169d433e94e2f8f78487d91b974970ffb1780227519c
      • Instruction ID: 9c24d773fc7d1abfd86d8c2fd55a06ed6ae276753317d152a025047aaf40a43a
      • Opcode Fuzzy Hash: 93798fb3e659a4ed1302169d433e94e2f8f78487d91b974970ffb1780227519c
      • Instruction Fuzzy Hash: 0EA1E074D05228CFEB14DFA9C5887EEBBF2BF49311F1091A9D409A7291DB749A86CF10
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2045179714.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_53a0000_Insanity Loader.jbxd
      Similarity
      • API ID:
      • String ID: Haq$Haq$Haq$Haq$Haq
      • API String ID: 0-1792267638
      • Opcode ID: a2ba7ec311d39cd7241308e62dc78d756c6c642a4b82ec705d009ba60db19cb6
      • Instruction ID: 3d24ccbd8d4c4aa83c98364422f4651595289a1f5ced66d9bb9a5316c5f18393
      • Opcode Fuzzy Hash: a2ba7ec311d39cd7241308e62dc78d756c6c642a4b82ec705d009ba60db19cb6
      • Instruction Fuzzy Hash: 2CC15B35B002188FCB14EBA8C5949AEBBF6FF89310F2444A9D506AB3A4DF75DD41CB61
      APIs
      • lstrlenA.KERNEL32(?), ref: 00401906
      • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
      • GetLastError.KERNEL32 ref: 00401940
      • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
      • MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID: ByteCharMultiWide$ErrorLastlstrlen
      • String ID:
      • API String ID: 3322701435-0
      • Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
      • Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
      • Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
      • Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8
      APIs
      • GetCurrentProcess.KERNEL32 ref: 0215D67E
      • GetCurrentThread.KERNEL32 ref: 0215D6BB
      • GetCurrentProcess.KERNEL32 ref: 0215D6F8
      • GetCurrentThreadId.KERNEL32 ref: 0215D751
      Memory Dump Source
      • Source File: 00000000.00000002.2040882107.0000000002150000.00000040.00000800.00020000.00000000.sdmp, Offset: 02150000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2150000_Insanity Loader.jbxd
      Similarity
      • API ID: Current$ProcessThread
      • String ID:
      • API String ID: 2063062207-0
      • Opcode ID: 1216ec0648a6b4e153864ec72c232b9a1060c63fd9a77fab6d26a3b7cec74299
      • Instruction ID: bd0016ace00877299c879bbec4c04c79fbcef382fe72ce9dd94d1f2783f9a36a
      • Opcode Fuzzy Hash: 1216ec0648a6b4e153864ec72c232b9a1060c63fd9a77fab6d26a3b7cec74299
      • Instruction Fuzzy Hash: 205167B0900349CFDB14DFA9D648BAEBFF5EF89304F208499E419A7360D7789984CB65
      APIs
      • GetCurrentProcess.KERNEL32 ref: 0215D67E
      • GetCurrentThread.KERNEL32 ref: 0215D6BB
      • GetCurrentProcess.KERNEL32 ref: 0215D6F8
      • GetCurrentThreadId.KERNEL32 ref: 0215D751
      Memory Dump Source
      • Source File: 00000000.00000002.2040882107.0000000002150000.00000040.00000800.00020000.00000000.sdmp, Offset: 02150000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2150000_Insanity Loader.jbxd
      Similarity
      • API ID: Current$ProcessThread
      • String ID:
      • API String ID: 2063062207-0
      • Opcode ID: eaa71c1e98e3b303cbe72f38b0f208f227fdd3f7a289c17c0b2f516d717208f7
      • Instruction ID: 82d59a92e9e1e483e2fe19f0d0b0b97f560f6d998c3fea9f54e9dc4ea1f16527
      • Opcode Fuzzy Hash: eaa71c1e98e3b303cbe72f38b0f208f227fdd3f7a289c17c0b2f516d717208f7
      • Instruction Fuzzy Hash: C85167B0900309CFDB14DFA9D649BAEBFF5EF89304F208499E419A7360D7749984CB65
      APIs
      • _malloc.LIBCMT ref: 0040AF80
        • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
        • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
        • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
      • std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3
        • Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08
      • std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
      • __CxxThrowException@8.LIBCMT ref: 0040AFC5
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
      • String ID:
      • API String ID: 1411284514-0
      • Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
      • Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
      • Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
      • Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E
      APIs
      • GetModuleHandleW.KERNELBASE(00000000), ref: 0215B5BE
      Memory Dump Source
      • Source File: 00000000.00000002.2040882107.0000000002150000.00000040.00000800.00020000.00000000.sdmp, Offset: 02150000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2150000_Insanity Loader.jbxd
      Similarity
      • API ID: HandleModule
      • String ID:
      • API String ID: 4139908857-0
      • Opcode ID: a221fd2b72d858ea10b18c8a396dcede0b623242ab00e86772dbb129e7b2eb25
