Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
1.exe

Overview

General Information

Sample name:	1.exe
Analysis ID:	1546802
MD5:	d940ad60dee55174455c2a43a8353d2e
SHA1:	7b0832cd378423da73831e6a45144248fe5d17e4
SHA256:	47c1439cbe3d3ea852e7e45c2d201cb83e5949193b07d9f321c41e0343eaa6a8
Tags:	exeReversingLabsuser-NDA0E
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May infect USB drives

PE file contains an invalid checksum

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

×

Process Tree

System is w10x64

1.exe (PID: 7292 cmdline: "C:\Users\user\Desktop\1.exe" MD5: D940AD60DEE55174455C2A43A8353D2E)

conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 1.exe

ReversingLabs: Detection: 36%

Machine Learning detection for sample

Source: 1.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005D3644 CryptHashData,_strnlen,___crtLCMapStringA,_malloc,___crtLCMapStringA,_strcpy_s,__freea,		0_2_005D3644
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005D1906 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptHashData,_memset,CryptHashData,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,__snwprintf_s,#205,		0_2_005D1906

Source: 1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: msinfo32.pdb source: 1.exe
Source:	Binary string: d:\_Bld\10657\7994\Sources\obj\Win32\Release\EvaluationContainer.csproj\Microsoft.Mashup.Container.pdb source: 1.exe
Source:	Binary string: AcroRd32Info.pdb source: 1.exe
Source:	Binary string: AcroRd32Info.pdb7 source: 1.exe
Source:	Binary string: C:\re\jdk7u45\229\build\windows-amd64\tmp\sun\launcher\keytool\obj64\keytool.pdb source: 1.exe
Source:	Binary string: SqlDumper.pdb source: 1.exe
Source:	Binary string: C:\Perforce\FRMain\code\build\win\results\Release\info\arh.pdb source: 1.exe

Source: 1.exe	Binary or memory string: :\autorun.inf
Source: 1.exe	Binary or memory string: [Autorun]

Source: 1.exe	String found in binary or memory: http://crl.geotrust.com/crls/gtglobal.crl04
Source: 1.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 1.exe	String found in binary or memory: http://evcs-aia.ws.symantec.com/evcs.cer0
Source: 1.exe	String found in binary or memory: http://evcs-crl.ws.symantec.com/evcs.crl0
Source: 1.exe	String found in binary or memory: http://evcs-ocsp.ws.symantec.com04
Source: 1.exe	String found in binary or memory: http://ocsp.geotrust.com0K
Source: 1.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: 1.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 1.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 1.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 1.exe	String found in binary or memory: http://www.geotrust.com/resources/cps0(
Source: 1.exe	String found in binary or memory: http://www.symauth.com/cps0(
Source: 1.exe	String found in binary or memory: http://www.symauth.com/cps09
Source: 1.exe	String found in binary or memory: http://www.symauth.com/rpa04

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005D9D7A

Source: C:\Users\user\Desktop\1.exe

Code function: String function: 005D6024 appears 32 times

Source: 1.exe, 00000000.00000000.2030756299.00000000005E5000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamearh.exe8 vs 1.exe
Source: 1.exe	Binary or memory string: OriginalFilenamearh.exe8 vs 1.exe
Source: 1.exe	Binary or memory string: OriginalFilenameSqlDumper.exeJ vs 1.exe
Source: 1.exe	Binary or memory string: OriginalFilenameFirewall.exe vs 1.exe
Source: 1.exe	Binary or memory string: OriginalFilenameAcroRd32Info.exe< vs 1.exe
Source: 1.exe	Binary or memory string: OriginalFilenamekeytool.exeV vs 1.exe
Source: 1.exe	Binary or memory string: OriginalFilenamemsinfo.dllj% vs 1.exe
Source: 1.exe	Binary or memory string: OriginalFilenameMicrosoft.Mashup.Container.exeT vs 1.exe

Source: 1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.exe	Binary or memory string: d:\_Bld\10657\7994\Sources\obj\Win32\Release\EvaluationContainer.csproj\Microsoft.Mashup.Container.pdb
Source: 1.exe	Binary or memory string: @`@*\AC:\Program Files\Microsoft Visual Studio\VB98\pjtbinder.vbp

Source: classification engine

Classification label: mal52.winEXE@2/1@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03

Source: 1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.81%

Source: C:\Users\user\Desktop\1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1.exe

ReversingLabs: Detection: 36%

Source: 1.exe	String found in binary or memory: -installAppSilent
Source: 1.exe	String found in binary or memory: -help
Source: 1.exe	String found in binary or memory: arh -help
Source: 1.exe	String found in binary or memory: arh -installAppSilent { (-location <loc>) -desktopShortcut -programMenu } <file>
Source: 1.exe	String found in binary or memory: arh -help
Source: 1.exe	String found in binary or memory: arh -installAppSilent { (-location <loc>) -desktopShortcut -programMenu } <file>
Source: 1.exe	String found in binary or memory: -help
Source: 1.exe	String found in binary or memory: arh -help
Source: 1.exe	String found in binary or memory: arh -installAppSilent { (-location <loc>) -desktopShortcut -programMenu } <file>
Source: 1.exe	String found in binary or memory: -installAppSilent
Source: 1.exe	String found in binary or memory: -helpusage:
Source: 1.exe	String found in binary or memory: -installAppSilent-locationargument -location already specified

Source: unknown	Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe"
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\1.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: msi.dll			Jump to behavior

Source: 1.exe

Static file information: File size 1212233 > 1048576

Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: msinfo32.pdb source: 1.exe
Source:	Binary string: d:\_Bld\10657\7994\Sources\obj\Win32\Release\EvaluationContainer.csproj\Microsoft.Mashup.Container.pdb source: 1.exe
Source:	Binary string: AcroRd32Info.pdb source: 1.exe
Source:	Binary string: AcroRd32Info.pdb7 source: 1.exe
Source:	Binary string: C:\re\jdk7u45\229\build\windows-amd64\tmp\sun\launcher\keytool\obj64\keytool.pdb source: 1.exe
Source:	Binary string: SqlDumper.pdb source: 1.exe
Source:	Binary string: C:\Perforce\FRMain\code\build\win\results\Release\info\arh.pdb source: 1.exe

Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005D4CEC LoadLibraryW,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

Source: 1.exe

Static PE information: real checksum: 0x2563c should be: 0x133046

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005D6069 push ecx; ret

Source: C:\Users\user\Desktop\1.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Users\user\Desktop\1.exe

API coverage: 9.3 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005D24BC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005D4CEC LoadLibraryW,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005D1C57 WideCharToMultiByte,GetProcessHeap,HeapFree,

