Edit tour

Windows Analysis Report
Loader.exe

Overview

General Information

Sample name:	Loader.exe
Analysis ID:	1561197
MD5:	a19206ac176dd5a0a3a02ff70348c1ab
SHA1:	7c9d46c18de701162bdb962618788a0da0872779
SHA256:	3eafeb6f88583eaff49c7bc7e91ddc1a6b0792451465403b07b67e98b447c242
Tags:	exeuser-aachum
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found potential dummy code loops (likely to delay analysis)

Abnormal high CPU Usage

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Program does not show much activity (idle)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Loader.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: A19206AC176DD5A0A3A02FF70348C1AB)

conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Loader.exe

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Source: Loader.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: Loader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: JeXhPKdKIKb D7rgFPlKCo34I.PDBr source: Loader.exe

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_0113E898 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

0_2_0113E898

Source: C:\Users\user\Desktop\Loader.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_036EFE30 NtAllocateVirtualMemory,	0_2_036EFE30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_036F12B0 NtProtectVirtualMemory,	0_2_036F12B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_036D85F0 NtContinue,	0_2_036D85F0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_036E9C30 NtContinue,RtlAddVectoredExceptionHandler,	0_2_036E9C30

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_0113100E	0_2_0113100E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_011320B0	0_2_011320B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_01131350	0_2_01131350
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_0114C3C0	0_2_0114C3C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_0113322C	0_2_0113322C
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_0113240F	0_2_0113240F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_0113276D	0_2_0113276D
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_0113362F	0_2_0113362F
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_0113B69E	0_2_0113B69E
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_011316A1	0_2_011316A1
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_011319E3	0_2_011319E3
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_0114C810	0_2_0114C810
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_01112B76	0_2_01112B76
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_01132ADA	0_2_01132ADA
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_01131D42	0_2_01131D42
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_01132E38	0_2_01132E38
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_0114BE90	0_2_0114BE90
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_01155EF7	0_2_01155EF7
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_030BD2AB	0_2_030BD2AB
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_030D183B	0_2_030D183B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_030BF8BB	0_2_030BF8BB
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_030CE67B	0_2_030CE67B
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_030D2CBB	0_2_030D2CBB
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_036EFE30	0_2_036EFE30
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_036F12B0	0_2_036F12B0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_036D2740	0_2_036D2740
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_036DC320	0_2_036DC320
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_036DDEB0	0_2_036DDEB0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_036ECC70	0_2_036ECC70
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_036D88E0	0_2_036D88E0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_036DB8A0	0_2_036DB8A0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_036D6CA0	0_2_036D6CA0

Source: C:\Users\user\Desktop\Loader.exe

Code function: String function: 01112720 appears 51 times

Source: Loader.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: Loader.exe

Binary or memory string: Q.slnaqb7Mm09E5x1HrOE

Source: classification engine

Classification label: mal56.evad.winEXE@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_03

Source: Loader.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Loader.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Loader.exe

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\Loader.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Loader.exe	Section loaded: wtsapi32.dll	Jump to behavior

Source: Loader.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Loader.exe

Static file information: File size 6990848 > 1048576

Source: Loader.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x39fe00
Source: Loader.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x19b600

Source: Loader.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: JeXhPKdKIKb D7rgFPlKCo34I.PDBr source: Loader.exe

Source: Loader.exe

Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_011184B7 push edi; ret	0_2_011184C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_01112770 push ecx; ret	0_2_01112783
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_01158FB1 push ecx; ret	0_2_01158FC4

Source: C:\Users\user\Desktop\Loader.exe

API coverage: 5.3 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_0113E898 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

0_2_0113E898

Source: Loader.exe	Binary or memory string: HEfOycLtTmHjqEmUcfzh6M
Source: Loader.exe	Binary or memory string: rxRGjC4C5U2tncdvNASs8tqeMu3

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\Loader.exe

Process Stats: CPU usage > 42% for more than 60s

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_036DF790 LdrLoadDll,RtlCreateUserThread,

0_2_036DF790

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_011124C9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_011124C9

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_02F60470 mov eax, dword ptr fs:[00000030h]		0_2_02F60470
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_036D88E0 mov eax, dword ptr fs:[00000030h]		0_2_036D88E0

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_011110A0 GetProcessHeap,RtlAllocateHeap,

0_2_011110A0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_011124C9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_011124C9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_01112659 SetUnhandledExceptionFilter,	0_2_01112659
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_0113DAD6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0113DAD6
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_01112EF9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_01112EF9
Source: C:\Users\user\Desktop\Loader.exe	Code function: 0_2_036E9C30 NtContinue,RtlAddVectoredExceptionHandler,	0_2_036E9C30

Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_0115111E
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_011511B9
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_01141049
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_011510B5
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_01151244
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_011515C0
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	0_2_01151497
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0115179C
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	0_2_011516C6
Source: C:\Users\user\Desktop\Loader.exe	Code function: GetLocaleInfoW,	0_2_01141990
Source: C:\Users\user\Desktop\Loader.exe	Code function: EnumSystemLocalesW,	0_2_01140EAA

Source: C:\Users\user\Desktop\Loader.exe

Code function: 0_2_01112061 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_01112061

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Loader.exe	16%	ReversingLabs	Win32.Malware.Generic

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561197
Start date and time:	2024-11-22 22:05:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Loader.exe
Detection:	MAL
Classification:	mal56.evad.winEXE@2/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 67% Number of executed functions: 12 Number of non-executed functions: 75
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: Loader.exe

File type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.4454862218308975
TrID:	Win32 Executable (generic) a (10002005/4) 99.24% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% UPX compressed Win32 Executable (30571/9) 0.30% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	Loader.exe
File size:	6'990'848 bytes
MD5:	a19206ac176dd5a0a3a02ff70348c1ab
SHA1:	7c9d46c18de701162bdb962618788a0da0872779
SHA256:	3eafeb6f88583eaff49c7bc7e91ddc1a6b0792451465403b07b67e98b447c242
SHA512:	9a6b3290dd419bfbd98adc80a98b8390330fc7f7d9f23ce791d1669d59a8d2b664472a06981d0f75f6b39d7b9d8ca3343fc975dd2231f8b7dfe9a04a9eb5f4ce
SSDEEP:	49152:hAYPitlDx9EF21D+q5iLYzQFO/qgB5ErS4D7gKORCpdb0OF8rDuuBqbUXwW2WQCu:hAYPitllE+F55EG4D7g
TLSH:	9C66A1891808C4F9DFB6C96502BBBFBF970B4718D8429C89D5F60C8D276721D649F23A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."i?g...............+..9...j...............:...@...........................k.....b.j...@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4013f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x673F6922 [Thu Nov 21 17:08:50 2024 UTC]
TLS Callbacks:	0x401640, 0x401600
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1a54da199406fe111fc3b5a592f08d87

Entrypoint Preview

Instruction
mov dword ptr [00A080A4h], 00000000h
jmp 00007F5C493DC2C6h
nop
jmp 00007F5C493DD728h
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 0082A000h
call dword ptr [00A09894h]
sub esp, 04h
test eax, eax
je 00007F5C493DC5D5h
mov ebx, eax
mov dword ptr [esp], 0082A000h
call dword ptr [00A09924h]
mov edi, dword ptr [00A0989Ch]
sub esp, 04h
mov dword ptr [00A08020h], eax
mov dword ptr [esp+04h], 0082A013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 0082A029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [007A1000h], eax
test esi, esi
je 00007F5C493DC573h
mov dword ptr [esp+04h], 00A08024h
mov dword ptr [esp], 009C6100h
call esi
mov dword ptr [esp], 004014B0h
call 00007F5C493DC4D3h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi
pop edi
pop ebp
ret
lea esi, dword ptr [esi+00000000h]
mov eax, 00000000h
mov esi, 00000000h
jmp 00007F5C493DC522h
lea esi, dword ptr [esi+00h]
push ebp
mov ebp, esp
sub esp, 18h
mov eax, dword ptr [00000000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x609000	0x2a9c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x60e000	0x4e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x60f000	0xa0dd4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5c4e8c	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x609700	0x5c0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x39fd98	0x39fe00	71995eaa46a0ccf8152025a10e955bce	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3a1000	0x88fc4	0x89000	d055db72141b03a56d370c3a1e9e745d	False	0.7117233833257299	data	5.867159709730257	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x42a000	0x19b5c8	0x19b600	0d68079fb3cd8929e23ea74369bbee3e	False	0.7034264851109086	data	5.866995399894163	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x5c6000	0x41ea0	0x42000	1fefbfa747d98b6ccb3a52a7b807da95	False	0.20487097537878787	data	5.015018994399129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x608000	0xf8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x609000	0x2a9c	0x2c00	2d57c5367a5b9dea6c418386d18c5fe4	False	0.36363636363636365	data	5.482724657748589	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x60c000	0x30	0x200	daeb73127b604a5ca13dabf54a40d332	False	0.060546875	data	0.19353182838821048	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x60d000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x60e000	0x4e8	0x600	ba182ec9fefdb5bc45c1fe1006dc97a5	False	0.3346354166666667	data	4.784930512373522	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x60f000	0xa0dd4	0xa0e00	88be94ccaba9fa00b3d399617059ce1b	False	0.19111790986790986	data	6.84099732216444	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x60e058	0x48f	XML 1.0 document, ASCII text			0.40102827763496146