      • Instruction ID: a93b9164bdcaf19f5ead303c093e13cfcf436dcb440fa13c41d3661d01a1afd4
      • Opcode Fuzzy Hash: a221fd2b72d858ea10b18c8a396dcede0b623242ab00e86772dbb129e7b2eb25
      • Instruction Fuzzy Hash: 13813470A44B14CFD764DF29D1407AABBF2FF88304F008A69D896D7A54DB74E94ACB90
      APIs
      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053A1FA2
      Memory Dump Source
      • Source File: 00000000.00000002.2045179714.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_53a0000_Insanity Loader.jbxd
      Similarity
      • API ID: CreateWindow
      • String ID:
      • API String ID: 716092398-0
      • Opcode ID: b5fc5a6aa72c7ca5ce342360b9aba0e499d1b7069bc9e733c7fef7df59d22ba4
      • Instruction ID: a8f2123a0657c231b4a5a1f6f1808d807f32c99e6155cdaf763e742faf9d574a
      • Opcode Fuzzy Hash: b5fc5a6aa72c7ca5ce342360b9aba0e499d1b7069bc9e733c7fef7df59d22ba4
      • Instruction Fuzzy Hash: D65102B2C04249AFCF11CFA9C984ADEBFB2FF49310F14816AE918AB221D7759845CF50
      APIs
      • CreateActCtxA.KERNEL32(?), ref: 02155F31
      Memory Dump Source
      • Source File: 00000000.00000002.2040882107.0000000002150000.00000040.00000800.00020000.00000000.sdmp, Offset: 02150000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2150000_Insanity Loader.jbxd
      Similarity
      • API ID: Create
      • String ID:
      • API String ID: 2289755597-0
      • Opcode ID: 77dc276f498b1fcee862a0dc79a8769c7d0a7ef998a7c198de5a65f296f06925
      • Instruction ID: 5e913b5256ae6b7a5152108bb0ff4176de65bedcd0ad0f033733cbc4b517306f
      • Opcode Fuzzy Hash: 77dc276f498b1fcee862a0dc79a8769c7d0a7ef998a7c198de5a65f296f06925
      • Instruction Fuzzy Hash: 12410FB1C00619DEDB24DFA9C9447DDBBF6FF48304F2080AAD918AB250D779694ACF90
      APIs
      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053A1FA2
      Memory Dump Source
      • Source File: 00000000.00000002.2045179714.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_53a0000_Insanity Loader.jbxd
      Similarity
      • API ID: CreateWindow
      • String ID:
      • API String ID: 716092398-0
      • Opcode ID: 619c0209c8dcc1743f9863602a9f0285cb9dc18f3d30e85715b8e0a1e44e3a62
      • Instruction ID: 054a6a0da42ce465fba213b6345eaae120ea39315999ab239cca70ae0937f73c
      • Opcode Fuzzy Hash: 619c0209c8dcc1743f9863602a9f0285cb9dc18f3d30e85715b8e0a1e44e3a62
      • Instruction Fuzzy Hash: DB51C2B1D003499FDB14CF99C984ADEBFB6FF48310F24822AE819AB250D775A945CF90
      APIs
      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053A1FA2
      Memory Dump Source
      • Source File: 00000000.00000002.2045179714.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_53a0000_Insanity Loader.jbxd
      Similarity
      • API ID: CreateWindow
      • String ID:
      • API String ID: 716092398-0
      • Opcode ID: f5130d66d64c4ab1468d269cc949327d2e9a22ce39b4264ee61409d7ed6b3370
      • Instruction ID: 423362668df56be8a0312d7b4c181d3c35e570034b14dde791e494aabdb5db81
      • Opcode Fuzzy Hash: f5130d66d64c4ab1468d269cc949327d2e9a22ce39b4264ee61409d7ed6b3370
      • Instruction Fuzzy Hash: 0141B2B1D003499FDB14CF99C984ADEBFB6FF48310F24822AE819AB250D775A945CF90
      APIs
      • CreateActCtxA.KERNEL32(?), ref: 02155F31
      Memory Dump Source
      • Source File: 00000000.00000002.2040882107.0000000002150000.00000040.00000800.00020000.00000000.sdmp, Offset: 02150000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2150000_Insanity Loader.jbxd
      Similarity
      • API ID: Create
      • String ID:
      • API String ID: 2289755597-0
      • Opcode ID: 85f6b61045f55e07aef41927271fcb48c7af6c70d18ca342e9b0ffc039dad880
      • Instruction ID: 75477c130b928ead0b5ccc110edb067b264e866678ddbcecfffb794689108760
      • Opcode Fuzzy Hash: 85f6b61045f55e07aef41927271fcb48c7af6c70d18ca342e9b0ffc039dad880
      • Instruction Fuzzy Hash: C54102B0C00619DADB24DFA9C944B8DBBB6FF44304F6080AAD818AB254DB75694ACF90
      APIs
      • SendMessageW.USER32(?,?,?,?), ref: 054EDF45
      Memory Dump Source
      • Source File: 00000000.00000002.2045327792.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_54e0000_Insanity Loader.jbxd
      Similarity
      • API ID: MessageSend
      • String ID:
      • API String ID: 3850602802-0
      • Opcode ID: 6264f8620970c136f8fd06c4cef55a2c50c784c6da218578c0a77e371ac87521
      • Instruction ID: cc8d3cee7db80886db62a75cf6d145847d6c06d0063793c36de0689a78533be0
      • Opcode Fuzzy Hash: 6264f8620970c136f8fd06c4cef55a2c50c784c6da218578c0a77e371ac87521
      • Instruction Fuzzy Hash: 742139B59042089FCB10DFA9D888BEEBFF8EF49310F14845AE519A7350C774A944CFA5
      APIs
      • CallWindowProcW.USER32(?,?,?,?,?), ref: 053A4521
      Memory Dump Source
      • Source File: 00000000.00000002.2045179714.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_53a0000_Insanity Loader.jbxd