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005D24BC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_005D24BC
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005D44B5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_005D44B5
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005D66B0 SetUnhandledExceptionFilter,		0_2_005D66B0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005D49C3 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_005D49C3

Source: C:\Users\user\Desktop\1.exe

Code function: GetLocaleInfoA,

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005D7356 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1.exe	37%	ReversingLabs	Win32.Worm.Generic
1.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://www.symauth.com/cps0(	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.symauth.com/rpa04	1.exe	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	1.exe	false	URL Reputation: safe	unknown
http://www.symauth.com/cps09	1.exe	false		unknown
http://www.symauth.com/cps0(	1.exe	false	URL Reputation: safe	unknown
http://ocsp.thawte.com0	1.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546802
Start date and time:	2024-11-01 15:58:46 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1.exe
Detection:	MAL
Classification:	mal52.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 5 Number of non-executed functions: 19
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 1.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Process:	C:\Users\user\Desktop\1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	501
Entropy (8bit):	4.901853079623814
Encrypted:	false
SSDEEP:	12:IfwB/Mv/ClbUnubUnKYcgrqKjveBKbUnCtbUneoRgOuIBGE:RB/SNBQKj2BhHeMgU7
MD5:	8CBFCEA886415DD17F03BC96DB2E6164
SHA1:	DF43C95DE6B49EC456AE972F5115C94A77620060
SHA-256:	5F6290DDE347E8CC9E3051032BA4E1BB8647529B272BA5E6D9CECD200783BCD6
SHA-512:	3EC810A874B743C864200D86CE9B4DB723E376404E9CD16BB1813CC88407F04F7A07C3A5CAFB83D7B4B724964E7B30EB5EF5D3527D59FC2A5A8D93E9252FD4EA
Malicious:	false
Reputation:	low
Preview:	Adobe (R) AIR (R) Redistribution Helper (ARH)..Version 3.5.0.0..Copyright (c) 2008-2011 Adobe Systems Incorporated. All rights reserved.....usage:.. arh -help.. arh -version.. arh -appLocation <appid> (<pubid>)?.. arh -appVersion <appid> (<pubid>)?.. arh -installAppSilent { (-location <loc>) -desktopShortcut -programMenu } <file>.. arh -uninstallAppSilent <appid> (<pubid>)?.. arh -isAppInstalled <appid> (<pubid>)?.. arh -isRuntimeInstalled.. arh -runtimeVersion.. arh -updateUserState..

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.5312679305983075
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.81% Win32 Executable (generic) a (10002005/4) 49.76% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.41% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	1.exe
File size:	1'212'233 bytes
MD5:	d940ad60dee55174455c2a43a8353d2e
SHA1:	7b0832cd378423da73831e6a45144248fe5d17e4
SHA256:	47c1439cbe3d3ea852e7e45c2d201cb83e5949193b07d9f321c41e0343eaa6a8
SHA512:	67f71849e159598fc3aa358cacfff739ab6aa7f470df00497915cc15237b9f66d0d779b079fde3326b93beeaf1414abf2510233929e38da9b32d4c4253ea7f2d
SSDEEP:	24576:87g8Od5CN7g8O+C7WUtLpwbtLpwEoJdXN0BN2qnw4an:87rO67rO5btL2tLFoJdXN0BMOwLn
TLSH:	4D45AE21BBE84432F4B389318AB5D665EA76B9705B30CACF1284462F1E737D1D931B27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................T................................{......................................Rich............................PE..L..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40333c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5036A813 [Thu Aug 23 22:00:51 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	085b8a5d9e723b8ba9982a936ce1c779

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007F2D948B9B3Ah
jmp 00007F2D948B59CAh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
xor eax, eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
mov edx, dword ptr [ebp+0Ch]
lea ecx, dword ptr [ecx+00h]
mov al, byte ptr [edx]
or al, al
je 00007F2D948B5B2Bh
add edx, 01h
bts dword ptr [esp], eax
jmp 00007F2D948B5B13h
mov esi, dword ptr [ebp+08h]
or ecx, FFFFFFFFh
lea ecx, dword ptr [ecx+00h]
add ecx, 01h
mov al, byte ptr [esi]
or al, al
je 00007F2D948B5B2Bh
add esi, 01h
bt dword ptr [esp], eax
jc 00007F2D948B5B10h
mov eax, ecx
add esp, 20h
pop esi
leave
ret
mov edi, edi
push ebp
mov ebp, esp
push ebx
push esi
mov esi, dword ptr [ebp+08h]
mov eax, dword ptr [esi+0Ch]
mov ecx, eax
and cl, 00000003h
xor ebx, ebx
cmp cl, 00000002h
jne 00007F2D948B5B62h
test eax, 00000108h
je 00007F2D948B5B5Bh
mov eax, dword ptr [esi+08h]
push edi
mov edi, dword ptr [esi]
sub edi, eax
test edi, edi
jle 00007F2D948B5B4Eh
push edi
push eax
push esi
call 00007F2D948B8B0Ch
pop ecx
push eax
call 00007F2D948BA3D7h
add esp, 0Ch
cmp eax, edi
jne 00007F2D948B5B31h
mov eax, dword ptr [esi+0Ch]
test al, al
jns 00007F2D948B5B31h
and eax, FFFFFFFDh
mov dword ptr [esi+0Ch], eax
jmp 00007F2D948B5B29h
or dword ptr [esi+0Ch], 20h
or ebx, FFFFFFFFh
pop edi
mov eax, dword ptr [esi+08h]
and dword ptr [esi+04h], 00000000h
mov dword ptr [esi], eax
pop esi
mov eax, ebx
pop ebx
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10eb4	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x15000	0x4f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x13a00	0x1ed0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16000	0xb54	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xe1e0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x10870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x194	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xce29	0xd000	4daa39d9886367f120ef99196624dd86	False	0.5785381610576923	data	6.512952124582506	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x3776	0x3800	8cf60ffda618ab7b4db1326ad4df73b1	False	0.36195591517857145	data	5.346637406106374	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x12000	0x2d24	0x1000	200276f279210dec423b4d75c4d02560	False	0.228759765625	data	2.385971715246726	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x15000	0x4f0	0x600	c5e2007c37ffa663f97c4f23f337f2bb	False	0.3873697916666667	data	4.504810395738668	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16000	0x1768	0x1800	3f1bf9d9187de4bb4a263b3783acea82	False	0.4075520833333333	data	4.009632852542217	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x150a0	0x2f4	data	English	United States	0.45634920634920634
RT_MANIFEST	0x15394	0x15a	ASCII text, with CRLF line terminators	English	United States	0.5491329479768786