Imports

DLL	Import
ADVAPI32.dll	AdjustTokenPrivileges, AllocateAndInitializeSid, CheckTokenMembership, CreateProcessAsUserW, EqualSid, FreeSid, GetKernelObjectSecurity, LookupAccountNameW, LookupPrivilegeValueW, OpenProcessToken, OpenThreadToken, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyExW, RegEnumKeyW, RegOpenKeyExW, RegOpenKeyW, RegQueryValueExW, RegQueryValueW, RegSetValueExW, SetEntriesInAclW, SetKernelObjectSecurity, SetSecurityDescriptorDacl
COMDLG32.DLL	GetFileTitleW
GDI32.dll	BitBlt, CreateBitmap, CreateCompatibleDC, CreateFontIndirectW, CreatePatternBrush, CreatePen, CreateRectRgnIndirect, DeleteDC, DeleteObject, Ellipse, FillRgn, GetBkColor, GetClipBox, GetDIBColorTable, GetObjectW, GetPixel, GetRgnBox, GetTextColor, GetTextExtentPoint32W, GetViewportExtEx, LPtoDP, LineTo, MoveToEx, OffsetViewportOrgEx, PtVisible, RestoreDC, SaveDC, SelectObject, SetBkColor, SetDIBColorTable, SetMapMode, SetROP2, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, StretchBlt, TextOutW
KERNEL32.dll	CloseHandle, CompareStringW, ConvertDefaultLocale, CreateDirectoryW, CreateEventW, CreateFileA, CreateFileW, CreateMutexW, CreateProcessW, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, EnumResourceLanguagesW, ExitProcess, FileTimeToSystemTime, FindClose, FormatMessageW, FreeEnvironmentStringsW, FreeLibrary, FreeResource, GetCPInfo, GetConsoleCP, GetConsoleMode, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, GetDateFormatA, GetFileAttributesW, GetFileSize, GetFileTime, GetFileType, GetFullPathNameW, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetStartupInfoW, GetStdHandle, GetStringTypeA, GetStringTypeW, GetSystemTimeAsFileTime, GetThreadLocale, GetTimeFormatA, GetTimeZoneInformation, GetVersionExW, GetVolumeInformationW, GlobalAddAtomW, GlobalAlloc, GlobalFlags, GlobalFree, GlobalGetAtomNameW, GlobalHandle, GlobalLock, GlobalUnlock, HeapAlloc, HeapCreate, HeapFree, HeapReAlloc, HeapSetInformation, HeapSize, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, IsDebuggerPresent, IsValidCodePage, K32EnumProcesses, LCMapStringA, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadResource, LocalAlloc, LocalReAlloc, LockFile, LockResource, MultiByteToWideChar, OpenProcess, QueryPerformanceCounter, RaiseException, ReadFile, RtlUnwind, SetEndOfFile, SetEnvironmentVariableA, SetErrorMode, SetEvent, SetFilePointer, SetLastError, SetStdHandle, SetSystemPowerState, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, UnhandledExceptionFilter, UnlockFile, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WideCharToMultiByte, WriteConsoleA, WriteConsoleW, WriteFile, WritePrivateProfileStringW, lstrcmpA, lstrcmpiW, lstrlenA
MSIMG32.DLL	TransparentBlt
msvcrt.dll	__getmainargs, __p___initenv, __p__commode, __p__fmode, __p__iob, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _initterm, abort, atexit, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, strlen, strncmp, vfprintf
ole32.dll	CLSIDFromProgID, CLSIDFromString, CoCreateInstance, CoGetClassObject, CoGetObject, CoInitialize, CoRegisterClassObject, CoRevokeClassObject, CoSetProxyBlanket, CoTaskMemRealloc, CoUninitialize, OleFlushClipboard, OleIsCurrentClipboard, OleUninitialize, StgOpenStorageOnILockBytes, StringFromGUID2
oledlg.dll	OleUIBusyW
SHELL32.dll	DragFinish, DragQueryFileW, SHFileOperationW, SHGetSpecialFolderPathW, SHPathPrepareForWriteW
SHLWAPI.dll	PathFindExtensionW, PathFindFileNameW, PathIsDirectoryEmptyW, PathIsUNCW
USER32.dll	AdjustWindowRectEx, AnimateWindow, BeginDeferWindowPos, BringWindowToTop, BroadcastSystemMessageW, CallNextHookEx, CallWindowProcW, CharNextW, CheckMenuItem, ClientToScreen, CopyAcceleratorTableW, CopyRect, CreateDialogIndirectParamW, CreatePopupMenu, CreateWindowExW, DefWindowProcW, DeleteMenu, DestroyIcon, DestroyMenu, DestroyWindow, DispatchMessageW, DrawFocusRect, DrawIcon, DrawIconEx, DrawMenuBar, DrawTextExW, EnableMenuItem, EnableWindow, EndDeferWindowPos, ExitWindowsEx, FillRect, FindWindowW, GetCapture, GetClassInfoW, GetClassLongW, GetClassNameW, GetClientRect, GetDC, GetDlgCtrlID, GetDlgItem, GetForegroundWindow, GetKeyState, GetMenu, GetMenuCheckMarkDimensions, GetMenuItemCount, GetMenuItemInfoW, GetMessagePos, GetMessageTime, GetMessageW, GetNextDlgTabItem, GetParent, GetPropW, GetScrollPos, GetSubMenu, GetSysColor, GetSysColorBrush, GetSystemMenu, GetTopWindow, GetWindow, GetWindowLongW, GetWindowPlacement, GetWindowRect, GetWindowTextLengthW, GetWindowThreadProcessId, GrayStringW, InflateRect, IntersectRect, InvalidateRgn, IsChild, IsIconic, IsRectEmpty, IsWindow, IsWindowEnabled, IsWindowVisible, LoadBitmapW, LoadCursorW, LoadIconW, LockWindowUpdate, MapDialogRect, MapWindowPoints, MessageBeep, MessageBoxW, ModifyMenuW, OffsetRect, PeekMessageW, PtInRect, RegisterClassW, RegisterWindowMessageW, ReleaseDC, ScrollWindow, SendDlgItemMessageA, SendDlgItemMessageW, SendMessageW, SetActiveWindow, SetCapture, SetFocus, SetForegroundWindow, SetMenu, SetPropW, SetRect, SetRectEmpty, SetScrollPos, SetScrollRange, SetTimer, SetWindowContextHelpId, SetWindowLongW, SetWindowPos, SetWindowRgn, SetWindowsHookExW, ShowScrollBar, ShowWindow, SystemParametersInfoW, TabbedTextOutW, TrackPopupMenu, TranslateMessage, UnpackDDElParam, UnregisterClassW, UpdateWindow, ValidateRect, WinHelpW, wsprintfW
VERSION.dll	GetFileVersionInfoSizeW, VerQueryValueW
WININET.DLL	InternetAttemptConnect
WINSPOOL.DRV	ClosePrinter, OpenPrinterW
WTSAPI32.dll	WTSEnumerateProcessesW, WTSFreeMemory

Target ID:	0
Start time:	16:06:06
Start date:	22/11/2024
Path:	C:\Users\user\Desktop\Loader.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Loader.exe"
Imagebase:	0x3c0000
File size:	6'990'848 bytes
MD5 hash:	A19206AC176DD5A0A3A02FF70348C1AB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	16:06:06
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	26.8%
Total number of Nodes:	127
Total number of Limit Nodes:	14

Executed Functions

Function 036EFE30 Relevance: 18.7, APIs: 1, Strings: 9, Instructions: 1223
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,000127AD,00000000,0000B53F,0000E0E4,0357DAC4), ref: 036F0B1E

Strings

n, xrefs: 036F0319
, xrefs: 036F0558
b, xrefs: 036F07F4
W, xrefs: 036F0CE3
v", xrefs: 036F0D2B
,p, xrefs: 036F0CC1
/D, xrefs: 036F0CDC
M%, xrefs: 036F0671
{l, xrefs: 036EFF73

Memory Dump Source

Source File: 00000000.00000002.4142318815.000000000357E000.00000020.00001000.00020000.00000000.sdmp, Offset: 0357E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_357e000_Loader.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID: $,p$/D$M%$W$n$v"${l$b
API String ID: 2167126740-3272979823
Opcode ID: 0c81f735a92bdb3de164043c43fd5625e400dd0fde548237762064e1721788f3
Instruction ID: 6f1acaaf7978815ec4d976794e37b851bd0259a6bb1f845121a9f8d0c7df4638
Opcode Fuzzy Hash: 0c81f735a92bdb3de164043c43fd5625e400dd0fde548237762064e1721788f3
Instruction Fuzzy Hash: 24D268B0D002199FDB08CFA9D9959EEBBB1FF88304F24816AD519BB344D7386A81CF54

Function 036DF790 Relevance: 17.8, APIs: 2, Strings: 8, Instructions: 263
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,00000000), ref: 036DFA80
RtlCreateUserThread.NTDLL(000000FF,00000000,00000000,00000000,00000000,00000000,Function_0015A760,00000000,?,?), ref: 036DFB33

Strings

write.exe, xrefs: 036DF92B
svchost.exe, xrefs: 036DF919
winhlp32.exe, xrefs: 036DF922
hh.exe, xrefs: 036DF934
cmd.exe, xrefs: 036DF8F5
notepad.exe, xrefs: 036DF8FE
explorer.exe, xrefs: 036DF907
regedit.exe, xrefs: 036DF910

Memory Dump Source

Source File: 00000000.00000002.4142318815.000000000357E000.00000020.00001000.00020000.00000000.sdmp, Offset: 0357E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_357e000_Loader.jbxd

Similarity

API ID: CreateLoadThreadUser
String ID: cmd.exe$explorer.exe$hh.exe$notepad.exe$regedit.exe$svchost.exe$winhlp32.exe$write.exe
API String ID: 3323402184-1645205526
Opcode ID: 23fa01cbad109634c820e7749751651c125e040200654f9697614b444d56e3c4
Instruction ID: 47337b5f185418ff87ca8e498c28007ac1079ef4e5dbf5d2c33657f0bd9f07cb
Opcode Fuzzy Hash: 23fa01cbad109634c820e7749751651c125e040200654f9697614b444d56e3c4
Instruction Fuzzy Hash: 22D13E74D083C8DEEB11CBA8D448BDEBFB26F16308F18419DD4452B386C7BA5659CB62

Function 036F12B0 Relevance: 9.3, APIs: 1, Strings: 4, Instructions: 553
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,0000AEDF,00014F70,000051D4,0000C496), ref: 036F1884

Strings

PN, xrefs: 036F1759
E, xrefs: 036F13D9
C, xrefs: 036F12BD
[v, xrefs: 036F12D2

Memory Dump Source

Source File: 00000000.00000002.4142318815.000000000357E000.00000020.00001000.00020000.00000000.sdmp, Offset: 0357E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_357e000_Loader.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: E$PN$[v$C
API String ID: 2706961497-23083618
Opcode ID: 391a954e3a94ecc0067cbc1cc8c56d96df2eeea5d58033b772a631a3e0309a4a
Instruction ID: 80fa9d93a67f7d23701135eda51093924e66fba8739451c4839c40f709e50af6
Opcode Fuzzy Hash: 391a954e3a94ecc0067cbc1cc8c56d96df2eeea5d58033b772a631a3e0309a4a
Instruction Fuzzy Hash: 7F5266B0D01219DFDB08CFA9D9959EEBBB2BF88304F24816AE515BB344D7346A42CF54

Function 036E9C30 Relevance: 3.0, APIs: 2, Instructions: 44
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtContinue.NTDLL(?,00000000,?,?,036DFA65,0357DADC,Function_0015B650), ref: 036E9C96
RtlAddVectoredExceptionHandler.NTDLL(0357DA54,036ECC20,?,?,036DFA65,0357DADC,Function_0015B650), ref: 036E9CBB

Memory Dump Source

Source File: 00000000.00000002.4142318815.000000000357E000.00000020.00001000.00020000.00000000.sdmp, Offset: 0357E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_357e000_Loader.jbxd

Similarity

API ID: ContinueExceptionHandlerVectored
String ID:
API String ID: 3817380991-0
Opcode ID: 29d9303fdfd8a73ad587d0f5dc668fa702b9be4ff86baa60f6eff077818df072
Instruction ID: 87a3a8afef13c54a429d840a9e9e286efc05bf7c5ce41890399abe2ceba581b4
Opcode Fuzzy Hash: 29d9303fdfd8a73ad587d0f5dc668fa702b9be4ff86baa60f6eff077818df072
Instruction Fuzzy Hash: 0611B778E04208EFDB04EFA8E559DAEB7F4FF48700F108599E809AB354C674AA45DF90

Function 036D85F0 Relevance: 1.5, APIs: 1, Instructions: 44
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtContinue.NTDLL(00000000,00000000), ref: 036D8677

Memory Dump Source

Source File: 00000000.00000002.4142318815.000000000357E000.00000020.00001000.00020000.00000000.sdmp, Offset: 0357E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_357e000_Loader.jbxd

Similarity

API ID: Continue
String ID:
API String ID: 3935651977-0
Opcode ID: 013da05257a3e0bf08c9110b7d8e3217554a3919e953627e79251bdbf3f3b6f6
Instruction ID: cc69288af8df80ed1c369dad5147fab0ca71f10e65b91c09608ffd7900a0c74a
Opcode Fuzzy Hash: 013da05257a3e0bf08c9110b7d8e3217554a3919e953627e79251bdbf3f3b6f6
Instruction Fuzzy Hash: 281195B8A00208EFDB04DF94D598BAEBBB1FF48704F208599D8056B385D775AE45DF80

Function 02F60000 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 208
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 02F6025D
VirtualProtect.KERNELBASE(?,?,00000020,?), ref: 02F602B7
VirtualProtect.KERNELBASE(?,?,00000020,?), ref: 02F602D7

Strings

kernel32.dll, xrefs: 02F601CD, 02F601D0
028entrypoint, xrefs: 02F60114, 02F60117
028shell, xrefs: 02F600A5, 02F600A8
VirtualAlloc, xrefs: 02F601DC, 02F601DF
VirtualProtect, xrefs: 02F601F2, 02F601F5
028text, xrefs: 02F600CF, 02F600D2
028data, xrefs: 02F600FF, 02F60102