      Similarity
      • API ID: CallProcWindow
      • String ID:
      • API String ID: 2714655100-0
      • Opcode ID: 36be671decd3f816928745b7263c913dd6dc997eece44c5c8eea504493a85813
      • Instruction ID: 885e5ba0222a7add4151b7d53e148f483db7af9359a126812e93cb168e6fff6c
      • Opcode Fuzzy Hash: 36be671decd3f816928745b7263c913dd6dc997eece44c5c8eea504493a85813
      • Instruction Fuzzy Hash: 9A3118B9A002059FDB14CF99C449AAABBF6FF88314F24C459D519AB321D7B4E841CBA0
      APIs
      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0215D8CF
      Memory Dump Source
      • Source File: 00000000.00000002.2040882107.0000000002150000.00000040.00000800.00020000.00000000.sdmp, Offset: 02150000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2150000_Insanity Loader.jbxd
      Similarity
      • API ID: DuplicateHandle
      • String ID:
      • API String ID: 3793708945-0
      • Opcode ID: 1c5e9b22506c62570782a8333583a4e36090e1e6c105bf816679f446114fbf19
      • Instruction ID: d04e43771eb8c97c3a6f300a944a77d804072c86f26135316c86ba4a4a7d46f6
      • Opcode Fuzzy Hash: 1c5e9b22506c62570782a8333583a4e36090e1e6c105bf816679f446114fbf19
      • Instruction Fuzzy Hash: 4F2105B5D00208AFDB10CFAAD584ADEBBF9FB48310F10845AE914A3310D378A944CFA0
      APIs
      • GetClassInfoW.USER32(?,00000000), ref: 054EE9CC
      Memory Dump Source
      • Source File: 00000000.00000002.2045327792.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_54e0000_Insanity Loader.jbxd
      Similarity
      • API ID: ClassInfo
      • String ID:
      • API String ID: 3534257612-0
      • Opcode ID: ee282e3a8ff9038c4618060ea369514efe5ccfb0fda616ce8100f3a654969eb3
      • Instruction ID: 0167dc8fb22c686457d776932904de894f4821bbbd857b3f8b876bb30b1393cc
      • Opcode Fuzzy Hash: ee282e3a8ff9038c4618060ea369514efe5ccfb0fda616ce8100f3a654969eb3
      • Instruction Fuzzy Hash: DF2125B19012098FDB10DF9AC884ADEFBF8FF48210F14846AE959A3350D378A904CB64
      APIs
      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0215D8CF
      Memory Dump Source
      • Source File: 00000000.00000002.2040882107.0000000002150000.00000040.00000800.00020000.00000000.sdmp, Offset: 02150000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2150000_Insanity Loader.jbxd
      Similarity
      • API ID: DuplicateHandle
      • String ID:
      • API String ID: 3793708945-0
      • Opcode ID: 4834353795b23ae79a44dbb07fa53f7135f3f0a994ea26bc1fc4b18796bd02a6
      • Instruction ID: ebf7e7ec04f573057af722f3dca9e839d858626346297fd6714ec538f054afb3
      • Opcode Fuzzy Hash: 4834353795b23ae79a44dbb07fa53f7135f3f0a994ea26bc1fc4b18796bd02a6
      • Instruction Fuzzy Hash: 8221E4B5900208DFDB10DF9AD584ADEBFF9FB48310F14845AE918A3350D378A944CFA0
      APIs
      • GetClassInfoW.USER32(?,00000000), ref: 054EE9CC
      Memory Dump Source
      • Source File: 00000000.00000002.2045327792.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_54e0000_Insanity Loader.jbxd
      Similarity
      • API ID: ClassInfo
      • String ID:
      • API String ID: 3534257612-0
      • Opcode ID: 6986dfdfcaf5771abfc8f4994958f8f21f53bd81fd129c2d4827e03e6335543a
      • Instruction ID: 561ebbf5608dfe22dfca24ba80229c19aad1fceba05fa6ca6aaf28b61edbc9ad
      • Opcode Fuzzy Hash: 6986dfdfcaf5771abfc8f4994958f8f21f53bd81fd129c2d4827e03e6335543a
      • Instruction Fuzzy Hash: EE2115B19017098FDB10DF9AC884ADEFBF8FF48310F14846AE959A3340D378A944CB65
      APIs
      • SetWindowLongW.USER32(?,?,?), ref: 053A2135
      Memory Dump Source
      • Source File: 00000000.00000002.2045179714.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_53a0000_Insanity Loader.jbxd
      Similarity
      • API ID: LongWindow
      • String ID:
      • API String ID: 1378638983-0
      • Opcode ID: 12d80b88882ecbb51a8f66267f0d372775ca31be60c3eb5e54c078bb7490d7b6
      • Instruction ID: 51872b097505715d608e24586375120de26884ffc1b6d5d0c8d0aeaf75ec8b93
      • Opcode Fuzzy Hash: 12d80b88882ecbb51a8f66267f0d372775ca31be60c3eb5e54c078bb7490d7b6
      • Instruction Fuzzy Hash: 7E216ABA800209CFDB10DF99D949BDEBFF4EB48314F14845AE919A7260C379A944CFA1
      APIs
      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0215B639,00000800,00000000,00000000), ref: 0215B84A
      Memory Dump Source
      • Source File: 00000000.00000002.2040882107.0000000002150000.00000040.00000800.00020000.00000000.sdmp, Offset: 02150000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2150000_Insanity Loader.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: 6e2f01a6690d884cdb28ed43a86d868489ef15eb6c127c03734ec51282753d60
      • Instruction ID: 62d94182de837df3954fab45fd8f93fc415756f10a80fe90419f2d38f0ae9ed8
      • Opcode Fuzzy Hash: 6e2f01a6690d884cdb28ed43a86d868489ef15eb6c127c03734ec51282753d60