Imports

DLL	Import
KERNEL32.dll	WideCharToMultiByte, CreateFileA, HeapAlloc, GetProcessHeap, HeapFree, CloseHandle, GetExitCodeProcess, WaitForSingleObject, CreateProcessW, LocalFree, MultiByteToWideChar, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, WriteFile, SetFilePointer, WriteConsoleW, GetFileType, GetStdHandle, GetModuleFileNameW, GetLastError, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, SetHandleCount, GetStartupInfoA, Sleep, GetModuleHandleW, GetProcAddress, ExitProcess, LoadLibraryW, RaiseException, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LCMapStringA, LCMapStringW, VirtualAlloc, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, LoadLibraryA, RtlUnwind, WriteConsoleA, GetConsoleOutputCP, SetStdHandle, GetStringTypeA, GetStringTypeW, GetLocaleInfoA
VERSION.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
msi.dll
SHLWAPI.dll	PathAppendW, PathRemoveFileSpecW, StrDupW, StrChrA, PathAppendA
ADVAPI32.dll	CryptAcquireContextW, CryptDestroyHash, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, CryptReleaseContext, CryptCreateHash, CryptHashData, CryptGetHashParam

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: 1.exePID: 7292, Parent PID: 1028

General

Target ID:	0
Start time:	10:59:35
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1.exe"
Imagebase:	0x5d0000
File size:	1'212'233 bytes
MD5 hash:	D940AD60DEE55174455C2A43A8353D2E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7300, Parent PID: 7292

General

Target ID:	1
Start time:	10:59:35
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 1.exePID: 7292, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.5%
Total number of Nodes:	1954
Total number of Limit Nodes:	66

Executed Functions

Function 005D1000 Relevance: 138.7, APIs: 27, Strings: 52, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_printf.LIBCMT ref: 005D1020
_printf.LIBCMT ref: 005D103B
_printf.LIBCMT ref: 005D1031

Part of subcall function 005D2DF0: __stbuf.LIBCMT ref: 005D2E46
Part of subcall function 005D2DF0: __output_l.LIBCMT ref: 005D2E5E
Part of subcall function 005D2DF0: __ftbuf.LIBCMT ref: 005D2E6F

_printf.LIBCMT ref: 005D1048
_printf.LIBCMT ref: 005D1054
_printf.LIBCMT ref: 005D1060
_printf.LIBCMT ref: 005D106C
_printf.LIBCMT ref: 005D1078
_printf.LIBCMT ref: 005D1084
_printf.LIBCMT ref: 005D1090
_printf.LIBCMT ref: 005D109C
_printf.LIBCMT ref: 005D10A8
_printf.LIBCMT ref: 005D10B4
_printf.LIBCMT ref: 005D10C0
_printf.LIBCMT ref: 005D1101
_fprintf.LIBCMT ref: 005D11BE
_fprintf.LIBCMT ref: 005D1220
_fprintf.LIBCMT ref: 005D129E
_fprintf.LIBCMT ref: 005D12CE
_printf.LIBCMT ref: 005D13C0
__wassert.LIBCMT ref: 005D1454
_printf.LIBCMT ref: 005D1480
_memset.LIBCMT ref: 005D150D
_printf.LIBCMT ref: 005D152A
_fprintf.LIBCMT ref: 005D155D
_fprintf.LIBCMT ref: 005D1582
_printf.LIBCMT ref: 005D159F

Strings

arh -updateUserState, xrefs: 005D10B9
arh -installAppSilent { (-location <loc>) -desktopShortcut -programMenu } <file>, xrefs: 005D107D
-location, xrefs: 005D1137
-help, xrefs: 005D10CD
..\..\Deployment\RedistributionHelper\RedistributionHelper.cpp, xrefs: 005D144A
%d.%d.%d.%d, xrefs: 005D13BB
argument -programMenu already specified, xrefs: 005D11DB
Adobe (R) AIR (R) Redistribution Helper (ARH), xrefs: 005D101B
invalid appid, xrefs: 005D12AC, 005D154F
argument -desktopShortcut already specified, xrefs: 005D11D4
arh -isRuntimeInstalled, xrefs: 005D10A1
3.5.0.0, xrefs: 005D1025, 005D10F7
bad parameters, xrefs: 005D1543
arh -runtimeVersion, xrefs: 005D10AD
argument -location already specified, xrefs: 005D11B0
arh -help, xrefs: 005D104D
argument -uninstallAppSilent requires <appid> parameter, xrefs: 005D124A
too many arguments, xrefs: 005D1259
-isAppInstalled, xrefs: 005D12DD
arh -appLocation <appid> (<pubid>)?, xrefs: 005D1065
-installAppSilent, xrefs: 005D1109
-appVersion, xrefs: 005D14BB
-version, xrefs: 005D10E4
unexpected argument %s, xrefs: 005D159A
arh -isAppInstalled <appid> (<pubid>)?, xrefs: 005D1095
argument -appLocation requires <appid> parameter, xrefs: 005D13E9
arh -version, xrefs: 005D1059
%s, xrefs: 005D10FC, 005D147B, 005D1525
application is not installed, xrefs: 005D12C0
AIR is not installed, xrefs: 005D1393
-programMenu, xrefs: 005D117E
-runtimeVersion, xrefs: 005D1368
-updateUserState, xrefs: 005D1493
invalid pubid, xrefs: 005D12B6, 005D156D
application not installed, xrefs: 005D1431
-appLocation, xrefs: 005D13CD
Adobe AIR not installed, xrefs: 005D1212
usage:, xrefs: 005D1043
argument -isAppInstalled requires <appid> parameter, xrefs: 005D12F5
-uninstallAppSilent, xrefs: 005D122E
too many arguments, xrefs: 005D11A9
Copyright (c) 2008-2011 Adobe Systems Incorporated. All rights reserved., xrefs: 005D1036
argument -appVersion requires <appID> parameter, xrefs: 005D14D7
Version %s, xrefs: 005D102C
arh -appVersion <appid> (<pubid>)?, xrefs: 005D1071
-desktopShortcut, xrefs: 005D1160
unknown error, xrefs: 005D120B, 005D1290, 005D1574
result > 0, xrefs: 005D144F
arh -uninstallAppSilent <appid> (<pubid>)?, xrefs: 005D1089
argument -location requires a value, xrefs: 005D11CD
-isRuntimeInstalled, xrefs: 005D1336
missing required argument <file>, xrefs: 005D11E4