Memory Dump Source

Source File: 00000000.00000002.4141926010.0000000002F60000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_Loader.jbxd

Similarity

API ID: Virtual$Protect$Alloc
String ID: 028data$028entrypoint$028shell$028text$VirtualAlloc$VirtualProtect$kernel32.dll
API String ID: 2541858876-2564195007
Opcode ID: 83228f503a9f582f41d62f85800081b66e8d36cd2ae380decd0e5a74b9a06875
Instruction ID: 08b217d23cb8f791651b84aacc5eabc477825b77748b290789172aa844cda15a
Opcode Fuzzy Hash: 83228f503a9f582f41d62f85800081b66e8d36cd2ae380decd0e5a74b9a06875
Instruction Fuzzy Hash: 53B1FB70D082C8DEEF11C7E8C8487DDBFB56F16308F184199D1887B282D7BA5659CB66

Function 036DBF70 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 153
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000008,000139C1), ref: 036DC1A5
RtlAllocateHeap.NTDLL(00000000), ref: 036DC1AC

Strings

hb, xrefs: 036DBFFB
0", xrefs: 036DBFB5

Memory Dump Source

Source File: 00000000.00000002.4142318815.000000000357E000.00000020.00001000.00020000.00000000.sdmp, Offset: 0357E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_357e000_Loader.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: 0"$hb
API String ID: 1357844191-1558456265
Opcode ID: aa2314fe0bf9d1e8d7090be6d2a55398f615b45a2cb0c348496fe3e082edcca9
Instruction ID: 2202a70051b7401bc00d79c0a29d502275af817619a862c59c542a67d1bdceab
Opcode Fuzzy Hash: aa2314fe0bf9d1e8d7090be6d2a55398f615b45a2cb0c348496fe3e082edcca9
Instruction Fuzzy Hash: D2717DB0D0421DDFDB04CFD8D998AAEBBB1BF48308F148269D005BB288D7786A46CF54

Function 01111ECF Relevance: 4.6, APIs: 3, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 01111F0C
dllmain_raw.LIBCMT ref: 01111F6B
dllmain_raw.LIBCMT ref: 01111F91

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: dllmain_raw
String ID:
API String ID: 3813456430-0
Opcode ID: 907db30afe28592688259a98519294382570c6c5db90c5563d5c49043e8066a7
Instruction ID: 61eb581c800fca4761e07184bfd00973cf456be67f2fcaee39f66c3051f0b875
Opcode Fuzzy Hash: 907db30afe28592688259a98519294382570c6c5db90c5563d5c49043e8066a7
Instruction Fuzzy Hash: 1C21E571D0022BBBDF2A9F39CC40EAFFA69EBA0694B014139FA1457218C3318D559BD2

Function 01111D18 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 01111D65

Part of subcall function 011120F9: RtlInitializeSListHead.NTDLL(0116CAE0), ref: 011120FE

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 01111DCF

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 5250a661b322473d5d418f40b048eb3c9bc3dc5805f79f9ae54330ee0ed90fa9
Instruction ID: 465822004732fa2167b312371d4b042d45e20d0845c81dfcc8e89967eecefd1a
Opcode Fuzzy Hash: 5250a661b322473d5d418f40b048eb3c9bc3dc5805f79f9ae54330ee0ed90fa9
Instruction Fuzzy Hash: 86212732684313AADF1DBBF8B405B9CFB619F26229F200439C6A1271C9DB721081C766

Function 036D9940 Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,00000000,00000000,00000000,00000003,00000080,00000000), ref: 036D9973

Memory Dump Source

Source File: 00000000.00000002.4142318815.000000000357E000.00000020.00001000.00020000.00000000.sdmp, Offset: 0357E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_357e000_Loader.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5b2a7a54fa81b511c1f91b3869c231b9318a4e20827afa4fb6f4182aaaf6cfdb
Instruction ID: d10866fb27c05a529e0445b23a35b8de45987466926da725d3c917a8323b5fec
Opcode Fuzzy Hash: 5b2a7a54fa81b511c1f91b3869c231b9318a4e20827afa4fb6f4182aaaf6cfdb
Instruction Fuzzy Hash: 42F01234E50309FBD720DFB49905B6DB7F4AB04710F1446A8E952AF2C0D67166459B84

Function 0111200D Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___security_init_cookie.LIBCMT ref: 01112017

Part of subcall function 011120AE: ___get_entropy.LIBCMT ref: 011120C8

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: ___get_entropy___security_init_cookie
String ID:
API String ID: 864368843-0
Opcode ID: 38a8115a88cc7ea42df35cfebbd135a0407f23b021b086826ff78ae53b35049e
Instruction ID: 612c7138f57c43012483788155172a79635bee9a3cd053ee842d8f9394ac6ed8
Opcode Fuzzy Hash: 38a8115a88cc7ea42df35cfebbd135a0407f23b021b086826ff78ae53b35049e
Instruction Fuzzy Hash: 2CD0CA3280001DFBCF2A6FA0DC0589DBB22AB20224B208238F918180248B328260EF02

Function 0111200E Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___security_init_cookie.LIBCMT ref: 01112017

Part of subcall function 011120AE: ___get_entropy.LIBCMT ref: 011120C8

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: ___get_entropy___security_init_cookie
String ID:
API String ID: 864368843-0
Opcode ID: 8e3dc87434a601cdc3d07f34a8ffaf66e8656ff63a3baeda67220093dea37a90
Instruction ID: bd68112684e2bd8a24c2e9a4a94173b6b2f29a3c9ef0daffdf016b1bdb44dce5
Opcode Fuzzy Hash: 8e3dc87434a601cdc3d07f34a8ffaf66e8656ff63a3baeda67220093dea37a90
Instruction Fuzzy Hash: 76C0123240020DFBCF0A6F90DD009AEBBABAB20224F50C134FA18080249732C670EB92

Non-executed Functions

Function 036D6CA0 Relevance: 12.9, Strings: 9, Instructions: 1673COMMON

Download Yara Rule

Strings

:, xrefs: 036D7B0A
d, xrefs: 036D7D8F
T, xrefs: 036D7C33
:m, xrefs: 036D6D4C, 036D6D55
e|, xrefs: 036D827E
:m, xrefs: 036D7BA0, 036D7A76, 036D7EAD, 036D77D4, 036D7EE6, 036D7753, 036D7AC0, 036D7D6E, 036D7F9E, 036D73DE, 036D7F45, 036D76C0, 036D7DBF, 036D803A, 036D82B0, 036D7710, 036D79AC, 036D7784, 036D7D38, 036D7F7E, 036D7483
O6, xrefs: 036D8437
.v, xrefs: 036D7A2E
m, xrefs: 036D82C7

Memory Dump Source

Source File: 00000000.00000002.4142318815.000000000357E000.00000020.00001000.00020000.00000000.sdmp, Offset: 0357E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_357e000_Loader.jbxd

Similarity

API ID:
String ID: .v$:m$:m$:$O6$d$e|$m$T
API String ID: 0-1297523147
Opcode ID: 7810630a227974c3693c00c5d33abf6db4366635c9c326adacae79a6464061c9
Instruction ID: 226237d1f4bdfd06c38784874801a630a17f90d6afee83f32d9ef48f1fc0d3ba
Opcode Fuzzy Hash: 7810630a227974c3693c00c5d33abf6db4366635c9c326adacae79a6464061c9
Instruction Fuzzy Hash: 831357B0D016199FDB08CFA9D9959EEBBB2FF88304F24816AE415BB344D7386A41CF54

Function 030D183B Relevance: 12.5, Strings: 9, Instructions: 1223COMMON

Download Yara Rule

Strings

,p, xrefs: 030D26CC
, xrefs: 030D1F63
M%, xrefs: 030D207C
v", xrefs: 030D2736
n, xrefs: 030D1D24
W, xrefs: 030D26EE
/D, xrefs: 030D26E7
{l, xrefs: 030D197E
b, xrefs: 030D21FF

Memory Dump Source

Source File: 00000000.00000002.4141926010.0000000002F60000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_Loader.jbxd

Similarity

API ID:
String ID: $,p$/D$M%$W$n$v"${l$b
API String ID: 0-3272979823
Opcode ID: 3e35df64f1dffea0fba1e76d10e467ac626c9e4ec211c680c70c52c00be5c575
Instruction ID: 5a56377d0a92f386c248dc31bf571460bb19dc6a1518f03a4e7bbe4dad429818
Opcode Fuzzy Hash: 3e35df64f1dffea0fba1e76d10e467ac626c9e4ec211c680c70c52c00be5c575
Instruction Fuzzy Hash: E1D249B4D01219DFDB08CFA9D9959EEBBB2FF88304F24816AD419BB244D7346A81CF54

Function 030CE67B Relevance: 10.7, Strings: 8, Instructions: 654COMMON

Download Yara Rule

Strings

_, xrefs: 030CE6A4
[, xrefs: 030CED09
G, xrefs: 030CEA9B
r=, xrefs: 030CE6B2
q, xrefs: 030CE84D
`k, xrefs: 030CE973
&+, xrefs: 030CEDB3
^=, xrefs: 030CE6CE

Memory Dump Source

Source File: 00000000.00000002.4141926010.0000000002F60000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_Loader.jbxd

Similarity

API ID:
String ID: [$&+$G$^=$_$`k$r=$q
API String ID: 0-4071359380
Opcode ID: 2b3b9079b957356a2c337bd71133b8d292d0ab930f8f3571a2f3ce08eb2b3eb3
Instruction ID: b020bf1170e3e5d1d0a7d2107dc8e1fee46988d3f7f1d93a0f4ac5f5de4cea1c
Opcode Fuzzy Hash: 2b3b9079b957356a2c337bd71133b8d292d0ab930f8f3571a2f3ce08eb2b3eb3
Instruction Fuzzy Hash: 157277B0D11619DFDB08CFA8D9959EEBBB2FF88304F24816AE415BB244D7386A41CF54

Function 036ECC70 Relevance: 10.7, Strings: 8, Instructions: 654COMMON

Download Yara Rule

Strings

r=, xrefs: 036ECCA7
_, xrefs: 036ECC99
^=, xrefs: 036ECCC3
q, xrefs: 036ECE42
&+, xrefs: 036ED3A8
[, xrefs: 036ED2FE
`k, xrefs: 036ECF68
G, xrefs: 036ED090

Memory Dump Source

Source File: 00000000.00000002.4142318815.000000000357E000.00000020.00001000.00020000.00000000.sdmp, Offset: 0357E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_357e000_Loader.jbxd

Similarity

API ID:
String ID: [$&+$G$^=$_$`k$r=$q
API String ID: 0-4071359380
Opcode ID: c70f3095cf9cdad89dbaf3359ea3d461cc370fada9a17a392e2b65bf2313c7f1
Instruction ID: 410f3bcbf4a45a7da484c8bdb1d955deab3d28d38cc3dea728fe6e13a6577b06
Opcode Fuzzy Hash: c70f3095cf9cdad89dbaf3359ea3d461cc370fada9a17a392e2b65bf2313c7f1
Instruction Fuzzy Hash: 137269B0D016199FDB08CFA8DA959EEBBB2FF88304F248169E415BB344D7386A45CF54

Function 011515C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 01151659
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 01151682
GetACP.KERNEL32 ref: 01151697

Strings

ACP, xrefs: 011515DE
OCP, xrefs: 01151614

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 942d472357195f40f5c293878e4595bbfb4a65b864300a7f916b7fa389235d12
Instruction ID: e4725d4aa7b20fea202b6f4b67484eb60cf26c22b25a7ac5adf3986d839d3b02
Opcode Fuzzy Hash: 942d472357195f40f5c293878e4595bbfb4a65b864300a7f916b7fa389235d12
Instruction Fuzzy Hash: DD21B666600201FAEB7F8F68C905BE777A7AB40E54B4E8464ED2AD7105F7B2D940C370