      • Instruction Fuzzy Hash: 831114B6D04308CFCB10DF9AC544BAEFBF4EB48314F10846AD929A7210C379AA45CFA4
      APIs
      • SetWindowTextW.USER32(?,00000000), ref: 054EB0D2
      Memory Dump Source
      • Source File: 00000000.00000002.2045327792.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_54e0000_Insanity Loader.jbxd
      Similarity
      • API ID: TextWindow
      • String ID:
      • API String ID: 530164218-0
      • Opcode ID: ff20473821ca27cc9cca0b0900291e44e6eba057fb5a9c37aadd6dd31889d1c2
      • Instruction ID: 195b55ed700527e6363ad8256c9d2d443fa0b96440f73c65c453807b4349a442
      • Opcode Fuzzy Hash: ff20473821ca27cc9cca0b0900291e44e6eba057fb5a9c37aadd6dd31889d1c2
      • Instruction Fuzzy Hash: CB1124B68006498BCB14CF9AC544BEEBBF4EB48320F14842AD868A3350D338A549CFA1
      APIs
      • SetWindowTextW.USER32(?,00000000), ref: 054EB0D2
      Memory Dump Source
      • Source File: 00000000.00000002.2045327792.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_54e0000_Insanity Loader.jbxd
      Similarity
      • API ID: TextWindow
      • String ID:
      • API String ID: 530164218-0
      • Opcode ID: 77b4d94f74d774433632444787edb00a7d0305fa5ed2f66fea2d856aa3cf1c7b
      • Instruction ID: afbb93618b900902f0fd1c3db364162840cb87909c2f3d71a2fa5a707d1993ec
      • Opcode Fuzzy Hash: 77b4d94f74d774433632444787edb00a7d0305fa5ed2f66fea2d856aa3cf1c7b
      • Instruction Fuzzy Hash: 5A1114B28002498FDB10DF9AC444BDEFBF5EB48320F10842AD969A3350D378A549CFA1
      APIs
      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0215B639,00000800,00000000,00000000), ref: 0215B84A
      Memory Dump Source
      • Source File: 00000000.00000002.2040882107.0000000002150000.00000040.00000800.00020000.00000000.sdmp, Offset: 02150000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2150000_Insanity Loader.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: a2354d5629c440867198fff554246ef35788f547999af0d31f65d8931ca8a8c1
      • Instruction ID: cb732786f562f8f9fc8dc0482bbe6b15842226be149808888e5a206ee3b0705b
      • Opcode Fuzzy Hash: a2354d5629c440867198fff554246ef35788f547999af0d31f65d8931ca8a8c1
      • Instruction Fuzzy Hash: B711E2B6D00309CFDB10DF9AD544AEEFBF5AB48314F14846AD929B7250C378AA45CFA4
      APIs
      • GetConsoleWindow.KERNELBASE ref: 056B750F
      Memory Dump Source
      • Source File: 00000000.00000002.2045623724.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_56b0000_Insanity Loader.jbxd
      Similarity
      • API ID: ConsoleWindow
      • String ID:
      • API String ID: 2863861424-0
      • Opcode ID: 2cbcd9bd46282917f6d83673f8e8b0289d881404ca052249c02054ea81b9de7b
      • Instruction ID: abf3f41051e4cbc13e3f4675766ef0686fe4adafcc5b827c2961885116325f73
      • Opcode Fuzzy Hash: 2cbcd9bd46282917f6d83673f8e8b0289d881404ca052249c02054ea81b9de7b
      • Instruction Fuzzy Hash: EF1128B19002098BDB20EFAAC8457DFBBF5EB48314F108819D519A7340DB78A545CFA1
      APIs
      • GetModuleHandleW.KERNELBASE(00000000), ref: 0215B5BE
      Memory Dump Source
      • Source File: 00000000.00000002.2040882107.0000000002150000.00000040.00000800.00020000.00000000.sdmp, Offset: 02150000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2150000_Insanity Loader.jbxd
      Similarity
      • API ID: HandleModule
      • String ID:
      • API String ID: 4139908857-0
      • Opcode ID: bf3d03ae86d78c6f7e3e078a69c5178161b706cef1fcadce6661074f478fdc28
      • Instruction ID: df77ea8bb3321812fd347ed8c39380f5ca2660f58ab07f7f367439f5cf8cffd9
      • Opcode Fuzzy Hash: bf3d03ae86d78c6f7e3e078a69c5178161b706cef1fcadce6661074f478fdc28
      • Instruction Fuzzy Hash: 6E110FB5C002498FCB14DF9AC544A9EFBF5EF88314F14845AD928A7210D378A645CFA1
      APIs
      • PostMessageW.USER32(?,00000018,00000001,?), ref: 054EC73D
      Memory Dump Source
      • Source File: 00000000.00000002.2045327792.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_54e0000_Insanity Loader.jbxd
      Similarity
      • API ID: MessagePost
      • String ID:
      • API String ID: 410705778-0
      • Opcode ID: 226fb8e4d2367706f20c1827d6d565e9e7c5684ce0712ac336cb767b1022c8ba
      • Instruction ID: 693eb025a922e3b302ca1b16a3e9a33c4b48405a74699c0782c0324ff647d7d9
      • Opcode Fuzzy Hash: 226fb8e4d2367706f20c1827d6d565e9e7c5684ce0712ac336cb767b1022c8ba
      • Instruction Fuzzy Hash: 2611F5B58002499FCB10DF9AC985BDEBBF8EB48310F10845AD518A3310C379A944CFA5
      APIs
      • PostMessageW.USER32(?,00000018,00000001,?), ref: 054EC73D
      Memory Dump Source
      • Source File: 00000000.00000002.2045327792.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_54e0000_Insanity Loader.jbxd
      Similarity
      • API ID: MessagePost
      • String ID:
      • API String ID: 410705778-0