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: _printf$_fprintf$__ftbuf__output_l__stbuf__wassert_memset
String ID: arh -appLocation <appid> (<pubid>)?$ arh -appVersion <appid> (<pubid>)?$ arh -help$ arh -installAppSilent { (-location <loc>) -desktopShortcut -programMenu } <file>$ arh -isAppInstalled <appid> (<pubid>)?$ arh -isRuntimeInstalled$ arh -runtimeVersion$ arh -uninstallAppSilent <appid> (<pubid>)?$ arh -updateUserState$ arh -version$%d.%d.%d.%d$%s$-appLocation$-appVersion$-desktopShortcut$-help$-installAppSilent$-isAppInstalled$-isRuntimeInstalled$-location$-programMenu$-runtimeVersion$-uninstallAppSilent$-updateUserState$-version$..\..\Deployment\RedistributionHelper\RedistributionHelper.cpp$3.5.0.0$AIR is not installed$Adobe (R) AIR (R) Redistribution Helper (ARH)$Adobe AIR not installed$Copyright (c) 2008-2011 Adobe Systems Incorporated. All rights reserved.$Version %s$application is not installed$application not installed$argument -appLocation requires <appid> parameter$argument -appVersion requires <appID> parameter$argument -desktopShortcut already specified$argument -isAppInstalled requires <appid> parameter$argument -location already specified$argument -location requires a value$argument -programMenu already specified$argument -uninstallAppSilent requires <appid> parameter$bad parameters$invalid appid$invalid pubid$missing required argument <file>$result > 0$too many arguments$too many arguments$unexpected argument %s$unknown error$usage:
API String ID: 2890418644-195186187
Opcode ID: 9f18d8e17cdd10e617d8669c75b4e41808a93afcca651e8e73948d66a61d2145
Instruction ID: f3aa070131011c6aed7a6dda926e3969a110dd208db187212a6d518d613e52c5
Opcode Fuzzy Hash: 9f18d8e17cdd10e617d8669c75b4e41808a93afcca651e8e73948d66a61d2145
Instruction Fuzzy Hash: 07D14D35548F43BADB3877EE9D4BA3E2ED5BB91720F20091BF581D13C1EAB19880561E

Function 005D15A9 Relevance: 3.1, APIs: 2, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005D315D: _malloc.LIBCMT ref: 005D3177

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 005D15F8

Part of subcall function 005D315D: std::bad_alloc::bad_alloc.LIBCMT ref: 005D319A
Part of subcall function 005D315D: std::bad_exception::bad_exception.LIBCMT ref: 005D31AE

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 005D1618

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: ByteCharMultiWide$_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
String ID:
API String ID: 4062004971-0
Opcode ID: a35d736b4a6e9c08bfb30ee18fe80382a0dddacac685e15531b2fac8e3d32a64
Instruction ID: b90b202f13203e12340b9b218aad9ce0abf26598049e6886177b2bc38f91eafe
Opcode Fuzzy Hash: a35d736b4a6e9c08bfb30ee18fe80382a0dddacac685e15531b2fac8e3d32a64
Instruction Fuzzy Hash: 7B218475A00215BFDB24AFACDC4687EBBADEF84360B20451BF815E7391DA71AD408B54

Function 005D4043 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 005D404B

Part of subcall function 005D4018: GetModuleHandleW.KERNEL32(mscoree.dll,?,005D4050,?,?,005D655A,000000FF,0000001E,?,005D3E52,?,00000001,?,?,005D43FD,00000018), ref: 005D4022
Part of subcall function 005D4018: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005D4032

ExitProcess.KERNEL32 ref: 005D4054

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 90783c5a67da387f44b95becf9d55dfed7018f3986320c96115ccfa6eb29ae2d
Instruction ID: 88873b549842df5f4013c14702175f67f097ea0f655feadb83bb0a36d862984f
Opcode Fuzzy Hash: 90783c5a67da387f44b95becf9d55dfed7018f3986320c96115ccfa6eb29ae2d
Instruction Fuzzy Hash: 79B04C3100110C7B9B212B15DC0E8493F19EA802507514012B508491219B719995A990

Function 005D7326 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 005D733B

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 369af11a9297f7c9c3e2087a11d7cf3da95fc964b4bd5cd9618aaa11f5376ff0
Instruction ID: 9ea3a2e59d18687dde27bd4dd0e84768c3bdc45cbdb360470b08cb40d918ced8
Opcode Fuzzy Hash: 369af11a9297f7c9c3e2087a11d7cf3da95fc964b4bd5cd9618aaa11f5376ff0
Instruction Fuzzy Hash: 48D05E725543485ADB149F75AC0D7663BDC9394795F008437B94DCA190F570C644EA40

Function 005D425F Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_doexit.LIBCMT ref: 005D426B

Part of subcall function 005D4133: __lock.LIBCMT ref: 005D4141
Part of subcall function 005D4133: __decode_pointer.LIBCMT ref: 005D4178
Part of subcall function 005D4133: __decode_pointer.LIBCMT ref: 005D418D
Part of subcall function 005D4133: __decode_pointer.LIBCMT ref: 005D41B7
Part of subcall function 005D4133: __decode_pointer.LIBCMT ref: 005D41CD
Part of subcall function 005D4133: __decode_pointer.LIBCMT ref: 005D41DA
Part of subcall function 005D4133: __initterm.LIBCMT ref: 005D4209
Part of subcall function 005D4133: __initterm.LIBCMT ref: 005D4219

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: 9a01ce31730c96d16642584fe2742a69bc590029bb79107d7ea602d7788550dc
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: AEB0923298020C33DA202586AC0BF063E0997D0B60E240022BA0C192A1A9A2A9A18889

Non-executed Functions

Function 005D1906 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 192
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000040,?,00000000,?), ref: 005D193D
CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,005D2182), ref: 005D195C
CryptHashData.ADVAPI32(?,00000100,00000101,00000000,?,?,?,?,?,?,?,?,?,?,005D2182,?), ref: 005D1987
_memset.LIBCMT ref: 005D19AF
CryptHashData.ADVAPI32(?,005DE408,00000001,00000000), ref: 005D19E5
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 005D1A06
CryptGetHashParam.ADVAPI32(?,00000002,?,00000014,00000000), ref: 005D1A25
CryptDestroyHash.ADVAPI32(?), ref: 005D1A3D
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,?,?,005D2182,?,?,?), ref: 005D1A47
__snwprintf_s.LIBCMT ref: 005D1AAE
#205.MSI(?,00000000,00000000,?), ref: 005D1ABE