Function 0115179C Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 0113D47A: GetLastError.KERNEL32(00000000,?,01142747), ref: 0113D47E
Part of subcall function 0113D47A: SetLastError.KERNEL32(00000000,?,?,00000028,0111F899), ref: 0113D520

GetUserDefaultLCID.KERNEL32 ref: 011518A4
IsValidCodePage.KERNEL32(00000000), ref: 011518E2
IsValidLocale.KERNEL32(?,00000001), ref: 011518F5
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0115193D
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 01151958

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: b288b211acb1c813e2154183cf9b606828e0ac5f17fd96a688bd486b81003422
Instruction ID: 922021551a3aa3c4e8b741c9b8f354681bfe1b557f1c657aaf6b0a3680701b89
Opcode Fuzzy Hash: b288b211acb1c813e2154183cf9b606828e0ac5f17fd96a688bd486b81003422
Instruction Fuzzy Hash: F3518071A00206FBEB6ADFA9DC85BBE77B8BF15700F044569EE21E7150E7709540CB61

Function 036D88E0 Relevance: 7.0, Strings: 5, Instructions: 773COMMON

Download Yara Rule

Strings

*e, xrefs: 036D8E46
px, xrefs: 036D8A2C
w`, xrefs: 036D8C37
e, xrefs: 036D8B00
,, xrefs: 036D92D7

Memory Dump Source

Source File: 00000000.00000002.4142318815.000000000357E000.00000020.00001000.00020000.00000000.sdmp, Offset: 0357E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_357e000_Loader.jbxd

Similarity

API ID:
String ID: ,$*e$e$px$w`
API String ID: 0-3197299803
Opcode ID: 2df168d4d14f58df77b78b96a8ddebc828c98ab4d78808a64b9b552d5ab93529
Instruction ID: 374e44a0033f3e8de9f4fd482a3eb5c37e574d3feecc52bf2656031c2f1cc323
Opcode Fuzzy Hash: 2df168d4d14f58df77b78b96a8ddebc828c98ab4d78808a64b9b552d5ab93529
Instruction Fuzzy Hash: 788268B0D016199FDB08CFA9D9959EEBBB2FF88304F248169E415BB344D7386A41CF58

Function 0114BE90 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a484541b56190ed5c905c45ba7956b897675f31433f8d0abb24f07cc6cfebd
Instruction ID: 2726bac6d50fd78d462d8b77fbeea9b28c3b00303e72f2911556caf541c243e7
Opcode Fuzzy Hash: f6a484541b56190ed5c905c45ba7956b897675f31433f8d0abb24f07cc6cfebd
Instruction Fuzzy Hash: A4023D75E012199BDF18CFA9C890BAEBBB1FF49714F248269D919E7341D731AA01CB90

Function 0113E898 Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 0113E933
FindNextFileW.KERNEL32(00000000,?), ref: 0113E9AE
FindClose.KERNEL32(00000000), ref: 0113E9D0
FindClose.KERNEL32(00000000), ref: 0113E9F3

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: f3a2e4594817f91bf0795632e3c2122b3ea74253f080027ee8552e888097e5b9
Instruction ID: f22ad9e5be3ba770d44467bc037f96b1bb1171a1b1b2f5f6e139f8500c1a4b12
Opcode Fuzzy Hash: f3a2e4594817f91bf0795632e3c2122b3ea74253f080027ee8552e888097e5b9
Instruction Fuzzy Hash: 4641C671D023299EDF39EFA8DC88AAAB779EFC5205F0041D5E405E7189F7309E848B61

Function 011124C9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 011124D5
IsDebuggerPresent.KERNEL32 ref: 011125A1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 011125BA
UnhandledExceptionFilter.KERNEL32(?), ref: 011125C4

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: a90af6685a3742a52529f39c1e2935b772e804f4caca6cf9a6260996f350c257
Instruction ID: 3eba118c0f80686d5f5fca24cd0f2cfa58236484b2a86f48681fd541e2d80ba6
Opcode Fuzzy Hash: a90af6685a3742a52529f39c1e2935b772e804f4caca6cf9a6260996f350c257
Instruction Fuzzy Hash: 06310575D01219DADF24DFA4D9497CDBBB8AF08300F1041AAE80CAB244EB709A85CF44

Function 030D2CBB Relevance: 5.6, Strings: 4, Instructions: 553COMMON

Download Yara Rule

Strings

PN, xrefs: 030D3164
E, xrefs: 030D2DE4
[v, xrefs: 030D2CDD
C, xrefs: 030D2CC8

Memory Dump Source

Source File: 00000000.00000002.4141926010.0000000002F60000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_Loader.jbxd

Similarity

API ID:
String ID: E$PN$[v$C
API String ID: 0-23083618
Opcode ID: b846a00175a895f70f09af5a958be3e956c0569e0aef1e3c2bbc89ce06a238e5
Instruction ID: 27157c80cf022e972dda626b55a100f8191b52c4dca5d71170ade02c0de6955a
Opcode Fuzzy Hash: b846a00175a895f70f09af5a958be3e956c0569e0aef1e3c2bbc89ce06a238e5
Instruction Fuzzy Hash: 6C5266B4D012199FDB08CFA9D9959EEBBF2FF88304F24816AE415BB244D7386A41CF54

Function 036DC320 Relevance: 5.5, Strings: 4, Instructions: 531COMMON

Download Yara Rule

Strings

M., xrefs: 036DC638
Y%, xrefs: 036DC345
@u, xrefs: 036DC360
aK, xrefs: 036DCAE5

Memory Dump Source

Source File: 00000000.00000002.4142318815.000000000357E000.00000020.00001000.00020000.00000000.sdmp, Offset: 0357E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_357e000_Loader.jbxd

Similarity

API ID:
String ID: @u$M.$Y%$aK
API String ID: 0-3285596633
Opcode ID: a625395b8a7b85c1e55c8fee7644929e870bc2fd41024a9167482793f2fc6054
Instruction ID: b341d2dc1a1da9043929474de3403499c9031523e97ed355d7fa032d61bea82b
Opcode Fuzzy Hash: a625395b8a7b85c1e55c8fee7644929e870bc2fd41024a9167482793f2fc6054
Instruction Fuzzy Hash: D65279B0D00618DFDB18CFA9D995AEDBBB1FF88304F248169D019AB345D7386A86CF54

Function 01151244 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0113D47A: GetLastError.KERNEL32(00000000,?,01142747), ref: 0113D47E
Part of subcall function 0113D47A: SetLastError.KERNEL32(00000000,?,?,00000028,0111F899), ref: 0113D520

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 01151298
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 011512E2
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 011513A8

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: e86c371b7a1bf581cce8ae3778e8a5329d6a358e6b82b644be76a51e2fc29e85
Instruction ID: d86e0b5503c59453b346e80a7db64045b9c7be5bebde5ecac0ebd31ddb9c5898
Opcode Fuzzy Hash: e86c371b7a1bf581cce8ae3778e8a5329d6a358e6b82b644be76a51e2fc29e85
Instruction Fuzzy Hash: BC619F71904207EFEBAE9F28CC91BAA7BB8EF04314F144179ED25CA586E774D981CB50

Function 0113DAD6 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0113DBCE
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0113DBD8
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0113DBE5

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6c80d12a28fd62bd1163b15ec545e7d926ed433aa71a56b5b3fe01e60a38405f
Instruction ID: 7f96fe135f3d41391e32bd66da9608a75539e800ad57983e3c5ea6f316bfbe86
Opcode Fuzzy Hash: 6c80d12a28fd62bd1163b15ec545e7d926ed433aa71a56b5b3fe01e60a38405f
Instruction Fuzzy Hash: 4731C57491122D9BCF25DF68D98878DBBB8BF48310F5041EAE81CA7294EB709B858F44

Function 030BD2AB Relevance: 4.2, Strings: 3, Instructions: 470COMMON

Download Yara Rule

Strings

D+, xrefs: 030BD2E9
uu, xrefs: 030BD6BD
b}, xrefs: 030BD44B

Memory Dump Source

Source File: 00000000.00000002.4141926010.0000000002F60000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_Loader.jbxd

Similarity

API ID:
String ID: D+$b}$uu
API String ID: 0-2931196776
Opcode ID: e71fa48afa4b9799a567f57c11f943e2c386d3f7de76671fb664c98cb8ffa6fe
Instruction ID: 005c25bb51e334d43d9178ed9f0214de917b7476640f8f651a773c8235ed179a
Opcode Fuzzy Hash: e71fa48afa4b9799a567f57c11f943e2c386d3f7de76671fb664c98cb8ffa6fe
Instruction Fuzzy Hash: 293266B4D012199FDB08CFA9D9959EEFBB1FF88304F24816AE415BB244D7386A42CF54

Function 036DB8A0 Relevance: 4.2, Strings: 3, Instructions: 470COMMON

Download Yara Rule

Strings

uu, xrefs: 036DBCB2
D+, xrefs: 036DB8DE
b}, xrefs: 036DBA40

Memory Dump Source

Source File: 00000000.00000002.4142318815.000000000357E000.00000020.00001000.00020000.00000000.sdmp, Offset: 0357E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_357e000_Loader.jbxd

Similarity

API ID:
String ID: D+$b}$uu
API String ID: 0-2931196776
Opcode ID: e71fa48afa4b9799a567f57c11f943e2c386d3f7de76671fb664c98cb8ffa6fe
Instruction ID: e545ed898a77d93d49cee4cce7b0dbfb6ea203a358af547d27ffa25b07805ab1
Opcode Fuzzy Hash: e71fa48afa4b9799a567f57c11f943e2c386d3f7de76671fb664c98cb8ffa6fe
Instruction Fuzzy Hash: 5D3256B4D012199FDB08CF99D9959EEBBB1FF88304F24816AD415BB348D7386A42CF94

Function 030BF8BB Relevance: 3.4, Strings: 2, Instructions: 899COMMON

Download Yara Rule

Strings

%L, xrefs: 030BF8F2
-, xrefs: 030BF946

Memory Dump Source

Source File: 00000000.00000002.4141926010.0000000002F60000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_Loader.jbxd

Similarity

API ID:
String ID: %L$-
API String ID: 0-412675669
Opcode ID: e04c98860c95100e425c153fe435bde9fb3e53c313b9709fd8aac779154b8373
Instruction ID: 9c2e04b6b569c023cf3e38b1be40919b6f0479478bb783ac46d391fbc58a654b
Opcode Fuzzy Hash: e04c98860c95100e425c153fe435bde9fb3e53c313b9709fd8aac779154b8373
Instruction Fuzzy Hash: 85A27BB0D11609DFDB08CF99D995AEEBBB1FF88304F24816AE415BB244D738AA41CF54

Function 036DDEB0 Relevance: 3.4, Strings: 2, Instructions: 899COMMON

Download Yara Rule

Strings

%L, xrefs: 036DDEE7
-, xrefs: 036DDF3B

Memory Dump Source

Source File: 00000000.00000002.4142318815.000000000357E000.00000020.00001000.00020000.00000000.sdmp, Offset: 0357E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_357e000_Loader.jbxd

Similarity

API ID:
String ID: %L$-
API String ID: 0-412675669
Opcode ID: e04c98860c95100e425c153fe435bde9fb3e53c313b9709fd8aac779154b8373
Instruction ID: 39660e49bd402ea66493a143024f507268e11c216356d2a585223381c0c9614c
Opcode Fuzzy Hash: e04c98860c95100e425c153fe435bde9fb3e53c313b9709fd8aac779154b8373
Instruction Fuzzy Hash: 7BA27AB0D016099FDB08CF99D9959EEBBB2FF88304F24816AE415BB348D7386A51CF54