      • Opcode ID: ff25f99506dfb9e278897e4f34d94aeafad64f6c939e34f26e1a6cd2ee0a6ccf
      • Instruction ID: 03c85172d2475e0b19ed4f1b1b560ebebb8477d6d1a300ef96c4d69ac1069114
      • Opcode Fuzzy Hash: ff25f99506dfb9e278897e4f34d94aeafad64f6c939e34f26e1a6cd2ee0a6ccf
      • Instruction Fuzzy Hash: C21103B5800349DFCB10DF9AC985BEEBBF8EB48310F10845AE918A7310C378A944CFA5
      APIs
      • GetConsoleWindow.KERNELBASE ref: 056B750F
      Memory Dump Source
      • Source File: 00000000.00000002.2045623724.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_56b0000_Insanity Loader.jbxd
      Similarity
      • API ID: ConsoleWindow
      • String ID:
      • API String ID: 2863861424-0
      • Opcode ID: 95bd7528f9896a266364dd5034070d160b6d0968a58b339c7071cc2b1a61e462
      • Instruction ID: 380ab55a98459ffdbe1b371bb73dbaa6c0b858aacfb536fc588db1bc1779f394
      • Opcode Fuzzy Hash: 95bd7528f9896a266364dd5034070d160b6d0968a58b339c7071cc2b1a61e462
      • Instruction Fuzzy Hash: 031106B1D002498FDB20DFAAC5457DEFBF5EF88314F208859C519A7240DB79A944CBA1
      APIs
      • SetWindowLongW.USER32(?,?,?), ref: 053A2135
      Memory Dump Source
      • Source File: 00000000.00000002.2045179714.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_53a0000_Insanity Loader.jbxd
      Similarity
      • API ID: LongWindow
      • String ID:
      • API String ID: 1378638983-0
      • Opcode ID: 47ea167828eff8e24438a685f36176b44bfe5a6272a69912a6d6952fe5f887be
      • Instruction ID: 31a55801e6815a84d5a4f89f0794fc9e43032ec66aba6720d0ce10629c45753f
      • Opcode Fuzzy Hash: 47ea167828eff8e24438a685f36176b44bfe5a6272a69912a6d6952fe5f887be
      • Instruction Fuzzy Hash: 0511D3BA800249CFDB10DF99D585BDEBBF8EB48324F20841AD959B7750C378A944CFA5
      APIs
      • SetWindowLongW.USER32(?,?,?), ref: 053A2135
      APIs
        • Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80
      • SysAllocString.OLEAUT32 ref: 00401898
      APIs
      • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549
      APIs
      • IsDebuggerPresent.KERNEL32 ref: 004136F4
      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
      • UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
      • GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
      • TerminateProcess.KERNEL32(00000000), ref: 00413737
      APIs
      • GetProcessHeap.KERNEL32 ref: 0040ADD0
      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1
      APIs
      • SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID: ExceptionFilterUnhandled
      • String ID:
      • API String ID: 3192549508-0
      • Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
      • Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
      • Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
      • Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
      • Instruction ID: d5e3495c9826dce769b252ea72d1bcaf7b5d46a24141b332915225fd3cdae7ad
      • Opcode Fuzzy Hash: 8976f0a61fc1960936828f21bd26f3318fd330ab7a4f50ce487ee3b945538f04
      • Instruction Fuzzy Hash: 9852A471A047129FC708CF29C99066AB7E1FF88304F044A3EE896E7B81D739E955CB95
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
      • Instruction ID: 17d22deff8d32e931318445bbea846c6b698fa6fcc44f6923348d96d7e24b863
      • Opcode Fuzzy Hash: 20055dc05f39624d89f9d13173d00032c9ddb5f23ed3028259e70998ae7a08b4
      • Instruction Fuzzy Hash: 0A329E70A087029FD318CF29C98472AB7E1BF84304F148A3EE89567781D779E955CBDA
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
      • Instruction ID: cc67e10771130af0a5279b37c8f7fa75a2653c997645fd1ae8a0b8309c7f2627
      • Opcode Fuzzy Hash: 020392db844ceed98276714fd2150c2ad4a639f6bad3fb02a1d0621011a6745a
      • Instruction Fuzzy Hash: 48E1D6306083514FC708CF28C99456ABBE2EFC5304F198A7EE8D68B386D779D94ACB55
      Memory Dump Source
      • Source File: 00000000.00000002.2045179714.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_53a0000_Insanity Loader.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1a18a5b1ac631123f7e758437ad2574adadf8b052acec2a83a98d62f2d1d2fdf
      • Instruction ID: 61dd9c7b669374c8937b9d4657a172c9d7e3773850f0b00c18d7adc08dae0905
      • Opcode Fuzzy Hash: 1a18a5b1ac631123f7e758437ad2574adadf8b052acec2a83a98d62f2d1d2fdf
      • Instruction Fuzzy Hash: 7912A8B0C957458BE718CF25EACC1893BB1FB81318FD08A0AD1615B2E9D7B815EADF44
      Memory Dump Source
      • Source File: 00000000.00000002.2045327792.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_54e0000_Insanity Loader.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 472b1fb93c3875fd49fda3d96c04df39eaff7be53446dae7734972a2ecdc8500
      • Instruction ID: fbf63f8bee19d125a8576145005801956304a63862ac2b009b24597af6165235
      • Opcode Fuzzy Hash: 472b1fb93c3875fd49fda3d96c04df39eaff7be53446dae7734972a2ecdc8500