Strings

{%0.2hhX%0.2hhX%0.2hhX%0.2hhX-%0.2hhX%0.2hhX-%0.2hhX%0.2hhX-%0.2hhX%0.2hhX-%0.2hhX%0.2hhX%0.2hhX%0.2hhX%0.2hhX%0.2hhX}, xrefs: 005D1AA2

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: Crypt$Hash$Data$Context$#205AcquireCreateDestroyParamRelease__snwprintf_s_memset
String ID: {%0.2hhX%0.2hhX%0.2hhX%0.2hhX-%0.2hhX%0.2hhX-%0.2hhX%0.2hhX-%0.2hhX%0.2hhX-%0.2hhX%0.2hhX%0.2hhX%0.2hhX%0.2hhX%0.2hhX}
API String ID: 2329699298-3412396576
Opcode ID: 3cb019b087ffef87a87a9aea5f65d7cae7d06edd48bbe7fc59e9696a657be79e
Instruction ID: 575dbdcff261d92003d3731d5860fb76ad164ad3eb00fe3a5272821f83b86cf3
Opcode Fuzzy Hash: 3cb019b087ffef87a87a9aea5f65d7cae7d06edd48bbe7fc59e9696a657be79e
Instruction Fuzzy Hash: 7951BFB2901199BEDF31DBE88C95ABEBFBCAB08301F140467F251E6280D6749A459B60

Function 005D24BC Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 005D3BA2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005D3BB7
UnhandledExceptionFilter.KERNEL32(005DE880), ref: 005D3BC2
GetCurrentProcess.KERNEL32(C0000409), ref: 005D3BDE
TerminateProcess.KERNEL32(00000000), ref: 005D3BE5

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 2427f0f1af7208f256661610455dde7635580433a430f068e64d55389913565e
Instruction ID: dff337bad20ce7612d69aa9029b83410331f35f5d3000167eeab6a28aa725279
Opcode Fuzzy Hash: 2427f0f1af7208f256661610455dde7635580433a430f068e64d55389913565e
Instruction Fuzzy Hash: C621C2B4901384DBD718EF19E8CE6547BA4BB38310F40849AE5898F360E7B45B4CEF56

Function 005D1C57 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,005D2114,?), ref: 005D1C89
GetProcessHeap.KERNEL32(00000000,?,?,?,?,005D2114,?), ref: 005D1C95
HeapFree.KERNEL32(00000000,?,?,?,005D2114,?), ref: 005D1C9C

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: Heap$ByteCharFreeMultiProcessWide
String ID:
API String ID: 678249979-0
Opcode ID: 856b4eecdb1ba04e4d26355b4165813f9716a482a92a643cb272c242fde40deb
Instruction ID: 1f4d0dc52a792c143ad999ce8c0c3817c819df3680c86681222a07bca65dfcac
Opcode Fuzzy Hash: 856b4eecdb1ba04e4d26355b4165813f9716a482a92a643cb272c242fde40deb
Instruction Fuzzy Hash: 01F03C31A56524BB8B32DB9ADD0CC9F7F69EE867B07200553F415DA2A0D6708E40E6E4

Function 005D66B0 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000666E), ref: 005D66B5

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cf2dce9d4378da12a1773f42b46e20af3a424bcdf504c401757352cd86a9fdf2
Instruction ID: c4b8e5dd914ca1b6c8d5e9835c2aceb728abbd162a702715dfc38bf2949a5878
Opcode Fuzzy Hash: cf2dce9d4378da12a1773f42b46e20af3a424bcdf504c401757352cd86a9fdf2
Instruction Fuzzy Hash: DC90026065610096872037B56C8E8096EA06A5860274144936001C9194DFA08019E923

Function 005D175E Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 005D223B, 005D2282
DisplayVersion, xrefs: 005D231E, 005D2365

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: _strspn
String ID: DisplayVersion$Software\Microsoft\Windows\CurrentVersion\Uninstall\
API String ID: 3684824311-2009758878
Opcode ID: b212cc914c0722d89e8bde08594786c53b2db52db5a994a57d1ec4809f98c3bc
Instruction ID: 31270ecd3ddfce54b0c3d760bc6892232a5217351085835840139f877be2353d
Opcode Fuzzy Hash: b212cc914c0722d89e8bde08594786c53b2db52db5a994a57d1ec4809f98c3bc
Instruction Fuzzy Hash: 1D817C71802629AADF30AB68CC4DEAE7F78FF54761F100697F51CA6290D6308E84DF64

Function 005D1AED Relevance: 13.6, APIs: 9, Instructions: 97memoryprocesssynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 005D18C8: PathAppendW.SHLWAPI(74C63B59,\Versions\1.0\Adobe AIR Application Installer.exe,00000005,00000000,005D1B05,?,00000000), ref: 005D18FB

_memset.LIBCMT ref: 005D1B37
__wcsdup.LIBCMT ref: 005D1B42
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,000000FF,?,00000005,?,00000000), ref: 005D1B5F

Part of subcall function 005D38C3: __lock.LIBCMT ref: 005D38E1
Part of subcall function 005D38C3: ___sbh_find_block.LIBCMT ref: 005D38EC
Part of subcall function 005D38C3: ___sbh_free_block.LIBCMT ref: 005D38FB
Part of subcall function 005D38C3: HeapFree.KERNEL32(00000000,?,005E0B08,0000000C,005D7041,00000000,?,005D3E52,?,00000001,?,?,005D43FD,00000018,005E0BA8,0000000C), ref: 005D392B
Part of subcall function 005D38C3: GetLastError.KERNEL32(?,005D3E52,?,00000001,?,?,005D43FD,00000018,005E0BA8,0000000C,005D448E,?,00000000,?,005D25F9,?), ref: 005D393C

WaitForSingleObject.KERNEL32(000000FF,000000FF,?,00000005,?,00000000), ref: 005D1B82
GetExitCodeProcess.KERNEL32(000000FF,?), ref: 005D1B9C
CloseHandle.KERNEL32(000000FF,?,00000005,?,00000000), ref: 005D1BB2
CloseHandle.KERNEL32(000000FF,?,00000005,?,00000000), ref: 005D1BB7
GetProcessHeap.KERNEL32(00000000,?,?,00000005,?,00000000), ref: 005D1BBD
HeapFree.KERNEL32(00000000,?,00000005,?,00000000), ref: 005D1BC4