Function 011110A0 Relevance: 3.0, APIs: 2, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 011110AC
RtlAllocateHeap.NTDLL(0116CAC8,?,?), ref: 011110C6

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 3728c49f917234a8095207467f1e89422636e5c5e1279602d0de7a782e1823c3
Instruction ID: 32aac7c6c9df4d3c96d99cfa9ae52e8126d2e7d13874db41d9983ad53a3e8be4
Opcode Fuzzy Hash: 3728c49f917234a8095207467f1e89422636e5c5e1279602d0de7a782e1823c3
Instruction Fuzzy Hash: 15D05E7A100208EFCB68DF98F484B5937A8B748310F444035F66CC2618D73194C0CB95

Function 01155EF7 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,01155EF2,?,?,00000008,?,?,01151A6C,00000000), ref: 01156124

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 0d6a22b742089d726fba0915dcf2e7ea5765a56f36f0a22e238abed640adeabf
Instruction ID: 4ef014ee72e9123998269c0d959e8305ea9e15f9d1b5e23493516fb9c2be700d
Opcode Fuzzy Hash: 0d6a22b742089d726fba0915dcf2e7ea5765a56f36f0a22e238abed640adeabf
Instruction Fuzzy Hash: FFB13931210608DFE759CF2CC48AB657FA1FF45364F658658E9A9CF2A2C335E981CB80

Function 01112B76 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 01112B8C

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 144be54985dd128685ac9e101085657811f5dbde6d9b73ea9441401fe3903f00
Instruction ID: 08af1ef24ad9e1db7d56f7064c36d3f2185a841cd52d072a99709bacdecf6ee9
Opcode Fuzzy Hash: 144be54985dd128685ac9e101085657811f5dbde6d9b73ea9441401fe3903f00
Instruction Fuzzy Hash: 55A16AB6A013158FDB2CCF58D8817ADBBB1FB49324F24813AD565E72A8D3359980CF94

Function 0113322C Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

0, xrefs: 011333CC

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0e30283854f4742f1e045181577e8ff2942cd622fa071a2efc0c219a83654ff5
Instruction ID: 7cb549e1ba209fe590628cbed27475986261ab33a35d3a30038e0f3dc3f5e370
Opcode Fuzzy Hash: 0e30283854f4742f1e045181577e8ff2942cd622fa071a2efc0c219a83654ff5
Instruction Fuzzy Hash: 35D1DD74A246068FDB2DCF6CC484A7EBBB0FF84314B14861DD566DB399CB30A942CB59

Function 0113362F Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

0, xrefs: 011337C0

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: c3119f712276389607c6a09dd338044141ccd34ebfe6ac42ad7ca3ae200bf80d
Instruction ID: 40f0f4cd9f55298ce0c7a3ed9b38e6e6e7fe1d76b3bbe03e71ca42e9a7e000de
Opcode Fuzzy Hash: c3119f712276389607c6a09dd338044141ccd34ebfe6ac42ad7ca3ae200bf80d
Instruction Fuzzy Hash: B2D1E0B0A206068FDB2DCF6CC58067ABBB1FF88314B14465DD5669B398D331E942CB59

Function 01132E38 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

0, xrefs: 01132FC9

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 24593f6789661f2d797a05af9de06d0f24605786899f108e029b63ab7cc7f401
Instruction ID: f247fddb88fd95661ced18f98cf6e6a94dd11b7f5f442d391a0efa59add76e5e
Opcode Fuzzy Hash: 24593f6789661f2d797a05af9de06d0f24605786899f108e029b63ab7cc7f401
Instruction Fuzzy Hash: B8D10E34A106068FDB2DEF6CC580A7AFBB1FFC9314F14461DD6669B698C330A942CB56

Function 01131D42 Relevance: 1.6, Strings: 1, Instructions: 337COMMON

Download Yara Rule

Strings

0, xrefs: 01131EC1

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: a5b48075ceea4356827be6f30c9e30580564d9514a5193f6887aa2abef8bde51
Instruction ID: 01db65feb8b866c9fdcb79d11473734d51c748bd4456fd5386413820eb3dc21c
Opcode Fuzzy Hash: a5b48075ceea4356827be6f30c9e30580564d9514a5193f6887aa2abef8bde51
Instruction Fuzzy Hash: 4BC12630900606AFDB2EDF6CC4986BABBB6FFD5304F044628D55297699C331E949CB62

Function 011320B0 Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

0, xrefs: 01132220

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 47a401445dda7cceb1a93e137e8c3b06ef317ab6b19a4df1ee1e286dacac28dd
Instruction ID: 7fa1f9be8da49e3966d578d1392081f73ea0acf87ac7161bbc52c35418384a2f
Opcode Fuzzy Hash: 47a401445dda7cceb1a93e137e8c3b06ef317ab6b19a4df1ee1e286dacac28dd
Instruction Fuzzy Hash: 41C12238A047069FDB2DEF6CCA84A7EBBB1FF89304F144618CA5297299C331E945CB51

Function 01151497 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0113D47A: GetLastError.KERNEL32(00000000,?,01142747), ref: 0113D47E
Part of subcall function 0113D47A: SetLastError.KERNEL32(00000000,?,?,00000028,0111F899), ref: 0113D520

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 011514EB

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: c1019d51be8a40ba15fe0256142c3bc1442d1319d0f2cb56541ae6a1a6b8b718
Instruction ID: 08bb167d1483128b41d774080fb2edafc09d90c558f69ea20cdd3c88d27e3766
Opcode Fuzzy Hash: c1019d51be8a40ba15fe0256142c3bc1442d1319d0f2cb56541ae6a1a6b8b718
Instruction Fuzzy Hash: 5821D472621206FBDF6E9A69DC81BBA77ACEF45318F15007AED22C7140EB34E940CB50

Function 011319E3 Relevance: 1.6, Strings: 1, Instructions: 333COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 01131B53

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: a15366f969398463b0eebbd2ff31f78554085fed59f74bde083a1eb48b51aaa1
Instruction ID: e6b15b3503ca4c936b736f2bd750266ed3a10be5272c81d861d820f5b084aa35
Opcode Fuzzy Hash: a15366f969398463b0eebbd2ff31f78554085fed59f74bde083a1eb48b51aaa1
Instruction Fuzzy Hash: 02C1117090064AAFDB2DCF6CC5846BABBF1EF86315F084A19C59297299D331E946CB11

Function 0113276D Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

0, xrefs: 01132910

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: bff85b3fac3dc40ffab68dc06fd6b6208dc44d9014c3af603bc7c249b2f5261d
Instruction ID: 44c7f0b21bde35a29d4a5e7605dd14504fb4c36c39b62a3301402f584175646b
Opcode Fuzzy Hash: bff85b3fac3dc40ffab68dc06fd6b6208dc44d9014c3af603bc7c249b2f5261d
Instruction Fuzzy Hash: C2B1F130A0061A9BDF3DEFACC544ABEBBF1BFC4614F04451DE642A7698D730A946CB51

Function 0113240F Relevance: 1.6, Strings: 1, Instructions: 328COMMON

Download Yara Rule

Strings

0, xrefs: 011325A3

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 8867e969ef836f5487f8d6ff8a44d4ff15b17ecd84d93723b0abe8a0330b1fce
Instruction ID: 4b7388a313829ff40c8f3af7fff590c0e2b65781b4f04aede4f74cf61f93ed92
Opcode Fuzzy Hash: 8867e969ef836f5487f8d6ff8a44d4ff15b17ecd84d93723b0abe8a0330b1fce
Instruction Fuzzy Hash: 33B1F170A0070A8BDB2DEF6CC994ABEBBF1BFD8214F00461DD546A7698D730EA45CB51

Function 01132ADA Relevance: 1.6, Strings: 1, Instructions: 328COMMON

Download Yara Rule

Strings

0, xrefs: 01132C6E

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f318f7a0ea5154224fd230120779b828aea0bada24fd5b294b4694f73d0bc6d7
Instruction ID: 1b82bfc5a64512b3a7f4cae4f79f9e46638292ccca7893e29ba9bdd12c2b6b82
Opcode Fuzzy Hash: f318f7a0ea5154224fd230120779b828aea0bada24fd5b294b4694f73d0bc6d7
Instruction Fuzzy Hash: 26B1E030A0070ACBDB2DEFACC594ABEBBB1EFC4214F04451DD556A769CD730A942CB52

Function 01131350 Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

0, xrefs: 011314E3

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1b7eb949c810ecf483787684acde7091239cda256cb9f79407875a6e5216f548
Instruction ID: d37e8a00d94c6b045272c1d63cd62172c156b771e09dcd99d179ce4230881f91
Opcode Fuzzy Hash: 1b7eb949c810ecf483787684acde7091239cda256cb9f79407875a6e5216f548
Instruction Fuzzy Hash: 4EB1F070A0460BABDF2CCF6CC5946BEBBB5AFC1314F084619D952E7699CB70D602CB52

Function 0113100E Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 01131192

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 7ce20850da29ae6e7e84ce7add72343d53709ed4f9ea8d875410c6ec97b2c4ba
Instruction ID: 7f642f0f3da08945fbb44367da8e0686e451525199344464fe32bed13d1648c1
Opcode Fuzzy Hash: 7ce20850da29ae6e7e84ce7add72343d53709ed4f9ea8d875410c6ec97b2c4ba
Instruction Fuzzy Hash: 91B1E370A0464BABDB2CCE7CC8546FEBFB1AFC4314F140619DA92E7698C731A501CB55

Function 011316A1 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 01131825

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: fbf78d7c2c622c1a7272ceb44cdc16bcdf83d46cd9557f4cf468d0a56f71e71e
Instruction ID: d2f970f9492d9aac3b2573c5d20e9d9b98dd56f0ac56cf4faafa06eefbc7e575
Opcode Fuzzy Hash: fbf78d7c2c622c1a7272ceb44cdc16bcdf83d46cd9557f4cf468d0a56f71e71e
Instruction Fuzzy Hash: 0FB11370900A0BABDB3DCF6CC9546BEBBB1AFC5314F08061ED592A7698D730E606CB51

Function 0115111E Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0113D47A: GetLastError.KERNEL32(00000000,?,01142747), ref: 0113D47E
Part of subcall function 0113D47A: SetLastError.KERNEL32(00000000,?,?,00000028,0111F899), ref: 0113D520

EnumSystemLocalesW.KERNEL32(01151244,00000001), ref: 01151190

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: fdadc21d54501a3c3c16f97a9e05572de1ef69a2722654f5d35e2790c48c3853
Instruction ID: c7a9e38b30a42595591bc047386b780a1746daada95a7aba3fecc26ccd7bd26d
Opcode Fuzzy Hash: fdadc21d54501a3c3c16f97a9e05572de1ef69a2722654f5d35e2790c48c3853
Instruction Fuzzy Hash: 9E11027A200305AFDB1D9F3988D16BABBA1FB80358B19852CE99687A00D371A842CB40

Function 011516C6 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0113D47A: GetLastError.KERNEL32(00000000,?,01142747), ref: 0113D47E
Part of subcall function 0113D47A: SetLastError.KERNEL32(00000000,?,?,00000028,0111F899), ref: 0113D520

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,01151460,00000000,00000000,?), ref: 011516F2

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 08e934b7401526fa592a0530499d511d6e513bee78440b7de478f1334d099812
Instruction ID: 2954b29f41b00abd5e6d2f452e24027b1a5b0094da6a06c214b68c3b632f519a
Opcode Fuzzy Hash: 08e934b7401526fa592a0530499d511d6e513bee78440b7de478f1334d099812
Instruction Fuzzy Hash: 1701D636610612FBDF2D9A688C46BBA3B68EB40654F054438ED66A3180EB30FD41C690