      • Instruction Fuzzy Hash: DFC15F71E002148FCB25DF69C884BDEBBB2BF89305F14C5AAD459AB255DB30D985CF90
      Memory Dump Source
      • Source File: 00000000.00000002.2040882107.0000000002150000.00000040.00000800.00020000.00000000.sdmp, Offset: 02150000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2150000_Insanity Loader.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 8fb21bc17e6a7deb697416ae79e1f67a3103a2a398d43451d9b0fcd8664e85c4
      • Instruction ID: c3446a78c94386859bf63021e46f9aca7459060e76d9f3ccfe5d84af66de2af0
      • Opcode Fuzzy Hash: 8fb21bc17e6a7deb697416ae79e1f67a3103a2a398d43451d9b0fcd8664e85c4
      • Instruction Fuzzy Hash: 63A19132E50229CFCF09DFB4C98459EB7B2FF85300B1585AAE815AB265DB31E956CF40
      Memory Dump Source
      • Source File: 00000000.00000002.2045179714.00000000053A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053A0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_53a0000_Insanity Loader.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 97e17076a659aa63c886eb6de4e6216d5e65722324cb479ed6df677141513fb6
      • Instruction ID: 2f67933b29bad3da7e457187f1a54517000ae07282ae2535b8cfde9ce68759bd
      • Opcode Fuzzy Hash: 97e17076a659aa63c886eb6de4e6216d5e65722324cb479ed6df677141513fb6
      • Instruction Fuzzy Hash: DBC10CB0C947458BD718CF65EACC1897BB1FF85318F908A0AD1616B2E8DBB414EACF44
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
      • Instruction ID: 74c1b90a01db230de662c72faab58802bb742d928f34651097fec506a9751401
      • Opcode Fuzzy Hash: 519d71d31dfe2b71d65c539f7253ce4d0ce1a0c509a5eaaf561cac07154b4855
      • Instruction Fuzzy Hash: 15717072A9155347E39CCF5CECD17763713DBC5351F49C23ACA025B6EAC938A922C688
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
      • Instruction ID: e93c334361593eb17f37b37ed9e80cdb2c00b1b1e1af3e0e9a736190e966ddef
      • Opcode Fuzzy Hash: 56d4400f77c04dc4446d24fbb084ed78fa0beaad766ef6ff58d44a670f1be69a
      • Instruction Fuzzy Hash: 4A615E3266055747E391DF6DEEC47663762EBC9351F18C630CA008B6A6CB39B92297CC
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
      • Instruction ID: 39afabd8a370e1aacf823bb5b0eb141e0e266d105c364ee31248ba7b153c19f0
      • Opcode Fuzzy Hash: f84f8abda09efbfc4fc50908dec446613bf2f52d635c093d4d9c5e236f650133
      • Instruction Fuzzy Hash: 2851F94400D7E18EC716873A44E0AA7BFD10FAB115F4E9ACDA5E90B2E3C159C288DB77
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
      • Instruction ID: cff114a85fcb8f5deb46d81d22c4208fa3965af46b01a687ebeadebabb5a60ab
      • Opcode Fuzzy Hash: 5804b07f674ae3d268ec1438c7da71b35f3107e62f64f1f633515dfb68ee091a
      • Instruction Fuzzy Hash: 9A31D8302052028BE738CE19C954BEBB3B5AFC0349F44883ED986A73C4DABDD945D795
      Memory Dump Source
      • Source File: 00000000.00000002.2040882107.0000000002150000.00000040.00000800.00020000.00000000.sdmp, Offset: 02150000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2150000_Insanity Loader.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b39c472eca11945ff4c8b5f47d2a9ae46389faa88d0647c7af249e2d18603eb0
      • Instruction ID: 3a15a50bb9e0a8a59e4e5bdfec22f70c3d387030d4a014c8387a04c5e3d7b1bf
      • Opcode Fuzzy Hash: b39c472eca11945ff4c8b5f47d2a9ae46389faa88d0647c7af249e2d18603eb0
      • Instruction Fuzzy Hash: 9231A532696271DEC302AF3088944DB77B0D71E2C4B5648DBDD60CB0AADBB5E00EDB91
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
      • Instruction ID: 40597224e526abc728bb10992f322fa75c91b34d76fbbe6bc80328d1c420bfc2
      • Opcode Fuzzy Hash: 9961543af999a1320c5b9d9b8c59a9b64f893fc8dbb42675723320a25693eab2
      • Instruction Fuzzy Hash: F321923170520247EB68C929C9547ABB3A5ABC0389F48853EC986A73C8DAB9E941D785
      APIs
      • LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
      • GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,021B18D8), ref: 004170C5
      • MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
      • _malloc.LIBCMT ref: 0041718A
      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
      • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
      • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
      • _malloc.LIBCMT ref: 0041724C
      • LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
      • __freea.LIBCMT ref: 004172A4
      • __freea.LIBCMT ref: 004172AD
      • ___ansicp.LIBCMT ref: 004172DE
      • ___convertcp.LIBCMT ref: 00417309
      • LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
      • _malloc.LIBCMT ref: 00417362
      • _memset.LIBCMT ref: 00417384
      • LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
      • ___convertcp.LIBCMT ref: 004173BA
      • __freea.LIBCMT ref: 004173CF
      • LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
      • String ID:
      • API String ID: 3809854901-0
      • Opcode ID: b820e78b463918eed32479816903fc70d8532b7c557c67349a3712e4f0fad1ae
      • Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
      • Opcode Fuzzy Hash: b820e78b463918eed32479816903fc70d8532b7c557c67349a3712e4f0fad1ae
      • Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98
      APIs
      • _malloc.LIBCMT ref: 004057DE
        • Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
        • Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
        • Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4
      • _malloc.LIBCMT ref: 00405842
      • _malloc.LIBCMT ref: 00405906
      • _malloc.LIBCMT ref: 00405930
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID: _malloc$AllocateHeap
      • String ID: 1.2.3
      • API String ID: 680241177-2310465506
      • Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
      • Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
      • Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
      • Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
      • String ID:
      • API String ID: 3886058894-0
      • Opcode ID: c4afc057559a022db8f819d9985b866907c7fad8716f86744927840939a860f5
      • Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
      • Opcode Fuzzy Hash: c4afc057559a022db8f819d9985b866907c7fad8716f86744927840939a860f5
      • Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD
      APIs
      • __lock_file.LIBCMT ref: 0040C6C8
      • __fileno.LIBCMT ref: 0040C6D6
      • __fileno.LIBCMT ref: 0040C6E2
      • __fileno.LIBCMT ref: 0040C6EE
      • __fileno.LIBCMT ref: 0040C6FE
        • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
        • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
      • String ID: 'B
      • API String ID: 2805327698-2787509829
      • Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
      • Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
      • Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
      • Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D
      APIs
      • __getptd.LIBCMT ref: 00414744
        • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
        • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
      • __getptd.LIBCMT ref: 0041475B
      • __amsg_exit.LIBCMT ref: 00414769
      • __lock.LIBCMT ref: 00414779
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID: __amsg_exit__getptd$__getptd_noexit__lock
      • String ID: @.B
      • API String ID: 3521780317-470711618
      • Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
      • Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
      • Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
      • Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D
      APIs
      • __getptd.LIBCMT ref: 00413FD8
        • Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
        • Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745
      • __amsg_exit.LIBCMT ref: 00413FF8
      • __lock.LIBCMT ref: 00414008
      • InterlockedDecrement.KERNEL32(?), ref: 00414025
      • InterlockedIncrement.KERNEL32(021B1670), ref: 00414050
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
      • String ID:
      • API String ID: 4271482742-0
      • Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
      • Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
      • Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
      • Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID: __calloc_crt
      • String ID: P$B$`$B
      • API String ID: 3494438863-235554963
      • Opcode ID: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
      • Instruction ID: 4bdca0f49684ef71ac3198dcc3f656e5d5ce7fed137673697bf40858e87bd1f9
      • Opcode Fuzzy Hash: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
      • Instruction Fuzzy Hash: 6011A3327446115BE7348B1DBD50F662391EB84728BA4423BE619EA7E0E77CD8864A4C
      APIs
      • GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
      • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID: AddressHandleModuleProc
      • String ID: IsProcessorFeaturePresent$KERNEL32
      • API String ID: 1646373207-3105848591
      • Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
      • Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
      • Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
      • Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A
      APIs
      • ___addlocaleref.LIBCMT ref: 0041470C
        • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(00000001), ref: 004145E4
        • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145F1
        • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 004145FE
        • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041460B
        • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414618
        • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414634
        • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 00414644
        • Part of subcall function 004145D2: InterlockedIncrement.KERNEL32(?), ref: 0041465A
      • ___removelocaleref.LIBCMT ref: 00414717
        • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 0041467B
        • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414688
        • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 00414695
        • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146A2
        • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146AF
        • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146CB
        • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(00000000), ref: 004146DB
        • Part of subcall function 00414661: InterlockedDecrement.KERNEL32(?), ref: 004146F1
      • ___freetlocinfo.LIBCMT ref: 0041472B
        • Part of subcall function 00414489: ___free_lconv_mon.LIBCMT ref: 004144CF
        • Part of subcall function 00414489: ___free_lconv_num.LIBCMT ref: 004144F0
        • Part of subcall function 00414489: ___free_lc_time.LIBCMT ref: 00414575
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
      • String ID: @.B
      • API String ID: 467427115-470711618
      • Opcode ID: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
      • Instruction ID: 8e9b8205a585dc9325c25650a27042e0212317e7447dcce9b0fe23aa5a8dd77f
      • Opcode Fuzzy Hash: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
      • Instruction Fuzzy Hash: BDE0863250192255CE35261D76806EF93A98FD3725B3A017FF864AF7D8EB2C4CC0809D
      APIs
      • __fileno.LIBCMT ref: 0040C77C
      • __locking.LIBCMT ref: 0040C791
        • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
        • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID: __decode_pointer__fileno__getptd_noexit__locking
      • String ID:
      • API String ID: 2395185920-0
      • Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
      • Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
      • Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
      • Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID: _fseek_malloc_memset
      • String ID:
      • API String ID: 208892515-0
      • Opcode ID: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
      • Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
      • Opcode Fuzzy Hash: 689e5a2a8d0df6628a55ca55f65915ee6a0b33bdec45a2b9390eeacb6c5b01b1
      • Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89
      APIs
      • __flush.LIBCMT ref: 0040BB6E
      • __fileno.LIBCMT ref: 0040BB8E
      • __locking.LIBCMT ref: 0040BB95
      • __flsbuf.LIBCMT ref: 0040BBC0
        • Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1
        • Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
      • String ID:
      • API String ID: 3240763771-0
      • Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
      • Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
      • Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
      • Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C
      APIs
      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
      • __isleadbyte_l.LIBCMT ref: 00415307
      • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00415338
      • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 004153A6
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
      • String ID:
      • API String ID: 3058430110-0
      • Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
      • Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
      • Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
      • Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2039681329.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.2039659519.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039713106.000000000041B000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039731155.0000000000422000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039751670.0000000000426000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000448000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2039786224.0000000000480000.00000004.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Insanity Loader.jbxd
      Similarity
      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
      • String ID:
      • API String ID: 3016257755-0
      • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
      • Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
      • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
      • Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89