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: HeapProcess$CloseFreeHandle$AppendCodeCreateErrorExitLastObjectPathSingleWait___sbh_find_block___sbh_free_block__lock__wcsdup_memset
String ID:
API String ID: 632834283-0
Opcode ID: a213503b4c99958c3fcd29594af32150c79f94623249fc6f24170cda67de73a1
Instruction ID: ed517d9f92a59e8bc5e90448b591f5f77020a011bd3b3063c335e7e8cc2af3b8
Opcode Fuzzy Hash: a213503b4c99958c3fcd29594af32150c79f94623249fc6f24170cda67de73a1
Instruction Fuzzy Hash: 55317E71901518BADB31ABE8DC49DEFBF78FF85760F200157F210A61A0D6704A81EBA1

Function 005D1712 Relevance: 13.6, APIs: 4, Strings: 5, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00008000,00000002,?,-installAppSilent,?,005D11FD,?,?,?,?), ref: 005D1F7E
HeapAlloc.KERNEL32(00000000,?,-installAppSilent,?,005D11FD,?,?,?,?), ref: 005D1F85
GetProcessHeap.KERNEL32(00000000,00000000,00000000,00004000,"Adobe AIR Application Installer.exe" -silent ,?,?,-installAppSilent,?,005D11FD,?,?,?,?), ref: 005D2022
HeapFree.KERNEL32(00000000,?,?,-installAppSilent,?,005D11FD,?,?,?,?), ref: 005D2029

Strings

-location , xrefs: 005D1FB5
-programMenu , xrefs: 005D1FF5
"Adobe AIR Application Installer.exe" -silent , xrefs: 005D1F96
-installAppSilent, xrefs: 005D1F6C
-desktopShortcut , xrefs: 005D1FE0

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: "Adobe AIR Application Installer.exe" -silent $-desktopShortcut $-installAppSilent$-location $-programMenu
API String ID: 756756679-3611887749
Opcode ID: f54f06da261e3e78e3e9076d580bad3546ba8565dea412b584eac9ff3d4e99c4
Instruction ID: 98f08bf159165f3f2ffa03b83b176f830d2da8ed3efba95bf203a13cce60b306
Opcode Fuzzy Hash: f54f06da261e3e78e3e9076d580bad3546ba8565dea412b584eac9ff3d4e99c4
Instruction Fuzzy Hash: B521A17150660976CF317BA99C8EB6F3F7CFB61750F10842BF9049A300D6709844DAAA

Function 005D1853 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

#90.MSI({DC74C3C6-CAB8-4C49-BE18-5B1DCD0D197E},00000000,00000000,\Versions\1.0\Adobe AIR Application Installer.exe,?,?,005D18ED,005D1B05,\Versions\1.0\Adobe AIR Application Installer.exe,00000005,00000000,005D1B05,?), ref: 005D1868
GetProcessHeap.KERNEL32(00000000,?,005D1B05,{DC74C3C6-CAB8-4C49-BE18-5B1DCD0D197E},00000000,00000000,\Versions\1.0\Adobe AIR Application Installer.exe,?,?,005D18ED,005D1B05,\Versions\1.0\Adobe AIR Application Installer.exe,00000005,00000000,005D1B05,?), ref: 005D1894
HeapAlloc.KERNEL32(00000000,?,005D18ED,005D1B05,\Versions\1.0\Adobe AIR Application Installer.exe,00000005,00000000,005D1B05,?), ref: 005D189B
#90.MSI({DC74C3C6-CAB8-4C49-BE18-5B1DCD0D197E},00000000,00000000,?,005D18ED,005D1B05,\Versions\1.0\Adobe AIR Application Installer.exe,00000005,00000000,005D1B05,?), ref: 005D18B5
PathRemoveFileSpecW.SHLWAPI(?,{DC74C3C6-CAB8-4C49-BE18-5B1DCD0D197E},00000000,00000000,?,005D18ED,005D1B05,\Versions\1.0\Adobe AIR Application Installer.exe,00000005,00000000,005D1B05,?), ref: 005D18BC

Strings

\Versions\1.0\Adobe AIR Application Installer.exe, xrefs: 005D185B
{DC74C3C6-CAB8-4C49-BE18-5B1DCD0D197E}, xrefs: 005D1862, 005D1867, 005D18B4

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: Heap$AllocFilePathProcessRemoveSpec
String ID: \Versions\1.0\Adobe AIR Application Installer.exe${DC74C3C6-CAB8-4C49-BE18-5B1DCD0D197E}
API String ID: 1966661001-493346412
Opcode ID: a9a805044d46cee8165f0d26ba66c412066711a8a10d6406f3b4a4f2e8b08738
Instruction ID: 113148ebc46a7ace4b67c1c5dc09290ceddf0f4fdb66756d1670bb818fa6b92f
Opcode Fuzzy Hash: a9a805044d46cee8165f0d26ba66c412066711a8a10d6406f3b4a4f2e8b08738
Instruction Fuzzy Hash: EB014CB6600109BFDB20EF98DC4ABAE7BB9FB45351F200517F801DA290DA709A44EB64

Function 005D1D25 Relevance: 12.1, APIs: 8, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,?), ref: 005D1D69
GetFileVersionInfoSizeW.VERSION(?,?), ref: 005D1D7F
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?), ref: 005D1D94
HeapAlloc.KERNEL32(00000000,?,?,?), ref: 005D1D97
GetFileVersionInfoW.VERSION(?,00000000,?,00000000,?,?,?), ref: 005D1DAD
VerQueryValueW.VERSION(?,005DE484,?,?,?,00000000,?,00000000,?,?,?), ref: 005D1DC9
GetProcessHeap.KERNEL32(00000000,?,?,00000000,?,00000000,?,?,?), ref: 005D1DF7
HeapFree.KERNEL32(00000000,?,?,?), ref: 005D1DFA

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: Heap$FileInfoProcessVersion$AllocByteCharFreeMultiQuerySizeValueWide
String ID:
API String ID: 3579981898-0
Opcode ID: f6c80f96c42f6d9cd859ab86a89cedc17fc8cc2b4a148005997717ff9494a7c7
Instruction ID: 847d5c8569172c27a4aea4231dd9475291bf95246068edeb985c7191cdfecfef
Opcode Fuzzy Hash: f6c80f96c42f6d9cd859ab86a89cedc17fc8cc2b4a148005997717ff9494a7c7
Instruction Fuzzy Hash: BA3106B1901208AFDB30EFA9DC899EEBBBCFB08310F10452BE955DB291D7749944CB20

Function 005D24D6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 005D24F3
__calloc_crt.LIBCMT ref: 005D250C

Strings

p ^, xrefs: 005D2575
=^, xrefs: 005D2523
Assertion failed: %s, file %s, line %d, xrefs: 005D2538