Function 011511B9 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 0113D47A: GetLastError.KERNEL32(00000000,?,01142747), ref: 0113D47E
Part of subcall function 0113D47A: SetLastError.KERNEL32(00000000,?,?,00000028,0111F899), ref: 0113D520

EnumSystemLocalesW.KERNEL32(01151497,00000001), ref: 01151203

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 31005bdc3cd2425f7174ad4130f54ce4ddb21c4e2a481b26188514bc19355f7b
Instruction ID: fb65dbe5720aeaddadd72d0aaaf7e2f167998ef956766034ebd90b07c1e39636
Opcode Fuzzy Hash: 31005bdc3cd2425f7174ad4130f54ce4ddb21c4e2a481b26188514bc19355f7b
Instruction Fuzzy Hash: 7FF04C76200308AFDB296F7998C0B767F95FF80368B15442CFD5587540C7716841CB50

Function 01140EAA Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0113CBD2: RtlEnterCriticalSection.NTDLL(-0001B7A7), ref: 0113CBE1

EnumSystemLocalesW.KERNEL32(Function_0002FE97,00000001,0116A8A8,0000000C), ref: 01140EE2

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 8c1a2231530133bbaf150bf2eaa9ba1676c40867772e9fcfedab255e1930766d
Instruction ID: 245e675eb618f82cb4c1b0e151792994732612f08067e48bc851ad7678716272
Opcode Fuzzy Hash: 8c1a2231530133bbaf150bf2eaa9ba1676c40867772e9fcfedab255e1930766d
Instruction Fuzzy Hash: B2F0A932A00205DFDB18DFA9E401B8D77F0FB58725F10812AF514EB290C776A9408F51

Function 011510B5 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0113D47A: GetLastError.KERNEL32(00000000,?,01142747), ref: 0113D47E
Part of subcall function 0113D47A: SetLastError.KERNEL32(00000000,?,?,00000028,0111F899), ref: 0113D520

EnumSystemLocalesW.KERNEL32(0115100E,00000001), ref: 011510EC

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7fd347524dffe11a68a7c26d178d0e540d0568105a2e60efb85ea90fc1c7f477
Instruction ID: 19041c29312133ec9b37bea3082848ad82f8c558786554e5ebb79ea5200b1c5f
Opcode Fuzzy Hash: 7fd347524dffe11a68a7c26d178d0e540d0568105a2e60efb85ea90fc1c7f477
Instruction Fuzzy Hash: 2BF05C35300345A7CB199F39D8457667F90EFC1654B06405CEE158B150C3729482C750

Function 01141990 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,?,?), ref: 011419C4

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 86a1dedff4fa473ed81ae86a2afc35cb02f5118e4b8a473cf2931d87e965e135
Instruction ID: 21ee53e30d338b876858f6400105c7c1df36fea27c2c5083fb92a77f2cab3212
Opcode Fuzzy Hash: 86a1dedff4fa473ed81ae86a2afc35cb02f5118e4b8a473cf2931d87e965e135
Instruction Fuzzy Hash: D3E04F7650022CBBCF1A2FA0EC04E9E3E2AFF54B51F014021FD1565120DB32A9A19BD5

Function 01141049 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(Function_0002FE97,00000001), ref: 01141063

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 91ef72ca6300c545797e772b5aa7cd891cc28a0b2a28ef3b3a47edd3e0f31a94
Instruction ID: 900fe921a85ea74982e0220148d4bdb83edef4391e7c32b5b261ad97ecf78ac4
Opcode Fuzzy Hash: 91ef72ca6300c545797e772b5aa7cd891cc28a0b2a28ef3b3a47edd3e0f31a94
Instruction Fuzzy Hash: C6D05E31105304ABCF2C5BA2F505A803B99F348754B000039F55C06795DB73B8808B40

Function 01112659 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001668), ref: 0111265E

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 39d9117d891d6ea7b04508ae654dde16cbde9989921f0e2592efb7bdb5d538a0
Instruction ID: 6aa0768ac6ac119648f75eed0259470b2c5fdf89c96414e1bd1e1bc6036aca73
Opcode Fuzzy Hash: 39d9117d891d6ea7b04508ae654dde16cbde9989921f0e2592efb7bdb5d538a0
Instruction Fuzzy Hash:

Function 036D2740 Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

Q., xrefs: 036D2915

Memory Dump Source

Source File: 00000000.00000002.4142318815.000000000357E000.00000020.00001000.00020000.00000000.sdmp, Offset: 0357E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_357e000_Loader.jbxd

Similarity

API ID:
String ID: Q.
API String ID: 0-1051685669
Opcode ID: be3ecdb16c3f598ed2548b2bba623acb1031ea13949f5db27b26e21a2a093abe
Instruction ID: eb43b97f0bb27ddf2d1a00649833d89db8f14d12ada1fb708d84cf849fd427ec
Opcode Fuzzy Hash: be3ecdb16c3f598ed2548b2bba623acb1031ea13949f5db27b26e21a2a093abe
Instruction Fuzzy Hash: E17199B4D012099FDF04CF98D9949EEBBB1FF48308F108169E819AB344C778AA55CF98

Function 0114C810 Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c48c4ae7fb3c8dc4237112ba9dd4124f457e8650bae2c8356ce750ac910de63
Instruction ID: ba258ddb5f8c2605495577a5b6dac208b33b7a1c475ba72bb8ac5c7f0576b6a8
Opcode Fuzzy Hash: 3c48c4ae7fb3c8dc4237112ba9dd4124f457e8650bae2c8356ce750ac910de63
Instruction Fuzzy Hash: DAF18071A012299FDB29DF18C890BAAB7B9FF46B04F1400EAD949A7345E7715F818FC1

Function 0113B69E Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db82edd64cb1af7cfb90950166cae697cdf200776af2b583b8769fbd88ce2ea
Instruction ID: ae3934457b6b9d95007e6106c2806f235e2b1633dcd573c46d4d760278d18e93
Opcode Fuzzy Hash: 4db82edd64cb1af7cfb90950166cae697cdf200776af2b583b8769fbd88ce2ea
Instruction Fuzzy Hash: DEB1CF20D2AF518DD72799398431336FA9CAFBB2D5B51D72BFC2670D5AEB2181C34280

Function 0114C3C0 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f704e83e07128fa0ba674abda326634586ff0bde3e6be2a5995f54308d7591
Instruction ID: 4bc2a0dbe2f96209aac370352537adad4c632c51bc52a7474cd3c121ce79f70e
Opcode Fuzzy Hash: c9f704e83e07128fa0ba674abda326634586ff0bde3e6be2a5995f54308d7591
Instruction Fuzzy Hash: 4AA15E72A012298BDB29CF18C890BEDB7B5FF89714F1545EAD909A7341D771AE818FC0

Function 02F60470 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141926010.0000000002F60000.00000020.00001000.00020000.00000000.sdmp, Offset: 02F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f60000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bcf609f7e593687e09549c7d8e547f9bc53d275433b23cdcb5ecd32cbab4405
Instruction ID: 002765da08ccd7ead9ca0d517826674c118afedd358eb63c73d09637cfcb989f
Opcode Fuzzy Hash: 9bcf609f7e593687e09549c7d8e547f9bc53d275433b23cdcb5ecd32cbab4405
Instruction Fuzzy Hash: 8411F875E01208EFCB04CF98C994AAEBBB5FF88304F208499D905A7704EB35AE41CF90

Function 01117844 Relevance: 19.8, APIs: 13, Instructions: 332COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 0111790D
DName::operator+.LIBCMT ref: 0111794A
DName::DName.LIBVCRUNTIME ref: 0111795E
DName::operator+.LIBCMT ref: 0111796D
DName::operator+.LIBCMT ref: 011179FB
DName::DName.LIBVCRUNTIME ref: 01117A23
DName::operator+.LIBCMT ref: 01117A31
DName::operator+.LIBCMT ref: 01117A6B
DName::operator+.LIBCMT ref: 01117AAC
UnDecorator::getReturnType.LIBCMT ref: 01117ADC
operator+.LIBVCRUNTIME ref: 01117BDE

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: Name::operator+$NameName::$Decorator::getReturnTypeoperator+
String ID:
API String ID: 2932655852-0
Opcode ID: 9951886f064034d25f75f4990dbb9173c426c608e184611167cb53e98c59a3f3
Instruction ID: 3b15c23f0672e912e10bbff81e222d09b8907ce8a314789abe7f18a96a26022b
Opcode Fuzzy Hash: 9951886f064034d25f75f4990dbb9173c426c608e184611167cb53e98c59a3f3
Instruction Fuzzy Hash: 27C18471900219AFDB1CDF98D890EEEFBB8FB18714F044079E652A7398EB719A44CB51

Function 01118E3C Relevance: 19.8, APIs: 13, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 01118EA7
DName::operator+.LIBCMT ref: 01118FEA

Part of subcall function 0111489A: shared_ptr.LIBCMT ref: 011148B6

DName::operator+.LIBCMT ref: 01118F95
DName::operator+.LIBCMT ref: 01119036
DName::operator+.LIBCMT ref: 01119045
DName::operator+.LIBCMT ref: 01119171
DName::operator=.LIBVCRUNTIME ref: 011191B1
DName::DName.LIBVCRUNTIME ref: 011191BB
DName::operator+.LIBCMT ref: 011191D8
DName::operator+.LIBCMT ref: 011191E4

Part of subcall function 0111A6FE: Replicator::operator[].LIBCMT ref: 0111A73B

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]shared_ptr
String ID:
API String ID: 1043660730-0
Opcode ID: c32928085734ce20ffc1d968b64db7cd9dc1b840ef206d2b3901883005aed917
Instruction ID: 03331d11a65b4e14f07b333e09f584a6272ee605abe33ad1d0aa95887ee88f48
Opcode Fuzzy Hash: c32928085734ce20ffc1d968b64db7cd9dc1b840ef206d2b3901883005aed917
Instruction Fuzzy Hash: 33C1F4B19002199FDB2CDFA8C868BEEFBF8AF19708F04447DE555A7284EB759584CB40

Function 0113A7D4 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 487COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0113ABAC

Strings

f, xrefs: 0113A92C
f, xrefs: 0113A8CA
:, xrefs: 0113A89F
p, xrefs: 0113A933
p, xrefs: 0113A8ED
f, xrefs: 0113A8E6
p, xrefs: 0113A8D1

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: __aulldiv
String ID: :$f$f$f$p$p$p
API String ID: 3732870572-1434680307
Opcode ID: 955540331c9ed18d307cf044e9781ad1c0a05ff00e52a9f63dc6ddd8dec2893f
Instruction ID: 4b8f356610300c63efa95dea1f233e6349f65203c30b0c09b6475a1745752bb4
Opcode Fuzzy Hash: 955540331c9ed18d307cf044e9781ad1c0a05ff00e52a9f63dc6ddd8dec2893f
Instruction Fuzzy Hash: 7502AF39900119DBDB2C8FA4E4586EDBBB3FF81B25FA8451AD595FB288D3308D84CB11

Function 0111A6FE Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 185COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBCMT ref: 0111A73B

Strings

@, xrefs: 0111A8A7

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: Replicator::operator[]
String ID: @
API String ID: 3676697650-2766056989
Opcode ID: 625b3e132dc4a323d78d32c5247ad11d1233f7852118377bba707237bd71f4d5
Instruction ID: 292e424ebfa2294c43daf2d8425629a9c58f04da2da718e3cd7e70adcce277aa
Opcode Fuzzy Hash: 625b3e132dc4a323d78d32c5247ad11d1233f7852118377bba707237bd71f4d5
Instruction Fuzzy Hash: 1561E371D012599FDB1CDFA8E850BEEFFB8AF18714F00403ADA51A3298EB759945CB90

Function 0114420A Relevance: 10.8, APIs: 7, Instructions: 329COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 01144290

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 8aec6c5df48ba320977836bb13f7074ec09afc02cd7a1e3d5dd1fff37ea8d533
Instruction ID: 7d254473a6738c2b5786cd585e45beb1fb5ea77135793b29cba21b3160a3c55c
Opcode Fuzzy Hash: 8aec6c5df48ba320977836bb13f7074ec09afc02cd7a1e3d5dd1fff37ea8d533
Instruction Fuzzy Hash: 93B19A72A04366DFEB19CF28CC81BAE7FA5EF15B14F184165E900AF682D3709901C7A1

Function 0111C2D2 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0111C3F1
___TypeMatch.LIBVCRUNTIME ref: 0111C4FF
CallUnexpected.LIBVCRUNTIME ref: 0111C66C

Strings

csm, xrefs: 0111C30F
csm, xrefs: 0111C37C
csm, xrefs: 0111C428

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: CallMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 1206542248-393685449
Opcode ID: d7bf862dec0d075490bdaf822c65df364787b4284955776f420cd726878cf5fb
Instruction ID: 3fee268538fbd18d5b337ff3794b2352a9b4bed7108acfa463097af62b6d102b
Opcode Fuzzy Hash: d7bf862dec0d075490bdaf822c65df364787b4284955776f420cd726878cf5fb
Instruction Fuzzy Hash: 24B15C7198020ADFCF1DDFA8C840AAEFBB5BF54314B044579E8156B21AD335EA61CBD1

Function 01115D63 Relevance: 10.7, APIs: 7, Instructions: 151COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 01115DF1
DName::operator+.LIBCMT ref: 01115E44

Part of subcall function 0111489A: shared_ptr.LIBCMT ref: 011148B6

Part of subcall function 01114789: DName::operator+.LIBCMT ref: 011147AA

DName::operator+.LIBCMT ref: 01115E35
DName::operator+.LIBCMT ref: 01115E95
DName::operator+.LIBCMT ref: 01115EA2
DName::operator+.LIBCMT ref: 01115EE9
DName::operator+.LIBCMT ref: 01115EF6

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: Name::operator+$shared_ptr
String ID:
API String ID: 1037112749-0
Opcode ID: 0ba86b6190891ac7a1d3ef6a02fbf353ce2074e1c9579deac9d553e5e23c29e3
Instruction ID: 4ea1e6e8713c25c35a372f4464f5542e78068b64475e252e0e5398bbe25c3667
Opcode Fuzzy Hash: 0ba86b6190891ac7a1d3ef6a02fbf353ce2074e1c9579deac9d553e5e23c29e3
Instruction Fuzzy Hash: 585182B1D01219AFDF1DDFD4C844EEEFBB9AF59704F04806AE506A7184EB709644CBA1

Function 01153429 Relevance: 9.3, APIs: 6, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e4f1f5597a88cfae75fb7ac50e3bddeca188d93d588ef4c4e3b46616a9f893
Instruction ID: 2df18dd3ad21107a032d56a4245602bb6a3d30f282bfa36fa28b15c6b9f29b4b
Opcode Fuzzy Hash: 14e4f1f5597a88cfae75fb7ac50e3bddeca188d93d588ef4c4e3b46616a9f893
Instruction Fuzzy Hash: 88B1FF71A14609EFDF5E8F98D880BAE7FB1BF55388F044168E9319B281C7709942CB61

Function 0111A5AA Relevance: 9.1, APIs: 6, Instructions: 119COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 0111A5EE
DName::operator+.LIBCMT ref: 0111A5FA

Part of subcall function 0111489A: shared_ptr.LIBCMT ref: 011148B6

DName::operator+=.LIBCMT ref: 0111A6B8

Part of subcall function 01118E3C: DName::operator+.LIBCMT ref: 01118EA7
Part of subcall function 01118E3C: DName::operator+.LIBCMT ref: 01119171

Part of subcall function 01114789: DName::operator+.LIBCMT ref: 011147AA

DName::operator+.LIBCMT ref: 0111A675

Part of subcall function 011148F2: DName::operator=.LIBVCRUNTIME ref: 01114913

DName::DName.LIBVCRUNTIME ref: 0111A6DC
DName::operator+.LIBCMT ref: 0111A6E8

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
String ID:
API String ID: 2795783184-0
Opcode ID: 205c3273e956667560d308562f5350f141f6cf296b1ca38c6528902fa191cc04
Instruction ID: 5a5d3b8e2bcae6770517e59583745f3b0f0cff389ded5b56c79a2af316dd72b4
Opcode Fuzzy Hash: 205c3273e956667560d308562f5350f141f6cf296b1ca38c6528902fa191cc04
Instruction Fuzzy Hash: AB413CB0A012949FDB1DDFA8D864B9EFFF8AF59700F404478D19597288E7355980CB90

Function 011191FA Relevance: 9.1, APIs: 6, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0111A6FE: Replicator::operator[].LIBCMT ref: 0111A73B

DName::operator=.LIBVCRUNTIME ref: 011192A6

Part of subcall function 01118E3C: DName::operator+.LIBCMT ref: 01118EA7
Part of subcall function 01118E3C: DName::operator+.LIBCMT ref: 01119171

DName::operator+.LIBCMT ref: 01119260
DName::operator+.LIBCMT ref: 0111926C
DName::DName.LIBVCRUNTIME ref: 011192B0
DName::operator+.LIBCMT ref: 011192CD
DName::operator+.LIBCMT ref: 011192D9

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
String ID:
API String ID: 955152517-0
Opcode ID: 2a8a4774b9a1a34b395d2ba08d6890ca99d681b5e365aae051bc3c75453c40bb
Instruction ID: 9068accd626220a2ea25f47c234678b34ea02652da8c444db1c9263e3f6e1e60
Opcode Fuzzy Hash: 2a8a4774b9a1a34b395d2ba08d6890ca99d681b5e365aae051bc3c75453c40bb
Instruction Fuzzy Hash: 9B31E4B1A002189FCB1CDFA8C464AEEFFF8AFA9704F00842DE5A6A7754E7749544CB50

Function 0111AF12 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,01113627,0111223A,01111CF0), ref: 0111AF20
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0111AF2E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0111AF47
SetLastError.KERNEL32(00000000,?,01113627,0111223A,01111CF0), ref: 0111AF99

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8170b893a8ce8c3a6ff4f87e34f2a96ec8e61b26581b410bec8e93bce5692aad
Instruction ID: 2f3e61eb4305a12fb33b2a0a32c3991d999236dac2d46bbf88dd36a6ced1c92e
Opcode Fuzzy Hash: 8170b893a8ce8c3a6ff4f87e34f2a96ec8e61b26581b410bec8e93bce5692aad
Instruction Fuzzy Hash: 4601F57210E313AEAB3E25BD7C8462FAF54DF16178720033AF525861ECEF1308854786

Function 0113F154 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\Loader.exe, xrefs: 0113F170

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\Loader.exe
API String ID: 0-3241315448
Opcode ID: 83993110f45ce35c25e49c6e770889f7e57b94c7634cc35e437837fe748c1974
Instruction ID: c6397a8fc02d7393fb555d82958df96fd7aaac6c858c0d44d2b78cf7a951af0d
Opcode Fuzzy Hash: 83993110f45ce35c25e49c6e770889f7e57b94c7634cc35e437837fe748c1974
Instruction Fuzzy Hash: C721C639A00207EFDF2DAFB5EC8096B7769AFD12A87014524F829D7159D731EC4287A2

Function 01149B68 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(0116C080,00000000,00000000,?), ref: 01149BCB

Part of subcall function 01140345: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,01142B0D,00000000,0114A5BA,?,00000000,?,?,?,0114A290,0000FDE9,00000000,?), ref: 011403A6

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 01149E1D
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 01149E63
GetLastError.KERNEL32 ref: 01149F06

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: d2e08fda68f2e5db65e86cb8e28779422b4afedc8622c023b53d9309472e3b81
Instruction ID: 8f37395abbdbae9829bbfbb48cd646a6b30588e0ca31e01d06397c5583590727
Opcode Fuzzy Hash: d2e08fda68f2e5db65e86cb8e28779422b4afedc8622c023b53d9309472e3b81
Instruction Fuzzy Hash: 43D1ACB5D042589FCF19CFA8D8809EEBBB4EF49718F28412AE566EB351D730A941CB50

Function 01116E8A Relevance: 6.2, APIs: 4, Instructions: 192COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 01116E91
UnDecorator::getSymbolName.LIBCMT ref: 01116F23
DName::operator+.LIBCMT ref: 01117027
DName::DName.LIBVCRUNTIME ref: 011170CA

Part of subcall function 0111489A: shared_ptr.LIBCMT ref: 011148B6

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: Name$Decorator::getH_prolog3Name::Name::operator+Symbolshared_ptr
String ID:
API String ID: 334624791-0
Opcode ID: 791f9a6ed2ec0a7b41528ba277667f552f126e585c38ac078f9b56eaf75978c8
Instruction ID: bd1a2884767a8d6dbd9c1b351fba162dcf39ee4e12b27fa816737dd24343ed9a
Opcode Fuzzy Hash: 791f9a6ed2ec0a7b41528ba277667f552f126e585c38ac078f9b56eaf75978c8
Instruction Fuzzy Hash: CA71AE76D0431A8FEB1DCF98C490BEEFBB4AB09710F04407AD951A7399D7729940CBA1

Function 01117519 Relevance: 6.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 0111764D

Part of subcall function 011144E9: __aulldvrm.LIBCMT ref: 0111451A

DName::operator+.LIBCMT ref: 011175AE
DName::operator=.LIBVCRUNTIME ref: 01117692
DName::DName.LIBVCRUNTIME ref: 011176C4

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator=__aulldvrm
String ID:
API String ID: 2973644308-0
Opcode ID: 975dca9229db041ef07abd690eb04ac315c1081fb322a0660b15d99f26777a19
Instruction ID: 2510cf98e3dca4450536f7b6ac3c41b290cb72adbd637dc03e4e278061a23b91
Opcode Fuzzy Hash: 975dca9229db041ef07abd690eb04ac315c1081fb322a0660b15d99f26777a19
Instruction Fuzzy Hash: CD618D74900229DFEB1DDF58C890AADFBB4BB19700F05847AD9516B398E7B19A80CFD1

Function 0111C07B Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0111C142
___AdjustPointer.LIBCMT ref: 0111C165
___AdjustPointer.LIBCMT ref: 0111C201

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 278cd1c04bdf31a30720709e9bcd632273908e44bfa06c9314e4b32c969fbdc8
Instruction ID: 9a2b624b742923e1e781ac0527276e3ec93c72d6e83b74063564c1c419e46a14
Opcode Fuzzy Hash: 278cd1c04bdf31a30720709e9bcd632273908e44bfa06c9314e4b32c969fbdc8
Instruction Fuzzy Hash: DB51CE76680702EFEB2D9F58D840BAAFBA4EF00614F14413DDD0197298EB31E890CBD1

Function 0111724A Relevance: 6.1, APIs: 4, Instructions: 131COMMON

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 0111727D

Part of subcall function 0111485E: DName::operator+=.LIBCMT ref: 01114874

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: Name::operator+Name::operator+=
String ID:
API String ID: 382699925-0
Opcode ID: 718db1dbddd22fcfbb37919d224c40634a30832eadf21bdfe78493581b4a8067
Instruction ID: 3f670f45bab9c4f7c577721a5645e2616468d34b1449b7f66d63f77019c48628
Opcode Fuzzy Hash: 718db1dbddd22fcfbb37919d224c40634a30832eadf21bdfe78493581b4a8067
Instruction Fuzzy Hash: 7C415A71D0421ADBDB0DDFA8C585AEEFFB4EB08314F10402AE915B7388DB759685CBA1