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: __calloc_crt
String ID: =^$Assertion failed: %s, file %s, line %d$p ^
API String ID: 3494438863-3626934911
Opcode ID: 61c24bda07d06aad646ea601d8800c1ed5e1531d270cdcafe18cc0ef57321998
Instruction ID: 85635eade5b4fb3ba22dfa3b44fe1da0f335bbd74d1c0db0879c077a60f496fd
Opcode Fuzzy Hash: 61c24bda07d06aad646ea601d8800c1ed5e1531d270cdcafe18cc0ef57321998
Instruction Fuzzy Hash: 2611253270425247EB3D8E1DBCA8E622F96FBE8724F24422BEA01CF3D4E630CD415A45

Function 005D315D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 005D3177

Part of subcall function 005D6521: __FF_MSGBANNER.LIBCMT ref: 005D6544
Part of subcall function 005D6521: __NMSG_WRITE.LIBCMT ref: 005D654B
Part of subcall function 005D6521: HeapAlloc.KERNEL32(00000000,?,00000001,00000000,00000000,?,005D3E52,?,00000001,?,?,005D43FD,00000018,005E0BA8,0000000C,005D448E), ref: 005D6598

std::bad_alloc::bad_alloc.LIBCMT ref: 005D319A

Part of subcall function 005D30F3: std::exception::exception.LIBCMT ref: 005D30FF

std::bad_exception::bad_exception.LIBCMT ref: 005D31AE

Strings

/^, xrefs: 005D318A
Pa4, xrefs: 005D31BB

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: AllocHeap_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID: Pa4$/^
API String ID: 3322389099-1429830951
Opcode ID: 5139be16657d4d3221de3946f6112e1e30cfaa9a677fe8b13d6ac33fea03fc57
Instruction ID: 3049fb18765d23afc988caf2d79ed13772ea8e566209369219c6f44d3daaf6aa
Opcode Fuzzy Hash: 5139be16657d4d3221de3946f6112e1e30cfaa9a677fe8b13d6ac33fea03fc57
Instruction Fuzzy Hash: 97F0E23160028762CB38A7ADFC0BD4D3F6CBB80314F04002BF85659399DFA0DB46D282

Function 005D936A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 005D9376

Part of subcall function 005D7050: __getptd_noexit.LIBCMT ref: 005D7053
Part of subcall function 005D7050: __amsg_exit.LIBCMT ref: 005D7060

__getptd.LIBCMT ref: 005D938D
__amsg_exit.LIBCMT ref: 005D939B
__lock.LIBCMT ref: 005D93AB

Strings

8,^, xrefs: 005D93B8

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: 8,^
API String ID: 3521780317-1624996455
Opcode ID: b665d9b72f090ca69c273605b75358fe6d75dead008a547b7e5533cef6fb896e
Instruction ID: 43362b3b3affe13364d15cb2102d6942394537b8da1cf751d6b6f43e09ccd0d5
Opcode Fuzzy Hash: b665d9b72f090ca69c273605b75358fe6d75dead008a547b7e5533cef6fb896e
Instruction Fuzzy Hash: 0BF01D32900706DBD730FBBD880E74D7AA07F84710F51594BA494AB3D1CB759941DB92

Function 005D8BFE Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 005D8C0A

Part of subcall function 005D7050: __getptd_noexit.LIBCMT ref: 005D7053
Part of subcall function 005D7050: __amsg_exit.LIBCMT ref: 005D7060

__amsg_exit.LIBCMT ref: 005D8C2A
__lock.LIBCMT ref: 005D8C3A
InterlockedDecrement.KERNEL32(?), ref: 005D8C57
InterlockedIncrement.KERNEL32(00802CF0), ref: 005D8C82

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 2fe11d2b063bff2c1a535f617a0fc0bb7db621474ddcf688060134f2025c8fc4
Instruction ID: 25f685f23f3fd42f2a0efccd27e1fba031d823de7aaa5ac7d76c2aaba173ccbf
Opcode Fuzzy Hash: 2fe11d2b063bff2c1a535f617a0fc0bb7db621474ddcf688060134f2025c8fc4
Instruction Fuzzy Hash: 4B01CB32912A22DBCB31AB6D880A72D7FA0BF00710F100007E8106F3A0CFB46D46DBE2

Function 005D38C3 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 005D38E1

Part of subcall function 005D4473: __mtinitlocknum.LIBCMT ref: 005D4489
Part of subcall function 005D4473: __amsg_exit.LIBCMT ref: 005D4495
Part of subcall function 005D4473: EnterCriticalSection.KERNEL32(00000000,00000000,?,005D25F9,?,?,005D2E39,00000001,00000000,005E0A10,0000000C,005D104D,usage:), ref: 005D449D

___sbh_find_block.LIBCMT ref: 005D38EC
___sbh_free_block.LIBCMT ref: 005D38FB
HeapFree.KERNEL32(00000000,?,005E0B08,0000000C,005D7041,00000000,?,005D3E52,?,00000001,?,?,005D43FD,00000018,005E0BA8,0000000C), ref: 005D392B
GetLastError.KERNEL32(?,005D3E52,?,00000001,?,?,005D43FD,00000018,005E0BA8,0000000C,005D448E,?,00000000,?,005D25F9,?), ref: 005D393C

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 9740a74a4a88c8a1858aa34794a40f64b5146ba5785d3ef0caaf0086b77253d2
Instruction ID: 2eec9d232938c8ad94b4105f012e912cb75c1bc9cfb2c00938867d4850851325
Opcode Fuzzy Hash: 9740a74a4a88c8a1858aa34794a40f64b5146ba5785d3ef0caaf0086b77253d2
Instruction Fuzzy Hash: 22018471801706AADF307FB9AC1EB4E3F64BF50760F10401BF0806A2D0DBB48A40DA96

Function 005D932C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 005D933E

Part of subcall function 005D9204: InterlockedIncrement.KERNEL32(?), ref: 005D9216
Part of subcall function 005D9204: InterlockedIncrement.KERNEL32(?), ref: 005D9223
Part of subcall function 005D9204: InterlockedIncrement.KERNEL32(?), ref: 005D9230
Part of subcall function 005D9204: InterlockedIncrement.KERNEL32(?), ref: 005D923D
Part of subcall function 005D9204: InterlockedIncrement.KERNEL32(?), ref: 005D924A
Part of subcall function 005D9204: InterlockedIncrement.KERNEL32(?), ref: 005D9266
Part of subcall function 005D9204: InterlockedIncrement.KERNEL32(00000000), ref: 005D9276
Part of subcall function 005D9204: InterlockedIncrement.KERNEL32(?), ref: 005D928C

___removelocaleref.LIBCMT ref: 005D9349

Part of subcall function 005D9293: InterlockedDecrement.KERNEL32(00000000), ref: 005D92AD
Part of subcall function 005D9293: InterlockedDecrement.KERNEL32(?), ref: 005D92BA
Part of subcall function 005D9293: InterlockedDecrement.KERNEL32(?), ref: 005D92C7
Part of subcall function 005D9293: InterlockedDecrement.KERNEL32(?), ref: 005D92D4
Part of subcall function 005D9293: InterlockedDecrement.KERNEL32(?), ref: 005D92E1
Part of subcall function 005D9293: InterlockedDecrement.KERNEL32(?), ref: 005D92FD
Part of subcall function 005D9293: InterlockedDecrement.KERNEL32(?), ref: 005D930D
Part of subcall function 005D9293: InterlockedDecrement.KERNEL32(?), ref: 005D9323

___freetlocinfo.LIBCMT ref: 005D935D

Part of subcall function 005D90BB: ___free_lconv_mon.LIBCMT ref: 005D9101
Part of subcall function 005D90BB: ___free_lconv_num.LIBCMT ref: 005D9122
Part of subcall function 005D90BB: ___free_lc_time.LIBCMT ref: 005D91A7

Strings

8,^, xrefs: 005D9354

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: 8,^
API String ID: 467427115-1624996455
Opcode ID: 18b545b2b6c79256e052da1b7b1b5fba61d8b12abdc9691487f57d513326a94c
Instruction ID: 70da7734da01bdee896ceed475c43f88ca833577091e675dcc3f029bd7fffeb2
Opcode Fuzzy Hash: 18b545b2b6c79256e052da1b7b1b5fba61d8b12abdc9691487f57d513326a94c
Instruction Fuzzy Hash: 0AE08636501DA266CA39251CB4846AEAE9C7FC2711B29095BF8D4A73C4DB288D818191

Function 005DC43C Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 005DC470
__isleadbyte_l.LIBCMT ref: 005DC4A4
MultiByteToWideChar.KERNEL32(00000080,00000009,00000000,?,00000000,00000000,?,?,?,?,00000000,00000000,00000020), ref: 005DC4D5
MultiByteToWideChar.KERNEL32(00000080,00000009,00000000,00000001,00000000,00000000,?,?,?,?,00000000,00000000,00000020), ref: 005DC543

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 36b3ed747f40cbbfe9b0a8900e952fe8cde7657a889baadf45e1d1ef4de3f63c
Instruction ID: 5ba28de54427b09476ac9756f23e1dba63a70f77790d2a0ae23e6a1adc545171
Opcode Fuzzy Hash: 36b3ed747f40cbbfe9b0a8900e952fe8cde7657a889baadf45e1d1ef4de3f63c
Instruction Fuzzy Hash: 46319C31A00257EFDF30DFA8C894ABA7FA5BF01322F1589ABE4618B291D730D940DB51

Function 005D2037 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D1906: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000040,?,00000000,?), ref: 005D193D
Part of subcall function 005D1906: CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,005D2182), ref: 005D195C
Part of subcall function 005D1906: CryptHashData.ADVAPI32(?,00000100,00000101,00000000,?,?,?,?,?,?,?,?,?,?,005D2182,?), ref: 005D1987
Part of subcall function 005D1906: _memset.LIBCMT ref: 005D19AF
Part of subcall function 005D1906: CryptHashData.ADVAPI32(?,005DE408,00000001,00000000), ref: 005D19E5

#173.MSI(?,?,00000000,?), ref: 005D2082
GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,?), ref: 005D209C
HeapAlloc.KERNEL32(00000000), ref: 005D20A3
#173.MSI(?,?,00000000,?), ref: 005D20B8

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: Crypt$Hash$#173DataHeap$AcquireAllocContextCreateProcess_memset
String ID:
API String ID: 3048589869-0
Opcode ID: 2dcc4bd76690f88e972af6007319ee2a341a22209577790816f6f5e796c2cadc
Instruction ID: 08c00e0000e385f0121e996b5b7e3a8fb716139061a6d5d4b544c46f9764e9b8
Opcode Fuzzy Hash: 2dcc4bd76690f88e972af6007319ee2a341a22209577790816f6f5e796c2cadc
Instruction Fuzzy Hash: 6A115EB2910109AFDB24EFA8DD49EFE77F8BB28314F24061BF555D3291EA24D904CB61

Function 005D16B3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

_strspn.LIBCMT ref: 005D16EB

Strings

D], xrefs: 005D1700
0123456789ABCDEFabcdef, xrefs: 005D16E5

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: _strspn
String ID: 0123456789ABCDEFabcdef$D]
API String ID: 3684824311-1356279687
Opcode ID: b8b3366a8f8729dc7d3fa5977d6b1b72b13cca4e1c94eb2b7dda6078d4bff957
Instruction ID: ecfaa4d1059e716f6758af0cab27b3fd0780b4bcc24fa9e5280c43c2c1bb20e8
Opcode Fuzzy Hash: b8b3366a8f8729dc7d3fa5977d6b1b72b13cca4e1c94eb2b7dda6078d4bff957
Instruction Fuzzy Hash: 93F05927214B25378B39097C6C999AA2F9EFA82B1132D8553F844CF314E812D98483CC

Function 005D174F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

StrDupW.SHLWAPI("Adobe AIR Application Installer.exe" -updateUserState,?,?,005D14B4), ref: 005D1C36
LocalFree.KERNEL32(00000000,?,?,005D14B4), ref: 005D1C4C

Strings

"Adobe AIR Application Installer.exe" -updateUserState, xrefs: 005D1C31

Memory Dump Source

Source File: 00000000.00000002.2034017200.00000000005D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005D0000, based on PE: true

Associated: 00000000.00000002.2033993716.00000000005D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034075734.00000000005DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034218544.00000000005E2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2034267706.00000000005E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_1.jbxd

Similarity

API ID: FreeLocal
String ID: "Adobe AIR Application Installer.exe" -updateUserState
API String ID: 2826327444-1294534410
Opcode ID: 3486b60132d4d4c93139d5696c9085705874068b0c0259474921e38c2ed83069
Instruction ID: f4a0d4008b1f330ed3aa91468a6a638eb69f0a482a1e46708e083bae2ad70520
Opcode Fuzzy Hash: 3486b60132d4d4c93139d5696c9085705874068b0c0259474921e38c2ed83069
Instruction Fuzzy Hash: 61D05E36743920739530326D7C0ED4B5F54EBC57217060433F9009A35089608C0684E8