Function 0113E079 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 01140345: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,01142B0D,00000000,0114A5BA,?,00000000,?,?,?,0114A290,0000FDE9,00000000,?), ref: 011403A6

GetLastError.KERNEL32 ref: 0113E0DD
__dosmaperr.LIBCMT ref: 0113E0E4
GetLastError.KERNEL32(?,?,?,?), ref: 0113E11E
__dosmaperr.LIBCMT ref: 0113E125

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 1b04137277e1a992e2d7252555c6ac2ce5621e4493cdcb9796b2b78e4f6fcb46
Instruction ID: 7a1816850b3e8db8689c7ccf322de50bc2ec4edef249f74bed91eb397f286625
Opcode Fuzzy Hash: 1b04137277e1a992e2d7252555c6ac2ce5621e4493cdcb9796b2b78e4f6fcb46
Instruction Fuzzy Hash: F621D771601716EFDF29AFB9D88086FBBA9FF943687008528F829D7144D731EC4187A1

Function 01141409 Relevance: 6.1, APIs: 4, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,0116C080,?,01141518,01156234,0113DE60,00000000,?), ref: 011414CA

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e9f3a0578057046da4e7590d033f4102f9f7e115d38211eaf89607671b4322aa
Instruction ID: eb00da04b10a436ed2aab441be8f14fee324355dd07ced10cbf417591a11ffea
Opcode Fuzzy Hash: e9f3a0578057046da4e7590d033f4102f9f7e115d38211eaf89607671b4322aa
Instruction Fuzzy Hash: 0F212B71A01311FBDB3D9A65EC44A5A7758AF41BB0F2D0221ED15AB2C5D730F981C7E0

Function 0114044C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 01140454

Part of subcall function 01140345: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,01142B0D,00000000,0114A5BA,?,00000000,?,?,?,0114A290,0000FDE9,00000000,?), ref: 011403A6

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0114048C
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 011404AC

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: afca1aeb8be13845c90bcf39e3cf739aa7899c77d728dfda0371f7989094fac7
Instruction ID: a8481ac9026af399febeef9117d80c4067a0715637b6f7dc6573d685631c800e
Opcode Fuzzy Hash: afca1aeb8be13845c90bcf39e3cf739aa7899c77d728dfda0371f7989094fac7
Instruction Fuzzy Hash: F61104F1905217BFAB2E27F66C88CEF295CCF998E87550024FA19E1100FB20CD4282B2

Function 01152A78 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 01152A8E
GetLastError.KERNEL32(?,?,?,?), ref: 01152A9B
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 01152AC1
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 01152AE7

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: 37c0dec2a02b9e1b50beef4e87ffddbc4953a8c01af6971f662700600d4203a4
Instruction ID: 6502b5054b9608ca8d505a8886ce1e1ae9b255d3b42692f779e60d6e4607f646
Opcode Fuzzy Hash: 37c0dec2a02b9e1b50beef4e87ffddbc4953a8c01af6971f662700600d4203a4
Instruction Fuzzy Hash: 8A113376900219EFDF289EA5E848D9F3F79EB043A0F004554B824A61A0CB718A80DBA1

Function 01156A2C Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 01156A46
GetLastError.KERNEL32 ref: 01156A52

Part of subcall function 01156AFB: CloseHandle.KERNEL32(0116C980,01156B45,?,01152DAE,00000000,00000001,00000000,?,?,01149F5A,?,00000000,00000000,?,?), ref: 01156B0B

___initconout.LIBCMT ref: 01156A62

Part of subcall function 01156ABD: CreateFileW.KERNEL32(01168E84,40000000,00000003,00000000,00000003,00000000,00000000,01156AEC,01152D9B,?,?,01149F5A,?,00000000,00000000,?), ref: 01156AD0

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 01156A76

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: e1831ff242182c5ccba4c4de81cd57e62c47da0c2d1dd165b8dfa5d48cd2e138
Instruction ID: 52b17fa1f82e73cdd884b6ac989ed87c20bd7087d31eb6e4c5acbe0a7779c40f
Opcode Fuzzy Hash: e1831ff242182c5ccba4c4de81cd57e62c47da0c2d1dd165b8dfa5d48cd2e138
Instruction Fuzzy Hash: CCF0FE3A101641FBCB7A1BE6EC08D46BBB6EB887617558425F9B982120DB3294A0DB91

Function 01156B12 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,01152DAE,00000000,00000001,00000000,?,?,01149F5A,?,00000000,00000000), ref: 01156B29
GetLastError.KERNEL32(?,01152DAE,00000000,00000001,00000000,?,?,01149F5A,?,00000000,00000000,?,?,?,0114A545,00000000), ref: 01156B35

Part of subcall function 01156AFB: CloseHandle.KERNEL32(0116C980,01156B45,?,01152DAE,00000000,00000001,00000000,?,?,01149F5A,?,00000000,00000000,?,?), ref: 01156B0B

___initconout.LIBCMT ref: 01156B45

Part of subcall function 01156ABD: CreateFileW.KERNEL32(01168E84,40000000,00000003,00000000,00000003,00000000,00000000,01156AEC,01152D9B,?,?,01149F5A,?,00000000,00000000,?), ref: 01156AD0

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,01152DAE,00000000,00000001,00000000,?,?,01149F5A,?,00000000,00000000,?), ref: 01156B5A

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: aabf76f828531f8abdb946359f567f52bbeb8979450b3f6d4d8b73c84167e0f4
Instruction ID: e4519f3fc52b31f2588114f0155ebfec3a215fcad889154aa1f551f0d4530cd7
Opcode Fuzzy Hash: aabf76f828531f8abdb946359f567f52bbeb8979450b3f6d4d8b73c84167e0f4
Instruction Fuzzy Hash: 40F0C736501255FBCF761FE5EC0899A7F25FB083B1B454424FD3895124D73288A0DBD5

Function 0113A50C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 291COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0113A683

Strings

+, xrefs: 0113A5E1
-, xrefs: 0113A5D4

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: __aulldiv
String ID: +$-
API String ID: 3732870572-2137968064
Opcode ID: 8271c02f295ee639f723ab7f401718d96e610fcdba1de5e3f424324952d9fd94
Instruction ID: c3070195b3eaf084a6cba20270c35b665cc03170d7a902eb97c00e4b37467b19
Opcode Fuzzy Hash: 8271c02f295ee639f723ab7f401718d96e610fcdba1de5e3f424324952d9fd94
Instruction Fuzzy Hash: BCA1E5709402499FDF2DCF3898906EE7FB5AFC6224F048559E8E6DB289D335D9018B51

Function 0111C677 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0111C69C

Strings

MOC, xrefs: 0111C6AE
RCC, xrefs: 0111C6B6

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 86252ce723843a7d169b00fd1c0520c5396cc4aa19a59093a294a35be3cf89e2
Instruction ID: e3c810aa1e202b49bf566036ccff923e0a291cab434c1c96df84dabbdad883fb
Opcode Fuzzy Hash: 86252ce723843a7d169b00fd1c0520c5396cc4aa19a59093a294a35be3cf89e2
Instruction Fuzzy Hash: DB416C7190010AEFDF1ACF98CD80AEEBBB5BF48304F184069FA04A7255D375A950DF91

Function 01117781 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 01117798
DName::DName.LIBVCRUNTIME ref: 0111781D

Strings

A, xrefs: 011177FD

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: NameName::
String ID: A
API String ID: 1333004437-3554254475
Opcode ID: b5d48850f0803a66965e1788db75ccbab3b96ab3556d1ff85075a1e2befb681c
Instruction ID: 44254827144ab5fb0d9f1470fc9c332a0cda584d1e8ee57db2d2b842c332d3ee
Opcode Fuzzy Hash: b5d48850f0803a66965e1788db75ccbab3b96ab3556d1ff85075a1e2befb681c
Instruction Fuzzy Hash: 2F21DE30A0020AAFCF1DDF98D810BACBFB1FB18704F048079E4555B399D7319681CB81

Function 01114215 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01114232

Part of subcall function 0111AD33: _vsnprintf.LEGACY_STDIO_DEFINITIONS ref: 0111AD43

swprintf.LIBCMT ref: 01114255

Part of subcall function 0111AD4D: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0111AD5F

Strings

%lf, xrefs: 01114228, 0111422D, 01114252

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: ___swprintf_l__vswprintf_c_l_vsnprintfswprintf
String ID: %lf
API String ID: 3672277462-2891890143
Opcode ID: 1fc18bce24cd6c2ff2ec910c7f9d8d5ddfbbd044e2937ec9c8c7349c41caa020
Instruction ID: 5b5c0c2af3210e4905b513aea9852f35f06778e590eca7564b9714b2315d21b8
Opcode Fuzzy Hash: 1fc18bce24cd6c2ff2ec910c7f9d8d5ddfbbd044e2937ec9c8c7349c41caa020
Instruction Fuzzy Hash: C9F0C2A1500009BBDB096B84DC45FBFBE6CDF95264F014098F68527240DB315E1093B1

Function 01114275 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0111428E

Part of subcall function 0111AD33: _vsnprintf.LEGACY_STDIO_DEFINITIONS ref: 0111AD43

swprintf.LIBCMT ref: 011142B1

Part of subcall function 0111AD4D: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0111AD5F

Strings

%lf, xrefs: 01114284, 01114289, 011142AE

Memory Dump Source

Source File: 00000000.00000002.4141687608.0000000001111000.00000020.00001000.00020000.00000000.sdmp, Offset: 01111000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1111000_Loader.jbxd

Similarity

API ID: ___swprintf_l__vswprintf_c_l_vsnprintfswprintf
String ID: %lf
API String ID: 3672277462-2891890143
Opcode ID: 9fcb8c2445ba46c5901102a2cdc55d4b0acafc36fbe042b9c0fed95ced912c00
Instruction ID: 958e4c8301aae8640371795c6f972890cdd42a4f80ff96d0996d63705be0ffa2
Opcode Fuzzy Hash: 9fcb8c2445ba46c5901102a2cdc55d4b0acafc36fbe042b9c0fed95ced912c00
Instruction Fuzzy Hash: 54F0B4A210400DBBDB096B54DC85FBFBF6CDF992A8F018059FA451B280DB359E15D3B5

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Loader.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: Loader.exePID: 7112, Parent PID: 2580

General

Chronological Activities

Analysis Process: conhost.exePID: 7092, Parent PID: 7112

General

Chronological Activities

Disassembly

Analysis Process: Loader.exePID: 7112, Parent PID: 2580COMMON

Execution Graph

Graph

Executed Functions

Function 036EFE30 Relevance: 18.7, APIs: 1, Strings: 9, Instructions: 1223memorynativeCOMMON

Control-flow Graph

Windows Analysis Report
Loader.exe

Function 036EFE30 Relevance: 18.7, APIs: 1, Strings: 9, Instructions: 1223
memorynativeCOMMON

Function 036DF790 Relevance: 17.8, APIs: 2, Strings: 8, Instructions: 263
libraryloaderthreadCOMMON

Function 036F12B0 Relevance: 9.3, APIs: 1, Strings: 4, Instructions: 553
nativeCOMMON

Function 036E9C30 Relevance: 3.0, APIs: 2, Instructions: 44
nativeCOMMON

Function 036D85F0 Relevance: 1.5, APIs: 1, Instructions: 44
nativeCOMMON

Function 02F60000 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 208
memoryCOMMON

Function 036DBF70 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 153
memoryCOMMON

Function 01111ECF Relevance: 4.6, APIs: 3, Instructions: 87
COMMON

Function 01111D18 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 036D9940 Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Function 0111200D Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Function 0111200E Relevance: 1.5, APIs: 1, Instructions: 12
COMMON